Mar 092013

As I use nginx more and more, one of the things I miss is being able to see who is connecting to the server and the request they are making.  This is often helpful in determining attacks.  So, I basically wrote this script which does it.

# By Ed Wiget
# This shows active GET and POSTS to port 80
# One of the things i hate about nginx is the lack of an apache style status page showing requests
# hence I wront this script....which does it at a network layer, using ngrep
# 20130308 - original script
## grep all HTTP GET or POST requests from network traffic on eth0 interface  ##
# sudo ngrep -l -q -d eth0 "^GET |^POST " tcp and port 80
if [ `which ngrep | head -1 | wc -l` == "0" ]; then
	echo "missing ngrep....please install"
if [ $1 = "" ]; then
	echo "You must pass the interface as an option, i.e. eth0 or eth1, etc"
	read CIF
until [ $thing = "0" ]; do
	# uncomment top line if you dont need x-forward-for
        #sudo ngrep -l -q -d eth0 "^GET |^POST " tcp and port 80
        # use the next line if you do need x-forward-for
	#sudo ngrep -d eth1 -q 'X-Forwarded-For'  tcp and port 80
	ngrep -d ${CIF} -t '^(GET|POST) ' tcp and port 80
	sleep 1;


20130905 – added option to pass interface

Feb 102013

My desktop computer is a couple of years old.  It serves me well for what I do.  I just got a new laptop.  In terms of hardware, the laptop is much different.  The desktop is a quad-core AMD 900 series with an ATI 4500 series gpu running backtrack 5r3.  It has 8GB of memory and standard SATA drives.  The laptop is an Intel i7 cpu, with SSD drive, NVIDIA 660M gpu, and 8GB memory running backbox 3.  The internal SATA drive is slow as fuck (just putting that out there).  I have the OS on the SSD drive and my home folder on the SATA drive.

Here are the specs as seen by pyrit list_cores from each along with the benchmark tests:

Continue reading »

Feb 052013

So I wrote this script because I often need to run tcpdump on a remote host and then view it in wireshark.  The old method was to run tcpdump on remote host, scp/rsync the file back to my local machine, open it in wireshark, view it.  This script saves a lot of time.  It assumes you are logging in as root and will need modified if you are running as a normal user (change root to your username and make sure you have sudo privileges for tcpdump)

# By Ed Wiget
# This runs tcpdump on a remote hosts and pipes it back locally to wireshark to view in realtime
# 20130205 - original script
if [ $1 == "" ]; then
	echo "What is the remote host by fqdn, i.e."
	read RHOST
wireshark -k -i <( ssh -l root ${RHOST} /usr/sbin/tcpdump -i eth0 -w - )
# after you kill wireshark, the tcpdump still runs on remove host...we need to kill it
PIDOF=`ssh root@${RHOST} "ps aux | grep [t]cpdump" | awk -F" " '{print$2}'`
echo "killing pid ${PIDOF} on ${RHOST}...please wait...."
ssh root@${RHOST} "pkill tcpdump"
# now we make sure it is killed
PIDOF2=`ssh root@${RHOST} "ps aux | grep [t]cpdump" | awk -F" " '{print$2}'`
if [ ${PIDOF2} == "" ]; then
	echo "pid check returns ${PIDOF2}"
	echo "pid check returns ${PIDOF2}"

Jul 272012

Glastopf is a web application honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications.  The principle behind it is very simple:  Reply the correct response to the attacker exploiting the web application.

This article is mostly to cover the installation, setup, usage, etc


Continue reading »

