Bruteforcing subdomain names with John the ripper

Reconnaissance is a key phase of any penetration test; without it, pentesters are essentially blind.

Pentesters have a myriad of tools to help them with the recon phase.

When hunting down hosts that belong to an organization, dnsmap is a wonderful tool for finding subdomains.

After some experimenting with this tool, I stumbled upon a limitation: dnsmap cannot read the keywords for subdomain bruteforcing from stdin; it requires a word list. Well, what if I want to use John the Ripper?

So, I pondered to myself, “What’s wrong with just ‘host’ and ‘john’ in tandem to bruteforce subdomains?” Well my friends, here’s an example:

john --incremental --stdout | while read -r words; do
   if host "${words}.google.com" &> /dev/null; then
      echo "${words}.google.com"
   fi
done

Of course you could adapt this as needed; here it is as a function, which you could even add to your .bashrc file.

function dnsbrute {
   if [ ${#} -lt 1 ]; then
      echo "I need a domain name..."
      return 1
   fi
   # note: a zone with a wildcard record answers every lookup, so every word would be "found"
   john --incremental --stdout | while read -r words; do
      if host "${words}.${1}" &> /dev/null; then
         echo "${words}.${1}"
      fi
   done
   return 0
}
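From the other side of the wire, a loop like the one above leaves an obvious trace on the authoritative name server: one client producing a burst of NXDOMAIN answers for names under a single zone. The following is an added example, not code from the original post, that flags such clients in a response log. The log lines are constructed for the demo in a simplified "time client qname rcode" format; the helper names are hypothetical, and you would adapt the awk field numbers to your own server's log layout.

```shell
# Added example, not from the original post. Constructed log format:
#   <timestamp> <client-ip> <queried-name> <rcode>

write_sample_log() {
  # Constructed sample: one ordinary client and one client walking a wordlist
  cat > "$1" <<'EOF'
2016-01-01T10:00:00Z 198.51.100.7 www.example.com NOERROR
2016-01-01T10:00:01Z 203.0.113.5 www.example.com NOERROR
2016-01-01T10:00:01Z 203.0.113.5 aaa.example.com NXDOMAIN
2016-01-01T10:00:01Z 203.0.113.5 aab.example.com NXDOMAIN
2016-01-01T10:00:02Z 203.0.113.5 aac.example.com NXDOMAIN
2016-01-01T10:00:02Z 203.0.113.5 aad.example.com NXDOMAIN
2016-01-01T10:00:02Z 203.0.113.5 aae.example.com NXDOMAIN
2016-01-01T10:00:03Z 203.0.113.5 aaf.example.com NXDOMAIN
2016-01-01T10:00:05Z 198.51.100.7 wwww.example.com NXDOMAIN
EOF
}

# usage: nxdomain_bursts LOGFILE [THRESHOLD]
# prints "<client> <zone> <nxdomain-count>" for every client/zone pair at or above THRESHOLD
nxdomain_bursts() {
  local log="$1" threshold="${2:-20}"
  awk -v t="$threshold" '
    $4 == "NXDOMAIN" {
      # zone = last two labels of the queried name (good enough for the demo;
      # real zones may have more labels, e.g. example.co.uk)
      n = split($3, l, ".")
      zone = l[n-1] "." l[n]
      count[$2 " " zone]++
    }
    END {
      for (k in count) if (count[k] >= t) print k, count[k]
    }' "$log" | LC_ALL=C sort
}

# stand-alone demo run
demo_log="$(mktemp)"
write_sample_log "$demo_log"
nxdomain_bursts "$demo_log" 5
rm -f "$demo_log"
```

The threshold is the whole tuning problem: a single typo from a legitimate client (the `wwww.example.com` line) must stay under it, while a wordlist walk of even a few hundred names should not. Pick it from a baseline of your own NXDOMAIN rate per client rather than from a guess.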

More to come as usual..

(I’m still dragging my feet on ettersploit.. 🙂 )

Passively finding MDNS names (.local)

Just a quickie:

If you’re in a local area network and you’re trying to do some passive information gathering using a sniffer, here is a great way to find .local host names:

tcpdump -l -i wlan0 -vv 2>&1 | egrep '\.local'

What’s beautiful about this method is that you can usually find people’s full names, especially if they’re using Apple devices. On top of that, you’re not probing or alerting the targets.

Also, if you’re at the edge of a wifi access point’s range and can barely see the AP, you can use this method while trying to connect (which makes it a little less passive), but I’ve discovered iPhone device names this way.
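If you run the network rather than sniff it, the same output tells you what your own LAN is leaking. Here is an added example, not code from the original post, that turns a saved tcpdump capture into an inventory of advertised .local names per source address and flags the ones that follow the default Apple naming pattern (a person's name plus a device type), which is what the post is describing. The capture lines are constructed for the demo in the one-line shape plain tcpdump prints for mDNS; the function names are hypothetical.

```shell
# Added example, not from the original post.

write_sample_capture() {
  # Constructed sample of tcpdump-style mDNS lines (one record per line)
  cat > "$1" <<'EOF'
12:00:01.000000 IP 192.168.1.23.5353 > 224.0.0.251.5353: 0*- [0q] 1/0/0 Johns-iPhone.local. A 192.168.1.23 (58)
12:00:01.500000 IP 192.168.1.23.5353 > 224.0.0.251.5353: 0*- [0q] 1/0/0 _companion-link._tcp.local. PTR Johns-iPhone._companion-link._tcp.local. (90)
12:00:02.000000 IP 192.168.1.40.5353 > 224.0.0.251.5353: 0*- [0q] 1/0/0 printer-3f2a.local. A 192.168.1.40 (55)
12:00:03.000000 IP 192.168.1.23.5353 > 224.0.0.251.5353: 0*- [0q] 1/0/0 Johns-iPhone.local. A 192.168.1.23 (58)
12:00:04.000000 IP 192.168.1.9.5353 > 224.0.0.251.5353: 0 [1q] PTR (QM)? _ipp._tcp.local. (35)
EOF
}

# usage: mdns_names CAPTUREFILE
# prints unique "<source-ip> <name>" pairs; names that look like "<Name>-<Apple device>"
# get a trailing "personal-name?" marker
mdns_names() {
  awk '
    /\.local/ {
      src = $3; sub(/\.[0-9]+$/, "", src)          # drop the UDP port from the source address
      for (i = 4; i <= NF; i++) {
        tok = $i; sub(/[.,]+$/, "", tok)            # strip trailing "." or ","
        if (tok !~ /\.local$/ || tok ~ /^_/) continue   # keep host/instance names, skip service types
        key = src " " tok
        if (key in seen) continue
        seen[key] = 1
        flag = (tok ~ /-(iPhone|iPad|MacBook|iMac)/) ? " personal-name?" : ""
        print key flag
      }
    }' "$1" | LC_ALL=C sort
}

# stand-alone demo run (for a live capture: tcpdump -l -i wlan0 udp port 5353 > capture.txt)
demo_cap="$(mktemp)"
write_sample_capture "$demo_cap"
mdns_names "$demo_cap"
rm -f "$demo_cap"
```

Anything flagged here is a device whose owner's name is being broadcast to everyone within radio range; the fix is on the device (rename it) or on the network (stop mDNS from crossing segments you do not trust), not in the sniffer.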

And now… back to the books. 🙂

PS: I’m going to set aside time this week to put more effort into ettersploit.

Eavesdropping on bluetooth headsets with carwhisperer

The official tool is available here:

http://trifinite.org/trifinite_stuff_carwhisperer.html

It has also been ported to the Nokia N810:

http://talk.maemo.org/showthread.php?t=20780

I’ve downloaded it and installed it on my Nokia N810, but haven’t had a chance to test it since I don’t own any bluetooth headsets.

More to come as usual..

#Update 11/17/2015

It appears that video no longer works; this should suffice:

Video: Eavesdropping on Bluetooth Headsets by DelwinWood

#Thanks Patryk

Anti-virus FAIL

Securityemo writes “The Register is running an article about a new method to bypass antivirus software, discovered by Matousec. By sending benign code to the antivirus driver hooks, and switching it out for malicious code at the last moment, the antivirus can be completely bypassed. This attack is apparently much more reliable on multi-core systems. Here’s the original research paper.” El Reg notes that “The technique works even when Windows is running under an account with limited privileges,” but “it requires a large amount of code to be loaded onto the targeted machine, making it impractical for shellcode-based attacks or attacks that rely on speed and stealth. It can also be carried out only when an attacker already has the ability to run a binary on the targeted PC.”

http://tech.slashdot.org/story/10/05/09/1343239/Critical-Flaw-Found-In-Virtually-All-AV-Software

If you’re a techie, you have to love /. 🙂

Kismet: passively sniffing wireless network traffic

The threat of information leakage via unencrypted wireless networks is quite real and needs to be taken into consideration, especially if you’re an organization that handles sensitive information.

Today I’ll cover a simple demonstration involving three hosts:

Host A (Attacker)
Host B (Client)
Host C (Server)

Host A will be running Kismet and will not be connected to the network. The network has only MAC filtering deployed, no encryption. Hosts B and C will be wireless clients on the network, running netcat loops that simply send a string over the network.

Host B will be running this:

while true; do echo "CAPTURE THIS WHILE NOT CONNECTED" | nc -w2 hostC 8080; done

Host C will be running this:

while true; do nc -l -s hostCIP -p 8080 -vv; done

Host A, the attacker, simply needs to be within range of the network. Start Kismet and give its log files a name with:

kismet -t capture-test

Once Kismet is running, press ‘L’ to lock onto the channel the wireless network is on. Then wait a few minutes and you should have captured the test string.

To view your captured information, you need to look at the contents of the dump files, which are located in /var/log/kismet.

Once you’ve located the dump file, what worked for me was using egrep to look for the captured string.

# -a treats the binary dump as text so the matching line is printed rather than "Binary file matches"
egrep -a 'CAPTURE THIS' capture-test*.dump

This may ‘bork’ your terminal (just run reset to fix it), but you should see the captured text.
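The demo shows that MAC filtering does nothing for confidentiality; the control that actually defeats a sniffer is encryption of the data itself, above the link layer. As an added example, not code from the original post, here is the same netcat exchange with the test string encrypted on Host B before it reaches the radio and decrypted on Host C, plus a check of what a sniffer would see on the wire. The helper names and key-file location are hypothetical; it requires openssl 1.1.1 or newer for `-pbkdf2`.

```shell
# Added example, not from the original post.
# Assumption: a secret in $KEYFILE has been copied to hosts B and C out of band.
KEYFILE="${KEYFILE:-$HOME/.demo-psk}"

make_demo_key() {
  # 256-bit random secret, hex-encoded, readable by the owner only
  ( umask 077; openssl rand -hex 32 > "$KEYFILE" )
}

encrypt_msg() {
  # stdin: plaintext -> stdout: one line of base64 (AES-256-CBC, fresh random salt, PBKDF2 key derivation)
  openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$KEYFILE" -a -A
}

decrypt_msg() {
  # stdin: one line of base64 from encrypt_msg -> stdout: plaintext
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$KEYFILE" -a -A
}

# usage: leaks_plaintext WIRE_BYTES_BASE64 PLAINTEXT
# returns 0 if the bytes a sniffer would capture still contain PLAINTEXT, 1 otherwise
leaks_plaintext() {
  local wire="$1" plaintext="$2" decoded
  decoded="$(printf '%s' "$wire" | openssl base64 -d -A | tr -d '\0')"
  case "$decoded" in
    *"$plaintext"*) return 0 ;;
    *)              return 1 ;;
  esac
}

# Host B (sender), replacing the plaintext loop from the post:
#   while true; do echo "CAPTURE THIS WHILE NOT CONNECTED" | encrypt_msg | nc -w2 hostC 8080; done
# Host C (receiver):
#   while true; do nc -l -p 8080 | decrypt_msg; echo; done
# A Kismet dump of this traffic then contains "Salted__" plus random-looking bytes and no test string.
```

This gives confidentiality only: `openssl enc` offers no authenticated mode, so a captured message could be tampered with undetected. For anything beyond a demo, put the connection under TLS (which authenticates as well as encrypts) rather than hand-rolling a channel like this.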

This simple demo shows how real a threat passive wireless sniffing devices are. If you’re curious, I actually used my Nokia N810 as the attacker. 🙂

I’ll have more to come as usual… (I’m back in school so I’m going to have less time to work on ettersploit 🙁 )