Mar 092013
 

As I use nginx more and more, one of the things I miss is being able to see who is connecting to the server and the request they are making.  This is often helpful in determining attacks.  So, I basically wrote this script which does it.

#!/bin/bash
 
# By Ed Wiget
# This shows active GET and POSTS to port 80
# One of the things i hate about nginx is the lack of an apache style status page showing requests
# hence I wront this script....which does it at a network layer, using ngrep
 
# 20130308 - original script
 
## grep all HTTP GET or POST requests from network traffic on eth0 interface  ##
# sudo ngrep -l -q -d eth0 "^GET |^POST " tcp and port 80
 
if [ `which ngrep | head -1 | wc -l` == "0" ]; then
	echo "missing ngrep....please install"
	exit
fi
 
if [ $1 = "" ]; then
	echo "You must pass the interface as an option, i.e. eth0 or eth1, etc"
	read CIF
else
	CIF=$1
fi
 
thing=1
 
until [ $thing = "0" ]; do
	# uncomment top line if you dont need x-forward-for
        #sudo ngrep -l -q -d eth0 "^GET |^POST " tcp and port 80
        # use the next line if you do need x-forward-for
	#sudo ngrep -d eth1 -q 'X-Forwarded-For'  tcp and port 80
	ngrep -d ${CIF} -t '^(GET|POST) ' tcp and port 80
	echo
	sleep 1;
done

CHANGES

20130905 – added option to pass interface

Feb 102013
 

My desktop computer is a couple of years old.  It serves me well for what I do.  I just got a new laptop.  In terms of hardware, the laptop is much different.  The desktop is a quad-core AMD 900 series with an ATI 4500 series gpu running backtrack 5r3.  It has 8GB of memory and standard SATA drives.  The laptop is an Intel i7 cpu, with SSD drive, NVIDIA 660M gpu, and 8GB memory running backbox 3.  The internal SATA drive is slow as fuck (just putting that out there).  I have the OS on the SSD drive and my home folder on the SATA drive.

Here are the specs as seen by pyrit list_cores from each along with the benchmark tests:

Continue reading »

Feb 052013
 

So I wrote this script because I often need to run tcpdump on a remote host and then view it in wireshark.  The old method was to run tcpdump on remote host, scp/rsync the file back to my local machine, open it in wireshark, view it.  This script saves a lot of time.  It assumes you are logging in as root and will need modified if you are running as a normal user (change root to your username and make sure you have sudo privileges for tcpdump)

#!/bin/bash
 
# By Ed Wiget
# This runs tcpdump on a remote hosts and pipes it back locally to wireshark to view in realtime
 
# 20130205 - original script
 
if [ $1 == "" ]; then
	echo "What is the remote host by fqdn, i.e. server1.domain.com"
	read RHOST
else
	RHOST=$1
fi
 
wireshark -k -i <( ssh -l root ${RHOST} /usr/sbin/tcpdump -i eth0 -w - )
 
# after you kill wireshark, the tcpdump still runs on remove host...we need to kill it
PIDOF=`ssh root@${RHOST} "ps aux | grep [t]cpdump" | awk -F" " '{print$2}'`
 
echo "killing pid ${PIDOF} on ${RHOST}...please wait...."
ssh root@${RHOST} "pkill tcpdump"
 
# now we make sure it is killed
PIDOF2=`ssh root@${RHOST} "ps aux | grep [t]cpdump" | awk -F" " '{print$2}'`
if [ ${PIDOF2} == "" ]; then
	echo "pid check returns ${PIDOF2}"
else
	echo "pid check returns ${PIDOF2}"
fi

Jul 272012
 

Glastopf is a web application honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications.  The principle behind it is very simple:  Reply the correct response to the attacker exploiting the web application.

This article is mostly to cover the installation, setup, usage, etc

Installation

Continue reading »

May 152012
 
#!/bin/bash
 
# By Ed Wiget
# This script sets up a proxy so that you can audit web servers anonymously over tor
# 20111113 - initial script (better method)
# enable next line for debugging
#set -x
 
echo "Please enter the ip address of the target host or a domain name"
read dom
 
# this checks to see if we set a domain name or ip address
# it sets the variable IP to the ip address of domain or ip entered
# if you are auditing more than .com, .net, .org, .edu addresses, you need to add them below
if [ "`echo ${dom} | egrep 'com|net|org|edu' | wc -l`" = "1" ]; then
		IP=`tor-resolve ${dom}`
	else
		IP=${dom}
fi
 
# for debugging to make sure we are setting IP correctly
#echo ${IP}
 
# here we set up a socat proxy listening on localhost port 8080
# it forwards any tcp requests to ${IP} port 80
# via the socks tor listening on localhost 9050
sudo socat TCP4-LISTEN:8080,fork SOCKS4:127.0.0.1:${IP}:80,socksport=9050 &
 
