How-to’s « Security related discussions, articles, and tutorials

Backtrack 5, Metasploit, and PostgreSQL

Backtrack 5 ships with some very nice features; in this post I will be discussing Metasploit and PostgreSQL. BT5 ships with Metasploit and PostgreSQL out of the box, which means that postgres is already running within BT5. One thing to note here is that you may need to install the postgres gem and specify the db_driver within msf. I installed the gem using Ruby version 1.8.7; I get errors installing the postgres gem using Ruby version 1.9.2_dev. There are some very nice how-to's for this over at the BT5 forums.

Update 6/1/2011 – MSF does not contain any postgres drivers if launched from '/pentest/exploits/framework3'; however, if launched from your PATH then the drivers are available and PostgreSQL is initialized and connected. Note that it is not running on the default TCP port 5432; instead postgres is listening on localhost:7175. A quick 'netstat -antp | grep 7175' will show whether any service is listening on that port.

But if we try to stop the postgres service using /etc/init.d/postgresql-8.4 stop, we get no luck: there is no service called postgresql-8.4. Hmm, let's display all services with the 'service --status-all' command. We see the following, which indicates that the PostgreSQL installation is tied to msf by default within BT5. As we can see, this service is called 'framework-postgres'. NICE =)

What does this mean? It means we know the service name, so we can start and stop the service, disable auto-run at boot time, and we know that the installation of postgres is associated primarily with Metasploit. But hey, the postgres config files are not in their default location. Well ok, let's find where they are. Let's start with where Metasploit is installed. The 'framework3' directory within '/pentest/exploits/' is a symbolic link to '/opt/framework3/msf3'. Therefore, we look inside these directories and see a postgresql directory within '/opt/framework3'. However, if we start Metasploit and try to connect to the database with the user and password 'root:toor', we get an authentication error. So what is the user and password combo used?

After going through some of the directories within '/opt/framework3', I find an interesting directory called config which has a file named 'database.yml' in it. Let's cat the contents of the file and see what it tells us. As we can see from the screenshot below, it tells us the username and password. Nice info. However, instead of specifying the username and password every time we connect msf to the PostgreSQL database, we can use the 'db_connect' command with the database.yml file.

As we can see, we have a username of msf and a randomly generated password.  I am running a few different BT5 virtual machines and each one has a different password.  Nice.  Now to connect msf to the database we just use the db_connect command with the right syntax to use the yml file, with the absolute path to the file specified.

Now we are in business.  I figured I would do a little write-up on this since I have not seen a lot of documentation for this anywhere, hope you enjoy.  To be honest I am finding more and more very nice features the BT5 developers introduced.  Nice work.
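To show the connection pieces end to end, here is an added example (mine, not code from Backtrack or Metasploit) that parses a database.yml in the layout described above and prints the equivalent db_connect line. It assumes the Rails-style file layout (an environment name, then indented key: value pairs) with a 'production' section; the sample file, the database name msf3 and the password are constructed stand-ins. On a real BT5 box the file is read directly with 'db_connect -y /opt/framework3/config/database.yml' inside msfconsole.

```python
"""Read Metasploit's database.yml and build the matching db_connect command.

Added example for this post, not Backtrack 5 or Metasploit code. It handles the
Rails-style layout of /opt/framework3/config/database.yml (an environment name,
then indented key: value pairs) without PyYAML; YAML anchors and '<<' merges are
not resolved, so each environment is expected to be spelled out in full."""

import socket

# Constructed sample in the shape the post describes. The database names, the
# passwords and the development block are stand-ins, not values from a BT5 box.
SAMPLE_DATABASE_YML = """\
development:
  adapter: postgresql
  database: msf3dev
  username: msf
  password: CHANGEME-dev
  host: localhost
  port: 7175

production:
  adapter: postgresql
  database: msf3
  username: msf
  password: CHANGEME-random-per-install
  host: localhost
  port: 7175
"""


def parse_database_yml(text):
    """Return {environment: {key: value}} for the flat two-level subset of YAML."""
    config = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith('#'):
            continue                                   # blank or comment line
        if not raw[0].isspace():
            current = raw.split(':', 1)[0].strip()     # "production:" starts a section
            config[current] = {}
        elif current is not None and ':' in raw:
            key, value = raw.strip().split(':', 1)
            config[current][key.strip()] = value.strip().strip('"\'')
    return config


def db_connect_command(config, environment='production'):
    """msfconsole line equivalent to 'db_connect -y database.yml' for one environment."""
    db = config[environment]
    return 'db_connect %s:%s@%s:%s/%s' % (db['username'], db['password'],
                                          db.get('host', 'localhost'),
                                          db.get('port', '5432'), db['database'])


def port_is_listening(host, port, timeout=1.0):
    """Connect-test the configured port: the outside view of 'netstat -antp | grep 7175'."""
    try:
        with socket.create_connection((host, int(port)), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == '__main__':
    cfg = parse_database_yml(SAMPLE_DATABASE_YML)
    prod = cfg['production']
    print(db_connect_command(cfg))
    print('postgres listening on %s:%s: %s' % (prod['host'], prod['port'],
                                               port_is_listening(prod['host'], prod['port'])))
```

The user:password@host:port/database form printed here is the long-hand equivalent of the yml shortcut; the point of reading the file is that the password is randomly generated per install, so you never want to type it by hand.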


Creating a Pentest Virtual Lab Environment

Creating a lab environment gives you the opportunity to explore new technologies, test configurations, test exploitation methods, write scripts, and more. This is why building a lab environment is an imperative task. In this article I will go over building lab environments specific to penetration testing; however, anyone could modify these guidelines and create their own lab. This article is not a definitive guide on how to set up a lab to suit everyone's needs. Instead it is an overview of how to start a penetration testing lab environment.

A lab environment is necessary to learn penetration testing techniques that would be illegal to run against public-facing systems without explicit permission. Setting up a private environment of your own in which you can launch any attack, tool or exploit and do whatever you like is essential to the learning process, plus it is a lot of fun. Another reason for a pentest lab is that if you are tasked with a penetration test for a client and are unfamiliar with an exploit that one of their systems may be vulnerable to, you can set up a test system that mirrors the client's configuration to the best of your knowledge, and test and/or rewrite the exploit to make sure it behaves as described. On another note, I personally like to rewrite all exploits that are not directly ported into an exploit framework. This assures that the exploit does exactly what I want it to, and it gives me peace of mind to know what the shellcode within the exploit does. However, this is out of the scope of this article.

The lab can be small or large, but it gives you the ability to run multiple operating systems, configurations and software to test against. Virtualization makes an excellent lab environment and cuts down on the need for a lot of hardware. There are many virtualization solutions on the market today; in my opinion VMware products are the best. I may be biased since I started with VMware, and all of my labs are set up within VMware, so this article will focus on VMware technology.

Depending on your setup, at a minimum you should have a dedicated box, or, if you don't want to go the dedicated route, the desktop or laptop running your lab should be able to run 2-3 virtual machines concurrently without degrading the performance of your system to the point of being inoperable. Within my lab environments I have two dedicated servers, each with 12GB of RAM, running VMware ESXi 3.5 and 4.0. However, you do not need a setup like this if you just want to set up a couple of virtual machines to get started with and test against. I have a VMware Workstation lab on my desktop as well, with 8GB of RAM. Additionally, since I travel a lot, I installed 8GB of RAM in my laptop so I can test against VMs locally if needed while at a client site or in a hotel room.

That being said, I suggest you start off with VMware Workstation or Server. Workstation is much more robust than VMware Server; however, it is not free like VMware Server. It is up to you which virtualization platform you want to run. If you are a student, VMware offers educational discounts for Workstation and Fusion (if you have a Mac).

VMware Workstation and Fusion also give you the ability to choose what kind of networking to enable for each guest. There are three default options: bridged, NAT and host-only. Here are high-level definitions of the three (for more information read the VMware documentation):

Bridged Networking – assigns the guest an IP address on the physical LAN the host is on.

NAT – uses network address translation to give the guest a NATed IP address which can reach your LAN and the Internet through your host's connection.

Host-only – assigns the guest an IP address that is only reachable from the host system. Host-only basically sandboxes the network to your host: the guest will not be able to reach the Internet or any resources on the LAN the host is on.

This is good since it gives you many options for your host. However, I highly suggest sticking with host-only when running exploits or testing malware within your lab environment. This will restrict the exploits to a sandboxed network and the exploit or malware will not have the ability to access resources on your production LAN.
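Before detonating malware or firing exploits, it is worth checking every guest's configuration rather than trusting what you remember setting. The following is an added example (mine, not VMware tooling) that audits .vmx files for adapters that are not host-only. It assumes the documented .vmx key/value layout (ethernetN.present and ethernetN.connectionType with the values bridged, nat, hostonly or custom); the two sample VMs are constructed, and an enabled adapter with no connectionType is reported as not isolated because the default is not host-only.

```python
"""Audit VMware .vmx files for network adapters that are not host-only.

Added example for this post, not VMware's tooling. It assumes the .vmx
key = "value" layout with ethernetN.present / ethernetN.connectionType keys
(values: bridged, nat, hostonly, custom). An enabled adapter whose
connectionType is missing is flagged as 'unset': fail closed, since the
default mode is not host-only."""

import re

# Constructed sample: one guest correctly isolated, one with a second NIC bridged
# to the physical LAN, which would let an exploit or malware reach production.
SAMPLE_VMX_FILES = {
    'victim-xp-sp2.vmx': '''\
.encoding = "UTF-8"
config.version = "8"
displayName = "victim-xp-sp2"
ethernet0.present = "TRUE"
ethernet0.connectionType = "hostonly"
ethernet0.virtualDev = "e1000"
''',
    'attacker-bt4.vmx': '''\
.encoding = "UTF-8"
displayName = "attacker-bt4"
ethernet0.present = "TRUE"
ethernet0.connectionType = "hostonly"
ethernet1.present = "TRUE"
ethernet1.connectionType = "bridged"
ethernet2.present = "FALSE"
ethernet2.connectionType = "nat"
''',
}

VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Return the .vmx key/value pairs; keys are lower-cased since VMware treats them case-insensitively."""
    settings = {}
    for line in text.splitlines():
        match = VMX_LINE.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2)
    return settings


def non_isolated_adapters(settings):
    """List (adapter, connectionType) for adapters that can reach beyond the host.

    Only an explicit present = "FALSE" excuses an adapter; anything else is
    treated as enabled so the audit errs toward reporting."""
    findings = []
    adapters = sorted({key.split('.')[0] for key in settings if key.startswith('ethernet')})
    for adapter in adapters:
        if settings.get(adapter + '.present', 'TRUE').upper() == 'FALSE':
            continue
        mode = settings.get(adapter + '.connectiontype', 'unset').lower()
        if mode != 'hostonly':
            findings.append((adapter, mode))
    return findings


def audit(vmx_files):
    """Map file name to findings for every .vmx that has a non-host-only adapter."""
    report = {}
    for name, text in vmx_files.items():
        findings = non_isolated_adapters(parse_vmx(text))
        if findings:
            report[name] = findings
    return report


if __name__ == '__main__':
    for name, findings in audit(SAMPLE_VMX_FILES).items():
        for adapter, mode in findings:
            print('%s: %s is %s, not hostonly' % (name, adapter, mode))
```

Point it at the .vmx files under your VM directory (read each file into the dict in place of the constructed sample) and run it before a malware or exploit session; a clean run prints nothing.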

Another thing to consider is where to get ISO images of the operating systems you want to install to play with or test against. For Microsoft builds this can be costly; however, I suggest a TechNet Professional subscription, which allows you to download Microsoft operating system ISOs for development and testing purposes. Additionally, you will want a variety of VMs set up to test different exploits and tools against. At the least, set up the following victim machines within your lab environment:

Windows XP SP2
Windows XP SP3
Windows Vista
Windows 7
Windows Server 2003
Windows Server 2008
Server 2008 R2
Several Linux flavors (I like Ubuntu and CentOS)
pfSense or m0n0wall firewall (optional)
BT4, and soon BT5 (attacker)

This will give you many targets within your environment to test against, as well as an attacking box. I love BackTrack, and the people who make the BackTrack Linux distribution possible do a phenomenal job. BackTrack is my preferred attacking box within my lab and while conducting real-life penetration tests. It is highly recommended since it comes with the majority of the tools you will need to learn and get to know intimately pre-installed.

Once you have all of your victim machines set up, I highly suggest you make clones and snapshots of them; this will enable you to revert the systems if they get hosed or corrupted. Clones also come in handy when you have to install new vulnerable software: you clone an existing virtual machine instead of installing an OS from scratch, saving precious time.

Overall, having a virtual lab environment for testing can go a long way and lets you learn many tasks and methods you may not have used before. Within your lab you are limited only by your imagination. I hope you enjoyed my high-level overview of setting up a basic lab environment; the main idea is to have fun while learning new technology and testing methodologies. A virtual lab is valuable both professionally and personally: you can learn a great deal and actually see how many types of technology and operating systems work and how they differ. So have fun, set up a nice lab, and I hope this article helps you out. Till next time =)

-bostonlink


Mac OSX nmap nse script search

OK,

I was tired of listing the directory manually every time I wanted to use an nmap NSE script on my Mac. Therefore, I wrote this simple script to either display all nmap NSE scripts or search for a string and list the matching scripts. Call me lazy, but I am all about saving time and increasing efficiency. I also love the challenge =)

#!/usr/bin/env python

"""Nmap NSE script search: list every NSE script in the default script
directory, or print only the scripts whose file name contains a search string."""

import os
import sys

# Default script directory for a source or Homebrew install of nmap on Mac OS X
# (the same path is used on Ubuntu). Adjust if your install puts it elsewhere,
# e.g. /usr/share/nmap/scripts for distro packages.
SCRIPT_PATH = '/usr/local/share/nmap/scripts/'

USAGE = """
nmap nse search script coded by bostonlink @ pentest-labs.org
example1: ./nse_search.py -l
example2: ./nse_search.py -s smb"""

HELP = """
Nmap nse search script options

-l = lists all nmap nse scripts within the nmap scripts directory

-s [search string] = searches all nse scripts and prints the ones that match the search string
"""


def nse_scripts(path=SCRIPT_PATH):
    """Return the sorted list of *.nse file names; no need to shell out to ls."""
    if not os.path.isdir(path):
        sys.exit('nmap script directory not found: %s' % path)
    return sorted(name for name in os.listdir(path) if name.endswith('.nse'))


def list_all(path=SCRIPT_PATH):
    for name in nse_scripts(path):
        print(name)


def list_search(search_string, path=SCRIPT_PATH):
    # Case-insensitive substring match on the file name, so "-s SMB" finds smb-*.nse too.
    needle = search_string.lower()
    for name in nse_scripts(path):
        if needle in name.lower():
            print(name)


def print_usage(status):
    print(USAGE)
    print(HELP)
    sys.exit(status)


if __name__ == '__main__':
    if len(sys.argv) <= 1:
        print_usage(0)

    if sys.argv[1] == '-l':
        list_all()
    elif sys.argv[1] == '-s':
        if len(sys.argv) <= 2:
            print_usage(0)       # -s without a search string
        list_search(sys.argv[2])
    else:
        print_usage(1)           # unknown option

Note: the script directory is at the same path in an Ubuntu Linux environment.

you can use wget to download the script http://pentest-labs.org/downloads/nse_search.py
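File names only tell you part of the story; nmap also ships a Lua table, scripts/script.db, that records each script's categories, and that is what 'nmap --script safe' or '--script "smb-* and not intrusive"' resolves against. The following is an added example (mine, not nmap's code and not the script above) that parses script.db and searches by name and category together, which the file-name approach cannot do. It assumes the same default directory as the post; the script.db sample is constructed in the real one-Entry-per-line format.

```python
"""Search nmap NSE scripts by name and category via scripts/script.db.

Added example for this post, not code from nmap. script.db is a Lua file with
one line per script:
    Entry { filename = "smb-os-discovery.nse", categories = { "default", "discovery", "safe", } }
Parsing it lets a search filter on category (safe, intrusive, vuln, ...) as well
as on the file name."""

import os
import re
import sys

SCRIPT_DB = '/usr/local/share/nmap/scripts/script.db'   # same default dir as the post

# Constructed sample in the script.db format; a real file has hundreds of entries.
SAMPLE_SCRIPT_DB = '''\
Entry { filename = "http-headers.nse", categories = { "discovery", "safe", } }
Entry { filename = "smb-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "smb-enum-shares.nse", categories = { "discovery", "intrusive", } }
Entry { filename = "smb-os-discovery.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "ssl-cert.nse", categories = { "default", "safe", "discovery", } }
'''

ENTRY = re.compile(r'filename\s*=\s*"([^"]+)".*?categories\s*=\s*\{([^}]*)\}')


def parse_script_db(text):
    """Return {filename: [categories]} from script.db text."""
    scripts = {}
    for line in text.splitlines():
        match = ENTRY.search(line)
        if match:
            scripts[match.group(1)] = re.findall(r'"([^"]+)"', match.group(2))
    return scripts


def search(scripts, name=None, category=None):
    """Scripts whose file name contains `name` (case-insensitive) and/or carry `category`."""
    hits = []
    for filename, categories in sorted(scripts.items()):
        if name and name.lower() not in filename.lower():
            continue
        if category and category.lower() not in [c.lower() for c in categories]:
            continue
        hits.append(filename)
    return hits


def load_script_db(path=SCRIPT_DB):
    with open(path) as fh:
        return parse_script_db(fh.read())


if __name__ == '__main__':
    # Usage: nse_db_search.py [name-substring] [category]; falls back to the sample offline.
    db = load_script_db() if os.path.exists(SCRIPT_DB) else parse_script_db(SAMPLE_SCRIPT_DB)
    name = sys.argv[1] if len(sys.argv) > 1 else None
    category = sys.argv[2] if len(sys.argv) > 2 else None
    for hit in search(db, name, category):
        print('%-28s %s' % (hit, ','.join(db[hit])))
```

Once you have a candidate, 'nmap --script-help <name>' prints its description and categories, which is the check to make before running anything from the intrusive or brute categories against a client system.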


Shodan Python API module install in Backtrack 4 R2

So, if you read my post below on my script that searches the exploit-db.com database for exploits, there was a problem installing the shodan module in BT4 R2. With a late night and a few beers in hand I went at this problem and got the shodan Python module working. I believe that it is due to the versions of Python in BT4 R2: they are 2.4 and 2.5, where 2.5 is the default interpreter that is executed when running a script or just the IDE; Python 2.6 does not have this issue, at least on my MacBook Pro. Below are the steps I took to get the shodan module successfully working on BT4 R2.

First we install the 'python-simplejson' module that the shodan api.py depends on, and download the shodan module's source:
[code]
apt-get install python-simplejson
wget http://pypi.python.org/packages/source/s/shodan/shodan-0.2.tar.gz
gzip -d shodan-0.2.tar.gz
tar xvf shodan-0.2.tar
cd shodan-0.2/shodan
nano api.py
[/code]

Now if we try to run 'setup.py install' the module will error out and not install, so we have to edit the api.py file and change a couple of lines. The first line we need to edit is the first line of the file: change 'from json import dumps,loads' to 'import simplejson as json'. Then go down to line 59 of the file, where it says 'data = loads(data)', and change this to 'data = json.loads(data)'. Save and exit api.py, then run the following commands:

[code]
cd ..
python setup.py install
[/code]
Now it installs successfully with no errors, and we have the shodan Python API working.
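The root of the problem is that the json module only entered the standard library in Python 2.6, so a bare 'from json import' fails on the 2.4/2.5 interpreters in BT4 R2. Rather than hand-editing api.py to hard-wire simplejson, the same file can be made to work on both old and new interpreters. The following is an added example (mine, not the shodan module's code) that applies that fix as a patch: it replaces the import line quoted above with a try/except that prefers the stdlib json and falls back to simplejson, and rebinds 'dumps' and 'loads' so the existing call sites, including the 'loads(data)' on line 59, need no change. The api.py excerpt it operates on is a constructed stand-in.

```python
"""Patch a module's bare 'from json import dumps, loads' for Python 2.4/2.5.

Added example for this post, not shodan's code. The import line matched below is
the one the post identifies in shodan-0.2/shodan/api.py; the replacement is a
compatibility shim that works on 2.4/2.5 (python-simplejson) and on 2.6+ (stdlib
json), so one patched file installs everywhere."""

import re
import sys

# The line that breaks on Python < 2.6, per the post (spacing around the comma tolerated).
JSON_IMPORT = re.compile(r'^from json import dumps\s*,\s*loads\s*$', re.MULTILINE)

# Prefer the stdlib, fall back to simplejson, and rebind the two names the module uses,
# so 'loads(data)' / 'dumps(...)' call sites keep working untouched.
COMPAT_IMPORT = '''\
try:
    import json
except ImportError:           # Python < 2.6: python-simplejson provides the same API
    import simplejson as json
dumps, loads = json.dumps, json.loads'''

# Constructed stand-in for the relevant part of api.py; not the real file.
SAMPLE_API_PY = '''\
from json import dumps,loads
import urllib

def _request(data):
    data = loads(data)
    return data
'''


def patch_json_import(source):
    """Return source with the bare json import replaced by the compat block.

    Raises ValueError unless exactly one import line was found, so a silent
    no-op cannot be mistaken for a successful patch."""
    patched, count = JSON_IMPORT.subn(COMPAT_IMPORT, source)
    if count != 1:
        raise ValueError('expected exactly one json import line, found %d' % count)
    return patched


if __name__ == '__main__':
    if len(sys.argv) > 1:                      # e.g. shodan-0.2/shodan/api.py
        path = sys.argv[1]
        with open(path) as fh:
            original = fh.read()
        with open(path, 'w') as fh:
            fh.write(patch_json_import(original))
        print('patched %s' % path)
    else:
        print(patch_json_import(SAMPLE_API_PY))
```

Run it against api.py before 'python setup.py install'; because the shim keeps the 'dumps' and 'loads' names, the edit to line 59 described above becomes unnecessary.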

-bostonlink


Quick HTTP Header grabbing script

Just a quick script I came up with when I had to grab the HTTP headers of multiple URLs. The script prints output to the terminal and also writes an output file in the CWD you run it from. The list of URLs needs the full http:// syntax, one URL per line.

#!/usr/bin/env python3

# Simple program which opens a file of urls, retrieves their response headers with a
# HEAD request, prints them to the tty and writes them to output.txt in the CWD

import sys
import urllib.error
import urllib.request

USAGE = '''
Port 80 Headers - Multiple site list
Author: bostonlink
Usage:  ./80headers.py url_list
Notes: Use a custom list of urls, each url on its own line with the full scheme, eg:
http://google.com
http://yahoo.com
Blank lines are skipped, and a url that fails to respond is reported without
stopping the rest of the list.
'''


def grab_headers(url, timeout=10):
    """Return the response headers for url as text, or an error line."""
    # HEAD returns the same headers as GET without pulling down the body.
    request = urllib.request.Request(url, method='HEAD')
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return str(response.info())
    except urllib.error.HTTPError as err:
        # 4xx/5xx responses still carry headers worth recording
        return 'HTTP %d %s\n%s' % (err.code, err.reason, err.info())
    except (urllib.error.URLError, OSError) as err:
        return 'ERROR: %s\n' % err


if len(sys.argv) != 2:
    print(USAGE)
    sys.exit(0)

with open(sys.argv[1]) as usrfile, open('output.txt', 'w') as outfile:
    for line in usrfile:
        url = line.strip()      # rstrip() returns a new string; the original discarded it
        if not url:
            continue            # skip blank lines instead of stopping at the first one
        header = grab_headers(url)
        block = '\n'.join(['=' * 60, url, '-' * 60, header, '=' * 60, ''])
        print(block)
        outfile.write(block)
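Grabbing the headers is only the first half of the job; what a pentester looks for in them is version disclosure (Server, X-Powered-By) and the absence of the browser-side protection headers. The following is an added example (mine, not part of 80headers.py) that triages saved header text for exactly that. It assumes the 'Name: value' header format the script above writes to output.txt; the two sample responses are constructed and the hostnames are not real.

```python
"""Triage grabbed HTTP response headers for disclosure and missing protections.

Added example for this post, not part of 80headers.py. It works on the
'Name: value' header text urllib's .info() prints (and the script saves), so it
runs offline on output.txt. Checks: version numbers in disclosure headers, and
absence of the common browser-side protection headers."""

import re
from email.parser import Parser

# Constructed sample responses in the shape the grabber records; not real hosts.
SAMPLE_HEADERS = {
    'http://intranet.example.test': '''\
Date: Wed, 01 Jun 2011 12:00:00 GMT
Server: Apache/2.2.14 (Ubuntu)
X-Powered-By: PHP/5.3.2-1ubuntu4.9
Content-Type: text/html
''',
    'https://hardened.example.test': '''\
Date: Wed, 01 Jun 2011 12:00:00 GMT
Server: nginx
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'
Content-Type: text/html
''',
}

DISCLOSURE_HEADERS = ('Server', 'X-Powered-By', 'X-AspNet-Version')
PROTECTION_HEADERS = ('Strict-Transport-Security', 'X-Frame-Options',
                      'X-Content-Type-Options', 'Content-Security-Policy')


def parse_headers(text):
    """Parse 'Name: value' lines into a case-insensitive mapping (email.message.Message)."""
    return Parser().parsestr(text, headersonly=True)


def version_disclosures(headers):
    """Disclosure headers whose value carries a version number, e.g. Apache/2.2.14."""
    found = {}
    for name in DISCLOSURE_HEADERS:
        value = headers.get(name)
        if value and re.search(r'\d+\.\d+', value):
            found[name] = value
    return found


def missing_protections(headers, https):
    """Protection headers absent from the response; HSTS only counts over HTTPS,
    because browsers ignore it on plain HTTP responses."""
    wanted = [h for h in PROTECTION_HEADERS if https or h != 'Strict-Transport-Security']
    return [h for h in wanted if headers.get(h) is None]


def triage(url, text):
    """Return the findings for one url/header-text pair."""
    headers = parse_headers(text)
    return {
        'disclosures': version_disclosures(headers),
        'missing': missing_protections(headers, url.startswith('https://')),
    }


if __name__ == '__main__':
    for url, text in SAMPLE_HEADERS.items():
        print(url, triage(url, text))
```

To run it over real output, split output.txt on the '=' separator lines the grabber writes and feed each url/header pair to triage(); a bare product name such as 'nginx' is not reported, only values that leak a version.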

Skipfish 1.33b/1.34b installation in BT4

This is a tutorial on how to install Skipfish 1.33b in BT4 final.

Update Note: Skipfish 1.34b has been released; I just verified this tutorial works with the new 1.34b version as well.

Note: all commands that should be issued are in code boxes all other text is comments

The first thing we need to do is install a dependency that does not come with BT4 by default: libidn11-dev. BT4 ships libidn11, just not the development library.

Install libidn11-dev

Code:
apt-get install libidn11-dev

Installation
Download skipfish from the url below:
skipfish – Project Hosting on Google Code

Once downloaded, we extract it and move it to any directory you like; I moved it to /pentest/web/skipfish to stay organized.

Code:
mv skipfish-1.33b.tgz /tmp
cd /tmp
tar xvf skipfish-1.33b.tgz
mv skipfish /pentest/web/
cd /pentest/web/skipfish

Before we issue our make command we need to modify the Makefile: look for LDFLAGS and point it at the correct library directory. Before modification it looks like this:
Before:

Code:
LDFLAGS   += -L/usr/local/lib/ -L/opt/local/lib

After:

Code:
LDFLAGS   += -L/usr/lib/ -L/opt/local/lib

After you make the appropriate changes save the Makefile, you can now run make and compile skipfish.

Note: if you do not modify the Makefile as described above skipfish will compile but when you run the application it will error out and not scan since the Makefile was pointing to the wrong directory.

Make the executable:

Code:
make

And we are done; all you need to do now is choose the dictionary you want to use. For more information see dictionaries/README-FIRST to pick a dictionary for the tool.

I chose the minimal.wl dictionary; now we copy it into place:

Code:
cp minimal.wl skipfish.wl
cp skipfish.wl ..
cd ..

You can optionally make an output directory as well; I like to, for the sake of organization:

Code:
mkdir output/
mkdir output/first

RUN IT:

Code:
./skipfish -o output/first/ http://192.168.6.9

when the scan completes the output report will be output/first/index.html

Hope you enjoy it.

bostonlink – OSCP