Creating Password Hashes From Wordlists And Storing Them In a Database

 Debian, Hå¢kïñg, Kali, Lïñµx, Rê§êår¢h, Uncategorized, §¢rïþ†§, §¥§†êm ÄÐmïñ阮rå†ïðñ, †êå¢hïñg, †µ†ðrïål§  No Responses »
May 182013
 

A long time ago, I created a database to hold passwords and their respective hashes for some 16 various hash types.  It has approximately 310,261,848 passwords for each type and is growing nearly every day as more password lists become available.  I found a pretty quick way to generate the hashes for these wordlists and wanted to share how it is done.  These hashes only work with unsalted/unpeppered passwords.

First, lets look at my table schema, which is very simple and very effective.  It uses an index on the hash + password column so there can not be any two hashes+passwords that are the same.  The types table is a  simple lookup table that references data.type 1 to a name like DES.  The primary key is on the name column.  I don’t claim to be a db administrator so if you spot any errors, let me know.

Continue reading »

Pyrit: Testing New Laptop vs Desktop

 Backbox, Hå¢kïñg, Lïñµx, Rê§êår¢h, ßå¢k†rå¢k, §¥§†êm ÄÐmïñ阮rå†ïðñ  No Responses »
Feb 102013
 

My desktop computer is a couple of years old.  It serves me well for what I do.  I just got a new laptop.  In terms of hardware, the laptop is much different.  The desktop is a quad-core AMD 900 series with an ATI 4500 series gpu running backtrack 5r3.  It has 8GB of memory and standard SATA drives.  The laptop is an Intel i7 cpu, with SSD drive, NVIDIA 660M gpu, and 8GB memory running backbox 3.  The internal SATA drive is slow as fuck (just putting that out there).  I have the OS on the SSD drive and my home folder on the SATA drive.

Here are the specs as seen by pyrit list_cores from each along with the benchmark tests:

Continue reading »

Bash: script to run tcpdump on remote host and pipe it back to local wireshark

 Arch, Backbox, Debian, Diagnostics, Gêñ†ðð, Hå¢kïñg, Lïñµx, Monitoring, Netbook, Redhat, Rê§êår¢h, ßå¢k†rå¢k, Ubuntu, §¢rïþ†§, §¥§†êm ÄÐmïñ阮rå†ïðñ  No Responses »
Feb 052013
 

So I wrote this script because I often need to run tcpdump on a remote host and then view it in wireshark.  The old method was to run tcpdump on remote host, scp/rsync the file back to my local machine, open it in wireshark, view it.  This script saves a lot of time.  It assumes you are logging in as root and will need modified if you are running as a normal user (change root to your username and make sure you have sudo privileges for tcpdump)

#!/bin/bash
 
# By Ed Wiget
# This runs tcpdump on a remote hosts and pipes it back locally to wireshark to view in realtime
 
# 20130205 - original script
 
if [ $1 == "" ]; then
	echo "What is the remote host by fqdn, i.e. server1.domain.com"
	read RHOST
else
	RHOST=$1
fi
 
wireshark -k -i <( ssh -l root ${RHOST} /usr/sbin/tcpdump -i eth0 -w - )
 
# after you kill wireshark, the tcpdump still runs on remove host...we need to kill it
PIDOF=`ssh root@${RHOST} "ps aux | grep [t]cpdump" | awk -F" " '{print$2}'`
 
echo "killing pid ${PIDOF} on ${RHOST}...please wait...."
ssh root@${RHOST} "pkill tcpdump"
 
# now we make sure it is killed
PIDOF2=`ssh root@${RHOST} "ps aux | grep [t]cpdump" | awk -F" " '{print$2}'`
if [ ${PIDOF2} == "" ]; then
	echo "pid check returns ${PIDOF2}"
else
	echo "pid check returns ${PIDOF2}"
fi

Glastopf Web Application Honeypot

 Debian, Hå¢kïñg, Lïñµx, Rê§êår¢h, Web Application Honeypot, §¢rïþ†§, §¥§†êm ÄÐmïñ阮rå†ïðñ, Ðïgï†ål £ðrêñ§ï¢§, †êå¢hïñg, †µ†ðrïål§  No Responses »
Jul 272012
 
glastopf-box

Glastopf is a web application honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications.  The principle behind it is very simple:  Reply the correct response to the attacker exploiting the web application.

This article is mostly to cover the installation, setup, usage, etc

Installation

Continue reading »

Auditing mysql passwords with dbpwaudit

 Hå¢kïñg, Lïñµx, Rê§êår¢h, ßå¢k†rå¢k, §¢rïþ†§, §¥§†êm ÄÐmïñ阮rå†ïðñ, †µ†ðrïål§  No Responses »
Jul 092012
 

Backtrack has dbpwaudit in /pentest/database/dbpwaudit, however, it does not come with the java jar files required.  So, first you have to go download them.  The easiest way I found out to do that is by simply searching for the aliases and then googling them.  You can get the aliases with the -L option:

user@HOST:/pentest/database/dbpwaudit$ ./dbpwaudit.sh -L
DBPwAudit v0.8 by Patrik Karlsson <patrik@cqure.net>
----------------------------------------------------
Oracle - oracle.jdbc.driver.OracleDriver
MySQL - com.mysql.jdbc.Driver
MSSql - com.microsoft.sqlserver.jdbc.SQLServerDriver
DB2 - com.ibm.db2.jcc.DB2Driver

Continue reading »

Sniffing the Cloud

 ÇlðµÐ, Hå¢kïñg, Rê§êår¢h, §¥§†êm ÄÐmïñ阮rå†ïðñ  No Responses »
Oct 212011
 

This is part 2 of Securing the Cloud.

