Tuesday, 9 April 2013

Creating your own USB thumb drive switchblade

Everybody wants to have their favorite tools with them at all times... somebody will ask you to fix something/take a look at something.. you wana be a good boyscout and "be prepared" so.. enter YUMI.

"YUMI (Your Universal Multiboot Installer), is the successor to MultibootISOs. It can be used to create a Multiboot USB Flash Drive containing multiple operating systems, antivirus utilities, disc cloning, diagnostic tools, and more." - go get it
 Making the whole thing is kinda intuitive so I am just going to list my preferable options here.

  1. You always need a good AV
    AVG Rescue CD
  2. Kali Linux (I feel naked without it :P)
    Kali 1.0.3
  3. DBAN (you never know when you might need to go kaboom!! plus the other distros don't have an up-to-date version of dban)
    dban-2.2.7
  4. Hiren's.BootCD is always nice to have
    http://www.hiren.info/pages/bootcd
  5. Ultimate Boot CD (another great collection of utils)
    ubcd521.iso
  6. Windows 7 PE release
    more details here
  7. Kon-boot 2.1 (it doesn't always work but... come on.. 20$)
    for 20 bucks who can argue
  8. BitDefender Rescue CD
    bitdefender-rescue-cd.iso
  9. My toolbox folder with some portable or non-portable utilities
    Caine-4.0/
    Deft-7.1/
    etoolz-4.0/
    File_Scavenger/
    PortableApps/
    SysinternalsSuite/
Caine 4.0 was the only iso that was being a pain... so easier conclusion... If you want to conduct an investigation yes install Cain 4.0 on a VM or workstation, but if you want to retrieve files from a live system... all you need is:

FtkImager/
NirLauncher.cfg
NirLauncher.exe
NirSoft/
piriform/
sysinternals/
utilities/

If you need to take advantage of the live linux interface to capture evidence... go ahead and use Kali, you will find that she has all you need for that :)

Deft is also a very good distro that provides similar tools for this one download the iso and copy the following files/dirs:

dart/
dart.exe
dart.ico

eToolz includes some of the most important network tools like NS-Lookup, Ping, TraceRoute and Whois.

File Scavenger is a data recovery utility that supports multiple file-system types: NTFS, FAT 32/16/12, Ext3, Ext4, XFS, HFS+, HFSX, UFS1 and UFS2.
You can download the utility and run it from the USB stick with no issues.


The portable apps directory has some extra apps that might be useful:

EraserPortable/
EvincePortable/
GIMPPortable/
LibreOfficePortable/
PuTTYPortable/
TrueCrypt/
WinSCPPortable/
WiresharkPortable/

SysinternalsSuite is always useful too
Thats enough I would say.. :)

Monday, 8 April 2013

Kali linux - Nessus

Nessus rocks so its a must on a pentesting box.. so here we go, installation/configuration/quick guide for the lazy..

cd ; wget http://goo.gl/CDTb5 -O Nessus-5.0.3-debian6_amd64.deb
dpkg -i Nessus-5.0.3-debian6_amd64.deb

and you will get...

All plugins loaded

 - You can start nessusd by typing /etc/init.d/nessusd start
 - Then go to https://localhost:8834/ to configure your scanner

dont forget to

rm Nessus-5.0.3-debian6_amd64.deb

go to Nessus HomeFeed (if you are a home user) and register to receive the activation code (xxxx-xxxx-xxxx-xxxx-xxxx)

Now you can go to https://localhost:8834 and continue with the setup.

If you want to use it from another box and you applied the simple firewall I recommended here  don't forget to allow traffic to that port by adding after the last line

iptables -A INPUT -p tcp --dport 8834 -m state --state NEW -j ACCEPT

and then running the script again.

After you setup the product, put in the key-code you will see the admin interface.. which is lovely but... everybody loves metasploit so...

/etc/init.d/postgresql start
/etc/init.d/metasploit start

msfconsole
msf >

All we need to do now is load the plugin...

load nessus

Authenticate with our server...

nessus_connect admin:password@localhost:8834

Check out the existing scan policies

nessus_policy_list

And kick off our scan using the External Network Scan policy (-4)

nessus_scan_new -4 Target1 <ip>

We can check to see how its going with

nessus_scan_status

When the scan will finish we can run

nessus_report_list

And finally

nessus_report_get <id_of_the_scan>

Now you can see that the resuls of the scan have been imported on metasploit (just run 'hosts' and 'services' and you will see the new data.

