Security « Security related discussions, articles, and tutorials

The Power of Information

Information within today's society is an interesting topic for discussion; add security and you have an all-out debate.  Overall, information rules our society: everything runs off some form of information in one way or another.  That is why information is power.  For example, say company xyz.com was breached and proprietary information was obtained by the attackers.  Not so good for xyz.com, but let's analyze the motivation behind such attacks.  The majority of the time the motivation is to gain information that will lead to financial gain for the attackers.  There are many breaches every year, but the exact numbers are out of scope for this article.  Information is a priceless commodity which, in the wrong hands, can bring down an entire company, cost it a lot of money, ruin reputations, and feed the attackers' efforts to breach more companies.  Knowing this sheds light on how much power information has within our society.

What is information?  Information is just about everywhere; to name a few forms: data, databases, web pages, intellectual property, credit card numbers, identities, social security numbers, driver's license numbers, addresses, and so on.  I believe there is a need to protect sensitive and confidential information.  This boils down to how information is classified, with categories such as Top Secret, Classified, and Public to name a few.  If information is not classified according to its nature, how would we know what to secure and what to make public?  Therefore, information classification should be one layer within a multi-layered information security program.

As a pentester I get a thrill out of trying to circumvent security layers and gain unauthorized access to a box; who doesn't?  However, the main reason behind a pentest is to identify vulnerabilities, use them to successfully breach an organization's system, and report to the organization the risk of the specific vulnerabilities and exploits discovered.  To truly report the risk of a vulnerability, the tester needs to analyze what can be done once a system has been successfully exploited.  This is called post-exploitation.  Is it enough that I got a shell on a box during a pentest?  No; a full-scale penetration test should include post-exploitation tasks too, to see what information can be gained from the attack.  Yes, it is helpful to let the organization know that a server is vulnerable to remote code execution or SQL injection.  However, it is more valuable to the organization if the tester is able to identify and gain access to sensitive information within the institution.  Numerous security researchers actively research post-exploitation and methods of obtaining different types of information from a system or network.  Metasploit has started to port post-exploitation scripts into actual modules, and Carlos Perez has done some awesome research and crafted some excellent scripts for post-exploitation work.

To sum this all up, information is key to any profession within the security industry.  My opinion is not new; I just felt compelled to write a brief post stating it.  Overall, my motivation for this article was seeing many client pentest reports where companies were given automatically generated scan reports and nothing else.  This is not good, for the simple reason that it does not indicate a proper penetration test was conducted for the client.  For a great description of what penetration testing should include for an organization, I highly recommend heading over to PTES (the Penetration Testing Execution Standard).


Mac OSX nmap nse script search

OK,

I was tired of listing the directory manually every time I wanted to use an nmap NSE script on my Mac, so I wrote this simple script to either display all nmap NSE scripts or search for a string and list the relevant scripts. Call me lazy, but I am all about saving time and increasing efficiency. I also love the challenge =)

#!/usr/bin/python

""" Nmap Script search, this script displays all nmap scripts, or searches for a
string within the title of the nmap script"""


import sys,subprocess,os

# assumes nmap is installed and its scripts live in the default directory set below

usage = """
nmap nse search script coded by bostonlink @ pentest-labs.org
example1: ./nse_search.py -l
example2: ./nse_search.py -s smb"""


help = """
Nmap nse search script options

-l = lists all nmap nse scripts within the /nmap/scripts directory

-s [search string] = searches all nse scripts and prints ones that matches the search string\n"""


if len(sys.argv) <= 1:
    print usage
    print help
    sys.exit(0)

cwd = os.getcwd()
script_path = '/usr/local/share/nmap/scripts/'

def chg_dir():
    # move into the nmap script directory so the ls calls below list it
    if cwd != script_path:
        os.chdir(script_path)
        print '\nChanged CWD to default nmap script directory\n'

def list_all():
    cmd1 = subprocess.Popen(["ls","-l"], stdout=subprocess.PIPE)
    lista = cmd1.stdout.read()
    cmd1.wait()
    print lista

def list_search():
    if len(sys.argv) <= 2:
        print usage
        print help
        sys.exit(0)
    else:
        search_string = sys.argv[2]
        cmd1 = subprocess.Popen(["ls"], stdout=subprocess.PIPE)
        lista = cmd1.stdout.read()
        cmd1.wait()
        lista1 = lista.strip().split()
        for i in lista1:
            if search_string in i:
                print i

if sys.argv[1] == '-l':
    chg_dir()
    list_all()

if sys.argv[1] == '-s':
    chg_dir()
    list_search()

Note: the same path applies in an Ubuntu Linux environment.

You can use wget to download the script: http://pentest-labs.org/downloads/nse_search.py
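For the same task, here is an added example (not the nse_search.py from the post): a Python 3 version that reads the script directory with os.listdir instead of shelling out to ls, and that also searches the `description = [[ ... ]]` block inside each .nse file, so a query can match scripts whose file name does not contain the word. The candidate directory list is an assumption: the path from the post plus the Debian/Ubuntu package path.

```python
#!/usr/bin/env python3
"""Search nmap NSE scripts by file name or by the text of their description block.

Added example, not the script from the post. Lists the directory directly
and also matches against each script's `description = [[ ... ]]` header."""

import os
import re
import sys

# Candidate locations (assumption: the first one that exists is used)
CANDIDATE_DIRS = [
    "/usr/local/share/nmap/scripts/",   # path used in the original post (macOS)
    "/usr/share/nmap/scripts/",         # Debian/Ubuntu nmap package
]

DESC_RE = re.compile(r"description\s*=\s*\[\[(.*?)\]\]", re.DOTALL)


def find_script_dir(candidates=CANDIDATE_DIRS):
    """Return the first existing script directory, or None."""
    for d in candidates:
        if os.path.isdir(d):
            return d
    return None


def read_description(path, max_bytes=8192):
    """Extract the description block from the head of an NSE file ('' if none)."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            head = fh.read(max_bytes)
    except OSError:
        return ""
    m = DESC_RE.search(head)
    return " ".join(m.group(1).split()) if m else ""


def search_scripts(script_dir, terms):
    """Sorted .nse file names whose name or description contain every term (case-insensitive).
    An empty term list returns every script, like the post's -l option."""
    terms = [t.lower() for t in terms]
    hits = []
    for name in sorted(os.listdir(script_dir)):
        if not name.endswith(".nse"):
            continue
        desc = read_description(os.path.join(script_dir, name))
        haystack = name.lower() + " " + desc.lower()
        if all(t in haystack for t in terms):
            hits.append(name)
    return hits


def main(argv):
    script_dir = find_script_dir()
    if script_dir is None:
        print("no nmap script directory found; is nmap installed?")
        return 1
    # '-l' lists everything, '-s word ...' searches; bare words search too
    terms = [a for a in argv[1:] if a not in ("-l", "-s")]
    names = search_scripts(script_dir, terms)
    for name in names:
        print(name)
    print("%d script(s) in %s" % (len(names), script_dir))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage mirrors the post: `./nse_search.py -l` lists everything, `./nse_search.py -s smb` searches, and `./nse_search.py smb signing` requires both words to appear in the name or description.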


Quick Website Link puller script

I know it has been a while but what can I say I have been busy =)

Anyway, I scripted a quick link puller that parses a website's source code and prints all links within it to the terminal. I found it useful, so I thought I would share it with you all. I know there are other programs out there that probably do the same thing, but I like the challenge of thinking through the scripting process and making my scripts work. Hope you all enjoy.

ex: ./link_puller.py http://pentest-labs.org

Script:

#!/usr/bin/python

"""URL Puller - pulls the source and parses links from a specified website"""

import urllib2,sys

usage = '''
link_puller.py coded by: bostonlink @ pentest-labs.org
example: ./link_puller.py http://pentest-labs.org
'''


if len(sys.argv) != 2:
    print(usage)
    sys.exit(0)

url_html = urllib2.urlopen(sys.argv[1])
html_read = url_html.read()

for url in html_read.split():
    # only whitespace-separated tokens that carry an absolute link inside an href attribute
    if 'http://' in url and 'href=' in url:
        # take everything after 'href='; the original used lstrip('href='), which strips
        # a set of characters rather than a prefix and eats the 'h' of an unquoted 'http://'
        urls = url.partition('href=')[2].split('>')
        for i in urls:
            if 'http://' in i:
                print(i.strip("'\""))
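The whitespace-splitting approach above misses links whose attribute sits on its own line or uses single quotes, and it cannot resolve relative links. As an added example (not the post's link_puller.py), here is a Python 3 version built on the standard library html.parser that handles those cases, resolves relative URLs against the page URL with urljoin, and drops non-HTTP schemes such as mailto: and javascript:. The sample page embedded below is constructed for the demo; only fetch_links() touches the network.

```python
#!/usr/bin/env python3
"""Extract links from HTML with a real parser instead of splitting on whitespace.

Added example, not the link_puller.py from the post."""

import sys
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
from urllib.request import urlopen


class LinkCollector(HTMLParser):
    """Collects link-bearing attribute values from a, link, script, img, iframe and form tags."""

    ATTRS = {"a": "href", "link": "href", "script": "src",
             "img": "src", "iframe": "src", "form": "action"}

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        wanted = self.ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                # relative links become absolute against the page URL
                self.links.append(urljoin(self.base_url, value.strip()))


def extract_links(html, base_url, schemes=("http", "https")):
    """Unique absolute links from html, in document order, limited to the given schemes."""
    parser = LinkCollector(base_url)
    parser.feed(html)
    seen, out = set(), []
    for link in parser.links:
        if urlparse(link).scheme not in schemes:
            continue          # drops javascript:, mailto:, data: and similar
        if link not in seen:
            seen.add(link)
            out.append(link)
    return out


def fetch_links(url):
    """Download url and return the links it contains (this is the only network call)."""
    with urlopen(url) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        html = resp.read().decode(charset, errors="replace")
    return extract_links(html, url)


# Constructed sample page covering the cases a split()-based scan misses
SAMPLE_HTML = """<html><body>
<a href='http://pentest-labs.org/downloads/'>single quotes</a>
<a
   href="/blog">relative link, attribute on its own line</a>
<a href=http://example.com/unquoted>unquoted value</a>
<a href="mailto:someone@example.com">mail</a>
<a href="javascript:alert(1)">script scheme</a>
<script src="https://cdn.example.com/app.js"></script>
<a href="http://pentest-labs.org/downloads/">duplicate</a>
</body></html>"""

if __name__ == "__main__":
    if len(sys.argv) == 2:
        links = fetch_links(sys.argv[1])          # ./link_puller3.py http://pentest-labs.org
    else:
        links = extract_links(SAMPLE_HTML, "http://pentest-labs.org/")
    for link in links:
        print(link)
```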

Updated exploit_db_search_v2.py

Ok,

I just cleaned up the code a bit and made some very minor changes; all links now point to the v2 version of the script. To see the changes, click the link provided below.

http://pentest-labs.org/downloads/exploit_db_search_v2.py

Have fun.. Happy Hacking!

-bostonlink


Shodan Python API module install in Backtrack 4 R2

So, if you read my post below on my script that searches the exploit-db.com database for exploits, there was a problem installing the shodan module in BT4 R2.  With a late night and a few beers in hand I went at this problem and got the shodan Python module working.  I believe it is due to the Python versions in BT4 R2: they are 2.4 and 2.5, where 2.5 is the default interpreter executed when running a script or the IDE; Python 2.6 does not have this issue, at least on my MacBook Pro.  Below are the steps I took to get the shodan module working successfully on BT4 R2.

First we install the 'python-simplejson' module that the shodan api.py depends on, and download the shodan module's source:
[code]
apt-get install python-simplejson
wget http://pypi.python.org/packages/source/s/shodan/shodan-0.2.tar.gz
gzip -d shodan-0.2.tar.gz
tar xvf shodan-0.2.tar
cd shodan-0.2/shodan
nano api.py
[/code]

Now, if we try to run 'setup.py install', the module will error out and not install, so we have to edit the api.py file and change a couple of lines for it to install. The first line we need to edit is the first line of the file: change 'from json import dumps,loads' to 'import simplejson as json'. Then go down to line 59 of the file, where it says 'data = loads(data)', and change this to 'data = json.loads(data)'. Now save and exit api.py and run the following commands:

[code]
cd ..
python setup.py install
[/code]
Now it installs successfully with no errors, and we have the shodan Python API working.

-bostonlink


Exploit-db search python script

I just coded a nice little script while messing around with the shodan Python library. It allows you to search for a string, list all exploits that were found, show a specific exploit's code, download a specific exploit, and change the search string. This is version 1, which I coded in a couple of hours to make sure everything works fine before posting to my blog. If you have any requests to add, feel free to email me or add them yourself =).  I hope people find this useful; I sure will.  I coded it on my MacBook Pro because the easy_install method of the shodan library returned errors in BT4 R2; not sure exactly why, and I haven't bothered looking further into it yet.  Just a heads up: you will need to sign up at http://www.shodanhq.com/ to get the API key that is needed to run this script.  The script is as follows; you can also download it from:
http://pentest-labs.org/downloads/exploit_db_search_v2.py

#!/usr/bin/python

"""Searches exploit-db exploit database"""
# coded by: bostonlink @ pentest-labs.org
# thanks to shodanhq and exploit-db
# usage: ./exploit_db_search.py

import sys,shodan,urllib2

usage = '''\nexploit_db_search.py coded by: bostonlink @ pentest-labs.org
     usage: ./exploit_db_search.py [search_string]
          example: ./exploit_db_search.py php
'''


SHODAN_API_KEY = 'Enter Your Shodan API key here'
api = shodan.WebAPI(SHODAN_API_KEY)

if len(sys.argv) < 2 or len(sys.argv) > 3:
    print(usage)
    sys.exit(0)

# initial exploit-db search search
search_query = sys.argv[1]
results = api.exploitdb.search(search_query)

if len(results) > 0:
    print("Searching................\n")
    print("Search Executed Successfully")
    print("There are %s Exploits Found that relate to %s" % (results['total'],search_query))
    print("See Menu below for options")

# menu options
def menu():
    print('\nMenu Options\n')
    print('1 - list all exploits found')
    print('2 - select the type of exploits to display')
    print('3 - select a exploit to view')
    print('4 - write exploit to a file in the CWD')
    print('5 - change search string')
    print('6 - exit')
    global selection
    selection = raw_input('\nSelect an option from above: ')

menu()
# menu options end

# if statements
while True:

    if selection == '1':
        print('\nexploit id: description\n')
        for exploit in results['matches']:
            print('%s: %s' % (exploit['id'],exploit['description']))

    if selection == '2':
        print('exploit types : remote, webapps, dos, local, shellcode')
        exploit_type = raw_input('enter the type of exploit: ')
        print('\ndisplaying %s exploits\n' % exploit_type)
        for exploit in results['matches']:
            if exploit_type == exploit['type']:
                print('%s: %s' % (exploit['id'],exploit['description']))

    if selection == '3':
        exploit_id = raw_input('\nenter the exploit id to be displayed: ')
        for exploit in results['matches']:
            if exploit_id == str(exploit['id']):
                exploit_file = api.exploitdb.download(exploit['id'])
                print('Filename: %s' % exploit_file['filename'])
                print('Content-type: %s' % exploit_file['content-type'])
                print(exploit_file['data'])

    if selection == '4':
        exploit_id = raw_input('\nenter exploit id: ')
        for exploit in results['matches']:
            if exploit_id == str(exploit['id']):
                exploit_dl = api.exploitdb.download(exploit['id'])
                output = open(exploit_dl['filename'], 'w')
                output.write(exploit_dl['data'])
                output.close()

    if selection == '5':
        new_search = raw_input('enter new search string: ')
        results = api.exploitdb.search(new_search)
        print("Searching................\n")
        print("Search Executed Successfully")
        print("There are %s Exploits Found that relate to %s" % (results['total'],new_search))
        print("See Menu below for options")

    if selection == '6':
        print('Happy Hacking!')
        sys.exit(0)

    menu()

If you are going to use this code, use the link above and wget it, because of the word wrap within my blog posts.

-bostonlink
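The menu logic in the script is tied to a live Shodan session, so it cannot be exercised without a key. As an added example (not code from the post or from the shodan library), the helpers below implement the same options over the result shape the script uses (a dict with 'total' and a 'matches' list whose entries carry 'id', 'type' and 'description'), on constructed sample data. One point is security-relevant for anyone reusing the script: option 4 opens exploit_dl['filename'] exactly as the remote API returned it, so a hostile or buggy response could name a path outside the current directory; safe_output_path() reduces any such name to a plain file name inside the chosen directory and refuses to overwrite existing files.

```python
#!/usr/bin/env python3
"""Offline helpers for the menu options in exploit_db_search.py.

Added example, not code from the post. The sample results are constructed
and are not real exploit-db records."""

import os

# Constructed sample in the shape of api.exploitdb.search() output
SAMPLE_RESULTS = {
    "total": 3,
    "matches": [
        {"id": 101, "type": "webapps", "description": "demo php upload (constructed)"},
        {"id": 102, "type": "remote", "description": "demo ftp service (constructed)"},
        {"id": 103, "type": "webapps", "description": "demo php include (constructed)"},
    ],
}

# The types the script's menu offers
EXPLOIT_TYPES = ("remote", "webapps", "dos", "local", "shellcode")


def list_all(results):
    """Menu option 1: (id, description) pairs for every match."""
    return [(m["id"], m["description"]) for m in results.get("matches", [])]


def filter_by_type(results, exploit_type):
    """Menu option 2: matches of one type; rejects a type the menu does not offer."""
    if exploit_type not in EXPLOIT_TYPES:
        raise ValueError("unknown exploit type: %r" % exploit_type)
    return [m for m in results.get("matches", []) if m.get("type") == exploit_type]


def find_by_id(results, exploit_id):
    """Menu options 3 and 4: the match whose id equals the typed value, or None.
    Compares as strings, as the script does, so '101' and 101 both work."""
    wanted = str(exploit_id).strip()
    for m in results.get("matches", []):
        if str(m.get("id")) == wanted:
            return m
    return None


def safe_output_path(filename, out_dir="."):
    """Reduce an API-supplied filename to a basename inside out_dir.

    Strips directory components (so '../../etc/cron.d/x' becomes 'x'), rejects
    empty, dot-only and dot-prefixed names, and refuses to overwrite a file."""
    base = os.path.basename(filename.replace("\\", "/"))
    if base in ("", ".", "..") or base.startswith("."):
        raise ValueError("unsafe filename from API: %r" % filename)
    path = os.path.join(out_dir, base)
    if os.path.exists(path):
        raise FileExistsError("refusing to overwrite %s" % path)
    return path


def write_exploit(download, out_dir="."):
    """Menu option 4 with the path check; download is the dict the API returns."""
    path = safe_output_path(download["filename"], out_dir)
    data = download["data"]
    mode = "wb" if isinstance(data, bytes) else "w"
    with open(path, mode) as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    print("%d results" % SAMPLE_RESULTS["total"])
    for eid, desc in list_all(SAMPLE_RESULTS):
        print("%s: %s" % (eid, desc))
    print("webapps only:", [m["id"] for m in filter_by_type(SAMPLE_RESULTS, "webapps")])
    print("lookup 102:", find_by_id(SAMPLE_RESULTS, "102"))
```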


Simple time saving dns info script

A simple DNS info script which tells the user the nameservers and MX records and attempts zone transfers against all nameservers. Check it out.
Click here to view and download the script.

#!/usr/bin/python

# a script that uses the host command to lookup various dns information of a target
# coded by: bostonlink

import sys,subprocess
usage = """\ndns_script.py coded by bostonlink @ pentestlabs.org\n
Usage: ./dns_script.py domainname
Example: ./dns_script.py google.com\n"""


if len(sys.argv) != 2:
    print(usage)
    sys.exit(0)

target = sys.argv[1]
print("\n" + "*" * 60)
print("%s nameservers" % sys.argv[1])
print("*" * 60 + "\n")

pro1 = subprocess.Popen(["host","-t","ns",target], stdout=subprocess.PIPE)
ns = pro1.stdout.read()
pro1.wait()
print(ns)

print("\n" + "*" * 60)
print("%s mailservers" % sys.argv[1])
print("*" * 60 + "\n")

pro2 = subprocess.Popen(["host","-t","mx",target], stdout=subprocess.PIPE)
mx = pro2.stdout.read()
pro2.wait()
print(mx)

ns_list = ns.strip().split()
for nameserver in ns_list:
    if nameserver.endswith("."):
        zone_tr = nameserver.rstrip(".")
        print("\n" + "*" * 60)
        print("%s zone transfer against %s" % (sys.argv[1],zone_tr))
        print("*" * 60 + "\n")
        pro3 = subprocess.Popen(["host","-l",target,zone_tr], stdout=subprocess.PIPE)
        ztrans = pro3.stdout.read()
        pro3.wait()
        print(ztrans)
    else:
        continue

print("\nScript completed")

Example:

root@bt:~/my stuff/scripts/python_dev# ./dns_script_2.py google.com

************************************************************
google.com nameservers
************************************************************

google.com name server ns1.google.com.
google.com name server ns2.google.com.
google.com name server ns4.google.com.
google.com name server ns3.google.com.

************************************************************
google.com mailservers
************************************************************

google.com mail is handled by 200 google.com.s9a2.psmtp.com.
google.com mail is handled by 100 google.com.s9a1.psmtp.com.
google.com mail is handled by 300 google.com.s9b1.psmtp.com.
google.com mail is handled by 400 google.com.s9b2.psmtp.com.

************************************************************
google.com zone transfer against ns1.google.com
************************************************************

; Transfer failed.
Using domain server:
Name: ns1.google.com
Address: 216.239.32.10#53
Aliases:

Host google.com.localdomain not found: 5(REFUSED)
; Transfer failed.

************************************************************
google.com zone transfer against ns2.google.com
************************************************************

snip……….

-bostonlink
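The script finds nameservers by splitting the whole `host -t ns` output on whitespace and keeping any token that ends in a dot, which also picks up any other trailing-dot word in an error message. As an added example (not the post's dns_script.py), the functions below parse the actual record lines of the `host` output shown above, and classify the `host -l` result into a verdict a report can use: a REFUSED transfer is the expected, hardened state, while a successful transfer hands out the whole zone and is a finding. The samples are built from the output format in the post; the open-transfer sample is constructed.

```python
#!/usr/bin/env python3
"""Parse `host` output as printed by dns_script.py and classify zone transfer results.

Added example, not the script from the post."""

import re
import subprocess

NS_RE = re.compile(r"^(?P<zone>\S+) name server (?P<ns>\S+)$")
MX_RE = re.compile(r"^(?P<zone>\S+) mail is handled by (?P<prio>\d+) (?P<mx>\S+)$")


def parse_nameservers(host_output):
    """Nameserver host names (trailing dot removed) from `host -t ns` output, in order."""
    out = []
    for line in host_output.splitlines():
        m = NS_RE.match(line.strip())
        if m:
            out.append(m.group("ns").rstrip("."))
    return out


def parse_mx(host_output):
    """(priority, host) pairs from `host -t mx` output, sorted by priority."""
    found = []
    for line in host_output.splitlines():
        m = MX_RE.match(line.strip())
        if m:
            found.append((int(m.group("prio")), m.group("mx").rstrip(".")))
    return sorted(found)


def zone_transfer_status(axfr_output):
    """Classify `host -l zone ns` output as ('refused'|'failed'|'transferred', record_count).

    A transferred zone is reported with the number of record lines the server
    handed out, which is what belongs in the finding."""
    text = axfr_output.strip()
    if "REFUSED" in text:
        return ("refused", 0)
    if "Transfer failed" in text or not text:
        return ("failed", 0)
    records = [l for l in text.splitlines()
               if l and not l.startswith(";") and not l.startswith("Using domain server")]
    return ("transferred", len(records))


def run_host(args):
    """Run the host command with an argument list (no shell) and return its text."""
    proc = subprocess.run(["host"] + list(args), capture_output=True, text=True)
    return proc.stdout + proc.stderr


# Samples in the format the post shows
SAMPLE_NS = """google.com name server ns1.google.com.
google.com name server ns2.google.com.
google.com name server ns4.google.com.
google.com name server ns3.google.com.
"""

SAMPLE_MX = """google.com mail is handled by 200 google.com.s9a2.psmtp.com.
google.com mail is handled by 100 google.com.s9a1.psmtp.com.
"""

SAMPLE_AXFR_REFUSED = """; Transfer failed.
Using domain server:
Name: ns1.google.com
Address: 216.239.32.10#53
Aliases:

Host google.com.localdomain not found: 5(REFUSED)
; Transfer failed.
"""

# Constructed: what a server that allows AXFR would return (records are made up)
SAMPLE_AXFR_OPEN = """example.test name server ns1.example.test.
example.test has address 192.0.2.10
www.example.test has address 192.0.2.20
intranet.example.test has address 192.0.2.30
"""

if __name__ == "__main__":
    print("nameservers:", parse_nameservers(SAMPLE_NS))
    print("mx:", parse_mx(SAMPLE_MX))
    print("refused sample:", zone_transfer_status(SAMPLE_AXFR_REFUSED))
    print("open sample:", zone_transfer_status(SAMPLE_AXFR_OPEN))
```

To wire it to live lookups, replace the samples with `run_host(["-t", "ns", target])`, `run_host(["-t", "mx", target])` and `run_host(["-l", target, ns])` for each parsed nameserver; the argument-list form keeps the target out of any shell.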


Nmap python script – defines targeted ports

To start, I was doing some nmap scans of my own network, of course =), and I was looking for multiple targeted ports on my network.  I got really tired of typing, and even of arrowing up and changing the IP address ranges, while conducting my scans.  So I figured, why not turn this into a Python exercise? I quickly coded a Python script with the targeted ports I was looking for, and I made the IP address range a command-line option, as well as the nmap output file name. This script saves me a lot of time while scanning. See the code below. Click here to view and download the script.

#!/usr/bin/python

# Targeted nmap scan script with 20 targeted ports defined

import subprocess,os,sys

author = "\n./targeted_nmap coded by bostonlink\n"
usage = """./targeted_nmap.py ip file_output_name
example: ./targeted_nmap.py 1.2.3.4 int_pentest\n"""

if len(sys.argv) != 3:
    print(author)
    print("check the arguments - script needs IP range or address and file name defined see usage and example below")
    print(usage)
    sys.exit(0)

# argument list rather than a shell string: the IP range and file name reach nmap
# as single arguments instead of being interpreted by /bin/sh
subprocess.Popen(["nmap", "-sS", "-PN", sys.argv[1],
                  "-p", "T:21-23,25,80,110,135-139,443,445,3389,4444,8080,50000,10000",
                  "--reason", "-oA", sys.argv[2]]).wait()
print("\nNmap scan has finished see output files within the directory you ran this script in")
print("brought to you by: bostonlink - pentest-labs.org\n")

Hope you enjoy!

-bostonlink
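The posted script formats its two command-line arguments into a shell string and runs it with shell=True, so whatever is passed as the IP or output name is interpreted by the shell. As an added example (not the post's targeted_nmap.py), the version below validates the target as an IP address, a CIDR block, an nmap-style last-octet range (10.0.0.1-50) or a hostname, restricts the output name to a plain file name, and hands nmap an argv list so no shell is involved. The port list is the one from the post; the validation rules are this example's own.

```python
#!/usr/bin/env python3
"""Build the targeted nmap command as an argument list with a validated target.

Added example, not the script from the post."""

import ipaddress
import re
import subprocess
import sys

# Port list from targeted_nmap.py
TARGET_PORTS = "T:21-23,25,80,110,135-139,443,445,3389,4444,8080,50000,10000"

HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
                         r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")
OCTET_RANGE_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})-(\d{1,3})$")
OUTNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def is_valid_target(target):
    """True for an IP address, a CIDR block, a last-octet range or a hostname."""
    try:
        ipaddress.ip_network(target, strict=False)   # covers "1.2.3.4" and "10.0.0.0/24"
        return True
    except ValueError:
        pass
    m = OCTET_RANGE_RE.match(target)
    if m:
        a, b, c, lo, hi = (int(x) for x in m.groups())
        return all(0 <= x <= 255 for x in (a, b, c, lo, hi)) and lo <= hi
    return bool(HOSTNAME_RE.match(target))


def is_valid_outname(name):
    """Plain file-name prefix for -oA: no path separators, no shell metacharacters."""
    return bool(OUTNAME_RE.match(name)) and name not in (".", "..")


def build_nmap_command(target, outname, ports=TARGET_PORTS):
    """Return the argv list for the scan, or raise ValueError on bad input."""
    if not is_valid_target(target):
        raise ValueError("target is not an IP, CIDR, range or hostname: %r" % target)
    if not is_valid_outname(outname):
        raise ValueError("output name must be a plain file name: %r" % outname)
    return ["nmap", "-sS", "-PN", target, "-p", ports, "--reason", "-oA", outname]


def main(argv):
    if len(argv) != 3:
        print("usage: %s target output_name" % argv[0])
        return 2
    try:
        cmd = build_nmap_command(argv[1], argv[2])
    except ValueError as exc:
        print(exc)
        return 2
    return subprocess.call(cmd)     # argv list: no shell, no quoting problems


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```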


Quick HTTP Header grabbing script

Just a quick script I came up with when I had to grab the HTTP headers of multiple URLs. The script prints output to the terminal and also writes an output file in the CWD you run the script from. The list of URLs needs to use the full http:// syntax, one URL per line. Click here to view and download the script.

#!/usr/bin/python

# Simple program which opens a file of urls, retrives their headers and prints them to tty and writes to a file

import urllib2
import sys

usage = '''
Port 80 Headers - Multiple site list
Author: bostonlink
Usage:  ./80headers.py url_list
Notes: Use a custom list of urls, each url should be on a new line.
eg:
http://google.com
http://yahoo.com
if there is an empty new line at the end of the file, the script will terminate when the '\\n' newline is passed to it.
'''


if (len(sys.argv)!=2):
    print(usage)
    sys.exit(0)

usrfile = open(sys.argv[1], 'r')
outfile = open('output.txt', 'w')
outfile.close()

urls = usrfile.readlines()

for url in urls:
    if url == '\n':
        break
    else:
        url = url.rstrip()   # rstrip() returns the stripped string; the result must be kept
        header = urllib2.urlopen(url).info()
        print('=' * 60)
        print(url)
        print('-' * 60)
        print(header)
        print('=' * 60)
        print('')
        f = open('output.txt', 'a')
        f.write(('=' * 60) + '\n' )
        f.write(url)
        f.write(('-' * 60) + '\n')
        f.write(str(header))
        f.close()

usrfile.close()
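As an added example (not the post's 80headers.py), here is a Python 3 version of the same tool with the behaviour a practitioner would want from a header sweep: blank lines are skipped instead of ending the run, https URLs are accepted, one unreachable URL does not abort the rest, and each site's headers are followed by short review notes flagging information-disclosing headers (Server, X-Powered-By) and missing protective ones. The header names checked are this example's choice, and the sample header set is constructed.

```python
#!/usr/bin/env python3
"""Header grabber: read a URL list, fetch each site's response headers, and note
the headers that matter for a quick security review.

Added example, not the 80headers.py script from the post."""

import sys
import urllib.error
import urllib.request

SECURITY_HEADERS = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-Frame-Options",
)
LEAKY_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version")


def parse_url_list(text):
    """URLs from the list file, one per line; blank lines and '#' comments are skipped.
    Returns (accepted, rejected): only http:// and https:// entries are accepted."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(("http://", "https://")):
            accepted.append(line)
        else:
            rejected.append(line)
    return accepted, rejected


def summarize_headers(headers):
    """Review notes for one response's headers (a dict; key comparison is case-insensitive)."""
    lower = {k.lower(): v for k, v in headers.items()}
    notes = []
    for h in LEAKY_HEADERS:
        if h.lower() in lower:
            notes.append("discloses %s: %s" % (h, lower[h.lower()]))
    for h in SECURITY_HEADERS:
        if h.lower() not in lower:
            notes.append("missing %s" % h)
    return notes


def fetch_headers(url, timeout=10):
    """Response headers for url as a dict; HTTP error responses still yield their headers."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "header-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())


def format_report(url, headers):
    """The block 80headers.py prints for each URL, plus the review notes."""
    lines = ["=" * 60, url, "-" * 60]
    lines += ["%s: %s" % kv for kv in headers.items()]
    lines += ["-" * 60] + (summarize_headers(headers) or ["no findings"]) + ["=" * 60]
    return "\n".join(lines)


# Constructed sample: the kind of header set an unhardened site might return
SAMPLE_HEADERS = {
    "Date": "Mon, 01 Jan 2024 00:00:00 GMT",
    "Server": "Apache/2.2.3 (constructed)",
    "X-Powered-By": "PHP/5.2.17 (constructed)",
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",
}

SAMPLE_LIST = "http://pentest-labs.org\n\n# comment\nhttps://example.com/\nyahoo.com\n"

if __name__ == "__main__":
    if len(sys.argv) == 2:
        with open(sys.argv[1]) as fh:
            urls, bad = parse_url_list(fh.read())
        for u in bad:
            print("skipping (no http:// or https:// scheme): %s" % u)
        with open("output.txt", "w") as out:
            for u in urls:
                try:
                    report = format_report(u, fetch_headers(u))
                except (urllib.error.URLError, OSError) as exc:
                    report = "%s\n%s\nerror: %s\n%s" % ("=" * 60, u, exc, "=" * 60)
                print(report)
                out.write(report + "\n")
    else:
        print(format_report("http://pentest-labs.org", SAMPLE_HEADERS))
```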

Defcon 18 == Awesomeness

I just returned from Las Vegas and Defcon 18.  The conference this year was awesome; I reconnected with people I met last year and met a lot of new attendees.  I always love meeting new people who have a passion for hacking and information security.  Here are some pictures; not the greatest, but I was there to learn and have fun, not to be a photographer.

Riviera Small Suite Upgrade - 10th floor

My Defcon 18 Badge

Back of my badge

Outside of the Riviera Hotel and Casino

Wall Of Sheep

Oh can you say unlocked badge

Track 5

Well, it was great: all the speakers and talks, seeing the social-engineer.org CTF contest live, and making some new friends.  I also came home with money in my pocket, not from gambling but from not gambling =). See you on the flip side, or next year at Defcon 19.
