Archive for August, 2010

Weaponizing cmd.exe – Port Scanning

Posted in Fu (a.k.a Tips) on August 30, 2010 by Skyler

I have posted a new entry on how to conduct port scans from cmd.exe.

Read it here on the new blog!

Weaponizing cmd.exe – UN/PW Guessing

Posted in Fu (a.k.a Tips) on August 27, 2010 by Skyler

This is a fantastic way to automate a dictionary attack against Windows accounts from cmd.exe. This is part of my salute to Pentesting Ninjitsu.

See the full version on the new blog!


Weaponizing cmd.exe – Enumerate users (in spite of RestrictAnonymous)

Posted in Fu (a.k.a Tips) on August 26, 2010 by Skyler

Okay. Continuing on with the series. Now that we have mapped the network, we need to enumerate users on the active hosts. Often you will be performing a penetration test against a Windows machine. If the machine has RestrictAnonymous set, you may find it difficult to enumerate users over your null session. It is important to note that this does not make it impossible! Tools like enum rely on null-session enumeration, so RestrictAnonymous = 2 ruins the use of that tool (and others like it). I am going to show you a method to brute force usernames in a different manner. For this you will need two tools, sid2user and user2sid. You can get them here.

Read the rest of the post on the new blog!


Weaponizing cmd.exe – DNS Reverse Lookup

Posted in Fu (a.k.a Tips) on August 25, 2010 by Skyler

Here is a nice way to perform a reverse lookup of all the hosts on your network. It simply runs the nslookup <ip> command against each address in turn.

Find the entire post on the new blog site!


Weaponizing cmd.exe – Ping Sweep

Posted in Fu (a.k.a Tips) on August 24, 2010 by Skyler
This is part of my tribute to PenTesting Ninjitsu. Here is a nice quick way to perform a ping sweep from the windows command line.

See the official post on the new blog!

We have moved to SecureGossip!!!

Posted in News on August 23, 2010 by Skyler

Security Reliks has become part of the SecureGossip initiative!

All of our posts will now be made over there, as well as an archive of older posts!

We Moved Here!

Enabling /dev/tcp on Backtrack 4r1 (Ubuntu)

Posted in Fu (a.k.a Tips) on August 23, 2010 by Skyler

After my post on weaponizing /dev/tcp, I had some feedback from people trying to test it out. Users on a Debian-based system (Backtrack included) will have issues because the distribution's bash is not compiled with net redirections enabled, so /dev/tcp/<host>/<port> is treated as an ordinary file path instead of a socket. All it requires is a quick recompile of the shell with that feature turned on, and a few changes after that:

Step 1: Download the latest BASH source

use a browser to get it here.

or

cd /tmp
wget https://ftp.gnu.org/gnu/bash/bash-4.1.tar.gz

Root is not needed for the download. Before you build a shell that is about to become /bin/bash, check the tarball against the detached GPG signature (the matching .sig file next to it on ftp.gnu.org) using the GNU keyring.

NOTE: Backtrack ships an older version of bash. I am not sure whether they do this for any specific reason. I compiled 4.1 and haven't had any issues. Let me know if you know otherwise.

Step 2: Extract the source code

tar zxvf bash-4.1.tar.gz
cd bash-4.1

Step 3: Configure and install

./configure --enable-net-redirections
make
sudo make install

Build as your normal user; only the install needs root. With the default prefix the new binary lands in /usr/local/bin/bash, so /bin/bash is left alone until the next step and you can still fall back to the distribution's shell if the build is broken.

Step 4: Point /bin/bash at the new version

cp /bin/bash /bin/bash-OLD
ln -s /usr/local/bin/bash /bin/bash.new
mv -f /bin/bash.new /bin/bash

Keep the copy as bash-OLD so you can revert. Creating the symlink under a temporary name and renaming it over /bin/bash means there is never a moment without a /bin/bash (the plain mv-then-ln order leaves a window in which any script starting with #!/bin/bash fails). /bin/sh is untouched, so boot scripts still run under the distribution's shell. Note that a later package upgrade of bash will put the distribution binary back in /bin/bash, so redo this step after one.

Step 5: Test!

Check that your new installation works. Close your current terminal and reopen it so you pick up the new shell, then compare the bash found on your PATH with the one behind /bin/bash:

reliks@bt:/tmp$ bash --version
GNU bash, version 4.1.0(1)-release (i686-pc-linux-gnu)
.....
reliks@bt:/tmp$ /bin/bash --version
GNU bash, version 4.1.0(1)-release (i686-pc-linux-gnu)

Both should report the version you just installed, and they should match. If they differ, an older bash is still ahead of /usr/local/bin on your PATH.

You can now test whether your access to /dev/tcp works:

cat < /dev/tcp/time.nist.gov/13

There you go! You should get back the time according to NIST (its daytime service on TCP port 13). If you instead see "No such file or directory", the shell running that line still lacks net redirections; check echo $BASH_VERSION and which bash. A "Connection refused" or a timeout, on the other hand, means the redirection itself worked and the problem is on the network side.
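Here is an added example (editor's code, not from the original post) that turns the check above into a reusable script and then puts /dev/tcp to work the way the earlier weaponizing post did: a small port prober and a banner grabber. It assumes a bash binary on PATH and the GNU coreutils timeout command; the hosts, ports and sample error strings in it are placeholders, not anything from the post.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Checks that the bash on
# PATH has net redirections and then uses /dev/tcp as a small port prober
# and banner grabber. Assumes GNU coreutils `timeout`; the hosts, ports and
# sample error strings used below are placeholders.

# Map the stderr of a failed  exec 3<>/dev/tcp/HOST/PORT  to a verdict.
# A bash built without --enable-net-redirections treats /dev/tcp/... as an
# ordinary path under /dev, so the failure is ENOENT rather than a socket
# error; that is the signature of a shell that still needs rebuilding.
classify_devtcp_error() {
    case "$1" in
        "")                            echo open ;;
        *"No such file or directory"*) echo unsupported ;;
        *"Connection refused"*)        echo closed ;;
        *"timed out"*|*"unreachable"*|*"No route to host"*) echo filtered ;;
        *)                             echo error ;;
    esac
}

# Probe one TCP port: prints open | closed | filtered | unsupported | error.
# The connect is isolated in a child bash because (a) bash has no connect
# timeout of its own, so `timeout` turns a dropped SYN into exit code 124,
# and (b) a failed exec redirection makes a non-interactive bash exit.
probe_port() {
    local host=$1 port=$2 secs=${3:-3} err rc=0
    err=$(timeout "$secs" bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$host" "$port" 2>&1) || rc=$?
    if [ "$rc" -eq 124 ]; then
        echo filtered
    else
        classify_devtcp_error "$err"
    fi
}

# Does the bash on PATH support /dev/tcp?  Exit status 0 = yes, 1 = no.
# Port 1 on loopback only has to provoke a connect(); refused is fine.
devtcp_supported() {
    [ "$(probe_port 127.0.0.1 1 2)" != unsupported ]
}

# Scan a space-separated list of ports:  scan_ports 10.0.0.5 "22 80 443"
scan_ports() {
    local host=$1 p
    for p in $2; do
        printf '%s:%s %s\n' "$host" "$p" "$(probe_port "$host" "$p")"
    done
}

# Read the first line a service sends (SSH, SMTP, FTP, or the NIST daytime
# service on TCP/13 from the post). Prints an empty line if it stays silent.
grab_banner() {
    local host=$1 port=$2 secs=${3:-3}
    timeout "$secs" bash -c '
        exec 3<>"/dev/tcp/$1/$2"
        IFS= read -r -t "$3" line <&3
        printf "%s\n" "$line"
        exec 3<&-
    ' _ "$host" "$port" "$secs" 2>/dev/null
}

# Usage:  bash devtcp.sh HOST ["PORT PORT ..."]   (ports default as below)
if [ "$#" -gt 0 ]; then
    if devtcp_supported; then
        scan_ports "$1" "${2:-21 22 25 80 443}"
        grab_banner "$1" 22
    else
        echo "this bash was built without net redirections" >&2
        exit 1
    fi
fi
```

The functions themselves are POSIX sh so the script can be invoked by any shell; the redirection is always handed to an explicit child bash, which is also what keeps a refused or hung connect from killing the script, since bash exits when an exec redirection fails in a non-interactive shell and has no connect timeout of its own.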

Let me know if you have any issues! thanks!