Apr 052012
 

This post deals with gathering the information you need to use aircrack-ng to capture a WPA/WPA2 handshake for offline bruteforce attacks.  When running aireplay-ng to send out de-authentication packets you need the MAC address of the Access Point and a Client that is associated with it.  The way I would collect the information is run Kismet.  With the older version of Kismet I would monitor the client (panel view) and select (copy/paste) the access point and client MAC.  With the new version of Kismet you cannot select a MAC address.  So I wrote myself a quick Perl script to parse the Kismet NETXML file to create output with the MAC addresses of AP and associated client pairs.
Continue reading »

Nov 062009
 

As an auditor I liked to quickly analyze my Nmap scan results by parsing the XML output produced and loading it into my favorite spreadsheet application.
From there I could sort by host, port, service, or operating system for analysis. The parsed results are a lot easier to add to reports and workpapers. Just remember to keep the original Nmap results.
I’ve developed a LAMP framework to parse and load Nmap results into a database for reporting and analysis. However if you are just looking to quickly parse the results of individual scans I’ve got a Perl script for you!
Continue reading »

Jun 042009
 

On a recent pentest I was able to use SQLNINJA to exploit a SQL Injection vulnerability I had identified.  I documented the steps I took so that future auditors can take advantage of this tool.  Check out the tutorial here.

Mar 062009
 

During an audit I had to determine whether a particular remote control service was installed on the Domain workstations and servers. It was determined during the interview process that no remote control software was in use.  I decided to obtain the evidence to the contrary.  I had already compromised a Domain Administrator account so I had the appropriate permissions.
Continue reading »

Mar 062009
 

CACLS.exe is a great builtin Windows utility that allows you to list the permissions on a file or folder.  This command has been used in an audit to get the permissions of the folders on an agency file server that served the “private” shares to each Domain user.  The findings we would be looking for when examining the results are improper access to the “private” shares by other Domain users.

For CACLS options and how to interpret the results see this site.
Continue reading »