May 182013
 

A long time ago, I created a database to hold passwords and their respective hashes for some 16 various hash types.  It has approximately 310,261,848 passwords for each type and is growing nearly every day as more password lists become available.  I found a pretty quick way to generate the hashes for these wordlists and wanted to share how it is done.  These hashes only work with unsalted/unpeppered passwords.

First, lets look at my table schema, which is very simple and very effective.  It uses an index on the hash + password column so there can not be any two hashes+passwords that are the same.  The types table is a  simple lookup table that references data.type 1 to a name like DES.  The primary key is on the name column.  I don’t claim to be a db administrator so if you spot any errors, let me know.

Continue reading »

May 152012
 
#!/bin/bash
 
# By Ed Wiget
# This script sets up a proxy so that you can audit web servers anonymously over tor
# 20111113 - initial script (better method)
# enable next line for debugging
#set -x
 
echo "Please enter the ip address of the target host or a domain name"
read dom
 
# this checks to see if we set a domain name or ip address
# it sets the variable IP to the ip address of domain or ip entered
# if you are auditing more than .com, .net, .org, .edu addresses, you need to add them below
if [ "`echo ${dom} | egrep 'com|net|org|edu' | wc -l`" = "1" ]; then
		IP=`tor-resolve ${dom}`
	else
		IP=${dom}
fi
 
# for debugging to make sure we are setting IP correctly
#echo ${IP}
 
# here we set up a socat proxy listening on localhost port 8080
# it forwards any tcp requests to ${IP} port 80
# via the socks tor listening on localhost 9050
sudo socat TCP4-LISTEN:8080,fork SOCKS4:127.0.0.1:${IP}:80,socksport=9050 &
 
# the sleep is required or the check for listening fails below
sleep 2
 
if [ "`sudo netstat -ptane | grep 8080 | wc -l`" = "1" ]; then
	echo "proxy started successfully"
else
	echo "proxy not running"
	exit
fi
 
# here we are going to check port 80 for a web server which will likely tell us the
# operating system too via the results
sudo proxychains nmap -sT -PN -n -sV ${IP} -p80
 
# here we need to set up w3af_gui running as root in order to connect to our proxy
echo "when w3af opens, click on advanced target settings"
sleep 1
echo "set the target ip in w3af to http://127.0.0.1:8080"
sleep 1
echo "set the targetos and targetframework in w3af as returned by the nmap check above"
sleep 1
sudo /pentest/web/w3af/w3af_gui &

 

So now you can audit a web app using w3af.  If you wanted to use nessus or metasploit, just plug in the address as 127.0.0.1:8080

Nov 302011
 

I have set up many laptops and netbooks with linux and have always used either full-disk encryption or ~/ encrypted.  Its really easy to do and ANY laptop/netbook/tablet/pad/whatever_next mobile device should be encrypted.  I won’t get into the mechanics of why, just do it.  The last article I wrote about this is no longer online (Maysville Linux Users Group, circa 2007) and it was much harder to accomplish back then, often requiring custom kernels to be compiled, etc.  Backtrack has “nearly” everything it takes right on the live cd.

Prerequisites

  1. A laptop
  2. bootable media (backtrack on usb stick, cdrom, some other distro, etc)
  3. Internet connection (backtracks only requirement is to download two files)

Continue reading »

May 102011
 

A lot of recent talks about “securing the cloud” but let me give you my take on it.

I am in the cloud, businesses are in the cloud, but which cloud?  Is any one cloud environment more secure than the other?  Let me give you a few things I have learned about the cloud….cause this might seem rather alarming to some or most.

Treat all cloud environments as a hostile environment.  Treat it like a wide open door to your business infrastructure, matter of fact, treat it like something blew 2 of the 4 outer parameter walls off of your business along with half of the roof coming down.  Rethink what you consider secure, how you secure services and applications, and treat it like you just handed everything to a blackhat hacker.

Almost every cloud environment I have used or tested offers a “private ip address” but is it really private?  If you dig around, you will find that it is not.  Matter of fact, it seems that others with those private ip addresses believe they have their own vlan switch of private ip address ranges segregated from everyone else….but fact is, you share your data on your private ip address range with many other clients on the same private ip address range.  Why?  Because you are all sharing a cut of the cpu, memory, network cards, etc of the same physical server.  Even though you might secure your forward facing applications, you would be surprised how many applications within the private ip addresses are not secured.  Why?  Because people automatically think of it in terms of “our local network or private lan”.  Why?  Because its in the same ip range as a private network.

See EXAMPLE 1 below

And because people treat it like a private lan network, they do the craziest things like “unpatched apache or other insecure software”, how about mysql root without a password on the private lan for ease of administration, or what about using the private lan to send critical confidential customer (or patient) records across to another failover server on the private lan….unencrypted.  You see where this is going??

See EXAMPLE 2 below

And then lets talk about pre-made cloud environments…..

Continue reading »