# the sleep is required or the check for listening fails below
sleep 2
 
if [ "`sudo netstat -ptane | grep 8080 | wc -l`" = "1" ]; then
	echo "proxy started successfully"
else
	echo "proxy not running"
	exit
fi
 
# here we are going to check port 80 for a web server which will likely tell us the
# operating system too via the results
sudo proxychains nmap -sT -PN -n -sV ${IP} -p80
 
# here we need to set up w3af_gui running as root in order to connect to our proxy
echo "when w3af opens, click on advanced target settings"
sleep 1
echo "set the target ip in w3af to http://127.0.0.1:8080"
sleep 1
echo "set the targetos and targetframework in w3af as returned by the nmap check above"
sleep 1
sudo /pentest/web/w3af/w3af_gui &

 

So now you can audit a web app using w3af.  If you wanted to use nessus or metasploit, just plug in the address as 127.0.0.1:8080

Mar 022012
 
echo "deb http://updates.repository.backtrack-linux.org revolution main microverse non-free testing" >> /etc/apt/sources.list 
apt-get update 
apt-get dist-upgrade

And it includes these new tools:

arduino	bluelog	bt-audit	dirb	dnschef	dpscan	easy-creds	extundelete
findmyhash	golismero	goofile	hashcat-gui	hash-identifier	hexorbase	horst	hotpatch
joomscan	killerbee	libhijack	magictree	nipper-ng	patator	pipal	pyrit
reaver	rebind	rec-studio	redfang	se-toolkit	sqlsus	sslyze	sucrack
thc-ssl-dos	tlssled	uniscan	vega	watobo	wcex	wol-e	xspy

Feb 112012
 

You might also want to see my article Installing JTR On Backtrack for Multiprocessor Cores

I am too lazy to restore the old version of this file from my old website (it was hosted for years on mambo and I am just too lazy to do the db conversion).  Anyways, this website serves a couple of purposes, first is to keep some of my own notes handy and second to help others.  With that in mind, here is a collection of tips on using john the ripper:

Prepare Linux Shadow Passwords

umask 077
./unshadow /etc/passwd /etc/shadow > mypasswds

Continue reading »

Feb 112012
 

Lets face it, John the Ripper has been around a long time and the reason its been around a long time is because its damn good at cracking passwords.  Yea, hashcat and oclhashcat are great for gpu cracking, but it doesn’t support as many algorithms as JTR.  So, imagine my surprise when I fire up John The Ripper on backtrack 5 64 bit and find out it is using a single CPU.  That is letting a potential 75% of my system sit there wanting to do something.  Luckily the fix is easier than fixing a sandwich.

If you already have jtr installed, you may want to see my john tips article.

First, lets grab the jumbo sourcecode….

Continue reading »

Feb 042012
 

I created this because I always forget the command to enumerate snmp and I am often too lazy to read man pages 🙂

#!/bin/bash
 
# By Ed Wiget
# This script takes an input ip or domain and performs a snmpwalk using common community strings
# 20120204 - initial script
 
function proghelp (){
	echo ""
	echo ""
	echo "Help:"
	echo "./eds-smtpwalk.sh ip_address"
	echo ""
	echo "Example:"
	echo "./eds-smtpwalk.sh 127.0.0.1"
	echo ""
	echo ""
}
 
if [ $# -ne 1 ]
then
clear
proghelp
exit
fi
 
# set up the first input value
if [ "$1" == "" ]; then
 
        echo "What is the ip address to query?"
        read SVRIP
else
        SVRIP=$1
fi
 
if [ -f wordlist-common-snmp-community-strings.txt ]; then
	for COMSTG in `cat wordlist-common-snmp-community-strings.txt`
		do
# removed below in favor of auto list
# set up the second input value
#if [ "$2" == "" ]; then		
#        echo "What is the community string?"
#        read COMSTG
#else
#	COMSTG=$2
#fi
 
		snmpwalk -v2c -c ${COMSTG} $1 system
	done
 
else
 
echo "wordlist-common-snmp-community-strings.txt does not exist.......fetching now......please wait"
echo ""
wget http://fuzzdb.googlecode.com/svn/trunk/wordlists-misc/wordlist-common-snmp-community-strings.txt
echo ""
echo "please run again....."
fi

Jan 182012
 

 

I usually don’t disable apache, php, nginx headers because to me that is just security through obscurity.

My thoughts are this…..

  1. if someone doesn’t know what version of software you are running and they decide to hack your domain or server, they will simply throw every public exploit at it that exists for said product or even simply “fingerprint” it for the correct version
  2. It makes my life easier because I can also query for those headers if for some reason I don’t remember the version of software (which saves me from logging in to the server or using other methods that might take longer – efficiency is key!)
  3. skiddies are going to throw everything at it anyways

On the flipside…..

Continue reading »