Saturday, 29 June 2013

Cleaning wash in Kali

So I would try to run wash on my Kali box and the result would be:

root@hermes:~# wash -i mon0
Wash v1.4 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

BSSID                  Channel       RSSI       WPS Version       WPS Locked        ESSID
---------------------------------------------------------------------------------------------------------------


That was a bit hard to believe since the area is full of Wi-Fi networks! So here is the solution I found on Google. As root:

apt-get install libpcap-dev libsqlite3-dev
cd /usr/local/src/
wget http://reaver-wps.googlecode.com/files/reaver-1.4.tar.gz
tar -xvzf reaver-1.4.tar.gz
cd reaver-1.4/src/
./configure && make && make install

mv /usr/bin/wash /usr/bin/wash-old
ln -s /usr/local/bin/wash /usr/bin/wash
rm /usr/local/src/reaver-1.4.tar.gz

and we are good to go!


root@hermes:~# wash -i mon0
Wash v1.4 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
BSSID                  Channel       RSSI       WPS Version       WPS Locked        ESSID
---------------------------------------------------------------------------------------------------------------
90:01:3B:0D:xx:xx       1            -66        1.0               No                SKYDXXXX
BC:76:70:9C:xx:xx       1            -61        1.0               No                BTHub3-XXXX
AC:E8:7B:4B:xx:xx       1            -82        1.0               No                BTHub3-XXXX
7C:4C:A5:36:xx:xx       1            -68        1.0               No                SKYCXXXX


Stay tuned for more

:) 

Sunday, 23 June 2013

Android JellyBean and Asus TF101

This is not really a security post, rather a collection of links/resources I found useful whilst upgrading to Android 4.2.2 today. Since Asus has given up on the old TF101... and I wanted to check out JellyBean... I was forced to take this route.

DISCLAIMER: I am not crazy enough to save important data on my tablet so I do not need to back it up.. read the posts in the links if you want to save data.

Step 1:

Get the ROMs from here
xda-developers are awesome and if you are not registered I would recommend doing so (if you are into all that stuff anyway)

As the post says you need the Team EOS nightly build and the GAPPS package. Put them on a microSD card and you are ready.

Step 2:

Follow Frederuco's Guide to Root and ROM the TF101 and eventually boot into TWRP. Use the images from the microSD and voila!

All in all JellyBean is awesome; some of my favourite apps are:

  • Fing
  • Sophos Security Suite
  • Wifi Analyser


Enjoy


PS: This is a good read as well.



Thursday, 23 May 2013

Windows Hardening - SecureCheq

So I've come across a very nice tool today... SecureCheq is a free tool from Tripwire which uses configuration tests just like the ones defined in the CIS, ISO or COBIT standards to harden the following versions of Windows:

    Windows Server 2003/2008/2012
    Windows XP/7/8

You can get it from here, it does require registration but so far they have not flooded me with email so.. so far so good!

I do like the whole idea so I gave it a try... according to the site SecureCheq:
  • Tests for a subset of typical (and often dangerous) Windows configuration errors
  • Provides detailed remediation and repair advice
  • Tests for about two dozen critical but common configuration errors related to OS hardening, Data Protection, Communication Security, User Account Activity and Audit Logging.
  • Demonstrates how systems can be continually hardened against attack

On my Windows 7 Enterprise box:


Weirdly enough I cannot find and fix the one fail that I have left; I managed to configure all the group or security policies following the instructions provided, but not the SafeDLL one..


All in all it's a good product, worth trying out :)



Wednesday, 15 May 2013

F5 Monitors

Here are some very useful monitors I have created to keep track of services running on nodes behind F5 load balancers.


Shibboleth Monitor
Send String: GET /idp/profile/Status HTTP/1.1\r\nHost: idp.domain\r\nConnection: Keepalive\r\n\r\n
Receive String: ok

Access Gateway Monitor
Send String: GET /nesp/app/heartbeat HTTP/1.1\r\nHost: esp.domain.com\r\nConnection: Keepalive\r\n\r\n
Receive String: Success

Access Manager Identity Server Monitor
Send String: GET /nidp/app/heartbeat\r\n
Receive String: Success

ADFS Monitor
Send String: GET /adfs/fs/federationserverservice.asmx HTTP/1.1\r\nHost: \r\nConnection: Close\r\n\r\n
Receive String: HTTP/1.1 200 OK


Stay tuned for more

:) 
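As an added example (not part of the post, and not F5's own tooling), here is a small shell script that replays one of these monitors from the command line, which is handy for checking a Receive String before you save the monitor on the load balancer. F5 send strings carry the two-character escapes \r and \n; printf '%b' expands them to the CR/LF bytes the monitor actually puts on the wire. The function names, the 3-second timeout and the host names are my own, and nc (netcat) is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the blog): replay an F5 HTTP monitor from a shell.
# An F5 Send String is stored with literal \r and \n escapes; printf '%b'
# turns them into real CR/LF bytes, exactly what the monitor sends.
# Assumptions: nc (netcat) is installed; host names below are placeholders.

# Turn a monitor Send String into the bytes that go on the wire.
f5_send_bytes() {
    printf '%b' "$1"
}

# Byte length of the expanded send string (handy to compare with a pcap).
f5_send_len() {
    f5_send_bytes "$1" | wc -c | tr -d ' '
}

# Return 0 when the response text contains the Receive String, 1 otherwise.
# A fixed-string, case-sensitive match is used, as the monitor does.
f5_matches() {
    printf '%s' "$1" | grep -q -F -- "$2"
}

# Send the monitor's request to host:port and check the reply, 3 s timeout.
# Returns 0 (node would be UP) or 1 (node would be DOWN).
f5_probe() {
    host=$1; port=$2; send=$3; recv=$4
    reply=$(f5_send_bytes "$send" | nc -w 3 "$host" "$port")
    f5_matches "$reply" "$recv"
}

# Usage against a real node (idp.domain is a placeholder):
#   f5_probe idp.domain 80 \
#     'GET /idp/profile/Status HTTP/1.1\r\nHost: idp.domain\r\nConnection: Keepalive\r\n\r\n' ok \
#     && echo "Shibboleth monitor would be UP" || echo "DOWN"
```

For nodes that only speak TLS, swap the nc call in f5_probe for `openssl s_client -quiet -connect "$host:$port"`; the rest stays the same. The ADFS monitor above keeps the Host header empty, which is worth remembering when a service behind name-based virtual hosting answers with something other than 200 to such a request.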

Tuesday, 9 April 2013

Creating your own USB thumb drive switchblade

Everybody wants to have their favourite tools with them at all times... somebody will ask you to fix something/take a look at something.. you want to be a good boy scout and "be prepared" so.. enter YUMI.

"YUMI (Your Universal Multiboot Installer), is the successor to MultibootISOs. It can be used to create a Multiboot USB Flash Drive containing multiple operating systems, antivirus utilities, disc cloning, diagnostic tools, and more." - go get it
Making the whole thing is kinda intuitive so I am just going to list my preferred options here.

  1. You always need a good AV
    AVG Rescue CD
  2. Kali Linux (I feel naked without it :P)
    Kali 1.0.3
  3. DBAN (you never know when you might need to go kaboom!! plus the other distros don't have an up-to-date version of dban)
    dban-2.2.7
  4. Hiren's.BootCD is always nice to have
    http://www.hiren.info/pages/bootcd
  5. Ultimate Boot CD (another great collection of utils)
    ubcd521.iso
  6. Windows 7 PE release
    more details here
  7. Kon-boot 2.1 (it doesn't always work but... come on.. $20)
    for 20 bucks who can argue
  8. BitDefender Rescue CD
    bitdefender-rescue-cd.iso
  9. My toolbox folder with some portable or non-portable utilities
    Caine-4.0/
    Deft-7.1/
    etoolz-4.0/
    File_Scavenger/
    PortableApps/
    SysinternalsSuite/
Caine 4.0 was the only ISO that was being a pain, so the easy conclusion: if you want to conduct an investigation, install Caine 4.0 on a VM or workstation, but if you want to retrieve files from a live system all you need is:

FtkImager/
NirLauncher.cfg
NirLauncher.exe
NirSoft/
piriform/
sysinternals/
utilities/

If you need to take advantage of the live linux interface to capture evidence... go ahead and use Kali, you will find that she has all you need for that :)

Deft is also a very good distro that provides similar tools; for this one, download the ISO and copy the following files/dirs:

dart/
dart.exe
dart.ico

eToolz includes some of the most important network tools like NS-Lookup, Ping, TraceRoute and Whois.

File Scavenger is a data recovery utility that supports multiple file-system types: NTFS, FAT 32/16/12, Ext3, Ext4, XFS, HFS+, HFSX, UFS1 and UFS2.
You can download the utility and run it from the USB stick with no issues.


The portable apps directory has some extra apps that might be useful:

EraserPortable/
EvincePortable/
GIMPPortable/
LibreOfficePortable/
PuTTYPortable/
TrueCrypt/
WinSCPPortable/
WiresharkPortable/

SysinternalsSuite is always useful too
That's enough I would say.. :)

Monday, 8 April 2013

Kali linux - Nessus

Nessus rocks so it's a must on a pentesting box.. so here we go, an installation/configuration quick guide for the lazy..

cd ; wget http://goo.gl/CDTb5 -O Nessus-5.0.3-debian6_amd64.deb
dpkg -i Nessus-5.0.3-debian6_amd64.deb

and you will get...

All plugins loaded

 - You can start nessusd by typing /etc/init.d/nessusd start
 - Then go to https://localhost:8834/ to configure your scanner

don't forget to

rm Nessus-5.0.3-debian6_amd64.deb

go to Nessus HomeFeed (if you are a home user) and register to receive the activation code (xxxx-xxxx-xxxx-xxxx-xxxx)

Now you can go to https://localhost:8834 and continue with the setup.

If you want to use it from another box and you applied the simple firewall I recommended here, don't forget to allow traffic to that port by adding the following after the last line

iptables -A INPUT -p tcp --dport 8834 -m state --state NEW -j ACCEPT

and then running the script again.

After you set up the product and put in the key code you will see the admin interface, which is lovely, but everybody loves Metasploit, so...

/etc/init.d/postgresql start
/etc/init.d/metasploit start

msfconsole
msf >

All we need to do now is load the plugin...

load nessus

Authenticate with our server...

nessus_connect admin:password@localhost:8834

Check out the existing scan policies

nessus_policy_list

And kick off our scan using the External Network Scan policy (-4)

nessus_scan_new -4 Target1 <ip>

We can check to see how its going with

nessus_scan_status

When the scan finishes we can run

nessus_report_list

And finally

nessus_report_get <id_of_the_scan>

Now you can see that the results of the scan have been imported into Metasploit (just run 'hosts' and 'services' and you will see the new data).

If you want to see the results on the console you can always run

nessus_report_host_detail <ip> <port> tcp <report_id>


More to come :)

Sunday, 7 April 2013

Kali linux - iptables firewall

Well one of the things that Kali does not have is a firewall.. and even though I'm usually behind NAT (s/usually/always/g) I want to have one anyway.. so here it is:

root@hermes:~# cat /etc/firewall.sh

#!/bin/sh
# A very basic IPtables / Netfilter script

PATH='/sbin'

# Flush the tables to apply changes
iptables -F

# Default policy to drop 'everything' but our output to internet
iptables -P FORWARD DROP
iptables -P INPUT   DROP
iptables -P OUTPUT  ACCEPT

# Allow established connections (the responses to our outgoing traffic)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow local programs that use loopback (Unix sockets)
iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT

# Allow incoming traffic on defined ports
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

and in /etc/rc.local add before "exit 0"

# Launch my netfilter rules
if [ -e '/etc/firewall.sh' ]
then
    /bin/sh '/etc/firewall.sh'
fi

Of course do not forget to chmod +x /etc/firewall.sh
and...
Done :)

Source: Debian Wiki
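As an added example (this is neither the blog's script above nor the Debian wiki one), here is the same default-deny rule set written so that the allowed TCP ports, 22 for ssh and 8834 for the Nessus web interface from the previous post, live in one list, plus a DRY_RUN mode that prints the iptables commands instead of applying them, so the rule set can be reviewed on a box where you are not root. The ALLOW_TCP and DRY_RUN variables and the ipt and count_port_rules helpers are my own names.

```shell
#!/bin/sh
# Added example (not the blog's own script): the same default-deny firewall,
# with the allowed TCP ports kept in one list and a DRY_RUN mode that prints
# the rules instead of applying them, so the rule set can be reviewed anywhere.
# Assumptions: iptables lives in /sbin as on Debian; ALLOW_TCP and DRY_RUN are
# our own variables, not iptables ones.

PATH="/sbin:/usr/sbin:$PATH"

# Ports we accept new connections on: 22 for ssh, 8834 for the Nessus web UI.
# Override with: ALLOW_TCP="22 8834 443" sh /etc/firewall.sh
ALLOW_TCP="${ALLOW_TCP:-22 8834}"

# Run an iptables command, or just print it when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Flush, set default policies, then add the allow rules in order.
apply_rules() {
    ipt -F
    ipt -P FORWARD DROP
    ipt -P INPUT   DROP
    ipt -P OUTPUT  ACCEPT
    # Replies to our own outgoing traffic
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anything on the loopback interface
    ipt -A INPUT -i lo -j ACCEPT
    # One NEW-connection rule per allowed port
    for port in $ALLOW_TCP; do
        ipt -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
}

# How many per-port ACCEPT rules a given port list produces (dry run only).
count_port_rules() {
    ( ALLOW_TCP="$1"; DRY_RUN=1; apply_rules ) | grep -c -- '--dport'
}

# Apply for real only when run as /etc/firewall.sh (e.g. from rc.local),
# not when the file is sourced to use the functions.
case "$0" in
    */firewall.sh|firewall.sh) apply_rules ;;
esac
```

`DRY_RUN=1 sh /etc/firewall.sh` prints the exact commands that would run, which is a cheap review step before rebooting. One thing neither this nor the original script covers: iptables only filters IPv4, so on a box with IPv6 connectivity the same policy has to be loaded through ip6tables as well, otherwise a daemon listening on :: stays reachable over v6 regardless of the v4 rules.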

Saturday, 6 April 2013

Kali linux - recon-ng v3

This is the third and final post on recon-ng, covering automation among other things. After all, all this functionality is great but I don't want to kick it off manually every time!

I will mention some of the most interesting modules below, avoiding most of those that need real interaction, API keys or even registration (pwnedlist.com is an awesome service, but not free...).

One of the simplest commands in the recon-ng world is record (start/stop/status), which records the commands you type into a script that can later be run in sequence; it is really nothing more than a command-per-line file (saved by default at ./data/cmd.rc). So here we go: I have created my own script with my favourite modules.

Outputs from the script are either going to be saved in the database or under ./workspaces/default

Let's see the script (the comment lines can stay in; they are ignored just like in a shell script):

# Recon script recon.rc
# let's set up the environment
set workspace project1
set company "name of company"
set domain targetcompany.com
# important! setup a correct user-agent http://www.useragentstring.com/
set user-agent "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.60 Safari/537.17"
# let's start looking now
use recon/contacts/gather/http/whois_pocs
run
back
use recon/contacts/gather/http/jigsaw
run
back
# enough with people, let's get some hosts now
use recon/hosts/gather/dns/brute_force
run
back
use recon/hosts/gather/http/bing
run
back
use recon/hosts/gather/http/google
run
back
use recon/hosts/gather/http/netcraft
run
back
use recon/hosts/enum/dns/resolve
run
back
use recon/hosts/enum/http/geoip/hostip
run
back
use recon/hosts/enum/http/netcraft_history
run
back
use recon/hosts/enum/http/urlvoid
run
back
# let's see if there are any interesting files on the discovered hosts
# (files will be saved in the ./workspaces/project1 location)
use discovery/info_disclosure/http/interesting_files
run
back
# let's create a nice report as well
use reporting/html_report
set filename ./workspaces/project1/results.html
run
back


Ok... now let's run it and see what happens :)

./recon-ng -r recon.rc

Some additional modules I found interesting are:

use recon/contacts/support/mangle
info
use recon/hosts/enum/http/builtwith
info
use recon/hosts/enum/http/server_enum
info

but I would run them manually after the script to better play with the outputs..

That's it with recon-ng (until I find something else interesting to do with it really...) thanks for reading :)

Enjoy :)

Kali linux - recon-ng v2

Now moving from recon-ing people in the previous blog-post to hosts...

I assume we are at the "recon-ng >" prompt, so

use recon/hosts/gather/http/google
show options
set domain target.com
run


Notice how nicely it says

[*] Sleeping to Avoid Lock-out...

and finally

[*] 50 NEW hosts found!

Woohoo! Just to make sure everything is stored where it should be

query select * from hosts

[*] 51 rows returned


Lovely!

This does a great job, but it is not good enough to stop here; we should use different search engines. You can never expect Google or Bing or anybody really to be 100% accurate, so

back
use recon/hosts/gather/http/bing
show options
set domain target.com
run

[*] 3 NEW hosts found!


Which proves my previous point and at the same time illustrates that recon-ng is actually smart enough to know that it has discovered a host already and not to create duplicates :)

Anyway.. that's enough for today

More to come tomorrow :)

Kali linux - recon-ng v1

During my regular net-tool-mining I stumbled upon this tool, which looks like a free, command-line version of Maltego (which ships preinstalled with Kali)... everybody likes cmdline tools better though, so why not give it a go :)

What a lovely tool to play around with! As LaNMaSteR53 says on the site "If you want to exploit, use the Metasploit Framework. If you want to Social Engineer, use the Social Engineer Toolkit. If you want to conduct reconnaissance, use Recon-ng!"... and yes we shall!
If you don't have it, getting it is as simple as this (I put most of my stuff in /opt so..)

cd /opt; git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git

cd recon-ng
and finally

./recon-ng.py


Looks familiar, doesn't it? Here are some basics:

The basics are the same as in msf (Ctrl-L, show/use...). Tab completion works as well, which is awesome..

We can use set to define global options so we do not have to do that every time

set company "target company ltd"
set domain "target.com"

So..

Lets start collecting some info about the target

use recon/contacts/gather/http/jigsaw
show options
run


This will run and get a bunch of data for your db.. hm.. how do I see that data?

back
show schema


There we go! The table "contacts" is populated with the results from the jigsaw gatherer, and with an SQL-like query we can display it:

query SELECT * FROM contacts

Additionally you can export that data to something you can manipulate (if you wish to do so)

use reporting/csv_file
show options
set filename ./results.csv
run



Stay tuned... more to come :)

Monday, 25 March 2013

Kali linux - vmware workstation

Finally took the step since Kali is out and it's based on Debian (7)... so I replaced the base OS of my laptop with Kali :) good times (one would think!).

Installing VMware workstation 8 (there is a reason I am still using 8 I will not get into more detail here.. just go with it)

First of all make sure that in your /etc/apt/sources.list you have:

deb http://http.kali.org/kali kali main contrib non-free
deb http://security.kali.org/kali-security kali/updates main contrib non-free


deb-src http://http.kali.org/kali kali main contrib non-free

Then install your build essentials and the headers you need for the modules to be compiled after you are done with the install:

apt-get update && apt-get install build-essential linux-headers-$(uname -r)

cp /lib/modules/3.7-trunk-amd64/build/include/generated/uapi/linux/version.h /lib/modules/3.7-trunk-amd64/build/include/linux/

Now you can download VMware-Workstation-Full-8.0.6-1035888.x86_64.bundle, make it executable and run it.

After you are done though... make sure you add the following to the corresponding init.d files (otherwise they will break your update-rc.d mojo)

Just add the following lines after the shell definition (the #! line) at the top.

File: /etc/init.d/vmware-USBArbitrator

### BEGIN INIT INFO
# Provides:          vmware-USBArbitrator
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 5
# Default-Stop:      2 3 5
# Short-Description: Start daemon when vmware starts
# Description:       Enable service provided by daemon.
### END INIT INFO

File: /etc/init.d/vmware
### BEGIN INIT INFO
# Provides:          vmware
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 5
# Default-Stop:      2 3 5
# Short-Description: Start daemon when vmware starts
# Description:       Enable service provided by daemon.
### END INIT INFO

File: /etc/init.d/vmware-workstation
### BEGIN INIT INFO
# Provides:          vmware-workstation
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 5
# Default-Stop:      2 3 5
# Short-Description: Start daemon when vmware starts
# Description:       Enable service provided by daemon.
### END INIT INFO

I am quite sure the same thing would apply if you want to install VMware Workstation 9 on Kali Linux, but I make no promises; this is what worked for version 8 for me.
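Since the same header block goes into three files, here is an added example (my own script, not part of the post or of the VMware installer) that inserts it right after the #! line and leaves a file alone if it already carries a header, so it is safe to run again after a VMware reinstall. The header text and file names are the ones from the post; the function names are mine.

```shell
#!/bin/sh
# Added example (not the blog's own commands): insert the LSB header block
# into an init script right after its shebang line, skipping files that
# already have one, so update-rc.d stops complaining about missing headers.
# The header text is the one from the post; function names are our own.

# Print the LSB header for the given service name (Provides: field).
lsb_header() {
    cat <<EOF
### BEGIN INIT INFO
# Provides:          $1
# Required-Start:    \$remote_fs \$syslog
# Required-Stop:     \$remote_fs \$syslog
# Default-Start:     2 3 5
# Default-Stop:      2 3 5
# Short-Description: Start daemon when vmware starts
# Description:       Enable service provided by daemon.
### END INIT INFO
EOF
}

# Return 0 if the file already carries an LSB header.
has_lsb_header() {
    grep -q '^### BEGIN INIT INFO' "$1"
}

# Insert the header after line 1 (the shebang) of FILE for service NAME.
# Prints "added" or "skipped" so a caller can tell what happened.
add_lsb_header() {
    file=$1; name=$2
    if has_lsb_header "$file"; then
        echo "skipped"
        return 0
    fi
    tmp=$(mktemp) || return 1
    { sed -n '1p' "$file"; lsb_header "$name"; sed '1d' "$file"; } > "$tmp" \
        && cat "$tmp" > "$file"   # cat keeps the file's mode and ownership
    rm -f "$tmp"
    echo "added"
}

# Usage on the three vmware init scripts from the post (run as root):
#   for svc in vmware vmware-USBArbitrator vmware-workstation; do
#       add_lsb_header "/etc/init.d/$svc" "$svc"
#   done
```

Writing the new content back with `cat > file` rather than `mv` is deliberate: it keeps the executable bit and ownership the installer set, which a `mv` of the temp file would replace with mktemp's 0600.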


That's all for now, stay tuned..