Pentesting « Security related discussions, articles, and tutorials

DerbyCon 2011

Ok it has been a week since DerbyCon and I am still drinking Kentucky Bourbon =)

In all seriousness, DerbyCon is one of the best conferences I have been to and it easily goes head to head with DefCon.  The talks were awesome and not just repeats of previous talks given at other cons.  Plus the people I talked with and met were amazing, friendly, and willing to talk about anything, especially bourbon =)  To @Rel1k @pure_hate @irongeek, well done guys.  All the staff made it an awesome con as well.  I am going back next year and the year after, well you get the picture. The point is you should have been there =)  Don’t miss next year’s DerbyCon, it will be epic.  Shout outs to my friend Buffalo Trace and all the cool people I met at DerbyCon.


Backtrack 5, Metasploit, and PostgreSQL

Backtrack 5 ships with some very nice features; however, I will be discussing Metasploit and PostgreSQL within this post.  Backtrack 5 ships with Metasploit and PostgreSQL out of the box, which means that postgres is already running within BT5.  One thing to note here is that you may need to install the postgres gem and specify the db_driver within msf.  I installed the gem using Ruby version 1.8.7; I get errors installing the postgres gem using Ruby version 1.9.2_dev.  There are some very nice how-tos for this over at the BT5 forums. Update 6/1/2011 – MSF does not contain any postgres drivers if launched from '/pentest/exploits/framework3'; however, if launched from your path then the drivers are available and PostgreSQL is initialized and connected.  However, it is not running on the default TCP port 5432; instead postgres is running on localhost:7175.  A quick 'netstat -antp | grep 7175' command will display if any service is running on a port.

But if we try to stop the postgres service using /etc/init.d/postgresql-8.4 stop, we get no luck: no service called postgresql-8.4 is running.  Hmm, let's display all services with the 'service --status-all' command.  We see the following, which indicates that the installation of PostgreSQL is associated with msf by default within BT5.  As we can see, this service is called 'framework-postgres'. NICE =)

What does this mean? It means we know the service name, so we can start and stop the service, stop auto-run at boot time, and we know that the installation of postgres is associated primarily with Metasploit.  But hey, the postgres config files are not in their default location.  Well ok, let's find where they are.  Let's start with where Metasploit is installed.  The 'framework3' directory within the '/pentest/exploits/' directory is a symbolic link to '/opt/framework3/msf3'.  Therefore, we look inside these directories and see a postgresql directory within the '/opt/framework3' directory.  However, if we start Metasploit and try to connect to the database with a user and password of 'root:toor', we get an authentication error.  So what is the user and password combo used?

After going through some of the directories within the '/opt/framework3' directory, I find an interesting directory called config which has a file named 'database.yml' within it.  Let's cat the contents of the file and see what it tells us.  As we can see from the screenshot below, it tells us the username and password.  Nice info; however, instead of specifying the username and password every time we connect to msf and want to use the PostgreSQL database, we can use the 'db_connect' command with the database.yml file.

As we can see, we have a username of msf and a randomly generated password.  I am running a few different BT5 virtual machines and each one has a different password.  Nice.  Now to connect msf to the database we just use the db_connect command with the right syntax to use the yml file, with the absolute path to the file specified.

Now we are in business.  I figured I would do a little write-up on this since I have not seen a lot of documentation for this anywhere, hope you enjoy.  To be honest I am finding more and more very nice features the BT5 developers introduced.  Nice work.
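As an added example (not from the post and not Metasploit's or BT5's own code), the following Python 3 script reads a database.yml in the layout described above, builds the explicit db_connect line from it, and checks whether anything is listening on the configured port; the sample file and its password, port and database name are constructed placeholders.

```python
#!/usr/bin/env python3
"""Read the database.yml msf generates on BT5 and derive the db_connect line from it."""
import re
import socket
import sys

# Constructed sample in the layout of /opt/framework3/config/database.yml; the
# password, port and database name are placeholders, not values from a real install.
SAMPLE_DATABASE_YML = """\
production:
  adapter: postgresql
  database: msf3
  username: msf
  password: EXAMPLE_RANDOM_PASSWORD   # BT5 generates a different one per install
  host: 127.0.0.1
  port: 7175
"""

SECTION_RE = re.compile(r"^(\w+):\s*$")
KEY_RE = re.compile(r"^\s+([\w-]+):\s*(.*)$")


def parse_database_yml(text):
    """Parse the flat env -> key: value layout of database.yml into nested dicts.

    Written without PyYAML so it runs on a bare install; not a general YAML parser.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2).strip().strip("'\"")
    return sections


def db_connect_command(sections, env="production"):
    """msfconsole's explicit form: db_connect user:pass@host:port/database."""
    cfg = sections[env]
    return "db_connect %s:%s@%s:%s/%s" % (cfg["username"], cfg["password"],
                                          cfg.get("host", "127.0.0.1"),
                                          cfg.get("port", "5432"), cfg["database"])


def is_listening(host, port, timeout=1.0):
    """TCP connect check; answers the same question as 'netstat -antp | grep 7175'."""
    try:
        with socket.create_connection((host, int(port)), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Pass the real file as the first argument; without one the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DATABASE_YML
    cfg = parse_database_yml(text)
    prod = cfg["production"]
    print(db_connect_command(cfg))
    print("postgres reachable on %s:%s -> %s" % (prod["host"], prod["port"],
                                                is_listening(prod["host"], prod["port"])))
```

Inside msfconsole the shortcut for the same thing is `db_connect -y /opt/framework3/config/database.yml`, which reads the file directly instead of pasting the credentials.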


Backtrack 5 Wireless Injection with Alfa AWUS051NH Card

To sum this all up, I really wanted to try out my Alfa AWUS051NH USB card with the new BT5 distro. Injection worked flawlessly and I was able to crack my seclab WEP-enabled WAP within a few minutes of injection. However, this was a 64-bit WEP key; stronger encryption will take a bit longer and more IVs to crack. Let's get this going.

The Setup:

BT5 KDE x32 – Virtual Machine
Alfa AWUS051NH USB card
Wireless Access Point running WEP

The Results:

Alfa AWUS051NH in monitor mode.

Start airodump-ng to see where my AP is.

Airodump-ng refined command specifying the BSSID and channel of my target AP.  (sorry guys) =)

Now to start the ARP injection using aireplay-ng while airodump-ng is capturing only IV packets.

And now for what everyone has been waiting for =)  Cracking the WEP key, using aircrack-ng.

Easy as 1, 2, 3 =)  Glad my card works out of the box with BT5.  Hope you all enjoyed this brief post. Till next time.

-bostonlink

Creating a Pentest Virtual Lab Environment

Creating a lab environment gives the user an opportunity to explore new technologies, test configurations, test exploitation methods, create scripts, and more. This is why creating a lab environment is an imperative task. In this article I will go over building lab environments specific to penetration testing. However, anyone could modify these lab guidelines and create their own specific lab environment. This article is not a definitive guide on how to set up a lab environment to suit everyone's needs. Instead, it is an overview of how to start a penetration testing lab environment.

A lab environment is necessary to learn specific penetration testing techniques that would be illegal without specific permission to test against public-facing systems. Thus, setting up a private environment of your own, in which you can launch any attack, tool, or exploit and do whatever you like, is essential to the learning process, plus it is a lot of fun. Another reason for a pentest lab is if you are tasked with a penetration test of a client and are unfamiliar with an exploit that one of their systems may be vulnerable to: then you can set up a test system that mirrors the original client's system configuration to the best of your knowledge to test and/or rewrite the exploit to make sure it acts as described. On another note, personally I like to re-write all exploits that are not directly ported within an exploit framework. This assures that the exploit does and performs exactly how I want it to; additionally it gives me peace of mind to know what the shellcode within the exploit does. However, this is out of the scope of this article.

The lab can be small or large, but it gives you the ability to run multiple operating systems, different configurations, and software to test. Virtualization makes an excellent lab environment and cuts down on the need for a lot of hardware. There are many virtualization solutions on the market today. However, in my opinion VMware products are the best. I may be biased since I started with VMware; for this reason this article will be focused on using VMware technology, since all of my labs are set up within VMware.

Depending on your setup, at minimum you should have a dedicated box, or if you don't want to go the dedicated route, the desktop or laptop running your lab should be able to run at least 2-3 virtual machines concurrently without degrading the performance of your system and making it inoperable. Within my lab environments, I have two dedicated servers each with 12GB of RAM running VMware ESXi 3.5 and 4.0. However, you do not need a setup like this if you just want to set up a couple of virtual machines to get started with and test against. I do have a VMware Workstation lab environment on my desktop as well with 8GB of RAM. Additionally, since I travel a lot, I installed 8GB of RAM on my laptop so I can test against VMs locally if needed while at a client site or in a hotel room.

That being said, I suggest you start off with VMware Workstation or VMware Server. Workstation is much more robust than VMware Server; however, it is not free like the VMware Server edition. It is up to you which virtualization platform you want to run. However, if you are a student, VMware does offer educational discounts for VMware Workstation and Fusion (if you have a Mac).

VMware Workstation and Fusion also give the user the ability to choose what kind of networking you want to enable on the host. There are three default options: bridged, NAT, and host-only. Here are some high-level definitions of the three types of networking. (For more information, read the VMware documentation.)

Bridged Networking – Assigns the guest system an IP address within the physical LAN that the host is on.

NAT – Uses network address translation to assign the guest a NATed IP address which can reach your LAN and the Internet through your host's Internet connection.

Host-only – Assigns an IP address to the guest that is only accessible on the host system. Host-only basically sandboxes the network to your host; you will not be able to access the Internet or any resources on the LAN which the host is on.

This is good since it gives you many options for your host. However, I highly suggest sticking with host-only when running exploits or testing malware within your lab environment. This will restrict the exploits to a sandboxed network and the exploit or malware will not have the ability to access resources on your production LAN.

Another thing to consider is where to get ISO images of the operating systems you want to install to play with or test against. For Microsoft builds this can be costly. However, I suggest a TechNet Professional subscription; it will allow you to download Microsoft operating system ISOs for development purposes. Additionally, you will want a variety of VMs set up to test different exploits and tools against. At the least, set up the following victim machines within your lab environment:

Windows XP SP2
Windows XP SP3
Windows Vista
Windows 7
Windows Server 2003
Windows Server 2008
Server 2008 R2
Several Linux flavors (I like Ubuntu and CentOS)
pfSense or m0n0wall firewall (optional)
BT4, and soon BT5 (attacker)

This will give you many targets within your environment which you can test against, as well as an attacking box. I love BackTrack, and the guys who make the BackTrack Linux distribution possible do a phenomenal job. BackTrack is my preferred attacking box within my lab and while conducting real-life penetration tests. It is highly recommended since it has the majority of the tools you will need to learn and get to know intimately pre-installed.

To add, once you have all of your test victim machines set up, I highly suggest you store them and make clones and snapshots of the systems; this will enable you to revert the systems if they get hosed or corrupt. Clones also come in handy when having to install new vulnerable software on the system. Clones enable you to just clone an existing virtual machine instead of having to install an OS from scratch, thus saving precious time.

Overall, having a virtual lab environment for testing purposes can go a long way, and it allows you to learn many tasks and methods that you may not have used before. Within your lab environment you are only limited by your mind. I hope you enjoyed my high-level overview of setting up a basic lab environment; the main idea is to learn and have fun while learning new technology and testing methodologies. I hope you learned how important having a virtual lab environment can be, professionally and personally: you can learn so much and actually see how many types of technology and operating systems work and how they differ. Therefore, have fun, set up a nice lab, and I hope this article will help you out. Till next time =)

-bostonlink


Quick Website Link puller script

I know it has been a while but what can I say I have been busy =)

Anyway, I scripted a quick link puller script that parses a website's source code and prints all links within the code to the terminal. I found it useful, so I thought I would share it with you all. I know there are some other programs out there that probably do the same thing, but hey, I like the challenge of thinking through the scripting process and making my scripts work. Hope you all enjoy.

ex: ./link_puller.py http://pentest-labs.org

Script:

#!/usr/bin/python

"""URL Puller - pulls the source and parses links from a specified website"""

import urllib2, sys

usage = '''
link_puller.py coded by: bostonlink @ pentest-labs.org
example: ./link_puller.py http://pentest-labs.org
'''


if len(sys.argv) != 2:
    print(usage)
    sys.exit(0)

url_html = urllib2.urlopen(sys.argv[1])
html_read = url_html.read()

# whitespace-split the source and keep only the tokens that carry an href attribute
for url in html_read.split():
    if 'http://' in url and 'href=' in url:
        # split on the attribute name rather than lstrip('href='): lstrip removes
        # a set of characters, so it would also eat the leading 'h' of an unquoted
        # http:// value and the link would be silently dropped
        urls = url.split('href=', 1)[1].split('>')
        for i in urls:
            if 'http://' in i:
                print(i.strip("'\""))
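An added example, not part of the original post, that does the same job with Python 3's html.parser instead of whitespace splitting: it handles unquoted and single-quoted attributes, upper-case tags, relative and protocol-relative URLs, and drops mailto:/javascript: targets. The sample HTML is constructed; the fetch helper is only used when a URL is passed on the command line.

```python
#!/usr/bin/env python3
"""Link extractor built on a real HTML parser rather than str.split()."""
import sys
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit
from urllib.request import urlopen

# Constructed sample page for offline use (not fetched from any real site).
SAMPLE_HTML = """<html><body>
<a href="http://example.com/a">one</a>
<a href='/relative/path'>two</a><a href=unquoted/page>three</a>
<A HREF="https://example.com/a?x=1#frag">four</A>
<a href="mailto:someone@example.com">mail</a>
<a href="javascript:void(0)">js</a>
<img src="/img/logo.png"> <script src="//cdn.example.net/lib.js"></script>
<a href="http://example.com/a">dup</a>
</body></html>"""


class LinkParser(HTMLParser):
    """Collects href/src values; the parser deals with quoting, case and spacing."""

    def __init__(self):
        super().__init__()
        self.raw_links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.raw_links.append(value)


def extract_links(html, base_url, schemes=("http", "https")):
    """Absolute http(s) URLs found in html, resolved against base_url, deduplicated."""
    parser = LinkParser()
    parser.feed(html)
    parser.close()
    seen, result = set(), []
    for raw in parser.raw_links:
        absolute = urljoin(base_url, raw.strip())
        if urlsplit(absolute).scheme not in schemes:
            continue  # drops mailto:, javascript:, data: and similar
        if absolute not in seen:
            seen.add(absolute)
            result.append(absolute)
    return result


def fetch_links(url):
    """Fetch url and extract its links, resolving against the final (post-redirect) URL."""
    with urlopen(url, timeout=10) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return extract_links(resp.read().decode(charset, "replace"), resp.geturl())


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: %s http://host/  (no argument: parse the built-in sample)" % sys.argv[0])
        links = extract_links(SAMPLE_HTML, "http://example.com/")
    else:
        links = fetch_links(sys.argv[1])
    for link in links:
        print(link)
```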

Updated exploit_db_search_v2.py

Ok,

I just cleaned up the code a bit and made some very minor changes; now all links will point to the v2 version of the script. To see the changes, click the link provided below.

http://pentest-labs.org/downloads/exploit_db_search_v2.py

Have fun.. Happy Hacking!

-bostonlink


Exploit-db search python script

I just coded a nice little script while messing around with the shodan Python library. It allows you to search for a string, list all exploits that were found, show a specific exploit (code), download a specific exploit, and change the search string. This is version 1, which I just coded in a couple of hours to make sure everything works fine before posting to my blog. If you have any requests to add, feel free to email me or add them yourself =).  I hope people find this useful; I sure will.  I coded it on my MacBook Pro because the easy_install method for the shodan library returned errors in BT R2; not sure exactly why, and I didn't bother looking further into it yet.  Just a heads up: you will need to sign up at http://www.shodanhq.com/ to get the API key which is needed to run this script.  The script is as follows; you can also download it from:
http://pentest-labs.org/downloads/exploit_db_search_v2.py

#!/usr/bin/python

"""Searches exploit-db exploit database"""
# coded by: bostonlink @ pentest-labs.org
# thanks to shodanhq and exploit-db
# usage: ./exploit_db_search.py [search_string]

import sys, os, shodan

usage = '''\nexploit_db_search.py coded by: bostonlink @ pentest-labs.org
     usage: ./exploit_db_search.py [search_string]
          example: ./exploit_db_search.py php
'''


SHODAN_API_KEY = 'Enter Your Shodan API key here'
api = shodan.WebAPI(SHODAN_API_KEY)

if len(sys.argv) != 2:
    print(usage)
    sys.exit(0)


def search(query):
    """Run an exploit-db search through the shodan API and report the hit count."""
    results = api.exploitdb.search(query)
    print("Searching................\n")
    print("Search Executed Successfully")
    print("There are %s Exploits Found that relate to %s" % (results['total'], query))
    print("See Menu below for options")
    return results


def find_exploit(results, exploit_id):
    """Return the match whose id equals the user-supplied string, or None."""
    for exploit in results['matches']:
        if exploit_id == str(exploit['id']):
            return exploit
    return None


# menu options
def menu():
    print('\nMenu Options\n')
    print('1 - list all exploits found')
    print('2 - select the type of exploits to display')
    print('3 - select a exploit to view')
    print('4 - write exploit to a file in the CWD')
    print('5 - change search string')
    print('6 - exit')
    return raw_input('\nSelect an option from above: ')


# initial exploit-db search
search_query = sys.argv[1]
results = search(search_query)

while True:
    selection = menu()

    if selection == '1':
        print('\nexploit id: description\n')
        for exploit in results['matches']:
            print('%s: %s' % (exploit['id'], exploit['description']))

    elif selection == '2':
        print('exploit types : remote, webapps, dos, local, shellcode')
        exploit_type = raw_input('enter the type of exploit: ')
        print('\ndisplaying %s exploits\n' % exploit_type)
        for exploit in results['matches']:
            if exploit_type == exploit['type']:
                print('%s: %s' % (exploit['id'], exploit['description']))

    elif selection == '3':
        exploit = find_exploit(results, raw_input('\nenter the exploit id to be displayed: '))
        if exploit is None:
            print('no such exploit id in the current results')
            continue
        exploit_file = api.exploitdb.download(exploit['id'])
        print('Filename: %s' % exploit_file['filename'])
        print('Content-type: %s' % exploit_file['content-type'])
        print(exploit_file['data'])

    elif selection == '4':
        exploit = find_exploit(results, raw_input('\nenter exploit id: '))
        if exploit is None:
            print('no such exploit id in the current results')
            continue
        exploit_dl = api.exploitdb.download(exploit['id'])
        # basename() keeps a remote-supplied filename from writing outside the CWD
        filename = os.path.basename(exploit_dl['filename'])
        output = open(filename, 'w')
        output.write(exploit_dl['data'])
        output.close()
        print('written to %s' % filename)

    elif selection == '5':
        search_query = raw_input('enter new search string: ')
        results = search(search_query)

    elif selection == '6':
        print('Happy Hacking!')
        sys.exit(0)

If you are going to use this code, use the link above and wget it; this is because of the word wrap within my blog posts.

-bostonlink


Simple time saving dns info script

A simple DNS info script which tells the user the nameservers and MX records, and attempts zone transfers against all nameservers. Check it out.
Click here to view and download the script.

#!/usr/bin/python

# a script that uses the host command to lookup various dns information of a target
# coded by: bostonlink

import sys, subprocess

usage = """\ndns_script.py coded by bostonlink @ pentestlabs.org\n
Usage: ./dns_script.py domainname
Example: ./dns_script.py google.com\n"""


if len(sys.argv) != 2:
    print(usage)
    sys.exit(0)

target = sys.argv[1]


def banner(text):
    print("\n" + "*" * 60)
    print(text)
    print("*" * 60 + "\n")


def host(args):
    """Run host(1) with an argument list (no shell) and return its stdout.

    communicate() both reads the pipe and waits for the child, so a large
    answer (a successful zone transfer) cannot stall it on a full pipe.
    """
    proc = subprocess.Popen(["host"] + args, stdout=subprocess.PIPE)
    out, _ = proc.communicate()
    return out


banner("%s nameservers" % target)
ns = host(["-t", "ns", target])
print(ns)

banner("%s mailservers" % target)
mx = host(["-t", "mx", target])
print(mx)

# host prints each NS as "example.com name server ns1.example.com." and the
# trailing dot is what separates the server names from the other words
for nameserver in ns.split():
    if nameserver.endswith("."):
        zone_tr = nameserver.rstrip(".")
        banner("%s zone transfer against %s" % (target, zone_tr))
        print(host(["-l", target, zone_tr]))

print("\nScript completed")

Example:

root@bt:~/my stuff/scripts/python_dev# ./dns_script_2.py google.com

************************************************************
google.com nameservers
************************************************************

google.com name server ns1.google.com.
google.com name server ns2.google.com.
google.com name server ns4.google.com.
google.com name server ns3.google.com.

************************************************************
google.com mailservers
************************************************************

google.com mail is handled by 200 google.com.s9a2.psmtp.com.
google.com mail is handled by 100 google.com.s9a1.psmtp.com.
google.com mail is handled by 300 google.com.s9b1.psmtp.com.
google.com mail is handled by 400 google.com.s9b2.psmtp.com.

************************************************************
google.com zone transfer against ns1.google.com
************************************************************

; Transfer failed.
Using domain server:
Name: ns1.google.com
Address: 216.239.32.10#53
Aliases:

Host google.com.localdomain not found: 5(REFUSED)
; Transfer failed.

************************************************************
google.com zone transfer against ns2.google.com
************************************************************

snip……….
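As an added example, not from the post, here is Python 3 parsing logic for the host(1) output shown above: it pulls the nameservers and MX hosts out of the text the script prints and classifies each zone transfer attempt as refused, failed, or ok (listing the records a misconfigured server returned). The samples are constructed from the output format above; the lab.example zone and its RFC 5737 addresses are made up.

```python
#!/usr/bin/env python3
"""Parse host(1) output for NS/MX lookups and classify a zone transfer attempt."""
import re

# Constructed samples in the format host(1) from the BIND tools prints, modelled on
# the google.com run above; the AXFR_OK zone is made up (RFC 5737 addresses).
NS_OUTPUT = """google.com name server ns1.google.com.
google.com name server ns2.google.com.
"""
MX_OUTPUT = """google.com mail is handled by 200 google.com.s9a2.psmtp.com.
google.com mail is handled by 100 google.com.s9a1.psmtp.com.
"""
AXFR_REFUSED = """; Transfer failed.
Using domain server:
Name: ns1.google.com
Address: 216.239.32.10#53
Aliases:

Host google.com.localdomain not found: 5(REFUSED)
; Transfer failed.
"""
AXFR_OK = """lab.example name server ns1.lab.example.
lab.example has address 192.0.2.10
www.lab.example has address 192.0.2.20
"""

NS_RE = re.compile(r"^\S+ name server (\S+?)\.?$")
MX_RE = re.compile(r"^\S+ mail is handled by (\d+) (\S+?)\.?$")
# Record lines that a successful 'host -l' (AXFR) prints, mapped to their RR type.
RECORD_RES = [
    (re.compile(r"^(\S+) has address (\S+)$"), "A"),
    (re.compile(r"^(\S+) has IPv6 address (\S+)$"), "AAAA"),
    (re.compile(r"^(\S+) name server (\S+)$"), "NS"),
    (re.compile(r"^(\S+) mail is handled by (\d+ \S+)$"), "MX"),
    (re.compile(r"^(\S+) is an alias for (\S+)$"), "CNAME"),
]


def parse_nameservers(text):
    """Nameserver hostnames without the trailing dot, in the order host printed them."""
    return [m.group(1) for m in map(NS_RE.match, text.splitlines()) if m]


def parse_mx(text):
    """(preference, host) pairs sorted so the most preferred (lowest) comes first."""
    found = [m for m in map(MX_RE.match, text.splitlines()) if m]
    return sorted((int(m.group(1)), m.group(2)) for m in found)


def zone_transfer_status(text):
    """Classify 'host -l' output as refused, failed, or ok plus the records it returned.

    'ok' means the server handed the whole zone to an arbitrary client, which is
    the misconfiguration this check exists to surface."""
    if "REFUSED" in text:
        return {"status": "refused", "records": []}
    records = []
    for line in text.splitlines():
        for pattern, rtype in RECORD_RES:
            m = pattern.match(line)
            if m:
                records.append((m.group(1), rtype, m.group(2)))
                break
    if not records or "; Transfer failed." in text:
        return {"status": "failed", "records": records}
    return {"status": "ok", "records": records}
```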

-bostonlink


Nmap python script – defines targeted ports

To start, I was doing some nmap scans of my own network (of course =)) and I was looking for multiple targeted ports on my network.  I got really tired of typing and even arrowing up and changing the IP address ranges while conducting my scans.  So I figured, why not turn this into a Python exercise? I quickly coded a Python script with the targeted ports I was looking for; I also made the IP address range a command line option, as well as the nmap output file name. This script saves me a lot of time while scanning. See the code below. Click here to view and download the script.

#!/usr/bin/python

# Targeted nmap scan script with a fixed list of targeted ports

import subprocess, sys

author = "\n./targeted_nmap coded by bostonlink\n"
usage = """./targeted_nmap.py ip file_output_name
example: ./targeted_nmap.py 1.2.3.4 int_pentest\n"""

if len(sys.argv) != 3:
    print(author)
    print("check the arguments - script needs IP range or address and file name defined see usage and example below")
    print(usage)
    sys.exit(0)

ports = "T:21-23,25,80,110,135-139,443,445,3389,4444,8080,50000,10000"

# pass the arguments as a list rather than a shell=True format string: the target
# and output name come straight from the command line, and with shell=True any
# shell metacharacters in them would be interpreted by /bin/sh before nmap runs
subprocess.Popen(["nmap", "-sS", "-PN", sys.argv[1], "-p", ports,
                  "--reason", "-oA", sys.argv[2]]).wait()
print("\nNmap scan has finished see output files within the directory you ran this script in")
print("brought to you by: bostonlink - pentest-labs.org\n")
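An added example, not from the post: the same scan built as an argument list rather than a shell=True format string, with the target and output name validated first so that whatever is typed on the command line is never interpreted by a shell. The validation functions never start nmap; run_scan assumes nmap is installed and (for -sS) root, and "-Pn" is the current spelling of the post's "-PN".

```python
#!/usr/bin/env python3
"""Build the targeted nmap command as an argument list from validated inputs."""
import ipaddress
import re
import subprocess
import sys

# The port list from the post's script.
TARGET_PORTS = "T:21-23,25,80,110,135-139,443,445,3389,4444,8080,50000,10000"
OUTNAME_RE = re.compile(r"^[A-Za-z0-9_.-]+$")
OCTET_RANGE_RE = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)(\d{1,3})-(\d{1,3})$")


def validate_target(spec):
    """Accept an IPv4 address, a CIDR block, or an nmap last-octet range (a.b.c.x-y).

    Anything else, including a shell metacharacter smuggled into the argument,
    raises ValueError before nmap is ever started. Hostnames are rejected on
    purpose (the post scans address ranges); extend this if you need them.
    """
    m = OCTET_RANGE_RE.match(spec)
    if m:
        lo, hi = int(m.group(2)), int(m.group(3))
        if not 0 <= lo <= hi <= 255:
            raise ValueError("bad octet range in %r" % spec)
        ipaddress.IPv4Address(m.group(1) + "0")   # checks the first three octets
        return spec
    try:
        ipaddress.IPv4Network(spec, strict=False)  # single address or CIDR block
    except ValueError as exc:
        raise ValueError("invalid target %r: %s" % (spec, exc)) from None
    return spec


def build_nmap_argv(target, outname, ports=TARGET_PORTS):
    """argv for the scan; a list (not a shell=True string) means the target and
    output name are handed to nmap as-is and never parsed by /bin/sh."""
    if not OUTNAME_RE.match(outname):
        raise ValueError("output name %r: letters, digits, '_', '.', '-' only" % outname)
    return ["nmap", "-sS", "-Pn", validate_target(target), "-p", ports,
            "--reason", "-oA", outname]


def run_scan(target, outname):
    """Run the scan (needs nmap, and root for -sS) and return nmap's exit status."""
    return subprocess.run(build_nmap_argv(target, outname)).returncode


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: %s ip_or_range file_output_name" % sys.argv[0])
    sys.exit(run_scan(sys.argv[1], sys.argv[2]))
```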

Hope you enjoy!

-bostonlink


Las Vegas – Defcon 18

I have been extremely busy for the past couple of months, hence no new posts.  I am getting ready to head out to Las Vegas at the end of this month to go to Defcon 18, which I try to make every year.  Last year was a blast; I met a lot of new people and went to some exciting talks, as well as visited the bar a lot, what can I say, it’s Vegas.  I can’t wait to get out of the everyday routine and relax in Vegas for a few days while gaining some exciting and interesting knowledge about the infosec industry.  I will be updating the site when I get back with pictures and my experiences while in Vegas and at Defcon. Stay tuned.
