This article will just provide some quick steps to get BackBox Linux ready with a database for Metasploit to use. To learn more about any of the framework commands shown below, run them with the '-h' switch to see the help.

First, start PostgreSQL:

sudo service postgresql start

Then log in as the database superuser, open psql, and create a user and database:

su - postgres

psql

CREATE USER user_name WITH PASSWORD 'SecretPassword';

CREATE DATABASE db_name;

GRANT ALL PRIVILEGES ON DATABASE db_name TO user_name;

\q

exit

Now we launch Metasploit and connect it to our DB

sudo msfconsole

db_connect user_name:SecretPassword@localhost/db_name

db_status

db_status should now report that postgresql is connected to db_name. Keep in mind that the line you typed into db_connect, password included, is saved with the rest of your console history in ~/.msf4/history; putting the same settings in ~/.msf4/database.yml lets msfconsole connect at start-up without retyping it.

Now let’s create some workspaces to hold our discoveries

workspace -a Company_A

workspace -a Domain_A

workspace -a Network_192

If we have some previously collected scan data, for example Nmap XML output, we can import it into the workspace:

workspace Network_192

db_import /home/user/nmaps/*.xml

Or we can just run a new scan from inside the console, which imports the results directly:

db_nmap -sV -O 192.168.0.0/24

Now we should see our scanned hosts and services

hosts

services

Lastly, if you want to move the data to another database server, MSF also provides a quick export function:

db_export /home/user/msfdb_dump.xml
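The same setup as a script, added here as an example (it is not code from the original post or from the Metasploit project): it creates the role and database non-interactively, writes a database.yml so msfconsole connects at start-up without a db_connect line, and renders a resource script that recreates the workspaces, the import and the scan above. It assumes PostgreSQL listening on localhost:5432, sudo access to the postgres account, Metasploit 4.x reading ~/.msf4/database.yml from the home of whichever user runs msfconsole (root's, if you use sudo msfconsole), and placeholder names (msf_user, msf_db, ~/nmaps) that you should change.

```shell
#!/bin/sh
# Added example, not code from the original post or from Metasploit.
# Assumptions: PostgreSQL listens on localhost:5432, this user can
# `sudo -u postgres`, and msfconsole (4.x) reads ~/.msf4/database.yml
# from the home directory of the user that runs it.
# msf_user / msf_db / ~/nmaps are placeholders.

DB_USER="${DB_USER:-msf_user}"
DB_NAME="${DB_NAME:-msf_db}"
DB_PASS="${DB_PASS:-SecretPassword}"   # pass a real one in the environment

# database.yml lets msfconsole connect at start-up, so the password is
# never typed into db_connect (and never saved to ~/.msf4/history).
render_database_yml() {                # $1 db, $2 user, $3 password
    cat <<EOF
production:
  adapter: postgresql
  database: $1
  username: $2
  password: $3
  host: 127.0.0.1
  port: 5432
  pool: 5
  timeout: 5
EOF
}

# Resource script for `msfconsole -r`: create the workspaces, make the last
# one active, import earlier Nmap XML, scan, then list what was found.
render_resource_script() {             # $1 nmap xml dir, $2 target, $3.. workspaces
    import_dir="$1"; target="$2"; shift 2
    for ws in "$@"; do echo "workspace -a $ws"; done
    echo "workspace $ws"
    echo "db_import $import_dir/*.xml"
    echo "db_nmap -sV -O $target"
    echo "hosts"
    echo "services"
}

# Create the role and database.  psql reads the SQL on stdin, so the
# password never appears on a command line or in `ps` output.  With this
# simple quoting the password must not contain a single quote.
create_db() {                          # $1 db, $2 user, $3 password
    sudo -u postgres psql -v ON_ERROR_STOP=1 <<EOF
CREATE USER "$2" WITH PASSWORD '$3';
CREATE DATABASE "$1" OWNER "$2";
EOF
}

main() {
    create_db "$DB_NAME" "$DB_USER" "$DB_PASS"
    mkdir -p "$HOME/.msf4"
    render_database_yml "$DB_NAME" "$DB_USER" "$DB_PASS" > "$HOME/.msf4/database.yml"
    chmod 600 "$HOME/.msf4/database.yml"   # it holds a password
    render_resource_script "$HOME/nmaps" 192.168.0.0/24 \
        Company_A Domain_A Network_192 > "$HOME/msf_setup.rc"
    echo "next: msfconsole -r $HOME/msf_setup.rc"
}

# Run only when invoked as `sh msf_setup.sh apply`; otherwise just define
# the functions so they can be sourced or checked.
if [ "${1:-}" = "apply" ]; then main; fi
```

Run it as `sh msf_setup.sh apply` on the box; the generated .rc file is plain msfconsole commands, so anything from the console session above can be appended to it and replayed on the next engagement.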

That concludes this short lesson, happy hunting!

Sometimes it's really fun to watch people stumble about.
Watching the drunk bloke leave the local pub after way too many.
Seeing him stumble about in his drunken dance, trying to stay on his feet.
Just before he hits the curb he loses his footing and tumbles onto his back into the middle of the roadway.

At least that's what it feels like when you see the constant attempts to run web scanning tools against websites these days.
The scripts and tools have been dumbed down so much that most people running them have no idea what they are doing.

That being said, it's not nearly as much fun if the players don't understand the rules of the game.

So here is your first installment of how to UN-n00B your Nikto script.
Since Nikto is such a commonly used tool, it is something more website admins will look for and try to block.
The easiest way for them to do this is to filter on the default Nikto user agent, since many n00Bs will not bother to change this value.

Here is what it looks like in the web server logs:
(screenshot: the default Nikto user agent as it appears in the access log)

Pretty easy to see the big “Kick Me” sign there.
So let’s make that look better shall we?
First we need to verify we have a newer version of Nikto (v2+):
./nikto.pl --Version
(screenshot: Nikto version info)
(older versions of Nikto require modification of the actual Perl modules, not covered here)

Next we edit the nikto.conf file (for BT users that's /pentest/web/nikto/nikto.conf).
We want to change the USERAGENT line, which in Nikto 2.1.x reads
USERAGENT=Mozilla/5.00 (Nikto/@VERSION) (Evasions:@EVASIONS) (Test:@TESTID)
(screenshot: default agent value in nikto.conf)
to something more friendly, such as the user agent string of a common browser:
(screenshot: modified user agent in nikto.conf)

Now when we look at the web server logs we see our changes:
(screenshot: access log after the user agent change)
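Both sides of the game above, as an added example that is not code from the original post or from Nikto: the nikto.conf edit done with sed, the naive user-agent filter an admin might write, and the filter that still catches the scan after the agent has been changed, because Nikto's probing of hundreds of non-existent paths leaves a pile of 404s behind regardless of what the agent says. It assumes nikto.conf keeps the agent on a line starting with USERAGENT= (Nikto 2.1.x) and Apache/nginx "combined" log format; the log lines, IPs and paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from Nikto.
# Assumptions: nikto.conf has a "USERAGENT=" line (Nikto 2.1.x) and the
# web server writes "combined" logs (status in field 9, agent in the last
# quoted field).  The log below is constructed, not a real capture.

# Rewrite the USERAGENT line in nikto.conf and print the result.  The new
# agent goes into a sed replacement, so it must not contain '|' or '&'.
set_nikto_useragent() {                # $1 conf path, $2 new agent string
    conf="$1"; ua="$2"
    sed "s|^USERAGENT=.*|USERAGENT=$ua|" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    grep '^USERAGENT=' "$conf"
}

# The n00b filter: requests that announced themselves as Nikto.
count_default_nikto_ua() {             # $1 access log
    grep -c 'Nikto/' "$1" || true      # grep exits 1 on zero matches
}

# The filter that survives a changed agent: clients that pile up 404s.
# Prints "ip count" for every client with at least $2 of them.
flag_scanners() {                      # $1 access log, $2 threshold
    awk -v t="$2" '$9 == 404 { c[$1]++ }
        END { for (ip in c) if (c[ip] >= t) print ip, c[ip] }' "$1" | sort
}

# Constructed sample log: a normal visitor, a scan with the default agent,
# and a scan whose agent was changed to look like Firefox.
make_sample_log() {
    cat <<'EOF'
192.0.2.10 - - [10/Oct/2012:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0"
192.0.2.10 - - [10/Oct/2012:10:00:02 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 6.1; rv:16.0) Gecko/20100101 Firefox/16.0"
10.0.0.5 - - [10/Oct/2012:10:01:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000001)"
10.0.0.5 - - [10/Oct/2012:10:01:00 +0000] "GET /cgi-bin/ HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000002)"
10.0.0.5 - - [10/Oct/2012:10:01:01 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000003)"
10.0.0.5 - - [10/Oct/2012:10:01:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:000004)"
10.0.0.6 - - [10/Oct/2012:10:02:00 +0000] "GET /cgi-bin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/16.0"
10.0.0.6 - - [10/Oct/2012:10:02:00 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/16.0"
10.0.0.6 - - [10/Oct/2012:10:02:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/16.0"
10.0.0.6 - - [10/Oct/2012:10:02:01 +0000] "GET /backup/ HTTP/1.1" 404 209 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/16.0"
EOF
}

# Demo: the agent filter sees only 10.0.0.5; the 404 filter sees both.
demo() {
    d=$(mktemp -d)
    make_sample_log > "$d/access.log"
    echo "requests with the default Nikto agent: $(count_default_nikto_ua "$d/access.log")"
    echo "clients with 3 or more 404s (agent-independent):"
    flag_scanners "$d/access.log" 3
    rm -rf "$d"
}
demo
```

The point of the second filter is the caveat to this whole post: changing the agent removes the "Kick Me" sign, but it does not change what Nikto does, and a 404-rate rule (or the Test:NNNNNN token, if you forget to remove it) still gives you away.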

The Smackin9 of Hakin9

Posted: 2012/10/02 in Uncategorized

The folks here at SecurityPimp.net have been doing this Information Security thing for some time.  Back in the early days knowledge, tools, and training usually came from a hidden BBS, and later private IRC channels. But as technology and the internet have evolved, so have the training methods and the sharing in our hacking community.

It's always good to learn new things, or how to do old things even better. It's that thirst for knowledge that led me to a FREE subscription to a new Information Security & Hacking electronic publication known as “Hakin9”.  How I came to know about this publication I do not remember, but I'm sure it had something to do with the free issues and some decent talking points on the cover.

Who doesn’t like free stuff? Over the next few months I received more links for issues to download for free. Then around Fall/Winter of 2011 things changed. The “Hakin9” publication was going to start charging for their electronic monthly issues.  No big deal I will pay a fair price for quality content. And so far so good right?

About that price.. So I click on the “Subscribe Now” link and see a price of $180 for a 1 year subscription. Or if you break it down $15 a month (the cost of a decent tablet, 3 x monthly Netflix subscription, 2 x annual Amazon Prime).  So does this include any swag, extra tools, access to member forums or anything special? Nope.. $180 for the magazine for 1 person (guess that means others can’t read your magazine). 

About that magazine.. After the first 2 issues I had downloaded I realized there was not much “new” content included; it almost felt like a version of 2600 quarterly but with cheaper content (and no cool phone pictures). Since then I have mostly tuned out the entire publication and everything associated with it. The most interaction I have these days is seeing the Hakin9 emails spamming my garbage email account at least 2 times a week (over 300 in the past year alone), begging me to buy their wares..

Then the other day I found this little gem on our twitter timeline:

(image: the tweet)

Which leads you here: an email thread on the Nmap boards which outlines how Hakin9 got trolled by some of their “volunteer” authors. Judging by how hard they spammed my inbox just to sell the product, I can only imagine how hard these guys were spammed to give them FREE product to sell in their magazine.

So you start off with something decent and catch everyone's attention, then modify your business model to disgust and gouge your customers. Then, after charging an inflated fee for your mediocre product, you do not even bother to proofread the content you sell?

(image)

And with support drying up very quickly, hopefully we just see another fly-by-night security outfit go out into that good night..

Looking for a chance to have fun and show your stuff to the industry players?
CSAW CTF Begins this weekend.

“CSAW CTF is an entry-level CTF, designed for undergraduate students who are trying to break into security. Challenges are specifically designed to point students in directions that will help them understand fundamental concepts and develop practical skills. Our sponsors are big players in the security field, who are serious about hiring the right people with the right skills. Our judges are world-renowned experts in the security field, who are dedicated to making sure that our challenges are designed to test these skills.” https://csawctf.poly.edu/

Wish I had some wild story involving Aliens, Play-Doh, 2 wristwatches and 4 midgets to share as an excuse for my lack of updates. But the play-doh ran out before we were able to even get started.

Instead I offer this as something to help quench your hacking appetite while I was away..

It's just human nature: the more enthusiastically someone speaks about something, the more it seems to stick in your mind. That is how I would describe a recent talk on password cracking given by Robert Imhoff-Dousham at Defcon this year. I won't recap his entire presentation, which you can review for yourself, but I will touch on a few key points which may affect many of the policies and practices in use out in the real world today.

“Passwords must contain 8 characters and include upper case and numbers”

This ‘rule’ is used by many websites, corporate domains, and networking devices. But as is the case with many information security standards, by the time it is adopted by the masses it is already weakened or outdated. Another point of human nature is that we usually take the path of least resistance, even more so when dealing with something uncomfortable, which for most average people includes working on computer systems. So let's take a closer look at this rule and how it applies in practice.

Let's see: Password1
While most users are hopefully wise enough not to use such an obvious word, most will still do the following: use an uppercase letter as the first character, because it's easier to remember that way since that's how we write; and use a number as the last character, because after all AOL only had the username “StickyBuns234” available for me.

So I, as an attacker, can simply modify my brute-force method to test for these specific rules, reducing your 8-character password to something closer to 6 characters of real guesswork.

Well, it's brute force, so it would take years to actually crack, right?
With the advancement of both the GPU and cloud computing markets this is no longer the case. Take GPU brute forcing: using a newer 8-core GPU with a rainbow-table or multi-hash cracking tool and pumping 8000+ streams at the operation, a brute force calculator shows that 1 box with 4 GPUs would need ~240 hours. Spread across 4 boxes with 4 GPUs each, that comes down to 2.5 days, and doubling the boxes halves the time again. These numbers are for a truly complex 8-character password. Users following the flawed habits above really have something closer to a 6-character password, depending on my table/dictionary files.

So depending on how valuable your password, or passwords in general, are to me, I may be able to scale a small server farm just to break user passwords (see the presentation for a cool shopping list showing a $50k 40-GPU super cracking server that will eat your password up in less than 140 seconds).

Conversely, adding just 1 or 2 characters to your required password length can make this attack vector almost nonexistent again (well, maybe not against the 40-GPU super server), since every extra unrestricted character multiplies the keyspace by the size of the character set.
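The keyspace arithmetic behind the "8 becomes 6" argument above, as an added example (it is not from the talk or from the original post). It writes the two candidate sets as hashcat-style masks, using the charset sizes hashcat uses (?l and ?u are 26 letters each, ?d 10 digits, ?s 33 symbols, ?a all 95 printable ASCII), and works out the worst-case time to exhaust each at an assumed rate; the 1e9 hashes per second figure in the demo is a placeholder for "one cracking box", not a measured number.

```shell
#!/bin/sh
# Added example, not code from the talk or the original post.
# Charset sizes follow hashcat's built-in masks: ?l/?u 26, ?d 10, ?s 33,
# ?a 95.  The 1e9 H/s rate below is an assumed figure, not a benchmark.

# Keyspace of a mask: product of the charset size at each position.
mask_keyspace() {                      # $1 mask such as '?u?l?l?l?l?l?l?d'
    m="$1"; n=1
    while [ -n "$m" ]; do
        rest=${m#??}                   # drop the first two characters
        if [ "$rest" = "$m" ]; then    # fewer than two left: malformed
            echo "malformed mask near: $m" >&2; return 1
        fi
        tok=${m%"$rest"}; m=$rest      # tok is the leading "?x" token
        case "$tok" in
            '?l'|'?u') n=$((n * 26)) ;;
            '?d')      n=$((n * 10)) ;;
            '?s')      n=$((n * 33)) ;;
            '?a')      n=$((n * 95)) ;;
            *) echo "unknown mask token: $tok" >&2; return 1 ;;
        esac
    done
    echo "$n"
}

# Worst-case seconds to run the whole mask at a given hashes-per-second rate.
seconds_to_exhaust() {                 # $1 mask, $2 rate (H/s)
    echo $(( $(mask_keyspace "$1") / $2 ))
}

# How many times larger the nominal policy keyspace is than the mask an
# attacker actually has to run once the human pattern is assumed.
pattern_gain() {                       # $1 full mask, $2 pattern mask
    echo $(( $(mask_keyspace "$1") / $(mask_keyspace "$2") ))
}

demo() {
    full='?a?a?a?a?a?a?a?a'            # what "8 chars, mixed" nominally allows
    human='?u?l?l?l?l?l?l?d'           # Capital first, digit last, letters between
    six='?a?a?a?a?a?a'                 # six unrestricted characters, for comparison
    rate=1000000000                    # assumed: 1e9 H/s for one box
    echo "full 8-char mask:   $(mask_keyspace $full) candidates, ~$(seconds_to_exhaust $full $rate) s"
    echo "human-pattern mask: $(mask_keyspace $human) candidates, ~$(seconds_to_exhaust $human $rate) s"
    echo "six unrestricted:   $(mask_keyspace $six) candidates"
    echo "gain from assuming the pattern: $(pattern_gain $full $human)x"
}
demo
```

At the assumed 1e9 H/s the full 8-character mask takes about 6.6 million seconds (roughly 77 days) to exhaust, the Capital-letters-digit mask 80 seconds. The pattern's keyspace (about 8.0e10) is actually smaller than that of six unrestricted characters (95^6, about 7.4e11), which is what "closer to a 6-character password" means in numbers; one more ?a position multiplies the full keyspace by 95, which is the arithmetic behind the previous paragraph.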

Creating secure passwords can be as simple as coming up with a memorable phrase instead of just a word or two. Here is a great video on how to do this. Also remember: NEVER use the same password on multiple sites; it makes it much easier to steal all your gold pieces..

One of the good things about long airport layovers is the chance you finally get to catch up on your reading. Which is what it finally took to crack open my last issue of Wired magazine. I must say I was quite amused to find an article outlining the love/hate relationship between AT&T and Apple. Since I have never been an Apple fan I usually just tune out most news related to them, which may explain why many of the details in the article were new to me. The tale ends up being a good example of a “FAILationship”, and the fact that it starred two of my favorite US corporations just made it that much more comical. Read the article Here

Meanwhile, no matter how frustrated AT&T got with Jobs, it had little choice but to stand by him. It would have been devastating to lose the iPhone after investing billions of dollars and endless reputational capital. And so the relationship carried on, dysfunctional and loveless though it was. Divorce, at least for the time being, was not an option.

(image: iPhone blowup)

Sometimes carrying around a laptop to conduct wireless recon can be a pain.
Today I will show how, with your rooted Android and a couple of free programs from the Android marketplace, you can begin doing some real wireless recon.

Install:

To start, search for and install the following 5 programs:
1) Droidwall
2) WiFi Analyzer
3) Shark for Root
4) Shark Reader
5) Network Discovery

Some other useful tools: ssh client, file manager w/SMB, RDP client, Wireless Tether,
Android Webserver, FTP client & server

Setup:

Once all programs are installed we set up Droidwall (a per-app iptables whitelist) so each recon app is allowed out through the firewall, like so:
(screenshot: Droidwall rule 1)
(screenshot: Droidwall rule 2)
Continue doing this for Network Discovery and any other programs
you wish to use during your recon fun.

Action:

We launch our WiFi Analyzer:
(screenshot: WiFi Analyzer)
Using the signal strength meter we find a good access point to visit.
Then we launch Shark to eat up the packets out there:
(screenshot: Shark for Root capturing)
Eventually we will end up with some data to read.
We can use Shark Reader now, or a desktop later, to read the data (Shark writes ordinary pcap files, so Wireshark opens them).
(screenshot: Shark Reader 1)
(screenshot: Shark Reader 2)
We can also use our Network Discovery tool to find devices
and services running on the target network:
(screenshot: Network Discovery)

Some more advanced techniques using the additional tools mentioned above (the web server and wireless tether, for example) would be to launch phishing attacks in areas where users have to log in through a web-based portal.

When looking for cool spots to capture some traffic try your networks, coffee shops, airports, campuses, hotels, etc…

Freshly back from a new round of security conferences, I will take a moment to point out one of the more interesting topics for me this time around.
The discussion on cell phone spying (not that I made it inside the actual talk, with the ungodly line). More specifically, how by using a frequency flooding technique on 2G networks it's possible to do a MITM-style eavesdrop on conversations and data. You can read more about it Here

As mentioned in the article a workaround for this issue would be to disable 2G mode on GSM phones.

Here is the quick and dirty way to do this in Android (tested on a rooted phone).
DISCLAIMER: Forcing 3G mode will use more battery.
Also, if you're not on GSM don't try this @ home...duh

Open the Dialer and enter: *#*#4636#*#*
After entering the code you will be presented with a “Testing” menu.
Choose “Phone Information”.
Scroll all the way down to “Set preferred network type” and change this setting to WCDMA only.
That's it!

(screenshot: Android set to 3G-only mode)

I take no credit for the fix above, as it was posted on the Android dev forums.
Also, this protects you only from this exploit and others that target 2G; many other GSM insecurities still exist. Another related topic discussed was using a Tor client to obfuscate your traffic and make yourself much more anonymous. I will cover this topic a bit more in some upcoming Android-based posts.

Pimpin’ is Pimpin’

Posted: 2009/06/11 in Uncategorized

I must apologize for the lack of updates.
Between work and other projects my hacking research has suffered.
BUT! Rest assured the security pimp is still pimpin’
I’m just doing it in another fashion at the moment.
My first home studio album will be released next month..
Hopefully still with enough time to give my hacking skills a week or 2 to prep up for Blackhat & Defcon this year ..

Find out more about my musical project Here