Room362.com

Blatherings of a security addict.

Metasploit Across the Net

Metasploit is awesome, but some don’t know that there are updates all the time via SVN, and even fewer know of places to get good non-SVN modules / scripts. Here are a few of my favorites:

— newly added, check out the CookieMonster script and a host of others:

And of course: http://carnal0wnage.blogspot.com/

Ear Trumpet

I have had the idea for this app for a long time, expressed it a few times, but never really pushed, and I am sure that I am not the only one who has thought of or wanted an app like Ear Trumpet by Robin Wood. Well, on Jan 21st Sam Buhlig posted to the PaulDotCom mailing list asking for an app to test a firewall that would answer on all ports. A great discussion spawned off and a couple of guys (Dimitrios Kapsalis and Robin Wood) started work on it.

So what is Ear Trumpet? It’s a server/client app, much like Cain and Abel. Each piece has one very simple task: Ear listens on all TCP ports on the server, and Trumpet tries to reach it on all TCP ports. That’s it.

What does that do for me? Well, here are two instances where it could be useful:

  • As a Firewall / Perimeter Technician, use it to test whether all of your firewall rules are working properly so that no one can get through. (Outside in: Ear internal, Trumpet external.)

  • As a Penetration Tester, use it to find exfiltration points, ways out of the network. (Inside out: Ear external, Trumpet internal.) You could even put Trumpet on multiple computers in this instance and see which systems have different access out. There are sleep methods plugged into Trumpet to allow you to stay under the radar.

What can you use it for? Simple programs like this always have a million uses. Comment with your idea.
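To make the Ear/Trumpet split concrete, here is a small Python sketch added to this post; it is an illustration, not Robin Wood’s code. Ear binds listeners on a set of ports, Trumpet probes each port and classifies the answer (open, refused, or filtered), and a report compares what was reached against the ports the firewall rules are supposed to allow. It runs against loopback only; the port choices, the free_port() helper and the function names are assumptions for the demo.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

def start_ear(ports, host="127.0.0.1"):
    """Ear side: bind a listening TCP socket on every requested port (0 = any free
    port). Returns {actual_port: socket}; release them with stop_ear()."""
    listeners = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        s.listen(16)  # the kernel finishes the handshake from the backlog; no accept() needed
        listeners[s.getsockname()[1]] = s
    return listeners

def stop_ear(listeners):
    for s in listeners.values():
        s.close()

def free_port(host="127.0.0.1"):
    """Demo helper (not part of Ear Trumpet): bind and release an OS-assigned port
    so we have one that is almost certainly not listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]

def trumpet(host, ports, timeout=0.5, workers=64):
    """Trumpet side: try a TCP connect to each port and classify the answer."""
    def probe(port):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                return port, "open"       # handshake completed: a path exists
            except ConnectionRefusedError:
                return port, "refused"    # RST came back: reachable, nothing listening
            except OSError:
                return port, "filtered"   # no answer: dropped by a firewall or unreachable
    results = {"open": [], "refused": [], "filtered": []}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for port, state in pool.map(probe, ports):
            results[state].append(port)
    return {k: sorted(v) for k, v in results.items()}

def firewall_report(expected_open, results):
    """Reachable-but-unexpected ports are rule gaps; expected-but-unreachable are blocked."""
    reached = set(results["open"])
    return {"unexpected_open": sorted(reached - set(expected_open)),
            "blocked": sorted(set(expected_open) - reached)}
```

In the real deployment Ear and Trumpet sit on opposite sides of the firewall and the port list is the full 1-65535 range; the classification of "refused" versus "filtered" is what tells you whether a rule dropped the packet or the host simply had nothing listening.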

Bob Stories - Airport Boredom

I registered Bobstories.com after listening to PaulDotCom for a while. I have always told stories of this manner, but never quite put a name to “my friend”. Now that he has a name, it is only fitting that he has a domain and a blog. Please, come, register under the name bob_#### with a mailinator address to match, or your own name and email address if you wish. I’ll moderate all posts simply for spam purposes and have them up post haste. So to start things off, here is my Bob story:

Bob and I were hanging out at an airport waiting for our flights. He was headed to Kenya and I to Canada. Being the evil guy that Bob is, he whipped out his DD-WRT Fonera router, hooked it up to his laptop, turned on internet sharing and shared out his tethered internet connection to his ethernet port, and connected the other end to his Fon. He then proceeded to boot up his BT3 VM and attach his USB Alfa to it. Connecting to the WPA AP portion of his Fon, he configured the other virtual wireless interface for “Free Public Wireless” and pulled a DHCP address from his laptop for the WAN port. Disconnecting the Alfa, he proceeded to start using it to mass deauth the other APs in the area. Leaving that to go, he spun up dsniff, wifizoo, Cain and Abel, and ettercap listening on the ‘VMware bridged ethernet’.

And of course being the ethical person that I am, I proceeded to pressure Bob until he finally dumped the logs right before his flight left.

We parted ways and I haven’t seen him since. Is Bob in your city/town/country? Register on Bobstories.com and tell us what evil thing he did today.

Offensive Security Certified Professional

I recently obtained the status of Offensive Security Certified Professional. It is one of the best courses I have ever taken. It challenged me to think and learn new skills on the fly. You start the course with a bunch of video files, a huge PDF and an lzm file to get your VPN set up. It is self-paced and intense. The topics cover everything from Back|Track basics to the HXDEF rootkit.

Here is the problem: you can’t get a job with it. I know that seems shallow, but let me explain. As I see it there are basically 3 types of certifications, or for that matter education in general, that you can go through. The first gets you a job. The second teaches you something. The third is good for you or fun. This course is fun but more so falls in the ‘teaches you something’ category. The CISSP, on the other hand, helps you get a job, but I’ll hold that topic for another post.

Well, the Offensive Security 101 course (which leads to the OSCP test) is not quite on the radar of any recruiters, or for that matter companies, yet. Which is truly a shame. Unlike the CISSP and almost every other certification that I know of or have heard of via a 3rd party, this cert makes you “try harder”. And all of the pain ends in a 24 hour marathon of hacking, where you would be an idiot not to use every second of it.

I have been a huge supporter of Back|Track for ages, and they have really shifted my thinking on certifications by providing the Offsec 101 course. I can’t wait to take their other courses, Wi-Fu and Back|Track to the Max (during which, I am told, my mind will melt). They also have some instructor-led training so you can get one on one with Muts or one of the other crazy brains behind OFFENSIVE SECURITY.

You can sign up for classes via their website: http://offensive-security.com/training.php

Also check out some of their videos here: http://offensive-security.com/videos.php

Update: Back|Track to the Max is now named: Cracking the Perimeter which ends in your OSCE (Offensive Security Certified Expert) exam.

Retractions - Web App and SAMBA

First: Using SAMBA to crack Unix passwords

Theory: You compromise a Unix host during a pentest and grab /etc/shadow and /etc/passwd. You take the entries for root in both and drop them into a Unix host that you control that is set up with SAMBA to sync authentication. You then use Windows methods to extract the LM/NTLM hash from SAMBA.

Problem: SAMBA doesn’t cache the LM/NTLM hash until the correct one is passed to it. I’m still not sure how SAMBA uses the *nix hashes so there still may be a vulnerability there, but I don’t think there is any research there yet. And I don’t have the cryptographic mind to figure it out.

Second: Random Thoughts – Web App Hacking

Theory: Prepopulating a hidden upload field through SQLi or other methods of altering a site

Problem: The DOM does not allow this to happen; however, as far as I know, that does not rule out Flash or VBScript. Please comment and correct me if I am wrong.

Full Disclosure Gets Dusted Off

The Full Disclosure mailing list has a long and illustrious past. It has played host to everything from zero days to politics. One thing that has rung true for a number of years, if not since its inception, is that it is unregulated (save spam, of course). However, in recent months it has fallen prey to less and less technical discussion, and more bickering, name calling, and outright trolling.

The reason for this post is to let everyone who has unsubscribed know that a change is coming. A bit of “spring cleaning” of sorts. Please see the following FD post for the dirt:

Post 960 – 2009

So get back on, the wild west has been cleared. Sign up here: https://lists.grok.org.uk/mailman/listinfo/full-disclosure

TiVo for the Economically Unstimulated

TiVo and DVRs in general have brought TV watching a long way. Some of the innovations that have come of it have made the TV experience better.  Commercial skipping is my own personal favorite. But some of the other features are pausing, rewinding, and fast forwarding (after you are behind a bit obviously) and finally recording. 

Now, recording live TV is nothing new. People have done it since VCRs were invented, and I’m sure much before then. But the problem, from back in the day all the way up to the most updated TiVo, is that you, the user, have to remember to set it up to record, and if you missed an episode, you’re SOL.

In comes torrenting. Usually it’s a bad word on the Internet and on the news, so I will make my disclaimer here. I am not a lawyer, nor do I know the laws surrounding what I am about to describe. Use at your own discretion.

Using your favorite torrent search engine (mine is http://www.scrapetorrent.com/) you can find every episode of every show you could ever imagine, even some of the more obscure ones. However, we run into the same problem: you, the user, have to know when a new episode is out, hunt it down, and download it.

This is where TVRss (http://www.tvrss.net/) shines and makes your life easy. TVRss is a website that serves up RSS feeds for a huge list of shows. You might not find some of the more obscure shows, like you would doing a naked torrent search, but they have most of them.

So where do all the pieces fit together? TVRss + uTorrent (or your favorite RSS supporting torrenting program) + your favorite media server/client of choice and you have a free TiVo killer.

Lifehacker has a tutorial on getting this running working with Democracy: http://lifehacker.com/204057/

I will post screenshots here later.

Podcasters Meetup at ShmooCon

More information can be found at http://www.podcastersmeetup.com/

But here is the down and dirty: 

Our confirmed sponsors so far this year are HP, Sunbelt Software, DojoSec, and TheAcademyPro / TheAcademyHome.

The following podcasts will be making an appearance:

And the schedule goes as such:

  • 1700 – 1800 – Meet and greet, and setup (Everyone involved in the live event please show up as close to this start time as possible)
  • 1800 – 1900 – Live Show (This will probably go over time)
  • 1900 – 1930 – Book signing and transition time
  • 1930 – 2030 – FireTalks (more below)
  • 2030 – 0400 – Food and Drinks on us at a local spot. (We are fielding a couple of options right now, but nothing is locked down yet.)

Plus a new event: FireTalks. Check out the site for more details.

Podcaster’s Meetup @ ShmooCon Update 1

Sponsors:

We have had a lot of great response for everyone on this year’s event! I want to reiterate, this event is for podcasters, bloggers, twitter addicts, and everyone in between. I would also like to announce an update to our sponsor’s lineup:

TheAcademyPro.com / TheAcademyHome.com

These are twin sites serving videos to the security pro looking to learn about everything from enterprise gear to Maltego, and to the home user trying to start learning about security and how to secure their own computers without going to you, the IT guy in the family.

DojoSec

A conference in Columbia, Maryland that is geared towards education of the beginner to intermediate hacker / security guru. It is a monthly conference with perpetual call-for-papers.

Hewlett-Packard

No introduction needed; they are the maker of the fabled HP 2133, the hacker’s choice ‘netbook’ (and we may just be giving one away).

Sunbelt Software

Makers of VIPRE, the low-resource AV, and the CWSandbox malware analyzer.

Trusted Signal

Trusted Signal is a vendor-independent provider of information security solutions, expert services and training. Look forward to some awesome prizes and giveaways this year!

The Lineup:

The podcasts that we have heard back from as attending:

  • Hak5
  • PaulDotCom
  • CyberSpeak
  • Securabit
  • Security Justice
  • SploitCast
  • Unpersons
  • Phone Losers of America
  • SMBMinute

The Schedule:

(Until ShmooCon’s final schedule is posted, this is floating.) FRIDAY NIGHT

  • 1700 – 1800 – Meet and greet, and setup (Everyone involved in the live event please show up as close to this start time as possible)
  • 1800 – 1900 – Live Show (This will probably go over time)
  • 1900 – 1930 – Book signing and transition time
  • 1930 – 2030 – FireTalks (more below)
  • 2030 – 0400 – Food and Drinks on us at a local spot. (We are fielding a couple of options right now, but nothing is locked down yet.)

FireTalks:

Have a talk that didn’t get accepted? Want the chance to share a project that you are working on? Think of FireTalks as a verbal blog post. The human experience is built on the ability to tell and learn from stories. At ShmooCon 2009, “FireTalks” is a supportive environment in which to either share insights or learn from others. Whether polishing a presentation (story) for conferences, meetings or training, FireTalks are the way to share, learn and improve. The inaugural FireTalks take place Friday night, following the Podcasters Meetup. Talks are limited to 10-15 minutes, with four (4) scheduled talks and four (4) open slots. Open slots will be filled on a first come, first served basis. Saturday night will be more relaxed. Come join us and present, listen and learn.

When: Friday and Saturday Night at ShmooCon ‘09

Where: ShmooCon 2009, in or around the press room

The list of prizes will be posted as they materialize. Keep up with http://www.podcastersmeetup.com/ for the details. If you have any questions at all, please feel free to shoot me an email. Looking forward to seeing y’all at the Wardman Park, Feb 6-8.

Maltego 2 and Beyond - Part 3

Table of Contents:

Today we are taking a brief step outside of Maltego and at the end we’ll show how you can use what you have learned to take Maltego to another level. So, without further ado:

The Human Factor is why we all still have jobs in the security world. It is impossible for machines in this day and age to make logical leaps of faith. Yes, there is fuzzy logic, but the human brain still trumps computers at instinctively making those leaps. Instinct: that word describes the whole reason for this part in the series. Just as a PI uses his gut to lead him down the right trail, as an OSINT (Open Source Intelligence) specialist you have to use your instincts to guide your investigation as well. The following paragraphs will describe my own method of making those leaps. If you disagree or have better methods, please comment below so that others can learn as well.

What is a logical leap of faith? Well, most pentesters make one daily if not hourly, when they assume a cracked password is going to work in other places. It’s all about betting on standards. A standard in this sense is anything that has become commonplace, not necessarily a written rule, though those are good too. Dan Geer ‘left’ @Stake when he and other thought leaders in the security community published a paper back in 2003:

Cyber _In_Security: The Cost of Monopoly [PDF]

Archived Link: http://pdf.textfiles.com/academics/cyberinsecurity.pdf

Dan Geer

I was originally planning on making this article full of examples of how you can make these leaps, but I have had a lot of time to think about these examples and have decided against it. To practice this method you must use your own experiences. Where do people do the same thing? Think about it. I’m sure you can come up with at least a dozen examples where even you do the same thing across the board… Ok, so I can’t resist. Using the same password or username on different sites. Seeing a User Agent that has been concatenated by a proxy. The router being .1 or .2. Using full class C networks. Always adding the same core friends or co-workers to every social networking site. What about referencing the same ‘fictitious’ bank when describing a problem with that bank? What examples have you come up with?

How do you pull this out-of-the-box thinking into Maltego? When entering an email for an entity, try putting it in under different domains (yahoo.com, aol.com, gmail.com, google.com, hotmail.com). When entering a domain, try putting it in under different TLDs (.net, .org, .tv). You might be surprised at the gems you find in those forgotten pieces of information. This all falls back on my mantra that you should put in ALL of the information you have (and can estimate) before you even start running transforms.

Maltego is a tool that can only take you so far. Your creativity is what makes a tool like this powerful.