Room362.com

Blatherings of a security addict.

Back on Twitter


I’ve been debating making this kind of post for about a week, and I apologize for the RSS spam. But it was getting a bit repetitive telling people via DM, email or other communication what happened.

When I took my hiatus from Twitter, I zero’d out my followers, so, if you care to, please check to see if you are still following me. I will be watching my follows closely and will refollow people I might have missed in my initial run through.

http://twitter.com/mubix

Thanks, Rob

Burp Tip of the Day - Nikto Db Import


CKTricky over at http://cktricky.blogspot.com has been running an awesome Burp Tip of the Day series on his blog. After seeing him use Nikto through Burp, I decided to see if I could just export the list of checks to a text file so that I could use them over and over in Intruder. After a bit of awk and sed hell I figured it out, and submitted it to him for acceptance to his BTotD series. Yesterday it was posted ;–)

Here: http://cktricky.blogspot.com/2009/10/btod-importing-nikto-db-to-intruder.html

Here is the ugly command I came up with:

  • cat /pentest/web/nikto/plugins/db_tests | awk -F "," '{print $4}' | sed 's/^"*//;s/"$//' | sed 's/^@CGIDIRS//;s/@ADMIN//;s/^@NUKE//;s/^@POSTNUKE//;s/^@PHPMYADMIN//' | sed 's/^\///' > ~/nikto_burp.txt

What you are sacrificing here are the checks for the CGIDIRS, ADMIN, NUKE, POSTNUKE, and PHPMYADMIN interfaces. Personally, I’ve modified this script a bit, but you can modify it how best fits your tests:

  • cat /pentest/web/nikto/plugins/db_tests | awk -F "," '{print $4}' | sed 's/^"*//;s/"$//' | sed 's/^@CGIDIRS/cgi-bin\//;s/@ADMIN//;s/^@NUKE//;s/^@POSTNUKE//;s/^@PHPMYADMIN/phpMyAdmin\//' | sed 's/^\///' > ~/nikto_burp.txt

This way I could cover at least the most common cgi and phpMyAdmin directories.
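The same conversion as a small shell function, added here as an example (it is not from the post, CKTricky's series or Nikto itself). It splits records on the `","` separator so a comma inside a quoted URI field does not shift the columns the way the plain `-F ","` does, applies the @CGIDIRS/@PHPMYADMIN mapping from the modified command above, and de-duplicates the output. The db_tests records are constructed sample lines; the assumption that the fourth field holds the URI comes from the post's own command.

```shell
#!/bin/sh
# Constructed sample of Nikto db_tests records (not the real file).
# Field layout assumed from the post: field 4 is the request URI.
SAMPLE_DB='"000001","0","1","/cgi-bin/test.cgi","GET","200","","","","","sample","",""
"000002","0","2","@CGIDIRSfoo.cgi","GET","200","","","","","sample","",""
"000003","0","3","@PHPMYADMINconfig.inc.php","GET","200","","","","","sample","",""
"000004","0","3","@ADMINlogin.php","GET","200","","","","","sample","",""
"000005","0","4","/index.php","GET","200","","","","","sample","",""
# a comment line, which db_tests may contain and which must be skipped
'

# Read db_tests records on stdin, print one Intruder payload per line.
nikto_to_intruder() {
    awk -F'","' '
        /^#/ || NF < 4 { next }               # skip comments and short records
        {
            uri = $4
            # Expand the two Nikto placeholders the post keeps, drop the rest,
            # mirroring the modified command in the post.
            sub(/^@CGIDIRS/, "cgi-bin/", uri)
            sub(/^@PHPMYADMIN/, "phpMyAdmin/", uri)
            sub(/^@ADMIN/, "", uri)
            sub(/^@POSTNUKE/, "", uri)
            sub(/^@NUKE/, "", uri)
            sub(/^\//, "", uri)               # Intruder payloads are relative
            if (uri != "") print uri
        }' | LC_ALL=C sort -u                 # stable order, no duplicates
}

# Stand-alone run over the constructed sample; redirect to a file for Intruder.
printf '%s' "$SAMPLE_DB" | nikto_to_intruder
```

Feed the real file with `nikto_to_intruder < /pentest/web/nikto/plugins/db_tests > ~/nikto_burp.txt` to get the list the post describes.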

SquareSpace, New Design and Call for Contributors


The site has been down for a while, there were a lot of factors that played into that, but mostly it was focus on some family, as I had some in town. I also came to the conclusion that it’s time to move to “the cloud” so I moved over to SquareSpace (using the coupon code: DEFCON </end shameless plug>). I have an actual web designer looking at hooking this thing up right.

Also, I wanted to ask if anyone was interested in becoming a writer for Room362, opening it to more people to contribute to the content here. Shoot me an email: mubix@hak5.org or one of the other ones I have on the net and we’ll work something out.

Thanks, and see you around the net.

Rob

Password / Word Lists


Brute force, even though it’s gotten so fast, is still a long way away from cracking long complex passwords. That’s where word lists come in handy. It’s usually the cracker’s first go-to solution: slam a word list against the hash; if that doesn’t work, try rainbow tables (if they happen to have the tables for that specific hash type), and then the full-on brute force. Some would say those first two steps are reversed, and it really is the choice of the person doing it and the word lists they have to work with.

Matt Weir and company created a cool tool that has the best of both worlds, Dictionary based Rainbow Tables with Dr-Crack, which you can find here:

http://reusablesec.googlepages.com/drcrack

But, back to the reason of this post, word lists. Where do you get them? Here are a couple of my favorite places in no particular order:

http://www.packetstormsecurity.org/Crackers/wordlists/
http://www.theargon.com/achilles/wordlists/
http://www.openwall.com/wordlists/
http://www.outpost9.com/files/WordLists.html

I like to keep 3 sizes of word lists:
1. small and fast: usually based on the output of one of the tools I’m about to tell you about
2. medium: this is my custom list, to which I add passwords I find / crack and generally think are good to add. I’m pretty picky about what goes into this list
3. huge: any wordlist I come across gets added to this list; it gets sorted, uniqued and restored

Now, the two tools that I like for the small list are CeWL and wyd:

CeWL – http://www.digininja.org/projects/cewl.php
Wyd – http://www.remote-exploit.org/codes_wyd.html

They have very similar feature lists, so your mileage may vary, but they basically parse files and web pages for words and generate password lists based on the words found.

Update on 2011-02-11 08:01 by Rob Fuller

Korelogic’s password lists: http://contest.korelogic.com/wordlists.html

Korelogic’s John rule set: http://contest.korelogic.com/rules.html

Update on 2010-03-30 05:00 by Rob Fuller

I missed one hell of a treasure trove of word lists:

http://trac.kismac-ng.org/wiki/wordlists

Right now, their list is this:

OpenWall:

By operat0r

Update on 2010-03-30 04:22 by Rob Fuller

Recent additions:

GPU Hash / Password Cracking


I recently upgraded my video card and had a rough time finding programs that fit the hype of GPU password cracking, so here is what I found so that you won’t have as hard a time.

Ivan Golubev’s SHA1/MD5/MD4 cracker:
http://www.golubev.com/hashgpu.htm

Ivan Golubev’s RAR pass cracker:
http://www.golubev.com/rargpu.htm

CUDA Multiforcer (down at the time of this posting)
http://www.cryptohaze.com/bruteforcers.php

BarsWF – MD5 Cracker:
http://3.14.by/en/md5

GPU MD5 Crack: (Included in BackTrack 4 repos “gpu-md5-crack”)
http://bvernoux.free.fr/md5/index.php

Distributed Hash Cracker:
http://rpisec.net/projects/show/hash-cracker
“This is an interesting one as it has a PHP front end and is agent based, so you can use one or a dozen computers, and it will use the CPUs and GPUs available.”

Pentoo Live CD with a bunch of GPU cracking goodness built in:
http://pentoo.blogspot.com/

Extreme GPU Bruteforcer (39.95 Euro)
http://www.insidepro.com/eng/egb.shtml

ElcomSoft Distributed Password Recovery ($599 for 1st lvl – 20 hosts)
http://www.elcomsoft.com/edpr.html

ax0n from http://www.h-i-r.net/ shot me an email stating that BT4 has some more GPU tools added to it:

Just FYI, BT4 also added some CUDA GPU cracking functionality a while back ago. IIRC it includes Pyrit and CUDA-Multiforcer — maybe a few others. Pyrit is a CUDA-enabled WPA-PSK cracker that you may also be interested in.

Pyrit – WPA/PSK – WPA2/PSK GPU cracker
http://code.google.com/p/pyrit/

Corrections and Questions About Nessus on Securabit


Update: I can’t say with 100% certainty that Nessus ever used NMAP as its base scanner; I was going off of memory. I apologize for not being perfect.

Update 2 Since people can’t seem to let it go, I would say that I was totally wrong and the nmap was absolutely never used in nessus ever, but then I would be caught in another absolute that I can’t confirm. According to their wiki, the nmap nasl script were taken out because people were No, I haven’t listened to the latest episode of Securabit in which Paul comes on and talks about Nessus. If he states in there that nmap was never the port scanning engine for nessus, then please go bug him if you think he is wrong.

Update 3: Ron Gula of Tenable has confirmed via email that Nessus has never used nmap as its base scanner. Also, Attrition.org posted a bit of history on the subject: http://attrition.org/misc/ee/nessus_and_nmap.html

On Securabit Episode 37 I made the statement that some people could be running nmap and not even know it. While this could still hold true, the context I put around it, “Nessus uses nmap for scanning”, showed my years a bit. That statement is now a falsehood. Nessus uses its own “optimized” port scanner. I put quotes around the word “optimized” simply because I don’t know what tweaks have been done. Paul Asadoorian from PaulDotCom Security Weekly sent an email in to Securabit letting us know of the error.

I didn’t take the news very gallantly, but Paul was nice enough to lay out how someone would go about using nmap with Nessus these days. Those steps are pretty drawn out too, which I find kind of disheartening: not only do you not have nmap as your base port scanner, but the NASL scripts to use nmap are no longer included in the base install of Nessus (according to Paul; I haven’t confirmed that, but he does work for the company). And who knows why they decided to leave those scripts out, but you will have your chance to ask those questions, because Paul will be on Securabit LIVE tonight at 8 PM EST (September 16th 2009) to tie up any loose ends and talk about Nessus.

For more info about tonight’s show:
http://www.securabit.com/2009/09/15/securabit-live-wednesday-with-paul-asadoorian-from-pauldotcom/

Simplicity Is Security


Per the best of the best in presenting, what breeds a good presentation slide deck? Simplicity.

I want to pose a statement: “Simplicity is Security”. The reason I say this is that in this day and age, at least in the US, ‘convenience’ is king, and we try to protect those conveniences with ‘security’. Let me start over a bit. This train of thought all started when I began to explain the insecurities in WiMAX to my wife. We saw a WiMAX device that plugged straight into your computer. I told her this was bad because by connecting to this you have no barrier between you and the ‘bad guys’ other than possibly the Windows Firewall. Her answer surprised me. ‘So?’ is all she said.

Japan doesn’t use ‘Check Cards’ or even really credit cards, for that matter. To get such a card you need to go through a book’s worth of paperwork, so it’s just not ‘convenient’ for most people, so they don’t get them. So guess what? They don’t bank online, and they don’t buy stuff online. I racked my brain to figure out what could possibly be on her computer that a ‘bad guy’ would want. I couldn’t think of anything (maybe you can). The government relies on paper backups of anything electronic (so they hardly make electronic versions). Signatures are based on stamps that are difficult to copy. The worst a hacker could do with her computer is use it as a zombie, and even then, their ISPs detect and disconnect excessive use.

Where did we as “Security Professionals” go wrong? Was it the fat paychecks we wanted? Was it the fear of the ‘underground’? Reality seems to dictate that we will continue on this path from the analog to the digital, from paper and clerks to networks and AI. The question I want to ask you, though, is: should we continue down the path of “MORE SECURITY”, or should we deviate a bit toward simpler, possibly non-technical practices?

In these last two posts you may assume that I favor the Japanese culture and way of life over a US one. You would be mistaken; I simply learn, take the best parts of what I learn, and try to apply them where I can. Learning from others’ triumphs and defeats, strengths and weaknesses, is a basic human function that we as humans should embrace.

Applied Network Security Density


I recently visited Tokyo, Japan. Just as always, my curiosity got the best of me and I started to calculate the population density of the buildings where I was staying. Giving a fudge factor for non-populated apartments, I estimated 8,500 families in twelve 15-story buildings, living on a 1.5 mile square piece of land. That’s CRAZY. Mass transit and unrestricted modes of transit are not a whim; they are a requirement. I bet you’re asking how this applies to security, or for that matter computers at all. It doesn’t. But one of its effects does.

As an effect of this density, the Mom & Pop businesses flourish. In that density, the “big iron” is just too inconvenient; it doesn’t work. I used the reference for a reason. It was my own mental bridge between the “real” and security worlds (anyone who denies the difference is confused, and/or just left DefCon).

What is the “Big Iron” in the security world? Central management, correlation, and other ways of supposedly spending “less” on security by having fewer points of failure. So this is where I stray from the path. I think that networks need to mimic their worldly equivalent. Large organizations need to take a page from Tokyo and decentralize. Yes, it’s hard getting ‘good’ people, and trust is not something we easily come by in this industry, but from an offensive point of view, centralization just means a bigger payoff. Higher walls, maybe, but an ‘easier’ target to zero in on.

So what does this mean? I alluded to it a bit in my previous paragraph, but what it means is more hands on. We need to train the ‘security guards’ of our network and put them at every location where we have a grouping of nodes. The smaller the grouping of nodes the better. VLANs are not enough. I’m going to use the dreaded “Defense in Depth” phrase: we need to make our defense in depth smaller, more compact. Make it to the point where you don’t NEED “Big Iron” because you have such small perimeters that open source stuff on an old *nix box would work just fine. Yes, that’s a bit of an exaggeration, but you get the point.

Every city is different and unique, as is any network, and I am by no means saying that decentralization is for everyone. What I do think is that big organizations are getting too hung up on devices and one-stop shops where they can set up a NOC and expect some number of people to be able to watch everything going on. Exactly the way that corporations lose touch with their employees because of their size, they are losing touch with their network and how it works. How many places have you worked that have a good diagram of nodes (not just subnets) on their network? Much less documentation on those nodes. How exactly are you supposed to centrally monitor something you have very little knowledge of? Will it take as many years as it did with personnel to reconnect with the life of the network? Probably, but I hope not.

As always, I am open to debate and hearing about flaws in my logic, so please leave a comment and tell me what you think.