Penetration Testing (blog by sushi2k)<br />
Squid 3.3.10 - Transparent Proxy for HTTP and HTTPS (2013-11-05)<br />
Hey there,<br />
<br />
for several years now the Squid proxy has been usable as a transparent proxy for HTTP and also HTTPS. As I was curious how it works and how hard it is to set up, I just installed and configured it.<br />
<br />
First I installed a fresh virtual machine with Debian 7.2. In Debian you can install either Squid 2.7 or Squid 3.1 via apt-get (apt-get install squid or apt-get install squid3). Unfortunately, to build a transparent proxy that also supports all HTTPS features, at least version 3.2 is needed. So I downloaded the latest sources (version 3.3.10) directly from squid-cache.org. Before building, the following packages should be installed in Debian, otherwise errors will pop up during configure or make:<br />
<blockquote class="tr_bq">
# apt-get install build-essential<br />
# apt-get install libssl-dev</blockquote>
After unpacking the squid sources it is important to use the following configure statement, to activate ssl, because it is disabled by default:<br />
<blockquote class="tr_bq">
# ./configure --prefix=/usr/local/squid --enable-icap-client --enable-ssl --enable-ssl-crtd --with-default-user=squid</blockquote>
Afterwards you can compile and install squid:<br />
<blockquote class="tr_bq">
# make all<br />
# sudo make install</blockquote>
Now squid is installed in /usr/local/squid. As the next step, the user squid should be created and the log directory should be handed over to that user:<br />
<blockquote class="tr_bq">
# useradd squid<br />
# chown -R squid:squid /usr/local/squid/var/logs/</blockquote>
<div>
The next steps I've copied from the squid documentation (2): </div>
<div>
Afterwards you must create the swap directories. Do this by running Squid with the -z option:</div>
<blockquote class="tr_bq">
# /usr/local/squid/sbin/squid -z</blockquote>
Once the creation of the cache directories completes, you can start Squid and try it out. Probably the best thing to do is run it from your terminal and watch the debugging output. Use this command:<br />
<blockquote class="tr_bq">
# /usr/local/squid/sbin/squid -NCd1</blockquote>
<div>
If everything is working okay, you will see the line:<br />
<blockquote class="tr_bq">
Ready to serve requests. </blockquote>
If you want to run squid in the background, as a daemon process, just leave off all options:<br />
<blockquote class="tr_bq">
# /usr/local/squid/sbin/squid</blockquote>
Now you should have a running squid on port 3128. But it still does not support HTTPS requests and the proxy is still not transparent. The next steps will be modifying squid.conf and putting in some iptables rules. But first we need to create our own CA (Certificate Authority):<br />
<blockquote class="tr_bq">
# cd /usr/local/squid<br />
# mkdir ssl_cert<br />
# cd ssl_cert<br />
# openssl req -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout myCA.pem -out myCA.pem</blockquote>
</div>
<div>
This pem file can now be imported into the certificate store of your browser. Then you will not get any certificate errors when browsing HTTPS sites later via our transparent squid.<br />
Next we need to replace the line "http_port 3128" with the following lines in /usr/local/squid/etc/squid.conf:<br />
<blockquote class="tr_bq">
http_port 3128 intercept<br />
https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=/usr/local/squid/ssl_cert/myCA.pem<br />
acl broken_sites dstdomain .example.com<br />
ssl_bump none localhost<br />
ssl_bump none broken_sites<br />
ssl_bump server-first all<br />
sslcrtd_program /usr/local/squid/libexec/ssl_crtd -s /usr/local/squid/var/lib/ssl_db -M 4MB<br />
sslcrtd_children 5</blockquote>
<div>
Also IP forwarding needs to be activated:</div>
<blockquote class="tr_bq">
# echo "1" > /proc/sys/net/ipv4/ip_forward</blockquote>
<div>
Finally we need to insert our iptables rules to redirect the traffic to squid:</div>
<blockquote class="tr_bq">
# iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128<br />
# iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3127<br />
# iptables -I INPUT -p tcp -m tcp --dport 3127 -j ACCEPT</blockquote>
Another folder needs to be created for the dynamically generated certificates:<br />
<blockquote class="tr_bq">
# mkdir /usr/local/squid/var/lib<br />
# /usr/local/squid/libexec/ssl_crtd -c -s /usr/local/squid/var/lib/ssl_db -M 4MB<br />
# chown -R squid:squid /usr/local/squid/var/lib/ssl_db/ </blockquote>
</div>
<div>
Now you should start squid in debugging mode:<br />
<blockquote class="tr_bq">
# /usr/local/squid/sbin/squid -NCd9</blockquote>
If the process is running and you get something similar to this, your work was successful:<br />
<blockquote class="tr_bq">
2013/11/04 22:39:16| Accepting NAT intercepted HTTP Socket connections at local=0.0.0.0:3128 remote=[::] FD 19 flags=41<br />
2013/11/04 22:39:16| Accepting NAT intercepted SSL bumped HTTPS Socket connections at local=0.0.0.0:3127 remote=[::] FD 20 flags=41</blockquote>
<div>
To fully work as a transparent HTTPS proxy, your clients in the network now need the IP of this proxy as their gateway address, and the pem certificate needs to be imported into the browser of the clients. </div>
<div>
<br />
Now you can start squid by executing:<br />
<blockquote class="tr_bq">
# /usr/local/squid/sbin/squid</blockquote>
<br /></div>
<div>
Debugging:</div>
<div>
<br /></div>
<div>
If you have any problems you should check whether squid is running and listening on its ports. You can do this by using netstat:</div>
<blockquote class="tr_bq">
# netstat -tulpen</blockquote>
<div>
You should then see ports 3128 and 3127. If not, execute "killall squid" several times and restart squid in debugging mode with </div>
<blockquote class="tr_bq">
# /usr/local/squid/sbin/squid -NCd9</blockquote>
<div>
You can also have a look at the access.log while browsing, or use tcpdump to see whether the packets are really arriving at your proxy. </div>
<div>
<br /></div>
<div>
Hint:</div>
<div>
This was just a quick'n'dirty how-to on how a transparent proxy supporting HTTPS can be created. This setup is for lab environments, to get to know squid and its capabilities, and not for production use. For example, your private key is in the pem certificate, which should be separated from the certificate you're deploying to your browser. </div>
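As an added example (not code from the post), covering both the CA step above and the hint about keeping the private key out of the certificate you hand to browsers: the script below splits the combined myCA.pem into a key file that only squid reads and a certificate-only file for import into the clients, and prints the https_port line that references both (squid's https_port takes a key= option next to cert=). The paths under /usr/local/squid/ssl_cert are taken from the post; the function names are this example's own.<br />

```shell
#!/bin/sh
# Added example, not code from the post: separate the CA private key from the
# certificate that gets distributed to browsers. The post's "openssl req ...
# -keyout myCA.pem -out myCA.pem" writes both into one file; squid may keep
# using that file, but the copy handed to users must only hold the certificate.
# Paths under /usr/local/squid/ssl_cert follow the post; function names are ours.

# split_ca_pem COMBINED.pem KEY.out CRT.out
# Copies the private-key block into KEY.out (created with mode 0600) and the
# certificate block into CRT.out. Returns 1 if either block is missing.
split_ca_pem() {
    src=$1; key=$2; crt=$3
    [ -r "$src" ] || { echo "split_ca_pem: cannot read $src" >&2; return 1; }
    # subshell so the restrictive umask does not leak into the caller's shell;
    # matches "BEGIN PRIVATE KEY" (PKCS#8) as well as "BEGIN RSA/EC PRIVATE KEY"
    (umask 077; awk '/^-----BEGIN (RSA |EC )?PRIVATE KEY-----/ {p=1}
                     p {print}
                     /^-----END (RSA |EC )?PRIVATE KEY-----/ {p=0}' "$src" > "$key")
    awk '/^-----BEGIN CERTIFICATE-----/ {p=1}
         p {print}
         /^-----END CERTIFICATE-----/ {p=0}' "$src" > "$crt"
    if [ ! -s "$key" ] || [ ! -s "$crt" ]; then
        echo "split_ca_pem: $src lacks a private key or a certificate block" >&2
        return 1
    fi
    return 0
}

# has_private_key FILE
# Returns 0 when FILE still carries a private key, i.e. it must not be given out.
has_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# squid_https_port KEY CRT
# Prints the https_port line for squid.conf that references the two files
# (squid's https_port accepts key= next to cert=).
squid_https_port() {
    printf 'https_port 3127 intercept ssl-bump generate-host-certificates=on dynamic_cert_mem_cache_size=4MB cert=%s key=%s\n' "$2" "$1"
}

# Run as root on the proxy host with the argument "run":
if [ "${1:-}" = "run" ]; then
    dir=/usr/local/squid/ssl_cert
    split_ca_pem "$dir/myCA.pem" "$dir/myCA.key" "$dir/myCA.crt" || exit 1
    if has_private_key "$dir/myCA.crt"; then
        echo "refusing to publish $dir/myCA.crt: it still contains a key" >&2
        exit 1
    fi
    chown squid:squid "$dir/myCA.key"   # only the squid user needs to read the key
    echo "import $dir/myCA.crt into the browsers; put this line into squid.conf:"
    squid_https_port "$dir/myCA.key" "$dir/myCA.crt"
fi
```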
<div>
<br /></div>
Links<br />
(1) <a href="http://www.squid-cache.org/Versions/">Download Squid Source</a><br />
(2) <a href="http://wiki.squid-cache.org/SquidFaq/InstallingSquid">Installing Squid</a><br />
(3) <a href="http://wiki.squid-cache.org/Features/DynamicSslCert">Dynamic SSL Certificate Generation</a><br />
(4) <a href="http://wiki.squid-cache.org/Features/SslBump">SSL Bump</a><br />
<br /></div>
<br />
X Forwarding with SSH - Magic-Cookie problem (2013-10-20)<br />
Hey there,<br />
<br />
I've mentioned in one of <a href="http://pen-testing-lab.blogspot.de/2013/08/raspberry-pi-and-pentesting.html">my last posts</a> that it is possible to forward X via SSH. In my case I'm connecting from my Mac OS X client to my Raspberry Pi running Kali Linux. I'm using the X forwarding feature of ssh to start tools on my Raspberry Pi that need X, but the window pops up in Mac OS X, as long as X11 is started on my Mac. If this was too confusing, you can just read <a href="http://www.tldp.org/HOWTO/XDMCP-HOWTO/ssh.html">this</a>, and I think you will get it ;-)<br />
<br />
I've just got one problem when doing this: when I log into Kali Linux I'm using an unprivileged account, let's say the account name is <i>alice</i>. The problem is that some tools need root privileges, like Wireshark (of course you can also run tcpdump, but Wireshark is just an example). If I switch to the root account via su, X forwarding for the application I want to start is not working anymore:<br />
<br />
<blockquote class="tr_bq">
root@kali:~# wireshark<br />(wireshark:2810): Gtk-WARNING **: cannot open display: localhost:11.0</blockquote>
<br />
I'm getting this error because when the ssh connection is initiated, a file called .Xauthority is created in the home directory of alice. This file contains a "session cookie" called the Magic-Cookie. When I now want to start the application as root, the content of this file is not available to the root account, so I have to copy the .Xauthority file to the home folder of the root account:<br />
<br />
<blockquote class="tr_bq">
# su -<br /># cp /home/alice/.Xauthority /root/</blockquote>
<br />
Then the Magic-Cookie will also be available to the root account and Wireshark can be started. If it is still not working you should check the environment variable DISPLAY. The DISPLAY variable of alice needs to be the same as in the root account.<br />
<br />
To automate this task, I've created the file .bash_profile in root's home directory:<br />
<br />
<blockquote class="tr_bq">
# touch /root/.bash_profile<br /># vim /root/.bash_profile</blockquote>
<br />
and added the following content:<br />
<br />
<blockquote class="tr_bq">
# cp /home/alice/.Xauthority /root/</blockquote>
<br />
Now every time I change to the root account, the .Xauthority will be copied into the home folder of the root account and the X forwarding feature keeps working.<br />
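As an added example (not from the post), a drop-in for the cp line in /root/.bash_profile that adds the checks the paragraph above implies: it refuses to run without a DISPLAY, keeps the copied cookie file mode 0600 (whoever can read it can attach to the forwarded display), and, when xauth is installed, merges only the cookie for that one display instead of handing root every cookie alice owns. The function name and the XAUTH override variable are this example's own; alice's home directory is taken from the post.<br />

```shell
#!/bin/sh
# Added example, not code from the post: a safer replacement for
# "cp /home/alice/.Xauthority /root/" in /root/.bash_profile.
# Function name and the XAUTH override are this example's own.

XAUTH=${XAUTH:-xauth}   # point at a non-existent path to force the plain-copy fallback

# share_xcookie SRC_HOME DISPLAY_NAME
# Makes the X cookie that ssh wrote into SRC_HOME/.Xauthority usable from $HOME
# and exports DISPLAY, so the root shell matches alice's session.
share_xcookie() {
    src_home=$1; display=$2
    src=$src_home/.Xauthority
    dst=$HOME/.Xauthority
    [ -n "$display" ] || { echo "share_xcookie: no DISPLAY given" >&2; return 1; }
    [ -f "$src" ] || { echo "share_xcookie: $src not found" >&2; return 1; }
    if command -v "$XAUTH" >/dev/null 2>&1; then
        # copy only the cookie for this display into root's own cookie file
        "$XAUTH" -f "$src" extract - "$display" | "$XAUTH" -f "$dst" merge - || return 1
    else
        # same effect as the post's cp, but the copy is never group/world readable
        (umask 077; cp "$src" "$dst") || return 1
    fi
    chmod 600 "$dst" || return 1
    DISPLAY=$display
    export DISPLAY
    return 0
}

# In /root/.bash_profile: "su -" starts a login shell with a cleared environment,
# so DISPLAY is empty there; pass the value alice's shell shows (the post's error
# message names localhost:11.0) or switch with plain "su", which keeps DISPLAY.
#   share_xcookie /home/alice "${DISPLAY:-localhost:11.0}"
```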
<br />
If you have better/other solutions for this problem, feel free to leave a comment.<br />
Cheers.<br />
<br />
<br />
ssh and tmux (2013-10-13)<br />
Hi there,<br />
<br />
with tmux you can make your life a little easier if you have to work on the command line or manage one or more servers. So here is what I did:<br />
<br />
If I connect to one of my servers via ssh, I always do this via my ssh key. <a href="https://wiki.archlinux.org/index.php/SSH_Keys">Here</a> you can find a detailed guide on how to set up an ssh connection using a key and a password for the key. If you're using this kind of authentication you just have to remember one password (the one for your private key) and you can log in to any server you distributed your public key to. So now you can easily connect to your server(s) without creating another password for your user on every server.<br />
<br />
But after login you still have just one shell available, and sometimes you need more shells but don't want to log in again for each of them. That's the moment when you should start tmux.<br />
<br />
As there are already some good tutorials and explanations, I don't want to write my own one here, so just visit <a href="http://net.tutsplus.com/tutorials/tools-and-tips/intro-to-tmux/">here</a>, <a href="http://www.openbsd.org/faq/faq7.html#tmux">here</a>, <a href="http://www.strcat.de/eigenes/tmux.html">here</a> (German) or <a href="https://wiki.archlinux.org/index.php/Tmux">here</a> as a starting point.<br />
<br />
There is also <a href="http://pragprog.com/book/bhtmux/tmux">a book available</a> about tmux. I didn't read it, but it may be useful for someone who wants to dive deeper into tmux.<br />
<br />
Cheers.<br />
<br />
Be your own cloud provider and kick out Google Calendar, Dropbox and co. - Part 2 File Sync (2013-10-12)<br />
Hey there,<br />
<br />
so after I was able to <a href="http://pen-testing-lab.blogspot.de/2013/09/be-your-own-cloud-provider-and-kick-out.html">sync all my calendar entries</a> with all my devices by using OwnCloud, the next step is to use it as a Dropbox replacement.<br />
<br />
The main purpose of using Dropbox was always to store documents like PDFs (books, whitepapers etc.) and to read them on my iPad. It was very convenient and I didn't have to worry about backups, as the files were on my mobile devices, my laptop and in my Dropbox, and it was also very convenient to share the files with others.<br />
<br />
Here is the configuration, that I'm using now instead of Dropbox:<br />
<ol>
<li>iOS: I'm using an app called "<a href="https://itunes.apple.com/de/app/goodreader-for-ipad/id363448914">Good Reader</a>" on my iPad in order to read all kinds of documents and Good Reader also provides an interface to connect to your Dropbox. It is possible for every App that can talk to a WebDAV server to connect to your OwnCloud. In Good Reader I just needed to add a new WebDAV server, insert the URL accordingly to the manual of <a href="http://doc.owncloud.org/server/5.0/user_manual/files/files.html#mobile">OwnCloud</a> (e.g. https://example.com/owncloud/) put in your credentials and afterwards you can sync all data with Good Reader. You can sync data that is already available in your OwnCloud with Good Reader or upload files to OwnCloud via Good Reader. It's working for me now as convenient as Dropbox. </li>
<li>Mac OS X: I wanted to use the Finder of Mac OS X for connecting to OwnCloud, as described <a href="http://doc.owncloud.org/server/5.0/user_manual/files/files.html#macos">here</a>. Unfortunately it is not working as expected. I'm able to connect to my server via WebDAV and I can navigate through the directories, but when I want to create a folder or upload a file, it takes minutes and then the operation I wanted to execute does not succeed. I couldn't find out the problem, so I switched to <a href="http://cyberduck.ch/">Cyberduck</a>. With Cyberduck I'm not having any problems and I've got good performance. </li>
<li>Windows: In <a href="http://doc.owncloud.org/server/5.0/user_manual/files/files.html#windows">Windows</a> it was no problem to map the WebDAV share to a drive letter. Maybe you need to tweak the <a href="http://support.microsoft.com/kb/841215">registry</a>, but I didn't have to do it on my Windows 7 Professional laptop. </li>
</ol>
<div>
With this configuration I can now access all my files via iOS, Mac OS X and Windows. But to access the files I need to be online, otherwise the files will not be available. To access your files also when you're offline you can use the <a href="http://owncloud.org/sync-clients/">Sync-Clients</a> by OwnCloud. <br />In Windows it worked without any errors, but on Mac OS X I always got the following error when I wanted to connect to my server via HTTPS:</div>
<blockquote class="tr_bq">
Die Verbindung zu OwnCloud konnte nicht hergestellt werden: Im Ablauf des SSL-Protokolls ist ein Fehler aufgetreten.</blockquote>
or, in English:<br />
<blockquote class="tr_bq">
Failed to connect to ownCloud: SSL-Handshake failed</blockquote>
When I added the parameter "ServerName" to /etc/apache2/apache2.conf and did a restart of apache I was also able to connect to my OwnCloud with the Mac OS X Sync-Client.<br />
<br />
So now I can share my calendar and files between all my devices with my OwnCloud and do not have to use Dropbox, iCloud or another cloud provider.<br />
<br />
Great success :-)<br />
<br />
Be your own cloud provider and kick out Google Calendar, Dropbox and co. - Part 1 Calendar (2013-09-18)<br />
Hey there,<br />
<br />
I want to do a little experiment to get as much data as possible into my own cloud and not use services like Google Calendar or iCloud. Especially because everything Edward Snowden disclosed confirmed all our paranoid thoughts about a big brother scenario and total surveillance, I now want to try to be the master of my data as much as possible. And of course I'm curious what can be done with services like OwnCloud.<br />
<br />
What I want is to be my own cloud provider by using my own root server, so that all my devices (laptop, smartphone and tablet) can use this server to sync their data. I have actually used cloud services like Google Calendar or Dropbox, but never trusted those services and always felt uncomfortable, and that's why I didn't use cloud services e.g. for syncing my contacts. I've always synced my contacts directly via my laptop to my other devices.<br />
<br />
My goal is to get as much data as possible onto my own server so it's under my control and not stored on some server somewhere in the US that will be monitored by some agency. Of course this server will be the single point of failure, and if it gets hacked all my data will be disclosed or compromised, but hey, at least I'm responsible for my data now.<br />
<br />
First thing I've done is installing OwnCloud on my Debian server, see <a href="http://software.opensuse.org/download.html?project=isv:ownCloud:community&package=owncloud">the link here</a> for further installation instructions. Afterwards you can navigate to your web server by adding /owncloud to your URL, e.g. https://www.dummy.org/owncloud for further configuration.<br />
<br />
I wanted to use the MySQL service as database for OwnCloud, as it is already running on my server:<br />
<br />
1. Connect to MySQL and create a database for OwnCloud:<br />
<blockquote class="tr_bq">
root@kali # mysql -u root -p<br />
mysql> create database owncloud;</blockquote>
<br />
2. Create a user for the new database owncloud and grant all privileges on it to that user:<br />
<blockquote class="tr_bq">
mysql> GRANT ALL PRIVILEGES<br />
-> ON owncloud.*<br />
-> TO 'owncloudUser'@'localhost'<br />
-> IDENTIFIED BY '<your password here>'<br />
-> WITH GRANT OPTION;</blockquote>
3. Now you can go again to https://www.dummy.org/owncloud and type in the name of the database you want to use for OwnCloud and the user and password for it. Also an administrator user will be created for the web interface.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXNfJ3gZZaPsjCH7_1Aq7iXpco8YxNjpu2CXMLheD1iGdt_AcqGTdGsYpPCPF9_gMBxBTZacWH6Wy2F2k8ZbUKtYgSa5pafpqZtvzZV122pm2lNJI7m_q1cF7YBouI3LI_b1gpLhO_lyE/s1600/owncloud.tiff" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXNfJ3gZZaPsjCH7_1Aq7iXpco8YxNjpu2CXMLheD1iGdt_AcqGTdGsYpPCPF9_gMBxBTZacWH6Wy2F2k8ZbUKtYgSa5pafpqZtvzZV122pm2lNJI7m_q1cF7YBouI3LI_b1gpLhO_lyE/s320/owncloud.tiff" width="155" /></a></div>
Afterwards you can finish the installation and your OwnCloud is ready. You should also use SSL for your OwnCloud, so that your communication channel is encrypted. If you don't use SSL yet and you don't want to spend money on an SSL certificate, you should consider creating a server certificate at <a href="http://www.cacert.org/">CAcert</a>. Don't forget to import the <a href="https://www.cacert.org/index.php?id=3">root certificate of CAcert</a> into your browser and the devices that will use OwnCloud, so you have a trusted connection to your server.<br />
<br />
So what can you do now by using OwnCloud? After logging into your OwnCloud you have the opportunity to share a calendar, contacts, data, pictures and music.<br />
<br />
I just wanted to use the calendar service for now. To synchronize the calendar with your iOS device, just follow the <a href="http://doc.owncloud.org/server/5.0/user_manual/pim/sync_ios.html">manual at owncloud.org</a>. You can also synchronize it with <a href="http://doc.owncloud.org/server/5.0/user_manual/pim/sync_osx.html">iCal</a> on OS X and with Lightning in Thunderbird. In Lightning you need the CalDAV link that points directly to your calendar. You can find that link in OwnCloud 5 if you navigate to the calendar, click on the settings symbol in the right corner and click on the little earth symbol in the row of your calendar. Then the CalDAV link will appear. In Lightning you just need to create a new calendar, choose network, select CalDAV as format and paste the URL in the address field. Then you just need to fill in the credentials in the login dialog that pops up, and you have the OwnCloud calendar in Thunderbird Lightning as well.<br />
<br />
You can also sync the calendar with Android devices, but you need a 3rd party app like <a href="https://play.google.com/store/apps/details?id=org.dmfs.carddav.sync">Card-Dav Sync</a>. As I've got no Android device, I could not test it, so if there are better apps or if it is supported by the OS by now, feel free to leave a comment.<br />
<br />
For me this setup is working fine now. I'm using it on OS X in iCal, on my iPhone, iPad and also another Windows Laptop has access to the calendar via Thunderbird Lightning and all via SSL. First step is done to get your own secure datastore.<br />
<br />
For backup purposes, <a href="http://doc.owncloud.org/server/5.0/admin_manual/maintenance/backup.html?highlight=backup">here</a> is a little hint on what you want to back up on another machine to restore your data in OwnCloud if the server crashes.<br />
<br />
Cheers.<br />
<br />
Raspberry Pi and Nano USB WiFi (EDIMAX EW-7811Un) on Kali Linux (2013-09-15)<br />
Hey there,<br />
<br />
yesterday my order arrived: a <a href="http://www.amazon.de/gp/product/B003MTTJOY/ref=oh_details_o02_s00_i00?ie=UTF8&psc=1">Wireless USB Adapter</a> for my Raspberry Pi. Right after plugging it into the Pi and booting it up, it was found:<br />
<blockquote class="tr_bq">
root@kali:~# dmesg</blockquote>
<blockquote class="tr_bq">
...<br />
usb 1-1.2: new high-speed USB device number 4 using dwc_otg<br />
usb 1-1.2: New USB device found, idVendor=7392, idProduct=7811<br />
usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3<br />
usb 1-1.2: Product: 802.11n WLAN Adapter<br />
usb 1-1.2: Manufacturer: Realtek<br />
usb 1-1.2: SerialNumber: 00e04c000001</blockquote>
You can also list the usb devices via lsusb, to make sure the device is recognized:<br />
<blockquote class="tr_bq">
root@kali:~# lsusb</blockquote>
<blockquote class="tr_bq">
Bus 001 Device 002: ID 0424:9512 Standard Microsystems Corp.<br />
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub<br />
Bus 001 Device 003: ID 0424:ec00 Standard Microsystems Corp.<br />
Bus 001 Device 004: ID 7392:7811 Edimax Technology Co., Ltd EW-7811Un 802.11n Wireless Adapter [Realtek RTL8188CUS]</blockquote>
I'm using Kali 1.0.5 with the original kernel which is 3.6.11-cutdown:<br />
<blockquote class="tr_bq">
root@kali:~# uname -r<br />
3.6.11-cutdown</blockquote>
I've read that since kernel 3.0 a driver called rtl8192cu should be available that supports the chipset RTL8188CUS. After searching for "*8192*" I found the module in Kali:<br />
<blockquote class="tr_bq">
root@kali:~# find / -name "*8192*" -print<br />
/sys/bus/usb/drivers/rtl8192cu<br />
<b>/sys/module/8192cu</b><br />
/sys/module/8192cu/drivers/usb:rtl8192cu<br />
/opt/metasploit/apps/pro/ui/db/migrate/20130208192816_add_hidden_to_task_chain.rb<br />
/lib/modules/3.6.11-cutdown/kernel/drivers/net/wireless/rtl8192cu<br />
/lib/modules/3.6.11-cutdown/kernel/drivers/net/wireless/rtl8192cu/8192cu.ko<br />
/lib/firmware/rtlwifi/rtl8192defw.bin<br />
/lib/firmware/rtlwifi/rtl8192cfwU.bin<br />
/lib/firmware/rtlwifi/rtl8192cfw.bin<br />
/lib/firmware/rtlwifi/rtl8192cfwU_B.bin<br />
/lib/firmware/rtlwifi/rtl8192cufw.bin<br />
/lib/firmware/rtlwifi/rtl8192sefw.bin<br />
/lib/firmware/RTL8192E<br />
/usr/share/exploitdb/platforms/php/webapps/18192.txt</blockquote>
As no driver was loaded automatically, I've tried to load the module manually:<br />
<blockquote class="tr_bq">
root@kali:~# modprobe 8192cu </blockquote>
<blockquote>
root@kali:~# lsmod</blockquote>
<blockquote>
Module Size Used by<br />
ipv6 207600 12<br />
<b>8192cu 411588 0</b><br />
leds_gpio 1668 0<br />
led_class 1788 1 leds_gpio</blockquote>
So the driver is loaded and now we can bring up the interface:<br />
<blockquote class="tr_bq">
root@kali:~# ifconfig wlan0 up</blockquote>
<blockquote class="tr_bq">
root@kali:~# ifconfig wlan0<br />
wlan0 Link encap:Ethernet Hardware Adresse 80:1f:02:b3:50:8b<br />
UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1<br />
RX packets:0 errors:0 dropped:0 overruns:0 frame:0<br />
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0<br />
Kollisionen:0 Sendewarteschlangenlänge:1000<br />
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)</blockquote>
You can make a quick scan of available wifi networks via:<br />
<blockquote class="tr_bq">
root@kali:~# iwlist wlan0 scan</blockquote>
Now you can either use the graphical WiFi manager or you can configure your WiFi via terminal, which is what I did. Just add the following lines to your /etc/network/interfaces:<br />
<blockquote class="tr_bq">
auto wlan0<br />
iface wlan0 inet dhcp<br />
wpa-ssid <your SSID here><br />
wpa-psk <your wlan-key here></blockquote>
After restarting the network you should have a working wifi connection.<br />
<blockquote class="tr_bq">
root@kali:~# service networking restart</blockquote>
<div>
<br /></div>
<div>
<br />
Note:<br />
If you're using a hidden SSID you should read the <a href="http://www.raspberrypi.org/phpBB3/viewtopic.php?t=22769&p=214072">following thread</a>.</div>
<br />
Additional, useful Unix tools in Kali via apt-get (2013-08-31)<br />
Hey there,<br />
<br />
just today I found a new useful Linux command called "mtr". OK, this tool has been available since the late '90s, but for me it was new. It is an enhanced traceroute and is much quicker than traceroute, as it combines traceroute with ping, and you can gather much more information with mtr than with traceroute. As I also install some more useful Unix commands via apt-get on my Kali Linux for Raspberry Pi, I'll give a short overview of them (also as a reminder for me):<br />
<br />
- <a href="http://www.bitwizard.nl/mtr/">mtr</a> (as explained above, much more powerful than traceroute)<br />
- <a href="http://htop.sourceforge.net/">htop</a> (nicer view than the normal top)<br />
- <a href="http://dag.wieers.com/home-made/dstat/">dstat</a> (nice view of resource consumption with timestamp, e.g. dstat --tclmgry)<br />
- <a href="http://mama.indstate.edu/users/ice/tree/">tree</a> (shorter and much more powerful version of "find . -type d")<br />
- <a href="http://links.twibright.com/">links</a> (if you need a browser in the shell; it is no fun to surf the web in a cli, but sometimes it can be useful)<br />
- <a href="http://www.gnu.org/software/bc/bc.html">bc</a> (little calculator in the shell)<br />
- <a href="http://www.colordiff.org/screenshots.html">colordiff</a> (you can guess it by the name, it enhances diff by adding color)<br />
- <a href="http://tmux.sourceforge.net/">tmux</a> (alternative to <a href="http://www.gnu.org/software/screen/screen.html">screen</a>)<br />
- <a href="http://www.vim.org/">vim</a> (no, I don't use emacs ;-)<br />
<br />
A really great tool is tmux, which makes your life in the shell much easier. You should read the <a href="http://www.openbsd.org/faq/faq7.html#tmux">FAQ of OpenBSD on tmux</a> for a quick'n'dirty introduction to it.<br />
<br />
If you have any commands that are also useful for you regarding pentesting or to work more efficiently just leave a comment.<br />
<br />
Another very useful tool for Mac OS X, regarding ssh is <a href="https://code.google.com/p/csshx/">csshX</a>. You can install it easily via <a href="http://brew.sh/">homebrew</a> on your Mac and you can manage different ssh sessions at once and you have also a master window that sends all input to every ssh session. Pretty neat.<br />
<br />
<br />
Raspberry PI and Pentesting (2013-08-28)<br />
Hey everybody,<br />
<br />
I've got a Raspberry PI for one year now and at the beginning I was just playing around with it as Media Center, but then it was laying around and I didn't use it for several months.<br />
<br />
This had to change, so I ordered an HDMI2DVI cable from <a href="http://www.amazon.de/AmazonBasics-HDMI-DVI-Adapterkabel-Meter/dp/B001TH7T2U/ref=sr_1_1?ie=UTF8&qid=1359266303&sr=8-1">Amazon</a>, as I wanted to use it on my monitor that has only DVI and no HDMI. I also ordered a <a href="http://www.amazon.de/gp/product/B007PYBOEU/ref=wms_ohs_product">16 GB SanDisk Class 10 Ultra SDHC memory card</a>. You can find a detailed overview of memory cards that work with the Raspberry Pi <a href="http://elinux.org/RPi_SD_cards">here</a>.<br />
<br />
<a href="http://elinux.org/RPi_Distributions">Here</a> you can find a list of several distributions available for the Raspberry Pi. <a href="http://elinux.org/RPi_Easy_SD_Card_Setup" target="_blank">Here</a> are also detailed general instructions for writing an image to a memory card on Linux, Windows and Mac OS.<br />
<br />
There are some Raspberry Pi distributions available, that can be used for Pentesting:<br />
<ul>
<li><a href="http://www.kali.org/downloads/">Kali</a> Version 1.0.4 is the latest as of this writing</li>
<li><a href="http://pwnpi.sourceforge.net/index.html">PwnPi</a></li>
<li><a href="https://github.com/pwnieexpress/Raspberry-Pwn">Raspberry-Pwn</a></li>
</ul>
I installed the Kali image, as it is most likely that this distribution will be maintained better than the other two. PwnPi and Raspberry Pwn are both from 2012.<br />
<br />
If you install the Kali <a href="http://docs.kali.org/armel-armhf/install-kali-linux-arm-raspberry-pi">image on a Unix system</a>, just use dd:<br />
<br />
<blockquote class="tr_bq">
root@kali:~ dd if=kali-pi.img of=/dev/sdb bs=512k</blockquote>
<br />
Of course you need to change /dev/sdb to your actual device where you want to write the image to.<br />
<br />
If you install the Kali image to the memory card on a Windows system, you can use <a href="http://sourceforge.net/projects/win32diskimager/files/latest/download?source=navbar" target="_blank">Win32 Disk Imager</a>.<br />
<br />
After installation just plug the memory card into your Raspberry Pi and boot up Kali Linux. After logging in with user root and password toor, you should reset the root password and start the ssh service. The basics for Kali can be found <a href="http://www.backtrack-linux.org/wiki/index.php/Basic_Usage" target="_blank">here</a>.<br />
<br />
If you connect now via ssh to your Raspberry Pi and ask yourself: "How can I start tools that need a X-Server?", just do the following on your Linux / Mac OS X client:<br />
<br />
<blockquote class="tr_bq">
ssh -X <username>@<IP-of-Raspberry-Pi></blockquote>
<br />
After you connected to it you can start for example wireshark and it will pop up on your client but will run on your Raspberry Pi. So you don't need any monitor or keyboard on it, you can do anything from remote.<br />
<br />
If you are using Windows, you can also do this trick via the -X flag. You just need to install an X-Server on your windows machine, like <a href="http://www.straightrunning.com/XmingNotes/" target="_blank">Xming</a> and connect via <a href="http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html" target="_blank">Putty</a>.<br />
<br />
To automatically start ssh during the boot process, just execute the following command:<br />
<blockquote class="tr_bq">
update-rc.d ssh enable </blockquote>
Now you have a simple little pentesting gadget that you can use either to support you during onsite penetration tests or as an intruder showcase: show your management or customer how easily an attacker could hide such a device in the suspended ceiling of the office and eavesdrop on the network.<br />
<br />
<br />sushi2khttp://www.blogger.com/profile/11236463824694070616noreply@blogger.com0tag:blogger.com,1999:blog-835099560646814381.post-88723014262985697532013-08-19T11:43:00.000+02:002013-08-19T11:43:07.002+02:00Killing (Deleting) Facebook Account - quick'n'dirtyHi there,<br />
<br />
I've been registered at Facebook since 2009. Now I've killed my account. There are several reasons for this:<br />
<br />
- Since I registered, the spam and ads have been increasing, and now Facebook wants users to watch ad videos in their timeline. So Facebook is just an advertising rostrum.<br />
- I've registered at <a href="https://join.app.net/">ADN</a> and really like it much more than Twitter or Facebook. I have to pay for it, but that's totally worth it as there are no ads.<br />
- I don't want Facebook to track me and my behavior, and Facebook has no real value to me anymore when compared to all the privacy issues.<br />
- Instead of clicking dumb Like buttons on things people talk about, I want to talk to a few people in real life or chit-chat via phone without any distractions. I didn't even concentrate on the conversation when chatting via Facebook, as I was always doing something on the side, like googling, scrolling the Facebook timeline etc. Of course that's no real argument against Facebook, but a behavior that I want to change, and Facebook is not supporting me in achieving this.<br />
- Several weeks ago I read a tweet (unfortunately I don't have a link to it) saying that Facebook is the new "going to the kitchen and looking in the fridge". And that's exactly how I feel when I'm using Facebook; sometimes I just think it's a waste of time.<br />
<br />
So this is what I've done:<br />
<br />
1. I requested a copy of all my Facebook data. You can make this request by going to your preferences and clicking on the link "download your Facebook data". An e-mail with a download link will be sent to you. I got the e-mail after a few minutes and downloaded the archive.<br />
<br />
2. As I couldn't find a button for deleting my account in the preferences (I expected the delete button to be hard to find), I found the following link in a blog:<br />
<br />
<a href="https://www.facebook.com/help/delete_account">https://www.facebook.com/help/delete_account</a><br />
<br />
3. After clicking on this link your account is deleted, but only if you don't log in for the next 14 days. If you log in, your account will be reactivated.<br />
<br />
4. Use your free time wisely :-)<br />
<br />
<br />sushi2khttp://www.blogger.com/profile/11236463824694070616noreply@blogger.com0tag:blogger.com,1999:blog-835099560646814381.post-27500075961546918652013-01-20T08:28:00.001+01:002013-09-16T05:32:31.645+02:00OVA VMware FusionHey there,<br />
<br />
I'm using VMware Fusion version 4 and wanted to open a .ova file. I just wanted to play around a little on https://www.hacking-lab.com/, and they provide a full virtual machine that is ready to connect to their test network via VPN. Unfortunately VMware Fusion 4 won't open it. According to the docs for VMware Fusion 5 you can import an .ova file directly (http://pubs.vmware.com/fusion-5/index.jsp?topic=%2Fcom.vmware.fusion.help.doc%2FGUID-275EF202-CF74-43BF-A9E9-351488E16030.html), but that's not working in VMware Fusion 4.<br />
<br />
I found a tool called OVF Tool by VMware. You can download it here:<br />
<br />
https://my.vmware.com/group/vmware/get-download?downloadGroup=OVF-TOOL-3-0-1 (you will need an account on VMware to download it)<br />
<br />
After installation the ovftool command is available in "/Applications/VMware OVF Tool" on the command line.<br />
<br />
<a href="http://www.vmware.com/support/developer/ovf/ovf301/ovftool-301-userguide.pdf">Here</a> you can get the full user guide of ovftool, or just enter<br />
<br />
# ./ovftool --help<br />
<br />
at the command prompt in the folder "/Applications/VMware OVF Tool".<br />
<br />
With the following command I could convert the .ova to a .vmwarevm bundle. You just pass the source file and the target path where you want to save it:<br />
<br />
./ovftool /Users/<username>/Downloads/lcd596vmware8.ova /Users/<username>/Downloads/lcd596vmware8.vmwarevm<br />
<br />
<br />
Maybe you can also convert it to .vmx or another, more space-efficient format, because the file size grew from 2.6 GB to 7 GB: an OVA holds compressed, stream-optimized disks that ovftool expands on conversion. But at least I can open it now.<br />
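An .ova is just a tar archive holding the .ovf descriptor, the disk files and a manifest (.mf) with one SHA1(file)= or SHA256(file)= line per member. ovftool checks that manifest itself during conversion (you would have to pass --skipManifestCheck to turn that off); if you unpack an appliance by hand with tar instead, the following POSIX sh script reproduces the check. It is an added example, not part of the post or of VMware's tooling, and the directory layout and file names it assumes are this example's own.

```shell
#!/bin/sh
# Added example, not from the post: verify the manifest (.mf) of an OVA that has
# been unpacked with  tar xf appliance.ova -C DIR .  Each manifest line has the
# form  SHA1(name)= hex  or  SHA256(name)= hex .  Any missing, mismatching or
# unsupported entry makes verify_manifest return non-zero.

# digest ALGO FILE -> hex digest via coreutils sha1sum/sha256sum; 2 if ALGO unknown
digest() {
    case "$1" in
        SHA1)   sha1sum "$2"   | awk '{print $1}' ;;
        SHA256) sha256sum "$2" | awk '{print $1}' ;;
        *)      return 2 ;;
    esac
}

# verify_manifest DIR -> 0 only if every entry of DIR/*.mf matches the file on disk
verify_manifest() {
    dir="$1"
    mf=$(ls "$dir"/*.mf 2>/dev/null | head -n 1)
    [ -n "$mf" ] || { echo "no manifest in $dir" >&2; return 1; }
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        algo=${line%%\(*}                       # text before the first "("
        rest=${line#*\(}
        name=${rest%%\)*}                       # text between "(" and ")"
        expected=$(printf '%s' "${rest#*\)=}" | tr -d ' \r' | tr 'A-F' 'a-f')
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING     $name" >&2; status=1; continue
        fi
        if ! actual=$(digest "$algo" "$dir/$name"); then
            echo "UNSUPPORTED $algo for $name" >&2; status=1; continue
        fi
        if [ "$actual" = "$expected" ]; then
            echo "OK          $name"
        else
            echo "MISMATCH    $name" >&2; status=1
        fi
    done < "$mf"
    return $status
}

# usage: ./verify-ova.sh DIR   (DIR is where the .ova was untarred)
if [ -n "$1" ]; then
    verify_manifest "$1"
fi
```

A clean manifest only proves the archive is internally consistent, not who built it; for that the OVA would also need a .cert file signed by a key you trust.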
<br />sushi2khttp://www.blogger.com/profile/11236463824694070616noreply@blogger.com1tag:blogger.com,1999:blog-835099560646814381.post-93540455360274942012-10-15T07:30:00.002+02:002012-11-02T21:11:49.647+01:00Rebuild MiniPwnerHi,<br />
<br />
I just wanted to use my MiniPwner again after some months in which it was just sitting on my desk, and unfortunately I forgot the password and also hadn't written it down in my KeePass file.<br />
<br />
So I had to reinstall it. Luckily there is a <a href="http://www.minipwner.com/index.php/minipwner-support-faq">rebuilding instruction</a> for the MiniPwner in case something went wrong with your MiniPwner (or you just forgot the password ;-) ).<br />
<br />
<strike>In the rebuilding instructions it is mentioned to get the "squash-sysupgrade.bin". I couldn't get it on this URL as <a href="http://downloads.openwrt.org/snapshots/trunk/ar71xx">the folder is empty</a>. So I used the latest firmware "openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory" for the TP-Link router from <a href="http://downloads.openwrt.org/attitude_adjustment/12.09-beta/ar71xx/generic/">this directory </a>on openwrt. The MD5Sum I got was:</strike><br />
<strike><br /></strike>
<strike><br /></strike>
<blockquote class="tr_bq">
<strike>root@Pulse:/tmp# md5sum owrt.bin</strike><br />
<strike>5d7bac7b467c42e215c60fcd0a00cc01</strike></blockquote>
The image is available <a href="http://downloads.openwrt.org/snapshots/trunk/ar71xx/">again</a>.<br />
<br />
On the client where you've placed the OpenWrt image, start a netcat listener that serves the file:<br />
<br />
# nc -l -p 3333 < openwrt-ar71xx-generic-tl-wr703n-v1-squashfs-factory.bin<br />
<br />
On your TP-Link now just get the image via netcat:<br />
<br />
# nc 192.168.1.2 3333 > /tmp/owrt.bin<br />
<br />
The file should be on your TP-Link within a few seconds. Wait until nc on the router exits (or the file stops growing) before aborting, otherwise you end up with a truncated image, and compare the md5sum output on both sides before writing anything to flash. Then install the firmware (-r reboots the device after writing):<br />
<br />
# mtd -r write /tmp/owrt.bin firmware<br />
<div>
<br /></div>
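The steps above move the image with nc and hand it straight to mtd. As an added example that is not from the post or from minipwner.com, here is a POSIX sh script (BusyBox ash on the router side) for both ends of the transfer: the sender prints the image's size and md5, and the router refuses to run mtd unless the received file matches both, which catches the truncated file you get from aborting nc too early. The port, the /tmp path and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the post or minipwner.com: move the OpenWrt image to
# the TL-WR703N over netcat and refuse to flash it unless size and md5 match
# what the sender reported. Aborting nc "after a few seconds" can truncate the
# file, and mtd will write a truncated image without complaint.

# --- client side (the machine holding the image) ---------------------------
# serve_image FILE PORT: print size and md5 for the operator, then serve FILE once.
serve_image() {
    f="$1"; port="$2"
    echo "size: $(wc -c < "$f" | tr -d ' ')  md5: $(md5sum "$f" | awk '{print $1}')"
    nc -l -p "$port" < "$f"            # GNU netcat syntax, as in the post
}

# --- router side (BusyBox ash on OpenWrt) ----------------------------------
# check_image FILE EXPECTED_MD5 EXPECTED_SIZE -> 0 only if both values match
check_image() {
    f="$1"; want_md5="$2"; want_size="$3"
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" = "$want_size" ] || { echo "size $size != $want_size (truncated transfer?)" >&2; return 1; }
    got_md5=$(md5sum "$f" | awk '{print $1}')
    [ "$got_md5" = "$want_md5" ] || { echo "md5 $got_md5 != $want_md5" >&2; return 1; }
}

# fetch_and_flash HOST PORT EXPECTED_MD5 EXPECTED_SIZE
fetch_and_flash() {
    # BusyBox nc exits when the sender closes the connection; if it hangs,
    # Ctrl-C it and let check_image decide whether the file is complete.
    nc "$1" "$2" > /tmp/owrt.bin
    check_image /tmp/owrt.bin "$3" "$4" || { echo "not flashing /tmp/owrt.bin" >&2; return 1; }
    mtd -r write /tmp/owrt.bin firmware   # -r reboots after the write
}

# usage:  ./nc-flash.sh serve openwrt-...-factory.bin 3333        (on the client)
#         ./nc-flash.sh flash 192.168.1.2 3333 <md5> <size>       (on the router)
case "$1" in
    serve) serve_image "$2" "$3" ;;
    flash) fetch_and_flash "$2" "$3" "$4" "$5" ;;
esac
```

Everything used on the router side (nc, wc, md5sum, awk, mtd) is in the stock OpenWrt BusyBox, so the script can be pasted into the telnet session before the flash.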
<div>
After the installation of the firmware is done, which shouldn't take longer than one or two minutes, you need to set the interface of the client that is connected to the TP-Link to DHCP. The IP of the TP-Link should be 192.168.1.1. You can now telnet to this IP:<br />
<br />
<br />
<blockquote class="tr_bq">
$ telnet 192.168.1.1<br />
Trying 192.168.1.1...<br />
Connected to 192.168.1.1.<br />
Escape character is '^]'.<br />
=== IMPORTANT ============================<br />
Use 'passwd' to set your login password<br />
this will disable telnet and enable SSH<br />
------------------------------------------<br />
<br />
BusyBox v1.19.4 (2012-08-26 12:49:54 UTC) built-in shell (ash)<br />
Enter 'help' for a list of built-in commands.<br />
_______ ________ __<br />
| |.-----.-----.-----.| | | |.----.| |_<br />
| - || _ | -__| || | | || _|| _|<br />
|_______|| __|_____|__|__||________||__| |____|<br />
|__| W I R E L E S S F R E E D O M<br />
-----------------------------------------------------<br />
ATTITUDE ADJUSTMENT (12.09-beta, r33312)<br />
-----------------------------------------------------<br />
* 1/4 oz Vodka Pour all ingredients into mixing<br />
* 1/4 oz Gin tin with ice, strain into glass.<br />
* 1/4 oz Amaretto<br />
* 1/4 oz Triple sec<br />
* 1/4 oz Peach schnapps<br />
* 1/4 oz Sour mix<br />
* 1 splash Cranberry juice<br />
-----------------------------------------------------<br />
root@OpenWrt:/# </blockquote>
<div>
You should now set a root password with passwd: as the banner says, this disables the unauthenticated telnet login and enables SSH, so you can log in via ssh in the future. Then you can ssh to your TP-Link and continue the <a href="http://www.minipwner.com/index.php/minipwner-build">installation instructions</a> on minipwner.com at step 12.</div>
<br />
You can also navigate now to the Webgui under http://192.168.1.1/cgi-bin/luci.<br />
<h3>
<b>IMPORTANT:</b></h3>
<br />
<strike>Right now it is not possible to execute "opkg update" as all the files in http://downloads.openwrt.org/snapshots/trunk/ are missing. There are several tickets about this issue, <a href="https://dev.openwrt.org/ticket/12257">here</a> and <a href="https://dev.openwrt.org/ticket/12275">here</a>.</strike><br />
<strike><br /></strike>
<strike>But they are both almost 2 weeks old and it's not clear when the files are coming back. So here is what I did (thanks to flyingstar16, who posted this hint in one of the tickets):</strike><br />
<strike><br /></strike>
<strike>1. Comment out the lines in /etc/opkg/xwrt.conf</strike><br />
<strike><br /></strike>
<blockquote class="tr_bq">
<strike>root@Pulse:/etc# vim opkg/xwrt.conf</strike><br />
<strike>#src/gz X-Wrt http://downloads.x-wrt.org/xwrt/snapshots/trunk/ar71xx/packages</strike></blockquote>
<strike><br /></strike>
<strike>2. Comment out the line to http://downloads.openwrt.org/snapshots/trunk/ar71xx/packages as it is not working and add the line "src/gz attitude_adjustment http://downloads.openwrt.org/attitude_adjustment/12.09-beta/ar71xx/generic/packages"</strike><br />
<strike><br /></strike>
<strike>root@Pulse:/etc# vim opkg.conf</strike><br />
<strike><br /></strike>
<strike><br /></strike>
<blockquote class="tr_bq">
<strike>src/gz attitude_adjustment http://downloads.openwrt.org/attitude_adjustment/12.09-beta/ar71xx/generic/packages</strike></blockquote>
<blockquote class="tr_bq">
<strike>#src/gz snapshots http://downloads.openwrt.org/snapshots/trunk/ar71xx/packages</strike><br />
<strike>dest root /</strike><br />
<strike>dest ram /tmp</strike><br />
<strike>lists_dir ext /var/opkg-lists</strike><br />
<strike>option overlay_root /overlay</strike></blockquote>
<strike><br /></strike>
<strike>3. Now you can execute opkg update.</strike><br />
<br />
<br />
<b>Some other hints:</b><br />
<br />
When copying all the files in step 19 in /etc/ to make a backup of them, I didn't have a firewall config or fstab. See my output:<br />
<br />
<br />
<blockquote class="tr_bq">
root@OpenWrt:/usr/share# cp -f /etc/config/network /etc/config/network.orig<br />
root@OpenWrt:/usr/share# cp -f /etc/config/wireless /etc/config/wireless.orig<br />
root@OpenWrt:/usr/share# cp -f /etc/config/firewall /etc/config/firewall.orig<br />
root@OpenWrt:/usr/share# cp -f /etc/profile /etc/profile.orig<br />
root@OpenWrt:/usr/share# cp -f /etc/config/fstab /etc/config/fstab.orig<br />
cp: can't stat '/etc/config/fstab': No such file or directory<br />
root@OpenWrt:/usr/share# cp -f /etc/opkg.conf /etc/opkg.conf.orig<br />
root@OpenWrt:/usr/share# cp -f /etc/config/system /etc/config/system.orig<br />
root@OpenWrt:/usr/share# cp -f /etc/config/dhcp /etc/config/dhcp.orig<br />
root@OpenWrt:/usr/share# cp -f ./network.1 /etc/config/network<br />
cp: can't stat './network.1': No such file or directory<br />
root@OpenWrt:/usr/share# cp -f ./wireless.1 /etc/config/wireless<br />
cp: can't stat './wireless.1': No such file or directory<br />
root@OpenWrt:/usr/share# cp -f firewall.1 /etc/config/firewall<br />
cp: can't stat 'firewall.1': No such file or directory</blockquote>
<br />
<div>
But everything worked fine. I also skipped steps 20 and 21 as the right MAC address for WiFi was already in the config. </div>
<br />
Here is a good explanation how to <a href="http://wiki.openwrt.org/doc/uci/wireless">configure WiFi in OpenWRT</a>.<br />
<br /></div>
<div>
Have fun.</div>
sushi2khttp://www.blogger.com/profile/11236463824694070616noreply@blogger.com0tag:blogger.com,1999:blog-835099560646814381.post-35654305996138206422012-09-23T20:03:00.001+02:002012-09-23T20:03:06.088+02:00Setup a MailserverHi,<br />
<br />
this post is not about pentesting, but this weekend I had to move a friend's domain to my Debian server. After moving the domain I also needed to set up an (IMAP) mail server. I'm not very good at configuring a whole mail server system, but I found this really great tutorial:<br />
<br />
http://workaround.org/ispmail/squeeze/<br />
<br />
It worked like a charm. And if you have a problem, just look in the comments; someone has surely had the same problem already. If not, look in /var/log/mail.log ;-)<br />
<br />
Cheers.sushi2khttp://www.blogger.com/profile/11236463824694070616noreply@blogger.com0tag:blogger.com,1999:blog-835099560646814381.post-16736485463869073162012-09-06T23:28:00.000+02:002012-09-06T23:28:33.872+02:00Perl and https requestsHi there,<br />
<br />
today I was in the mood to write a little Perl script that I need for a project. To get it working, the script has to make some HTTPS requests.<br />
<br />
First I installed LWP::UserAgent and HTTP::Request via cpanm. Then I wrote a basic script that performs an HTTP request. I'm only interested in the headers, so I don't print the body (I found this little code snippet <a href="http://www.webmasterworld.com/perl/3820935.htm">here</a>).<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvBrdBy1fymGR5s3uA82ux4guFqL33fnpsESx1UNIUpkRLuSHFTOhegF234uDILBzSkYRpOaFRbiAXYZLe-xGkAvMZPG4rsDpHZ-qK6xOA0sHefxgLpetrM948cGWvjZuEmfz-WQjPaEKt/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> #!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

my $URL = 'http://www.example.com/';
my $agent = LWP::UserAgent->new(env_proxy => 1, keep_alive => 1, timeout => 30);
# Plain GET request; the third argument of HTTP::Request->new takes an
# HTTP::Headers object or arrayref, not another HTTP::Request.
my $request  = HTTP::Request->new(GET => $URL);
my $response = $agent->request($request);
if ($response->is_success) {
    # Only the response headers are of interest, the body is never printed
    print "URL:$URL\nHeaders:\n";
    print $response->headers_as_string;
} else {
    print "Error:$URL\n";
    print $response->error_as_HTML;
}
</code></pre>
<br />
This worked very well for me, but I needed to make an HTTPS request. When I ran the same script with https instead of http I got the following error:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvBrdBy1fymGR5s3uA82ux4guFqL33fnpsESx1UNIUpkRLuSHFTOhegF234uDILBzSkYRpOaFRbiAXYZLe-xGkAvMZPG4rsDpHZ-qK6xOA0sHefxgLpetrM948cGWvjZuEmfz-WQjPaEKt/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> Error:https://www.example.com/
<html>
<head><title>An Error Occurred</title></head>
<body>
<h1>An Error Occurred</h1>
<p>501 Protocol scheme 'https' is not supported (LWP::Protocol::https not installed)</p>
</body>
</html>
</code></pre>
<div>
<br />
So I needed to install LWP::Protocol::https, but this wasn't working:</div>
<div>
<br /></div>
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvBrdBy1fymGR5s3uA82ux4guFqL33fnpsESx1UNIUpkRLuSHFTOhegF234uDILBzSkYRpOaFRbiAXYZLe-xGkAvMZPG4rsDpHZ-qK6xOA0sHefxgLpetrM948cGWvjZuEmfz-WQjPaEKt/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> $ sudo cpanm LWP::Protocol::https
--> Working on LWP::Protocol::https
Fetching http://www.cpan.org/authors/id/G/GA/GAAS/LWP-Protocol-https-6.03.tar.gz ... OK
Configuring LWP-Protocol-https-6.03 ... OK
==> Found dependencies: IO::Socket::SSL
--> Working on IO::Socket::SSL
Fetching http://www.cpan.org/authors/id/S/SU/SULLR/IO-Socket-SSL-1.76.tar.gz ... OK
Configuring IO-Socket-SSL-1.76 ... OK
==> Found dependencies: Net::SSLeay
--> Working on Net::SSLeay
Fetching http://www.cpan.org/authors/id/M/MI/MIKEM/Net-SSLeay-1.48.tar.gz ... OK
Configuring Net-SSLeay-1.48 ... OK
Building and testing Net-SSLeay-1.48 ... FAIL
! Installing Net::SSLeay failed. See /root/.cpanm/build.log for details.
! Bailing out the installation for IO-Socket-SSL-1.76. Retry with --prompt or --force.
! Bailing out the installation for LWP-Protocol-https-6.03. Retry with --prompt or --force. </code></pre>
<br />
OpenSSL itself was installed, but Net::SSLeay is an XS module that is compiled against the OpenSSL headers, so I needed to install "build-essential libssl-dev" to get the installation of LWP::Protocol::https working:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvBrdBy1fymGR5s3uA82ux4guFqL33fnpsESx1UNIUpkRLuSHFTOhegF234uDILBzSkYRpOaFRbiAXYZLe-xGkAvMZPG4rsDpHZ-qK6xOA0sHefxgLpetrM948cGWvjZuEmfz-WQjPaEKt/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> $ sudo apt-get install build-essential libssl-dev
</code></pre>
<br />
Now https requests can be made with perl:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvBrdBy1fymGR5s3uA82ux4guFqL33fnpsESx1UNIUpkRLuSHFTOhegF234uDILBzSkYRpOaFRbiAXYZLe-xGkAvMZPG4rsDpHZ-qK6xOA0sHefxgLpetrM948cGWvjZuEmfz-WQjPaEKt/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> #!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

my $URL = 'https://www.twitter.com/';
# verify_hostname => 1 makes LWP check the server certificate against the
# CA store and the requested hostname; it is the LWP 6 default, but spell it out.
my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 1 });
my $request  = HTTP::Request->new(GET => $URL);
# $ua->request follows redirects; use $ua->simple_request($request) or
# max_redirect => 0 in the constructor to inspect the very first response.
my $response = $ua->request($request);
if ($response->is_success) {
    print "URL:$URL\nHeaders:\n";
    print $response->headers_as_string;
} else {
    print "Error:$URL\n";
    print $response->error_as_HTML;
}
</code></pre>
<br />
Response for https://www.twitter.com/. Note the Client-Peer: ...:80 and Content-Base: http://twitter.com/ headers below: LWP followed a redirect, so the headers printed are those of the final, plain-HTTP response and not of the TLS endpoint on port 443. To see the first response only, use $ua->simple_request($request) or set max_redirect => 0 in the constructor.<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvBrdBy1fymGR5s3uA82ux4guFqL33fnpsESx1UNIUpkRLuSHFTOhegF234uDILBzSkYRpOaFRbiAXYZLe-xGkAvMZPG4rsDpHZ-qK6xOA0sHefxgLpetrM948cGWvjZuEmfz-WQjPaEKt/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">
$ ./hsts.pl
URL:https://www.twitter.com/
Headers:
Cache-Control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
Date: Thu, 06 Sep 2012 21:22:33 GMT
Pragma: no-cache
ETag: "f7a8e95e2978ac6f73209336152b9495"
Server: tfe
Vary: Accept-Encoding
Content-Length: 47126
Content-Type: text/html; charset=utf-8
Expires: Tue, 31 Mar 1981 05:00:00 GMT
Last-Modified: Thu, 06 Sep 2012 21:22:33 GMT
Client-Date: Thu, 06 Sep 2012 21:22:33 GMT
Client-Peer: 199.59.148.10:80
Client-Response-Num: 1
Content-Base: http://twitter.com/
Link: <http://a0.twimg.com>; rel="dns-prefetch"
Link: <http://api.twitter.com>; rel="dns-prefetch"
Link: </favicons/favicon.ico>; rel="shortcut icon"; type="image/x-icon"
Link: <http://a0.twimg.com/a/1346884958/t1/css/t1_core_logged_out.bundle.css>; media="screen"; rel="stylesheet"; type="text/css"
Link: <https://twitter.com/>; rel="canonical"
Link: <http://a0.twimg.com/a/1346884958/t1/css/t1_more.bundle.css>; media="screen"; rel="stylesheet"; type="text/css"
Refresh: 0; URL=/?_twitter_noscript=1
Set-Cookie: k=10.36.21.101.1346966553057924; path=/; expires=Thu, 13-Sep-12 21:22:33 GMT; domain=.twitter.com
Set-Cookie: guest_id=v1%3A134696655306150737; domain=.twitter.com; path=/; expires=Sun, 07-Sep-2014 09:22:33 GMT
Set-Cookie: _twitter_sess=BAh7CSIKZmxhc2hJQzonQWN0aW9uQ29udHJvbGxlcjo6Rmxhc2g6OkZsYXNo%250ASGFzaHsABjoKQHVzZWR7ADoPY3JlYXRlZF9hdGwrCOaBdp05AToMY3NyZl9p%250AZCIlNThkNmZkYjY2ODJjNTc0MzY0YTY2Y2M0YjI0OGU2NWE6B2lkIiUwMmUz%250AZTJjY2VkMjFiYWNmZjQ5MmI2MjQyNWU5ZTJiMw%253D%253D--7d08430b6a85e0006ac4c062a4218d5cf841f564; domain=.twitter.com; path=/; HttpOnly
Status: 200 OK
Title: Twitter
X-Frame-Options: SAMEORIGIN
X-Meta-Charset: utf-8
X-Meta-Description: Verbinde Dich sofort mit den Dingen, die fĂĽr Dich am wichtigsten sind. Folge Freunden, Experten, Lieblingsstars und aktuellen Nachrichten.
X-MID: e88c4d8fc53fc1466f24f3cbc905d24fd89af901
X-Runtime: 0.07026
X-Transaction: 4998cc5789e9b2c0
X-UA-Compatible: IE=edge
X-XSS-Protection: 1; mode=block
</code></pre>
<br />
<br />
First step is done :-)sushi2khttp://www.blogger.com/profile/11236463824694070616noreply@blogger.com0tag:blogger.com,1999:blog-835099560646814381.post-23670530593129799222012-09-02T09:43:00.000+02:002012-09-02T09:43:13.599+02:00Vulnerable Web ApplicationsHey there,<br />
<br />
really a long time without a new post, but hopefully this will change in the future.<br />
<br />
In <a href="http://pen-testing-lab.blogspot.de/2011/12/setting-up-pen-test-lab-with-vulnerable.html">this</a> post I listed some vulnerable VMs that can be used for pentesting at home. There are also several vulnerable web applications available for this purpose. I've found a really <a href="http://securitythoughts.wordpress.com/2010/03/22/vulnerable-web-applications-for-learning/">great overview</a> of vulnerable web applications.<br />
<br />
For local testing I will now use <a href="http://www.dvwa.co.uk/">Damn Vulnerable Web Application</a> (DVWA).<br />
<br />
Here is a short description about DVWA copied from the DVWA website:<br />
<blockquote class="tr_bq">
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.</blockquote>
So the only thing you need after downloading DVWA is an Apache/PHP/MySQL environment. This is easily done with <a href="http://www.apachefriends.org/en/xampp.html">XAMPP</a>, a full package containing the Apache web server with PHP and a MySQL database, available for many platforms (Mac OS X / Windows / Linux / Solaris). Since DVWA is deliberately vulnerable, keep that XAMPP instance listening on localhost only or inside an isolated VM, and never expose it to a network you care about.<br />
<br />Hopefully I will have some time to execute a pentest against DVWA and to post some findings about it :-)<div>
<br /></div>
<div>
<br /></div>
sushi2khttp://www.blogger.com/profile/11236463824694070616noreply@blogger.com0tag:blogger.com,1999:blog-835099560646814381.post-73625021083729233542012-03-13T09:31:00.000+01:002012-03-13T09:31:43.557+01:00MiniPwnerHey folks,<br />
<br />
after waiting for two months my TP-Link router finally arrived yesterday. I'm not quite happy with how the order was processed by volumerates.com. I ordered the TP-Link on the 16th of January, and volumerates stated in the automated e-mail (after buying the router) that customers should write an e-mail to them if they didn't get any response from volumerates.com within one week.<br />
I didn't get any response within one week, so I decided to write an e-mail to them. => No answer.<br />
After another 4 weeks (I was on vacation abroad) still no answer. So I wrote another e-mail. => No answer.<br />
Then I opened a ticket on http://www.volumerates.com/. => No answer.<br />
I had no information at all for two months, and there were also no e-mails in my spam folder. Just one reply to my e-mail saying that it would take one or two months would have been very good. I already thought my money was lost...<br />
<br />
The happy part though is that it finally arrived and the installation instruction on<a href="http://www.minipwner.com/index.php/minipwner-build"> MiniPwner.com</a> worked as a charm.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRaW2w8zNmPaHUH2w7oBgeo9Yn16tVpo9gQfCWYfORC5r4ddy4c14utlIarpSE1xOP2bGJyxnrZooxYThy3X2CbmvHjQhY_SJbJqhd2kgFqArb7cxPPOTr8R8gcN7D7G4fc_9uzTZH58w/s1600/IMG_1008.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRaW2w8zNmPaHUH2w7oBgeo9Yn16tVpo9gQfCWYfORC5r4ddy4c14utlIarpSE1xOP2bGJyxnrZooxYThy3X2CbmvHjQhY_SJbJqhd2kgFqArb7cxPPOTr8R8gcN7D7G4fc_9uzTZH58w/s320/IMG_1008.JPG" width="239" /></a></div>Now I've got a fully working pentesting device running OpenWRT, with an RJ45 port, Wi-Fi and one USB port. The USB port is already used by an 8 GB USB flash drive.<br />
<br />
Here a short overview of the installed tools so far:<br />
<br />
<blockquote class="tr_bq"><i>root@OpenWrt:~# opkg list<br />
aircrack-ng - 1.1-3<br />
base-files - 104-r30857<br />
base-files-network - 3<br />
blkid - 1.42-1<br />
block-mount - 0.2.0-7<br />
busybox - 1.19.3-10<br />
bzip2 - 1.0.6-1<br />
crda - 1.1.1-1<br />
dnsmasq - 2.59-2<br />
dropbear - 2011.54-2<br />
dsniff - 2.4b1-2<br />
elinks - 0.11.7-1<br />
firewall - 2-47<br />
hotplug2 - 1.0-beta-4<br />
iptables - 1.4.10-4<br />
iw - 3.3-1<br />
kernel - 3.2.9-1-7ca3c65ac3709dabad42d460596851da<br />
kismet-client - 2010-07-R1-1<br />
kismet-server - 2010-07-R1-1<br />
kmod-ath - 3.2.9+2012-02-27-1<br />
kmod-ath9k - 3.2.9+2012-02-27-1<br />
kmod-ath9k-common - 3.2.9+2012-02-27-1<br />
kmod-cfg80211 - 3.2.9+2012-02-27-1<br />
kmod-crypto-aes - 3.2.9-1<br />
kmod-crypto-arc4 - 3.2.9-1<br />
kmod-crypto-core - 3.2.9-1<br />
kmod-fs-ext4 - 3.2.9-1<br />
kmod-gpio-button-hotplug - 3.2.9-1<br />
kmod-ipt-conntrack - 3.2.9-1<br />
kmod-ipt-core - 3.2.9-1<br />
kmod-ipt-nat - 3.2.9-1<br />
kmod-ipt-nathelper - 3.2.9-1<br />
kmod-leds-gpio - 3.2.9-1<br />
kmod-ledtrig-usbdev - 3.2.9-1<br />
kmod-lib-crc-ccitt - 3.2.9-1<br />
kmod-lib-crc16 - 3.2.9-1<br />
kmod-mac80211 - 3.2.9+2012-02-27-1<br />
kmod-nls-base - 3.2.9-1<br />
kmod-ppp - 3.2.9-1<br />
kmod-pppoe - 3.2.9-1<br />
kmod-scsi-core - 3.2.9-1<br />
kmod-tun - 3.2.9-1<br />
kmod-usb-core - 3.2.9-1<br />
kmod-usb-ohci - 3.2.9-1<br />
kmod-usb-storage - 3.2.9-1<br />
kmod-usb2 - 3.2.9-1<br />
kmod-wdt-ath79 - 3.2.9-1<br />
libblkid - 1.42-1<br />
libbz2 - 1.0.6-1<br />
libc - 0.9.33-104<br />
libcom_err - 1.42-1<br />
libext2fs - 1.42-1<br />
libgcc - 4.6-linaro-104<br />
libgdbm - 1.9.1-2<br />
libip4tc - 1.4.10-4<br />
liblzo - 2.05-1<br />
libncurses - 5.7-5<br />
libnet0 - 1.0.2a-8<br />
libnids - 1.18-1<br />
libnl-tiny - 0.1-2<br />
libopenssl - 1.0.0g-1<br />
libpcap - 1.1.1-1<br />
libpcre - 8.11-2<br />
libpthread - 0.9.33-104<br />
libreadline - 5.2-2<br />
librpc - 0.9.32-rc2-0a2179bbc0844928f2a0ec01dba93d9b5d6d41a7<br />
libstdcpp - 4.6-linaro-104<br />
libuci - 2012-02-24.1-1<br />
libuuid - 1.42-1<br />
libxtables - 1.4.10-4<br />
mtd - 17<br />
nbtscan - 1.5.1<br />
netcat - 0.7.1-2<br />
nmap - 5.51-3<br />
openssh-sftp-client - 5.9p1-4<br />
openvpn - 2.2.1-5<br />
opkg - 618-2<br />
perl - 5.10.0-7<br />
ppp - 2.4.5-4<br />
ppp-mod-pppoe - 2.4.5-4<br />
samba2-client - 2.0.10-8<br />
samba2-common - 2.0.10-8<br />
snort - 2.8.4.1-3<br />
swap-utils - 2.13.0.1-4<br />
swconfig - 10<br />
tar - 1.23-1<br />
tcpdump - 4.2.1-1<br />
terminfo - 5.7-5<br />
uboot-envtools - 2011.06-4<br />
uci - 2012-02-24.1-1<br />
uclibcxx - 0.2.2-3<br />
wireless-tools - 29-4<br />
wpad-mini - 20111103-3<br />
yafc - 1.1.1-2<br />
zlib - 1.2.5-1</i></blockquote><div><br />
</div>sushi2khttp://www.blogger.com/profile/11236463824694070616noreply@blogger.com0tag:blogger.com,1999:blog-835099560646814381.post-27575554006200882692012-01-17T21:56:00.000+01:002012-01-17T21:57:30.544+01:00Pentesting Devices / GadgetsThere are three devices I have found, that can be very useful if you're executing a (physical) security pentest:<br />
<ul><li><a href="http://pwnieexpress.com/">Pwnie Express</a> </li>
<li><a href="http://theplugbot.com/">The Plug Bot</a> </li>
<li><a href="http://www.minipwner.com/index.php/what-is-the-minipwner">Mini Pwner</a></li>
</ul>All of these devices are just as big as a cigarette packet and to make a long story short they can be described like this:<br />
<br />
<i>They are designed as a small, simple but powerful device that can be inconspicuously plugged into a network and provide the penetration tester remote access to that network.</i><br />
<i>(Quote from "What is the Mini Pwner")</i><br />
<i><br />
</i><br />
The great thing about the Mini Pwner is that you can easily <a href="http://www.minipwner.com/index.php/minipwner-build">build one</a> on your own. I purchased the TP-Link TL-WR703N router yesterday and hopefully I will get it next week. When I have time I will build it and post about it here in my blog.<br />
<br />
A comparison between Pwnie Express and Mini Pwner can be found <a href="http://www.minipwner.com/index.php/minipwner-compare-pwnie-express">here</a>.sushi2khttp://www.blogger.com/profile/11236463824694070616noreply@blogger.com1tag:blogger.com,1999:blog-835099560646814381.post-33292611282909606242012-01-16T22:05:00.000+01:002012-01-17T21:25:04.552+01:00Increasing virtual disk in ESX 3.5My installation of BackTrack has only a 10 GB virtual disk, because I used the default settings when I installed it. Now I want to increase it to 25 GB.<br />
<br />
This can be done by opening the VMware Infrastructure Client (only available for Windows). After it has started, right-click the virtual machine that needs a bigger virtual disk and choose "Edit Settings" in the context menu. Then select "Virtual Disk". Now you can increase the size of the disk and confirm the new size with "OK".<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfy2EuqQruoJ8VSc3TdBFCPTnVMpxoG8-u0KyqyrKsXPCdyjK9G7AzpYMeMMEJSd-WvpepL782gflGK7WksbGlM2wCL8FSd76UykMmKz2zaexFm0Tt7J83c9ZXS-nTH4lSKc5hqjtPSrs/s1600/Bildschirmfoto+2012-01-16+um+20.54.55.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfy2EuqQruoJ8VSc3TdBFCPTnVMpxoG8-u0KyqyrKsXPCdyjK9G7AzpYMeMMEJSd-WvpepL782gflGK7WksbGlM2wCL8FSd76UykMmKz2zaexFm0Tt7J83c9ZXS-nTH4lSKc5hqjtPSrs/s200/Bildschirmfoto+2012-01-16+um+20.54.55.png" width="200" /></a></div><br />
All the steps just described can also be done while the VM is still running. As a next step the partition inside the guest has to be grown, so that the VM actually uses the new space. For this task we will use <a href="http://gparted.sourceforge.net/">GParted</a>: download the GParted ISO, upload it to the ESX server and select it in the VM settings as "Datastore ISO File". With this setting the VM boots GParted when it starts:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1nhYfOklx4FZxvlnttXm7MZG6_pJ6z_Uo4QVtxKWjOEx85diDJoA6apxku6CzxORG3L8Xppfju60krfUMy-zl3_2EruY21bzggkEz_hNIrZqu7XBSFU-KUL5PfBzv1LmS4nibiuKIFw8/s1600/Bildschirmfoto+2012-01-16+um+21.02.36.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="257" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1nhYfOklx4FZxvlnttXm7MZG6_pJ6z_Uo4QVtxKWjOEx85diDJoA6apxku6CzxORG3L8Xppfju60krfUMy-zl3_2EruY21bzggkEz_hNIrZqu7XBSFU-KUL5PfBzv1LmS4nibiuKIFw8/s320/Bildschirmfoto+2012-01-16+um+21.02.36.png" width="320" /></a></div><br />
If GParted won't boot (I had this problem), force the VM into the BIOS settings and change the boot order (CD-ROM should be first, or at least before the hard disk ;-)<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcZBkZI9eKAUgmn7YqJyoLvwtcj3kgBggdi7qt8rwIr3LsakosU_b9uCURBc9eUManjYxWRHuBEXlVqS9B5MxUWnWT7YDERAys5i3Ko8PRdww_tH1NoD9AvhedOWKGKEsvOp8YNT0Glsc/s1600/Bildschirmfoto+2012-01-16+um+21.19.13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="256" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcZBkZI9eKAUgmn7YqJyoLvwtcj3kgBggdi7qt8rwIr3LsakosU_b9uCURBc9eUManjYxWRHuBEXlVqS9B5MxUWnWT7YDERAys5i3Ko8PRdww_tH1NoD9AvhedOWKGKEsvOp8YNT0Glsc/s320/Bildschirmfoto+2012-01-16+um+21.19.13.png" width="320" /></a></div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjL5tp9LtLh1AjNCPwHO89r8Zi3DoyIJ1QkeaQTw1fl6y5Fj_Gd7I115vMGZsu9yqsd79Lr6NERUKo57GdhQoFfojTT_vj8Vu8RzywiXZ7JLSttFb7IIufUQDu4pmC5_ks-Es5thWp7DVQ/s1600/Bildschirmfoto+2012-01-16+um+21.22.29.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="236" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjL5tp9LtLh1AjNCPwHO89r8Zi3DoyIJ1QkeaQTw1fl6y5Fj_Gd7I115vMGZsu9yqsd79Lr6NERUKo57GdhQoFfojTT_vj8Vu8RzywiXZ7JLSttFb7IIufUQDu4pmC5_ks-Es5thWp7DVQ/s320/Bildschirmfoto+2012-01-16+um+21.22.29.png" width="320" /></a></div><br />
On the next attempt GParted actually boots :-)<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjDFfW3oKAW7L-kpv9TIbj97wtocHidBmhxkIzgqPNAMNQ4t_HivItAU6swag0Nq-MufoKCUBP2f861aAE5Vq6gnTuSt9-WyMPXRhIxeVvn3VMLYGhr3izdtGmkpUfQliD8fHFMH0AI4Y/s1600/Bildschirmfoto+2012-01-16+um+21.13.19.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjDFfW3oKAW7L-kpv9TIbj97wtocHidBmhxkIzgqPNAMNQ4t_HivItAU6swag0Nq-MufoKCUBP2f861aAE5Vq6gnTuSt9-WyMPXRhIxeVvn3VMLYGhr3izdtGmkpUfQliD8fHFMH0AI4Y/s320/Bildschirmfoto+2012-01-16+um+21.13.19.png" width="320" /></a></div><br />
After selecting the keymap I couldn't just start X. I had to configure it through the wizard first, otherwise I was getting this error (see also the screenshot):<br />
<br />
Virtual width (1184) is too large for the hardware (max 1180)<br />
Screen(s) found, but none have a usable configuration.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdxnDGEaDaEO-g5iGeu9WpDUWVwZtD8PZNe3RBx65NuFZt87G2zRUE5N29t35SE2vW6UAdyTndja9jw1dLyOaGrxSEObZ-F0xssbU5Kvr_TPfLbuQrj-B3FHTIdwDi9XZq04tlk5BG2lw/s1600/Bildschirmfoto+2012-01-16+um+21.53.18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="181" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdxnDGEaDaEO-g5iGeu9WpDUWVwZtD8PZNe3RBx65NuFZt87G2zRUE5N29t35SE2vW6UAdyTndja9jw1dLyOaGrxSEObZ-F0xssbU5Kvr_TPfLbuQrj-B3FHTIdwDi9XZq04tlk5BG2lw/s320/Bildschirmfoto+2012-01-16+um+21.53.18.png" width="320" /></a></div><br />
Select "Run Forcevideo to config X manually" and click through the wizard; a resolution of 800x600 works.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhk5EswuxDVxXdWQ5DQ554GAm2ofm3_2gv0qy3rNkXKZkkdcgwb9megtkYMUfAtxr_3eGXXBl2ngHfddmHPsqOSJo6TwBcHdXINrcavhik932mLeEEEFyHFh93xCZsVZCLgiF8ahVWXbbw/s1600/Bildschirmfoto+2012-01-16+um+21.52.52.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="176" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhk5EswuxDVxXdWQ5DQ554GAm2ofm3_2gv0qy3rNkXKZkkdcgwb9megtkYMUfAtxr_3eGXXBl2ngHfddmHPsqOSJo6TwBcHdXINrcavhik932mLeEEEFyHFh93xCZsVZCLgiF8ahVWXbbw/s320/Bildschirmfoto+2012-01-16+um+21.52.52.png" width="320" /></a></div><br />
<br />
Now GParted should be running; right-click on the unallocated space and create a new partition with an ext4 filesystem.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjq01n3OrORe5zuBuS8wpOlr0nSVVGwAqmBlWCDDnm-YHOkZ5q4EtLC68uiZHPczWjHoqRrqt68sVP4Jegsf1_LSZNkx-uZxd_iOU27FOzD1XSIhXMDmzHB_enQHRJXDw7OnCm-3rdE720/s1600/Bildschirmfoto+2012-01-16+um+21.25.49.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="239" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjq01n3OrORe5zuBuS8wpOlr0nSVVGwAqmBlWCDDnm-YHOkZ5q4EtLC68uiZHPczWjHoqRrqt68sVP4Jegsf1_LSZNkx-uZxd_iOU27FOzD1XSIhXMDmzHB_enQHRJXDw7OnCm-3rdE720/s320/Bildschirmfoto+2012-01-16+um+21.25.49.png" width="320" /></a></div><br />
After the changes have been applied, there is a new partition with 15 GB.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj10W2b6AB8nN759NuJSMyOIAeWE3F1KRW5QdVMKdsNPVXYdNsQDOnHhCD1Bwtevv8bspydRyXWGAYBZxbJiIj5uis0E3QD1bDY2IJr1vBJvK_SOCfhFgiwO8F6FTai3BwySZIITtFie2g/s1600/Bildschirmfoto+2012-01-16+um+21.50.03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj10W2b6AB8nN759NuJSMyOIAeWE3F1KRW5QdVMKdsNPVXYdNsQDOnHhCD1Bwtevv8bspydRyXWGAYBZxbJiIj5uis0E3QD1bDY2IJr1vBJvK_SOCfhFgiwO8F6FTai3BwySZIITtFie2g/s320/Bildschirmfoto+2012-01-16+um+21.50.03.png" width="320" /></a></div><br />
After a reboot, only /etc/fstab still needs to be modified. fdisk -l lists all hard disks and partitions:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi71GsuJYTY3EwWOkYiLRKgFijHKs1diVmKaeSE95vK_-12l5E00agkTYNvcklRBXvJgzpqhYWQVFJ_b-abpTfpimhvJ5dkqSI-642JFvMEXj4MkorDKFR4KlPHNtJ_zaNRTm0xv185_Zk/s1600/Bildschirmfoto+2012-01-16+um+22.00.39.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="187" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi71GsuJYTY3EwWOkYiLRKgFijHKs1diVmKaeSE95vK_-12l5E00agkTYNvcklRBXvJgzpqhYWQVFJ_b-abpTfpimhvJ5dkqSI-642JFvMEXj4MkorDKFR4KlPHNtJ_zaNRTm0xv185_Zk/s320/Bildschirmfoto+2012-01-16+um+22.00.39.png" width="320" /></a></div><br />
/dev/sda3 is my new partition with almost 15 GB and will now be added to /etc/fstab as the partition for /root. We only need to find out its UUID to insert into fstab. One caveat: mounting a new, empty filesystem on /root hides whatever is already stored in that directory, so copy the existing contents onto the new partition (via a temporary mount point) before rebooting with the new fstab entry. Finding the UUID:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-o9GI5iG-qcQqGQ8NP8Ui8_I4hN9hvhevhuxg-hgRXZu9qrYV__URk-JD3F2b84iDkPTgfOgB-yoUKOJkSHt8Wzv9FQ8DOyfDT0RMDs2Ryt6Y_hTSfNQTUjEb9xSnKK5YT6a0n_D-4qo/s1600/Bildschirmfoto+2012-01-16+um+22.04.11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="207" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-o9GI5iG-qcQqGQ8NP8Ui8_I4hN9hvhevhuxg-hgRXZu9qrYV__URk-JD3F2b84iDkPTgfOgB-yoUKOJkSHt8Wzv9FQ8DOyfDT0RMDs2Ryt6Y_hTSfNQTUjEb9xSnKK5YT6a0n_D-4qo/s320/Bildschirmfoto+2012-01-16+um+22.04.11.png" width="320" /></a></div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2vhVESx-qOrYnxfpj25PW3xAdsIyVJEqNB981Ehtzb_2Irp9yxTPk67gG1HjwY_g0iQaqo5T11Dl1DuIGimSovJClU8Epgr9thw2pWqq2yif_275UQU4KFrI7K0WEiRU2964y54mk178/s1600/Bildschirmfoto+2012-01-16+um+22.07.24.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="206" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2vhVESx-qOrYnxfpj25PW3xAdsIyVJEqNB981Ehtzb_2Irp9yxTPk67gG1HjwY_g0iQaqo5T11Dl1DuIGimSovJClU8Epgr9thw2pWqq2yif_275UQU4KFrI7K0WEiRU2964y54mk178/s320/Bildschirmfoto+2012-01-16+um+22.07.24.png" width="320" /></a></div><br />
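As an added example that is not part of the original post: a small shell script that does the fstab step from the command line, registering the new partition by its UUID (looked up with blkid rather than read off a screenshot) and refusing to add a duplicate entry. It assumes the post's layout (new partition /dev/sda3, mounted on /root) and must run as root; the migrate_root_home function also copies the current contents of /root onto the new filesystem first, because mounting an empty filesystem over /root would otherwise hide them.<br />

```shell
#!/bin/sh
# Added example, not from the original post: register a new ext4 partition in
# /etc/fstab by UUID and move /root onto it. Assumed layout as in the post:
# new partition /dev/sda3, mount point /root. Run as root.

# Filesystem UUID of a block device (wraps blkid); UUIDs survive device
# renaming, which /dev/sdaN names do not when disks are added or reordered.
part_uuid() {
    blkid -s UUID -o value "$1"
}

# One fstab line for an ext4 filesystem: $1 = UUID, $2 = mount point.
fstab_line() {
    printf 'UUID=%s %s ext4 defaults 0 2\n' "$1" "$2"
}

# Append the entry to an fstab file unless that UUID is already listed.
# $1 = fstab file, $2 = UUID, $3 = mount point. Prints "added" or "exists".
add_fstab_entry() {
    if grep -q "^UUID=$2[[:space:]]" "$1"; then
        echo exists
    else
        fstab_line "$2" "$3" >> "$1"
        echo added
    fi
}

# The whole procedure for the post's case. Copies the existing contents of
# /root over first: mounting an empty filesystem on /root would hide them.
migrate_root_home() {
    dev=/dev/sda3
    uuid=$(part_uuid "$dev")
    mkdir -p /mnt/newroot
    mount "$dev" /mnt/newroot
    cp -a /root/. /mnt/newroot/
    umount /mnt/newroot
    add_fstab_entry /etc/fstab "$uuid" /root
    mount -a
    # Check: /root must now be backed by the new device.
    findmnt -n -o SOURCE /root
}

if [ "${1:-}" = run ]; then
    migrate_root_home
fi
```

Invoke it as <i>sh migrate.sh run</i>; the final findmnt line should print /dev/sda3. Because the entry is keyed by UUID, adding another virtual disk later (which can shuffle /dev/sdX names) does not break the mount.<br />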
<br />
That's it :-)<br />
<br />
<br />
URL<br />
<a href="http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1004047">VMware Increasing virtual disk size</a><br />
<br />
Information Gathering of Apache on Metasploitable (sushi2k, 2012-01-15)<br />
<br />
After brute forcing PostgreSQL and MySQL, it's now time to prepare an attack on the Apache web server. I will try to gather as much information about the web server as possible to prepare the attack. The IP of my Metasploitable VM is 192.168.178.65.<br />
<br />
First we start the Burp intercepting proxy. Burp Suite can be found in the BackTrack Applications menu:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_9hGpYpxl1e5_RwamyW9Xka8uDe88rq8469NeI4jcttJgONscHBQQzygYBGKUyD6L4E6E7rANdP37zPE3ij_2fGpMN5O366fxhnlLKAQceCpXiQ2va-c-Qk8OA3bFsJ8TV83NRCLdI_E/s1600/Bildschirmfoto+2012-01-15+um+16.49.08.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="237" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_9hGpYpxl1e5_RwamyW9Xka8uDe88rq8469NeI4jcttJgONscHBQQzygYBGKUyD6L4E6E7rANdP37zPE3ij_2fGpMN5O366fxhnlLKAQceCpXiQ2va-c-Qk8OA3bFsJ8TV83NRCLdI_E/s320/Bildschirmfoto+2012-01-15+um+16.49.08.png" width="320" /></a></div><br />
The version of Burp shipped with BackTrack is of course only the "Free Edition" and not the "Professional Edition". <a href="http://portswigger.net/burp/download.html">Here</a> you can find a comparison of both versions. In the future I will use the <a href="https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project">ZAP proxy</a> provided by OWASP, but for this phase the capabilities of the Burp "Free Edition" are sufficient.<br />
<br />
To use Burp as an intercepting proxy you only need to configure your browser to use Burp Suite as its proxy server.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-PDrE_qVj5KnX2uxr8Nm92scgAH6ibNjWUCMMgEoUm41ZysBjjy8_dC5S1vLZ7Smk3R1ZT-NgUgwQrXoaEIFZBfDJtPfBtMSGNR51-p_ZBMQ0ztwFTp4hKXm8fDQEEWlB322ITvCP7KQ/s1600/Bildschirmfoto+2012-01-15+um+16.55.10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="229" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj-PDrE_qVj5KnX2uxr8Nm92scgAH6ibNjWUCMMgEoUm41ZysBjjy8_dC5S1vLZ7Smk3R1ZT-NgUgwQrXoaEIFZBfDJtPfBtMSGNR51-p_ZBMQ0ztwFTp4hKXm8fDQEEWlB322ITvCP7KQ/s320/Bildschirmfoto+2012-01-15+um+16.55.10.png" width="320" /></a></div><br />
When you now browse to the IP of Metasploitable, the HTTP request appears under the "intercept" tab of Burp's proxy. The request can be modified, forwarded or dropped there.<br />
<br />
As we already know <a href="http://pen-testing-lab.blogspot.com/2012/01/brute-forcing.html">from our successful MySQL brute force attack</a>, there should be a TikiWiki installation available, and we already know the login credentials (admin:admin). So let's give it a try:<br />
<br />
http://192.168.178.65/tikiwiki<br />
<br />
And there is indeed a TikiWiki installation :-) Now log in through the TikiWiki login form with the credentials admin:admin. After successful authentication we have to change the password, and we are admin in TikiWiki:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfbZGjsIswGSc2Sb7Rsgal0oJ_6aGaUXRzHSOtMgytbkPgWOlgjiEvwexQ8rPkFf6qyi7zauzboXqqfR8eb-F3SZpmju91Od22xsJDAGShL4Zmb0gu_eLvIv4VB4XE0AgQ0icVQVghpGM/s1600/Bildschirmfoto+2012-01-15+um+17.13.31.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="236" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfbZGjsIswGSc2Sb7Rsgal0oJ_6aGaUXRzHSOtMgytbkPgWOlgjiEvwexQ8rPkFf6qyi7zauzboXqqfR8eb-F3SZpmju91Od22xsJDAGShL4Zmb0gu_eLvIv4VB4XE0AgQ0icVQVghpGM/s320/Bildschirmfoto+2012-01-15+um+17.13.31.png" width="320" /></a></div><br />
It is version 1.9.5 of TikiWiki.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAnsiSVTS6Bg_RwEP4LDgbuDBWluH3zvj4OcMhu-vaaElYnQ6fO7-BJAX4G5EnYv-t3VgTBfkkThbDl0lv3ZchtEkrqmcmYuXBm1JrVoI7-4P3VWnwRltI48wjjquYFFPDXfg5u8QgeOc/s1600/Bildschirmfoto+2012-01-15+um+21.07.57.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="238" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAnsiSVTS6Bg_RwEP4LDgbuDBWluH3zvj4OcMhu-vaaElYnQ6fO7-BJAX4G5EnYv-t3VgTBfkkThbDl0lv3ZchtEkrqmcmYuXBm1JrVoI7-4P3VWnwRltI48wjjquYFFPDXfg5u8QgeOc/s320/Bildschirmfoto+2012-01-15+um+21.07.57.png" width="320" /></a></div><br />
<br />
Now we should spider the tikiwiki directory to see which files and directories are available. This is done in the "target" tab in Burp, which lists all files and directories you have browsed manually so far. A right-click opens a context menu:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNlL78ByMgPaHkREDn7Pd8I6ETPinKgwqKfVPNmX6qnco2pTpshNnEJ9euMZ3Ql4ZxmaCtcnAQv0S_J81Clgvc42tOK8TAxPmI9ZbzOriGI01L2ILQ1tqikZD6SWR1b-S_uaYGB3NjPXw/s1600/Bildschirmfoto+2012-01-15+um+20.51.24.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="236" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNlL78ByMgPaHkREDn7Pd8I6ETPinKgwqKfVPNmX6qnco2pTpshNnEJ9euMZ3Ql4ZxmaCtcnAQv0S_J81Clgvc42tOK8TAxPmI9ZbzOriGI01L2ILQ1tqikZD6SWR1b-S_uaYGB3NjPXw/s320/Bildschirmfoto+2012-01-15+um+20.51.24.png" width="320" /></a></div><br />
When you click on "spider this branch", Burp follows every link it can find in that branch and builds an index of all directories and files it discovers. This gives an overview of the web application and shows which frameworks, programming languages and so on are used.<br />
<br />
Another good way to learn about the installed web server, its modules and the programming languages in use is to provoke an error. Simply requesting a page that does not exist makes the default error page produce a very informative message:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgyZ2Q1LnnyayIl8vYdp2HTRGATNAwdetY-FZFUYYeYTJXrsOd39nNRwDAJ72E26lqC27KU_AwPs4b1VElH0W-gnpw07M0Yjkcs2fBQVR7vlyJHRyXV1_mERcupHZrQefuPUWx1WFcdD4/s1600/Bildschirmfoto+2012-01-15+um+20.58.30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="82" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgyZ2Q1LnnyayIl8vYdp2HTRGATNAwdetY-FZFUYYeYTJXrsOd39nNRwDAJ72E26lqC27KU_AwPs4b1VElH0W-gnpw07M0Yjkcs2fBQVR7vlyJHRyXV1_mERcupHZrQefuPUWx1WFcdD4/s320/Bildschirmfoto+2012-01-15+um+20.58.30.png" width="320" /></a></div><br />
Now we know that Apache 2.2.8 with PHP 5.2.4 is used and that the OS is very likely Ubuntu. Both version strings come from the Server header and from Apache's signature line at the bottom of the error page; a hardened host suppresses them with ServerTokens Prod and ServerSignature Off, so getting nothing here is itself informative.<br />
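To automate the error-page trick above, here is an added example (not code from the original post): a shell script that requests a path that cannot exist, then pulls the Apache version, PHP version and OS hint out of the Server header and the signature line of the 404 page. The sample response embedded in the script is constructed to match the Metasploitable banner shown in the post; the target URL passed to fingerprint is an assumption.<br />

```shell
#!/bin/sh
# Added example, not from the original post: fingerprint a web server from the
# Server header and the default Apache 404 page, automating what the post does
# by hand in Burp. SAMPLE_* below is a constructed response for offline use;
# the URL given to fingerprint is an assumption.

SAMPLE_HEADERS='HTTP/1.1 404 Not Found
Date: Sun, 15 Jan 2012 19:58:30 GMT
Server: Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
X-Powered-By: PHP/5.2.4-2ubuntu5.10
Content-Type: text/html; charset=iso-8859-1'
SAMPLE_BODY='<html><head><title>404 Not Found</title></head><body>
<h1>Not Found</h1>
<p>The requested URL /nope-8d2f1 was not found on this server.</p>
<hr>
<address>Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch Server at 192.168.178.65 Port 80</address>
</body></html>'

# Version number following "<product>/" in text on stdin; empty if absent.
# $1 = product name as it appears in the banner, e.g. Apache or PHP
version_of() {
    grep -o "$1/[0-9][0-9.]*" | head -n 1 | cut -d/ -f2
}

# Print "apache=<ver> php=<ver> os=<hint>" from raw headers ($1) and body ($2).
parse_banner() {
    server=$(printf '%s\n' "$1" | sed -n 's/^[Ss]erver: *//p' | tr -d '\r')
    # With ServerSignature On the error page repeats (or extends) the banner
    # in <address>; prefer it when the Server header is the shorter one.
    sig=$(printf '%s\n' "$2" | sed -n 's/.*<address>\(.*\) Server at.*/\1/p')
    if [ ${#sig} -gt ${#server} ]; then
        server=$sig
    fi
    apache=$(printf '%s\n' "$server" | version_of Apache)
    php=$(printf '%s\n%s\n' "$server" "$1" | version_of PHP)
    os=$(printf '%s\n' "$server" | sed -n 's/.*(\([^)]*\)).*/\1/p')
    printf 'apache=%s php=%s os=%s\n' "$apache" "$php" "$os"
}

# Live version: fetch a path that cannot exist and parse the resulting 404.
# An empty result means ServerTokens/ServerSignature hardening or a custom
# error page is in place. $1 = base URL, e.g. http://192.168.178.65
fingerprint() {
    hdr=$(mktemp); body=$(mktemp)
    curl -sS -D "$hdr" -o "$body" "$1/this-path-does-not-exist-8d2f1"
    parse_banner "$(cat "$hdr")" "$(cat "$body")"
    rm -f "$hdr" "$body"
}

parse_banner "$SAMPLE_HEADERS" "$SAMPLE_BODY"
```

Run against the lab VM with <i>fingerprint http://192.168.178.65</i>; the sample data at the bottom yields "apache=2.2.8 php=5.2.4 os=Ubuntu", matching the table further down.<br />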
<br />
Nmap also found another web server on port 8180:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEia5gJ8xYbiXIqtUA8WArH3QDPJXuqns4xtnncyogXQZzoyGrApgyybRfdZmt3XJMJuuv3ZJqWCy4116lmD0tExGXdST0-rpRXA_6SeC8C2n1JdnOaf5EIbAsXPSvxjLaplwdzb_UD7osA/s1600/Bildschirmfoto+2012-01-15+um+21.19.41.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="195" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEia5gJ8xYbiXIqtUA8WArH3QDPJXuqns4xtnncyogXQZzoyGrApgyybRfdZmt3XJMJuuv3ZJqWCy4116lmD0tExGXdST0-rpRXA_6SeC8C2n1JdnOaf5EIbAsXPSvxjLaplwdzb_UD7osA/s320/Bildschirmfoto+2012-01-15+um+21.19.41.png" width="320" /></a></div><br />
<br />
Metasploitable also runs a default installation of Tomcat 5.5. I can log in with the Tomcat default credentials (tomcat:tomcat) to Status, Tomcat Administration and Tomcat Manager. Manager access is a critical finding on its own: it allows deploying arbitrary WAR files, which amounts to code execution on the host.<br />
<br />
So let's just sum up what we have found till now:<br />
<br />
<table border="1"><tbody>
<tr><td><b>Software</b></td><td><b>Version</b></td></tr>
<tr><td>Apache</td><td>2.2.8</td></tr>
<tr><td>PHP</td><td>5.2.4</td></tr>
<tr><td>TikiWiki</td><td>1.9.5</td></tr>
<tr><td>Apache Tomcat</td><td>5.5</td></tr>
</tbody></table><br />
<div>With this information we should be able to find vulnerabilities for this pretty old software in <a href="http://pen-testing-lab.blogspot.com/2012/01/searching-reported-vulnerabilities.html">known resources</a>, and of course some publicly available exploits :-)</div><br />
<br />
Brute Forcing Postgres (sushi2k, 2012-01-15)<br />
<br />
After brute forcing MySQL I wanted to brute force the next service, this time PostgreSQL. Again the output of the nmap scan against Metasploitable:<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;"><i>PORT     STATE SERVICE     VERSION<br />
21/tcp   open  ftp         ProFTPD 1.3.1<br />
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)<br />
23/tcp   open  telnet      Linux telnetd<br />
25/tcp   open  smtp        Postfix smtpd<br />
53/tcp   open  domain<br />
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)<br />
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)<br />
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)<br />
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5<br />
<span style="color: orange;">5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7</span><br />
8009/tcp open  ajp13?<br />
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1</i></span><br />
<br />
<div>This time I'm just using Metasploit to brute force:<br />
<div><br />
</div><div>#msfconsole</div><div>#search postgresql</div><div>#use auxiliary/scanner/postgres/postgres_login<br />
#show options<br />
#set RHOSTS <Target IP><br />
#set VERBOSE false<br />
#exploit<br />
<br />
Metasploit already ships with a default user and password list for brute forcing, so we don't have to specify our own lists. If you want to use other user and password lists, see my post about <a href="http://pen-testing-lab.blogspot.com/2012/01/brute-forcing.html">MySQL Brute Forcing</a>, where I explain where to get user and password lists and how to use them with Metasploit and THC Hydra.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjr597_Ga2i-Tp1wbjBNMMRgOy-HiZqIj4rNkrnEeN0ppR3l6d34wePN9CCGHZ11e_1HFp2s_5qUojatdtlvuhDQxNcC4WVcpnCWNcFQCobRnTAkA6jqArNMpjNHorCHCnuAyxxEt_YIRo/s1600/Bildschirmfoto+2012-01-15+um+15.35.06.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="69" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjr597_Ga2i-Tp1wbjBNMMRgOy-HiZqIj4rNkrnEeN0ppR3l6d34wePN9CCGHZ11e_1HFp2s_5qUojatdtlvuhDQxNcC4WVcpnCWNcFQCobRnTAkA6jqArNMpjNHorCHCnuAyxxEt_YIRo/s320/Bildschirmfoto+2012-01-15+um+15.35.06.png" width="320" /></a></div><br />
BackTrack does not ship a PostgreSQL client, so we have to install one to verify the finding:<br />
<br />
#apt-get install postgresql-client<br />
<br />
Then psql can be started:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEje-4EBo39i9eAIV1uBEFmOOaMlj15R7HUcAHPur8IBStkxDeCuqB026bw6VH_7Y6C6j_7wNrbTiLXM_RzSBjdAW2PjkAe5c0hZNJgj6fp_OGYZr15_DXn7MJvA2lO9E4WXHwfRGaELUHk/s1600/Bildschirmfoto+2012-01-15+um+15.46.21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="235" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEje-4EBo39i9eAIV1uBEFmOOaMlj15R7HUcAHPur8IBStkxDeCuqB026bw6VH_7Y6C6j_7wNrbTiLXM_RzSBjdAW2PjkAe5c0hZNJgj6fp_OGYZr15_DXn7MJvA2lO9E4WXHwfRGaELUHk/s320/Bildschirmfoto+2012-01-15+um+15.46.21.png" width="320" /></a></div><br />
Seems like a default postgres installation with no data inside. An empty default installation is still a finding, though: if the account found is a superuser, it can read files from the server's filesystem (for example by COPYing a scratch table FROM '/etc/passwd'), so the login itself matters even when the database holds no data. </div></div><br />
<br />
Brute Forcing MySQL (sushi2k, 2012-01-15)<br />
<br />
I just did my first nmap scan against the Metasploitable virtual machine. There are several open ports and a lot of services running on the VM. Here is the listing of the services found by nmap:<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;"><i>PORT     STATE SERVICE     VERSION<br />
21/tcp   open  ftp         ProFTPD 1.3.1<br />
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)<br />
23/tcp   open  telnet      Linux telnetd<br />
25/tcp   open  smtp        Postfix smtpd<br />
53/tcp   open  domain<br />
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)<br />
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)<br />
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)<br />
<span style="color: orange;">3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5</span><br />
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7<br />
8009/tcp open  ajp13?<br />
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1</i></span><br />
<br />
<div>First I wanted to run some brute-force attacks against the MySQL database running on Metasploitable. There are different ways to brute-force it, but any scanner is only as good as the username and password wordlists it is fed (<a href="http://www.skullsecurity.org/wiki/index.php/Passwords">here</a> are username and password lists for a first shot).<br />
<br />
As password list, I'm using elitehacker.txt.bz2 provided by skullsecurity.org and I defined six different users:<br />
<br />
<br />
<span style="font-family: 'Courier New', Courier, monospace;"><i>root@bt:~/test_environment/brute_force# cat username.txt </i></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><i>admin</i></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><i>root</i></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><i>mysql</i></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><i>db</i></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><i>test</i></span><br />
<span style="font-family: 'Courier New', Courier, monospace;"><i>user</i></span><br />
<br />
<br />
I also inserted all six users and a blank line into the elitehacker.txt password file.<br />
<br />
</div><div><br />
</div><div>1. Using Metasploit</div><div><br />
</div><div>#msfconsole</div><div>#search mysql</div><div>#use auxiliary/scanner/mysql/mysql_login<br />
#show options<br />
#set RHOSTS <Target IP><br />
#set USER_FILE /root/<your_username_file><br />
#set PASS_FILE /root/<your_password_file><br />
#exploit<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTMzuWVdh9I-iEWIR102tPj608n54uJQkpF1sfx5aOv2ubIkWd1yj1dJLIdxwtcc1rIQ_O-LiqJewTrbjVgOa00GWK2f6__VJ3g4_kC5_8moyR34q_AZVm2Df8MpRrC46PjjQFXHTm0Pg/s1600/Bildschirmfoto+2012-01-15+um+09.05.18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjTMzuWVdh9I-iEWIR102tPj608n54uJQkpF1sfx5aOv2ubIkWd1yj1dJLIdxwtcc1rIQ_O-LiqJewTrbjVgOa00GWK2f6__VJ3g4_kC5_8moyR34q_AZVm2Df8MpRrC46PjjQFXHTm0Pg/s320/Bildschirmfoto+2012-01-15+um+09.05.18.png" width="320" /></a></div><br />
Verbose mode is enabled by default, so every login attempt is printed. This is inconvenient for two reasons:<br />
<br />
a) If the brute force attempt is successful you have to scroll back through the whole list of attempts to find the working login, because the mysql_login module prints no summary when it finishes (when msfconsole is connected to its database, found logins are also stored and can be listed with the creds command).<br />
b) The scan time increases dramatically. With verbose set to true the scan took 5 minutes and 5 seconds; after deactivating verbose mode it finished in 2 minutes and 5 seconds.<br />
<br />
Conclusion => #set VERBOSE false<br />
<br />
<div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXMwU3hn5peCVcZQ9SVveE1SK3Vf8C1xe1V-zcv6N1oz61-UnCWB54woObOOsk-kPKq5qALH__r86QfNXtp9xjaX-7dd6F63F8EJBsSA8AdNtvi4hOwN_5cmrYkc9Oae911PLH4_zQfJY/s1600/Bildschirmfoto+2012-01-15+um+09.38.05.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="88" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXMwU3hn5peCVcZQ9SVveE1SK3Vf8C1xe1V-zcv6N1oz61-UnCWB54woObOOsk-kPKq5qALH__r86QfNXtp9xjaX-7dd6F63F8EJBsSA8AdNtvi4hOwN_5cmrYkc9Oae911PLH4_zQfJY/s320/Bildschirmfoto+2012-01-15+um+09.38.05.png" width="320" /></a></div><br />
<br />
2. Using THC Hydra<br />
<br />
#hydra -L /root/<your_username_file> -P /root/<your_password_file> <IP> mysql<br />
<br />
<div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSi1JfQo8xrF15qQPD3LmHGmaImgGJbo76yeq0xC_ayXPzXxTbVKiJFNrVZqeg5K_VF9_SNKEgtr8aNatbV_OGP6Q4z3gU8upri9TlV5v8C4SBs98Iqrh9TwtydIji2Ova_lBaVW4VGLM/s1600/Bildschirmfoto+2012-01-15+um+08.42.29.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="130" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSi1JfQo8xrF15qQPD3LmHGmaImgGJbo76yeq0xC_ayXPzXxTbVKiJFNrVZqeg5K_VF9_SNKEgtr8aNatbV_OGP6Q4z3gU8upri9TlV5v8C4SBs98Iqrh9TwtydIji2Ova_lBaVW4VGLM/s320/Bildschirmfoto+2012-01-15+um+08.42.29.png" width="320" /></a></div><br />
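As an added example (not code from the original post) covering both runs above, and equally usable for the postgres_login run in the PostgreSQL post: a shell script that builds the password list the way described (each username plus one empty password appended, duplicates removed), counts the attempts a run will make so timings can be compared fairly, and drives mysql_login unattended with VERBOSE false through a Metasploit resource script, or Hydra with its results written to a file. File paths, the target IP and the hydra output file name are assumptions; msfconsole and hydra are only invoked by run_msf_login and run_hydra.<br />

```shell
#!/bin/sh
# Added example, not from the original post: prepare the wordlists the way the
# post describes and run mysql_login / hydra non-interactively. File paths and
# the target IP are assumptions; msfconsole and hydra are only called by
# run_msf_login and run_hydra.

# Password list = source list + every username + one empty line, with
# duplicates removed while keeping the order of first occurrence.
# $1 = username file, $2 = source password file, $3 = output file
prepare_passwords() {
    { awk 1 "$2" "$1"; echo; } | awk '!seen[$0]++' > "$3"
}

# Login attempts one run will make (users x passwords); timings such as the
# post's 5:05 vs 2:05 only compare fairly at the same attempt count.
# $1 = username file, $2 = password file
count_attempts() {
    echo $(( $(wc -l < "$1") * $(wc -l < "$2") ))
}

# Resource script for auxiliary/scanner/mysql/mysql_login with VERBOSE false.
# $1 = target IP, $2 = username file, $3 = password file
msf_rc() {
    cat <<EOF
use auxiliary/scanner/mysql/mysql_login
set RHOSTS $1
set USER_FILE $2
set PASS_FILE $3
set VERBOSE false
set STOP_ON_SUCCESS true
run
exit
EOF
}

# Run the module unattended and time it; found logins are printed by the
# module and, when msfconsole is connected to its database, listed by "creds".
run_msf_login() {
    rc=$(mktemp)
    msf_rc "$1" "$2" "$3" > "$rc"
    time msfconsole -q -r "$rc"
    rm -f "$rc"
}

# Same attack with THC Hydra; -o keeps the found logins in a file so the
# result does not have to be fished out of the scrollback.
# $1 = target IP, $2 = username file, $3 = password file
run_hydra() {
    time hydra -L "$2" -P "$3" -o "hydra_mysql_$1.txt" "$1" mysql
}
```

Typical use: <i>prepare_passwords username.txt elitehacker.txt pass.txt; count_attempts username.txt pass.txt; run_msf_login 192.168.178.65 /root/username.txt /root/pass.txt</i>. STOP_ON_SUCCESS ends the run at the first working login per host, which is what you want when the goal is a foothold rather than a full audit of weak accounts.<br />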
<br />
3. Result<br />
<br />
So here is an overview of the results (all scans were executed with the same user- and passwordfile).<br />
<br />
<table border="1"><tbody>
<tr> <td>mysql_login (verbose mode activated)</td><td>5 Minutes 5 Seconds</td> </tr>
<tr> <td>mysql_login (verbose mode deactivated)</td><td>2 Minutes 5 Seconds</td> </tr>
<tr> <td>THC Hydra</td><td>4 Minutes 8 Seconds</td> </tr>
</tbody></table><br />
It was only a very small brute-force attack (5,412 username/password combinations), but with verbose mode activated mysql_login took almost 25% more time than Hydra with the same wordlists.<br />
<br />
With verbose mode deactivated, mysql_login is by far the fastest of the three runs.<br />
<br />
I don't know whether this scales in the same way for attacks with many more combinations, but the mysql_login module of Metasploit seems more efficient for MySQL brute forcing than THC Hydra.<br />
<br />
So let's check this finding manually:<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3bDGJAGdLCrLrhkQ2xz42xrSspdHsSeE1U8Lm8aKpWn8HhSZ_8xfJ8jvhX01J0QHXcpH_PITmPmBJtKaFZf4qtRygc0VvBR5LElUaY5xIzYBSQ0M_RZ1lTT-Y5guP2d3-kezu9IFot0E/s1600/mysql_login.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="228" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3bDGJAGdLCrLrhkQ2xz42xrSspdHsSeE1U8Lm8aKpWn8HhSZ_8xfJ8jvhX01J0QHXcpH_PITmPmBJtKaFZf4qtRygc0VvBR5LElUaY5xIzYBSQ0M_RZ1lTT-Y5guP2d3-kezu9IFot0E/s320/mysql_login.png" width="320" /></a></div><br />
So now we have another login for a new attack :-)</div><br />
<br />
tcpdump and Wireshark and permission to test (sushi2k, 2012-01-15)<br />
<br />
When executing a pentest it is necessary to document every step. This means not only taking screenshots of every step, input, output and result, but also running tcpdump or Wireshark in the background to log everything you do while executing attacks, especially when you run exploits or an automated scan (nmap or Nessus, for example).<br />
<br />
This has two reasons:<br />
<br />
1. When executing a pentest you only have a short time frame agreed with your customer, and sometimes there is no time to execute an attack a second time. With a dump of the network traffic taken during the pentest you may still be able to extract the information you are looking for after the agreed time frame has ended. With only a screenshot you may have the result, but you cannot describe and understand in detail what has happened. Understanding what happened is essential for defining countermeasures that close the findings.<br />
<br />
2. An agreement or permission memo that allows the pentest should always be drawn up and signed BEFORE the pentest (you can find a template<a href="http://www.counterhack.net/permission_memo.html"> here</a>). But even with this agreement you are much safer with a dump of your activity, especially when a server or web application of the customer has problems and the customer blames you. It is far better to be able to show the customer your activities afterwards than to have no evidence at all and be unable to prove that you did not trigger the problem.<br />
<br />
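The background capture described above, as an added example that is not part of the original post: a small Python helper that builds the tcpdump command line restricted to the hosts and networks named in the permission memo, rotates the capture file hourly, and after the engagement writes a SHA-256 manifest for the pcaps so you can show the customer they are unaltered. The scope entries, the interface name eth0 and the captures directory are assumptions; the BPF filter syntax and the tcpdump flags (-i, -n, -s 0, -G, -w with a strftime pattern) are standard tcpdump.

```python
"""Scoped background capture for a pentest, plus an integrity manifest.

Added example, not code from the original post. The scope list, interface
name and output directory in __main__ are assumptions.
"""
import hashlib
import ipaddress
import os
import subprocess
import sys


def build_scope_filter(scope):
    """Turn the hosts/CIDRs from the permission memo into a BPF filter.

    Only traffic to or from the agreed targets is recorded, so the capture
    documents the engagement without sweeping up unrelated customer traffic.
    """
    terms = []
    for entry in scope:
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses == 1:
            terms.append("host %s" % net.network_address)
        else:
            terms.append("net %s" % net.with_prefixlen)
    if not terms:
        raise ValueError("empty scope: refusing to capture everything")
    return " or ".join(terms)


def tcpdump_argv(scope, iface, outdir, rotate_seconds=3600):
    """tcpdump command line: full packets (-s 0), no name lookups (-n), and a
    new file every rotate_seconds with the start time in its name (-G/-w)."""
    pattern = os.path.join(outdir, "pentest-%Y%m%d-%H%M%S.pcap")
    return ["tcpdump", "-i", iface, "-n", "-s", "0",
            "-G", str(rotate_seconds), "-w", pattern,
            build_scope_filter(scope)]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(outdir, manifest_name="MANIFEST.sha256"):
    """Hash every pcap in outdir into a 'sha256sum -c' compatible manifest.
    Returns the manifest lines. Do this once the engagement window closes
    and keep the manifest (or its hash) together with the signed memo."""
    lines = ["%s  %s" % (sha256_file(os.path.join(outdir, name)), name)
             for name in sorted(os.listdir(outdir)) if name.endswith(".pcap")]
    with open(os.path.join(outdir, manifest_name), "w") as f:
        f.write("".join(line + "\n" for line in lines))
    return lines


def verify_manifest(outdir, manifest_name="MANIFEST.sha256"):
    """Names of pcaps whose current hash no longer matches the manifest."""
    tampered = []
    with open(os.path.join(outdir, manifest_name)) as f:
        for line in f:
            digest, name = line.rstrip("\n").split("  ", 1)
            if sha256_file(os.path.join(outdir, name)) != digest:
                tampered.append(name)
    return tampered


if __name__ == "__main__":
    scope = ["10.0.0.5", "192.168.1.0/24"]  # assumed: copied from the permission memo
    outdir = "captures"
    if sys.argv[1:] == ["seal"]:
        for line in write_manifest(outdir):
            print(line)
    elif sys.argv[1:] == ["verify"]:
        print("tampered:", verify_manifest(outdir) or "none")
    else:
        os.makedirs(outdir, exist_ok=True)
        argv = tcpdump_argv(scope, "eth0", outdir)
        print("running:", " ".join(argv))
        sys.exit(subprocess.call(argv))  # needs root or CAP_NET_RAW
```

Start it before the first scan and leave it running for the whole engagement; after the agreed window closes, run it with `seal` and later with `verify` to prove the pcaps you hand over are the ones you recorded. An empty scope is rejected on purpose: an unfiltered capture on a customer network is itself something the permission memo has to cover.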
The output of Burp, ZAP or whatever interception proxy you are using should also be saved completely afterwards.<br />
<br />
Update BackTrack Installation (sushi2k, 2012-01-14)<br />
<br />
Before you execute a pentest, you should always update your BackTrack installation. It's pretty easy, as it can be done via apt-get.<br />
<br />
<blockquote class="tr_bq">
# apt-get update<br />
# apt-get upgrade</blockquote>
<br />
This installs the latest versions of the packages that are already present. apt-get upgrade holds back any upgrade that would need new dependencies or remove a package; run apt-get dist-upgrade afterwards to apply those as well.<br />
<br />
Metasploit is not updated via apt-get, but nowadays you can update it with a simple msfupdate in BackTrack. Quite easy :-)<br />
<br />
Searching for reported vulnerabilities (sushi2k, 2012-01-14)<br />
<br />
During the information gathering phase of a pentest, it is very important to check for already reported vulnerabilities. Once you know the exact version of the application, operating system, framework, $foo from the output of your tools (nmap, for example), check this version string against several publicly available resources:<br />
<div><br />
</div><div><a href="http://osvdb.org/">Open Source Vulnerability Database</a></div><div><br />
</div><div><a href="http://www.exploit-db.com/">Exploit-db.com</a> (uses the exploit archive of milw0rm.com, which was shut down in late 2009)</div><div><br />
</div><div><a href="http://packetstormsecurity.org/">Packetstormsecurity</a></div><div><br />
</div><div>All of these sites can be searched by vendor or product, and they also offer a free-text search. </div><div><br />
Another good resource for researching publicly available exploits is <a href="http://www.securitytube.net/">securitytube.net</a>. You can find a lot of different attacks, with descriptions of how they exploit known vulnerabilities, presented as videos.</div><div><br />
</div><div>There are also some mailing lists that can be searched:</div><div><br />
</div><div><a href="http://seclists.org/fulldisclosure/">Full Disclosure</a> (very good source for the latest vulnerabilities)</div><div><br />
</div><div><a href="http://www.securityfocus.com/archive/1">Security Focus</a> (BugTraq archive; the mail archive itself cannot be searched)</div><div><br />
</div><div><br />
</div><div>The search engine at <a href="http://web.nvd.nist.gov/view/vuln/search?execution=e2s1">nist.gov</a> is quite useful if you are looking for a certain CVE number. You will get all the information associated with this vulnerability. </div><div><br />
</div><div><a href="http://www.cvedetails.com/">cvedetails.com</a> is also a great resource if you're looking for a particular CVE number. You get even more information than on nist.gov, and also a link to an exploit if one is available. The most important thing for me is that you can search for a specific product version. </div><div><br />
</div><div>For example, let's say you discover an Apache web server during the information gathering phase that runs PHP 5.3.5. Now you want to know which vulnerabilities are known for this PHP version. Just click on "Version Search" and enter the data. </div><div><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivZU-MRwEOvfEApNm6E2sjcSFHr_cH_KHaYvxj9qDuZB9QbdtJ0hbuGoPz3KKaw0aEEErHy58zxr5c0P0O1kSxPkJu-Glpq5Wf7eGq5FQjAusZfC8UFU1OqrGvgGLhz3hRkQeVmIqysgI/s1600/version_search.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="188" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivZU-MRwEOvfEApNm6E2sjcSFHr_cH_KHaYvxj9qDuZB9QbdtJ0hbuGoPz3KKaw0aEEErHy58zxr5c0P0O1kSxPkJu-Glpq5Wf7eGq5FQjAusZfC8UFU1OqrGvgGLhz3hRkQeVmIqysgI/s320/version_search.png" width="320" /></a></div><div><br />
</div><div>As a result you get a listing of all CVEs related to PHP 5.3.5 (21 vulnerabilities at the time of writing). In this view you can also see whether an exploit is available (marked with a red circle). Keep in mind that a version taken from a banner is only an indication: distributions such as Debian and Red Hat backport security fixes without changing the upstream version number, so a CVE listed for that version still has to be confirmed on the target before it goes into the report.<br />
<br />
</div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbnIGzBr1reAZFkFjirkFtXoOfHzFJlE__-MSpH5xjAlFGXOjEA_G-hwcpPpKdrsVzowXDivEKuAUaG_CTkvqklLTiH65skk4tKeANFldOOrEpZoBa5EnPYUFOU_Eq3QpWvHBZ-0Kdko4/s1600/php535.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="168" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbnIGzBr1reAZFkFjirkFtXoOfHzFJlE__-MSpH5xjAlFGXOjEA_G-hwcpPpKdrsVzowXDivEKuAUaG_CTkvqklLTiH65skk4tKeANFldOOrEpZoBa5EnPYUFOU_Eq3QpWvHBZ-0Kdko4/s320/php535.png" width="320" /></a></div><div><br />
</div><div><br />
</div><div>But there is more to discover. If you click on PHP (red circle in the screenshot above) you get a lot of statistics about all the vulnerabilities in PHP. When you click on "Browse all versions", the next view lists a table of all PHP versions that have known vulnerabilities. </div><div><br />
</div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMLnJIWtVlADNQnqQlwbVcfQLqo0EMIkI2Ci5rBSnYzpuFQt9_nwyN92BpbC13IlddZXobu54zhyphenhyphenvVJME6sRN_skMt4h5WzLF9dgieWVWPhJam6Q_VSGq6Ziy6nE5LASCwCr9O3HvkFJg/s1600/cvedetails_browse.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMLnJIWtVlADNQnqQlwbVcfQLqo0EMIkI2Ci5rBSnYzpuFQt9_nwyN92BpbC13IlddZXobu54zhyphenhyphenvVJME6sRN_skMt4h5WzLF9dgieWVWPhJam6Q_VSGq6Ziy6nE5LASCwCr9O3HvkFJg/s320/cvedetails_browse.png" width="320" /></a></div><div><br />
</div><div><br />
</div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi88VBB-HEUrpw_YzhSNPnshrFYeRyn2kW_bcj3lRQm9SfhXWR_1Bmpg3g4xT9qoa5kN5F7f7byBtC3BSwuhfwJDqyAVetelUsfUc5tVB5lVxu2iD3-YloUeVgukp9Mwe7K4rL9riJeGyc/s1600/php_versions.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi88VBB-HEUrpw_YzhSNPnshrFYeRyn2kW_bcj3lRQm9SfhXWR_1Bmpg3g4xT9qoa5kN5F7f7byBtC3BSwuhfwJDqyAVetelUsfUc5tVB5lVxu2iD3-YloUeVgukp9Mwe7K4rL9riJeGyc/s320/php_versions.png" width="283" /></a></div><br />
</div><div><br />
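The version lookup described above, as an added example that is not from the original post, from cvedetails or from NIST: the same search run against the NVD CVE API 2.0 by CPE name, reduced to CVE id, CVSS base score and whether NVD tags any reference as an exploit, which is the information the cvedetails result list shows. The endpoint, the cpeName and resultsPerPage parameters and the apiKey header are NVD's documented interface; the sample response at the bottom is constructed (placeholder ids and scores, not real NVD data) so the script can be tried offline.

```python
"""Look up reported CVEs for an exact product version via the NVD API.

Added example, not code from the original post. The NVD API 2.0 endpoint
and parameters are the documented ones; SAMPLE_RESPONSE is constructed.
"""
import json
import urllib.parse
import urllib.request

NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"


def cpe_name(vendor, product, version):
    """CPE 2.3 name for an application, e.g. cpe:2.3:a:php:php:5.3.5:*:*:*:*:*:*:*"""
    return "cpe:2.3:a:%s:%s:%s:*:*:*:*:*:*:*" % (vendor, product, version)


def query_url(vendor, product, version, per_page=200):
    params = {"cpeName": cpe_name(vendor, product, version),
              "resultsPerPage": per_page}
    return NVD_API + "?" + urllib.parse.urlencode(params)


def fetch(url, api_key=None, timeout=30):
    """Fetch one page of results (network). An apiKey header lifts the public
    rate limit; paging with startIndex is left out for brevity."""
    req = urllib.request.Request(url)
    if api_key:
        req.add_header("apiKey", api_key)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def base_score(cve):
    """Highest CVSS base score NVD lists (v3.1, v3.0 or v2), or None."""
    metrics = cve.get("metrics", {})
    scores = [m["cvssData"]["baseScore"]
              for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2")
              for m in metrics.get(key, [])]
    return max(scores) if scores else None


def summarize(response):
    """Reduce an NVD response to rows of id, score and exploit reference URLs,
    highest score first, so the items worth verifying on the target come up top."""
    rows = []
    for item in response.get("vulnerabilities", []):
        cve = item["cve"]
        exploits = [r["url"] for r in cve.get("references", [])
                    if "Exploit" in r.get("tags", [])]
        rows.append({"id": cve["id"], "score": base_score(cve), "exploits": exploits})
    rows.sort(key=lambda r: (r["score"] is None, -(r["score"] or 0), r["id"]))
    return rows


# Constructed sample in the shape of an NVD 2.0 response; ids and scores are
# placeholders, not real NVD data.
SAMPLE_RESPONSE = {
    "totalResults": 2,
    "vulnerabilities": [
        {"cve": {"id": "CVE-0000-0001",
                 "metrics": {"cvssMetricV2": [{"cvssData": {"baseScore": 5.0}}]},
                 "references": [{"url": "https://example.invalid/advisory",
                                 "tags": ["Vendor Advisory"]}]}},
        {"cve": {"id": "CVE-0000-0002",
                 "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5}}]},
                 "references": [{"url": "https://example.invalid/exploit",
                                 "tags": ["Exploit", "Third Party Advisory"]}]}},
    ],
}

if __name__ == "__main__":
    import sys
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    version = args[0] if args else "5.3.5"
    url = query_url("php", "php", version)
    print("query:", url)
    data = SAMPLE_RESPONSE if "--offline" in sys.argv else fetch(url)
    for row in summarize(data):
        flag = "exploit ref" if row["exploits"] else "-"
        print("%-16s %5s  %s" % (row["id"], row["score"], flag))
```

Run it with `--offline` to see the output format on the constructed sample, or with a version string to query NVD for real. The CPE name has to match NVD's vendor and product spelling exactly (for PHP both are "php"); a mistyped name returns zero results rather than an error, so an empty listing is worth double-checking against the NVD web search.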
</div><div>If you know more publicly available resources, leave a comment. Thanks.</div>
<br />
Useful Chrome Extensions regarding Pentesting (sushi2k, 2012-01-09)<br />
<br />
<div>
There are really a lot of different and useful extensions for Google Chrome that can be used when executing a pentest. Right now there are more pentesting add-ons available for Firefox, but the number of pentesting extensions for Chrome is growing pretty fast. So here is a short overview:</div>
<div>
<br /></div>
<div>
A good starting point is the <a href="http://www.firecat.fr/kromcat/">KromCAT</a> project (Google Chrome Catalog of Auditing exTensions). KromCAT provides a Mindmap that categorizes security and audit extensions for Google Chrome. You can download this catalogue as <a href="http://www.firecat.fr/kromcat/files/download/KromCAT_v1-0_Beta_(HTML).zip">HTML</a>, as the actual <a href="http://www.firecat.fr/kromcat/files/download/KromCAT_v1-0_Beta_(MindMap).zip">Mindmap</a> or as a <a href="http://www.firecat.fr/kromcat/files/download/KromCAT_v1-0_Beta.jpg">JPG</a> of it. The result of the KromCAT project is also the basis for <a href="http://www.getmantra.com/download/mantra-on-chromium/index.html">Mantra on Chrome</a>. Mantra is a customized Chrome build adapted for students, penetration testers, web application developers, security professionals etc., and it contains almost all extensions of the KromCAT Mindmap.<br />
<br />
As there is already a catalogue of extensions maintained by KromCAT I don't want to start my own list here. I just want to point out some extensions that are quite useful for me. I'm not using extensions for XSS scanning or tampering with HTTP data (especially because extensions like XSS Rays never worked for me). There are better tools like Burp for this kind of thing. All of these extensions still work with the latest version of Google Chrome and make my life easier when testing a web application:<br />
<br />
<a href="https://chrome.google.com/webstore/detail/mghenlmbmjcpehccoangkdpagbcbkdpc">Session Manager</a><br />
This extension is quite useful to save all your open tabs as one session and reopen them later in the same arrangement.<br />
<br />
<a href="https://chrome.google.com/webstore/detail/bmagokdooijbeehmkpknfglimnifench">Firebug Lite</a><br />
Firebug for Google Chrome<br />
<br />
<a href="https://chrome.google.com/webstore/detail/bfbameneiokkgbdmiekhjnmfkcnldhhm">Web Developer</a><br />
A web developer Toolbar<br />
<br />
<a href="https://chrome.google.com/webstore/detail/lhgkegeccnckoiliokondpaaalbhafoa">IP Address and Domain Information</a><br />
Quite useful in the information gathering phase to collect a lot of information about a certain IP or domain with one click.<br />
<br />
<a href="https://chrome.google.com/webstore/detail/alelhddbbhepgpmgidjdcjakblofbmce">Awesome Screenshot</a><br />
Great Extension to take and modify a screenshot.<br />
<br />
<a href="https://chrome.google.com/webstore/detail/caehdcpeofiiigpdhbabniblemipncjj">Proxy Switchy!</a><br />
Proxy Switchy! is an advanced proxy manager for Google Chrome; it allows users to manage and switch between multiple proxy profiles quickly and easily.</div>
<div>
<br /></div>
<div>
<a href="https://chrome.google.com/webstore/detail/bohahkiiknkelflnjjlipnaeapefmjbh">Note Anywhere</a></div>
<div>
With this extension you can make notes anywhere on any web page; when you open that page again, the notes are loaded automatically.</div>
<br />
Useful Firefox Add-ons regarding Pentesting (sushi2k, 2012-01-07)<br />
<br />
<div>There are really a lot of different and useful add-ons for Firefox that can be used when executing a pentest. </div><div><br />
</div><div>A good starting point is the <a href="http://firecat.fr/">FireCAT</a> project (Firefox Catalog of Auditing exTensions). FireCAT provides a Mindmap that categorizes security and audit add-ons for Firefox. You can download this catalogue as <a href="http://www.firecat.fr/files/download/FireCAT_v2-0_(HTML).zip">HTML</a> or as the actual <a href="http://www.firecat.fr/files/download/FireCAT_v2-0_(Mindmap).zip">Mindmap</a>. The result of the FireCAT project is also the basis for <a href="http://getmantra.com/">Mantra</a>. Mantra is a customized Firefox build adapted for students, penetration testers, web application developers, security professionals etc., and it contains almost all add-ons of the FireCAT Mindmap.</div><div><br />
</div><div>As there is already a catalogue of add-ons maintained by FireCAT I don't want to start my own list here. I just want to point out some add-ons that are quite useful for me. I'm not using add-ons for XSS or SQL injection scanning or tampering with HTTP data (especially because add-ons like XSS Me or SQL Inject Me never worked for me). There are better tools like Burp for this kind of thing. All of these add-ons still work with Firefox 9.0.1 and make my life easier when testing a web application:</div><div><br />
</div><a href="https://addons.mozilla.org/de/firefox/addon/hackbar/">HackBar</a><br />
This toolbar will help you in testing SQL injections, XSS holes and site security. It is NOT a tool for executing standard exploits and it will NOT teach you how to hack a site. Its main purpose is to help a developer do security audits on his code. If you know what you're doing, this toolbar will help you do it faster. If you want to learn to find security holes, you can also use this toolbar, but you will probably also need a book, a lot of Google and a brain.<br />
<div><br />
</div><div><a href="https://addons.mozilla.org/de/firefox/addon/firebug/">FireBug</a></div>Firebug integrates with Firefox to put a wealth of development tools at your fingertips while you browse. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page. <br />
<br />
<a href="https://addons.mozilla.org/de/firefox/addon/web-developer">Web Developer</a><br />
The Web Developer extension adds various web developer tools to a browser. <br />
<div><div><br />
</div><div><a href="https://addons.mozilla.org/de/firefox/addon/session-manager">SessionManager</a></div><div>Session Manager saves and restores the state of all or some windows - either when you want it or automatically at startup, after crashes or periodically. It can also automatically save the state of open windows individually.<br />
<br />
</div><div><a href="https://addons.mozilla.org/de/firefox/addon/internote/">Internote</a></div>Persistent and private sticky notes for Firefox. This can be very useful as a reminder or just to attach a note to a certain area of a website or input field.<br />
<div><br />
</div><div><a href="https://addons.mozilla.org/de/firefox/addon/awesome-screenshot-capture-/">Awesome Screenshot</a></div><div>Capture the whole page or any portion, annotate it with rectangles, circles, arrows, lines and text, blur sensitive info, one-click upload to share. During a pentest it's very important to document everything (like error messages for example)<br />
<br />
<a href="https://addons.mozilla.org/de/firefox/addon/worldip-flag-and-datacenter-pi/">WorldIP</a><br />
A great add-on for a first look in the information gathering phase of a pentest, to collect some information about an IP or domain.<br />
<br />
<a href="https://addons.mozilla.org/de/firefox/addon/foxyproxy-standard/">FoxyProxy</a><br />
FoxyProxy is a great tool to switch conveniently between different proxies, and it replaces the proxy settings provided by Firefox.</div></div>