This time i found 2 little scripts that i wrote some time ago:
word.pl: this is a command line dictionary, it will connect to www.dictionary.com and parse the results.I find it very useful, you don't to load the browser :)
translate.pl: this one is almost the same that the other, but it will translate a word from english to spanish (you could change the language easy). This also run from command-line.
They are very useful, unless for me ;)
Get it here:
http://www.edge-security.com/word-translate.tar
Edge-security blog about Penetration testing, OSINT, security tools, and other interesting stuff.
Tuesday, December 21, 2004
Tuesday, December 14, 2004
GoogleDigger v0.2
Well another perl tool, this time i wrote a program for the Google Hacking madness.
The tool, ask google for queries that it takes from a file , looking for known vulnerabilities in web applications (password files, config files, etc) of a specific domain.
The queries file is updatable, and it source is the GHDB (Google Hacking DataBase).
Language: Perl
Get it Here:
http://www.edge-security.com/googledigger-02.tar
The tool, ask google for queries that it takes from a file , looking for known vulnerabilities in web applications (password files, config files, etc) of a specific domain.
The queries file is updatable, and it source is the GHDB (Google Hacking DataBase).
Language: Perl
Get it Here:
http://www.edge-security.com/googledigger-02.tar
Thursday, December 9, 2004
GoogleHarvester Version 0.3
This tool searchs in google for all email addresses from a specific domain, to collect potential account names for the pentest. It supports the use of proxy.
Language: Perl
You can get a copy here:
http://www.edge-security.com/googleharvester-0.3.pl
Language: Perl
You can get a copy here:
http://www.edge-security.com/googleharvester-0.3.pl
ProxyFinder, a perl tool to find working proxies.
This program download and parse a list of open proxys, from 2 websites (samair and multiproxys), and then check if the proxies are working. Can test for GET and CONNECT method.
You could restrict the search for a specific number of working proxies.
Language: Perl
You can get a copy here:
http://www.edge-security.com/proxyfinder-0.3.pl
You could restrict the search for a specific number of working proxies.
Language: Perl
You can get a copy here:
http://www.edge-security.com/proxyfinder-0.3.pl
DigDug, a domain analyser tool.
This is a perl program for auditing a DNS, it will brute force a domain asking for hostnames taken from a predefined list. The list has the most common names used for hosts.
It supports hybrid querys to find a broader range of hosts.
You can download it here:
http://www.edge-security.com/digdug-0.8.tar
It supports hybrid querys to find a broader range of hosts.
You can download it here:
http://www.edge-security.com/digdug-0.8.tar
Wednesday, December 1, 2004
GDB Basic-Howto v0.1
-What is Gdb?
Gdb is a debugger, it will let us to see what is happening inside a program.
-What programs can be debugged?
GDB supports C, C++, Fortran, Java, assembly, and Modula-2.
Basics of GDB:
-First you need to compile your program with the -ggdb, so this way,
GDB knows the names of your variables and what each line of your program says. If we use gcc for compiling our programs we use:
#gcc -o myprogram myprogram.c -ggdb
-Now we are able to load the file in the gdb:
#gdb myprogram
or
#gdb
(gbd)file myprogram
Once the file is loaded in the GDB we have a lot of possible actions,
we are going to see the ones that i use most.
*list: print lines from a source file. by default it prints 10 lines.
there are various way of printing:
(gdb)list linenum
Print lines centered around line number linenum in the current source file.
(gdb)list startline,numlines
Print numlines starting from startline in the current source file.
(gdb)list function
Print lines centered around the beginning of function function.
(gdb)set listsize count
Make the list command display count source lines (unless the list argument explicitly specifies some other number).
*disassem: display memory as machine instructions (disassembly)
(gdb)disas main
show the machine instructions for the function main
*break: Breakpoints are set with the break command, a breakpoint stop the program at the desired point:
(gdb) break linenum
Set a breakpoint at line linenum in the current source file.
The current source file is the last file whose source text was printed.
The breakpoint will stop your program just before it executes any of the code on that line.
(gbd) break *address
Set a breakpoint at address address. You can use this to set breakpoints in parts of your program which do not have debugging information or source files.
After breaking the execution we could:
-Continue the execution: continue or c
-Execute until another line reached: step or s
-Step by machine execution instead of source line: stepi or si
-Execute next line, include any function call: next or n
-Execute next machine instruction: nexti or ni
-Resume the execution at specified line or address: jump line or jump address
*info registers: it shows the values of the registers in that moment of the execution.
*print: It evaluates and prints the value of an expression of the language your program is written in.
(gdb) print $ebp
it shows the address where is ebp
(gdb) print $esp
it shows the address where is esp
*x: examine memory in any of several formats, independently of your program's data types. It shows the content of a variable.
(gdb)x/24 $esp
it will show 24 words addresses starting from $esp
(gdb)x $ebp+4
it shows the return address
(gdb)x/24 $ebp
it shows the sorrounding addresses from $ebp
(gdb)x 0xbffffa0c
it shows the content at that address
Gdb is a debugger, it will let us to see what is happening inside a program.
-What programs can be debugged?
GDB supports C, C++, Fortran, Java, assembly, and Modula-2.
Basics of GDB:
-First you need to compile your program with the -ggdb, so this way,
GDB knows the names of your variables and what each line of your program says. If we use gcc for compiling our programs we use:
#gcc -o myprogram myprogram.c -ggdb
-Now we are able to load the file in the gdb:
#gdb myprogram
or
#gdb
(gbd)file myprogram
Once the file is loaded in the GDB we have a lot of possible actions,
we are going to see the ones that i use most.
*list: print lines from a source file. by default it prints 10 lines.
there are various way of printing:
(gdb)list linenum
Print lines centered around line number linenum in the current source file.
