Dec 04 2013
 

I often review various vulnerability scanners.  When I review them, I look at several different things:

  • were they able to find a vulnerability I previously missed?
  • are they accurate in their findings?
  • how quickly do they complete an audit compared to “insert some other vulnerability scanner here”?
  • sometimes I will also grab the tcpdumps of the audits for even further analysis
  • how accessible and easy are they to use by “skiddies”?
  • based on the tcpdumps + noise generated on the server logs, are the audit signatures of wapiti easy to detect?

Continue reading »

Feb 10 2013
 

My desktop computer is a couple of years old.  It serves me well for what I do.  I just got a new laptop.  In terms of hardware, the laptop is much different.  The desktop is a quad-core AMD 900 series with an ATI 4500 series gpu running backtrack 5r3.  It has 8GB of memory and standard SATA drives.  The laptop is an Intel i7 cpu, with SSD drive, NVIDIA 660M gpu, and 8GB memory running backbox 3.  The internal SATA drive is slow as fuck (just putting that out there).  I have the OS on the SSD drive and my home folder on the SATA drive.

Here are the specs as seen by pyrit list_cores from each along with the benchmark tests:

Continue reading »

Feb 05 2013
 

So I wrote this script because I often need to run tcpdump on a remote host and then view it in wireshark.  The old method was to run tcpdump on the remote host, scp/rsync the file back to my local machine, open it in wireshark, and view it.  This script saves a lot of time.  It assumes you are logging in as root and will need to be modified if you are running as a normal user (change root to your username and make sure you have sudo privileges for tcpdump).

#!/bin/bash

# By Ed Wiget
# This runs tcpdump on a remote host and pipes it back locally to wireshark to view in realtime

# 20130205 - original script

# -z handles the no-argument case; an unquoted $1 == "" breaks when $1 is empty
if [ -z "$1" ]; then
	echo "What is the remote host by fqdn, i.e. server1.domain.com"
	read RHOST
else
	RHOST=$1
fi

# -U makes tcpdump flush each packet into the pipe instead of block-buffering it,
# so wireshark really does see packets in realtime
wireshark -k -i <( ssh -l root "${RHOST}" /usr/sbin/tcpdump -U -i eth0 -w - )

# after you kill wireshark, the tcpdump still runs on the remote host...we need to kill it
PIDOF=$(ssh root@"${RHOST}" "ps aux | grep [t]cpdump" | awk '{print $2}')

echo "killing pid ${PIDOF} on ${RHOST}...please wait...."
ssh root@"${RHOST}" "pkill tcpdump"

# now we make sure it is killed
PIDOF2=$(ssh root@"${RHOST}" "ps aux | grep [t]cpdump" | awk '{print $2}')
if [ -z "${PIDOF2}" ]; then
	echo "pid check returns nothing: tcpdump is stopped on ${RHOST}"
else
	echo "pid check returns ${PIDOF2}: tcpdump is still running on ${RHOST}"
fi
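One failure mode of the process-substitution trick above is that if the remote side fails (host key prompt, tcpdump missing, no eth0), ssh emits error text into the pipe and wireshark only reports an unknown file format, while the cleanup at the end kills nothing. The following added example (mine, not Ed Wiget's script) is a small gate you can put between `ssh ... tcpdump -w -` and wireshark: it reads the first four bytes, refuses anything that is not a pcap/pcapng header, and otherwise forwards the stream byte for byte. It assumes GNU or busybox `dd`, `od` and `mktemp`; the host name in the usage comment is hypothetical.

```shell
#!/bin/bash
# pcap_gate: added example, not part of the script above.  Sits between the
# ssh|tcpdump stream and wireshark and only lets a real capture stream through.

# pcap_magic_kind HEX -> prints the capture format for 8 hex chars of magic,
# returns 1 for anything that is not a known capture header.
pcap_magic_kind() {
	case "$1" in
		a1b2c3d4|d4c3b2a1) echo "pcap" ;;       # microsecond timestamps, either byte order
		a1b23c4d|4d3cb2a1) echo "pcap-ns" ;;    # nanosecond timestamps
		0a0d0d0a)          echo "pcapng" ;;     # pcapng section header block
		*)                 echo "unknown"; return 1 ;;
	esac
}

# pcap_gate: filter stdin -> stdout; returns 1 without forwarding anything if
# the stream does not start with a capture header (e.g. an ssh error message).
pcap_gate() {
	local tmp hex kind
	tmp=$(mktemp) || return 1
	# dd with bs=1 reads exactly four bytes and never over-consumes the pipe
	dd bs=1 count=4 2>/dev/null > "$tmp"
	hex=$(od -An -tx1 -v "$tmp" | tr -d ' \n')
	if [ "${#hex}" -ne 8 ]; then
		echo "pcap_gate: stream ended before a capture header arrived" >&2
		rm -f "$tmp"; return 1
	fi
	if ! kind=$(pcap_magic_kind "$hex"); then
		echo "pcap_gate: not a capture stream (first bytes: $hex); check the ssh/tcpdump side" >&2
		rm -f "$tmp"; return 1
	fi
	echo "pcap_gate: forwarding $kind stream" >&2
	cat "$tmp"      # re-emit the four header bytes we consumed
	rm -f "$tmp"
	cat             # then everything that follows, untouched
}

# Usage in the script above (RHOST is whatever host you pass in):
#   wireshark -k -i <( ssh -l root "${RHOST}" /usr/sbin/tcpdump -U -i eth0 -w - | pcap_gate )
```

Because the gate fails before writing anything, wireshark never starts on a bad stream, and the non-zero status on stderr tells you to look at the ssh or tcpdump side rather than at wireshark.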

Oct 31 2012
 
#!/bin/bash

# By Ed Wiget
# This script grabs the latest nmap, zenmap, ncat, nping in rpm format and converts them to deb

# 20121031 - original script

# the version we are grabbing
VER=6.01-1

# the architecture we are using
ARCH=x86_64

# our working dir
TEMP_DIR=~/nmap-files

# check if it exists and if not, create it
if [ ! -d "${TEMP_DIR}" ]; then
	mkdir -p "${TEMP_DIR}"
fi

# check to make sure alien is installed and if not, install it
if [ ! -f /usr/bin/alien ]; then
	sudo apt-get install alien
fi

# cd to the working dir; bail out if that fails so the rm/alien/dpkg below
# never run in whatever directory we happened to start in
cd "${TEMP_DIR}" || exit 1

# 386 files
# http://nmap.org/dist/nmap-6.01-1.i386.rpm
# http://nmap.org/dist/zenmap-6.01-1.noarch.rpm
# http://nmap.org/dist/ncat-6.01-1.i386.rpm
# http://nmap.org/dist/nping-0.6.01-1.i386.rpm

# x86_64 files
# http://nmap.org/dist/nmap-6.01-1.x86_64.rpm
# http://nmap.org/dist/ncat-6.01-1.x86_64.rpm
# http://nmap.org/dist/nping-0.6.01-1.x86_64.rpm

# no arch
# http://nmap.org/dist/zenmap-6.01-1.noarch.rpm

# grab the files; stop if any download fails so we never convert a partial file
wget -O "${TEMP_DIR}/nmap-${VER}.${ARCH}.rpm" "http://nmap.org/dist/nmap-${VER}.${ARCH}.rpm" || exit 1
wget -O "${TEMP_DIR}/ncat-${VER}.${ARCH}.rpm" "http://nmap.org/dist/ncat-${VER}.${ARCH}.rpm" || exit 1
wget -O "${TEMP_DIR}/nping-0.${VER}.${ARCH}.rpm" "http://nmap.org/dist/nping-0.${VER}.${ARCH}.rpm" || exit 1
wget -O "${TEMP_DIR}/zenmap-${VER}.noarch.rpm" "http://nmap.org/dist/zenmap-${VER}.noarch.rpm" || exit 1

# remove any deb files currently in this dir
rm -f *.deb

# convert the downloaded files to deb
sudo alien "nmap-${VER}.${ARCH}.rpm"
sudo alien "ncat-${VER}.${ARCH}.rpm"
sudo alien "nping-0.${VER}.${ARCH}.rpm"
sudo alien "zenmap-${VER}.noarch.rpm"

# install the packages
sudo dpkg --install *.deb
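The flow above fetches over plain http and hands every file straight to `sudo alien` and `sudo dpkg --install`, so a tampered download would end up as a package installed as root. The following added example (mine, not Ed Wiget's script) is a fetch wrapper that checks each download's SHA-256 against a value you obtained out of band (the digest the project publishes for that exact file, transcribed by hand) and deletes the file on mismatch so the later `alien *.rpm` and `dpkg --install *.deb` globs cannot pick it up. It assumes GNU coreutils `sha256sum` and `wget`; the digest strings in `main` are placeholders to be replaced, and `RUN_FETCH` is a hypothetical switch so the functions can be sourced without starting downloads.

```shell
#!/bin/bash
# verify_before_install: added example, not part of the script above.

# verify_sha256 FILE EXPECTED_HEX -> 0 if the file's digest matches, 1 otherwise
verify_sha256() {
	local file="$1" expected="$2" actual
	[ -f "$file" ] || { echo "verify_sha256: missing $file" >&2; return 1; }
	actual=$(sha256sum "$file" | awk '{print $1}')
	if [ "$actual" = "$expected" ]; then
		return 0
	fi
	echo "verify_sha256: checksum mismatch for $file" >&2
	echo "  expected: $expected" >&2
	echo "  actual:   $actual" >&2
	return 1
}

# fetch_verified URL DEST EXPECTED_HEX -> download, verify, and remove the file
# on any failure so a later "alien *.rpm" / "dpkg --install *.deb" cannot use it
fetch_verified() {
	local url="$1" dest="$2" expected="$3"
	wget -q -O "$dest" "$url" || { rm -f "$dest"; return 1; }
	verify_sha256 "$dest" "$expected" || { rm -f "$dest"; return 1; }
}

# Drop-in replacement for the wget lines of the script above.  The digests are
# PLACEHOLDERS: put in the value published for that exact file and version.
main() {
	local ver="${1:-6.01-1}" arch="${2:-x86_64}" dir="${3:-$HOME/nmap-files}"
	mkdir -p "$dir" || exit 1
	fetch_verified "http://nmap.org/dist/nmap-${ver}.${arch}.rpm" \
		"$dir/nmap-${ver}.${arch}.rpm" "<sha256 of nmap rpm>" || exit 1
	fetch_verified "http://nmap.org/dist/ncat-${ver}.${arch}.rpm" \
		"$dir/ncat-${ver}.${arch}.rpm" "<sha256 of ncat rpm>" || exit 1
	fetch_verified "http://nmap.org/dist/nping-0.${ver}.${arch}.rpm" \
		"$dir/nping-0.${ver}.${arch}.rpm" "<sha256 of nping rpm>" || exit 1
	fetch_verified "http://nmap.org/dist/zenmap-${ver}.noarch.rpm" \
		"$dir/zenmap-${ver}.noarch.rpm" "<sha256 of zenmap rpm>" || exit 1
	# only now is it reasonable to run:
	#   cd "$dir" && sudo alien *.rpm && sudo dpkg --install *.deb
}

# hypothetical switch: RUN_FETCH=1 ./verify_before_install.sh 6.01-1 x86_64
if [ "${RUN_FETCH:-0}" = 1 ]; then
	main "$@"
fi
```

Comparing against a hand-transcribed digest means a mirror or on-path change to the rpm is caught before anything runs under sudo; a digest file fetched over the same plain-http channel would give no such assurance.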

Jul 13 2012
 

Credit where credit is due... The bulk of this article was obtained from the excellent article located here: http://www.xors.me/?p=4458

I found the original article and then modified it to fit my operating system and environment.  It has been modified to work with a Backtrack Linux installation using a native virtualbox-4.1 installation.

Background

To provide some background, Cuckoo Sandbox performs automated malware analysis using system virtualization technologies.  At a high level, Cuckoo executes Python scripts, which then spawn a VirtualBox Virtual Machine (VM) environment running a Guest OS (i.e. Windows XP), to execute and analyze malware code in a controlled environment.  Once the Guest OS launches, VirtualBox uses local shares to access Python scripts located on the Host OS (i.e. Ubuntu/Backtrack).  Python therefore needs to be installed on both the Guest and Host OS environments for this product to work.  Within the Guest OS, you will also need vulnerable applications to help analyze code, by forcing execution of malware binaries or malicious URLs.  As the installation documentation provided with Cuckoo Sandbox is missing a few requirements, this post will show a user how to perform a functional install of Cuckoo Sandbox.

A link to the original video is below in avi format.

cuckoo sandbox working under a normal user account

Continue reading »

Jul 11 2012
 

One of my computers started having a segmentation fault whenever I would try to run VirtualBox.  Looking into this further, I found this error message when running virtualbox under the strace command:

write(2, "VirtualBox: Error -10 in SUPR3Ha"..., 44VirtualBox: Error -10 in SUPR3HardenedMain!
) = 44
write(2, "VirtualBox: ", 12VirtualBox: )            = 12
write(2, "Effective UID is not root (euid="..., 65Effective UID is not root (euid=1001 egid=1001 uid=1001 gid=1001)) = 65
write(2, "\n", 1
)                       = 1
write(2, "\nVirtualBox: Tip! It may help to"..., 55
VirtualBox: Tip! It may help to reinstall VirtualBox.
) = 55
setresgid(1001, 1001, 1001)             = 0
setresuid(1001, 1001, 1001)             = 0
getresuid([1001], [1001], [1001])       = 0
getresgid([1001], [1001], [1001])       = 0
capset(0x19980330, 0, {CAP_NET_RAW, CAP_NET_RAW, 0}) = -1 EPERM (Operation not permitted)
clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fd9d6a9c9f0) = 4340
exit_group(1)                           = ?
user@HOST:~$ <html><b>Effective UID is not root (euid=1001 egid=1001 uid=1001 gid=1001) (rc=-10)</b><br/><br/>Please try reinstalling VirtualBox.</html>

What the problem ended up being was:

Continue reading »

Jul 09 2012
 

Backtrack has dbpwaudit in /pentest/database/dbpwaudit; however, it does not come with the java jar files required.  So, first you have to go download them.  The easiest way I found to do that is to list the driver aliases and then google them.  You can get the aliases with the -L option:

user@HOST:/pentest/database/dbpwaudit$ ./dbpwaudit.sh -L
DBPwAudit v0.8 by Patrik Karlsson <patrik@cqure.net>
----------------------------------------------------
Oracle - oracle.jdbc.driver.OracleDriver
MySQL - com.mysql.jdbc.Driver
MSSql - com.microsoft.sqlserver.jdbc.SQLServerDriver
DB2 - com.ibm.db2.jcc.DB2Driver

Continue reading »

Jun 18 2012
 

So, a few guys at work are using this, and I was looking for something lighter than what I normally use when I need syntax highlighting, which is kate or eclipse.  When I don’t need syntax highlighting I use vim.

First, from the web page “Sublime Text is a sophisticated text editor for code, html and prose. You’ll love the slick user interface and extraordinary features”.

Installation is really easy on ubuntu

Continue reading »

Jun 13 2012
 

I love tweetdeck, so imagine my surprise when Adobe decided not to support AIR on linux anymore.  So until today, I had still been using the native adobe air version of tweetdeck on linux.  Yesterday though, tweetdeck would randomly lock up.  Today, it wouldn’t post or anything, so I set out to install the windows version on linux using wine.  It’s actually pretty damn easy and so far, no problems.

This is how you do it in 5 steps or less in ubuntu’ish linux:

Continue reading »