Thursday, September 27, 2012

Be Safe...well at least try

I wanted to do this post after I saw a video on the Internet. The video shows just how much information there is about an individual and how it can be used. It reminds me of my very first post and the article I wanted to write. I wanted to explain that the threat of computer hacking is real and you should protect yourself "THE BEST YOU CAN". I understand it can be daunting, but to completely ignore the threats is foolish. You cannot just put your head in the sand. I try to tell people that you should try your best to protect yourself. The first thing that is asked is, how do I do that? Well, to begin, realize that you can guard your laptop/computer/yourself like Fort Knox and still get hacked. People will relax their protection, like leaving their laptop unlocked/unguarded or executing the wrong file. It is what it is. However, you still want to make it as hard as you possibly can. I made a list of do's and don'ts from my experiences and articles on the Internet.

1. Create safe passwords which have significant length and are not from the dictionary.
2. Do not reuse passwords.
3. Limit whatever information you can on the Internet (Facebook, Twitter, MySpace, Google+, LinkedIn, Flickr, Instagram, etc.).
4. Update/patch your OS, antivirus and software applications as often as possible. (Come on, patch MS08-067.)
5. Keep your firewall on, especially when you have your computer on someone else's network.
6. Check your URLs! Ensure that the website you are logging into begins with "HTTPS://" (SSL)!!
7. In addition, if you have the "HTTPS://" connection but it is showing an untrusted certificate warning, do not log into the site without getting confirmation that it is safe to use.
8. Do not download/execute files from untrusted websites!
9. Do not open emails from unknown sources and DO NOT execute any files in the emails.
10. Lastly, make sure you have a strong, complex password on your home wireless network if you are using a pre-shared key, and use the WPA2 encryption level.
11. MAKE SURE YOUR KIDS READ 1-10. Just saying.

If you still believe it never happens or never affects anyone, ask TJ Maxx: 45 million credit cards and about 2 million dollars. Or ask Barry Covert, who had federal agents pointing guns at him in his own house. It was all due to weak wireless practices. You can believe that it rarely happens, but is it worth it not to protect yourself as best you can?

I do not want this to seem like a rant or FUD, but I just want to show what has happened once vulnerabilities have been exploited. I am just hoping that this post can help someone avoid the threats that are out there.

CREDIT:

http://www.wikihow.com/Be-Safe-on-the-Internet
http://www.stuff.co.nz/technology/digital-living/4927236/Wrongly-accused-of-porn-after-wifi-hacked
http://o.seattletimes.nwsource.com/html/nationworld/2014867387_wifi25.html
http://arstechnica.com/tech-policy/2011/04/fbi-child-porn-raid-a-strong-argument-for-locking-down-wifi-networks/
http://www.schneier.com/blog/archives/2011/04/security_risks_7.html
http://news.cnet.com/8301-13578_3-20001207-38.html

Monday, September 24, 2012

Education: HackingDojo

It has been a while since my last post, as usual. I have been working on getting my CCNA, but I am dealing with so many vendors/projects/work that I may have to do that at the end of the year. It has been a good journey since I set up the CCNA hardware. Next, I took the VMware ESXi course, which was a fun experience. I saw the benefit of Storage vMotion, which is awesome when you want to clean up the virtual machines that are on the local disk of your ESX/ESXi servers. However, you have to have the full license (ENTERPRISE) in order to use it. Very expensive in my opinion, but it is worth it. VMware is a great company even though they have little Linux (Workstation) support.

Next, I signed up for the HackingDojo by Thomas Wilhelm. You can sign up for 150 dollars a month. I think they have added a subscription where you can pay about 1000-1200 dollars for a lifetime subscription. I subscribed for two months to keep myself sharp on my offensive skills. I really liked the course and I think, given enough time, it will be one of the best courses out there. A little rundown of the course: there are 6 levels that you must reach. You can start wherever you would like, but I started at the Shodan level, which is basically the 2nd level. In order to advance to the next level you must pass an exam. You are given about 48 hours to pass the exam. You can schedule an attempt for the next level at any time. However, I would suggest (and so would Thomas) that you look at the videos and read the forums to learn the lessons of the current level. In addition to the videos, you are able to Skype with a teacher who is highly qualified, so he/she can answer questions and further explain any lessons you have trouble with. Also, they would answer any personal questions you had, such as career questions and suggestions. Very helpful in my opinion. I already had a lot of experience in a lot of the topics since I have already passed the OSCP, OSCE and GPEN courses. However, the topic of password attacking (local and remote) was definitely an eye opener. I thought I had a grasp; however, as usual, there are more aspects to learn. It was actually stated on one of my favorite sites, EthicalHacker.net. The URL is "http://www.ethicalhacker.net/content/view/341/2/". The short of it is that when you have hashed passwords that you want to crack, you have to take into account that you may be dealing with a password that was encoded in base64 instead of Unicode before it was hashed.

It seems that you run into that situation when you have passwords with special characters, since they are based on words from different countries (Japan, Germany, France, China, Africa, etc.). The special characters may sometimes be changed to a base64 substitution and then hashed into SHA-1 or SHA384, SHA512, MD5, DES, 3DES, etc. There is no way to tell whether base64 or Unicode was used before hashing, so you have to try both. Of course, Thomas has his students do homework assignments. He gave a list of hashes to break and gave hints about the password origins, such as Germany or Africa. I struggled for a while until I set up a couple of scripts that converted wordlists I found on the Internet.

Wordlists:
http://www.cotse.com/tools/wordlists1.htm
http://www.cotse.com/tools/wordlists2.htm
http://g0tmi1k.blogspot.gr/2011/06/dictionaries-wordlists.html?m=1
http://www.skullsecurity.org/wiki/index.php/Passwords
http://www.dicts.info/uddl.php
http://www.isdpodcast.com/resources/62k-common-passwords/
http://packetstormsecurity.org/Crackers/wordlists/

There are more wordlists on the Internet, of course, but I just wanted to list a few URLs as examples. Once you have collected relevant wordlists, you need to convert the words with special characters to UNICODE and BASE64. Depending on the length of your wordlists, it will usually take a while. Once that is done, you have to use the new "converted" wordlists against the given hashes. You can use JTR [John the Ripper (http://www.openwall.com/john/)] or even use your own code to test against the hashes. In addition, to help with the wordlists, you can use programs such as cewl (http://www.digininja.org/projects/cewl.php) and rsmangler (http://www.digininja.org/projects/rsmangler.php). I had the most success using the "cewl" tool. It was very effective for me, but I invite you to check it out for yourself.
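As an added illustration of the encoding problem described above (this is my own example, not code from the blog or from HackingDojo), the block below builds the UTF-8, UTF-16LE ("Unicode"), base64 and HTML-entity forms of each candidate word, hashes each form with the algorithms named in the post, and looks the digests up in a set of target hashes. It generalizes the conversion scripts at the end of the post by escaping every non-ASCII character rather than only those in their lookup table; the target hashes are constructed inside the block.

```python
# Added example (Python 3): try several pre-hash encodings of each candidate
# word, the situation the post describes for passwords with special characters.
import base64
import hashlib


def html_entities(word):
    """Replace '"', '&', '<', '>' and every non-ASCII character with its HTML
    numeric character reference (&#NNN;). Working per character means an
    entity that was just inserted can never be escaped a second time."""
    return "".join(
        ch if ord(ch) < 128 and ch not in '"&<>' else "&#%d;" % ord(ch)
        for ch in word
    )


def candidate_encodings(word):
    """Return {label: bytes} for each way the word may have been encoded
    before it was hashed. Insertion order decides which label is reported
    when two encodings produce identical bytes (plain ASCII words)."""
    raw = word.encode("utf-8")
    return {
        "utf8": raw,
        "utf16le": word.encode("utf-16-le"),     # what Windows/.NET call "Unicode"
        "base64": base64.b64encode(raw),         # base64 of the UTF-8 bytes
        "html-entities": html_entities(word).encode("ascii"),
    }


# Hash functions the post mentions; DES/3DES are not hashes and are left out.
ALGORITHMS = ("md5", "sha1", "sha384", "sha512")


def hash_variants(word):
    """Yield (algorithm, encoding label, hex digest) for every combination."""
    for label, data in candidate_encodings(word).items():
        for alg in ALGORITHMS:
            yield alg, label, hashlib.new(alg, data).hexdigest()


def crack(target_hashes, wordlist):
    """Map each recovered target digest (lower-case hex) to
    (word, algorithm, encoding label). First match per digest wins."""
    targets = {h.lower() for h in target_hashes}
    found = {}
    for word in wordlist:
        for alg, label, digest in hash_variants(word):
            if digest in targets and digest not in found:
                found[digest] = (word, alg, label)
    return found


if __name__ == "__main__":
    # Constructed demo targets: a SHA-1 over the base64 form of a German word
    # (the case the post describes) and the well-known MD5 of "password".
    demo_targets = [
        hashlib.sha1(base64.b64encode("straße".encode("utf-8"))).hexdigest(),
        "5f4dcc3b5aa765d61d8327deb882cf99",
    ]
    for digest, (word, alg, label) in crack(demo_targets, ["straße", "password"]).items():
        print("%s = %s(%s: %r)" % (digest, alg, label, word))
```

Feeding the output of `candidate_encodings` to a real wordlist (one variant per line) is the same idea as the converted wordlists the post runs through John the Ripper.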

I also learned more about passive information gathering. There is a lot of information about a person, group or organization on the Internet that you can find for free or for a small fee. The best tool for this kind of recon work is, of course, Google. You can actually search a cached version of a website, which is helpful if you have a scope that limits your interaction with a target website. You can use it with the URL "http://webcache.googleusercontent.com/search?q=cache:www.testtargetsite.com". You can also use the "Wayback" site, "http://archive.org/web/web.php", to find older versions of the target site if they are available. These are some of the sites I used to find information on targets:

https://www.google.com
http://www.zabasearch.com/
http://www.dogpile.com/
http://www.zoominfo.com/
http://www.spokeo.com/
http://www.alexa.com/

Again, there are more sites to use, but I had success with those sites. In conclusion, I have to say the HackingDojo is a course to take if you want to learn more about hacking and penetration testing. I was very happy with the course and I learned a lot. I wanted to take a pause from the course so I can sharpen my Python skills. I want to take the course from SecurityTube: "http://securitytube-training.com/certifications/securitytube-python-scripting-expert/". It looks like I will be a better Python programmer after taking a course like that. I will try to provide info once I have started the course. Till next time. Oh, here are the conversion scripts. I am sure there are better ways to script these, but again, I am a work in progress.

Conversion Scripts

#!/usr/bin/python
# -*- coding: utf-8 -*-
'''
#---------------------------------------------------------------------------#
# Name:          splitdictionary.py
# Original Author:        Agoonie
# The script is to pull dictionaries and grab words. Then, it converts the words to base64 if they have special character entities...
# Created:       08/25/2012
# Last Edited:   08292012
# Version Num:   1
# Requirements:  Written and tested in Python 2.65
#   CREDIT:
#      I used information from all of the following:
#      Author: J-rock
#      J-rock Script:  base64_to_text.py
#      gomputor.wordpress.com/2008/09/27/search-replace-multiple-words-or-characters-with-python/
#      http://wiki.webz.cz/dict/
#      http://www.dicts.info/uddl.php
#      stackoverflow.com/questions/6116978/python-replace-multiple-strings
#      docs.python.org/library/stdtypes.html
#---------------------------------------------------------------------------#
'''

import re
import os, sys

# Lookup table: each special character is mapped to its HTML numeric character
# reference (&#NNN;), which is the substitution this script actually applies.
# The keys are UTF-8 byte strings under Python 2, so the input file must be UTF-8.

codes = {'"': '&#34;', '&': '&#38;', '<': '&#60;', '>': '&#62;',
                '¡': '&#161;', '¢': '&#162;', '£': '&#163;', '¤': '&#164;',
                '¥': '&#165;', '¦': '&#166;', '§': '&#167;', '¨': '&#168;',
                '©': '&#169;', 'ª': '&#170;', '«': '&#171;', '¬': '&#172;',
                '­': '&#173;', '®': '&#174;', '¯': '&#175;', '°': '&#176;',
                '±': '&#177;', '²': '&#178;', '³': '&#179;', '´': '&#180;',
                'µ': '&#181;', '¶': '&#182;', '·': '&#183;', '¸': '&#184;',
                '¹': '&#185;', 'º': '&#186;', '»': '&#187;', '¼': '&#188;',
                '½': '&#189;', '¾': '&#190;', '¿': '&#191;', 'À': '&#192;',
                'Á': '&#193;', 'Â': '&#194;', 'Ã': '&#195;', 'Ä': '&#196;',
                'Å': '&#197;', 'Æ': '&#198;', 'Ç': '&#199;', 'È': '&#200;',
                'É': '&#201;', 'Ê': '&#202;', 'Ë': '&#203;', 'Ì': '&#204;',
                'Í': '&#205;', 'Î': '&#206;', 'Ï': '&#207;', 'Ð': '&#208;',
                'Ñ': '&#209;', 'Ò': '&#210;', 'Ó': '&#211;', 'Ô': '&#212;',
                'Õ': '&#213;', 'Ö': '&#214;', '×': '&#215;', 'Ø': '&#216;',
                'Ù': '&#217;', 'Ú': '&#218;', 'Û': '&#219;', 'Ü': '&#220;',
                'Ý': '&#221;', 'Þ': '&#222;', 'ß': '&#223;', 'à': '&#224;',
                'á': '&#225;', 'â': '&#226;', 'ã': '&#227;', 'ä': '&#228;',
                'å': '&#229;', 'æ': '&#230;', 'ç': '&#231;', 'è': '&#232;',
                'é': '&#233;', 'ê': '&#234;', 'ë': '&#235;', 'ì': '&#236;',
                'í': '&#237;', 'î': '&#238;', 'ï': '&#239;', 'ð': '&#240;',
                'ñ': '&#241;', 'ò': '&#242;', 'ó': '&#243;', 'ô': '&#244;',
                'õ': '&#245;', 'ö': '&#246;', '÷': '&#247;', 'ø': '&#248;',
                'ù': '&#249;', 'ú': '&#250;', 'û': '&#251;', 'ü': '&#252;',
                'ý': '&#253;', 'þ': '&#254;', 'ÿ': '&#255;', 'Œ': '&#338;',
                'œ': '&#339;', 'Š': '&#352;', 'š': '&#353;', 'Ÿ': '&#376;',
                'ƒ': '&#402;', 'ˆ': '&#710;', '˜': '&#732;', 'Α': '&#913;',
                'Β': '&#914;', 'Γ': '&#915;', 'Δ': '&#916;', 'Ε': '&#917;',
                'Ζ': '&#918;', 'Η': '&#919;', 'Θ': '&#920;', 'Ι': '&#921;',
                'Κ': '&#922;', 'Λ': '&#923;', 'Μ': '&#924;', 'Ν': '&#925;',
                'Ξ': '&#926;', 'Ο': '&#927;', 'Π': '&#928;', 'Ρ': '&#929;',
                'Σ': '&#931;', 'Τ': '&#932;', 'Υ': '&#933;', 'Φ': '&#934;',
                'Χ': '&#935;', 'Ψ': '&#936;', 'Ω': '&#937;', 'α': '&#945;',
                'β': '&#946;', 'γ': '&#947;', 'δ': '&#948;', 'ε': '&#949;',
                'ζ': '&#950;', 'η': '&#951;', 'θ': '&#952;', 'ι': '&#953;',
                'κ': '&#954;', 'λ': '&#955;', 'μ': '&#956;', 'ν': '&#957;',
                'ξ': '&#958;', 'ο': '&#959;', 'π': '&#960;', 'ρ': '&#961;',
                'ς': '&#962;', 'σ': '&#963;', 'τ': '&#964;', 'υ': '&#965;',
                'φ': '&#966;', 'χ': '&#967;', 'ψ': '&#968;', 'ω': '&#969;',
                'ϑ': '&#977;', 'ϒ': '&#978;', 'ϖ': '&#982;', '–': '&#8211;',
                '—': '&#8212;', '‘': '&#8216;', '’': '&#8217;', '‚': '&#8218;',
                '“': '&#8220;', '”': '&#8221;', '„': '&#8222;', '†': '&#8224;',
                '‡': '&#8225;', '•': '&#8226;', '…': '&#8230;', '‰': '&#8240;',
                '′': '&#8242;', '″': '&#8243;', '‹': '&#8249;', '›': '&#8250;',
                '‾': '&#8254;', '⁄': '&#8260;', '€': '&#8364;', 'ℑ': '&#8465;',
                '℘': '&#8472;', 'ℜ': '&#8476;', '™': '&#8482;', 'ℵ': '&#8501;',
                '←': '&#8592;', '↑': '&#8593;', '→': '&#8594;', '↓': '&#8595;',
                '↔': '&#8596;', '↵': '&#8629;', '⇐': '&#8656;', '⇑': '&#8657;',
                '⇒': '&#8658;', '⇓': '&#8659;', '⇔': '&#8660;', '∀': '&#8704;',
                '∂': '&#8706;', '∃': '&#8707;', '∅': '&#8709;', '∇': '&#8711;',
                '∈': '&#8712;', '∉': '&#8713;', '∋': '&#8715;', '∏': '&#8719;',
                '∑': '&#8721;', '−': '&#8722;', '∗': '&#8727;', '√': '&#8730;',
                '∝': '&#8733;', '∞': '&#8734;', '∠': '&#8736;', '∧': '&#8743;',
                '∨': '&#8744;', '∩': '&#8745;', '∪': '&#8746;', '∫': '&#8747;',
                '∴': '&#8756;', '∼': '&#8764;', '≅': '&#8773;', '≈': '&#8776;',
               '≠': '&#8800;', '≡': '&#8801;', '≤': '&#8804;', '≥': '&#8805;',
                '⊂': '&#8834;', '⊃': '&#8835;', '⊄': '&#8836;', '⊆': '&#8838;',
                '⊇': '&#8839;', '⊕': '&#8853;', '⊗': '&#8855;', '⊥': '&#8869;',
                '⋅': '&#8901;', '⌈': '&#8968;', '⌉': '&#8969;', '⌊': '&#8970;',
                '⌋': '&#8971;', '〈': '&#9001;', '〉': '&#9002;'}

def replace_all(text, dic):
    # Replace '&' first: otherwise the '&' of an entity already inserted
    # (e.g. '&#233;') could be escaped a second time into '&#38;#233;',
    # depending on the dictionary's iteration order.
    if '&' in dic:
        text = text.replace('&', dic['&'])
    for k, v in dic.items():
        if k != '&':
            text = text.replace(k, v)
    return text

if len(sys.argv) != 3:
    print "[+] Usage: ./filename [wordlist-to-split] [newwordlist]"
    sys.exit(1)

wordlist = sys.argv[1]
finallist = sys.argv[2]
finalwordlist = []

if not os.path.exists(wordlist):
    print "I cannot find the file! "
    sys.exit(1)

print "I have found your wordlist!\n\n" + wordlist + "\n\n"
# Split on runs of whitespace or commas and drop the empty tokens that
# leading/trailing separators produce.
with open(wordlist, 'r') as fh:
    words = re.split(r'[\s,]+', fh.read())
mywordlist = sorted(set(w for w in words if w))

for line in mywordlist:
    # Keep the original word and add the entity-encoded form when it differs,
    # i.e. when the word contains at least one character from the table.
    finalwordlist.append(line)
    converted = replace_all(line, codes)
    if converted != line:
        finalwordlist.append(converted)

finalwordlist = sorted(set(finalwordlist))
with open(finallist, 'w') as g:
    g.write("\n".join(finalwordlist))
print "Your new file is done and it is called " + finallist



#!/usr/bin/python
# -*- coding: utf-8 -*-
'''
#---------------------------------------------------------------------------#
# Name:          splitdictionary.py
# Original Author:        Agoonie
# The script is to pull dictionaries, grab words from docs in a directory. Then, it converts the words to base64 if they have special character entities...
# Created:       08/25/2012
# Last Edited:   08292012
# Version Num:   1
# Requirements:  Written and tested in Python 2.65
#   CREDIT:
#      I used information from all of the following:
#      Author: J-rock
#      J-rock Script:  base64_to_text.py
#      gomputor.wordpress.com/2008/09/27/search-replace-multiple-words-or-characters-with-python/
#      http://wiki.webz.cz/dict/
#      http://www.dicts.info/uddl.php
#      stackoverflow.com/questions/6116978/python-replace-multiple-strings
#      docs.python.org/library/stdtypes.html
#---------------------------------------------------------------------------#
'''

import re
import os, sys
import glob

# Same lookup table as the single-file script: each special character is mapped
# to its HTML numeric character reference (&#NNN;). Keys are UTF-8 byte strings
# under Python 2, so the input files must be UTF-8.

codes = {'"': '&#34;', '&': '&#38;', '<': '&#60;', '>': '&#62;',
                '¡': '&#161;', '¢': '&#162;', '£': '&#163;', '¤': '&#164;',
                '¥': '&#165;', '¦': '&#166;', '§': '&#167;', '¨': '&#168;',
                '©': '&#169;', 'ª': '&#170;', '«': '&#171;', '¬': '&#172;',
                '­': '&#173;', '®': '&#174;', '¯': '&#175;', '°': '&#176;',
                '±': '&#177;', '²': '&#178;', '³': '&#179;', '´': '&#180;',
                'µ': '&#181;', '¶': '&#182;', '·': '&#183;', '¸': '&#184;',
                '¹': '&#185;', 'º': '&#186;', '»': '&#187;', '¼': '&#188;',
                '½': '&#189;', '¾': '&#190;', '¿': '&#191;', 'À': '&#192;',
                'Á': '&#193;', 'Â': '&#194;', 'Ã': '&#195;', 'Ä': '&#196;',
                'Å': '&#197;', 'Æ': '&#198;', 'Ç': '&#199;', 'È': '&#200;',
                'É': '&#201;', 'Ê': '&#202;', 'Ë': '&#203;', 'Ì': '&#204;',
                'Í': '&#205;', 'Î': '&#206;', 'Ï': '&#207;', 'Ð': '&#208;',
                'Ñ': '&#209;', 'Ò': '&#210;', 'Ó': '&#211;', 'Ô': '&#212;',
                'Õ': '&#213;', 'Ö': '&#214;', '×': '&#215;', 'Ø': '&#216;',
                'Ù': '&#217;', 'Ú': '&#218;', 'Û': '&#219;', 'Ü': '&#220;',
                'Ý': '&#221;', 'Þ': '&#222;', 'ß': '&#223;', 'à': '&#224;',
                'á': '&#225;', 'â': '&#226;', 'ã': '&#227;', 'ä': '&#228;',
                'å': '&#229;', 'æ': '&#230;', 'ç': '&#231;', 'è': '&#232;',
                'é': '&#233;', 'ê': '&#234;', 'ë': '&#235;', 'ì': '&#236;',
                'í': '&#237;', 'î': '&#238;', 'ï': '&#239;', 'ð': '&#240;',
                'ñ': '&#241;', 'ò': '&#242;', 'ó': '&#243;', 'ô': '&#244;',
                'õ': '&#245;', 'ö': '&#246;', '÷': '&#247;', 'ø': '&#248;',
                'ù': '&#249;', 'ú': '&#250;', 'û': '&#251;', 'ü': '&#252;',
                'ý': '&#253;', 'þ': '&#254;', 'ÿ': '&#255;', 'Œ': '&#338;',
                'œ': '&#339;', 'Š': '&#352;', 'š': '&#353;', 'Ÿ': '&#376;',
                'ƒ': '&#402;', 'ˆ': '&#710;', '˜': '&#732;', 'Α': '&#913;',
                'Β': '&#914;', 'Γ': '&#915;', 'Δ': '&#916;', 'Ε': '&#917;',
                'Ζ': '&#918;', 'Η': '&#919;', 'Θ': '&#920;', 'Ι': '&#921;',
                'Κ': '&#922;', 'Λ': '&#923;', 'Μ': '&#924;', 'Ν': '&#925;',
                'Ξ': '&#926;', 'Ο': '&#927;', 'Π': '&#928;', 'Ρ': '&#929;',
                'Σ': '&#931;', 'Τ': '&#932;', 'Υ': '&#933;', 'Φ': '&#934;',
                'Χ': '&#935;', 'Ψ': '&#936;', 'Ω': '&#937;', 'α': '&#945;',
                'β': '&#946;', 'γ': '&#947;', 'δ': '&#948;', 'ε': '&#949;',
                'ζ': '&#950;', 'η': '&#951;', 'θ': '&#952;', 'ι': '&#953;',
                'κ': '&#954;', 'λ': '&#955;', 'μ': '&#956;', 'ν': '&#957;',
                'ξ': '&#958;', 'ο': '&#959;', 'π': '&#960;', 'ρ': '&#961;',
                'ς': '&#962;', 'σ': '&#963;', 'τ': '&#964;', 'υ': '&#965;',
                'φ': '&#966;', 'χ': '&#967;', 'ψ': '&#968;', 'ω': '&#969;',
                'ϑ': '&#977;', 'ϒ': '&#978;', 'ϖ': '&#982;', '–': '&#8211;',
                '—': '&#8212;', '‘': '&#8216;', '’': '&#8217;', '‚': '&#8218;',
                '“': '&#8220;', '”': '&#8221;', '„': '&#8222;', '†': '&#8224;',
                '‡': '&#8225;', '•': '&#8226;', '…': '&#8230;', '‰': '&#8240;',
                '′': '&#8242;', '″': '&#8243;', '‹': '&#8249;', '›': '&#8250;',
                '‾': '&#8254;', '⁄': '&#8260;', '€': '&#8364;', 'ℑ': '&#8465;',
                '℘': '&#8472;', 'ℜ': '&#8476;', '™': '&#8482;', 'ℵ': '&#8501;',
                '←': '&#8592;', '↑': '&#8593;', '→': '&#8594;', '↓': '&#8595;',
                '↔': '&#8596;', '↵': '&#8629;', '⇐': '&#8656;', '⇑': '&#8657;',
                '⇒': '&#8658;', '⇓': '&#8659;', '⇔': '&#8660;', '∀': '&#8704;',
                '∂': '&#8706;', '∃': '&#8707;', '∅': '&#8709;', '∇': '&#8711;',
                '∈': '&#8712;', '∉': '&#8713;', '∋': '&#8715;', '∏': '&#8719;',
                '∑': '&#8721;', '−': '&#8722;', '∗': '&#8727;', '√': '&#8730;',
                '∝': '&#8733;', '∞': '&#8734;', '∠': '&#8736;', '∧': '&#8743;',
                '∨': '&#8744;', '∩': '&#8745;', '∪': '&#8746;', '∫': '&#8747;',
                '∴': '&#8756;', '∼': '&#8764;', '≅': '&#8773;', '≈': '&#8776;',
               '≠': '&#8800;', '≡': '&#8801;', '≤': '&#8804;', '≥': '&#8805;',
                '⊂': '&#8834;', '⊃': '&#8835;', '⊄': '&#8836;', '⊆': '&#8838;',
                '⊇': '&#8839;', '⊕': '&#8853;', '⊗': '&#8855;', '⊥': '&#8869;',
                '⋅': '&#8901;', '⌈': '&#8968;', '⌉': '&#8969;', '⌊': '&#8970;',
                '⌋': '&#8971;', '〈': '&#9001;', '〉': '&#9002;'}

def replace_all(text, dic):
    # Replace '&' first so an entity already inserted (e.g. '&#233;') is not
    # escaped a second time into '&#38;#233;'.
    if '&' in dic:
        text = text.replace('&', dic['&'])
    for k, v in dic.items():
        if k != '&':
            text = text.replace(k, v)
    return text

def convert_words(words):
    # Sorted, de-duplicated words plus the entity-encoded form of every word
    # that contains at least one character from the table.
    result = set()
    for word in sorted(set(w for w in words if w)):
        result.add(word)
        converted = replace_all(word, codes)
        if converted != word:
            result.add(converted)
    return sorted(result)

if len(sys.argv) != 2:
    print "[+] Usage: ./filename directory"
    sys.exit(1)

path = sys.argv[1]

for wordlist in glob.glob(os.path.join(path, '*.txt')):
    # Each input file is converted on its own; words from earlier files are
    # not carried over into the next output file.
    with open(wordlist, 'r') as fh:
        words = re.split(r'[\s,]+', fh.read())
    (filepath, ffilename) = os.path.split(wordlist)
    finallist = "c_" + ffilename   # written to the current directory
    with open(finallist, 'w') as g:
        g.write("\n".join(convert_words(words)))
    print "Your new file is done and it is called " + finallist

Sunday, June 24, 2012

Education 2012 Update

I wanted to get another post out since it has been so long. This time, it was for a good reason. I have been busy with projects and a little research. First, I have finally decided to work on getting my CCNA and CCNA:Security certifications. I grabbed some Cisco equipment from eBay and created a network lab for studying. I will hopefully complete this by the end of the summer. I have some Cisco books to use while I am on the switch/router consoles. I also started some research on the Google tool "Reaver", which can crack wireless networks using the WPS vulnerability. I did not just want to show I can use the tool like any 10th grader could. I wanted to see what the average user could do to prevent it. From what I found, not much more than turning off WPS to begin with. Even that is not as easy as it sounds. There are a lot of vendors that still turn it on without your knowledge. I went through a few for about two weeks.

I am still doing the usual fuzzing of application software to find 0-day vulnerabilities. I have received a lot of denial of service errors; however, I have not reached the holy grail, "RCE". I am sure I will get there eventually. There are plenty of software apps to test. I just want to mention: if you have not tried the Offensive Security Certified Expert (OSCE) course yet, do it! You cannot stop testing after you have taken the course by the OffSec guys.

Lastly, I am about to take a VMware vSphere course. It will give me some skills for VMware ESXi v5 and vSphere 5. It should be very informative. After that is done, I am sure I will be going for the VCP 5.0 certification. I have the VCP 3.0 certification and I think it is about time for me to check out what new lessons they have. I will give more details in later posts, but I wanted to get something down.

Monday, April 23, 2012

SEC560/GPEN Review


In December of 2011, Donald Donzal, founder of EthicalHacker.net, awarded me the prize of the SANS560 course. In March of 2012, I attended the course using vLive, the online training from the SANS Institute. The training was attended by people who were at the SANS course in Orlando, Florida or connected through vLive (Virtual Training Lab). In addition, there were people who signed up using the OnDemand and Mentor programs. The SANS SEC560: Network Penetration and Ethical Hacking Course is set to teach you the skills of an ethical penetration tester. It is a 6-day course that goes step by step through topics that are similar to the popular pentesting methodologies. The course roadmap consists of "planning and recon", "scanning", "exploitation", "password attacks", "wireless attacks" and "web app attacks". They also have a Capture the Flag event on the last day of the course. In addition, the course is worth 36 CPE points towards security certifications such as the CISSP and the C|EH. The course started on Sunday and ended on Friday, from 9 AM to 5:30 PM. One nice thing about the course is that it is available online for 6 months after the course ends. That is a major plus if you miss any of the course material that is broadcast over the Internet. About 10 days before the course began, I received a SANS package in the mail. It contained 6 manuals of the coursework, 2 small pamphlets and 1 SANS DVD full of software with VMware ISOs, cheat sheets and documents. We used most of the items in the SANS package during the entire course. The documents also included a "Rules of Engagement" and a "Scope" template. In addition, a sample penetration test report is present on the DVD.

Day 1 Sunday March 25th
Planning and Recon:

On day one, we were introduced to Ed Skoudis and his team. Ed, a well-known author and security expert, has over 15 years of offensive and defensive information security experience. He also had moderators who helped us if the sound or video went out during our vLive connection. We did have either sound or video problems every day, but it never lasted longer than 5 minutes. It did not take away from the experience of the course. The moderators usually kept us informed of what was going on even if we could not see it or hear it. We learned about the planning involved in being an effective ethical hacker and penetration tester. That includes creating a well-stocked lab and testing tools. In addition, you should create a software toolbox, proper hardware and network infrastructure. Ed Skoudis spent some time on the format of a good penetration test and where a lot of testers have been failing in their pentest reports. Ed illustrated that the two worst areas in most pentest reports are the executive summary (brief information meant for the company executives) and the methodology (which describes the process of the penetration test or ethical hacking engagement). That was very helpful, especially if I can avoid common mistakes in future pentest reports. Also, an email was sent by SANS to test our connection to the vLive video cast. I connected using Linux and it had no problem running the Java applet to see the video or hear the audio from Orlando. We also talked about the "Rules of Engagement" and "Scope" when dealing with the customer. I really enjoyed this part of the day. We broke into teams to emulate the debriefing between a pentester and the client so we could choose the right questions for a customer. It helps to determine whether a client truly wants a pentest or a vulnerability assessment. It was a good lesson to learn that you should not assume the customer knows exactly what they want.

The rules of engagement were defined as how the penetration test will run and who should be involved in the whole testing process. Also, the scope was described as the assets that you can target and which ones you cannot and should not attack. In addition, Ed explained that you should have a limitation of liability and appropriate insurance, especially if you are running your own security firm. The last point I want to mention is that you have to pay attention not only to US laws, but also to the laws of other countries. You may be breaking another country's laws during a penetration test if you are not careful. Ed Skoudis gave great effort to bring out this point. Your target may be in another country, so you may have to consult with your lawyer to make sure the attacks you send do not break the laws of your target's country AND the countries in between.

Day 2 Monday March 26th
Scanning:

On day two, the course focused on scanning a target environment. Ed illustrated the importance of having an inventory of assets and their vulnerabilities. I think every student knew how important this was, but it becomes very apparent at the end of the course. It is very upsetting/frustrating when you are trying to exploit vulnerabilities and you do not have enough information to send an effective attack. The course also described the tools that can be used for quality network scanning. Some of the tools discussed were Nessus, nmap, tcpdump, traceroute/tracert, scapy and netcat. We went over some of the additional scripts that come with nmap. In addition, we got some insight into how Ed feels about Wireshark vs tcpdump. He explained that tcpdump is lighter, faster and has a smaller attack surface than Wireshark. There seem to be more exploits, such as buffer overflows, designed for Wireshark. As a side note, I do want to mention that Ed did spend time explaining that you want to use "safe" tools and scans for your penetration test. You do not want to be the cause of an inadvertent DoS because you were not aware of what your tools are doing. Know your tools. Also, he explained that you should have alternatives to your tools in case you cannot use them on the network you are testing. "What if netcat is not in that environment? What would you do?"

Day 3 Tuesday March 27th
Exploitation:

On day three, we worked on exploitation and the infamous Metasploit. We went through the commands, exploits and payloads of the Metasploit console and Meterpreter. If you have taken the OSCP, you know a lot of this module already. It is still an enjoyable section in which you are bound to pick up something new. He walked us through setting up the database to connect with Metasploit so you can keep records of machines and their vulnerabilities. We also went through the auxiliary section of Metasploit, which can be helpful at finding a vulnerability quickly in a network range of IP addresses. Also, a very important point Ed made during this section was the "portfwd" command in Metasploit. This is how you can set up "pivot" points into an organization to gain further access into additional machines. It can help bypass blocked ports and firewalls by getting inside the organization through just one host. We worked on Windows commands since you may not have all your usual techniques/commands in the environment you find yourself in. The two commands we worked with were sc and wmic. We used the sc (service console) and wmic commands mostly to identify running services/processes and to stop them if they interfered with our progress.

Day 4 Wednesday March 28th
Password Attacks:

On day four, the topic was password attacks. The main points of the password attacks are password guessing, password cracking and pass the hash. He split up the tools for password guessing and password cracking. For the former, he suggested hydra, Cain, xhydra and maybe your own personal scripts. For the latter, he demonstrated the use of the tools pwdump, fgdump, Cain (again), John the Ripper (compiled for NT hashes with SSE2 functionality), and Ophcrack (rainbow tables). Some of these tools are just for extracting Microsoft password hashes to crack later for passwords. Side note: Ed mentioned you have to be careful here. When using a password guessing technique, you want to check if there are account lockout policies enabled on the client network. You start by asking the client directly, and never just take their word on it. Imagine using hydra on 10,000 accounts and locking 10,000 users out of their accounts during your pentest. It is an easy way to get fired. Another idea that Ed Skoudis stressed was that you may have to use multiple password crackers to extract passwords from hashes. We learned that Windows and Linux store their passwords differently. Linux stores passwords in hashes that are actually salted. This adds another layer of defense since identical hashes may not have the same corresponding passwords, unlike Windows hashes. Lastly, we were learning how devastating "passing the hash" can be once you have even one "good" password hash. We used the psexec exploit in Metasploit to pass the password hashes. The whole time I was enjoying this SANS topic, I was wishing that I had built the box from "http://pauldotcom.com/2010/10/your-password-cracking-system.html".
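The salted-versus-unsalted point above is easy to see in code. The following is an added example (not from the course or this post) that stores the same password for two constructed users once with a plain, unsalted digest and once with a per-user random salt, then shows what each storage style leaks to anyone who obtains the hash store. SHA-256 stands in for the unsalted NT hash and PBKDF2 for the salted /etc/shadow style; the user names and passwords are made up.

```python
import hashlib
import hmac
import os

# Constructed sample: two users who happen to have chosen the same password.
USERS = {"alice": "Winter2012!", "bob": "Winter2012!"}


def unsalted_digest(password):
    """Plain hash of the password with no per-user salt (the Windows-style
    pattern described in the post). SHA-256 is a stand-in for the NT hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_digest(password, salt, rounds=100_000):
    """Salted, iterated hash in the style of a Linux shadow entry."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds).hex()


def build_unsalted_store(users):
    """user -> digest; identical passwords produce identical digests."""
    return {u: unsalted_digest(p) for u, p in users.items()}


def build_salted_store(users):
    """user -> (salt, digest); a fresh 16-byte salt per user, so identical
    passwords no longer produce identical digests."""
    store = {}
    for u, p in users.items():
        salt = os.urandom(16)
        store[u] = (salt, salted_digest(p, salt))
    return store


def verify_salted(store, user, attempt):
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = store[user]
    return hmac.compare_digest(expected, salted_digest(attempt, salt))


def duplicate_password_users(unsalted_store):
    """What unsalted storage gives away before any cracking happens: groups of
    users whose digests match, and therefore share a password."""
    by_digest = {}
    for u, d in unsalted_store.items():
        by_digest.setdefault(d, []).append(u)
    return [group for group in by_digest.values() if len(group) > 1]


if __name__ == "__main__":
    plain = build_unsalted_store(USERS)
    salted = build_salted_store(USERS)
    print("unsalted digests equal:", plain["alice"] == plain["bob"])
    print("salted digests equal:  ", salted["alice"][1] == salted["bob"][1])
    print("users sharing a password (unsalted store):", duplicate_password_users(plain))
```

With the unsalted store one cracked digest unlocks every account that shares it, and a precomputed table (the rainbow tables mentioned for Ophcrack) works against the whole store at once; with the salted store each digest has to be attacked on its own.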

Day 5 Thursday March 29th
Wireless and Web Apps:

On day five, the course focused on two main topics, wireless attacks and web application attacks. With wireless attacks, you want to make sure you have the right tools. You want the right wireless adapter cards, drivers, antennas, cables, cable connectors, and GPS receivers. You may need multiple tools and apps also. You want to start sniffing traffic with multiple apps such as Wireshark, tcpdump, aircrack-ng and kismet. There are also commercial tools such as WildPackets' OmniPeek. In addition, you want to know how to get your wireless cards into managed/monitor mode. In monitor mode, you can get your wireless card to listen to all packets coming in on the interface. Also, we got a quick lesson in wireless: LISTEN TO JOSH WRIGHT. I caught a couple of his YouTube videos [http://www.youtube.com/watch?v=EUcEcqJj24s], and he is definitely an expert in wireless penetration testing. He is also starting a SANS class called SANS575: Mobile Device Security and Ethical Hacking. It is definitely worth a look IMO. There are wireless tools on both Windows and Linux with their own pluses and minuses. You have CAIN, NetStumbler and InSSIDer with Windows. With Linux, you can use Kismet, Aircrack-ng, CoWPAtty, Airpwn and AirJack to name a few. You will probably have more luck if you use Linux as your wireless penetration testing OS. However, Ed Skoudis kept reinforcing the point that you will want to use as many tools/techniques/OSes as possible to get the job done. As Ed would say, just use both.

Finally, Ed also mentioned that not only should you attack the access point, but the clients as well. Here is where he mentions Karma with the help of Metasploit. You can attack clients that are still sending out probe requests to their access points even though they are out of range of them. Karma will pretend to be their access point and give DHCP to them. With Metasploit, it will serve up a series of exploits for various vulnerable clients when they try to connect to the "new" access point. When we moved on to web application attacks, we discussed Nikto, Zap Proxy, XSS, XSRF, command injection and SQL injection. All of these tools and techniques take advantage of vulnerabilities in a company's web site, which is usually hosted on the company's network in the DMZ. Most attacks find flaws in three components and the way that they interact with each other: the logic of the web application on the web server, the web server and web browser's interactions, and the web server and database's interactions. We started with Nikto and the various web tests it can perform. Ed demonstrated that Nikto used the TRACE method to discover XSS and directory indexing for a "web application" from the course.

In addition, we went through various proxies such as OWASP Zed Attack Proxy (ZAP), Burp Proxy, Fiddler, w3af and paros. ZAP could intercept HTTP requests and responses to give an attacker a better view of what was happening behind the scenes of a web application. In addition, it had web crawling capabilities so you can index the entire site to find more vulnerabilities that may not be visible at first glance. Of course, it can scan the site directly to find XSS, SQLi flaws, private IP disclosure, indexable directories, and obsolete files. It can also manipulate cookies to track whether the web application will react differently. This was a very big day in learning more web attack techniques, which included cross-site request forgery (XSRF). Today, IMO, was the longest, most insightful day with the examples Ed gave with each technique. At the end of the day, SANS was hosting NetWars. I did not get a chance to see it but I am sure I would have loved it. It seems to be a set of security challenges like capture the flag. I think this is the one drawback with attending the course through vLive. You are not present for some of the additional speakers and programs that happen after the course is over for the day. The students that were in Orlando were about to sign up for NetWars or at least view it. It would be nice in the future if you could get the recording of NetWars if you are connecting through vLive.
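Of the web flaws listed above, SQL injection is the one where the "web server and database interaction" point is easiest to show side by side. The following is an added example, not material from the course or this post: a login check written with string concatenation next to the parameterised version, against a constructed in-memory SQLite table, plus a small log-review function a defender could run over access-log lines to flag requests that carry quote-plus-comment or quote-plus-keyword payloads. The table contents, log lines and signature regex are all made up for the example.

```python
import re
import sqlite3
from urllib.parse import unquote


def setup_db():
    """Constructed in-memory users table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "5f4dcc3b"), ("bob", "e99a18c4")])
    return conn


def login_vulnerable(conn, username, password_hash):
    """Builds the statement by concatenation, so user input becomes SQL grammar.
    A username such as  alice' --  comments out the password check entirely."""
    query = ("SELECT COUNT(*) FROM users WHERE username = '" + username
             + "' AND password_hash = '" + password_hash + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_fixed(conn, username, password_hash):
    """Parameterised statement: the driver sends values separately from the SQL
    text, so a quote in the username is just a character in a string."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone()[0] > 0


# Defender side: a deliberately narrow signature for access-log review. It flags a
# quote followed by an SQL comment marker or boolean/union keyword, which keeps
# ordinary apostrophes (o'brien) out of the results.
_SQLI_SIGNATURE = re.compile(r"['\"]\s*(--|#|/\*|\bor\b|\band\b|\bunion\b)", re.IGNORECASE)
_REQUEST = re.compile(r'"(?:GET|POST) (\S+)')


def flag_suspicious_requests(log_lines):
    """Return the log lines whose URL-decoded request target matches the signature."""
    flagged = []
    for line in log_lines:
        m = _REQUEST.search(line)
        if not m:
            continue
        if _SQLI_SIGNATURE.search(unquote(m.group(1))):
            flagged.append(line)
    return flagged


# Constructed sample access-log lines (common log format), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Sep/2012:10:00:01 -0400] "GET /login?user=alice&pw=5f4dcc3b HTTP/1.1" 200 512',
    '192.0.2.77 - - [27/Sep/2012:10:00:09 -0400] "GET /login?user=alice%27%20--&pw=x HTTP/1.1" 200 512',
    '192.0.2.10 - - [27/Sep/2012:10:00:15 -0400] "GET /search?q=o%27brien HTTP/1.1" 200 2048',
]


if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable, injected username:", login_vulnerable(conn, "alice' --", "wrong"))
    print("fixed, same username:         ", login_fixed(conn, "alice' --", "wrong"))
    for line in flag_suspicious_requests(SAMPLE_LOG):
        print("flagged:", line)
```

The signature is a triage aid, not a control: the fix is the parameterised query, and the log check only tells you where to look afterwards.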

Day 6 Friday March 30th
Penetration Testing Workshop and Capture the Flag:

The last day of the course consisted of "Capture the Flag". This was my first CTF btw, so I was very excited for this last day. We were broken into teams of 5 people. However, we did not have enough people who were connected through vLive, so we joined up into one big team. Unfortunately, we did not capture the flag in time, but we were very close to coming in 2nd. The exercise required you to examine an environment, find the encryption keys/files of 4 users on the network and decrypt the files in order. We needed the last file decrypted by the time someone was declared a winner. I still had a great time, however. The CTF included all the techniques that were taught in the course. The CTF exercise illustrates to yourself how much you have actually learned and how big of an impact these techniques can have on an organization. The exercise allowed us to understand that we need to go step by step: recon, scanning, exploitation and attacks. Without the proper recon and scanning, you will not get anywhere when you try to exploit vulnerabilities and attack a system or organization. The game started at 9:00 AM and ended at around 3:00 PM. We were to treat the game as an actual pentest. It does create an atmosphere of a real pentest, just without the interaction with the client. I think there were 3 teams that captured the flag at the end. I think the award was a signed copy of the "Counter Hack" book. Also, I received the CPE certificate of completion, which amounted to 36 credits and helped me complete my CPE requirements for at least a year and a half.

Conclusion:
I would recommend this course to anyone serious about becoming a pentester or any other security professional. It gives many lessons that a security professional would learn during his/her everyday responsibilities. To be totally honest, I would recommend that you take this course in addition to the OffSec OSCP course. I would not do them at the same time, of course, but I would take them both at some point. I think they complement each other well in their approach to teaching the technical and "soft" skills which are needed to be a professional penetration tester. You will understand how to engage the client, determine what kind of test you will perform, investigate the company along with its weaknesses, and present a high quality report that the customer can use to make well-informed business decisions about the security of their assets. The major plus of the course is the fact that I can go back to the SANS website and log back into the course. Then, I can watch each day's recording and not only watch the videos again but also review what was talked about in the chat section between the vLive students and the moderators. The moderators also added information to the course, such as links to important information that was discussed by Ed Skoudis. One negative would be that the missing audio or video will also be included in these recordings. However, as I said before, it did not impact the overall success of the teachings of the course. In addition, I will be taking the GPEN exam in a few weeks. It is open book, so all the books from the GIAC course should come in handy.

UPDATE: I took the GPEN exam and I think the books are great assets to have during the exam. I think people would have a little trouble with some of the questions without the books from the course. The exam is 4 hours long and there are a lot of rules on what you can and cannot bring into the room with you. I think it would be a good idea for the GIAC group to talk to the companies proctoring, so they are sure what is actually allowed. There is a lot of confusion there from what I experienced. Do not take this exam for granted like I did. It is a complete representation of the course and it will test all the skills that you have learned in the course as well. I think I just did not want to deal with multiple choice after taking OffSec courses. I did not even take the practice tests, which I probably should have.

Thanks again to Don and EthicalHacker.Net.

Sunday, March 25, 2012

Passed OSCE "Cracking the Perimeter"

First, I want to start by saying that I enjoyed the OffSec "Cracking the Perimeter" course and exam a lot. It was difficult, frustrating, time consuming, sleep depriving, exciting and very, very informative. It is a little different from the OffSec "Pentesting with Backtrack" (PwB). Ok, well, it is very different. There are specific hacks that are to be learned and performed in the OSCE course. You learn about a variety of buffer overflow and web application exploits. You will also learn about 0day hunting through the use of fuzzing and how it leads to computer, and later, network compromise. I found that the OSCE is shorter than the OSCP course. I think anyone trying to take the CTP course should do 60 days. That should be enough time to get all the concepts down and to practice in the OffSec lab environment. The OSCP course was a lot longer as far as time for me. But with both courses, it was worth the time and effort. If you take a look at the course outline, you will see that you have 9 very tough modules. All I can say is take your time. This course is all about the concepts. Make sure that you understand them, and you will do fine on the exam. Of course, practice, practice, practice.

Ok, you have looked at the syllabus and you are very excited. Ok, but first you have to take the prerequisite. I know, lol. This course is tough, so what better way to find out if you are ready than to take a pre-exam. You start at http://www.fc4.me/. You need to find the "code" and final key. Now, I took this prereq right after I passed the OSCP just to see if I could do it. I was able to do it in a day and a half. That was in April of last year. I took a break to relax and to save money for the OSCE. I took the prereq again in November-December. This time, there was a new wrinkle. I do not want to give it away, but be prepared to do some research and think. Once you get past that and sign up, you will get the OffSec PDF(s) and the OffSec videos. I did the PDFs first and then the videos. Then, I went into the lab to practice. That has always worked for me during the OffSec courses. Why change now, I guess.

I'm just going to say that the 8th module is, by far, the hardest. I spent maybe two weeks just on that one module. It was worth it, however, to understand manually encoding shellcode with bitwise operations. By the end of the course, you will be amazed by how much you have learned, from fuzzing to exploit development to exploit writing. You can manually encode executables to bypass an antivirus and can get a shell from misconfigured web applications. The course came to an end with me learning more about scapy for packet creation and manipulation.

I took the exam three weeks after the course ended. In that time, I studied from a number of resources besides the coursework. I would suggest to anyone about to take the exam to practice from the exploitdb.com site. Practice using egghunters and OllyDbg/Immunity. Then, read:

http://grey-corner.blogspot.com
http://resources.infosecinstitute.com/author/lupin/
http://www.corelan.be/

Those three weeks really helped me understand each module. It helped that I had VMware Workstation on my laptop so I could practice no matter where I was. Barnes and Noble, library, dinner, etc. The family understood. :) I also loaded the laptop with 16 GB of memory just so I could have multiple VMs going. It helped me. Anyway, the exam email came and it was time. I was able to get most of the exam done in the first day. I had one problem that held me up. It took me literally 21 hours to finally figure it out for the most part. Of course, that meant I had 3 hours left to really exploit it. You have to love it. After the clock ran out, I decided to give myself a two hour break before the write-up. The write-up took longer than I thought, but it was on time. :) I did not have to wait the full 3 days, which was cool. You are always nervous until you get that email telling you how you did. After about a day, I got the email saying I passed!

I got congrats from the fam and all of my co-workers. I had a lot of support since they knew I worked really hard on the course. You get what you put in from the OffSec courses, so when you get that pass email, it makes it so much sweeter. Of course, I have the SANS560 course a week later, but that is another post. For now, the OSCE is done and I loved every minute of it.

Friday, March 9, 2012

Practice: OSCE

DVD X Player 5.5 Pro (SEH) Buffer Overflow Exploit
Preparing for the Offensive Security Certified Expert (OSCE) exam, I hopped on exploitdb.com to find vulnerable software to exploit buffer overflows. Now, for the exam, I wanted to pick one, then ignore the exploit file, download the application and find out how to exploit it myself. I think this would be the best way to simulate finding a 0day (besides finding a 0day) and exploiting it. I found the DVD X Player 5.5 software. It is a computer media player that can run on Windows. I am installing the software on Windows XP SP3 and Windows Vista. Let's start with Windows XP.

After the install, it looks like it uses a playlist like WinAmp. The file extensions are PLF and SLS. That goes with the original exploit for the software. Well, let's open up the FileFuzzer script and create a file with a buffer of 1000. Why not start small. We need to first open the DVD X Player app and then open up OllyDbg. We will then attach to the running application so we can catch the application's reaction to the buffer.

Looks like we have a winner. The EIP and SE Handler were overwritten. Now, I increased the buffer size to 2000 once I saw where in the buffer the SEH was overwritten. I figured that out by using the Ruby script pattern_create.rb from Metasploit. That will create a specific pattern of characters so we can find where EIP is. Once we find what is located in the SEH, we can use another Metasploit script called pattern_offset to find out how many characters (bytes) are before the SEH. We put in the value for SEH as a parameter for the script. It gives a value of 612. So, after 612 "A" characters, you can control EIP and thus, execution flow. Sweet.
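For readers who have not used pattern_create/pattern_offset, here is the idea behind them as an added, stand-alone example (my own reimplementation for crash triage, not Metasploit's code or anything from this post). The pattern is built from upper/lower/digit triples so that every 4-byte window is unique up to 20280 bytes; whatever value lands in a register or handler slot therefore identifies its own offset, which is how the 612 above is recovered. The function names and the 2000-byte length are the example's own choices.

```python
import string


def pattern_create(length):
    """Build a cyclic pattern of the requested length from Aa0, Aa1, ... Zz9
    triples. Because no 4-character window repeats within the first 20280
    bytes, any 4 bytes read out of a crash dump map back to one offset."""
    out = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out.append(upper + lower + digit)
                if len(out) * 3 >= length:
                    return "".join(out)[:length]
    return "".join(out)[:length]


def pattern_offset(value, length):
    """Locate a value within pattern_create(length).

    value is either the 4 characters as seen in a memory dump ("Au4A") or the
    little-endian hex word a debugger shows in a register pane ("0x41347541").
    Returns the 0-based offset, i.e. how many bytes precede the overwritten slot.
    """
    if isinstance(value, str) and value.lower().startswith("0x"):
        word = int(value, 16).to_bytes(4, "little").decode("ascii")
    else:
        word = value
    idx = pattern_create(length).find(word)
    if idx < 0:
        raise ValueError("value %r not found in a %d-byte pattern" % (value, length))
    return idx


if __name__ == "__main__":
    # Walk-through of the triage step: write a 2000-byte pattern, read back the
    # 4 bytes the crash left in the handler slot, and resolve them to an offset.
    pat = pattern_create(2000)
    observed = pat[612:616]          # constructed: what a debugger would show at offset 612
    print("bytes in handler slot:", observed)
    print("offset:", pattern_offset(observed, 2000))
    print("offset from hex word:", pattern_offset("0x41347541", 2000))
```

The same lookup works for any register that ends up holding pattern bytes, which is why one crash with a pattern file usually answers both "where is the overwrite" and "how much of my input is still reachable".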

Alright, next, we want to start making an exploit file now that we know the necessary buffer length. This will help us ensure that we have the right length of the buffer and know how much space we have remaining to inject shellcode. That is easy enough. We create 612 "A"s and 4 "B"s and the rest "C"s. Hopefully, our buffer gets to one of the registers (if we are lucky). It looks like this is like most SEH exploits. It looks like our "C"s are after the exception handler, so if we can find an address to get to a "POP POP RETN", we can land there. We go to 'View -> Executable Modules'. Now, we have to avoid any ASLR-enabled DLLs and executables. We have one at #603022B8 in the "Configurations.dll".

We want to follow the flow by creating a breakpoint (F2) on our "POP POP RETN" at the address just mentioned. Then, by pressing F7, we can step through execution one step at a time. After the "POP POP RETN", we land exactly 4 bytes behind our SEH. Now, it looks like we have the option to either jump forward or backwards. We have a space of roughly 608 bytes going back and approximately 1300 bytes ahead. I chose to jump ahead since it is a larger space. If you want to learn more about jumping, please go to CORELAN (https://www.corelan.be/index.php/2009/07/23/writing-buffer-overflow-exploits-a-quick-and-basic-tutorial-part-2/).

Now, to jump ahead, we want to make sure we jump at least 6 bytes over to avoid overwriting our SEH jump. We want to land in 'NOP' AKA '\x90' instructions to slide into the actual shellcode. Let's leave 10 'NOP' instructions to slide through so we can go straight into our shellcode. Using Metasploit, I generate shellcode that will send a reverse shell to my local IP address on port 4444. We want to make sure that the size of our shellcode does not exceed our buffer. It is only 314 bytes, so we are very safe from that. We just need to remember to subtract that from our remaining buffer size. We are looking at 1374 - 314 = 1060, which should be the remaining 'C's for our buffer.

Lastly, before creating our new PLF file, we want to create a listener to catch the new network connection coming from our 'victim'. Bring on netcat! The command 'nc -lvvp 4444' should do it. Now, run our new script to create the final PLF file. Open it on our victim, without the debugger, and see what we get.

Wonderful. We can make changes to the file to see how it would work. We can jump backwards instead of forwards from the SEH. We could add an egghunter, which I think I will do later. Hopefully, this helps another student of infosec besides myself.

Tuesday, March 6, 2012

SEC560/EthicalHacker.Net

At the end of March, I will be experiencing my first SANS class, SEC560! I was awarded this chance by ETHICALHACKER.NET. On the site, they hold monthly prizes for their registered users. I have been on the site since 2009, I do believe. They have had discussions on Google, LulzSec, Anonymous, breaches, the FBI, etc. It is where you can find and discuss IT security issues currently happening today. It is a very informative site with some of the top security professionals posting articles from time to time. If you want more information, check out this link (http://www.ethicalhacker.net/content/view/405/8/). It was definitely a surprise since I usually do not win anything. I guess it points out even further that everyone has a chance to win the monthly prizes hosted at EthicalHacker.net. If you have time, try to check out the DIY Career article from Don Donzal if nothing else (http://www.ethicalhacker.net/content/view/236/24/).

Well, I just wanted to give a shout-out to the site before I take the SANS course. The SANS course will be all online, which works out well for me. It will be instructed by Ed Skoudis, who I have heard from security professionals is a great instructor. It will focus on network security and pen testing. I like the fact that it will include the soft skills needed to be an effective penetration tester. I have heard Mike Murray press on the fact that a pentester should have equally strong soft and technical skills to be beneficial to the client that you are pentesting. WIN! The web application scanning looks good, but I wonder how far they go. Also, it looks like it has a CTF event too, which I have never been in either. I think this course (and the OSCE exam) will give me a good gauge of my progress in InfoSec.

Once I am done, I want to do a review of the SANS course compared to the three OffSec security courses I have taken, OSWP, OSCP and OSCE. I think the Offensive Security team is on its way to making courses that will set the standard for information security education. Right now, C|EH by EC-Council seems to be the standard (at least for HR), which does not seem right to me. When I did the self study for the C|EH course, and then passed the exam, I had never even used netcat. Uh, yeah, that will not fly when you take an OffSec course. I am not saying that they are perfect, but I would suggest to anyone that is serious about their security career, find a way to start taking the OffSec courses. Soon, I will know if I need to include the SANS courses as well in that last statement. From what I hear already, I should. I will have the review by the end of April, hopefully.

Monday, March 5, 2012

FileFuzzer

While going through the OSCE course, I have created a number of fuzzing templates and files. One that comes in handy is the Python file fuzzer I made. It is not mind blowing, but I have found some overflows with it, so it is nice to have, for me at least.

#!/usr/bin/python

# File Fuzzer
# By Agoonie
# Date created 2/26/2012
# Kind of basic and wordy, but hey it works for me....
#
# Writes files filled with a repeated character so you can open them in a
# target application under a debugger and watch for a crash.

try:
    input = raw_input          # Python 2: raw_input returns the answer as a plain string
except NameError:
    pass                       # Python 3: input() already does

print("--------------------------------------------------------------------------------")
print("                                      Fuzzer Template                                   ")
print("                                      Agoonie FileFuzz                                 ")
print("--------------------------------------------------------------------------------")

fuzzchoice = input('Do you want to create one file with a specific buffer size? yes or no. ')
if fuzzchoice in ('y', 'yes', 'Yes', 'Y'):
    # One file with an exact buffer size
    buff = input('What is the buffer size for the file you want? ')
    newextension = input('What is the extension for the file you want? ')
    print("Next, think of the character(s) you want to use in the buffer.  For example, A, B, C, %, *, X, &, ), (, #, @, !, etc. ")
    bchar = input('What is the character(s) that will fill the buffer in the file? ')
    print("The filename will be: ")
    filename = "stest." + newextension
    print(filename)
    newbuff = int(buff)
    if newextension == 'm3u':
        # Playlist files need a valid header before the oversized entry
        junkchar = "#EXTM3U\n"
        junkchar += "#EXTINF:123,Agoonie - A goonie was here\n"
        junkchar += bchar * newbuff
    else:
        junkchar = bchar * newbuff
    bigbang = junkchar
    bangcount = len(bigbang)
    print("Just a reminder, this is the number of characters you have in your buffer: ")
    print(bangcount)
    textfile = open(filename, "w")
    textfile.write(bigbang)
    textfile.close()
elif fuzzchoice in ('n', 'no', 'No', 'N'):
    # A series of files, each 200 bytes larger than the last, up to the maximum
    print("Buffer starts at 200 bytes and increments by 200 bytes ")
    buffsize = input('What is the MAX buffer size for the file you want? ')
    mbuffsize = int(buffsize)
    cbuff = 200   # Current buffer size; starts at 200
    num = 1
    extension = input('What is the extension for the file you want? ')
    print("Next, think of the character(s) you want to use in the buffer.  For example, A, B, C, %, *, X, &, ), (, #, @, !, etc. ")
    bcharacter = input('What is the character(s) that will fill the buffer in the file? ')
    while cbuff <= mbuffsize:
        print("The buffer size for the file is: ")
        print(cbuff)
        snum = str(num)
        filenames = snum + "_test." + extension
        print(filenames)
        junk = bcharacter * cbuff
        num = num + 1
        cbuff = cbuff + 200
        exploit = junk
        textfile = open(filenames, "w")
        textfile.write(exploit)
        textfile.close()
else:
    print("I didn't understand your answer. Please run again. ./filefuzzer.py ")