(gdb)list startline,numlines
Print numlines starting from startline in the current source file.
(gdb)list function
Print lines centered around the beginning of function function.
(gdb)set listsize count
Make the list command display count source lines (unless the list argument explicitly specifies some other number).
*disassem: display memory as machine instructions (disassembly)
(gdb)disas main
show the machine instructions for the function main
*break: Breakpoints are set with the break command, a breakpoint stop the program at the desired point:
(gdb) break linenum
Set a breakpoint at line linenum in the current source file.
The current source file is the last file whose source text was printed.
The breakpoint will stop your program just before it executes any of the code on that line.
(gbd) break *address
Set a breakpoint at address address. You can use this to set breakpoints in parts of your program which do not have debugging information or source files.
After breaking the execution we could:
-Continue the execution: continue or c
-Execute until another line reached: step or s
-Step by machine execution instead of source line: stepi or si
-Execute next line, include any function call: next or n
-Execute next machine instruction: nexti or ni
-Resume the execution at specified line or address: jump line or jump address
*info registers: it shows the values of the registers in that moment of the execution.
*print: It evaluates and prints the value of an expression of the language your program is written in.
(gdb) print $ebp
it shows the address where is ebp
(gdb) print $esp
it shows the address where is esp
*x: examine memory in any of several formats, independently of your program's data types. It shows the content of a variable.
(gdb)x/24 $esp
it will show 24 words addresses starting from $esp
(gdb)x $ebp+4
it shows the return address
(gdb)x/24 $ebp
it shows the sorrounding addresses from $ebp
(gdb)x 0xbffffa0c
it shows the content at that address
Thursday, November 25, 2004
GCC -mpreferred-stack-boundary=num
Another thing to keep in mind when dealing with exploits is the stack alignement so here is little info that may help you:
"-mpreferred-stack-boundary=num
Attempt to keep the stack boundary aligned to a 2 raised to num byte boundary. If -mpreferred-stack-boundary is not specified, the default is 4 (16 bytes or 128 bits), except when optimizing for code size (-Os), in which case the default is the minimum correct alignment (4 bytes for x86, and 8 bytes for x86-64).
On Pentium and PentiumPro, double and long double values should be aligned to an 8 byte boundary (see -malign-double) or suffer significant run time performance penalties. On Pentium III, the Streaming SIMD Extension (SSE) data type __m128 suffers similar penalties if it is not 16 byte aligned.
To ensure proper alignment of this values on the stack, the stack boundary must be as aligned as that required by any value stored on the stack. Further, every function must be generated such that it keeps the stack aligned. Thus calling a function compiled with a higher preferred stack boundary from a function compiled with a lower preferred stack boundary will most likely misalign the stack. It is recommended that libraries that use callbacks always use the default setting.
This extra alignment does consume extra stack space, and generally increases code size. Code that is sensitive to stack space usage, such as embedded systems and operating system kernels, may want to reduce the preferred alignment to -mpreferred-stack-boundary=2."
"-mpreferred-stack-boundary=num
Attempt to keep the stack boundary aligned to a 2 raised to num byte boundary. If -mpreferred-stack-boundary is not specified, the default is 4 (16 bytes or 128 bits), except when optimizing for code size (-Os), in which case the default is the minimum correct alignment (4 bytes for x86, and 8 bytes for x86-64).
On Pentium and PentiumPro, double and long double values should be aligned to an 8 byte boundary (see -malign-double) or suffer significant run time performance penalties. On Pentium III, the Streaming SIMD Extension (SSE) data type __m128 suffers similar penalties if it is not 16 byte aligned.
To ensure proper alignment of this values on the stack, the stack boundary must be as aligned as that required by any value stored on the stack. Further, every function must be generated such that it keeps the stack aligned. Thus calling a function compiled with a higher preferred stack boundary from a function compiled with a lower preferred stack boundary will most likely misalign the stack. It is recommended that libraries that use callbacks always use the default setting.
This extra alignment does consume extra stack space, and generally increases code size. Code that is sensitive to stack space usage, such as embedded systems and operating system kernels, may want to reduce the preferred alignment to -mpreferred-stack-boundary=2."
Tuesday, November 23, 2004
SecurityForest ExploitTree
I started working on the ExploitTree, what is this? it is an extensive collection of exploits(2250), it pretends to be the largest and best organized collection available. It works trough CVS, there is a perl client to work with it (ExploitTree.pl). How can you help? creating a user, and downloading a .zip file with 25 exploits, and classifying them into the ExploitTree estructure, then you update de ExploitTree! it's easy and you learn in the process. Check more in www.securityforest.com
Buffer Overflow and Fedora Core 3
I was trying some buffer overflow examples in my Fedora Core 3, and after hitting the wall for about 3 hours i found that fedora core 3 has a stack proctection (exec-shield) enabled, so one way to disable it is "sysctl -w kernel.exec-shield=0" or "echo 0 > /proc/sys/kernel/exec-shield".
(beware that now you machine is vulnerable to Buffer overflows).
Note: This also apply to Fedora Core 2.
(beware that now you machine is vulnerable to Buffer overflows).
Note: This also apply to Fedora Core 2.
Subscribe to:
Posts (Atom)
Wfuzz 2.2.0 released
I'm pleased to announce a new version of WFuzz! Wfuzz has been created to facilitate the task in web applications assessments and it...
-
In the last few weeks everyone has been talking about Shellshock, the vulnerability affecting bash and having security ramifications everyw...
-
I'm pleased to announce a new version of WFuzz! Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for findi...
-
In one of the latest penetration tests we faced a SSH server that was based in Maverick SSHTOOLS. The funny thing is that this server was ...