May 152012
# By Ed Wiget
# This script sets up a proxy so that you can audit web servers anonymously over tor
# 20111113 - initial script (better method)
# enable next line for debugging
#set -x
echo "Please enter the ip address of the target host or a domain name"
read dom
# this checks to see if we set a domain name or ip address
# it sets the variable IP to the ip address of domain or ip entered
# if you are auditing more than .com, .net, .org, .edu addresses, you need to add them below
if [ "`echo ${dom} | egrep 'com|net|org|edu' | wc -l`" = "1" ]; then
		IP=`tor-resolve ${dom}`
# for debugging to make sure we are setting IP correctly
#echo ${IP}
# here we set up a socat proxy listening on localhost port 8080
# it forwards any tcp requests to ${IP} port 80
# via the socks tor listening on localhost 9050
sudo socat TCP4-LISTEN:8080,fork SOCKS4:${IP}:80,socksport=9050 &
# the sleep is required or the check for listening fails below
sleep 2
if [ "`sudo netstat -ptane | grep 8080 | wc -l`" = "1" ]; then
	echo "proxy started successfully"
	echo "proxy not running"
# here we are going to check port 80 for a web server which will likely tell us the
# operating system too via the results
sudo proxychains nmap -sT -PN -n -sV ${IP} -p80
# here we need to set up w3af_gui running as root in order to connect to our proxy
echo "when w3af opens, click on advanced target settings"
sleep 1
echo "set the target ip in w3af to"
sleep 1
echo "set the targetos and targetframework in w3af as returned by the nmap check above"
sleep 1
sudo /pentest/web/w3af/w3af_gui &


So now you can audit a web app using w3af.  If you wanted to use nessus or metasploit, just plug in the address as

Mar 022012
echo "deb revolution main microverse non-free testing" >> /etc/apt/sources.list 
apt-get update 
apt-get dist-upgrade

And it includes these new tools:

arduino	bluelog	bt-audit	dirb	dnschef	dpscan	easy-creds	extundelete
findmyhash	golismero	goofile	hashcat-gui	hash-identifier	hexorbase	horst	hotpatch
joomscan	killerbee	libhijack	magictree	nipper-ng	patator	pipal	pyrit
reaver	rebind	rec-studio	redfang	se-toolkit	sqlsus	sslyze	sucrack
thc-ssl-dos	tlssled	uniscan	vega	watobo	wcex	wol-e	xspy

Feb 112012

You might also want to see my article Installing JTR On Backtrack for Multiprocessor Cores

I am too lazy to restore the old version of this file from my old website (it was hosted for years on mambo and I am just too lazy to do the db conversion).  Anyways, this website serves a couple of purposes, first is to keep some of my own notes handy and second to help others.  With that in mind, here is a collection of tips on using john the ripper:

Prepare Linux Shadow Passwords

umask 077
./unshadow /etc/passwd /etc/shadow > mypasswds

Continue reading »

Feb 112012

Lets face it, John the Ripper has been around a long time and the reason its been around a long time is because its damn good at cracking passwords.  Yea, hashcat and oclhashcat are great for gpu cracking, but it doesn’t support as many algorithms as JTR.  So, imagine my surprise when I fire up John The Ripper on backtrack 5 64 bit and find out it is using a single CPU.  That is letting a potential 75% of my system sit there wanting to do something.  Luckily the fix is easier than fixing a sandwich.

If you already have jtr installed, you may want to see my john tips article.

First, lets grab the jumbo sourcecode….

Continue reading »

Feb 042012

I created this because I always forget the command to enumerate snmp and I am often too lazy to read man pages 🙂

# By Ed Wiget
# This script takes an input ip or domain and performs a snmpwalk using common community strings
# 20120204 - initial script
function proghelp (){
	echo ""
	echo ""
	echo "Help:"
	echo "./ ip_address"
	echo ""
	echo "Example:"
	echo "./"
	echo ""
	echo ""
if [ $# -ne 1 ]
# set up the first input value
if [ "$1" == "" ]; then
        echo "What is the ip address to query?"
        read SVRIP
if [ -f wordlist-common-snmp-community-strings.txt ]; then
	for COMSTG in `cat wordlist-common-snmp-community-strings.txt`
# removed below in favor of auto list
# set up the second input value
#if [ "$2" == "" ]; then		
#        echo "What is the community string?"
#        read COMSTG
		snmpwalk -v2c -c ${COMSTG} $1 system
echo "wordlist-common-snmp-community-strings.txt does not exist.......fetching now......please wait"
echo ""
echo ""
echo "please run again....."

Jan 182012


I usually don’t disable apache, php, nginx headers because to me that is just security through obscurity.

My thoughts are this…..

  1. if someone doesn’t know what version of software you are running and they decide to hack your domain or server, they will simply throw every public exploit at it that exists for said product or even simply “fingerprint” it for the correct version
  2. It makes my life easier because I can also query for those headers if for some reason I don’t remember the version of software (which saves me from logging in to the server or using other methods that might take longer – efficiency is key!)
  3. skiddies are going to throw everything at it anyways

On the flipside…..

Continue reading »