If you want to see the results on the console you can always run

nessus_report_host_detail <ip> <port> tcp <report_id>


More to come :)

Sunday, 7 April 2013

Kali linux - iptables firewall

Well one of the things that Kali does not have is a firewall.. and even though I'm usually behind NAT (s/usually/always/g) I want to have one anyway.. so here it is:

root@hermes:~# cat /etc/firewall.sh

#!/bin/sh
# A very basic IPtables / Netfilter script

PATH='/sbin'

# Flush the tables to apply changes
iptables -F

# Default policy to drop 'everything' but our output to internet
iptables -P FORWARD DROP
iptables -P INPUT   DROP
iptables -P OUTPUT  ACCEPT

# Allow established connections (the responses to our outgoing traffic)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow local programs that use loopback (Unix sockets)
iptables -A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT

# Allow incoming traffic on defined ports
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

and in /etc/rc.local add before "exit 0"

# Launch my netfilter rules
if [ -e '/etc/firewall.sh' ]
then
    /bin/sh '/etc/firewall.sh'
fi

Of course do not forget to chmod +x /etc/firewall.sh
and...
Done :)

Source: Debian Wiki

Saturday, 6 April 2013

Kali linux - recon-ng v3

This is the third and final post on recon-ng, covering automation among other things. After all all this functionality is great but I don't want to kick it off manually every time!

Some of the most interesting modules I will mention below avoiding most that need real interaction or APIs or even registration (pwnedlist.com yeah awesome service but not free...)

One of the simplest commands in the recon-ng world is record (start/stop/status) where you can record and create a script that contains a series of commands to be run in sequence, really nothing more than a command-per-line file (default save at ./data/cmd.rc) so... here we go, I have created my own script with my favorite modules.

Outputs from the script are either going to be saved in the database or under ./workspaces/default

Lets see the script (the comments will be run in a shell so you can leave them there.. bash knows what a comment looks like):

# Recon script recon.rc
# lets set up the environment
set workspace project1
set company "name of company"
set domain targetcompany.com
# important! setup a correct user-agent http://www.useragentstring.com/
set user-agent "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.60 Safari/537.17"
# lets start looking now
use recon/contacts/gather/http/whois_pocs
run
back
use recon/contacts/gather/http/jigsaw
run
back
# enough with people lets get some hosts now
use recon/hosts/gather/dns/brute_force
run
back
use recon/hosts/gather/http/bing
run
back
use recon/hosts/gather/http/google
run
back
use recon/hosts/gather/http/netcraft
run
back
use recon/hosts/enum/dns/resolve
run
back
use recon/hosts/enum/http/geoip/hostip
run
back
use recon/hosts/enum/http/netcraft_history
run
back
use recon/hosts/enum/http/urlvoid
run
back
# lets see if there are any intresting files in the discovered hosts
# (files will be saved in the ./workspaces/project1 location)
use discovery/info_disclosure/http/interesting_files
run
back
# lets create a nice report as well
use reporting/html_report
set filename ./workspaces/project1/results.html
run
back


Ok... now lets run it and see what happens :)

./recon-ng -r recon.rc

Some additional modules I found interesting are
use recon/contacts/support/mangle
info
use recon/hosts/enum/http/builtwith

info
use recon/hosts/enum/http/server_enum

info

but I would run them manually after the script to better play with with outputs..

That's it with recon-ng (until I find something else interesting to do with it really...) thanks for reading :)

Enjoy :)

Kali linux - recon-ng v2

Now moving from recon-ing people in the previous blog-post to hosts...

I assume we are at "recon-ng >" point so

use recon/hosts/gather/http/google
show options
set domain target.com
run


Notice how nicely it says

[*] Sleeping to Avoid Lock-out...

and finally

[*] 50 NEW hosts found!

Woohoo! Just to make sure everything is stored where it should be

query select * from hosts

[*] 51 rows returned


Lovely!

This will do a great job but not good enough to stop here... we should use different search engines. You can never expect google or bing or anybody really to be 100% accurate.. so

back
use recon/hosts/gather/http/bing
show options
set domain target.com
run

[*] 3 NEW hosts found!


Which proves my previous point and at the same time illustrates that recon-ng is actually smart enough to know that it has discovered a host already and not to create duplicates :)

Anyway.. that's enough for today

More to come tomorrow :)

Kali linux - recon-ng v1

During my regular net-tool-mining I have stumbled upon this tool which looks like a command line version/free version of Maltego (which ships preinstalled with Kali)... everybody likes cmdline tools better though so why not give it a go :)

What a lovely tool to play around with! As LaNMaSteR53 says on the site "If you want to exploit, use the Metasploit Framework. If you want to Social Engineer, us the Social Engineer Toolkit. If you want to conduct reconnaissance, use Recon-ng!"... and yes we shall!
If you don't have it getting it is as simple as this (I put most of my stuff in /opt so..)

cd /opt; git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git

cd recon-ng
and finally

./recon-ng.py


Looks familiar doesn't it? Here are some basics:

The basics are the same with msf (Ctr-L, show/use...) Tab completion works which is awesome as well..

We can use set to define global options so we do not have to do that every time

set company "target company ltd"
set domain "target.com"

So..

Lets start collecting some info about the target

use recon/contacts/gather/http/jigsaw
show options
run


This will run and get a bunch of data for your db.. hm.. how do I see that data?

back
show schema


There we go! The table "contacts" is populated with the results from the jigsaw gatherer and with an SQL-like query we can present that

query SELECT * FROM contacts

Additionally you can export that data to something you can manipulate (if you wish to do so)

use reporting/csv_file
show options
set filename ./results.csv
run



Stay tuned... more to come :)