May 14
Activision / Infinity Ward Slacking Off Again.
Looks like Activision / Infinity Ward are taking their sweet time regarding a patch for the CoD4 1.5 DoS vulnerability discovered 2 weeks ago. I bet they blame it on piracy somehow.
Apr 5
Kismet drone with gps, Linksys OpenWRT
This guy put up a very nice post on how to turn your $40 Linksys router into a Kismet drone with GPS capability.
http://nixsecurity.com/?p=14
1 comment
Mar 14
Lack of posts
I haven’t acquired a new box for nix security testing yet. I’ve also spent far less time in the comsec world lately, less than I would like to admit… It’s getting rather annoying not being able to test all these new tools and methods I see every day, but that should change soon. Even if I have to grab a piece of shit excuse for a computer from walmart to get back in the game.
No comments
Feb 8
Dead box
My nix box died of acute hardware failure… I guess the second hand smoke finally got to it.
It was a good box, noted for its ancient hardware and unusually high uptime…
I will replace it when I get a few dollars together. Funny thing is that I have all the hardware lying around to build a new box except the motherboard… and if you give a mouse a cookie, as they say, he’ll want new ram.
Jan 24
Vulnerabilities
Found some vulnerable software today. I sometimes wonder what qualifies as stable these days.
Perhaps someone should consider updating the definition to include security as well.
http://packetstormsecurity.org/filedesc/seagull-063-xss.txt.html
http://packetstormsecurity.org/filedesc/efront-312-xss.txt.html
This was rather old, but I forgot to post it when I found it:
http://packetstormsecurity.org/0801-exploits/pMachinePro-241-xss.txt
I almost feel bad for posting XSS, but these guys need to fix their software, and sometimes the only way to get that done is to have their users bitch about it on their forums, etc.
2 comments
Jan 17
Howto: Install w3af on Windows (svn style)
Requirements:
Python 2.5.1 (install first):
http://www.python.org/download/
A windows Subversion client like TortoiseSVN:
http://tortoisesvn.net/downloads/
uTidylib:
http://developer.berlios.de/project/showfiles.php?group_id=1810
pyOpenSSL:
http://webcleaner.sourceforge.net/pyOpenSSL-0.6.win32-py2.5.exe
Win32 OpenSSL:
http://www.shininglightpro.com/products/Win32OpenSSL.html
Create a folder somewhere named w3af
Right click on it and hit SVN Checkout…
URL:
https://w3af.svn.sourceforge.net/svnroot/w3af/
Leave other options at defaults
Hit Ok to checkout
It is currently just under 25MB so be patient.
Ensure that the Python install folder is in your path
Open a command prompt (WinKey-R, cmd, ok)
cd to your w3af folder, i.e. cd Desktop\w3af if you created the folder on your desktop
cd extlib
cd fpconst-0.7.2
python setup.py install
cd ..
cd pygoogle
python setup.py install
cd ..
cd pywordnet
python setup.py install
cd ..
cd SOAPpy
python setup.py install
cd ..
cd pyPdf
python setup.py install
cd ..
cd ..
python w3af
All done!
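The extlib steps above are the same command repeated in five folders, and the only thing that usually goes wrong is a folder missing from an incomplete checkout or python not being on the PATH. The script below is an added example (not part of the original post or of the w3af project) that runs the same sequence from one place: it checks that an interpreter is reachable, skips and reports any extlib folder that has no setup.py, and stops at the first failed install instead of silently carrying on. The folder names are the ones from the post; the default checkout location (Desktop\w3af) and the --dry-run switch are assumptions of this example.

```python
import os
import shutil
import subprocess
import sys
import tempfile

# extlib sub-folders from the post, each installed with "python setup.py install"
EXTLIB_PACKAGES = ["fpconst-0.7.2", "pygoogle", "pywordnet", "SOAPpy", "pyPdf"]


def check_python_on_path(interpreter="python"):
    """Return the interpreter's full path if it is reachable via PATH, else None.
    Without this, every 'python setup.py install' step in the post fails."""
    return shutil.which(interpreter)


def build_install_plan(w3af_dir, packages=EXTLIB_PACKAGES, interpreter="python"):
    """Return (present, missing). 'present' is a list of (folder, command) pairs for
    packages whose extlib folder contains a setup.py; 'missing' lists the package names
    that were not found (typically an incomplete SVN checkout)."""
    extlib = os.path.join(w3af_dir, "extlib")
    present, missing = [], []
    for name in packages:
        pkg_dir = os.path.join(extlib, name)
        if os.path.isfile(os.path.join(pkg_dir, "setup.py")):
            present.append((pkg_dir, [interpreter, "setup.py", "install"]))
        else:
            missing.append(name)
    return present, missing


def run_install_plan(plan, dry_run=True):
    """Run each command inside its package folder. Returns a list of
    (folder, exit_code); stops at the first non-zero exit code so a broken
    dependency is not papered over by later installs. dry_run only prints."""
    results = []
    for pkg_dir, cmd in plan:
        if dry_run:
            print("would run", " ".join(cmd), "in", pkg_dir)
            results.append((pkg_dir, 0))
            continue
        rc = subprocess.call(cmd, cwd=pkg_dir)
        results.append((pkg_dir, rc))
        if rc != 0:
            print("install failed in", pkg_dir, "with exit code", rc)
            break
    return results


def make_fake_checkout(names):
    """Constructed test fixture: a throwaway tree with extlib/<name>/setup.py for
    each name, so the plan builder can be exercised without a real checkout."""
    base = tempfile.mkdtemp(prefix="w3af-fake-")
    for name in names:
        pkg_dir = os.path.join(base, "extlib", name)
        os.makedirs(pkg_dir)
        open(os.path.join(pkg_dir, "setup.py"), "w").close()
    return base


if __name__ == "__main__":
    # usage: python install_extlib.py [path\to\w3af] [--dry-run]
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    target = args[0] if args else os.path.join(os.path.expanduser("~"), "Desktop", "w3af")
    if check_python_on_path() is None:
        print("python is not on PATH; fix that before continuing")
        sys.exit(1)
    plan, missing = build_install_plan(target)
    if missing:
        print("missing extlib folders (checkout incomplete?):", ", ".join(missing))
    run_install_plan(plan, dry_run="--dry-run" in sys.argv)
```

Run it with --dry-run first to see the five commands it intends to execute and any folders it could not find; only then run it for real.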

Jan 16
w3af’s new GTK interface
I did my routine subversion checkout of w3af today and discovered an interesting new feature.
So, let's check it out, shall we:
Very clean interface!
A simple scan on one of my sandboxes:
Searchable http output log (draws a crazy wide window):
None of the top menu items work yet:
This is a very good start to an awesome feature. I would estimate that 98% of the core functionality is in place already, making this a very usable alpha stage frontend.
Some things need work, such as the wide window that is rendered when you search the http output, and error handling when a plugin such as remoteFileInclude is not configured properly. Speaking of which, I have yet to get that particular plugin working on my local server instead of the w3af website. If anyone has a tip on getting it to work, leave me a comment.
Another plugin that seems to be broken is the web20Spider, which requires a special python module and apparently a Firefox plugin. I have yet to figure out this one, and even though I seem to have all the dependencies, it refuses to see them and will not run. The new GTK based UI has a browser built in, so they may be well on their way to making that function usable. Let’s hope so!
***Edit***
I have been informed by Andres Riancho that the GUI is actually closer to 60% complete. Expect to see added features such as exploit functionality in the near future.
Also, I would like to remind anyone interested in contributing to the w3af project to consider joining their users or developers mailing lists at sourceforge.
4 comments
Jan 9
Simple way to access other sites hosted on the same server.
This goes along with my previous post on acquiring targets. In this example we have found an interesting site and want to see what we can find. This assumes we have access to siteA and we want siteB’s www directory.
Firstly, take your current site’s www directory:
/home/siteA/www.siteA.com/public_html/
Now cat /etc/passwd and look for siteB’s home directory:
siteA:x:1000:1000::/home/siteA:/bin/false
siteB:x:1001:1001::/home/siteB:/bin/false
cd /home/siteB/www.siteB.com/public_html/
I would say that this works on 9/10 servers including ones that use chroot or other methods of obscuring their other clients.
The reason this works is that the daemon you are running the shell as has to have (read) access to every user’s web directory…
Rarely, I find servers that are configured to run the daemon under the specific user’s account. In this case, there is no way to access another user’s public_html directory unless it has 755 permissions. This will also fail on servers using open_basedir or safe mode, for obvious reasons.
To make things slightly easier, I have written (read stole/chopped up) a simple python script to grab the home dirs from a passwd file:
#!/usr/bin/python
# dumps home directories from a passwd file
import sys

if len(sys.argv) != 2:
    print("Usage: ./homedirext.py passwd")
    sys.exit(1)

pwfile = sys.argv[1]
try:
    pws = open(pwfile, "r")
except IOError:
    print("Error: Check your file path\n")
    sys.exit(1)

lines = pws.readlines()
pws.close()
print("\nHomeDirs:\n")

# passwd format is name:password:uid:gid:gecos:home:shell, so the home
# directory is field 5. Parse the file we were given rather than calling
# pwd.getpwall(), which reads the local account database and ignores it.
for line in lines:
    fields = line.strip().split(":")
    if len(fields) >= 6:
        print(fields[5])
Note that this is simply a modified version of d3hydr8’s user extract script.
Example usage:
fuzion@fuzion-sandy:~/Projects$ python homedirext.py /etc/passwd|grep home
/home/syslog
/home/klog
/home/cupsys
/home/festival
/home/fuzion
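The post above explains why this works: whichever account the web server runs as can traverse every customer’s home directory and read every public_html. The flip side is the check an admin of a shared host should run: which accounts still have a home directory that is traversable by ‘other’ and a web root that ‘other’ can read or enter? The script below is an added example, not the post’s script and not from any project; it reuses the same passwd parsing, checks the actual mode bits with os.stat, and builds a constructed two-account layout in a temp directory to demonstrate the difference between the usual 755 setup and a locked-down 710/750 one. The siteA/siteB names and the public_html folder name are taken from the post; everything else is an assumption of this example.

```python
import os
import stat
import tempfile


def parse_home_dirs(passwd_text):
    """Map user name -> home directory from passwd-format text
    (name:x:uid:gid:gecos:home:shell). Comments and malformed lines are skipped."""
    homes = {}
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        homes[fields[0]] = fields[5]
    return homes


def other_access(path):
    """Return the 'other' permission bits of path as a string ('r', 'x', 'rx' or ''),
    or None if the path does not exist or cannot be stat'ed."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return None
    return ("r" if mode & stat.S_IROTH else "") + ("x" if mode & stat.S_IXOTH else "")


def exposed_webroots(homes, webroot="public_html"):
    """Return {user: reason} for each account whose web root an unrelated account
    could reach: the home directory must be traversable by 'other' (o+x) and the
    web root itself readable or traversable by 'other'. 710 on the home directory
    alone is enough to block the traversal described in the post."""
    findings = {}
    for user, home in sorted(homes.items()):
        home_bits = other_access(home)
        root_bits = other_access(os.path.join(home, webroot))
        if home_bits is None or root_bits is None:
            continue
        if "x" in home_bits and root_bits:
            findings[user] = "home o+%s, %s o+%s" % (home_bits, webroot, root_bits)
    return findings


def demo():
    """Constructed layout in a temp dir: siteA keeps the common 755 permissions,
    siteB has been locked down to home 710 / public_html 750. Returns the audit result."""
    base = tempfile.mkdtemp(prefix="shared-host-")
    layout = {"siteA": (0o755, 0o755), "siteB": (0o710, 0o750)}
    passwd_lines = []
    for i, (user, (home_mode, root_mode)) in enumerate(layout.items()):
        home = os.path.join(base, "home", user)
        os.makedirs(os.path.join(home, "public_html"))
        os.chmod(os.path.join(home, "public_html"), root_mode)
        os.chmod(home, home_mode)
        # constructed passwd line pointing at the temp home directory
        passwd_lines.append("%s:x:%d:%d::%s:/bin/false" % (user, 1000 + i, 1000 + i, home))
    return exposed_webroots(parse_home_dirs("\n".join(passwd_lines) + "\n"))


if __name__ == "__main__":
    for user, reason in demo().items():
        print("%s: reachable by other accounts (%s)" % (user, reason))
```

On a real host you would feed it the output of the passwd parser over /etc/passwd; the demo only reports siteA, because siteB’s 710 home directory stops any other account from getting as far as its public_html.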
1 comment
Jan 4
Windows based web application vulnerability scanning (and why nothing out there really works)
I was digging around for some windows based scanners and found that they are all either insanely expensive, or just plain out of date.
One exception was Sandcat (http://www.syhunt.com/section.php?id=sandcat) which is up to date and comes in both free and professional editions.
While testing Sandcat, I noticed that it produces results that resemble those of both Nikto2 and Acunetix. Given that one of those is free and the other costs a metric fuckton of money (though still cheaper than CORE), it seems that Sandcat is a viable alternative to expensive products, although it seems that none are close to an alternative to manual scanning. I noticed that Sandcat produces a lot of results based on fingerprinting, for instance, /Admin/, /admin/, /ADMIN/ all show up as different potential vulnerabilities. I understand that these companies don’t want to be seen as the guys who hand the kiddies the tools to hack corporate servers, but they should at least put some capability into their products. I also know that they want people to purchase their “professional” versions, but I wouldn’t expect them to put any real additional scanning capability into these costly versions.
As far as I can tell, none of the products on the market are even capable of doing anything more than fingerprint based scanning, which some companies have even misnamed as “fuzzing”. Perhaps these guys should take a look at what a real fuzzer does, and its benefit over traditional fingerprint based methods. First, they should have an option to go through the source code and find potential vulnerabilities, then check to see if the vulnerability exists online as well. This way, we can see if the coder has put any additional protection on their scripts.
Most of the good scanners that actually produce real results are only checking the source for bad code. If the commercial guys want to make a good product, they will make a product that searches the source first, then sees if the results actually show up on a live site.
Meh, I guess that’s too much to ask. It’s not like the commercial guys are gonna make any money off a project like that.
Edit:
More of a reminder to my self, but here is a free one that offers some features that you don’t see with other products.
http://blueinfy.com/wsScanner.zip
Requires .NET (which blows, but you can’t have everything)
Jan 3
Web based target entry point acquisition
I want to share my methods for acquiring access to a specific target for “vulnerability testing”.
I won’t go into what to do after you have your target, that will be up to you. I will be using some handy web based tools for this tutorial, making it easy for those still using Windows for whatever reason.
In this example we want to find a way into the servers that host our unfriendly competition.
First thing we should do is find out what services they have running.
I prefer YouGetSignal’s Open Ports Tool, it’s almost like a web based nmap quick scan:
http://www.yougetsignal.com/openPortsTool/
Put your target’s IP into the box
At the bottom right of the page, click Scan all common ports
I haven’t checked to see what data they collect or send, so it would be wise to use this tool via a proxy.
Once you have the open ports (if any), write them down somewhere.
The next thing I like to do is check what other domains are hosted on that IP. This is especially useful if they are on a shared hosting plan. Just because the target has locked down his website doesn’t mean that everyone else on his box has too.
I prefer the web based lookup tool at MyIPNeighbors.
This site does not proxy anything, so use your own.
http://www.myipneighbors.com/
Even if the target is on a dedicated or VPS, you will likely see other domains or subdomains they have registered.
Once you have checked other domains for entry points (I hope you found one :)) we can move on to my next favorite web based tool.
http://serversniff.net/ is a free “swiss army knife” site with tons of nice features.
I will focus on its subdomain search, as it has proven very handy for finding “secret” subdomains such as admin.foo.com and other stuff you won’t find on google…
This is likely a dictionary based search, so don’t expect to find ai4038502.foo.com or whatever.
Once you have found some (hopefully vulnerable) subdomains, you may notice that some of them have different IP addresses from the original. Go search for those on myipneighbors and look for more possible entry points. Repeat this process until you have mapped out pretty much everything web related for your target.
Here are a few other web based tools that offer similar free services that can be helpful:
http://news.netcraft.com/ ye olde faithful. Can tell you what a site is running, known subdomains, similar TLDs and other handy info.
http://centralops.net/co/DomainDossier.aspx another nice web tool, has service scan, whois records, etc.
http://centralops.net/co/ btw has a bunch of other tools, none really unique though.
I hope this tutorial has shown you something about the power these web based tools can add to your arsenal.
4 comments