Jan 212014

You can probably get by with leaving off that last part of the title and still succeed with this attack.  Today we will be making a Password Pwn Stew.  Add a little Ettercap (link), with a dash of Metasploit (link), a smidgen of password cracking with Rcrack (link) and Rainbowtables (link), and if required a pinch of Hashcat (link) to taste.  You will have yourself some tasty pwnage.

Note, your mileage may vary with this stew.  I’m not Martha Stewart.  Also the stew analogy ends here 🙂
Continue reading »

Jan 022014

When you obtain a NetLM password hash with the known challenge of 1122334455667788 you are able to utilize the HALFLMCHALL rainbowtable to identify the first seven (7) characters of the password. The second half is left to identify. Tutorials exist (including my site, as well as here and here) on how to capture the NetLM hash using Metasploit. Metasploit comes with a Ruby script in the tools folder that will bruteforce the remaining characters of the password when you provide the complete NetLM hash and the first seven (7) characters of the recovered password. However, for passwords that are 11+ characters it is time prohibitive to bruteforce the remaining characters as show below.
Continue reading »

Dec 112013

So Tenable has made a bunch of changes and additions to the XML (.nessus) file and I’ve tried my best to incorporate them into the project.  First off they did something awesome which is alphabetize the XML elements.  So I’ve done that as well in the Nessus parse and report scripts.  It makes it so much easier to manage.  So with new elements comes new table columns.  If using this code base you should know that you need to clear all data from the DB.  I made the exploit table even less crappy and included the new XML elements around core, canvas, and d2 elliot frameworks.  I added “Show more/Show less” options for the vulnerability site indexes (CVE, BID, etc)  I noticed that listing them all out can create one long report and who really needs to have the links for all 30 CVEs around java anyway 🙂  I include any JS and CSS in the HTML instead of linking to a file.  I know…goes against all HTML teachings.  But this makes one neat file/report when you save the HTML as a file in any browser.  No more stupid folder with all the “files”.  I’ve also made some changes to the Executive report.  You now have an option to report on Nessus Plugin or CVE total.  Look for BID, OSVDB, etc in the near future.

Code here. (http://www.jedge.com/docs/projectRF.12.11.2013.zip)

Oh, and lastly…the Nessus Vuln Matrix is broken as I need to update the code to reflect all the changes.  It mostly centers around the CVSS field breaking out into four elements.

Apr 052012

This post deals with gathering the information you need to use aircrack-ng to capture a WPA/WPA2 handshake for offline bruteforce attacks.  When running aireplay-ng to send out de-authentication packets you need the MAC address of the Access Point and a Client that is associated with it.  The way I would collect the information is run Kismet.  With the older version of Kismet I would monitor the client (panel view) and select (copy/paste) the access point and client MAC.  With the new version of Kismet you cannot select a MAC address.  So I wrote myself a quick Perl script to parse the Kismet NETXML file to create output with the MAC addresses of AP and associated client pairs.
Continue reading »

Jun 072011

I put together another Technical Assessment Plan for assessing the SNMP protocol.  You will use open source and freely download-able utilities to assess the SNMP protocol.  This is for auditors that do not have access to or cannot afford the Solarwinds toolset.  This is version 0.1 of the document and I plan on making updates and add new tools in the future.

May 022011

I created Project RF to have a reporting framework that provides  consistent reports for various vulnerability scanning tools.  The  project started with support for Nessus back when I would parse nbe files.   I’ve  since included reporting for eEye Retina, Nmap, HP WebInpect,  AppScan AppDetective,  Kismet, and GFI Languard.  This project is still in its alpha stages as  I’m not a top notch web program developer.  Scan results are exported to  XML which is then uploaded, parsed, and imported into a backend MySQL  database.  I have found this framework very useful in generating reports  for my workpapers.  I still continue to work on this project even though I’m no longer an auditor.  Recently I stripped it down to just Nessus and I rewrote the Nessus portion to support the .nesses v2 xml output.  Installation and setup instructions can be found here.

This framework supports many options for report generation and executive reporting.

Feb 242011

I put together a Technical Assessment Plan that can be used to conduct external fingerprinting using the tools and utilities that a penetration tester would use.  The assessment plans are structured in a way to help with the documentation of evidence for inclusion in a work-paper process.  The plan provides helpful information on how to install, configure, and use the tools to obtain the evidence needed for an engagement.  The Technical Assessment Plans that I have created can be found here.

Nov 062009

As an auditor I liked to quickly analyze my Nmap scan results by parsing the XML output produced and loading it into my favorite spreadsheet application.
From there I could sort by host, port, service, or operating system for analysis. The parsed results are a lot easier to add to reports and workpapers. Just remember to keep the original Nmap results.
I’ve developed a LAMP framework to parse and load Nmap results into a database for reporting and analysis. However if you are just looking to quickly parse the results of individual scans I’ve got a Perl script for you!
Continue reading »

Jun 102009

An auditor’s interest in the Windows NTBACKUP Utility extends beyond examining their DR/BCP plan.

Suppose you just got command prompt access to a server (example tutorial 1, 2, & 3) but the host has anti-virus installed and you can’t disable it. You can’t use your trusty pwdump2 to dump the local password hashes (the same utility that SQLAT and SQLNINJA use). No problem, just use the ntbackup utility to make a current backup of the registry (including SAM and SYSTEM keys).

C:\>ntbackup backup systemstate /j "Auditor Owns Your Hashes" /f "%systemroot%\temp\%Username%SysState.bkf" /a
C:\>del "c:%systemroot%\temp\%Username%SysState.bkf"

You don’t need the backup file you created so it can be deleted (C:\>del %systemroot%\temp\%Username%SysState.bkf). When a backup is done of the systemstate the files in the %systemroot%\repair folder are updated. Copy the sam, system, and security files from %systemroot%\repair.

Once those files are obtained you can use the command line utilities from the creddump project to produce the same files obtained form PWDumpX (see tuturial).

Python needs to be installed for creddump to work.

Python version 2.5.4 from http://www.python.org/download/releases/2.5.4/
Pycrypto version 2.0.1 from http://jintoreedwine.com/files_and_stuff/pycrypto-2-0-1.zip

C:\creddump-0.1>pwdump.py SYSTEM SAM >> PWHashes.txt
C:\creddump-0.1>lsadump.py SYSTEM SECURITY >> LSASecrets.txt
C:\creddump-0.1>cachedump.py SYSTEM SECURITY >> PWCache.txt

Using RainbowCrack and the rainbowtables obtained from The Schmoo Group you will be able to obtain the passwords to any local account with a password 14 characters or less from PWHashes.txt.

See this tuturial on how to dictionary attack the passwords obtained from the PWCache.txt file.

You can review the LSASecrets.txt file to obtain plain text passwords for Windows service accounts. Often these accounts are also Domain accounts with the same password or even Domain Administrator accounts.

Jun 042009

On a recent pentest I was able to use SQLNINJA to exploit a SQL Injection vulnerability I had identified.  I documented the steps I took so that future auditors can take advantage of this tool.  Check out the tutorial here.