Jul 272012
 

Glastopf is a web application honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications.  The principle behind it is very simple:  Reply the correct response to the attacker exploiting the web application.

This article is mostly to cover the installation, setup, usage, etc

Installation

Continue reading »

Jul 092012
 

Backtrack has dbpwaudit in /pentest/database/dbpwaudit, however, it does not come with the java jar files required.  So, first you have to go download them.  The easiest way I found out to do that is by simply searching for the aliases and then googling them.  You can get the aliases with the -L option:

user@HOST:/pentest/database/dbpwaudit$ ./dbpwaudit.sh -L
DBPwAudit v0.8 by Patrik Karlsson <patrik@cqure.net>
----------------------------------------------------
Oracle - oracle.jdbc.driver.OracleDriver
MySQL - com.mysql.jdbc.Driver
MSSql - com.microsoft.sqlserver.jdbc.SQLServerDriver
DB2 - com.ibm.db2.jcc.DB2Driver

Continue reading »

May 152012
 
#!/bin/bash
 
# By Ed Wiget
# This script sets up a proxy so that you can audit web servers anonymously over tor
# 20111113 - initial script (better method)
# enable next line for debugging
#set -x
 
echo "Please enter the ip address of the target host or a domain name"
read dom
 
# this checks to see if we set a domain name or ip address
# it sets the variable IP to the ip address of domain or ip entered
# if you are auditing more than .com, .net, .org, .edu addresses, you need to add them below
if [ "`echo ${dom} | egrep 'com|net|org|edu' | wc -l`" = "1" ]; then
		IP=`tor-resolve ${dom}`
	else
		IP=${dom}
fi
 
# for debugging to make sure we are setting IP correctly
#echo ${IP}
 
# here we set up a socat proxy listening on localhost port 8080
# it forwards any tcp requests to ${IP} port 80
# via the socks tor listening on localhost 9050
sudo socat TCP4-LISTEN:8080,fork SOCKS4:127.0.0.1:${IP}:80,socksport=9050 &
 
# the sleep is required or the check for listening fails below
sleep 2
 
if [ "`sudo netstat -ptane | grep 8080 | wc -l`" = "1" ]; then
	echo "proxy started successfully"
else
	echo "proxy not running"
	exit
fi
 
# here we are going to check port 80 for a web server which will likely tell us the
# operating system too via the results
sudo proxychains nmap -sT -PN -n -sV ${IP} -p80
 
# here we need to set up w3af_gui running as root in order to connect to our proxy
echo "when w3af opens, click on advanced target settings"
sleep 1
echo "set the target ip in w3af to http://127.0.0.1:8080"
sleep 1
echo "set the targetos and targetframework in w3af as returned by the nmap check above"
sleep 1
sudo /pentest/web/w3af/w3af_gui &

 

So now you can audit a web app using w3af.  If you wanted to use nessus or metasploit, just plug in the address as 127.0.0.1:8080

Feb 112012
 

You might also want to see my article Installing JTR On Backtrack for Multiprocessor Cores

I am too lazy to restore the old version of this file from my old website (it was hosted for years on mambo and I am just too lazy to do the db conversion).  Anyways, this website serves a couple of purposes, first is to keep some of my own notes handy and second to help others.  With that in mind, here is a collection of tips on using john the ripper:

Prepare Linux Shadow Passwords

umask 077
./unshadow /etc/passwd /etc/shadow > mypasswds

Continue reading »

Feb 042012
 

I created this because I always forget the command to enumerate snmp and I am often too lazy to read man pages 🙂

#!/bin/bash
 
# By Ed Wiget
# This script takes an input ip or domain and performs a snmpwalk using common community strings
# 20120204 - initial script
 
function proghelp (){
	echo ""
	echo ""
	echo "Help:"
	echo "./eds-smtpwalk.sh ip_address"
	echo ""
	echo "Example:"
	echo "./eds-smtpwalk.sh 127.0.0.1"
	echo ""
	echo ""
}
 
if [ $# -ne 1 ]
then
clear
proghelp
exit
fi
 
# set up the first input value
if [ "$1" == "" ]; then
 
        echo "What is the ip address to query?"
        read SVRIP
else
        SVRIP=$1
fi
 
if [ -f wordlist-common-snmp-community-strings.txt ]; then
	for COMSTG in `cat wordlist-common-snmp-community-strings.txt`
		do
# removed below in favor of auto list
# set up the second input value
#if [ "$2" == "" ]; then		
#        echo "What is the community string?"
#        read COMSTG
#else
#	COMSTG=$2
#fi
 
		snmpwalk -v2c -c ${COMSTG} $1 system
	done
 
else
 
echo "wordlist-common-snmp-community-strings.txt does not exist.......fetching now......please wait"
echo ""
wget http://fuzzdb.googlecode.com/svn/trunk/wordlists-misc/wordlist-common-snmp-community-strings.txt
echo ""
echo "please run again....."
fi

Aug 052011
 

Here is a simple installer script for arachni for backtrack 5.  It clones the git directory and builds from source.

#!/bin/bash
 
# Ed Wiget <security at rhpstudios dot com>
# Install arachni
# 20110801 - Initial script
 
sudo apt-get install libxml2-dev libxslt1-dev libcurl4-openssl-dev libsqlite3-dev
cd /pentest/enumeration
sudo git clone git://github.com/Zapotek/arachni.git arachni
cd arachni
sudo rake install

And this is a script I use to audit multiple domains from a list, 1 domain per line

Continue reading »

May 182011
 
openvas gsd interface

So backtrack 5 still using the older openvas-2 series and I actually like the newer version.  So here are the instructions on getting the latest version installed. This will install these versions: openvas libraries 4.0.5-1; openvas scanner 3.2.4-1; openvas client 3.0; openvas manager 2.0.4-1; openvas admin 1.1.1-1; gsa 2.0.1-1; gsd 1.2.0-1; openvas cli 1.1.2-1 as packaged by the opensuse build service.

 

NOTE: June 23, 2011 — if the version numbers have changed, you can browse the repository address and update this document accordingly.  Also, yes, this does work on my bt5 install on three different systems.  I am installing on a 4th system now and will update the steps because I think I may have left 1 or 2 out.

Continue reading »