Tor & disabling IPv6 in Linux

23 06 2012

Install & configure tor / privoxy & proxychains

– Add a new repo

vi /etc/apt/sources.list

deb http://deb.torproject.org/torproject.org lucid main

– Get the key

gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -

– Install

apt-get update
apt-get install tor tor-geoipdb
apt-get install privoxy

– Check privoxy config to make sure listen address is 127.0.0.1:8118 & configure socks4a proxy

vi /etc/privoxy/config

listen-address 127.0.0.1:8118
forward-socks4a / 127.0.0.1:9050 .

– Change keep-alive-timeout & socket-timeout to 600

keep-alive-timeout 600
socket-timeout 600

– Start privoxy

/etc/init.d/privoxy start

– Change your browser to point @ your proxy 127.0.0.1:8118
– Check that you connect over tor

https://check.torproject.org/

– Next up, install proxychains so you can use other tools over tor

apt-get install proxychains

– Verify the following line is in /etc/proxychains.conf

socks4 127.0.0.1 9050

– Remove tor & privoxy from startup (start them manually when you need them)

update-rc.d -f tor remove
update-rc.d -f privoxy remove

– Start them up

service tor start
service privoxy start

– Check it's working – "proxychains <command>"

root@bt:~# netstat -antp | grep LISTEN
tcp        0      0 127.0.0.1:8118          0.0.0.0:*               LISTEN      3569/privoxy
tcp        0      0 127.0.0.1:9050          0.0.0.0:*               LISTEN      3562/tor

root@bt:~# curl -s icanhazip.com
101.171.255.232

root@bt:~# proxychains curl -s icanhazip.com
|S-chain|-<>-127.0.0.1:9050-<><>-174.132.254.58:80-<><>-OK
31.172.30.1

– Have fun, then shut them down when you are done

service privoxy stop
service tor stop
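A quick sanity check for the privoxy config set up above, added here as an example (not from the original post): it reads a privoxy config and passes only when the proxy listens on loopback and forwards every request to tor at 127.0.0.1:9050 via socks4a, so the proxy is never reachable from the LAN and hostname lookups are done by tor rather than locally. The two sample configs are constructed.

```sh
#!/bin/sh
# Constructed sample configs, not the page's /etc/privoxy/config: one weak
# (bound to every interface, no tor forward) and one matching the post.
WEAK_CONF='listen-address 0.0.0.0:8118
keep-alive-timeout 600'
GOOD_CONF='# privoxy config as set up above
listen-address 127.0.0.1:8118
forward-socks4a / 127.0.0.1:9050 .
keep-alive-timeout 600
socket-timeout 600'

# check_privoxy_conf [file]: read a privoxy config (file or stdin) and return 0
# only if it listens on loopback and forwards all URLs ("/") to tor's SOCKS
# port with socks4a, so DNS names are resolved by tor rather than on this box.
check_privoxy_conf() {
    conf=$(sed 's/#.*//' "$@")                     # strip comments
    listen=$(printf '%s\n' "$conf" | awk '$1 == "listen-address" { print $2 }' | tail -n 1)
    fwd=$(printf '%s\n' "$conf" | awk '$1 == "forward-socks4a" && $2 == "/" { print $3 }' | tail -n 1)
    case "$listen" in
        127.0.0.1:*|localhost:*) ;;
        *) echo "FAIL: privoxy listens on '${listen:-nothing}', not loopback" >&2; return 1 ;;
    esac
    if [ "$fwd" != "127.0.0.1:9050" ]; then
        echo "FAIL: no 'forward-socks4a / 127.0.0.1:9050 .' line, traffic would bypass tor" >&2
        return 1
    fi
    echo "OK: privoxy bound to $listen, all requests forwarded to tor via socks4a"
}

# Run against both constructed samples (keep going after the weak one fails).
# On a real box: check_privoxy_conf /etc/privoxy/config
for c in "$WEAK_CONF" "$GOOD_CONF"; do
    printf '%s\n' "$c" | check_privoxy_conf || :
done
```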

– There are many reasons you may not want IPv6 running on your machine (for example, if you were using tor and didn't want IPv6 traffic to go directly to a target instead of via your IPv4 SOCKS proxy)

root@bt:~# vi /etc/sysctl.conf

#disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1

root@bt:~# sysctl -p





Large URL List Processing

9 02 2012

So – a quick detour came to my attention in the form of a list of URLs.

These 680-odd URLs were neatly formatted in a list, and let's say for this exercise that each one pointed to an image.

Now what – copy & paste each one into a browser to see if it works – FAIL.

 

So – using simple CLI-fu I verified the URLs were valid & then created a page embedding them all.

First – run your list through wget to verify it's valid & working

# wget --spider -i urls.txt -T 2 -t 1 -nv -o urls.out

Then just grep for the HTTP 200 OK string out of urls.out

# grep "200 OK" urls.out > urls.out.httpok

Then tack on the HTML code so you can browse them all at once

# cat urls.out.httpok | awk '{print "<img width=\"200px\" src=\""$4"\" />"}' > urls.htm

Then simply fire it up in your favourite browser

# firefox urls.htm
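The same pipeline as one function, added here as an example rather than the post's own commands: it reads `wget -nv --spider` output, keeps only the `200 OK` lines, and HTML-escapes each URL before wrapping it in an `<img>` tag, because a list of URLs you did not write can carry quotes or angle brackets that would otherwise break out of the `src` attribute when the page is opened in a browser. The sample log lines are constructed.

```sh
#!/bin/sh
# Constructed wget -nv --spider output (not a real urls.out): two live URLs,
# one with a query string, and one dead link.
SAMPLE_LOG='2012-02-09 10:15:01 URL: http://example.com/a.png 200 OK
2012-02-09 10:15:02 URL: http://example.com/b.png?x=1&y=2 200 OK
http://example.com/missing.png:
Remote file does not exist -- broken link!!!'

# html_escape: make stdin safe to place inside a double-quoted HTML attribute.
# & is replaced first so the entities added afterwards are not re-escaped.
html_escape() {
    sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' -e 's/"/\&quot;/g' -e "s/'/\&#39;/g"
}

# urls_to_html: wget log on stdin -> one <img> tag per URL that answered 200 OK.
# Field 4 is the URL ("date time URL: <url> 200 OK"); dead links never match.
urls_to_html() {
    grep ' 200 OK$' |
    awk '{ print $4 }' |
    html_escape |
    awk '{ printf "<img width=\"200px\" src=\"%s\" />\n", $0 }'
}

# Wrap the tags in a minimal document; redirect to urls.htm and open it in a browser
printf '<html><body>\n'
printf '%s\n' "$SAMPLE_LOG" | urls_to_html
printf '</body></html>\n'
```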





PaulDotCom: Archives : Zen and The Art Of An Internal Penetration Testing Program

5 09 2010

Ok Ok …. I know I'm 2 years late to post this as a “new” presentation – but there is some interesting & valuable info in here about pentesting your internal network. It starts out pretty high level, but is a nicely rounded overview of the reasons, methods & tools you can use to penetration test your network. Hosted by Core Security & presented by Paul Asadoorian from PaulDotCom.

Part1:

• Phase I – Target identification
• Phase II – Detect OS & Services
• Phase III – Identify Vulnerabilities

Part2:

• Phase IV – Exploitation
• Phase V – Post-Exploitation
• Phase VI – Reporting

Part 1 has some great grounding information in penetration testing, with examples for several tools (nmap, nessus, nbtscan etc) and also ways to link them together, e.g. run an nmap scan across the network to identify Windows hosts listening on 445, use the nmap scripting engine to determine if they are vulnerable – and then use that list of hosts in nessus or metasploit etc.

Part 2 contains more information on why you should exploit a machine, how to exploit it etc, using both Metasploit & Core Impact. Some useful info on tasks to perform once you have compromised a host – automated info gathering, looking for sensitive data, gathering screenshots, video, sound recordings etc etc. This segment ends with some good tips on how to report this information to management, then some Q&A.

There is some great info in here; it's worth a look.

Part 1:

This webcast is Part I of a two part series I am doing in collaboration with Core Security Technologies. The presentation is full of tips, tricks, process, and practical knowledge about performing penetration testing within your own organization. Whether you are a third-party doing penetration tests or want to penetration test your internal network, this webcast is for you! In Part I I cover such topics as finding rogue access points, processes for creating a successful penetration testing program, identifying targets, and more! Information and resources are below:

via PaulDotCom: Archives.

===OR===

Zen and the Art of an Internal Penetration Testing Program Part I with Paul Asadoorian
Recording date: Wednesday, November 19, 2008 3:00 pm Eastern Standard Time (New York, GMT-05:00)
Panelist Information: Paul Asadoorian of PaulDotCom Security Weekly
Duration: 1 hour 9 minutes
Description:

Please join Core Security and Paul Asadoorian, founder of PaulDotCom Security Weekly, for a live webcast: “Zen and the Art of Maintaining an Internal Penetration Testing Program.”

During this webcast, Asadoorian will offer tips on successfully integrating penetration testing into your vulnerability management program. You’ll learn:

* How to determine if internal penetration testing is right for your organization
* What questions you should ask when planning a pen testing initiative
* How you can best pitch testing to other departments and gain permission from management
* What types of tests to run and how to address the process of dealing with compromised devices
* Which tips and tricks can help you carry out faster, more effective testing

Whether you’re considering rolling out an internal penetration testing program or need a refresher of best practices for your current testing initiatives, this webcast is sure to be time well-spent.

via Core Security: Recorded webcast

Part 2:

During the webcast, Paul Asadoorian of PaulDotCom Security Weekly will discuss best practices for automating your security testing initiatives. You’ll learn tips and tricks for tying vulnerability scanning, penetration testing and reporting into an efficient, repeatable testing process. Paul will demonstrate techniques for vulnerability identification and exploitation, including:

• Importing Nmap data into Nessus
• Using Nessus, and running nessuscmd to automate vulnerability scanning
• Importing results into Metasploit
• Running msfcli to automate penetration testing
• Importing Nmap & Nessus results into CORE IMPACT Pro
• Using Python to script tasks on compromised hosts with CORE IMPACT Pro

You’ll also get answers to questions such as, “How do I integrate password cracking into my testing?” and “What should I do once a host is compromised during a test?”

via Core Security: Recorded webcast





HttpWatch: Overview

5 09 2010

I just want to share a nice little tool I have been using to troubleshoot web page load times, and also as an easy way to see all the components of a loaded page without having to view source. You can simply load up the plugin, hit record, go to the website & you get a breakdown of each object, the time it takes to load and the link for it. It makes calls like “my internet is slow” easier to measure. It's free (for the basic version) and I find it very useful. Check it out. – HttpWatch

HttpWatch integrates with Internet Explorer and Firefox browsers to show you exactly what HTTP traffic is triggered when you access a web page. If you access a site that uses secure HTTPS connections, HttpWatch automatically displays the decrypted form of the network traffic.

Screenshot of HttpWatch

Conventional network monitoring tools just display low level data captured from the network. In contrast, HttpWatch has been optimized for displaying HTTP traffic and allows you to quickly see the values of headers, cookies, query strings and more…

HttpWatch also supports non-interactive examination of HTTP data. When log files are saved, a complete record of the HTTP traffic is saved in a compact file. You can even examine log files that your customers and suppliers have recorded using the free Basic Edition.

via HttpWatch: Overview.





web page speed test & recon

23 07 2010

I was looking for tools to test webpage load speeds, and found these ones from pingdom & site-perf. I use pingdom for monitoring uptimes & it's great; it emails me once a month with a summary of downtimes.

These tools test website load times, which is cool – but it also gives you a visual of each object loaded, its size & speed – this is VERY useful when investigating pages – showing all the objects (javascripts / css / images etc).

These ones might prove useful in recon of publicly accessible websites & also for testing access to pages you manage.

How it works

Response time example

The Full Page Test loads a complete HTML page including all objects (images, CSS, JavaScripts, RSS, Flash and frames/iframes). It mimics the way a page is loaded in a web browser.

The load time of all objects is shown visually with time bars.

You can view the list of objects either in load order or as a hierarchy. The hierarchy view allows you to see which objects are linked to in for example a CSS file.

Every test also shows general statistics about the loaded page such as the total number of objects, total load time, and size including all objects.

Note: This version doesn’t load objects included in JavaScripts. We have also put a limit on the number and size of the objects that are loaded (to prevent the tool from downloading movies, for example).

via Pingdom Tools Full Page Test.

With Site-Perf.com, you get an accurate, realistic, and helpful estimation of your site’s loading speed. The script fully emulates natural browser behaviour downloading your page with all the images, CSS, JS and other files – just like a regular user. Spot bottlenecks, reach perfect performance and balance your site load with Site-Perf.com, a smart and flexible testing tool. Focus on important things while Site-Perf.com delivers the speed facts straight to your screen. Try it right now!

via Site-Perf.com – Know all about your site performance.





Antimeter: Detect & Kill Metasploit Meterpreter! — PenTestIT

9 07 2010

Antimeter is a very useful tool for internal security administrators, who can scan their systems for meterpreter session remains after they have successfully exploited any system with Metasploit.

Today most of the penetration testers who can not afford heavily paid security software use Metasploit for penetration testing. A couple of days back, the latest version of Metasploit was released. As most of these tools work or exploit in memory of the target system, after a successful exploitation it is necessary to clean the system. In such situations antimeter comes in handy. Also, you could use it on an important production server to check for any meterpreter shells and kill them if detected.

via Antimeter: Detect & Kill Metasploit Meterpreter! — PenTestIT.





nmap scripting engine

10 06 2010

An interesting tidbit of information that I was recently shown – figured it was too good not to share.

Quoted from http://nmap.org/book/nse.html:

“The Nmap Scripting Engine (NSE) is one of Nmap’s most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs.”

Details of the scripts are here: http://nmap.org/nsedoc/

Example uses:

banner grabbing
http://nmap.org/nsedoc/scripts/banner.html
Download: http://nmap.org/svn/scripts/banner.nse

User Summary

A simple banner grabber which connects to an open TCP port and prints out anything sent by the listening service within five seconds.

The banner will be truncated to fit into a single line, but an extra line may be printed for every increase in the level of verbosity requested on the command line.
Example Usage

nmap -sV --script=banner <target>

Script Output

21/tcp open ftp
|_ banner: 220 FTP version 1.0\x0D\x0A

smb-check-vulns
http://nmap.org/nsedoc/scripts/smb-check-vulns.html
Download: http://nmap.org/svn/scripts/smb-check-vulns.nse

User Summary

Check for vulnerabilities:

* MS08-067, a Windows RPC vulnerability
* Conficker, an infection by the Conficker worm
* Unnamed regsvc DoS, a denial-of-service vulnerability I accidentally found in Windows 2000
* SMBv2 exploit (CVE-2009-3103, Microsoft Security Advisory 975497)

WARNING: These checks are dangerous, and are very likely to bring down a server. These should not be run in a production environment unless you (and, more importantly, the business) understand the risks!

Example Usage

nmap --script smb-check-vulns.nse -p445 <host>
sudo nmap -sU -sS --script smb-check-vulns.nse -p U:137,T:139 <host>

Script Output

Host script results:
| smb-check-vulns:
| | MS08-067: NOT VULNERABLE
| | Conficker: Likely CLEAN
| | regsvc DoS: NOT VULNERABLE
|_ |_ SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE

smb-enum-shares
http://nmap.org/nsedoc/scripts/smb-enum-shares.html
Download: http://nmap.org/svn/scripts/smb-enum-shares.nse

User Summary

Attempts to list shares using the srvsvc.NetShareEnumAll MSRPC function and retrieve more information about them using srvsvc.NetShareGetInfo. If access to those functions is denied, a list of common share names are checked.

Example Usage

nmap --script smb-enum-shares.nse -p445 <host>
sudo nmap -sU -sS --script smb-enum-shares.nse -p U:137,T:139 <host>

Script Output

Host script results:
| smb-enum-shares:
| | ADMIN$
| | | Type: STYPE_DISKTREE_HIDDEN
| | | Comment: Remote Admin
| | | Users: 0, Max: <unlimited>
| | | Path: C:\WINNT
| | | Anonymous access: <none>
| | |_ Current user ('administrator') access: READ/WRITE
| | C$
| | | Type: STYPE_DISKTREE_HIDDEN
| | | Comment: Default share
| | | Users: 0, Max: <unlimited>
| | | Path: C:\
| | | Anonymous access: <none>
| | |_ Current user ('administrator') access: READ
| | IPC$
| | | Type: STYPE_IPC_HIDDEN
| | | Comment: Remote IPC
| | | Users: 1, Max: <unlimited>
| | | Path:
| | | Anonymous access: READ <not a file share>
|_ |_ |_ Current user ('administrator') access: READ <not a file share>
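For the defender reading the smb-enum-shares output above, here is an added example (not part of the original post or of nmap) that walks that output and reports every disk share reachable anonymously, so exposed shares can be located and locked down. The sample output is constructed in the same layout as above, with one extra open share added.

```sh
#!/bin/sh
# Constructed nmap output in the smb-enum-shares layout shown above, plus a
# "Public" disk share that anonymous users can write to.
SAMPLE='Host script results:
| smb-enum-shares:
| | ADMIN$
| | | Type: STYPE_DISKTREE_HIDDEN
| | | Comment: Remote Admin
| | | Anonymous access: <none>
| | |_ Current user (administrator) access: READ/WRITE
| | IPC$
| | | Type: STYPE_IPC_HIDDEN
| | | Anonymous access: READ <not a file share>
| | |_ Current user (administrator) access: READ <not a file share>
| | Public
| | | Type: STYPE_DISKTREE
| | | Comment: Drop folder
| | | Anonymous access: READ/WRITE
|_ |_ |_ Current user (administrator) access: READ/WRITE'

# anon_disk_shares: nmap normal output on stdin -> "share: access" for every
# STYPE_DISKTREE* share whose anonymous access is anything but <none>.
# Share names sit at depth two ("| | NAME"); their attributes follow at depth three.
# IPC$ is skipped on purpose: anonymous READ on the IPC pipe is not a file share.
anon_disk_shares() {
    awk '
        /^\| \| [^| ]/      { share = $3; type = "" }
        /^\| \| \| Type:/   { type = $NF }
        /Anonymous access:/ {
            sub(/.*Anonymous access: */, "")
            if (type ~ /^STYPE_DISKTREE/ && $0 != "<none>") print share ": " $0
        }'
}

# On a real scan: nmap --script smb-enum-shares.nse -p445 <host> -oN scan.txt; anon_disk_shares < scan.txt
printf '%s\n' "$SAMPLE" | anon_disk_shares
```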