Owning Windows 7 - Double hack (physical access required)
Pangolin and your data
Information Gathering: Delicious
Delicious is a social bookmarking service: it keeps your bookmarks in one place, online, and by default makes them visible to everyone.
So let's go with an example. If you know some nicknames your target uses, you can search their Delicious profile directly and read all their public links; for example, my profile:
http://delicious.com/laramies
Remember that users can mark a link as private, but this is where we can get lucky if they forget to save it as private.
Another way of searching Delicious is by the target company's URLs or IPs. In this example I will use just a standard internal IP:
192.168.1.1
And look at the second result:
The root password is in the URL :)
In some cases you can obtain very interesting results.
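The check a practitioner wants after a find like the one above is an automated pass over every bookmark a profile or search returns, flagging URLs that carry credentials either in the userinfo part (user:pass@host) or as a password-like query parameter. The following is an added example written for this page, not a tool from the original post; the bookmark list is constructed and the parameter-name list is an assumption you would extend for your own engagements.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of the kind of bookmarks a public Delicious profile or a
# search on an internal IP can return. These are made-up entries, not real data.
SAMPLE_BOOKMARKS = [
    "http://192.168.1.1/",
    "http://admin:secret@192.168.1.1/setup.cgi",
    "https://root:t0ps3cret@192.168.1.1:8443/",
    "http://example.com/index.php?user=bob&pass=hunter2",
    "http://example.com/page?q=foo%3Abar",
    "ftp://anonymous@ftp.example.com/pub/",
]

# Assumed list of query-parameter names that usually carry a secret.
QUERY_SECRET_KEYS = {"pass", "password", "passwd", "pwd", "secret",
                     "token", "key", "apikey", "api_key"}


def find_credentials(url):
    """Return (kind, detail) for a credential embedded in the URL, or None."""
    parts = urlsplit(url)
    # user:pass@host in the authority section (the "root password in the URL" case)
    if parts.username is not None and parts.password is not None:
        return ("userinfo", "%s:%s@%s" % (parts.username, parts.password, parts.hostname))
    # a bare username still tells you a valid account name for that host
    if parts.username is not None:
        return ("username-only", "%s@%s" % (parts.username, parts.hostname))
    # secrets passed as query parameters, e.g. ?user=bob&pass=hunter2
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in QUERY_SECRET_KEYS and value:
            return ("query", "%s=%s" % (key, value))
    return None


def scan_bookmarks(urls):
    """Run find_credentials over a list of bookmarked URLs, keeping only hits."""
    hits = []
    for url in urls:
        found = find_credentials(url)
        if found is not None:
            hits.append((url, found))
    return hits


if __name__ == "__main__":
    for url, (kind, detail) in scan_bookmarks(SAMPLE_BOOKMARKS):
        print("%-14s %-35s %s" % (kind, detail, url))
```

Feed it the exported links of a profile (or the result URLs of a search) and review the hits by hand; a username-only hit is still worth noting because it confirms an account name on a reachable host.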
-CMM
ProxyStrike Plugins update
Now each plugin is a single file. Here is an example of a plugin that gathers all the email addresses seen in responses passing through the proxy:
import re

class email_detect(AttackPlugin):
    def __init__(self):
        # name is shown in the UI; type="tree" renders results as a tree with the given columns
        AttackPlugin.__init__(self, name="email detect", variableSet=False, iface=True, type="tree", fields=["Url", "Email"])
        # very loose pattern: anything that looks like local@domain, case-insensitive
        self.emailre = re.compile("[a-z0-9_.-]+@[a-z0-9_.-]+", re.I)

    def process(self, req):
        # called once per request/response pair that goes through ProxyStrike
        html = req.response.getContent()
        a = self.emailre.findall(html)
        results = []
        for i in a:
            results.append([i])  # one row per address, matching the "Email" column
        if a:
            self.putRESULTS([req.completeUrl, results])
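To see what process() does without running the proxy, here is a stand-alone version of the same extraction logic. It is an added example for this page, not ProxyStrike code, and the HTML body is constructed to stand in for req.response.getContent(). It also adds three things a practitioner ends up wanting from such a plugin: HTML entities are decoded first so an obfuscated "&#64;" address is still caught, the domain must have a real TLD so "noreply@localhost" is dropped, and asset names like "logo@2x.png" that match the pattern are filtered out.

```python
import re
from html import unescape

# Constructed response body standing in for req.response.getContent();
# not captured from any real site.
SAMPLE_HTML = """
<html><body>
<p>Contact: <a href="mailto:Sales@Example.com">sales@example.com</a></p>
<p>Support: support@example.com, press@example.co.uk</p>
<img src="logo@2x.png"> <span>admin&#64;example.com</span>
<script>var s = "noreply@localhost";</script>
</body></html>
"""

# Same idea as the plugin's regex, but the domain must be dotted and end in a
# 2+ letter TLD, which already removes "noreply@localhost".
EMAIL_RE = re.compile(r"[a-z0-9_.+-]+@[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}", re.I)

# Retina-style asset names ("logo@2x.png") look like addresses; drop by suffix.
ASSET_SUFFIXES = {"png", "jpg", "jpeg", "gif", "svg", "webp", "css", "js"}


def extract_emails(body):
    """Mirror of email_detect.process(): unique addresses, lowercased,
    in first-seen order."""
    seen = []
    for match in EMAIL_RE.findall(unescape(body)):
        email = match.lower()
        if email.rsplit(".", 1)[-1] in ASSET_SUFFIXES:
            continue
        if email not in seen:
            seen.append(email)
    return seen


def plugin_result(url, body):
    """Build the [url, [[email], ...]] structure that putRESULTS receives,
    or None when the page has no addresses (the plugin's 'if a:' check)."""
    emails = extract_emails(body)
    if not emails:
        return None
    return [url, [[e] for e in emails]]


if __name__ == "__main__":
    print(plugin_result("http://example.com/contact", SAMPLE_HTML))
```

Dropping the result into putRESULTS is the only piece that differs inside ProxyStrike; the filtering belongs in the plugin as well, otherwise every page that ships retina images pollutes the results tree.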
You can find more examples inside the plugin folder; just get your copy via subversion: svn checkout http://proxystrike.googlecode.com/svn/trunk/ proxystrike-read-only
More information is in the wiki, and you can follow updates by deepbit in his new blog.
Enjoy
-CMM
Meterpreter Post exploitation - Recap
Meterpreter, short for The Meta-Interpreter, is an advanced payload that is included in the Metasploit Framework. Its purpose is to provide complex and advanced features that would otherwise be tedious to implement purely in assembly. It accomplishes this by allowing developers to write their own extensions in the form of shared object (DLL) files that can be uploaded and injected into a running process on a target computer after exploitation has occurred. Meterpreter and all of the extensions that it loads are executed entirely from memory and never touch the disk, thus allowing them to execute under the radar of standard anti-virus detection.
- cachedump Dump (decrypted) domain hashes from the registry
- hashdump Dump (decrypted) LM and NT hashes from the registry
- hivelist Print list of registry hives
- hivescan Scan for _CMHIVE objects (registry hives)
- lsadump Dump (decrypted) LSA secrets from the registry
- Disable_Audit: Disables auditing by changing the local security policy.
- GetGui: Script for enabling the RDP service on the target host.
- GetTelnet: This script will enable the Telnet service on Win2003 and XP, and will install it on Vista and 2008.
- Memdump: Automation for mdd (memory dumping).
- WinEnum: Script that will gather a large amount of information about the host.
- Scheduleme: Allows task scheduling on the target host. Will run the commands as SYSTEM.
- NetEnum: Performs network enumeration, ping sweeps, reverse DNS lookups, etc.
- Soundrecorder: Allows you to record sound on the target machine :)
- GetCounterMeasure: This script will identify antivirus, HIPS, HIDS, firewalls, etc.
From Oracle to the OS with Metasploit
ProxyStrike v2.0 released!
Great Job from Carlos del Ojo (deepbit) for this new release
-CMM
Security Industry Salary and Certification Survey 2008
Salaries for information security professionals are high. Over 38% of respondents earn US $100,000 or more per year.
41% of the respondents said their organizations use certifications as a factor when determining salary increases.
The overall mean funding for training was US $2,854 per year with a median of US $2,000 per year.
Digital forensics, intrusion detection, and penetration testing are the technical topics respondents are most interested in learning in 2009.
As of late November 2008, just over 79% of respondents forecast no information security personnel reductions in the next 12 months.
Over 25% of respondents plan to deploy the following technologies in 2009:
- Configuration Management
- SIEM (Security Information and Event Management)
- Storage Security
- Wireless Security Solutions
The best places to find an information security position are in the metro areas of Las Vegas, Nevada; Dallas, Texas; and Washington, DC.
A fresh new look into Information Gathering v2
SOURCE BOSTON experience
FIST Conference - Source Boston
Warvox: Wardialing refreshed
One of the great things about the WarVOX model is that once the data has been gathered, it is archived and available for re-analysis as new signatures, plugins, and tools are developed.
This model allows WarVOX to find and classify a wide range of interesting lines, including modems, faxes, voice mail boxes, PBXs, loops, dial tones, IVRs, and forwarders. WarVOX provides the unique ability to classify all telephone lines in a given range, not just those connected to modems, allowing for a comprehensive audit of a telephone system.
Quick tip: Sharing a directory over the web easily
Client Side exploit Delivery - Word files
L0phtCrack is back with L0pht
15 Minutes Penetration test
Google Safe Browsing Diagnostic
- What is the current listing status for [the site in question]? We display the current listing status of a site and also information on how often a site or parts of it were listed in the past.
- What happened when Google visited this site? This section includes information on when we analyzed the page, when it was last malicious, what kind of malware we encountered and so forth. To help webmasters clean up their site, we also provide information about the sites that were serving malicious software to users and which sites might have served as intermediaries.
- Has this site acted as an intermediary resulting in further distribution of malware? Here we provide information if this site has facilitated the distribution of malicious software in the past. This could be an advertising network or statistics site that accidentally participated in the distribution of malicious software.
- Has this site hosted malware? Here we provide information if the site has hosted malicious software in the past. We also provide information on the victim sites that initiated the distribution of malicious software.
FIST Conference Barcelona March 2009
Next March 6th we are holding a new edition of the FIST Conference here in Barcelona; if you want to check the program, you can go here.
Black Hat DC 2009 - Slides
The presentations of the last Black Hat DC conference are available online, here are some interesting talks:
- DNS 2008 and the New (old) Nature of Critical Infrastructure, Dan Kaminsky
- Windows Vista Security Internals, Michael Mukin
- Dissecting web attacks, Val Smith & Colin Ames
Fast-Track - Automated penetration testing suite
Fast-Track is "a compilation of custom developed tools that allow penetration testers the ease of advanced penetration techniques in a relatively easy manner".
Fast-Track has tools for MSSQL server, SQL Injection, Metasploit Autopwn Automation, Mass Client Side attacks, exploits and a Payload generator.
The idea is to provide easy, fast-to-use tools for tasks that would usually take you many steps, or some minor coding on top of existing tools. I liked the integration with Metasploit payloads.
It's like executing scripts and tools combos :)
You can check a video of the SQLPwnage module in action:
Fast-Track SQLPwnage from David Kennedy on Vimeo
Presentation of Fast-Track at ShmooCon 2009, here
Download here
Enjoy
-CMM
CUDA and bruteforcing
"Pyrit is an implementation that allows creating massive databases, pre-computing part of the WPA/WPA2-PSK authentication phase in a space-time tradeoff"
"CUDA is the compute engine in NVIDIA graphics processing units or GPUs, that is accessible to software developers through industry standard programming languages"
The world's fastest cross-platform MD4/MD5/NTLM cracking for Windows/Mac/Linux
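The "space-time tradeoff" in the Pyrit description above is worth seeing in code. The only expensive step of WPA/WPA2-PSK is deriving the PMK with PBKDF2-HMAC-SHA1 (4096 iterations), and that step depends only on the SSID and the passphrase, not on the captured handshake. So the PMKs for a wordlist can be computed once per SSID (on a GPU, in Pyrit's case) and stored; checking a captured four-way handshake against each stored PMK then costs only a PRF-512 expansion and one HMAC. The block below is an added example written for this page, not Pyrit code. The PMK derivation and PRF-512 follow IEEE 802.11i; the MAC addresses, nonces, EAPOL frame body and the "captured" MIC are constructed inline, and the known-answer PMK for passphrase "password" and SSID "IEEE" is the 802.11i Annex H test vector.

```python
import hashlib
import hmac


def wpa_pmk(ssid, passphrase):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).
    This is the step Pyrit precomputes: it depends only on (SSID, passphrase)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def precompute_pmks(ssid, wordlist):
    """The expensive half, done once per SSID and kept (space) to save time later."""
    return {pw: wpa_pmk(ssid, pw) for pw in wordlist}


def prf512(pmk, aa, spa, anonce, snonce):
    """802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(nonces) || max(nonces)).
    Four HMAC-SHA1 calls, versus 8192 for the PMK. Returns KCK|KEK|TK (64 bytes)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck, eapol_zeroed):
    """WPA2 (CCMP) key MIC: HMAC-SHA1 over the EAPOL-Key frame with the MIC
    field zeroed, truncated to 16 bytes."""
    return hmac.new(kck, eapol_zeroed, hashlib.sha1).digest()[:16]


def recover_passphrase(pmk_table, aa, spa, anonce, snonce, eapol_zeroed, captured_mic):
    """The cheap half: per candidate only PRF-512 plus one HMAC, no PBKDF2."""
    for passphrase, pmk in pmk_table.items():
        kck = prf512(pmk, aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_zeroed), captured_mic):
            return passphrase
    return None


# --- Constructed demo handshake (made-up values, not a real capture) ---
SSID = "IEEE"
AA = bytes.fromhex("001122334455")      # AP MAC, made up
SPA = bytes.fromhex("66778899aabb")     # station MAC, made up
ANONCE = bytes(range(32))               # made-up nonces
SNONCE = bytes(range(32, 64))
# placeholder EAPOL-Key frame body with the MIC field already zeroed
EAPOL_ZEROED = b"\x01\x03\x00\x75\x02" + b"\x00" * 112


def constructed_mic(true_passphrase):
    """Stands in for the MIC read from message 2 of a captured 4-way handshake."""
    kck = prf512(wpa_pmk(SSID, true_passphrase), AA, SPA, ANONCE, SNONCE)[:16]
    return eapol_mic(kck, EAPOL_ZEROED)


def demo():
    table = precompute_pmks(SSID, ["letmein", "password", "changeme"])  # the stored part
    return recover_passphrase(table, AA, SPA, ANONCE, SNONCE, EAPOL_ZEROED,
                              constructed_mic("password"))


if __name__ == "__main__":
    print(wpa_pmk("IEEE", "password").hex())
    print(demo())
```

The tradeoff cuts both ways: a PMK table is only reusable for the same SSID, which is why Pyrit keys its databases by ESSID and why a unique SSID plus a long passphrase defeats the precomputation.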
Backtrack 4 is here! - Cuda support
Web Services Security testing
Protecting users from password theft
PCI for dummies
DVL 1.5 - a hacking playground
Web Application vulnerability scanners comparison
Information Gathering III: Yasni and 123people
Information Gathering II : Pipl.com
HITB 2008 videos
Tight Budget, conferences and training
Recession is not a time to pull the cover over and crawl in. It's a time to work harder, work smarter and improve your own development just to maintain your competitiveness.
Information Gathering I : Spokeo
Zerowine: Malware behavior analysis
About Windows passwords, hashes and registry
- hashdump: dump the LanMan and NT hashes from the registry (deobfuscated).
- lsadump: dump the LSA secrets (decrypted) from the registry.
- cachedump: dump any cached domain password hashes from the registry. This will obviously only work if the memory image comes from a machine that was part of a domain.
Top 25 Most dangerous coding errors
- Software buyers will be able to buy much safer software (with a certificate that the code is free of these 25 bugs).
- Programmers will have tools that consistently measure the security of the software they are writing.
- Colleges will be able to teach secure coding more confidently.
- Employers will be able to ensure they have programmers who can write more secure code.