zitstif.no-ip.org is back up!

by on Jun.06, 2010, under Code, Posts

After having some down time, which started on May 29th, I scrambled around to find a quick solution to the problem.

The problem came to light a few nights prior to May 29th, when I noticed that my web server was not responding correctly and I could not log into it whatsoever.

So I had to physically get on my server, where I noticed a bunch of read errors; the first thought that came to mind was “Bad hard drive!”.

With that in mind, I backed up my server contents as needed, booted my server off of a USB drive which contained a live Linux distro, and used:

python -m SimpleHTTPServer 80

to host a simple page displaying what had happened.

At a later time I then realized that I had a spare 10 GB hard drive in my basement and that is what the server is currently running on. Hopefully it lasts for quite some time…

My goal with my server is to top out its specs (max out the memory and hard drive capacity) and run some virtual hosts on it.

For those of you who are fans (I sincerely doubt there are any, but I can hope!), zitstif.no-ip.org is back up!


Bruteforcing subdomain names with John the ripper

by on May.24, 2010, under Code, Posts

A key phase in penetration testing is reconnaissance. Without reconnaissance, pentesters would essentially be blind.

Pentesters have a myriad of tools to help them with the recon phase.

When hunting down hosts that belong to an organization, dnsmap is a wonderful tool for finding subdomains.

After doing some experimenting with this tool, I stumbled upon a limitation. Dnsmap does not have the capability to read keywords from stdin for the subdomain bruteforcing; it requires a word list. Well, what if I want to use John the Ripper?

So, I pondered to myself, “What’s wrong with just ‘host’ and ‘john’ in tandem to bruteforce subdomains?”. Well my friends, here’s an example:

john --incremental --stdout | while read -r words;
   do host "${words}.google.com" &> /dev/null;
      if [ $? -eq 0 ];
          then echo "${words}.google.com";
      fi;
   done

Of course you could change this accordingly, but here it is as a function; you could even add it to your .bashrc file.

function dnsbrute {
 if [ ${#} -lt 1 ];
   then
      echo "I need a domain name...";
      return 1;
 fi
 # -r keeps read from mangling backslashes; quoting keeps odd candidates from being word-split
 john --incremental --stdout | while read -r words;
   do host "${words}.${1}" &> /dev/null;
     if [ $? -eq 0 ];
        then echo "${words}.${1}";
     fi;
   done
 return 0;
}
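From the other side of the wire, the john | host loop above has a very recognisable shape in resolver or authoritative-server logs: one client asking for many distinct labels under the same parent domain in a short time, almost all of them answered NXDOMAIN. The script below is an added example (not code from this post or from dnsmap/John the Ripper) that flags that pattern. It reads a constructed, simplified log format of "epoch client qname rcode" per line; real BIND or Unbound query logs would need their own parser, and the thresholds (8 names, 80% NXDOMAIN, 300 s window) are assumptions to tune for your own traffic.

```python
"""Flag DNS clients whose query pattern looks like subdomain brute-forcing.

Added example, not code from the blog post. Log format is constructed:
    <epoch seconds> <client ip> <qname> <rcode>
"""
from collections import defaultdict

# Constructed sample: 203.0.113.7 walks short generated labels under
# example.com (mostly NXDOMAIN); 203.0.113.9 is ordinary traffic.
SAMPLE_LOG = """\
1275000001 203.0.113.7 www.example.com NOERROR
1275000002 203.0.113.7 aa.example.com NXDOMAIN
1275000003 203.0.113.7 ab.example.com NXDOMAIN
1275000004 203.0.113.7 ac.example.com NXDOMAIN
1275000005 203.0.113.7 ad.example.com NXDOMAIN
1275000006 203.0.113.7 ae.example.com NXDOMAIN
1275000007 203.0.113.7 af.example.com NXDOMAIN
1275000008 203.0.113.7 ag.example.com NXDOMAIN
1275000009 203.0.113.7 ah.example.com NXDOMAIN
1275000010 203.0.113.7 ai.example.com NXDOMAIN
1275000003 203.0.113.9 www.example.com NOERROR
1275000011 203.0.113.9 mail.example.com NOERROR
1275000020 203.0.113.9 example.com NOERROR
"""


def parent_domain(qname, depth=2):
    """Last `depth` labels of a name: 'www.Example.com.' -> 'example.com'."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-depth:])


def parse_log(text):
    """Yield (ts, client, qname, rcode); blank or malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, rcode = parts
        yield int(ts), client, qname.lower(), rcode.upper()


def find_bruteforcers(text, min_names=8, min_nx_ratio=0.8, window=300):
    """Return {(client, parent): stats} for every suspicious pair.

    A pair is flagged when some `window`-second span holds at least
    `min_names` distinct names under `parent` from that client and at
    least `min_nx_ratio` of the queries in the span came back NXDOMAIN.
    The stats reported are from the span with the most distinct names.
    """
    buckets = defaultdict(list)
    for ts, client, qname, rcode in parse_log(text):
        buckets[(client, parent_domain(qname))].append((ts, qname, rcode))

    flagged = {}
    for key, events in buckets.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):
            # slide the window start forward until the span fits in `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            names = {q for _, q, _ in span}
            nx = sum(1 for _, _, r in span if r == "NXDOMAIN")
            ratio = nx / len(span)
            if len(names) >= min_names and ratio >= min_nx_ratio:
                if best is None or (len(names), ratio) > best:
                    best = (len(names), ratio)
        if best:
            flagged[key] = {"distinct_names": best[0],
                            "nxdomain_ratio": round(best[1], 2)}
    return flagged


if __name__ == "__main__":
    for (client, parent), stats in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{client} -> *.{parent}: {stats}")
```

On the authoritative side the same logic works with the client column replaced by the recursive resolver's address; the ratio threshold matters more there, since a single legitimate resolver serves many users. Wildcard zones defeat this check (every name resolves), which is also why they blunt the brute-force itself.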

More to come as usual..

(I’m still dragging my feet on ettersploit.. 🙂 )


Passively finding MDNS names (.local)

by on May.16, 2010, under Code, Posts

Just a quickie:

If you’re in a local area network and you’re trying to do some passive information gathering using a sniffer, here is a great way to find .local host names:

tcpdump -i wlan0 -vv -l 2>&1 | egrep '\.local'

What’s beautiful about this method is you can usually find people’s full names, especially if they’re using Apple devices. Along with that, you’re not probing or alerting the targets.

Also, if you’re not quite in range of a Wi-Fi access point and can barely see the AP, you can use this method while trying to connect (which makes it a little less passive), but I’ve discovered iPhone device names via this method.
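The names tcpdump prints come from mDNS (DNS wire format multicast to UDP 5353), and the same parsing a sniffer does is what a defender needs to inventory what their own devices are announcing. The block below is an added example, not code from this post or from tcpdump: a small RFC 1035 name decoder that follows compression pointers safely (backwards only, so a looping packet is rejected rather than hanging), plus a function that collects every .local name from the question and resource-record sections, including PTR/CNAME/SRV targets where the service-instance names live. The packet it parses is constructed inline to look like a typical Apple device announcement; "Johns-iPhone" and the addresses are made up.

```python
"""Extract .local names from an mDNS message. Added example, not from the post."""
import struct


def read_name(pkt, offset):
    """Decode the DNS name at `offset` (RFC 1035 s4.1.4 wire format).

    Compression pointers are followed only backwards, so a forward or
    self-referencing pointer raises ValueError instead of looping forever.
    Returns (name, offset just past the name in the original stream).
    """
    labels, end = [], None
    while True:
        if offset >= len(pkt):
            raise ValueError("name runs past end of packet")
        length = pkt[offset]
        if length >= 0xC0:                          # two-byte compression pointer
            if offset + 1 >= len(pkt):
                raise ValueError("truncated pointer")
            pointer = ((length & 0x3F) << 8) | pkt[offset + 1]
            if pointer >= offset:
                raise ValueError("forward/looping pointer at %d" % offset)
            if end is None:                         # first jump fixes where the name ends
                end = offset + 2
            offset = pointer
            continue
        if length > 63:                             # 0x40/0x80 prefixes are reserved
            raise ValueError("bad label length %d" % length)
        offset += 1
        if length == 0:
            break
        if offset + length > len(pkt):
            raise ValueError("truncated label")
        labels.append(pkt[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def mdns_names(pkt):
    """Set of .local names in a DNS/mDNS message: owner names of all sections
    plus the target names carried in PTR, CNAME and SRV rdata."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    names, off = set(), 12
    for _ in range(qd):
        name, off = read_name(pkt, off)
        names.add(name)
        off += 4                                    # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        name, off = read_name(pkt, off)
        names.add(name)
        if off + 10 > len(pkt):
            raise ValueError("truncated resource record")
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if off + rdlen > len(pkt):
            raise ValueError("truncated rdata")
        if rtype in (5, 12):                        # CNAME / PTR: rdata is a name
            names.add(read_name(pkt, off)[0])
        elif rtype == 33:                           # SRV: prio, weight, port, then target
            names.add(read_name(pkt, off + 6)[0])
        off += rdlen
    return {n for n in names if n.lower().endswith(".local")}


def is_well_formed(pkt):
    """True when the message parses; False on any structural error."""
    try:
        mdns_names(pkt)
        return True
    except (ValueError, struct.error):
        return False


def _label(s):
    return bytes([len(s)]) + s.encode("ascii")


# Constructed sample: an mDNS response with an A record for Johns-iPhone.local
# and a PTR record advertising an _http._tcp service on it. Offsets: owner
# name 1 starts at 12 ("local" label at 25), owner name 2 starts at 46.
SAMPLE_MDNS = (
    struct.pack("!HHHHHH", 0, 0x8400, 0, 2, 0, 0)              # header: response, 2 answers
    + _label("Johns-iPhone") + _label("local") + b"\x00"         # Johns-iPhone.local
    + struct.pack("!HHIH", 1, 0x8001, 120, 4) + bytes([192, 168, 1, 20])   # A, cache-flush|IN
    + _label("_http") + _label("_tcp") + b"\xc0\x19"            # _http._tcp + pointer -> "local"
    + struct.pack("!HHIH", 12, 1, 4500, 15)                      # PTR, IN
    + _label("Johns-iPhone") + b"\xc0\x2e"                       # Johns-iPhone + pointer -> _http._tcp.local
)

# Constructed malformed packet: the only name is a pointer to itself.
LOOPING_PACKET = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0) + b"\xc0\x0c"

if __name__ == "__main__":
    for name in sorted(mdns_names(SAMPLE_MDNS)):
        print(name)
```

Feeding real traffic in means reading UDP 5353 payloads (for example from a pcap with the standard library's socket/struct or any pcap reader) and calling mdns_names on each; a periodic inventory of what comes back is an easy way to spot hostnames that carry an employee's full name before someone else does.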

And now…. back to the books. 🙂

PS: I’m going to set aside time this week to put more effort into ettersploit.


Kismet: passively sniffing wireless network traffic

by on May.06, 2010, under Code, Posts

The threat of information leakage via unencrypted wireless networks is quite real and needs to be taken into consideration, especially if you’re an organization that handles sensitive information.

Today I’ll be covering a simple demonstration involving three hosts:

Host A (Attacker)
Host B (Client)
Host C (Server)

Host A will be running Kismet and will not be connected to the network. The network will only have MAC filtering deployed (no encryption). Hosts B and C will be wireless clients on the network, running netcat loops that simply send a string over the network.

Host B will be running this:

while true; do echo "CAPTURE THIS WHILE NOT CONNECTED" | nc -w2 hostC 8080; done

Host C will be running this:

while true; do nc -l -s hostCIP -p 8080 -vv; done

Host A, the attacker, will simply be within close range of the network and will name the Kismet log files by running:

kismet -t capture-test

Once kismet has started to run, make sure to use ‘L’ to lock onto the channel that the wireless network is on. With this done, wait a few minutes and you should have captured the test string.

To view your captured information, you need to view the contents of the dump files, which are located in /var/log/kismet.

Once you’ve located the dump file, what worked for me was using egrep to look for the captured string:

egrep -a 'CAPTURE THIS' capture-test*.dump

This may ‘bork’ your terminal (just run reset), but you should see the captured text.

This simple demo shows how real a threat passive wireless sniffing devices are. If you’re curious, I actually used my Nokia N810 as the attacker. 🙂
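The egrep step works only because both the link (MAC filtering, no WPA) and the application (plain netcat) put the string on the air in the clear. The block below is an added example, not code from this post or from Kismet, that makes the same check reproducible without a radio: it scores a captured payload by Shannon entropy and printable-ASCII ratio, searches it for the demo string the way the egrep did, and contrasts the cleartext capture with the same payload under a keystream cipher. The cipher is a toy HMAC-SHA256 counter-mode keystream standing in for what WPA2 or TLS would put on the air (it demonstrates the contrast, it is not a cipher to deploy); the frame header bytes, key and nonce are constructed.

```python
"""Is what went over the air readable? Added example, not from the post."""
import hashlib
import hmac
import math
import string

PRINTABLE = set(string.printable.encode())
MARKER = b"CAPTURE THIS WHILE NOT CONNECTED"        # the string from the demo
PAYLOAD = (MARKER + b"\n") * 8                       # the netcat loop sends it repeatedly
FRAME = bytes([0x08, 0x02, 0, 0]) + b"\x00" * 8      # constructed stand-in for frame header bytes
KEY = b"demo-key-not-secret"                         # constructed, demonstration only
NONCE = b"nonce001"


def shannon_entropy(data):
    """Bits per byte; cleartext English sits around 4-5, good ciphertext near 8."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def printable_ratio(data):
    """Fraction of bytes that are printable ASCII (letters, digits, punctuation, whitespace)."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def looks_like_cleartext(data, max_entropy=5.5, min_printable=0.9):
    """Both tests together: low entropy AND almost entirely printable."""
    return shannon_entropy(data) <= max_entropy and printable_ratio(data) >= min_printable


def find_marker(capture, marker=MARKER):
    """Offsets at which `marker` occurs in a raw capture (what the egrep did)."""
    hits, i = [], capture.find(marker)
    while i != -1:
        hits.append(i)
        i = capture.find(marker, i + 1)
    return hits


def toy_keystream_xor(key, nonce, data):
    """XOR `data` with an HMAC-SHA256(key, nonce || counter) keystream.

    Symmetric: applying it twice with the same key and nonce decrypts.
    Toy stand-in for real link or transport encryption; never reuse a nonce.
    """
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream.extend(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Constructed captures: header, payload, then a few trailing bytes.
CLEAR_CAPTURE = FRAME + PAYLOAD + FRAME
ENC_PAYLOAD = toy_keystream_xor(KEY, NONCE, PAYLOAD)
ENC_CAPTURE = FRAME + ENC_PAYLOAD + FRAME


def triage(capture, header_len=len(FRAME), trailer_len=len(FRAME)):
    """Score the payload part of a capture and report whether it reads as cleartext."""
    payload = capture[header_len:len(capture) - trailer_len]
    return {
        "entropy": round(shannon_entropy(payload), 2),
        "printable": round(printable_ratio(payload), 2),
        "cleartext": looks_like_cleartext(payload),
        "marker_hits": len(find_marker(capture)),
    }


if __name__ == "__main__":
    print("unencrypted:", triage(CLEAR_CAPTURE))
    print("encrypted:  ", triage(ENC_CAPTURE))
```

On a real dump the payload boundaries come from the 802.11/IP/TCP headers rather than a fixed offset, but the scoring is the same; running it over the data portion of each frame in /var/log/kismet is a quick way to confirm that a network you own is not leaking the way this demo network does.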

I’ll have more to come as usual… (I’m back in school so I’m going to have less time to work on ettersploit 🙁 )