Here is an interesting idea I have had some success with.  You spin up a new cloud instance, get a new ip that has been reissued.  Immediately start sniffing the traffic while doing some research to identify who previously had been using that IP address.  What can you obtain?  Maybe an admin will try to log into the old server via ip address, so now you have a valid admin username and password.  If the ip was reissued prior to every isp’s dns cache updating, you will likely obtain hits to services still cached at those isp’s, such as ftp accounts via domain, ssh accounts accounts via domains, and for hosted servers….you can at least grab some of the domains hosted at that previous ip.

You would be surprised just the type of information you can grab…..something to think about.

þ姧wðrÐ þrð†ê¢†ïñg wþ-åÐmïñ wï†h ñgïñx

 ÇlðµÐ, Lïñµx, ñgïñx, Rê§êår¢h, §¢rïþ†§, §¥§†êm ÄÐmïñ阮rå†ïðñ  No Responses »
Sep 122011
 

This is just a quick note on how to password protect wp-admin using nginx.

You may have to fiddle with the location of the lines in the site.conf file.

Where I thought the config variables needed to go, gave me a “download file” of type bin in nginx after authentication.

So, here is how I did it:

server {
   listen 80;
   server_name domain.com www.domain.com;
   access_log /logs/domain.com-access.log;
   error_log /logs/domain.com-error.log;
   root /var/www/sites/domain.com/htdocs;
location / {
try_files $uri $uri/ /index.php?q=$request_uri;
	   }
include /usr/nginx/conf/staticfiles.conf;
include /usr/nginx/conf/php.conf;
include /usr/nginx/conf/drop.conf;
 
        # password protect wp-admin
                location ~ ^/wp-admin {
                auth_basic “Restricted”;
                auth_basic_user_file /path/to/htpasswd/file;
                try_files $uri $uri/ /index.php?q=$request_uri;
                }
}

Quick Fix for Apache CVE-2011-3192

 Apache, Lïñµx, Redhat, Rê§êår¢h, §¢rïþ†§, §¥§†êm ÄÐmïñ阮rå†ïðñ  4 Responses »
Aug 242011
 

Thought I would share this quick fix ref CVE-2011-3192 with the POC available here:
http://seclists.org/fulldisclosure/2011/Aug/175

First, if you are an apache admin, get this fixed ASAP. I was able to take down a small test server with 7 http get requests.

Login to the server and run this command to see if you have mod_headers installed:

locate mod_headers

If you see mod_headers.so in that list, you can continue to Configuring Apache.  Otherwise go to Compiling Mod_Headers

Continue reading »

ßħH: RåñÐðmïzïñg Ðå†å

 Hå¢kïñg, Lïñµx, Rê§êår¢h, ßå¢k†rå¢k, §¢rïþ†§, §¥§†êm ÄÐmïñ阮rå†ïðñ  No Responses »
Jul 222011
 

I am often on the go, and sometimes I only have a few hours to do something.  A scenario came up where I have a few hours of time and I wanted to do a quick pentest of a few sites during that time.  I had a long list of domains to audit, and during the previous two days I had started at the top of the list and worked my way down.  I had made it through about 13 domains, but had 150+ left to go.  So its during these brief periods where I could perform the bulk scan of a few domains that could help me stay on track to get this job completed on time.  Except, I didn’t have a way to really select 5 or 6 domains from the list without doing it manually.

I came up with an idea, what if I could randomly select a few hosts from the list, then keep track of the hosts I had audited this way….eventually I would get through the entire list.  The following script is what I came up with…

Continue reading »

ßå¢k†rå¢k: ĵ†ðmå†ïñg þêñ†ê§†

 Hå¢kïñg, Lïñµx, Rê§êår¢h, ßå¢k†rå¢k, Uncategorized, §¢rïþ†§, §¥§†êm ÄÐmïñ阮rå†ïðñ  No Responses »
Jul 102011
 

So like most people who do pentesting, I am always strapped for time and always have way too many things on my plate.  So, what I have done over the years is try to automate the things I do on a regular basis.  This allows me to repeat the results consistently.  It also allows me to run a consistent pentest weekly, monthly, or however often I need to schedule them to be done.

I will go ahead and tell you now, these tests are extremely noisy.  They generate a lot of traffic, and I don’t try to slide under any IDS’s or anything else.  Why?  Because I am authorized to conduct these penetration tests.

Continue reading »

 Older Entries