SecurityTube.net Hack of the Day
Security Researcher at Pentester Academy (2015-07-23)
<div dir="ltr" style="text-align: left;" trbidi="on">
<div>
We've worked very hard to build a respected company in the information security training field and are proud to say we now serve thousands of professionals from over 90 countries! We are looking at expanding our research team, so here is the job description: </div>
<div>
<br /></div>
<div>
<br /></div>
We are looking for <b>security researchers</b> with specialization in at least one of the following areas:<div>
<br /></div>
<div>
<ol style="text-align: left;">
<li>Network Pentesting</li>
<li>Web Application Pentesting</li>
<li>Mobile platform and application security </li>
<li>Assembly and Shellcoding</li>
<li>Exploit Research</li>
<li>Reverse Engineering</li>
<li>Hardware hacking</li>
<li>Wi-Fi security </li>
<li>... and other relevant topics </li>
</ol>
<div>
<b>Your job will involve - </b></div>
</div>
<div>
<ul style="text-align: left;">
<li>researching your area of interest full time</li>
<li>publishing bleeding edge work online under your name</li>
<li>creating live demos of your work </li>
<li>scripting proof of concept tools </li>
<li>helping us build a knowledge base on the subject</li>
<li>speaking at security conferences where your research will be accepted </li>
<li>basically, living your research dream and helping the company in the process</li>
</ul>
<div>
You will be working directly with Vivek Ramachandran.</div>
<div>
<br /></div>
<div>
<b>Who should apply?</b></div>
<div>
<b><br /></b></div>
<div>
Here is the litmus test you should take - Apply ONLY if: </div>
<div>
<br /></div>
<div>
<ul style="text-align: left;">
<li>you are obsessed with your field</li>
<li>you understand that only results matter, not the hours put in</li>
<li>you love research and experimentation</li>
<li>you hammer on a problem even after failing a hundred times</li>
<li>you have an insane drive to succeed and take your work to the world stage</li>
</ul>
</div>
<div>
<br /></div>
<div>
<b>Minimum requirements to apply:</b></div>
<div>
<br /></div>
<div>
We only want to hire researchers with a proven track record. You should at least have: </div>
<div>
<ul style="text-align: left;">
<li>spoken at good conferences worldwide</li>
<li>written tools or products which are peer respected</li>
<li>authored books in your area of expertise</li>
<li>... any other significant research achievements in your field </li>
</ul>
</div>
<div>
<b>Location</b>: Pune, India. Relocation expense and assistance will be provided. </div>
</div>
<div>
<br /></div>
<div>
<b>Pay</b>: 8-20 Lakhs/year. </div>
<div>
<b>Number of positions available</b>: <span style="font-size: x-large;"> <span style="color: red;">5</span></span> </div>
<div>
<br /></div>
<div>
<b>Contact</b>: Email details to vivek [] binarysecuritysolutions.com. Please be as detailed as possible in the description of your work. What you don't write, we can never know. </div>
</div>
Backtrack 5: Wireless Penetration Testing Beginner's Guide - Revised Edition (2015-04-04)
<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-6GqZovgFyvo/VR_uaaF8pFI/AAAAAAAAAsE/2yq3NchHh4A/s1600/download.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-6GqZovgFyvo/VR_uaaF8pFI/AAAAAAAAAsE/2yq3NchHh4A/s1600/download.jpg" height="320" width="256" /></a></div>
<br />
I still remember writing the "<a href="http://www.amazon.com/BackTrack-Wireless-Penetration-Testing-Beginners/dp/1849515581/" target="_blank">Backtrack 5: Wireless Penetration Testing</a>" book; I was super scared everyone would hate it and I'd be flamed. Now, almost 3.5 years after publication, it has sold over 13,000 copies worldwide. I couldn't be happier.<br />
<br />
Anyway, the reason for this post is something different. It came to my notice today that the <a href="http://www.amazon.com/Kali-Linux-Wireless-Penetration-Beginner/dp/1783280417/" target="_blank">revised edition of the book</a> for Kali Linux was out last week. Since I am still retained as the primary author, I just wanted to post a few clarifications:<br />
<br />
<br />
<ol style="text-align: left;">
<li>Packt approached me to revise the book for Kali Linux, but I refused.</li>
<li>I did not review the book before release or receive a pre-release copy, so I do not know what additions/modifications have been made.</li>
<li>As I am still retained as the primary author, I think most of the changes might be screenshots using Kali. Again, this needs to be verified.</li>
<li>Full credit for any new additions or for improving the previous examples should go to the co-author Cameron Buchanan. I had no contribution to these in any way.</li>
</ol>
<div>
<br /></div>
<div>
That's all folks! Thanks for supporting SecurityTube, Pentester Academy and me over the years! </div>
<br /></div>
Airodump-NG Scan Visualizer ver 1.0 (2015-03-28)
<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-LYYORaHlV3Y/VRad-4YKTxI/AAAAAAAAAqw/dabBBl5QfnI/s1600/scanvisualizer.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-LYYORaHlV3Y/VRad-4YKTxI/AAAAAAAAAqw/dabBBl5QfnI/s1600/scanvisualizer.PNG" height="412" width="640" /></a></div>
<br />
We all love Airodump-NG! I am personally a fan of the entire Aircrack-NG tool suite and the fantastic work done by Mister_X over the years. As most of you know, Airodump-NG can export the scan data as a CSV or a Kismet-compatible Netxml file. The Airodump-NG Scan Visualizer takes this CSV file and allows you to filter and play around with the scan data in interesting ways.<br />
<br />
<br />
<h2 style="text-align: left;">
Getting Started with the Airodump-NG Scan Visualizer</h2>
<div>
<strong>1) Start an Airodump-NG scan with the "-w" option to write to file</strong></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://camo.githubusercontent.com/cdccf8743cfc40d2afd8aba37b1492181d5e0b73/687474703a2f2f7363616e76697375616c697a65722e73332e616d617a6f6e6177732e636f6d2f6169726f64756d702d6e672e504e47" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="221" src="https://camo.githubusercontent.com/cdccf8743cfc40d2afd8aba37b1492181d5e0b73/687474703a2f2f7363616e76697375616c697a65722e73332e616d617a6f6e6177732e636f6d2f6169726f64756d702d6e672e504e47" width="400" /></a></div>
<br />
<div>
<strong>2) Allow the scan to run till you have enough data</strong></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://camo.githubusercontent.com/bb7432e420216dc47161770f64eb48fa97a84ee2/687474703a2f2f7363616e76697375616c697a65722e73332e616d617a6f6e6177732e636f6d2f747261636563706c6c656374696f6e2e504e47" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="222" src="https://camo.githubusercontent.com/bb7432e420216dc47161770f64eb48fa97a84ee2/687474703a2f2f7363616e76697375616c697a65722e73332e616d617a6f6e6177732e636f6d2f747261636563706c6c656374696f6e2e504e47" width="400" /></a></div>
<br />
<div>
<strong>3) Locate the XXX-YY.CSV file in the current directory</strong></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://camo.githubusercontent.com/5a1ba68efd613a4edb93766c7250c58f12b0711c/687474703a2f2f7363616e76697375616c697a65722e73332e616d617a6f6e6177732e636f6d2f75706c6f61646373762e504e47" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="222" src="https://camo.githubusercontent.com/5a1ba68efd613a4edb93766c7250c58f12b0711c/687474703a2f2f7363616e76697375616c697a65722e73332e616d617a6f6e6177732e636f6d2f75706c6f61646373762e504e47" width="400" /></a></div>
<br />
<div>
<strong>4) Upload the CSV file</strong></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-v0kjvuZKPeY/VRamNJ2RcUI/AAAAAAAAAq8/XdKyEk4VFoE/s1600/csv.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-v0kjvuZKPeY/VRamNJ2RcUI/AAAAAAAAAq8/XdKyEk4VFoE/s1600/csv.PNG" height="188" width="320" /></a></div>
<br />
<div>
<strong>5) Click on Analyze!</strong></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-LYYORaHlV3Y/VRad-4YKTxI/AAAAAAAAAqw/dabBBl5QfnI/s1600/scanvisualizer.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-LYYORaHlV3Y/VRad-4YKTxI/AAAAAAAAAqw/dabBBl5QfnI/s1600/scanvisualizer.PNG" height="204" width="320" /></a></div>
<br />
<br />
<h2 style="text-align: left;">
Features:</h2>
<div>
<b>1. Segregation of Access Points + Connected Clients and Roaming Clients: </b></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-AZLfAtlAPY4/VPXfoizTdsI/AAAAAAAAAmE/lPyJbBCNYF8/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-AZLfAtlAPY4/VPXfoizTdsI/AAAAAAAAAmE/lPyJbBCNYF8/s1600/1.png" height="82" width="320" /></a></div>
<div>
<br /></div>
<b>2. Advanced String Filtering on ESSID, BSSID, Channel, Privacy, Cipher and Authentication:</b><br />
<b><br /></b>
Each of the above filters supports one of three match modes:<br />
<br />
<i><b>"Starts with"</b></i><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-Uiv7nuncHZ8/VPXhi-DbVWI/AAAAAAAAAmQ/6BlbRAFAVtY/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-Uiv7nuncHZ8/VPXhi-DbVWI/AAAAAAAAAmQ/6BlbRAFAVtY/s1600/2.png" height="194" width="320" /></a></div>
<br />
<br />
<br />
<b><i>"Contains"</i></b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-dz9jru_cQmw/VPXh-m7pm4I/AAAAAAAAAmY/gE9tLmI4AiM/s1600/3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-dz9jru_cQmw/VPXh-m7pm4I/AAAAAAAAAmY/gE9tLmI4AiM/s1600/3.PNG" height="191" width="320" /></a></div>
<br />
<br />
<b><i>"Is"</i></b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-hxdEauGphJk/VPXiKddtWfI/AAAAAAAAAmg/WmFgunwuebo/s1600/4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-hxdEauGphJk/VPXiKddtWfI/AAAAAAAAAmg/WmFgunwuebo/s1600/4.PNG" height="161" width="320" /></a></div>
<br />
We know that a lot of the time you will need to monitor multiple ESSIDs at once, so we allow multiple filters per column, which are logically ORed.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-5TNXGttOOTM/VPXjJg8es3I/AAAAAAAAAms/3vn5a1nHf2k/s1600/5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-5TNXGttOOTM/VPXjJg8es3I/AAAAAAAAAms/3vn5a1nHf2k/s1600/5.PNG" height="268" width="320" /></a></div>
<br />
<br />
<br />
There is no limit to the number of concurrent filters which you can apply to any column :)<br />
<br />
<b>3. Range Filters for Packets, Signal and Clients:</b><br />
<br />
You can mention a Minimum and/or a Maximum range for each of them as shown below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-ER-c4XKMjKQ/VPXjzRBR09I/AAAAAAAAAm0/jGkjGaqSTlw/s1600/6.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-ER-c4XKMjKQ/VPXjzRBR09I/AAAAAAAAAm0/jGkjGaqSTlw/s1600/6.PNG" height="244" width="320" /></a></div>
<br />
<b>4. Filter Query shown live! </b><br />
<br />
As you apply filters to each column, the filter expression shown above the table updates, so you can easily track what you have applied.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-P1GX2VnODc8/VPXkj4f0DeI/AAAAAAAAAnA/W5oQSHc4O1k/s1600/7.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-P1GX2VnODc8/VPXkj4f0DeI/AAAAAAAAAnA/W5oQSHc4O1k/s1600/7.PNG" height="179" width="640" /></a></div>
<br />
<br />
<b>5. Screenshots of both the Data Table and the Application screen</b><br />
<br />
We know Pentesters need screenshots for writing reports so we made taking screenshots just a click away!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-v8wi6tjMaNg/VPXleEpvaqI/AAAAAAAAAnI/aCxxsfANp6M/s1600/8.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-v8wi6tjMaNg/VPXleEpvaqI/AAAAAAAAAnI/aCxxsfANp6M/s1600/8.PNG" height="91" width="200" /></a></div>
<br />
<b>6. Search Roaming Clients by the ESSID they are probing for</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-3ukOp1xHy_E/VPXmUL2POvI/AAAAAAAAAnQ/WMRZZzPCK78/s1600/9.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-3ukOp1xHy_E/VPXmUL2POvI/AAAAAAAAAnQ/WMRZZzPCK78/s1600/9.PNG" height="107" width="640" /></a></div>
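To make the filter semantics above concrete (features 1, 2, 3, 4 and 6), here is an added Python example that is not the Scan Visualizer's own code: it parses the two blocks of an airodump-ng CSV export (access points, then stations), counts connected clients per AP, applies "starts with" / "contains" / "is" string filters that are ORed within a column and ANDed across columns, applies min/max range filters, renders the live filter expression, and searches roaming clients by probed ESSID. The CSV content, MAC addresses and ESSIDs are constructed for the example, and treating an AP's "Packets" as beacons plus data frames is an assumption.

```python
import csv
import io

# Constructed airodump-ng style CSV (not a real capture): AP block, blank line, station block.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2015-03-28 10:00:01, 2015-03-28 10:05:09,  6,  54, WPA2, CCMP, PSK, -41, 120, 35,   0.  0.  0.  0,   6, lab-ap, 
66:77:88:99:AA:BB, 2015-03-28 10:00:03, 2015-03-28 10:05:08, 11,  54, WPA2, CCMP, PSK, -70,  95,  0,   0.  0.  0.  0,   9, lab-guest, 
CC:DD:EE:FF:00:11, 2015-03-28 10:00:05, 2015-03-28 10:05:07,  1,  54, OPN ,     ,    , -82,  40,  0,   0.  0.  0.  0,   8, CoffeeAP, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2015-03-28 10:00:10, 2015-03-28 10:05:00, -50, 310, 00:11:22:33:44:55, lab-ap
AA:BB:CC:DD:EE:02, 2015-03-28 10:00:12, 2015-03-28 10:05:02, -60,  15, (not associated), lab-guest,HomeWiFi
AA:BB:CC:DD:EE:03, 2015-03-28 10:00:14, 2015-03-28 10:05:04, -75,  42, 00:11:22:33:44:55, 
"""

NOT_ASSOCIATED = "(not associated)"

def parse_airodump_csv(text):
    """Split the CSV into AP rows and station rows and count each AP's connected clients."""
    aps, stations, section = [], [], None
    for row in csv.reader(io.StringIO(text)):
        cells = [c.strip() for c in row]
        if not any(cells):
            continue                                   # blank line between the two blocks
        if cells[0] in ("BSSID", "Station MAC"):
            section = cells[0]                         # a header row starts a block
            continue
        if section == "BSSID" and len(cells) >= 14:
            aps.append({"BSSID": cells[0], "Channel": cells[3], "Privacy": cells[5],
                        "Cipher": cells[6], "Authentication": cells[7], "ESSID": cells[13],
                        "Signal": int(cells[8]),
                        # assumption: an AP's "Packets" = beacons + data frames (# IV)
                        "Packets": int(cells[9]) + int(cells[10]), "Clients": 0})
        elif section == "Station MAC" and len(cells) >= 6:
            stations.append({"Station": cells[0], "Signal": int(cells[3]),
                             "Packets": int(cells[4]), "BSSID": cells[5],
                             "Probed": [c for c in cells[6:] if c]})   # comma-separated list
    by_bssid = {ap["BSSID"]: ap for ap in aps}
    for sta in stations:                               # feature 1: connected vs. roaming
        if sta["BSSID"] in by_bssid:
            by_bssid[sta["BSSID"]]["Clients"] += 1
    return aps, stations

def roaming_clients(stations):
    return [s for s in stations if s["BSSID"] == NOT_ASSOCIATED]

STRING_OPS = {                                         # feature 2: the three string operators
    "starts with": lambda value, term: value.startswith(term),
    "contains": lambda value, term: term in value,
    "is": lambda value, term: value == term,
}

def matches(row, string_filters, range_filters):
    """Filters on the same column are ORed; filters on different columns are ANDed."""
    for col, terms in string_filters.items():
        if not any(STRING_OPS[op](row[col], term) for op, term in terms):
            return False
    for col, (lo, hi) in range_filters.items():       # feature 3: optional min and/or max
        if (lo is not None and row[col] < lo) or (hi is not None and row[col] > hi):
            return False
    return True

def filter_aps(aps, string_filters=None, range_filters=None):
    return [ap for ap in aps if matches(ap, string_filters or {}, range_filters or {})]

def filter_expression(string_filters=None, range_filters=None):
    """Feature 4: render the active filters as one expression, as the UI shows above the table."""
    parts = []
    for col, terms in (string_filters or {}).items():
        parts.append("(" + " OR ".join(f'{col} {op} "{term}"' for op, term in terms) + ")")
    for col, (lo, hi) in (range_filters or {}).items():
        # multiplying by a bool keeps the bound only when it was given
        bounds = [f"{col} >= {lo}"] * (lo is not None) + [f"{col} <= {hi}"] * (hi is not None)
        parts.append("(" + " AND ".join(bounds) + ")")
    return " AND ".join(parts)

def roaming_probing_for(stations, essid, op="is"):
    """Feature 6: roaming clients whose probed ESSID list matches the filter."""
    return [s for s in roaming_clients(stations)
            if any(STRING_OPS[op](probed, essid) for probed in s["Probed"])]

if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    sf = {"ESSID": [("starts with", "lab"), ("is", "CoffeeAP")]}
    rf = {"Signal": (-75, None)}
    print(filter_expression(sf, rf))
    for ap in filter_aps(aps, sf, rf):
        print(ap["BSSID"], ap["ESSID"], "clients:", ap["Clients"])
    print("roaming, probing lab-guest:",
          [s["Station"] for s in roaming_probing_for(stations, "lab-guest")])
```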
<br />
<br />
<b>7. Annotations:</b><br />
<br />
Mark rows, columns, filters etc. on the screen with Annotations before taking screenshots to convey more information:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-aJEbjdmWT2I/VPXtfBQO6QI/AAAAAAAAAng/X-YMo1GL8Ew/s1600/10.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-aJEbjdmWT2I/VPXtfBQO6QI/AAAAAAAAAng/X-YMo1GL8Ew/s1600/10.PNG" height="366" width="400" /></a></div>
<br />
<br />
<b>8. Graphs and Charts:</b><br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-_q_pxSgxB2s/VRanaQ3VTLI/AAAAAAAAArI/l0qA1UEJlkM/s1600/chart1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-_q_pxSgxB2s/VRanaQ3VTLI/AAAAAAAAArI/l0qA1UEJlkM/s1600/chart1.png" height="316" width="640" /></a></div>
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-qFOsmtMJ6cY/VRan_83zBHI/AAAAAAAAArQ/6WQ1OyK8jAE/s1600/chart2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-qFOsmtMJ6cY/VRan_83zBHI/AAAAAAAAArQ/6WQ1OyK8jAE/s1600/chart2.png" height="316" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-qanDfjNw6MQ/VRaoTk367KI/AAAAAAAAArY/Ht2VMmpK6W8/s1600/chart3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-qanDfjNw6MQ/VRaoTk367KI/AAAAAAAAArY/Ht2VMmpK6W8/s1600/chart3.png" height="385" width="640" /></a></div>
<br />
<h3 style="text-align: left;">
9. LIVE Mode - visualize data live from Airodump-NG! </h3>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-lHWbj3pzhbI/VRap3H_YudI/AAAAAAAAArk/cmkz3OrAvi0/s1600/livemode.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-lHWbj3pzhbI/VRap3H_YudI/AAAAAAAAArk/cmkz3OrAvi0/s1600/livemode.png" height="318" width="640" /></a></div>
<h3 style="text-align: left;">
and many other cool features! </h3>
<div>
<br /></div>
<h3 style="text-align: center;">
<span style="color: red;"><a href="http://www.pentesteracademy.com/course?id=18" target="_blank">Watch the Demos and Download Airodump-NG Scan Visualizer ver 1.0 </a></span></h3>
<br /></div>
Pcap2XML/Sqlite - Convert 802.11 Packets to XML and SQLITE (2015-03-16)
<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-G2No0-huUaw/VQetI8hKlQI/AAAAAAAAAoQ/KCsSEmvgKxI/s1600/launch.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-G2No0-huUaw/VQetI8hKlQI/AAAAAAAAAoQ/KCsSEmvgKxI/s1600/launch.PNG" height="548" width="640" /></a></div>
<br />
This tool converts 802.11 packet traces (PCAP format) into an XML and SQLITE equivalent so you can now run XPATH/XQUERY/SQL queries on the packets.<br />
<br />
<h3 style="text-align: left;">
<b>Why do we need this?</b></h3>
<br />
Wireshark is great when it comes to capturing and filtering packet traces. However, it has no facility for macro-level tasks. Here are some questions Wireshark cannot answer out of the box:<br />
<br />
<br />
<ul style="text-align: left;">
<li>Give me all device MAC addresses in the PCAP</li>
<li>Give me a unique list of all Access Point/Ad-Hoc networks in the PCAP</li>
<li>... </li>
</ul>
<div>
Of course, this is by design. Wireshark is a packet capture tool and not a data analysis platform. </div>
<br />
<br />
This is where Pcap2XML/Sqlite comes in! We map every header field in an 802.11 packet to an XML and SQLITE equivalent. Once every packet is converted into these formats, it is extremely easy to run analysis tools on them, as you shall see in the later part of this post.<br />
<br />
<h3 style="text-align: left;">
Where can this tool be used?</h3>
This tool can be used anywhere there is a need to analyze individual packets. However, we had the following purposes in mind:<br />
<br />
<br />
<ul style="text-align: left;">
<li>Teaching Wi-Fi security using Packet Analysis</li>
<li>Deriving Macro-Stats on a PCAP file as discussed in the previous section</li>
<li>Writing a simple Wi-Fi IDS :) </li>
<li>...</li>
</ul>
<br />
<br />
<h3 style="text-align: left;">
How does the tool work?</h3>
Below is an example of the tool running on a 50MB 802.11 packet trace and creating an XML and SQLITE file:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-VH86CR7KHG0/VQfwp31gd7I/AAAAAAAAAqA/BJ_j7ekOtfk/s1600/samples.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-VH86CR7KHG0/VQfwp31gd7I/AAAAAAAAAqA/BJ_j7ekOtfk/s1600/samples.PNG" height="354" width="640" /></a></div>
<br />
<h3 style="text-align: left;">
Examples of Analysis</h3>
As you can see in the previous section, the tool has created sample.db and sample.xml.<br />
<br />
Let us look at sample.db using Sqlite Browser:<br />
<br />
<h4 style="text-align: left;">
Table containing all the packets:</h4>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-f5PVshNqY1E/VQe59w0ZHHI/AAAAAAAAApA/POaO9FmF_Ck/s1600/dbview.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-f5PVshNqY1E/VQe59w0ZHHI/AAAAAAAAApA/POaO9FmF_Ck/s1600/dbview.PNG" height="288" width="640" /></a></div>
<br />
<br />
<h4 style="text-align: left;">
Simple filter for Beacon Frames:</h4>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-qLEYSf6i_3o/VQe6pTshZUI/AAAAAAAAApI/5oeEHa03utE/s1600/select.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-qLEYSf6i_3o/VQe6pTshZUI/AAAAAAAAApI/5oeEHa03utE/s1600/select.PNG" height="344" width="640" /></a></div>
<br />
<br />
<h4 style="text-align: left;">
Macro Stats - Get All Distinct Device MAC Addresses in the PCAP</h4>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-mPLOwom7FqE/VQe7eLCALBI/AAAAAAAAApQ/veYkivYgbwc/s1600/uniquemac.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-mPLOwom7FqE/VQe7eLCALBI/AAAAAAAAApQ/veYkivYgbwc/s1600/uniquemac.PNG" height="338" width="640" /></a></div>
<br />
<br />
<h4 style="text-align: left;">
Macro Stats - Select All Distinct MACs sending Beacon Frames</h4>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-MdmaHS_Ol3M/VQe77Of0dPI/AAAAAAAAApY/w8ysMHEgwZo/s1600/becaon.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-MdmaHS_Ol3M/VQe77Of0dPI/AAAAAAAAApY/w8ysMHEgwZo/s1600/becaon.PNG" height="342" width="640" /></a></div>
<br />
<br />
<div>
<h4>
Macro Stats - Select All Distinct MACs receiving Data Frames</h4>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-bCMws3z7h5Y/VQe8dvVwBuI/AAAAAAAAApg/VYTd48DdBWg/s1600/data.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-bCMws3z7h5Y/VQe8dvVwBuI/AAAAAAAAApg/VYTd48DdBWg/s1600/data.PNG" height="340" width="640" /></a></div>
<div>
<br /></div>
<div>
<h4>
Macro Stats - Get the Average Frame Length</h4>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-kX-MJNHRDcQ/VQe833agQFI/AAAAAAAAApo/8ChVXae7R2I/s1600/framelen.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-kX-MJNHRDcQ/VQe833agQFI/AAAAAAAAApo/8ChVXae7R2I/s1600/framelen.PNG" height="343" width="640" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<h4>
Macro Stats - Get the inter-packet time delta! </h4>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-4IBOQJLOAwM/VQe9UXzC-VI/AAAAAAAAApw/Hdqv1gEu1CQ/s1600/interpacket.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-4IBOQJLOAwM/VQe9UXzC-VI/AAAAAAAAApw/Hdqv1gEu1CQ/s1600/interpacket.PNG" height="344" width="640" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
... and as you can see, many more such queries are possible. </div>
<br />
<br />
<h3 style="text-align: left;">
Can you outline some of the other interesting features?</h3>
<br />
<ul style="text-align: left;">
<li>Ability to select only a packet range or selected packets</li>
<li>Ability to monitor a PCAP file live for new packets</li>
<li>Automatic update checker for newer versions</li>
<li>...</li>
</ul>
<div>
We highly recommend you <a href="http://www.pentesteracademy.com/course?id=17" target="_blank">check out the video tutorials</a> we are making on this tool. </div>
<br />
<br />
<h3 style="text-align: left;">
How are the 802.11 headers mapped to XML and SQLITE?</h3>
<br />
In version 1.0, we are only mapping the 802.11 MAC Header for all frames (Management, Data and Control).<br />
<br />
Here is the XML Schema:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-pl863Tpo2Bg/VQe5JUHSsjI/AAAAAAAAAo0/lteEebIqr1Q/s1600/xmlschema.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-pl863Tpo2Bg/VQe5JUHSsjI/AAAAAAAAAo0/lteEebIqr1Q/s1600/xmlschema.PNG" height="576" width="640" /></a></div>
<br />
Here is the SQLITE DB Schema:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-BpuTIucGtoA/VQe4qMFdozI/AAAAAAAAAos/41ggCSzTK2g/s1600/schemadb.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-BpuTIucGtoA/VQe4qMFdozI/AAAAAAAAAos/41ggCSzTK2g/s1600/schemadb.PNG" height="640" width="600" /></a></div>
<br />
<br />
Future versions will have all frames mapped apart from the Data frame payloads.<br />
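As an added illustration of the mapping described above (this is not the tool's code, whose source is not public), the following Python script decodes the generic 802.11 MAC header of each frame in a classic pcap file, stores one row per frame with one column per header field in an in-memory SQLite table, and answers the macro-level questions from the post with plain SQL: distinct device MACs, distinct beacon senders, distinct data receivers, average frame length and inter-packet time delta. The column names, the sample frames and the MAC addresses are constructed for the example and are assumptions, not the tool's actual schema.

```python
import sqlite3
import struct

DLT_IEEE802_11 = 105      # pcap link type for raw 802.11 frames without a radiotap header

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_mac_header(frame):
    """Decode the generic 802.11 MAC header: frame control, duration, addresses, sequence control."""
    if len(frame) < 10:
        return None
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype, flags = (fc >> 2) & 0x3, (fc >> 4) & 0xF, fc >> 8
    h = {"type": ftype, "subtype": subtype, "flags": flags, "to_ds": flags & 1,
         "from_ds": (flags >> 1) & 1, "duration": duration, "addr1": mac_str(frame[4:10]),
         "addr2": None, "addr3": None, "addr4": None, "frag_num": None, "seq_num": None}
    if ftype == 1:                                   # control frame: CTS/ACK carry only addr1
        if subtype not in (12, 13) and len(frame) >= 16:
            h["addr2"] = mac_str(frame[10:16])
        return h
    if len(frame) < 24:
        return None                                  # truncated management/data frame
    h["addr2"], h["addr3"] = mac_str(frame[10:16]), mac_str(frame[16:22])
    seq_ctrl = struct.unpack_from("<H", frame, 22)[0]
    h["frag_num"], h["seq_num"] = seq_ctrl & 0xF, seq_ctrl >> 4
    if h["to_ds"] and h["from_ds"] and len(frame) >= 30:
        h["addr4"] = mac_str(frame[24:30])           # WDS frames carry a fourth address
    return h

def iter_pcap(data):                                 # yields (timestamp_usec, frame_bytes)
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[struct.unpack_from("<I", data, 0)[0]]
    if struct.unpack_from(end + "I", data, 20)[0] != DLT_IEEE802_11:
        raise ValueError("expected DLT_IEEE802_11 frames")
    off = 24
    while off + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack_from(end + "IIII", data, off)
        off += 16
        yield sec * 1_000_000 + usec, data[off:off + caplen]
        off += caplen

COLS = ["type", "subtype", "flags", "to_ds", "from_ds", "duration",
        "addr1", "addr2", "addr3", "addr4", "frag_num", "seq_num"]
SCHEMA = ("CREATE TABLE packets (num INTEGER PRIMARY KEY, ts_usec INTEGER, frame_len INTEGER, "
          + ", ".join(f"{c} {'TEXT' if c.startswith('addr') else 'INTEGER'}" for c in COLS) + ")")

def load_pcap(pcap_bytes):                           # one row per frame, one column per field
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    for num, (ts, frame) in enumerate(iter_pcap(pcap_bytes), start=1):
        h = parse_mac_header(frame)
        if h is not None:                            # skip frames too short to decode
            conn.execute(f"INSERT INTO packets VALUES ({', '.join('?' * (len(COLS) + 3))})",
                         [num, ts, len(frame)] + [h[c] for c in COLS])
    conn.commit()
    return conn

def macro_stats(conn):
    """The macro-level questions from the post, answered with plain SQL on the packets table."""
    def col(sql):
        return [r[0] for r in conn.execute(sql)]
    return {
        "device_macs": col("SELECT DISTINCT mac FROM (SELECT addr1 AS mac FROM packets UNION "
                           "SELECT addr2 FROM packets UNION SELECT addr3 FROM packets UNION "
                           "SELECT addr4 FROM packets) WHERE mac IS NOT NULL "
                           "AND mac <> 'ff:ff:ff:ff:ff:ff' ORDER BY mac"),
        "beacon_senders": col("SELECT DISTINCT addr2 FROM packets WHERE type = 0 AND subtype = 8 "
                              "ORDER BY addr2"),
        "data_receivers": col("SELECT DISTINCT addr1 FROM packets WHERE type = 2 ORDER BY addr1"),
        "avg_frame_len": col("SELECT AVG(frame_len) FROM packets")[0],
        "inter_packet_usec": col("SELECT p2.ts_usec - p1.ts_usec FROM packets p1 "
                                 "JOIN packets p2 ON p2.num = p1.num + 1 ORDER BY p2.num"),
    }

AP1, AP2 = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")   # constructed MACs
STA, HOST = bytes.fromhex("aabbccddeeff"), bytes.fromhex("020000000001")

def hdr(fc, a1, a2, a3, seq):
    return struct.pack("<HH", fc, 0) + a1 + a2 + a3 + struct.pack("<H", seq << 4)

def beacon(bssid, ssid, seq):
    fixed = struct.pack("<QHH", 0, 100, 0x0411)      # timestamp, beacon interval, capabilities
    return hdr(0x0080, b"\xff" * 6, bssid, bssid, seq) + fixed + bytes([0, len(ssid)]) + ssid

def sample_pcap():
    """Constructed capture (not real traffic): two APs beaconing, one client exchanging data."""
    frames = [
        (1_000_000, beacon(AP1, b"lab-ap", 1)),                        # 44 bytes
        (1_000_500, hdr(0x0108, AP1, STA, HOST, 7) + b"\x00" * 30),    # data, To-DS, 54 bytes
        (1_001_500, hdr(0x0208, STA, AP1, HOST, 3) + b"\x00" * 50),    # data, From-DS, 74 bytes
        (1_001_600, struct.pack("<HH", 0x00D4, 0) + STA),              # ACK, 10 bytes
        (1_102_400, beacon(AP2, b"guest", 1)),                         # 43 bytes
    ]
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_IEEE802_11))
    for ts, frame in frames:
        sec, usec = divmod(ts, 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)
```

Run `macro_stats(load_pcap(sample_pcap()))` to see the five answers for the constructed capture; pass the bytes of a real DLT_IEEE802_11 pcap to `load_pcap` to query your own trace.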
<br />
<h3 style="text-align: left;">
I need an output in other formats e.g. CSV, JSON, MySQL etc.</h3>
<h3 style="text-align: left;">
</h3>
<div>
We chose XML and SQLITE because one could easily write simple tools in Python or other languages to convert this to other formats. At this time, we have no plans to support any other format.<br />
<br /></div>
<h3 style="text-align: left;">
What is the feature roadmap?</h3>
<br />
<ul style="text-align: left;">
<li>Parse and map all Management Packets (April 2015)</li>
<li>Parse and map all Control Packets (May 2015)</li>
<li>Parse and map some fields from Data Packet (May 2015)</li>
<li>Integrate with Graphs and Charting tools (June 2015)</li>
<li>Allow reverse conversion from XML, SQLITE to PCAP (July 2015) </li>
<li>Integrate and test with PCAP to Air tools for Packet replay (July 2015) </li>
<li>...</li>
</ul>
<br />
<br />
<h3 style="text-align: left;">
Is the tool open source? </h3>
<div>
<br /></div>
<div>
The tool will always be free to use, but currently the source code is not public. We might change this later once we feel the tool is stable enough for collaboration. The tool is digitally signed with our certificate for authenticity.<br />
<br /></div>
<h3 style="text-align: left;">
Where can I download this? Are there any tutorials or documentation?</h3>
<div>
<br /></div>
<div>
<a href="http://www.pentesteracademy.com/course?id=17" target="_blank">Download link and Video Tutorials are available here!</a></div>
<br />
<br />
<br /></div>
Anonymoushttp://www.blogger.com/profile/15979331398238239887noreply@blogger.com0tag:blogger.com,1999:blog-6216396197913419765.post-30581036631607393702014-07-24T03:56:00.003-07:002014-07-24T04:16:22.788-07:00Call for Volunteers - SecurityTube DEFCON 22 Booth<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-r8dMB74CrWg/U9Dh7dQN6cI/AAAAAAAAAfY/MiYD3xPF88Q/s1600/hacking_artwork_characters_defcon_hacking_conference_1024x768_22440.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-r8dMB74CrWg/U9Dh7dQN6cI/AAAAAAAAAfY/MiYD3xPF88Q/s1600/hacking_artwork_characters_defcon_hacking_conference_1024x768_22440.jpg" height="150" width="200" /></a></div>
<br />
We have some really exciting news to share! We will be putting up a booth in the <a href="http://defcon.org/" target="_blank">DEFCON 22</a> Vendor Area next month. We plan to give out some free stuff and hope to meet SecurityTube Users and our Students.<br />
<br />
With close to 13,000+ hackers expected at DEFCON 22, we know we need help managing our booth, and I thought it's best to ask the community for help. So this is our official Call for Volunteers!<br />
<br />
<br />
The Vendor Booth area will be running between 10AM-7PM on Friday, Saturday and Sunday (8th-10th Aug) and we are looking for volunteers to help us for <b>5 hour slots</b>. You are allowed to select multiple slots.<br />
<br />
<h2 style="text-align: left;">
<b>What do Volunteers get?</b></h2>
<div>
<b><br /></b></div>
To show our appreciation, <b>for every 5 hour slot</b> that you volunteer, you get the following:<br />
<br />
<ul style="text-align: left;">
<li>$250 worth of courseware which you can select from <a href="http://securitytube-training.com/" target="_blank">SecurityTube Training</a></li>
<li>$177 worth of <a href="http://pentesteracademy.com/" target="_blank">Pentester Academy</a> subscription (3 months) </li>
<li>$125 worth of goodies - $100 exam voucher + ALFA Wireless Card </li>
<li>SecurityTube Official T-Shirt </li>
<li>Lunch or Dinner is on us! (depending on your slot)</li>
</ul>
<div>
We'd probably estimate<b> a total of $600+ in giveaways for 5 hours of volunteering</b>. Not bad :)<br />
<br />
Please note that you will have to manage your own travel, accommodation and entry into DEFCON.</div>
<div>
<br /></div>
<h2 style="text-align: left;">
<b>What work can you expect?</b></h2>
<div>
<ul style="text-align: left;">
<li>Giving out a ton of FREE stuff to conference attendees coming to our booth</li>
<li>Giving out our Flyers</li>
<li>We would expect you to wear the SecurityTube T-Shirt while at the booth </li>
</ul>
<div>
<br /></div>
</div>
<h2 style="text-align: left;">
<b>Who is Volunteer #1? </b></h2>
<div>
Vivek Ramachandran, chief trainer at SecurityTube Training and Pentester Academy, will be at the booth most of the time (if not all the time).<br />
<br /></div>
<h2 style="text-align: left;">
<b>How do you apply?</b></h2>
<div>
<b><a href="https://docs.google.com/forms/d/1cnNNnQOkytIBQ1K-EP_gvi4eOYGrK7afnLVPiRYkZxM/viewform" target="_blank">Please fill in this form and we will be in touch</a></b>. We understand that most of us prefer to be anonymous online, but you'll have to trust us with some information about yourself if you want us to trust you with our booth :) </div>
<div>
<br /></div>
<br /></div>
Anonymoushttp://www.blogger.com/profile/15979331398238239887noreply@blogger.com0tag:blogger.com,1999:blog-6216396197913419765.post-90665306931654408502014-07-22T04:40:00.001-07:002014-07-22T04:40:50.990-07:00File Upload Vulnerability<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.pentesteracademy.com/video?id=414" target="_blank"><span id="goog_1094438920"></span><img border="0" height="211" src="https://gallery.mailchimp.com/950872c698a3cf5cfcf752971/images/8807ec46-3cad-45e3-aab2-5a37f65807c5.png" width="640" /><span id="goog_1094438921"></span></a></div>
<div style="text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="background-color: white; font-size: small; line-height: 16.8px;"><br /><br />File upload vulnerabilities are an extremely interesting topic with many twists and turns: Content-Type checks, bypassing blacklists, double extensions, defeating getimagesize() checks, null byte injection, getting a Meterpreter on the box via file uploads, and so on.</span></span><br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="background-color: white; font-size: small; line-height: 16.8px;"><br />We just wanted to share one of the interesting videos on this topic - "<b>Defeating Getimagesize() Checks in File Uploads</b>" </span></span></div>
<div style="text-align: left;">
<br />
<br /></div>
<div style="text-align: left;">
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td><a href="http://www.pentesteracademy.com/video?id=429" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;" target="_blank"><img border="0" src="http://videos.pentesteracademy.com.s3.amazonaws.com/videos/sase/thumbnail-038-defeating-getimagesize-checks-file-upload.mp4.jpeg" height="125" width="200" /></a></td></tr>
<tr><td class="tr-caption"><span style="font-size: small;"><span style="color: blue;"><b style="background-color: white; font-family: Arial,Helvetica,sans-serif; line-height: 16.8px; text-align: justify;"><a href="http://www.pentesteracademy.com/video?id=414" target="_blank">Defeating Getimagesize() Checks in File Uploads</a></b></span></span></td></tr>
</tbody></table>
<br />
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="background-color: white; font-size: small; line-height: 16.8px;">In the above video, we go step by step through embedding a webshell into an image and having it executed by the remote server, even when the server uses APIs like getimagesize() to verify that the upload is an image.</span></span><br />
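The defensive side of that point, as an added example that is not code from the post or from the Pentester Academy videos: a check in the spirit of getimagesize() reads only the signature and the size header, so anything appended after the image, or tucked into an ancillary chunk, passes it. The Python below (chosen over PHP so the block runs stand-alone) puts that header-only check beside a stricter structural check for PNG that verifies every chunk CRC, allows only the critical chunk types, and refuses any bytes after IEND, then stores the file under a server-generated name with a fixed extension. Function names, the chunk allow-list and the upload directory are this example's own assumptions; the sample files are constructed inside the block.

```python
import os
import secrets
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Critical chunks only. The ancillary text chunks (tEXt, zTXt, iTXt) are free-form
# byte containers, so the strict check rejects them instead of trusting their content.
ALLOWED_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))


def make_png(width: int, height: int) -> bytes:
    """Constructed test input: a minimal valid 8-bit RGB PNG with all-black pixels."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return (PNG_SIG + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def header_dimensions(data: bytes):
    """Header-only check in the spirit of getimagesize(): signature plus IHDR.
    Returns (width, height) or None. It never reads past byte 24, so anything
    appended after the image is invisible to it."""
    if not data.startswith(PNG_SIG) or len(data) < 33 or data[12:16] != b"IHDR":
        return None
    return struct.unpack(">II", data[16:24])


def strict_png_check(data: bytes):
    """Walk every chunk: CRCs must verify, only allowed chunk types may appear,
    IEND must be last and nothing may follow it. Returns (width, height)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, dims, seen_end = len(PNG_SIG), None, False
    while pos < len(data):
        if seen_end:
            raise ValueError("trailing bytes after IEND")
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated chunk body")
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        if crc != zlib.crc32(ctype + body):
            raise ValueError("bad chunk CRC")
        if ctype not in ALLOWED_CHUNKS:
            raise ValueError(f"disallowed chunk {ctype.decode('latin-1')}")
        if ctype == b"IHDR":
            dims = struct.unpack(">II", body[:8])
        elif ctype == b"IEND":
            seen_end = True
        pos = end
    if dims is None or not seen_end:
        raise ValueError("missing IHDR or IEND")
    return dims


def validate_upload(data: bytes):
    """(ok, reason) wrapper so callers get a value instead of an exception."""
    try:
        w, h = strict_png_check(data)
    except ValueError as exc:
        return False, str(exc)
    return True, f"{w}x{h}"


def safe_store(data: bytes, upload_dir: str) -> str:
    """Validate strictly, then write under a server-generated name with a fixed
    extension. The client's filename and Content-Type are never consulted;
    upload_dir is assumed to sit outside the web root (this example's assumption)."""
    strict_png_check(data)
    name = secrets.token_hex(16) + ".png"
    with open(os.path.join(upload_dir, name), "xb") as fh:
        fh.write(data)
    return name


# Constructed samples (not real uploads):
CLEAN_PNG = make_png(2, 2)
TRAILING_DATA_PNG = CLEAN_PNG + b"<constructed bytes appended after IEND>"
TEXT_CHUNK_PNG = CLEAN_PNG[:-12] + _chunk(b"tEXt", b"Comment\x00constructed") + CLEAN_PNG[-12:]

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN_PNG), ("trailing", TRAILING_DATA_PNG),
                          ("tEXt chunk", TEXT_CHUNK_PNG)]:
        print(label, "header:", header_dimensions(sample), "strict:", validate_upload(sample))
```

Running it shows the header check reporting 2x2 for all three samples while the strict check accepts only the clean file. A structural walk like this is format-specific; for a handler that must accept several image formats the usual choice is to re-encode the upload with an image library and keep only the re-encoded output, which discards trailing data and ancillary chunks in one step. Storing under a server-chosen name outside the web root is what keeps a file from ever being executed, whichever check let it through.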
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="font-size: small;"><br style="background-color: white; line-height: 16.8px;" /></span></span>
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="background-color: white; font-size: small; line-height: 16.8px;">Here are other videos in the series, available only to Pentester Academy subscribers:</span></span></div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="http://www.pentesteracademy.com/video?id=409" target="_blank"><img border="0" src="http://videos.pentesteracademy.com.s3.amazonaws.com/videos/sase/thumbnail-033-file-upload-vulnerability-basics.mp4.jpeg" height="125" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="http://www.pentesteracademy.com/video?id=409" target="_blank"><span style="font-family: Arial,Helvetica,sans-serif;"><span style="color: #0000ee; font-size: small;"><b><u>File Upload Vulnerability Basics</u></b></span></span></a><br />
<h2 class="title-divider">
</h2>
</td></tr>
</tbody></table>
<div style="text-align: left;">
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><img border="0" src="http://videos.pentesteracademy.com.s3.amazonaws.com/videos/sase/thumbnail-034-file-upload-bypass-content-type.mp4.jpeg" height="125" width="200" /></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="http://www.pentesteracademy.com/video?id=410" target="_blank"><span style="font-family: Arial,Helvetica,sans-serif;"><span style="color: blue; font-size: small;"><b><u>Beating Content-Type Check in File Uploads</u></b></span></span></a></td></tr>
</tbody></table>
<span style="font-family: Arial, Helvetica, sans-serif;"></span></div>
<div style="text-align: left;">
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="http://www.pentesteracademy.com/video?id=430" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;" target="_blank"><img border="0" src="http://videos.pentesteracademy.com.s3.amazonaws.com/videos/sase/thumbnail-035-Bypassing-Blacklists-file-upload.mp4.jpeg" height="150" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="http://www.pentesteracademy.com/video?id=411" target="_blank"><span style="font-family: Arial,Helvetica,sans-serif;"><span style="color: #0000ee; font-size: small;"><b><u>Bypassing Blacklists in File Upload</u></b></span></span></a></td></tr>
</tbody></table>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://www.pentesteracademy.com/video?id=431" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;" target="_blank"><img border="0" src="http://videos.pentesteracademy.com.s3.amazonaws.com/videos/sase/thumbnail-036-bypassing-blacklists-withphpx.mp4.jpeg" height="150" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="http://www.pentesteracademy.com/video?id=412" target="_blank"><span style="font-family: Arial,Helvetica,sans-serif;"><span style="color: blue; font-size: small;"><b><u>Bypassing Blacklists using PHPx</u></b></span></span></a></td></tr>
</tbody></table>
</div>
<div style="text-align: left;">
<div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left;"><tbody>
<tr><td style="text-align: center;"><a href="http://www.pentesteracademy.com/video?id=430" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;" target="_blank"><img border="0" src="http://videos.pentesteracademy.com.s3.amazonaws.com/videos/sase/thumbnail-037-bypassing-whitelists-using-double-extensions-in-file-uploads.mp4.jpeg" height="150" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="http://www.pentesteracademy.com/video?id=413" target="_blank"><span style="color: #0000ee; font-family: Arial, Helvetica, sans-serif; font-size: small;"><b><u>Bypassing Whitelists using Double </u></b></span></a><br />
<a href="http://www.pentesteracademy.com/video?id=413" target="_blank"><span style="color: #0000ee; font-family: Arial, Helvetica, sans-serif; font-size: small;"><b><u>Extensions in File Uploads</u></b></span></a></td></tr>
</tbody></table>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td><a href="http://www.pentesteracademy.com/video?id=431" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;" target="_blank"><img border="0" src="http://videos.pentesteracademy.com.s3.amazonaws.com/videos/sase/thumbnail-038-defeating-getimagesize-checks-file-upload.mp4.jpeg" height="150" width="200" /></a></td></tr>
<tr><td class="tr-caption"><a href="http://www.pentesteracademy.com/video?id=414" target="_blank"><span style="color: blue; font-family: Arial, Helvetica, sans-serif; font-size: small;"><b><u>Defeating Getimagesize() Checks in File Uploads</u></b></span></a></td></tr>
</tbody></table>
</div>
</div>
<div style="text-align: left;">
<div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left;"><tbody>
<tr><td style="text-align: center;"><a href="http://www.pentesteracademy.com/video?id=430" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;" target="_blank"><img border="0" src="http://videos.pentesteracademy.com.s3.amazonaws.com/videos/sase/thumbnail-039-null-bye-injection-file-uploads.mp4.jpeg" height="150" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="http://www.pentesteracademy.com/video?id=415" target="_blank"><span style="color: #0000ee; font-family: Arial, Helvetica, sans-serif; font-size: small;"><b><u>Null Byte Injection in File Uploads</u></b></span></a></td></tr>
</tbody></table>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td><a href="http://www.pentesteracademy.com/video?id=431" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;" target="_blank"><img border="0" src="http://videos.pentesteracademy.com.s3.amazonaws.com/videos/sase/thumbnail-040-exploiting-file-uploads-to-get-meterpreter.mp4.jpeg" height="150" width="200" /></a></td></tr>
<tr><td class="tr-caption"><a href="http://www.pentesteracademy.com/video?id=416" target="_blank"><span style="color: blue; font-family: Arial, Helvetica, sans-serif; font-size: small;"><b><u>Exploiting File Uploads to get Meterpreter</u></b></span></a></td></tr>
</tbody></table>
</div>
</div>
<div style="text-align: left;">
<span style="font-family: Arial,Helvetica,sans-serif;"><span style="background-color: white; font-size: small; line-height: 12px;">Happy Uploading!</span><span style="font-size: small;"><br style="background-color: white; line-height: 12px;" /><br style="background-color: white; line-height: 12px;" /><br style="background-color: white; line-height: 12px;" /><span style="background-color: white; line-height: 12px;"></span></span></span></div>
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-6216396197913419765.post-36703351569969863492014-07-08T23:27:00.000-07:002014-07-09T01:37:47.228-07:00Google XSS Game: Challenge Accepted!<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.pentesteracademy.com/course?id=8" target="_blank"><img border="0" src="http://3.bp.blogspot.com/-qKih7ghvb38/U7uySs7aIdI/AAAAAAAAAAM/FYGa17cAk1o/s1600/Newsletter+-+July+7th.jpg" height="211" width="640" /></a></div>
<div style="text-align: justify;">
<span style="font-family: Arial, Helvetica, sans-serif;">Google put out an XSS Game not so long ago and we decided to take a shot at it. We've created our own XSS lab for <a href="http://www.pentesteracademy.com/" target="_blank">Pentester Academy</a> and it was really fun to see that these challenges were way easier to solve than those in our lab! </span></div>
<div style="text-align: justify;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div style="text-align: justify;">
<span style="font-family: Arial, Helvetica, sans-serif;">So, take a shot at the Google XSS Game. Links to the individual challenge solutions are provided below to help you get started. </span></div>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; margin-right: 1em; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="http://www.pentesteracademy.com/video?id=428" target="_blank"><img border="0" src="http://4.bp.blogspot.com/-xKYw6zhvytE/U7u03_bLsJI/AAAAAAAAAAY/kk3UKOY7Vzg/s1600/Google+XSS+Challenge+1.jpg" height="125" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="http://www.pentesteracademy.com/video?id=428" target="_blank"><span style="font-family: Arial, Helvetica, sans-serif; font-size: xx-small;"><span style="color: blue; font-size: x-small;"></span></span></a><span style="font-family: Arial, Helvetica, sans-serif; font-size: xx-small;"><span style="color: blue; font-size: x-small;"><a href="http://www.pentesteracademy.com/video?id=428" target="_blank"><b>Google XSS Challenge 1</b></a></span> <b><span style="color: red;">Free</span></b></span><br />
<h2 class="title-divider">
</h2>
</td></tr>
</tbody></table>
<div style="text-align: left;">
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://www.pentesteracademy.com/video?id=429" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;" target="_blank"><img border="0" src="http://2.bp.blogspot.com/-H-jwnhTqnI0/U7u4Vzvuu0I/AAAAAAAAAAk/c5cjj-6ZFdM/s1600/Google+XSS+Challenge+2.jpg" height="125" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="http://www.pentesteracademy.com/video?id=429" target="_blank"><span style="color: blue;"><span style="font-family: Arial,Helvetica,sans-serif;"><b><span style="font-size: x-small;">Google XSS Challenge 2</span></b></span></span> <span style="color: red;"><b><span style="font-size: xx-small;"><span style="font-family: Arial,Helvetica,sans-serif;">Free</span></span></b></span></a></td></tr>
</tbody></table>
</div>
<div style="text-align: left;">
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="http://www.pentesteracademy.com/video?id=430" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;" target="_blank"><img border="0" src="http://1.bp.blogspot.com/-e-ubtXwKGjs/U7u5vzTfrDI/AAAAAAAAAAw/0XkCryE4BPI/s1600/Google+XSS+Challenge+3.jpeg" height="150" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><a href="http://www.pentesteracademy.com/video?id=430" target="_blank"><span style="color: blue;"><span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><b></b></span></span></a><span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><b><a href="http://www.pentesteracademy.com/video?id=430" target="_blank">Google XSS Challenge 3</a></b></span><span style="font-size: x-small;"> </span></td></tr>
</tbody></table>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://www.pentesteracademy.com/video?id=431" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;" target="_blank"><img border="0" src="http://3.bp.blogspot.com/-kWD70Ka6Mfc/U7vb3XtoNSI/AAAAAAAAABA/mv9tzZxHDbY/s1600/Google+XSS+Challenge+4.jpeg" height="150" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="color: blue;"><a href="http://www.pentesteracademy.com/video?id=431" target="_blank"><b><span style="font-family: Arial, Helvetica, sans-serif; font-size: xx-small;"></span></b></a><b><span style="font-family: Arial, Helvetica, sans-serif; font-size: xx-small;"><a href="http://www.pentesteracademy.com/video?id=431" target="_blank"><span style="color: blue;"><span style="font-size: x-small;">Google XSS Challenge 4</span></span> </a></span></b></span></td></tr>
</tbody></table>
</div>
<div style="text-align: left;">
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="float: left; text-align: left;"><tbody>
<tr><td style="text-align: center;"><a href="http://www.pentesteracademy.com/video?id=432" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;" target="_blank"><img border="0" src="http://2.bp.blogspot.com/-di0w8emOZgM/U7vcryICeAI/AAAAAAAAABI/k7a_Eu8r_JA/s1600/Google+XSS+Challenge+5.jpeg" height="150" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="color: blue;"><a href="http://www.pentesteracademy.com/video?id=432" target="_blank"><span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><b></b></span></a><span style="font-family: Arial, Helvetica, sans-serif; font-size: x-small;"><b><a href="http://www.pentesteracademy.com/video?id=432" target="_blank">Google XSS Challenge 5</a></b></span></span></td></tr>
</tbody></table>
<table cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="http://www.pentesteracademy.com/video?id=433" imageanchor="1" style="clear: left; margin-bottom: 1em; margin-left: auto; margin-right: auto;" target="_blank"><img border="0" src="http://2.bp.blogspot.com/-sbawA-D4gQs/U7vdw3TmbOI/AAAAAAAAABU/1l3kO6q_9Ow/s1600/Google+XSS+Challenge+6.jpg" height="125" width="200" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><span style="font-size: x-small;"><a href="http://www.pentesteracademy.com/video?id=433" target="_blank"><span style="color: blue;"><b><span style="font-family: Arial, Helvetica, sans-serif;">Google XSS Challenge 6</span></b></span></a> </span><span style="font-family: Arial, Helvetica, sans-serif; font-size: xx-small;"><b><span style="color: red;">Free</span></b></span></td></tr>
</tbody></table>
</div>
<div style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">These videos are part of the <span style="color: blue;"><a href="http://www.pentesteracademy.com/course?id=5" target="_blank">Web Application Security Course</a></span> at <span style="color: blue;"><a href="http://www.pentesteracademy.com/" target="_blank">Pentester Academy</a></span>. We are hosting interesting <span style="color: blue;"><a href="http://www.pentesteracademy.com/course?id=8" target="_blank">Web Application Security Challenges</a> </span>in this section for our students to try out. </span></div>
<div style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: Arial, Helvetica, sans-serif;">We also have many more interesting courses related to various other topics in the InfoSec domain. To know more, please visit: <a href="http://pentesteracademy.com/topics" target="_blank">http://PentesterAcademy.com/topics</a> </span></div>
</div>
Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-6216396197913419765.post-17620615800274752812013-09-16T08:18:00.001-07:002013-09-16T08:28:56.057-07:00Joe's Pentester Lab <div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<div class="MsoNormal">
Hello All, today I’m really excited to tell you about
something new and very interesting. My good friend <a href="https://twitter.com/j0emccray">Joe
McCray</a>
has just built and launched his <a href="http://strategicsec.com/services/training-services/pentester-lab/">Pentester
Lab Network</a>. I met Joe for the first time at Hacktivity 2011 and since then we've been really great friends. Being the curious type, I decided to take a look for myself.
I sent an email to Joe and asked whether I could have access and check it out myself. After I signed up I spoke to Joe about how it all worked, and he even gave me
some access to the management side of the infrastructure as well.</div>
<div class="MsoNormal">
If you don't have too much time to read this in detail, scroll down to the end of this post! The rest of the post is a quick walk-through of what I saw and how much it impressed me!</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>How You Connect To The Lab</b></div>
<div class="MsoNormal">
The lab network is accessed through an OpenVPN client, so
you can connect from any host that runs one: BackTrack/Kali Linux, your Mac, your Windows
machine, even a tablet or smartphone. Joe also provides an Ubuntu virtual
machine that is pre-configured to connect to the lab network VPN. Both the
username and the password for this virtual machine are ‘strategicsec’.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-IMBzElbp1ag/Ujcd-21pJ1I/AAAAAAAAAVM/10mJ_-xBTQ4/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="136" src="http://2.bp.blogspot.com/-IMBzElbp1ag/Ujcd-21pJ1I/AAAAAAAAAVM/10mJ_-xBTQ4/s320/1.png" width="320" /></a></div>
<div class="MsoNormal">
You’ll be presented with an empty desktop. Open a Terminal window by holding down
[Ctrl+Alt] and then pressing T. Or find
it through the left sidebar by clicking on Dash home,</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-fi4rV1HfNjI/UjceM0jkt5I/AAAAAAAAAVU/RWlLPeXxmkc/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="136" src="http://2.bp.blogspot.com/-fi4rV1HfNjI/UjceM0jkt5I/AAAAAAAAAVU/RWlLPeXxmkc/s320/2.png" width="320" /></a></div>
<div class="MsoNormal">
then typing “terminal” in the search bar</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-tg_h48aoEIQ/UjceXvoR2rI/AAAAAAAAAVc/_EdqmASqeZU/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="144" src="http://1.bp.blogspot.com/-tg_h48aoEIQ/UjceXvoR2rI/AAAAAAAAAVc/_EdqmASqeZU/s320/3.png" width="320" /></a></div>
<div class="MsoNormal">
and selecting “Terminal”.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
At the newly open Terminal window, type the command: <b style="mso-bidi-font-weight: normal;">vpn</b></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-aAPjUbdULcc/Ujceitrgm9I/AAAAAAAAAVk/s4Fz9IZUpOg/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="91" src="http://2.bp.blogspot.com/-aAPjUbdULcc/Ujceitrgm9I/AAAAAAAAAVk/s4Fz9IZUpOg/s320/4.png" width="320" /></a></div>
<div class="MsoNormal">
The VPN service will start and will ask you for your
username, then your password. These are
the username and password that Joe McCray provided to you.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-mVeIq0_cGFA/UjcewTqOfFI/AAAAAAAAAVs/7mFi0gxDdX8/s1600/5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="70" src="http://1.bp.blogspot.com/-mVeIq0_cGFA/UjcewTqOfFI/AAAAAAAAAVs/7mFi0gxDdX8/s320/5.png" width="320" /></a></div>
<div class="MsoNormal">
When this completes, you can open another Terminal window or
tab and type the command: <b style="mso-bidi-font-weight: normal;">ifconfig</b></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
This will list all of your network interfaces, and you
can verify that a tap0 interface has been created and that it has been assigned an
IP address on the lab network.</div>
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-8_qoVX3Fdr0/Ujce_bGxJzI/AAAAAAAAAV0/aTUXRdINekk/s1600/6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="94" src="http://1.bp.blogspot.com/-8_qoVX3Fdr0/Ujce_bGxJzI/AAAAAAAAAV0/aTUXRdINekk/s320/6.png" width="320" /></a></div>
<div class="MsoNormal">
Congratulations, you are ready to begin working in the
Strategic Security Lab!</div>
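<div class="MsoNormal">
The manual check above (run <b>ifconfig</b>, look for tap0, look for an address) is the kind of thing worth scripting so it is done the same way every session before any tool is pointed at the lab. The following is an added example, not code from the original post or from Joe's lab: it parses the text that <b>ifconfig</b> prints, so it runs offline on the constructed sample output embedded in it, and reports whether tap0 exists, whether it has an IPv4 address yet (OpenVPN creates the interface before the address is pushed), and whether that address is inside the lab range. The 10.10.0.0/16 prefix is an assumption based on the 10.10.x.x addresses shown later in the post; the sample MAC and IP addresses and the function names are constructed for the example.</div>

```python
"""Check that the lab VPN tunnel interface is up and holds a lab address.

Added example, not code from the post or the lab. It parses ``ifconfig``
output text so it runs offline on the constructed samples below. The lab
prefix 10.10.0.0/16 is an assumption based on the addresses in the post.
"""
import ipaddress
import re

# Constructed sample of ``ifconfig`` output, modelled on an Ubuntu machine of
# the period once OpenVPN has brought up tap0 (all addresses are made up).
SAMPLE_IFCONFIG_UP = """\
eth0      Link encap:Ethernet  HWaddr 08:00:27:3a:1b:2c
          inet addr:192.168.56.101  Bcast:192.168.56.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1

tap0      Link encap:Ethernet  HWaddr 5e:92:0c:7b:41:aa
          inet addr:10.10.5.128  Bcast:10.10.5.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""

# Constructed sample of the same machine a moment earlier: OpenVPN has created
# tap0 but the server has not pushed an address yet.
SAMPLE_IFCONFIG_NO_ADDR = """\
tap0      Link encap:Ethernet  HWaddr 5e:92:0c:7b:41:aa
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
"""

LAB_PREFIX = "10.10.0.0/16"  # assumed lab range, see the lead-in


def parse_ifconfig(text):
    """Return {interface_name: ipv4_address_or_None} from ifconfig output.

    Handles both the classic ``inet addr:1.2.3.4`` layout and the newer
    ``inet 1.2.3.4`` layout (where the header line reads ``tap0: flags=...``).
    """
    interfaces = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            # An unindented line starts a new interface block.
            current = line.split()[0].rstrip(":")
            interfaces[current] = None
        elif current is not None:
            # ``\binet `` deliberately does not match ``inet6`` lines.
            m = re.search(r"\binet (?:addr:)?(\d+\.\d+\.\d+\.\d+)", line)
            if m:
                interfaces[current] = m.group(1)
    return interfaces


def tunnel_ready(text, iface="tap0", lab_prefix=LAB_PREFIX):
    """Return the lab IPv4 address on ``iface``, or None if it is not usable.

    None covers three distinct failure modes a user hits in practice: the
    interface does not exist (VPN never started), it exists without an IPv4
    address (still negotiating), or it has an address outside the lab range
    (connected to the wrong profile).
    """
    addr = parse_ifconfig(text).get(iface)
    if addr is None:
        return None
    if ipaddress.ip_address(addr) not in ipaddress.ip_network(lab_prefix):
        return None
    return addr


if __name__ == "__main__":
    for label, sample in (("up", SAMPLE_IFCONFIG_UP),
                          ("no address yet", SAMPLE_IFCONFIG_NO_ADDR)):
        print("%s -> %s" % (label, tunnel_ready(sample)))
```

On a live machine the samples would be replaced by the captured output of the real command (for instance via <b>subprocess.check_output(["ifconfig"])</b>); the parsing and the three-way distinction stay the same.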
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>What is a Pathway?</b></div>
<div class="MsoNormal">
Joe provides what he calls ‘Pathways’, which are basically
step-by-step walk-throughs of attack sequences in the network. These pathways
are designed to take the student through a myriad of pentesting skills
by performing the steps in each respective pathway. Students are strongly
encouraged to submit pathways as well. I decided to try a pathway and see what
it was like. Here is one that walks a user through a web application attack
that transitions to a host-based attack.</div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-5sa5n3pANtE/UjcfZ-_nZgI/AAAAAAAAAV8/IY2MBDM05TU/s1600/7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="267" src="http://3.bp.blogspot.com/-5sa5n3pANtE/UjcfZ-_nZgI/AAAAAAAAAV8/IY2MBDM05TU/s320/7.png" width="320" /></a></div>
<div class="MsoNormal">
In the search field I checked for the first step of SQL
injection: a nice single quote in the search bar.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-iEJkKGAIMmY/Ujcfw_5lPmI/AAAAAAAAAWE/hW8DLIbjLCg/s1600/8.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="107" src="http://4.bp.blogspot.com/-iEJkKGAIMmY/Ujcfw_5lPmI/AAAAAAAAAWE/hW8DLIbjLCg/s320/8.png" width="320" /></a></div>
<div class="MsoNormal">
Well, that’s a nice error message.</div>
<div class="MsoNormal">
After playing around with the site a bit and some Google
searches, I tried to execute operations in the URL bar.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-PCDINqlLpW4/Ujcf95D3JcI/AAAAAAAAAWM/0jfbqkVa-3M/s1600/9.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="26" src="http://1.bp.blogspot.com/-PCDINqlLpW4/Ujcf95D3JcI/AAAAAAAAAWM/0jfbqkVa-3M/s320/9.png" width="320" /></a></div>
<div class="MsoNormal">
This shows me that there is SQL injection and I can execute
operations. To try and get a shell I’ll use Metasploit and a SQL injection
exploit (ideas for this also came from the pathway PDF).</div>
<div class="MsoNormal">
Let’s check it with Metasploit:</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>setg LHOST 10.10.5.128</b></div>
<div class="MsoNormal">
<b>set RHOST 10.10.10.105</b></div>
<div class="MsoNormal">
<b>set GET_PATH /bookdetail.aspx?id=2;[SQLi]</b></div>
<div class="MsoNormal">
Using the reverse TCP Meterpreter payload.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-490OVok4kGU/UjcgIS_D9-I/AAAAAAAAAWU/kNQzm6AN7ig/s1600/10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="163" src="http://1.bp.blogspot.com/-490OVok4kGU/UjcgIS_D9-I/AAAAAAAAAWU/kNQzm6AN7ig/s400/10.png" width="400" /></a></div>
<div class="MsoNormal">
This is not the complete pathway of course. Each pathway
that I looked at was well over 50 pages. The pathway goes on to cover
post-exploitation steps such as hashdumping and pivoting. I must say that I was
very impressed.</div>
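<div class="MsoNormal">
The single quote that produced the "nice error message" above is the textbook first probe for SQL injection, and the target page, <b>bookdetail.aspx?id=2</b>, has the textbook vulnerable shape: a numeric id read straight from the URL into a query. The following is an added example, not code from the post, the pathway or the lab: an in-memory SQLite table stands in for the book catalogue, the string-concatenating lookup sits next to the parameterised one, and a small page handler shows the difference between echoing the database error to the user (which is what turns a quote into a confirmation) and returning a generic message. The table, its rows, the function names and the <b>verbose_errors</b> switch are constructed for the example.</div>

```python
"""Vulnerable vs. parameterised lookup behind a page like bookdetail.aspx?id=N

Added example, not code from the post or the lab. SQLite stands in for the
real database; the table, its rows and every name below are constructed.
"""
import sqlite3


def make_db():
    """In-memory catalogue with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT, author TEXT)"
    )
    conn.executemany(
        "INSERT INTO books VALUES (?, ?, ?)",
        [(1, "Sample Title One", "A. Author"),
         (2, "Sample Title Two", "B. Author")],
    )
    return conn


def bookdetail_vulnerable(conn, book_id):
    """The bug: the statement is assembled from the raw URL parameter.

    A value such as 2' leaves an unbalanced quote, so the database rejects
    the statement; if the page prints the exception, the user sees the
    database's own error text (the 'nice error message' from the post).
    """
    sql = "SELECT title, author FROM books WHERE id = '" + book_id + "'"
    return conn.execute(sql).fetchone()


def bookdetail_fixed(conn, book_id):
    """Parameterised query: book_id travels as a bound value, never as SQL.

    Quotes or semicolons in it cannot alter the statement; they simply fail
    to match any row, so the probe returns None instead of an error.
    """
    return conn.execute(
        "SELECT title, author FROM books WHERE id = ?", (book_id,)
    ).fetchone()


def render_page(lookup, conn, book_id, verbose_errors):
    """Simulated page handler. Returns (http_status, body).

    verbose_errors=True mimics a site that shows the raw database error;
    False returns a generic message so the error text cannot be used as an
    oracle for what the backend is doing.
    """
    try:
        row = lookup(conn, book_id)
    except sqlite3.Error as exc:
        if verbose_errors:
            return 500, "Database error: %s" % exc
        return 500, "An error occurred."
    if row is None:
        return 404, "No such book."
    return 200, "%s by %s" % row


if __name__ == "__main__":
    db = make_db()
    for name, fn in (("vulnerable", bookdetail_vulnerable),
                     ("fixed", bookdetail_fixed)):
        for probe in ("2", "2'"):
            print(name, repr(probe), render_page(fn, db, probe, True))
```

Two independent fixes are on show: binding the parameter removes the injection, and suppressing the raw error removes the signal that told the post's author the injection was there. In a real handler for a numeric id one would also reject anything that is not digits before touching the database; that check is left out here so that the bound-parameter behaviour on <b>2'</b> is visible on its own.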
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>How big is this infrastructure?</b></div>
<div class="MsoNormal">
Joe gave me a great deal of access to the infrastructure so
I could understand how all of it worked. Brace yourself ladies and gentlemen –
this network is HUGE.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-yz6HIhBZtRA/UjcgWjkhvpI/AAAAAAAAAWc/clmoshXelM8/s1600/11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="315" src="http://1.bp.blogspot.com/-yz6HIhBZtRA/UjcgWjkhvpI/AAAAAAAAAWc/clmoshXelM8/s640/11.png" width="640" /></a></div>
<div class="MsoNormal">
Joe uses a VMware ESX infrastructure with several ESX
servers managed by VMware vCenter.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-D5yikCWOQ-w/UjcghvGE44I/AAAAAAAAAWk/Kol0g993-qY/s1600/12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="243" src="http://3.bp.blogspot.com/-D5yikCWOQ-w/UjcghvGE44I/AAAAAAAAAWk/Kol0g993-qY/s400/12.png" width="400" /></a></div>
<div class="MsoNormal">
When this screenshot was taken there were only 9 ESX
servers, but Joe has told me that he now has nearly 50 ESX servers and is
deploying a few more each month. Each ESX server can comfortably run dozens of
virtual machines.</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-g3Y4zVj7_2g/UjcgupfonGI/AAAAAAAAAWs/OgcVYl-RYhY/s1600/13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="364" src="http://1.bp.blogspot.com/-g3Y4zVj7_2g/UjcgupfonGI/AAAAAAAAAWs/OgcVYl-RYhY/s640/13.png" width="640" /></a></div>
<div class="MsoNormal">
<b>What kind of support do you get?</b></div>
<div class="MsoNormal">
Joe told me that he built a trouble ticket system so
participants can submit trouble tickets when a target host is no longer
exploitable or has become unresponsive. He built an IRC server and Wiki for the
lab network participants to communicate with each other and get help as well.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Joe is going to give you a one-time price of $300 for 6 months of access starting on 1 October. Go ahead and jump on this because he is only going to make this offer to the first 50 people that sign up. </div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Don’t wait – sign up now!</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Here is the payment link for this offer:</div>
<a href="https://www.paypal.com/cgi-bin/webscr?cmd=_xclick&business=joe%40strategicsec%2ecom&item_name=Pentester%20Lab%20Network%20For%20SecurityTubers&item_number=PentesterLabNetworkSecurityTubers&amount=300%2e00&no_shipping=0&no_note=1&currency_code=USD&lc=US&bn=PP%2dBuyNowBF&charset=UTF%2d8" target="_blank">Sign Up with Paypal!!!</a><br />
<br />
<div class="MsoNormal">
Main Lab Page:</div>
<div class="MsoNormal">
<a href="http://strategicsec.com/services/training-services/pentester-lab/" target="_blank">http://strategicsec.com/services/training-services/pentester-lab/</a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
Lab Network Datasheet:</div>
<a href="http://strategicsec.com/What-Is-The-Pentester-Lab-Network.pdf" target="_blank">http://strategicsec.com/What-Is-The-Pentester-Lab-Network.pdf</a><br />
<br />
<br />
<br />
<div class="MsoNormal">
<br /></div>
</div>
Anonymous http://www.blogger.com/profile/15979331398238239887 noreply@blogger.com 0
tag:blogger.com,1999:blog-6216396197913419765.post-5748340594814808082013-04-10T04:10:00.001-07:002013-04-10T05:41:43.756-07:00
Finding Publicly Readable Files in your Amazon S3 Account<div dir="ltr" style="text-align: left;" trbidi="on">
<a href="http://aws.amazon.com/s3/" target="_blank">Amazon S3</a> is a cloud storage service which is used by thousands of Enterprises worldwide. The most common use case is data backups. Before going into the specifics, let's try and understand how Amazon S3 organizes data. A registered Amazon S3 user organizes his data (files) into Buckets. A file can be fetched using its unique Key. The user can access his file using the full path http://<b>Bucket_Name</b>.s3.amazonaws.com/<b>Key</b><br />
<br />
e.g. <a href="http://code.securitytube.net.s3.amazonaws.com/IP-Packet-Injection.c">http://code.securitytube.net.s3.amazonaws.com/IP-Packet-Injection.c</a><br />
<br />
In the above example <b>code.securitytube.net</b> is the bucket name and <b>IP-Packet-Injection.c</b> is the Key. <br />
<br />
The service is great but is prone to easy misconfiguration by Sys Admins
who may be new to the cloud. As lame as it might sound, the <i><b>most
common mistake seems to be to make your S3 data publicly readable</b></i>. Robin Wood (<a href="https://twitter.com/digininja" target="_blank">@digininja</a>) was the <a href="http://www.digininja.org/blog/whats_in_amazons_buckets.php" target="_blank">first to point this out</a> and wrote a tool called <a href="http://www.digininja.org/projects/bucket_finder.php" target="_blank">Bucket Finder</a>. A bucket with the public-read permission exposes its directory index as an XML listing, and the tool can then try to download the files named in that listing. Below is an example: <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-wY_OHm4c3tE/UWU8L_fOWDI/AAAAAAAAARM/AORAmzPrgx8/s1600/Screen+Shot+2013-04-10+at+3.44.52+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="290" src="http://1.bp.blogspot.com/-wY_OHm4c3tE/UWU8L_fOWDI/AAAAAAAAARM/AORAmzPrgx8/s640/Screen+Shot+2013-04-10+at+3.44.52+PM.png" width="640" /></a></div>
<br />
If a Bucket is private, we cannot fetch the listing:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-zckft1U40D8/UWU8vbbxGNI/AAAAAAAAARU/ewCAOhf2kQE/s1600/Screen+Shot+2013-04-10+at+3.49.16+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="170" src="http://2.bp.blogspot.com/-zckft1U40D8/UWU8vbbxGNI/AAAAAAAAARU/ewCAOhf2kQE/s640/Screen+Shot+2013-04-10+at+3.49.16+PM.png" width="640" /></a></div>
However, interestingly, files inside a private bucket could mistakenly have public-read enabled on them.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-tQh4GMAD0fo/UWU9dYj8PyI/AAAAAAAAARc/ebZpqAhwt3w/s1600/Screen+Shot+2013-04-10+at+3.52.08+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="227" src="http://1.bp.blogspot.com/-tQh4GMAD0fo/UWU9dYj8PyI/AAAAAAAAARc/ebZpqAhwt3w/s640/Screen+Shot+2013-04-10+at+3.52.08+PM.png" width="640" /></a></div>
<br />
What this means is that you could use tools which try to find "Hidden" files and directories on Web Servers in this scenario once you are aware that the Bucket exists but is private. <br />
<br />
Recently the Metasploit team did some analysis on a larger sample of S3 buckets and published an article which confirmed that many <a href="https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets" target="_blank">Enterprises have misconfigured their S3 buckets</a> to be publicly readable.<br />
<br />
<span style="color: red;"><b>Now coming to the goal of this post:</b></span> If you use Amazon S3, what should you do? Immediately check your S3 buckets for world-readable files and make them private if you accidentally have any public right now.<br />
<br />
If you have thousands of files, how would you check and do this? Definitely not manually :) In this post, I will show you how to trivially automate the process using a Python library called Boto.<br />
<br />
Let us first try and understand what the permission sets look like from a programmer's perspective. Below is a simple script to learn about permissions:<br />
<br />
<script src="https://gist.github.com/securitytube/5353560.js"></script>
Let us set the permission set to "<b>private</b>" on the bucket "<b>hackoftheday</b>" and see the response:<br />
<br />
<a href="http://1.bp.blogspot.com/-HHRl0dOGuj0/UWVBz9w51nI/AAAAAAAAARs/YZzlcDAwuY4/s1600/Screen+Shot+2013-04-10+at+4.11.01+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="168" src="http://1.bp.blogspot.com/-HHRl0dOGuj0/UWVBz9w51nI/AAAAAAAAARs/YZzlcDAwuY4/s640/Screen+Shot+2013-04-10+at+4.11.01+PM.png" width="640" /></a><br />
<br />
Let us now set the permission to "<b>public-read</b>" on the bucket "<b>hackoftheday</b>":<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-kPlMlalzL4U/UWVC3U5ta3I/AAAAAAAAAR4/tmF1ke3vu2g/s1600/Screen+Shot+2013-04-10+at+4.15.00+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="176" src="http://3.bp.blogspot.com/-kPlMlalzL4U/UWVC3U5ta3I/AAAAAAAAAR4/tmF1ke3vu2g/s640/Screen+Shot+2013-04-10+at+4.15.00+PM.png" width="640" /></a></div>
<br />
<br />
Fantastic! So we basically note that a "<b>READ</b>" grant shows up in the ACL whenever "<b>public-read</b>" is set on the bucket. Please note that if you go through the documentation in detail, READ can also be granted when you do not make the bucket publicly readable but readable to any <a href="http://boto.s3.amazonaws.com/s3_tut.html#setting-getting-the-access-control-list-for-buckets-and-keys" target="_blank">authenticated user on Amazon S3</a>. This is just as unsafe, since that could pretty much be ANY other S3 user.<br />
<br />
Now, all we have to do is check for <b>READ</b> on every file in our bucket to see if any of the files that were supposed to be private have it. Here is the code to do it:<br />
<br />
<br />
<script src="https://gist.github.com/securitytube/5353620.js"></script>
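Since the gist above is an embedded script that may not render, here is an added scanner, not the post's code, that does the same check with boto3 (the successor of the Boto library the post used): it walks every key, looks for ACL grants to the AllUsers and AuthenticatedUsers groups, and can reset offending objects to private. The FakeS3Client, its sample keys and the names exposed_grants / scan_bucket are constructed for this example so it runs offline; note that it inspects ACLs only, so a bucket policy that makes data public would not be caught.

```python
"""Scan an S3 bucket for objects whose ACL grants access to everyone.

Added example, not the post's gist: it uses boto3 instead of the boto 2
library the post used, and the names PUBLIC_GROUPS, exposed_grants,
scan_bucket and FakeS3Client are this example's own. Only ACL grants are
inspected; a bucket policy can also make data public and is not checked.
"""

# Grantee URIs of the two predefined S3 groups. AllUsers is anonymous
# access; AuthenticatedUsers is any AWS account holder, which the post
# rightly treats as just as unsafe.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "public",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any-aws-user",
}


def exposed_grants(grants):
    """Return (who, permission) pairs for grants made to a public group.

    `grants` is the 'Grants' list of a get_object_acl / get_bucket_acl
    response. A CanonicalUser grant names one account and is left alone.
    """
    found = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        who = PUBLIC_GROUPS.get(grantee.get("URI", ""))
        if who:
            found.append((who, grant["Permission"]))
    return found


def scan_bucket(client, bucket, fix=False):
    """Report every ACL grant in `bucket` that exposes data; optionally reset it.

    `client` is a boto3 S3 client (or anything with the same five methods).
    Returns {key or "<bucket>": [(who, permission), ...]} for exposed entries.
    """
    report = {}
    bucket_bad = exposed_grants(client.get_bucket_acl(Bucket=bucket)["Grants"])
    if bucket_bad:
        report["<bucket>"] = bucket_bad
        if fix:
            client.put_bucket_acl(Bucket=bucket, ACL="private")
    paginator = client.get_paginator("list_objects_v2")
    for page in paginator.paginate(Bucket=bucket):
        for obj in page.get("Contents", []):
            key = obj["Key"]
            acl = client.get_object_acl(Bucket=bucket, Key=key)
            bad = exposed_grants(acl["Grants"])
            if bad:
                report[key] = bad
                if fix:
                    # The canned ACL 'private' leaves only owner FULL_CONTROL.
                    client.put_object_acl(Bucket=bucket, Key=key, ACL="private")
    return report


class FakeS3Client:
    """Constructed stand-in for boto3's client so the example runs offline.

    It models the post's scenario: a private bucket holding one world-readable
    file, one readable by any authenticated AWS user, and one private file.
    """
    ALL = "http://acs.amazonaws.com/groups/global/AllUsers"
    AUTH = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
    OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
             "Permission": "FULL_CONTROL"}

    def __init__(self):
        self.bucket_acl = [self.OWNER]
        self.acls = {
            "backup.tar.gz": [self.OWNER, {"Grantee": {"Type": "Group", "URI": self.ALL},
                                           "Permission": "READ"}],
            "notes.txt": [self.OWNER, {"Grantee": {"Type": "Group", "URI": self.AUTH},
                                       "Permission": "READ"}],
            "secret.key": [self.OWNER],
        }

    def get_bucket_acl(self, Bucket):
        return {"Grants": list(self.bucket_acl)}

    def put_bucket_acl(self, Bucket, ACL):
        self.bucket_acl = [self.OWNER]

    def get_paginator(self, name):
        keys = list(self.acls)

        class Paginator:
            def paginate(self, Bucket):
                yield {"Contents": [{"Key": k} for k in keys]}
        return Paginator()

    def get_object_acl(self, Bucket, Key):
        return {"Grants": list(self.acls[Key])}

    def put_object_acl(self, Bucket, Key, ACL):
        self.acls[Key] = [self.OWNER]


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:          # real run: python s3_acl_scan.py <bucket-name>
        import boto3
        client, bucket = boto3.client("s3"), sys.argv[1]
    else:                           # offline demo against the constructed data
        client, bucket = FakeS3Client(), "hackoftheday"
    for key, grants in scan_bucket(client, bucket).items():
        print(f"{key}: {grants}")
```

Run it with a bucket name and real AWS credentials to scan for real; pass fix=True to scan_bucket only after reviewing the report, since it rewrites each flagged ACL.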
<br />
Let us run this against "<b>hackoftheday</b>" now. The bucket itself is private but a file inside it is publicly readable:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-vOqBbmzCI0k/UWVEhPK2ceI/AAAAAAAAASI/M3uMj8EotdQ/s1600/Screen+Shot+2013-04-10+at+4.22.34+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="176" src="http://2.bp.blogspot.com/-vOqBbmzCI0k/UWVEhPK2ceI/AAAAAAAAASI/M3uMj8EotdQ/s400/Screen+Shot+2013-04-10+at+4.22.34+PM.png" width="400" /></a></div>
<br />
<br />
Let's check <b>js.securitytube.net</b> now:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-BSndWRQkffs/UWVEwxeRkZI/AAAAAAAAASU/HV2m4QamSs8/s1600/Screen+Shot+2013-04-10+at+4.23.16+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="http://1.bp.blogspot.com/-BSndWRQkffs/UWVEwxeRkZI/AAAAAAAAASU/HV2m4QamSs8/s640/Screen+Shot+2013-04-10+at+4.23.16+PM.png" width="595" /> </a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Awesome! So you see how just a few lines of Python can allow you to create your own S3 scanner to ensure your S3 files are safe :) </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
If you like Video Demos, please <a href="http://www.securitytube.net/video/7313" target="_blank">check out my explanation here</a>. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://lh6.googleusercontent.com/proxy/rukNXSDmhfJMrXFi_tvt4eyorcYXTUP8OzquUoUV3IeMqNrGUcZjZud8c0hmMJStyhBgWeP7ugAtSTQ55Y48eMEwM6EBaCkMHx-KdPi-3tDvVIWL068UqDUsIWqJhV4jjIYQ8A084fI1BCtWqgYDr-IK1sTodSb1aQ" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="153" src="https://lh6.googleusercontent.com/proxy/rukNXSDmhfJMrXFi_tvt4eyorcYXTUP8OzquUoUV3IeMqNrGUcZjZud8c0hmMJStyhBgWeP7ugAtSTQ55Y48eMEwM6EBaCkMHx-KdPi-3tDvVIWL068UqDUsIWqJhV4jjIYQ8A084fI1BCtWqgYDr-IK1sTodSb1aQ" width="320" /></a>If you are interested in learning how to use Python for Pentesting then please have a look at our <a href="http://securitytube-training.com/online-courses/securitytube-python-scripting-expert/" target="_blank"><b>SecurityTube Python Scripting Expert </b></a>course.
This course is ideal for penetration testers, security enthusiasts and
network administrators who want to learn to automate tasks or go beyond
just using ready-made tools. We will be covering topics in system
security, network security, attacking web applications and services,
exploitation techniques, malware and binary analysis and task
automation. We have students from 73+ countries taking this course
already!</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
</div>
Anonymous http://www.blogger.com/profile/15979331398238239887 noreply@blogger.com 1
tag:blogger.com,1999:blog-6216396197913419765.post-83304235874829072872013-04-05T23:47:00.000-07:002013-04-07T03:12:45.164-07:00
My Code made it to a Hollywood Movie<div dir="ltr" style="text-align: left;" trbidi="on">
One of the first things I do every morning is check the Twitter chatter about my website (<a href="https://twitter.com/SecurityTube" target="_blank">@SecurityTube</a>) . I was pleasantly surprised to see this:<br />
<br />
<div align="center">
<blockquote class="twitter-tweet">
@<a href="https://twitter.com/whd">whd</a> Seems you stole h@x0r code from the internet... orig: <a href="http://t.co/EWYtmMFlIY" title="http://goo.gl/VzY3Q">goo.gl/VzY3Q</a>WHD: <a href="http://t.co/5HldHdfA55" title="http://i49.tinypic.com/2vnrkw8.png">i49.tinypic.com/2vnrkw8.png</a><a href="https://twitter.com/search/%23fail">#fail</a> <a href="https://twitter.com/search/%23lol">#lol</a> <a href="https://twitter.com/search/%23WhiteHouseDown">#WhiteHouseDown</a><br />
— EvE Skunk (@eveskunk) <a href="https://twitter.com/eveskunk/status/320329532970246146">April 6, 2013</a></blockquote>
</div>
<br />
I've embedded the image from the tweet:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://oi49.tinypic.com/2vnrkw8.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="364" src="http://oi49.tinypic.com/2vnrkw8.jpg" width="640" /></a></div>
<br />
Source: <a href="http://oi49.tinypic.com/2vnrkw8.jpg">http://oi49.tinypic.com/2vnrkw8.jpg</a><br />
<br />
I've verified that this really is from the movie White House Down due for release in 2013 from their <a href="http://youtu.be/4AXbiCdmXgw?t=1m40s" target="_blank">YouTube trailer at 1:39</a><br />
<br />
<iframe allowfullscreen="" frameborder="0" height="315" src="http://www.youtube.com/embed/4AXbiCdmXgw" width="560"></iframe>
<br />
The code in question seems to be from multiple programs which I had written way back in 2007-2008 to demonstrate the use of Raw Sockets in writing Packet Injection programs. Here is a list of the code files (GIST embeds at the end of the post):<br />
<br />
<ol style="text-align: left;">
<li><a href="http://code.securitytube.net/Programming-an-ARP-DoS-Tool.c">http://code.securitytube.net/Programming-an-ARP-DoS-Tool.c</a></li>
<li><a href="http://code.securitytube.net/Generic-Packet-Injection-Program.c">http://code.securitytube.net/Generic-Packet-Injection-Program.c</a></li>
<li><a href="http://code.securitytube.net/Ethernet-Packet-Injection.c">http://code.securitytube.net/Ethernet-Packet-Injection.c</a></li>
<li><a href="http://code.securitytube.net/TCP-Packet-Injection.c">http://code.securitytube.net/TCP-Packet-Injection.c</a></li>
<li><a href="http://code.securitytube.net/IP-Packet-Injection.c">http://code.securitytube.net/IP-Packet-Injection.c</a></li>
</ol>
I know most of the code snippets in the image could have been pretty much from any low level networking tool, so I am just going to focus on the comments :) which are almost like a programmer's signature.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-WPrpJpyJJOc/UV-1p69GnxI/AAAAAAAAAPs/HRXIZyftFKs/s1600/Screen+Shot+2013-04-06+at+11.11.17+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="76" src="http://3.bp.blogspot.com/-WPrpJpyJJOc/UV-1p69GnxI/AAAAAAAAAPs/HRXIZyftFKs/s640/Screen+Shot+2013-04-06+at+11.11.17+AM.png" width="640" /></a></div>
<br />
<b>/* First Get the Interface Index */</b> and <b>"Error getting Interface index !\n"</b> code is there in all the files:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-QXs-Q9QPVrA/UV-2A4UMF8I/AAAAAAAAAP0/tLAPNwG2bz4/s1600/Screen+Shot+2013-04-06+at+11.13.12+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="204" src="http://1.bp.blogspot.com/-QXs-Q9QPVrA/UV-2A4UMF8I/AAAAAAAAAP0/tLAPNwG2bz4/s640/Screen+Shot+2013-04-06+at+11.13.12+AM.png" width="640" /></a></div>
Here is the next couple of lines in the screenshot:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-5ySkVnEUIqk/UV-2aAcV4QI/AAAAAAAAAP8/CmL5lQIVGhU/s1600/Screen+Shot+2013-04-06+at+11.14.21+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="112" src="http://3.bp.blogspot.com/-5ySkVnEUIqk/UV-2aAcV4QI/AAAAAAAAAP8/CmL5lQIVGhU/s640/Screen+Shot+2013-04-06+at+11.14.21+AM.png" width="640" /></a></div>
<br />
Most of the files listed above contain the "<b>Bind our raw socket to this interface */</b>" comment as well, followed by the sockaddr_ll structure fill:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-7ToVNumKlA8/UV-21UNXuqI/AAAAAAAAAQE/bNNZ5tVnncc/s1600/Screen+Shot+2013-04-06+at+11.15.50+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="168" src="http://2.bp.blogspot.com/-7ToVNumKlA8/UV-21UNXuqI/AAAAAAAAAQE/bNNZ5tVnncc/s640/Screen+Shot+2013-04-06+at+11.15.50+AM.png" width="640" /></a></div>
The next part of the screenshot is partially cut:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-YF6WaSVNF_o/UV-3QnZY6fI/AAAAAAAAAQM/7FO2-_oi2Qc/s1600/Screen+Shot+2013-04-06+at+11.18.09+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="76" src="http://1.bp.blogspot.com/-YF6WaSVNF_o/UV-3QnZY6fI/AAAAAAAAAQM/7FO2-_oi2Qc/s640/Screen+Shot+2013-04-06+at+11.18.09+AM.png" width="640" /></a></div>
<br />
So, I used the YouTube video to take a better shot:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-BWdTQRugjvs/UV-3hMlqwKI/AAAAAAAAAQU/4NO5QXaeiH0/s1600/Screen+Shot+2013-04-06+at+11.19.23+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="66" src="http://1.bp.blogspot.com/-BWdTQRugjvs/UV-3hMlqwKI/AAAAAAAAAQU/4NO5QXaeiH0/s640/Screen+Shot+2013-04-06+at+11.19.23+AM.png" width="640" /></a></div>
<br />
"<b>A simple write on the socket ..thats all it takes ! */</b>" is the partial comment, which many of you may agree is an unconventional comment :) It is there in almost all the code files as well:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-_BSTxkFMLdQ/UV-4F-ufqsI/AAAAAAAAAQc/0QXtsDZqz-o/s1600/Screen+Shot+2013-04-06+at+11.21.58+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="182" src="http://4.bp.blogspot.com/-_BSTxkFMLdQ/UV-4F-ufqsI/AAAAAAAAAQc/0QXtsDZqz-o/s640/Screen+Shot+2013-04-06+at+11.21.58+AM.png" width="640" /></a></div>
<br />
The last part of the screenshot is below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-hw78Snhbxok/UV-5F5HsWOI/AAAAAAAAAQk/jsv9oGb3738/s1600/Screen+Shot+2013-04-06+at+11.25.31+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="108" src="http://3.bp.blogspot.com/-hw78Snhbxok/UV-5F5HsWOI/AAAAAAAAAQk/jsv9oGb3738/s640/Screen+Shot+2013-04-06+at+11.25.31+AM.png" width="640" /></a></div>
<br />
<br />
Looks like this was from the <a href="http://code.securitytube.net/Generic-Packet-Injection-Program.c" target="_blank">Generic Packet Injection program</a>, if you look closely:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-uHaIhjkND-A/UV-5bQm6LgI/AAAAAAAAAQs/fzyNdMDJyxU/s1600/Screen+Shot+2013-04-06+at+11.27.35+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="258" src="http://4.bp.blogspot.com/-uHaIhjkND-A/UV-5bQm6LgI/AAAAAAAAAQs/fzyNdMDJyxU/s400/Screen+Shot+2013-04-06+at+11.27.35+AM.png" width="400" /></a></div>
<br />
The special effects guys seem to have removed most of the whitespace, so you see longer lines but it is clear to identify the code if you look close enough.<br />
<br />
<b>[Update Added Later] More Proof that the code is mine</b><br />
<br />
The original code was posted on 2 of my sites: security-freak.net and then later on securitytube.net. I eventually discontinued security-freak.net. A quick whois search will tell you both the sites belong to me.<br />
<br />
I used the <a href="http://web.archive.org/" target="_blank">WayBack Machine</a> as 3rd party validation. Here is the exact code link mined from my site on June 29th 2007 by the wayback machine's spiders:<br />
<br />
<a href="http://web.archive.org/web/20070629181430/http://www.security-freak.net/packet-injection/PacketInjection.c">http://web.archive.org/web/20070629181430/http://www.security-freak.net/packet-injection/PacketInjection.c</a><br />
<br />
The original Packet Injection basics page where this and the other code presented here are linked. The wayback machine has a copy dating back to July 9th 2007:<br />
<br />
<a href="http://web.archive.org/web/20070708223642/http://www.security-freak.net/packet-injection/packet-injection.html">http://web.archive.org/web/20070708223642/http://www.security-freak.net/packet-injection/packet-injection.html</a><br />
<br />
During the same time, I had even announced that I had made some free videos on Packet Sniffing, <b>Packet Injection</b> (<i><b>this is where all the code is from</b></i>) etc. and sent an <a href="http://www.securityfocus.com/archive/105/469249/30/0/threaded" target="_blank">email to the SecurityFocus.com</a> mailing list.<br />
<br />
Original email:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-cvPkH8CXjvo/UWFCoIRRygI/AAAAAAAAAQ8/5zL3GjCl1co/s1600/Screen+Shot+2013-04-07+at+3.24.05+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="278" src="http://4.bp.blogspot.com/-cvPkH8CXjvo/UWFCoIRRygI/AAAAAAAAAQ8/5zL3GjCl1co/s640/Screen+Shot+2013-04-07+at+3.24.05+PM.png" width="640" /></a></div>
<br />
<br />
A few google searches led me to open source projects and even Wiki pages who have used my code. Some cited the original site (security-freak.net) while others did not. <br />
<br />
<br />
<span style="color: red;"><b>How do I feel about this?</b></span> Great :) If not me, at least my code made it to a 3 second clip in a Hollywood Movie :) Also, the character in front of the computer seems quite excited (hands raised) as he is downloading / viewing / running my code :) What could make a developer more happy than to see his code inciting such thrill! :) <br />
<br />
<span style="color: red;"><b>Quirks: </b></span><br />
<br />
<ul style="text-align: left;">
<li>I hope the code would be compiled before use! :) </li>
<li>The source / destination MAC, IP, etc. are hardcoded in most of the scripts so hopefully the hacker in the movie changed them before using :)</li>
<li>The Generic Packet Injection program just sends "A"* 1024 times onto the wire. This was just to demonstrate it's possible to send arbitrary data on the wire with raw sockets, even total garbage :)</li>
</ul>
<br />
The only thing I felt a bit disappointed about was to see a couple of open source projects use snippets of my code without any form of acknowledgement.<br />
<br />
OK, finally here are all the Code Snippets if you want to play with them. They are pretty old so some of the #includes may have to be changed based on the platform you are using. Note that the original links on the Internet have been posted above, the Gists were created today to embed them here. <br />
<br />
<br />
<br />
<script src="https://gist.github.com/securitytube/5324911.js"></script>
<script src="https://gist.github.com/securitytube/5325109.js"></script>
<script src="https://gist.github.com/securitytube/5325118.js"></script>
<script src="https://gist.github.com/securitytube/5325122.js"></script>
<script src="https://gist.github.com/securitytube/5325126.js"></script>
</div>
Anonymous http://www.blogger.com/profile/15979331398238239887 noreply@blogger.com 19
tag:blogger.com,1999:blog-6216396197913419765.post-1560466465866134412013-04-05T05:30:00.000-07:002013-04-05T05:56:53.713-07:00
Demystifying the Execve Shellcode (Stack Method)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
We launched the <a href="http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/" target="_blank">SecurityTube Linux Assembly and Shellcoding Expert </a>course recently. The course introduces the student to the basics of Assembly Language, Shellcoding, Encoders, Crypters and Polymorphism. I've decided to take up some of the course material and write posts about them. Even if you are not a student of the course, you should be able to follow these posts. Hopefully, this will be a lot of fun for both of us! :)</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In this first post, I am going to take a look at probably the most popular shellcode - Execve! There are multiple ways to write shellcode but the most popular implementations use the Stack and the JMP-CALL-POP method. The subject of this post is creating Execve shellcode using the Stack method.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
If you have no clue what Shellcode is, then have a look at the explanation on <a href="http://en.wikipedia.org/wiki/Shellcode" target="_blank">Wikipedia</a>. I will assume that you understand the basics of IA-32 assembly language and at least know what Shellcode is.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
OK, let the games begin! </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Objective:</b> <span style="color: #990000;"><b>To create an Execve Shellcode which can launch /bin/sh</b></span></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The <b>Lab Setup</b> I am using is Ubuntu 12.04 32-bit Desktop Edition. Most of the steps would remain the same even if you use other flavors of Linux. </div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
<br />
Let's look at the whole process in a step-by-step way:</div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<span style="color: #cc0000;"><b>Step 1:</b></span> Find the system call number for Execve</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-svpHw_iLkTA/UV6ckQ9oZvI/AAAAAAAAAKg/amGMFwRa5iY/s1600/Screen+Shot+2013-04-05+at+3.12.00+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://1.bp.blogspot.com/-svpHw_iLkTA/UV6ckQ9oZvI/AAAAAAAAAKg/amGMFwRa5iY/s400/Screen+Shot+2013-04-05+at+3.12.00+PM.png" width="331" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
As you can see from the image above, Execve has system call number 11.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<span style="color: #cc0000;"><b>Step 2:</b></span> We need to call Execve in our shellcode, so we would need to know the arguments it takes as input. Man pages to our rescue!</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-gxjakP5hFtY/UV6eX-D3EKI/AAAAAAAAAKs/bAHoTIiYpr8/s1600/Screen+Shot+2013-04-05+at+3.19.59+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="218" src="http://4.bp.blogspot.com/-gxjakP5hFtY/UV6eX-D3EKI/AAAAAAAAAKs/bAHoTIiYpr8/s640/Screen+Shot+2013-04-05+at+3.19.59+PM.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The 3 arguments must contain the following:</div>
<div style="text-align: justify;">
<br /></div>
<ul style="text-align: left;">
<li><b><span style="color: #351c75;">filename</span></b> must point to a string containing the path of the binary we want to execute. In our case, this would be the string "/bin/sh". If you are not from the C world, "point" means the address of the string, and not the string itself. </li>
<li><span style="color: #20124d;"><b>argv[]</b></span> is the list of arguments to the program. Most programs take mandatory or optional arguments to run, e.g. in "telnet 192.168.1.10" the argument is "192.168.1.10". In our case, we only want to execute "/bin/sh" without any more arguments, so the argument list is just a NULL pointer (0x00000000 address). However, there is a twist :) by convention, the first argument is the filename we want executed. So, argv[] would really be ['/bin/sh', 0x00000000]</li>
<li><span style="color: #20124d;"><b>envp[] </b></span>is the list of any additional environment options you want to pass to the program in key:value format. This will be a NULL pointer / 0x00000000 for our purpose.</li>
</ul>
<br />
<span style="color: #cc0000;"><b> Step 3:</b></span> Let's map the CPU registers for the Execve call. The following registers will be used for the system call via INT 0x80:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-1pqyCKSssEs/UV6kXwC-YpI/AAAAAAAAALA/VjRBPuaaRPg/s1600/Screen+Shot+2013-04-05+at+3.45.15+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="http://3.bp.blogspot.com/-1pqyCKSssEs/UV6kXwC-YpI/AAAAAAAAALA/VjRBPuaaRPg/s400/Screen+Shot+2013-04-05+at+3.45.15+PM.png" width="400" /></a></div>
<br />
<br />
This would be the mapping then. EAX would contain 11, which is the system call number for Execve as found in Step 1.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-Nq9qJh1G8Yk/UV7J_7H77WI/AAAAAAAAAPc/0ZWZVl6ojgs/s1600/Screen+Shot+2013-04-05+at+6.25.30+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="340" src="http://2.bp.blogspot.com/-Nq9qJh1G8Yk/UV7J_7H77WI/AAAAAAAAAPc/0ZWZVl6ojgs/s640/Screen+Shot+2013-04-05+at+6.25.30+PM.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<span style="color: #cc0000;"><b> Step 4:</b></span> Let the coding begin! I am using the skeleton code below for our program.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-9VKEvURzu7w/UV6naJ2hDzI/AAAAAAAAALk/-CX5khl6m40/s1600/Screen+Shot+2013-04-05+at+3.58.25+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="188" src="http://4.bp.blogspot.com/-9VKEvURzu7w/UV6naJ2hDzI/AAAAAAAAALk/-CX5khl6m40/s320/Screen+Shot+2013-04-05+at+3.58.25+PM.png" width="320" /></a> </div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I've only defined the TEXT section and the entry point into this executable would be _start. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: #cc0000;"><b>Step 5:</b></span> We will now set up the Stack with all the arguments required for Execve as discussed in Step 3. Remind yourself that the stack on IA-32 grows from High Memory to Low Memory.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-dNEzuodd4yE/UV6pJzkNNKI/AAAAAAAAALs/js6vWUHVAUM/s1600/Screen+Shot+2013-04-05+at+4.05.54+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="150" src="http://4.bp.blogspot.com/-dNEzuodd4yE/UV6pJzkNNKI/AAAAAAAAALs/js6vWUHVAUM/s640/Screen+Shot+2013-04-05+at+4.05.54+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<span style="color: #cc0000;"><b>Step 6:</b></span> Let us set up the EBX register first. EBX needs to point to "/bin/sh" in memory, and the string has to be '\x00' terminated. Let us set up the NULL terminator first by pushing 0x00000000 onto the stack. We cannot simply write "PUSH 0x00000000", because shellcode cannot contain NULL bytes: 0x00 is the most common bad character. Hence we have to create 0x00000000 in one of the registers and PUSH that register onto the stack. We will use the XOR operation to zero out EAX and then PUSH EAX onto the stack:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-QnHX3iDxNHw/UV6urKWm6hI/AAAAAAAAAMA/-aSiZJQmGKQ/s1600/Screen+Shot+2013-04-05+at+4.29.34+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="330" src="http://1.bp.blogspot.com/-QnHX3iDxNHw/UV6urKWm6hI/AAAAAAAAAMA/-aSiZJQmGKQ/s400/Screen+Shot+2013-04-05+at+4.29.34+PM.png" width="400" /></a></div>
<br />
The stack should look like this right now:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-RVRx5lGQyGU/UV6u8SddpqI/AAAAAAAAAMI/aGY_VDTMJYY/s1600/Screen+Shot+2013-04-05+at+4.30.42+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="150" src="http://3.bp.blogspot.com/-RVRx5lGQyGU/UV6u8SddpqI/AAAAAAAAAMI/aGY_VDTMJYY/s640/Screen+Shot+2013-04-05+at+4.30.42+PM.png" width="640" /></a></div>
<br />
<div style="text-align: justify;">
We now need to PUSH "/bin/sh" on the Stack. As the Stack grows from High Memory to Low Memory in x86 we will need to push "/bin/sh" in reverse order :) Also, it would be easier to push data which is a multiple of 4 with the least number of instructions. This is desirable as the smaller the shellcode, the greater the number of scenarios where we can use it. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Now, "/bin/sh" is 7 bytes and we need to convert it to 8 bytes without messing up the filename. On Linux this is easy to do because "/bin/sh" invokes the same program as "//bin/sh". Multiple "/" in succession do not cause any problems, as you can see below:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-FjT662DszVk/UV6wYh0ePyI/AAAAAAAAAMU/meiUZmo1Ifs/s1600/Screen+Shot+2013-04-05+at+4.36.28+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="188" src="http://2.bp.blogspot.com/-FjT662DszVk/UV6wYh0ePyI/AAAAAAAAAMU/meiUZmo1Ifs/s640/Screen+Shot+2013-04-05+at+4.36.28+PM.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Awesome! Now we need to PUSH "//bin/sh" (8 bytes) in reverse on the Stack, i.e. "hs/nib//". Here is a quick way in Python to generate the value in hex:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-GwbG5i6jVHg/UV6xR_OZH_I/AAAAAAAAAMg/np-NLIw6OlE/s1600/Screen+Shot+2013-04-05+at+4.40.38+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="100" src="http://3.bp.blogspot.com/-GwbG5i6jVHg/UV6xR_OZH_I/AAAAAAAAAMg/np-NLIw6OlE/s400/Screen+Shot+2013-04-05+at+4.40.38+PM.png" width="400" /></a></div>
<div style="text-align: justify;">
<br />
Don't we all just LOVE Python :) Let's add the PUSH in the code now with the hex values above.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-jsAOW5_QmOA/UV6x6JJHhUI/AAAAAAAAAMo/y73m072jOLQ/s1600/Screen+Shot+2013-04-05+at+4.43.20+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="251" src="http://4.bp.blogspot.com/-jsAOW5_QmOA/UV6x6JJHhUI/AAAAAAAAAMo/y73m072jOLQ/s400/Screen+Shot+2013-04-05+at+4.43.20+PM.png" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
After the 2 PUSH instructions, this is how the Stack should look:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-9DdK2TO6eZw/UV6ys0g2A1I/AAAAAAAAAM8/R7HA2Db7KgA/s1600/Screen+Shot+2013-04-05+at+4.46.37+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="140" src="http://2.bp.blogspot.com/-9DdK2TO6eZw/UV6ys0g2A1I/AAAAAAAAAM8/R7HA2Db7KgA/s640/Screen+Shot+2013-04-05+at+4.46.37+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Awesome! Now let us make EBX point to the top of the Stack! This really means EBX now contains the address of "//bin/sh" in memory. This can be easily done by copying ESP into EBX.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-ZrW6sAfzJa4/UV6znW4OkFI/AAAAAAAAANM/PZ0ZjZrjQrs/s1600/Screen+Shot+2013-04-05+at+4.50.33+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="252" src="http://2.bp.blogspot.com/-ZrW6sAfzJa4/UV6znW4OkFI/AAAAAAAAANM/PZ0ZjZrjQrs/s400/Screen+Shot+2013-04-05+at+4.50.33+PM.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<span style="color: #cc0000;"><b>Step 7:</b></span> Let us now set up EDX, which, if you remember, should point to a NULL pointer. This can be easily achieved by a PUSH EAX (remember EAX contains 0x00000000) and copying ESP into EDX.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-q-U4mlWRn1c/UV61aeZk-fI/AAAAAAAAANY/MIxVoQES0t0/s1600/Screen+Shot+2013-04-05+at+4.58.09+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="283" src="http://2.bp.blogspot.com/-q-U4mlWRn1c/UV61aeZk-fI/AAAAAAAAANY/MIxVoQES0t0/s400/Screen+Shot+2013-04-05+at+4.58.09+PM.png" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The Stack looks like this right now:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-ak9ZbUwiYQs/UV61-cjlFJI/AAAAAAAAANk/ORMsQyEQkoI/s1600/Screen+Shot+2013-04-05+at+5.00.38+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="232" src="http://1.bp.blogspot.com/-ak9ZbUwiYQs/UV61-cjlFJI/AAAAAAAAANk/ORMsQyEQkoI/s640/Screen+Shot+2013-04-05+at+5.00.38+PM.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<span style="color: #cc0000;"><b>Step 8:</b></span> The last piece of the puzzle, ECX, still remains! ECX needs to contain the address of [Address of //bin/sh in memory, 0x00000000] as discussed previously. Currently EBX contains the address of "//bin/sh" in memory, so let's PUSH EBX on the Stack.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-iVz_n5oQvgg/UV65QVIVMDI/AAAAAAAAAN0/wSQK84nBaQs/s1600/Screen+Shot+2013-04-05+at+5.14.03+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="236" src="http://1.bp.blogspot.com/-iVz_n5oQvgg/UV65QVIVMDI/AAAAAAAAAN0/wSQK84nBaQs/s640/Screen+Shot+2013-04-05+at+5.14.03+PM.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
If you notice, the top of the Stack now points to [Address of //bin/sh in memory, 0x00000000]. This is exactly what we wanted! So let's write out the code to copy ESP into ECX.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-knp_bwtYz2g/UV656fQ6xhI/AAAAAAAAAN8/TFymOT-LQ_M/s1600/Screen+Shot+2013-04-05+at+5.17.25+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="242" src="http://1.bp.blogspot.com/-knp_bwtYz2g/UV656fQ6xhI/AAAAAAAAAN8/TFymOT-LQ_M/s400/Screen+Shot+2013-04-05+at+5.17.25+PM.png" width="400" /></a></div>
<div style="text-align: justify;">
<span style="color: #cc0000;"><b><br /></b></span></div>
<div style="text-align: justify;">
<span style="color: #cc0000;"><b>Step 9:</b></span> All the arguments for Execve are now setup on the Stack and EBX, ECX and EDX are pointing to them. The Stack looks like this right now:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-U20Y9h9ghus/UV66UU0u5lI/AAAAAAAAAOE/SLiPhfHgbbM/s1600/Screen+Shot+2013-04-05+at+5.19.18+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="234" src="http://4.bp.blogspot.com/-U20Y9h9ghus/UV66UU0u5lI/AAAAAAAAAOE/SLiPhfHgbbM/s640/Screen+Shot+2013-04-05+at+5.19.18+PM.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
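<div style="text-align: justify;">
Here is an added Python example, not the post's own code or the gist linked below, that does what Steps 6 to 9 do by hand: it turns a path into the 32-bit PUSH immediates (the padded "//bin/sh", reversed, gives 0x68732f6e and 0x69622f2f), then replays the pushes and the ESP copies on a tiny little-endian model of the stack and reads the frame back to confirm that EBX points at a NULL-terminated "//bin/sh", ECX at [EBX, NULL] and EDX at NULL, and that none of the immediates contains a NULL byte. The stack address 0xbffff000 is a constructed value with no significance.</div>
<div style="text-align: justify;">
<br /></div>

```python
import struct

# Added example (not the post's own code): model the stack setup of Steps 6-9.

def path_to_push_words(path):
    """Pad 'path' with extra leading '/' up to a multiple of 4 bytes (the kernel
    treats "//bin/sh" like "/bin/sh") and return the 32-bit immediates in the
    order they must be PUSHed: last 4-byte chunk first, since the stack grows
    towards lower addresses and the string must read forwards from ESP."""
    padded = "/" * (-len(path) % 4) + path
    chunks = [padded[i:i + 4].encode() for i in range(0, len(padded), 4)]
    return [struct.unpack("<I", chunk)[0] for chunk in reversed(chunks)]


def has_null_byte(word):
    """True if the little-endian encoding of 'word' contains 0x00 (a bad char)."""
    return b"\x00" in struct.pack("<I", word)


class Stack:
    """Tiny little-endian model of an IA-32 stack: 'size' bytes below 'top'.
    The address 0xbffff000 is a constructed value, not a real one."""

    def __init__(self, top=0xbffff000, size=64):
        self.low = top - size
        self.mem = bytearray(size)
        self.esp = top

    def push(self, value):            # PUSH r32 / PUSH imm32
        self.esp -= 4
        off = self.esp - self.low
        self.mem[off:off + 4] = struct.pack("<I", value)

    def dword(self, addr):            # read a 32-bit value at addr
        off = addr - self.low
        return struct.unpack("<I", self.mem[off:off + 4])[0]

    def cstring(self, addr):          # read a NULL-terminated string at addr
        off = addr - self.low
        return self.mem[off:self.mem.index(0, off)].decode()


def build_execve_frame(path="/bin/sh"):
    """Replay the instruction sequence of Steps 6-9 and return the registers."""
    st = Stack()
    eax = 0                            # xor eax, eax
    st.push(eax)                       # push eax        ; string terminator
    words = path_to_push_words(path)
    for word in words:
        st.push(word)                  # push 0x68732f6e ; push 0x69622f2f
    ebx = st.esp                       # mov ebx, esp    ; filename
    st.push(eax)                       # push eax        ; NULL
    edx = st.esp                       # mov edx, esp    ; envp
    st.push(ebx)                       # push ebx
    ecx = st.esp                       # mov ecx, esp    ; argv
    return {"stack": st, "ebx": ebx, "ecx": ecx, "edx": edx, "words": words}


def check_frame(frame):
    """Verify the frame satisfies execve's contract for filename, argv and envp."""
    st = frame["stack"]
    return {
        "filename": st.cstring(frame["ebx"]),
        "argv0_is_filename": st.dword(frame["ecx"]) == frame["ebx"],
        "argv1_is_null": st.dword(frame["ecx"] + 4) == 0,
        "envp_is_null": st.dword(frame["edx"]) == 0,
        "no_null_bytes": not any(has_null_byte(w) for w in frame["words"]),
    }


if __name__ == "__main__":
    for path in ("/bin/sh", "/bin/bash"):
        frame = build_execve_frame(path)
        print(path, [hex(w) for w in frame["words"]], check_frame(frame))
```

<div style="text-align: justify;">
Running it with "/bin/bash" shows the general case: the path is padded to "////bin/bash", pushed as three dwords, and the single NULL shared by argv[1] and envp still falls into place because of the push order. The has_null_byte check is the same reason Step 6 zeroes EAX with XOR instead of pushing the immediate.</div>
<div style="text-align: justify;">
<br /></div>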
<div style="text-align: justify;">
<span style="color: #cc0000;"><b>Step 10:</b></span> Let us now call Execve! We set EAX to 11 and invoke Interrupt 0x80.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-pYkklu-T4vA/UV66z03lc5I/AAAAAAAAAOM/UCzJd-NTlPU/s1600/Screen+Shot+2013-04-05+at+5.21.25+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="108" src="http://2.bp.blogspot.com/-pYkklu-T4vA/UV66z03lc5I/AAAAAAAAAOM/UCzJd-NTlPU/s640/Screen+Shot+2013-04-05+at+5.21.25+PM.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The code for Execve-Stack.nasm is available below for copying:</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br />
<script src="https://gist.github.com/securitytube/5318765.js"></script>
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Now let us assemble, link and test the code:</div>
<div style="text-align: justify;">
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-s9-scxGXHJY/UV69E709_NI/AAAAAAAAAOc/O-uAntuGk08/s1600/Screen+Shot+2013-04-05+at+5.30.40+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="248" src="http://1.bp.blogspot.com/-s9-scxGXHJY/UV69E709_NI/AAAAAAAAAOc/O-uAntuGk08/s640/Screen+Shot+2013-04-05+at+5.30.40+PM.png" width="640" /></a></div>
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Let us look at the binary using Objdump (we could also use the .o file). The highlighted hex values are the actual IA-32 opcodes.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-AqcZWxjCi3g/UV69_31VoRI/AAAAAAAAAOs/5vN932PXXpA/s1600/Screen+Shot+2013-04-05+at+5.34.49+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="290" src="http://2.bp.blogspot.com/-AqcZWxjCi3g/UV69_31VoRI/AAAAAAAAAOs/5vN932PXXpA/s400/Screen+Shot+2013-04-05+at+5.34.49+PM.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
We need to extract all the opcodes to create our shellcode. As cumbersome as this looks, I am happy to report there is a <a href="http://www.commandlinefu.com/commands/view/6051/get-all-shellcode-on-binary-file-from-objdump" target="_blank">shortcut available</a>: <br />
<br /></div>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-nbnK_troVwA/UV6-9y6_wEI/AAAAAAAAAO4/kRHKgRjWEFE/s1600/Screen+Shot+2013-04-05+at+5.38.21+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="82" src="http://3.bp.blogspot.com/-nbnK_troVwA/UV6-9y6_wEI/AAAAAAAAAO4/kRHKgRjWEFE/s640/Screen+Shot+2013-04-05+at+5.38.21+PM.png" width="640" /></a></div>
<br /></div>
<div style="text-align: justify;">
Here is the final extracted Shellcode - pretty much looks like ... any other piece of Shellcode :)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-Q-N62KQDr3U/UV6_TUnY4ZI/AAAAAAAAAPA/IqvKrSzXjDU/s1600/Screen+Shot+2013-04-05+at+5.40.35+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="16" src="http://3.bp.blogspot.com/-Q-N62KQDr3U/UV6_TUnY4ZI/AAAAAAAAAPA/IqvKrSzXjDU/s640/Screen+Shot+2013-04-05+at+5.40.35+PM.png" width="640" /></a></div>
<br /></div>
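<div style="text-align: justify;">
As an added example, not from the post: a small Python parser for the byte column of objdump -d output which does what the commandlinefu one-liner above does, and in addition reports the offsets of any NULL bytes, the bad character discussed in Step 6. The listing below is constructed to mirror the instructions from Steps 6 to 10 in the AT&amp;T syntax objdump prints by default; the addresses are illustrative, and the second, shorter listing shows what happens when the syscall number is loaded into the full EAX register instead of AL.</div>
<div style="text-align: justify;">
<br /></div>

```python
import re

# Added example (not the post's own code): parse the byte column of objdump -d.

OBJDUMP_LINE = re.compile(r"^\s*[0-9a-f]+:\s+((?:[0-9a-f]{2}(?:\s+|$))+)(.*)$")


def extract_opcodes(listing):
    """Collect the opcode bytes from 'objdump -d' output. File headers, section
    headers and symbol lines do not match the pattern; continuation lines that
    carry bytes but no mnemonic do, so long instructions are not truncated."""
    code = bytearray()
    for line in listing.splitlines():
        m = OBJDUMP_LINE.match(line)
        if m:
            code += bytes.fromhex("".join(m.group(1).split()))
    return bytes(code)


def to_c_string(code):
    """Format the bytes as the \\x.. literal that shellcode.c expects."""
    return "".join("\\x%02x" % b for b in code)


def null_offsets(code):
    """Offsets of 0x00 bytes, which must not appear in string-copied shellcode."""
    return [i for i, b in enumerate(code) if b == 0]


# Constructed listing mirroring the instructions of Steps 6-10 (AT&T syntax,
# as objdump prints by default); the addresses are illustrative.
LISTING = """\
Execve-Stack:     file format elf32-i386

Disassembly of section .text:

08048060 <_start>:
 8048060:\t31 c0                \txor    %eax,%eax
 8048062:\t50                   \tpush   %eax
 8048063:\t68 6e 2f 73 68       \tpush   $0x68732f6e
 8048068:\t68 2f 2f 62 69       \tpush   $0x69622f2f
 804806d:\t89 e3                \tmov    %esp,%ebx
 804806f:\t50                   \tpush   %eax
 8048070:\t89 e2                \tmov    %esp,%edx
 8048072:\t53                   \tpush   %ebx
 8048073:\t89 e1                \tmov    %esp,%ecx
 8048075:\tb0 0b                \tmov    $0xb,%al
 8048077:\tcd 80                \tint    $0x80
"""

# Constructed: the same syscall number loaded with "mov eax, 11" instead of
# "mov al, 11", which embeds three NULL bytes in the encoding.
NULL_LISTING = (
    " 8048075:\tb8 0b 00 00 00       \tmov    $0xb,%eax\n"
    " 804807a:\tcd 80                \tint    $0x80\n"
)

if __name__ == "__main__":
    for name, text in (("Execve-Stack", LISTING), ("mov eax variant", NULL_LISTING)):
        code = extract_opcodes(text)
        print(name, len(code), "bytes:", to_c_string(code))
        print("  NULL bytes at offsets:", null_offsets(code))
```

<div style="text-align: justify;">
Feed it the real output of objdump -d on your own binary to get the string for shellcode.c; an empty list from null_offsets is the check to run before moving on to Step 11.</div>
<div style="text-align: justify;">
<br /></div>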
<div style="text-align: justify;">
<span style="color: #cc0000;"><b>Step 11</b></span>: I am going to use the following C program to test the shellcode, to ensure we have not mistakenly used any hardcoded address or anything else that would prevent this shellcode from running inside another process.<br />
<br />
<script src="https://gist.github.com/securitytube/5318838.js"></script>
Let us now compile shellcode.c and run it to test!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-z-p5qPz_AHg/UV7Alk8BxQI/AAAAAAAAAPM/dVlneqn465U/s1600/Screen+Shot+2013-04-05+at+5.45.53+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="204" src="http://2.bp.blogspot.com/-z-p5qPz_AHg/UV7Alk8BxQI/AAAAAAAAAPM/dVlneqn465U/s640/Screen+Shot+2013-04-05+at+5.45.53+PM.png" width="640" /></a></div>
<br />
Fantastic! So our Execve Shellcode is working great! In the next post we will look at automating Shellcode generation for Execve with N arguments using Python. Stay tuned!<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://securitytube-training.com/wp-content/uploads/SLAE_logo2.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="160" src="http://securitytube-training.com/wp-content/uploads/SLAE_logo2.jpg" width="320" /></a></div>
If you've never done Assembly Language / Shellcoding etc. before then please check out my <a href="http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/" target="_blank">SecurityTube Linux Assembly and Shellcoding</a> course which aims to teach the basics of assembly language on the Linux platform from a security perspective and its application to writing shellcode, encoders, decoders and crypters, among other things. The course material is over 9 hours of HD videos! <br />
<br /></div>
</div>
Anonymoushttp://www.blogger.com/profile/15979331398238239887noreply@blogger.com10tag:blogger.com,1999:blog-6216396197913419765.post-87084415284610288712013-04-04T08:11:00.002-07:002013-04-10T03:59:14.368-07:00Simulating an SSH Worm using Python<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
The topic of SSH Worms came up when I was speaking with a couple of students attending my workshop at Blackhat Europe in Amsterdam last month. One of the students was curious about the <a href="http://www.tuaw.com/2009/11/23/protect-yourself-from-ssh-based-iphone-worms/" target="_blank">iPhone SSH Worm</a> which has been around since 2009 and the technical complexity of writing a worm for academic and research purposes. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
After explaining to him how the worm worked I realized that many think "network worms" are really complex digital beasts and only the super elite blackhats can write them. In reality, nothing could be further from the truth. The only complex part in most worms is the exploits they use for breaking in (which in most cases might be ripped from sites like exploitdb). The network propagation and replication aspects are quite simple.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I decided to create a "simple worm" demo in Python for demonstration purposes. Why Python? HLLs like Python are easy to understand even by non-programmers as they are very readable by design. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The SSH worm in question was really using the default password "alpine" on jailbroken phones to break in and propagate. We will take a short detour and instead bruteforce the SSH password using a word list.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
So, if I were to break up our "demo worm" functionality-wise, it would do the following:</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
1. Scan a new IP address and if SSH is running try and bruteforce the login / password </div>
<div style="text-align: justify;">
2. If the worm succeeds, then upload a copy of itself to the host</div>
<div style="text-align: justify;">
3. Run the copy, so it can now scan and do (1)-(3) </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Important</b>: <i>I am not going to give out the whole source code, rather will look at components separately. This is to prevent script kiddies from using the code as is. The video at the end of this post shows a full demo on my lab setup with a couple of victim machines. </i></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The above steps (1)-(3) can be broken down into just 2 functions:</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
1. <b>SSHDictionaryAttack</b>()</div>
<div style="text-align: justify;">
2. <b>UploadAndExecute</b>()</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Now, SSH is a complicated protocol and writing the low level transport encryption code ourselves would be a pain :) This is where Python is going to help us. We will be using <a href="http://www.lag.net/paramiko/" target="_blank">Paramiko as our SSH Library.</a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Below is the code for a Dictionary based attack on SSH:</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<script src="https://gist.github.com/securitytube/5308280.js"></script>
</div>
<div style="text-align: justify;">
The sample username:password file would be in the following format:</div>
<div style="text-align: justify;">
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-Ti-2QOwo2GY/UV0egIgRfJI/AAAAAAAAAJI/wy-dk1IB1jc/s1600/Screen+Shot+2013-04-04+at+12.02.03+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="108" src="http://4.bp.blogspot.com/-Ti-2QOwo2GY/UV0egIgRfJI/AAAAAAAAAJI/wy-dk1IB1jc/s320/Screen+Shot+2013-04-04+at+12.02.03+PM.png" width="320" /></a></div>
<br /></div>
<div style="text-align: justify;">
A sample run of the script against a vulnerable SSH installation:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-OKte-EcJpek/UV0e3wxIG2I/AAAAAAAAAJQ/jCQSlsXuCxI/s1600/Screen+Shot+2013-04-04+at+12.03.44+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="222" src="http://4.bp.blogspot.com/-OKte-EcJpek/UV0e3wxIG2I/AAAAAAAAAJQ/jCQSlsXuCxI/s640/Screen+Shot+2013-04-04+at+12.03.44+PM.png" width="640" /></a></div>
<br /></div>
<div style="text-align: justify;">
Awesome! Now let's look at how we would go about implementing <b>UploadAndExecute</b>() once we have a valid SSH username:password.<br />
<br />
<br />
<script src="https://gist.github.com/securitytube/5308423.js"></script>
Let's do a quick run of the <b>UploadAndExecute</b>() code:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-hiyyY_c_WoE/UV0mfzO3nMI/AAAAAAAAAJg/IG6TAgXlG5g/s1600/Screen+Shot+2013-04-04+at+12.36.04+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="520" src="http://2.bp.blogspot.com/-hiyyY_c_WoE/UV0mfzO3nMI/AAAAAAAAAJg/IG6TAgXlG5g/s640/Screen+Shot+2013-04-04+at+12.36.04+PM.png" width="640" /></a></div>
<br />
Awesome! We can see that Payload.py was uploaded and executed. This ends up creating the directory hacked.<br />
<br />
Now, one of the issues with Python and using 3rd party libraries like Paramiko is that if the worm were to run in its "Python" form, then the victims would need to have Python + Paramiko installed. This is not a very practical expectation. So what do we do? <a href="http://www.pyinstaller.org/" target="_blank">PyInstaller</a> to the rescue!<br />
<br />
According to their website: <b>PyInstaller</b> is a program that converts (packages) Python programs into stand-alone executables, under Windows, Linux, Mac OS X, Solaris and AIX. Its main advantages over similar tools are that PyInstaller works with any version of Python since 2.3, it builds smaller executables thanks to transparent compression, it is fully multi-platform, and use the OS support to load the dynamic libraries, thus ensuring full compatibility.<br />
<br />
This is exactly what we need! Let's convert both the above scripts to stand-alone executables using PyInstaller as below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-4ZXhS1SntwM/UV0n6LatFAI/AAAAAAAAAJs/YiQv50bqVc0/s1600/Screen+Shot+2013-04-04+at+12.41.57+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="308" src="http://3.bp.blogspot.com/-4ZXhS1SntwM/UV0n6LatFAI/AAAAAAAAAJs/YiQv50bqVc0/s640/Screen+Shot+2013-04-04+at+12.41.57+PM.png" width="640" /></a></div>
<br />
Fantastic! Remember to use the "--onefile" option! Now let me bring together the above components into one script and call it SSH-Worm-Demo.py! Sorry I cannot share the source code for fear of abuse, but if you've understood the above code samples, I am sure you understand how the code works. Basically SSH-Worm-Demo.py does the following:<br />
<br />
<ul>
<li>Figures out the subnet IP addresses and scans for SSH services</li>
<li>Launches the Dictionary Attack on an SSH Service</li>
<li>Uploads and Executes a copy on the victim if it manages to break in</li>
<li>All files are created in the /tmp/ folder by the worm</li>
<li>It calls "wall" with the word "hacked" so that it can be displayed on the terminal</li>
<li>I've used Pyinstaller to convert SSH-Worm-Demo.py into a single executable file ssh-worm </li>
</ul>
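<div style="text-align: justify;">
Turning to the defender's side of the same behaviour, here is an added Python example (not part of the post and not the worm's code) that detects the two phases listed above in OpenSSH auth.log lines: a burst of "Failed password" entries from one source address (the dictionary attack), followed by an "Accepted password" from the same address (the login the worm then uses to upload and execute its copy). The log lines are constructed; the host name, PIDs, ports and addresses are made up, and the threshold of five failures in sixty seconds is an assumed starting value.</div>
<div style="text-align: justify;">
<br /></div>

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Added example (not the post's code): spot a dictionary attack followed by a
# successful login in OpenSSH auth.log lines.

SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_line(line):
    """Return (timestamp, result, user, ip) for a password auth line, else None."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # syslog lines carry no year
    return ts, m["result"], m["user"], m["ip"]


def detect_dictionary_attacks(lines, threshold=5, window_seconds=60):
    """Sliding window per source IP. Emits (ip, kind, user) alerts:
    'dictionary-attack' once failures reach the threshold inside the window,
    'success-after-failures' when such a source then gets an accepted login."""
    failures = defaultdict(deque)      # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                   # disconnects, key auth, etc. are ignored
        ts, result, user, ip = parsed
        recent = failures[ip]
        while recent and (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if result == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "dictionary-attack", None))
        elif ip in flagged or len(recent) >= threshold:
            alerts.append((ip, "success-after-failures", user))
    return alerts


# Constructed sample: one source hammers root, then gets in; another host's
# user logs in normally and mistypes a password once.
SAMPLE_LOG = [
    "Apr  4 12:03:01 victim-2 sshd[2201]: Failed password for root from 192.168.1.10 port 51234 ssh2",
    "Apr  4 12:03:02 victim-2 sshd[2203]: Failed password for invalid user admin from 192.168.1.10 port 51236 ssh2",
    "Apr  4 12:03:03 victim-2 sshd[2205]: Failed password for root from 192.168.1.10 port 51238 ssh2",
    "Apr  4 12:03:04 victim-2 sshd[2207]: Failed password for root from 192.168.1.10 port 51240 ssh2",
    "Apr  4 12:03:05 victim-2 sshd[2209]: Failed password for root from 192.168.1.10 port 51242 ssh2",
    "Apr  4 12:03:06 victim-2 sshd[2209]: Connection closed by 192.168.1.10 [preauth]",
    "Apr  4 12:03:07 victim-2 sshd[2211]: Accepted password for root from 192.168.1.10 port 51244 ssh2",
    "Apr  4 12:10:00 victim-2 sshd[2301]: Accepted password for alice from 192.168.1.50 port 40022 ssh2",
    "Apr  4 12:11:00 victim-2 sshd[2305]: Failed password for alice from 192.168.1.50 port 40023 ssh2",
]

if __name__ == "__main__":
    for alert in detect_dictionary_attacks(SAMPLE_LOG):
        print(alert)
```

<div style="text-align: justify;">
The alert list is what you would hand to a SIEM or to a tool such as fail2ban; since the demo worm drops everything into /tmp, a fresh executable appearing there right after a "success-after-failures" alert is the corroborating artefact to look for on the host.</div>
<div style="text-align: justify;">
<br /></div>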
<br />
I've set up 4 Ubuntu 12.04 Server machines as victims. Before I run the worm, this is how /tmp looks on each of them:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-4U60FkdTaX0/UV2UYXW4O9I/AAAAAAAAAKA/RemvEKlWys0/s1600/Screen+Shot+2013-04-04+at+6.42.07+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="464" src="http://3.bp.blogspot.com/-4U60FkdTaX0/UV2UYXW4O9I/AAAAAAAAAKA/RemvEKlWys0/s640/Screen+Shot+2013-04-04+at+6.42.07+PM.png" width="640" /></a></div>
<br />
I run the worm from Victim-1 and very soon you see the "Hacked" messages appear on all terminals:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-SnR9IL0K5wg/UV2UklGV28I/AAAAAAAAAKI/foPJTHlikmc/s1600/Screen+Shot+2013-04-04+at+6.43.48+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="470" src="http://1.bp.blogspot.com/-SnR9IL0K5wg/UV2UklGV28I/AAAAAAAAAKI/foPJTHlikmc/s640/Screen+Shot+2013-04-04+at+6.43.48+PM.png" width="640" /></a></div>
<br />
As this is a simple demo code, I am not checking if the worm has already infected the machine and hence we are having duplicate infections :) Below is a screenshot of the /tmp as the infection spreads:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-ZF-xhsc6vag/UV2U4lsM2rI/AAAAAAAAAKQ/UldPmCC5Z_8/s1600/Screen+Shot+2013-04-04+at+6.44.27+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="402" src="http://3.bp.blogspot.com/-ZF-xhsc6vag/UV2U4lsM2rI/AAAAAAAAAKQ/UldPmCC5Z_8/s640/Screen+Shot+2013-04-04+at+6.44.27+PM.png" width="640" /></a></div>
<br />
As you can see, every new infection creates a new executable file (the green ones with random names) and *.wall file.<br />
<br />
Below is a short video demo of the same:<br />
<br />
<br />
<br />
<div align="center">
<object height="360" width="480"><param name="movie" value="http://www.youtube.com/v/irsKyEHyUTY?version=3&hl=en_US&rel=0"></param>
<param name="allowFullScreen" value="true"></param>
<param name="allowscriptaccess" value="always"></param>
<embed src="http://www.youtube.com/v/irsKyEHyUTY?version=3&hl=en_US&rel=0" type="application/x-shockwave-flash" width="480" height="360" allowscriptaccess="always" allowfullscreen="true"></embed></object>
</div>
<br />
<br />
Awesome! Worm behavior simulated with Python!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://securitytube-training.com/wp-content/uploads/2012/03/Screen-Shot-2012-03-29-at-12.16.57-PM.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="153" src="http://securitytube-training.com/wp-content/uploads/2012/03/Screen-Shot-2012-03-29-at-12.16.57-PM.png" width="320" /></a></div>
If you are interested in learning how to use Python for Pentesting then please have a look at our <a href="http://securitytube-training.com/online-courses/securitytube-python-scripting-expert/" target="_blank"><b>SecurityTube Python Scripting Expert </b></a>course.
This course is ideal for penetration testers, security enthusiasts and
network administrators who want to learn to automate tasks or go beyond
just using ready made tools. We will be covering topics in system
security, network security, attacking web applications and services,
exploitation techniques, malware and binary analysis and task
automation. We have students from 73+ countries taking this course
already!<br />
<br />
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
</div>
Anonymoushttp://www.blogger.com/profile/15979331398238239887noreply@blogger.com1tag:blogger.com,1999:blog-6216396197913419765.post-6078756534925679262013-04-03T10:00:00.001-07:002013-04-04T02:27:18.355-07:00Bypassing Jailbroken Checks in iOS Applications using GDB and Cycript<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
I've been teaching <a href="http://securitytube-training.com/online-courses/securitytube-ios-security-expert/" target="_blank">iOS Application Security and Auditing to pentesters</a> and developers (secure programming guidelines), online and in the real world, and one of the questions which always comes up is: can Anti-Piracy measures work if implemented in the application? Pentesters want to know if they could run into problems with applications implementing runtime protections. Developers, on the other hand, want to know if they can sleep well if they implement such protections.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The short answer is NO, if your code runs on a platform controlled by the attacker, and if he is skilled enough, he would eventually figure out how to subvert your protection. This is especially true for a Jailbroken device where the attacker can pretty much run anything. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I can already see pentesters smiling :) If you know how to do runtime analysis with Cycript and GDB, you should be able to subvert most such protections. However, as this is significantly different from web and network pentests and involves reverse engineering an application on the ARM platform, it can get interesting and challenging! </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
This blog post is the first in a series in which I plan to cover the common techniques developers use today to check for a jailbroken device, and how an attacker can subvert them.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
To try things out we need a sample application! :) I've created a simple AntiPiracyDemo application for iOS, which I use in my online iOS course. <a href="http://code.securitytube.net.s3.amazonaws.com/AntiPiracyDemo.ipa" target="_blank">You can download the IPA here</a>. Please note that this is a self-signed application and requires a jailbroken device (iPhone / iPad) to run.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
You can install the application using installipa as shown below:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="http://3.bp.blogspot.com/-pq7i2u2slwI/UVxIexNyjEI/AAAAAAAAAFI/GnWg-okGYIg/s1600/Screen+Shot+2013-04-03+at+8.48.53+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="116" src="http://3.bp.blogspot.com/-pq7i2u2slwI/UVxIexNyjEI/AAAAAAAAAFI/GnWg-okGYIg/s400/Screen+Shot+2013-04-03+at+8.48.53+PM.png" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="http://3.bp.blogspot.com/-BDNiQ-dzKFQ/UVxImUdLaQI/AAAAAAAAAFQ/tXZopmgaSYI/s1600/photo+(1).PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="200" src="http://3.bp.blogspot.com/-BDNiQ-dzKFQ/UVxImUdLaQI/AAAAAAAAAFQ/tXZopmgaSYI/s200/photo+(1).PNG" width="133" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The application has been tested on iOS 5.1.1 and 6.1.2. Once you run the application, you are confronted with a simple screen to check for the jailbroken state:</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="http://4.bp.blogspot.com/-_KTqyQXwofU/UVxIsnAl4CI/AAAAAAAAAFY/nLu9uC8vr24/s1600/photo.PNG" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="200" src="http://4.bp.blogspot.com/-_KTqyQXwofU/UVxIsnAl4CI/AAAAAAAAAFY/nLu9uC8vr24/s200/photo.PNG" width="133" /></a></div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Clicking on the button confirms that this application is running on a jailbroken phone. The developer of a real-world application could at this point exit, or send a report back to his server (a privacy violation? :) ) to notify him.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Objective:</b> <span style="color: red;"><b>To bypass the isJailbroken check implemented by the iOS application</b></span></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b> Step 1:</b> Find the application's PID and the directory it is installed in. This is easy to do using "ps" along with a "grep" for the application name:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="http://1.bp.blogspot.com/-7xLUaOk0P70/UVxKbmSE03I/AAAAAAAAAFk/VX7qxlsfw98/s1600/Screen+Shot+2013-04-03+at+8.57.15+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="56" src="http://1.bp.blogspot.com/-7xLUaOk0P70/UVxKbmSE03I/AAAAAAAAAFk/VX7qxlsfw98/s640/Screen+Shot+2013-04-03+at+8.57.15+PM.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Step 2:</b> Go to the application directory and locate the actual application binary:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="http://1.bp.blogspot.com/-DdLQFoWlzK4/UVxKxDorGNI/AAAAAAAAAFw/1CK9-cZ0BWA/s1600/Screen+Shot+2013-04-03+at+8.58.43+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="106" src="http://1.bp.blogspot.com/-DdLQFoWlzK4/UVxKxDorGNI/AAAAAAAAAFw/1CK9-cZ0BWA/s640/Screen+Shot+2013-04-03+at+8.58.43+PM.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Step 3:</b> Native iOS applications are written in Objective-C, whose message dispatch is resolved at runtime. This requires the class and method metadata (class names, selectors, type encodings) to be available at runtime, so it is embedded in the binary. We can extract this class information using a tool called <a href="https://code.google.com/p/networkpx/wiki/class_dump_z" target="_blank">class-dump-z</a>, as shown below:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="http://1.bp.blogspot.com/-O8lL42xsB1w/UVxLXXXuqnI/AAAAAAAAAF4/87bjYwJTVTw/s1600/Screen+Shot+2013-04-03+at+9.01.26+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="138" src="http://1.bp.blogspot.com/-O8lL42xsB1w/UVxLXXXuqnI/AAAAAAAAAF4/87bjYwJTVTw/s640/Screen+Shot+2013-04-03+at+9.01.26+PM.png" width="640" /></a></div>
<div style="text-align: justify;">
<b>Step 4:</b> View the class information file - there is a ton of information in there! :) </div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="http://4.bp.blogspot.com/-6e1IQ97ZpGU/UVxLxQRvJgI/AAAAAAAAAGA/Izxr0ZGHlik/s1600/Screen+Shot+2013-04-03+at+9.02.58+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="396" src="http://4.bp.blogspot.com/-6e1IQ97ZpGU/UVxLxQRvJgI/AAAAAAAAAGA/Izxr0ZGHlik/s640/Screen+Shot+2013-04-03+at+9.02.58+PM.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Step 5:</b> We need to find the rootViewController of the current window. This can be done using a tool called <a href="http://www.cycript.org/" target="_blank">Cycript</a>, which uses <a href="http://iphonedevwiki.net/index.php/MobileSubstrate" target="_blank">Mobile Substrate</a> to inject itself into any running application and gives us an interactive console inside that process. We can find the current rootViewController as below:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="http://2.bp.blogspot.com/-SNzdmFnsNIY/UVxM6Ie6oYI/AAAAAAAAAGI/7KW7khqpw7M/s1600/Screen+Shot+2013-04-03+at+9.08.02+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="128" src="http://2.bp.blogspot.com/-SNzdmFnsNIY/UVxM6Ie6oYI/AAAAAAAAAGI/7KW7khqpw7M/s400/Screen+Shot+2013-04-03+at+9.08.02+PM.png" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Step 6:</b> Let's go back to the output of class-dump-z in Step 4 and find the "@interface" section for <b>AntiPiracyViewController</b></div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="http://3.bp.blogspot.com/-f7iRAxA1-vI/UVxNcLx-LGI/AAAAAAAAAGQ/DXafePR_v-8/s1600/Screen+Shot+2013-04-03+at+9.09.58+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="http://3.bp.blogspot.com/-f7iRAxA1-vI/UVxNcLx-LGI/AAAAAAAAAGQ/DXafePR_v-8/s640/Screen+Shot+2013-04-03+at+9.09.58+PM.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Step 7:</b> We see a "<b>checkPiracy</b>" method and, more interestingly, a method called "<b>isJailbroken</b>" which returns a BOOL and takes no arguments. That strongly suggests it is the method that checks for a jailbroken state.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="http://1.bp.blogspot.com/-Ar7IC_GvUXU/UVxOQ2gCLgI/AAAAAAAAAGY/EVRn6N_o-50/s1600/Screen+Shot+2013-04-03+at+9.12.48+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="46" src="http://1.bp.blogspot.com/-Ar7IC_GvUXU/UVxOQ2gCLgI/AAAAAAAAAGY/EVRn6N_o-50/s320/Screen+Shot+2013-04-03+at+9.12.48+PM.png" width="320" /></a></div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
We can use 2 different techniques to bypass this protection -- </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<span style="color: red;">1. Runtime Modification using GDB </span></div>
<div style="text-align: justify;">
<span style="color: red;">2. Method Swizzling using Cycript</span></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Let's take up <span style="color: red;"><b>Runtime Modification using GDB</b></span> first</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Step 1:</b> Attach GDB to AntiPiracyDemo using the PID</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="http://2.bp.blogspot.com/-U1-X398FtSU/UVxP6d_ytNI/AAAAAAAAAGk/k5e5KgEYRAA/s1600/Screen+Shot+2013-04-03+at+9.20.43+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="70" src="http://2.bp.blogspot.com/-U1-X398FtSU/UVxP6d_ytNI/AAAAAAAAAGk/k5e5KgEYRAA/s640/Screen+Shot+2013-04-03+at+9.20.43+PM.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Step 2:</b> Set a breakpoint on the isJailbroken method </div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="http://2.bp.blogspot.com/-S87MOM6Eqbw/UVxQSABtNXI/AAAAAAAAAGs/NYEwM4boQ-U/s1600/Screen+Shot+2013-04-03+at+9.22.23+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="96" src="http://2.bp.blogspot.com/-S87MOM6Eqbw/UVxQSABtNXI/AAAAAAAAAGs/NYEwM4boQ-U/s640/Screen+Shot+2013-04-03+at+9.22.23+PM.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Step 3:</b> Continue running the application and click the "Am I Pirated" button to see if we hit the breakpoint</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="http://3.bp.blogspot.com/-y771FHNR5O8/UVxQtg3SlSI/AAAAAAAAAG4/WwOEdRiL0sI/s1600/Screen+Shot+2013-04-03+at+9.24.14+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="72" src="http://3.bp.blogspot.com/-y771FHNR5O8/UVxQtg3SlSI/AAAAAAAAAG4/WwOEdRiL0sI/s640/Screen+Shot+2013-04-03+at+9.24.14+PM.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Step 4:</b> Disassemble! :) Be prepared for some unfamiliar looking mnemonics if ARM assembly is not your thing :)</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="http://1.bp.blogspot.com/-Nnd2rcskrEU/UVxRF8D3JNI/AAAAAAAAAHA/MtKiCmiZnnk/s1600/Screen+Shot+2013-04-03+at+9.25.23+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="332" src="http://1.bp.blogspot.com/-Nnd2rcskrEU/UVxRF8D3JNI/AAAAAAAAAHA/MtKiCmiZnnk/s640/Screen+Shot+2013-04-03+at+9.25.23+PM.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="http://1.bp.blogspot.com/-8yaHTh8yQH4/UVxRM4m366I/AAAAAAAAAHI/LNf2hgKY7xA/s1600/Screen+Shot+2013-04-03+at+9.25.35+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="188" src="http://1.bp.blogspot.com/-8yaHTh8yQH4/UVxRM4m366I/AAAAAAAAAHI/LNf2hgKY7xA/s640/Screen+Shot+2013-04-03+at+9.25.35+PM.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Step 5:</b> iOS devices have an ARM-based processor and what you are seeing is ARM assembly. If you come from the x86 world, the main thing to keep in mind when reading it is the calling convention: the first four arguments are passed in the registers R0, R1, R2 and R3, any further arguments go on the stack, and the return value comes back in R0. Here is the <a href="http://developer.apple.com/library/ios/documentation/Xcode/Conceptual/iPhoneOSABIReference/iPhoneOSABIReference.pdf" target="_blank">ABI document</a> if you are interested. </div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="http://2.bp.blogspot.com/-897z5VwnmKM/UVxR2-ovSfI/AAAAAAAAAHQ/QSo1n7rVtMY/s1600/Screen+Shot+2013-04-03+at+9.29.08+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="246" src="http://2.bp.blogspot.com/-897z5VwnmKM/UVxR2-ovSfI/AAAAAAAAAHQ/QSo1n7rVtMY/s320/Screen+Shot+2013-04-03+at+9.29.08+PM.png" width="320" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
<b> Step 6:</b> In the disassembly in Step 4 you see a lot of <b>"blx 0x98fe4 <dyld_stub_objc_msgSend>"</b>. <a href="http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0068b/CIHFJFDG.html" target="_blank">BLX</a> is "Branch with Link and eXchange", i.e. a function call, and every one of these calls lands in <a href="https://developer.apple.com/library/mac/#documentation/Cocoa/Reference/ObjCRuntimeRef/Reference/reference.html#//apple_ref/c/func/objc_msgSend" target="_blank">objc_msgSend</a>, which has the following definition:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="http://1.bp.blogspot.com/-SYFYsyHHe40/UVxT1eTO3EI/AAAAAAAAAHY/M4lxef6obh4/s1600/Screen+Shot+2013-04-03+at+9.37.08+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="300" src="http://1.bp.blogspot.com/-SYFYsyHHe40/UVxT1eTO3EI/AAAAAAAAAHY/M4lxef6obh4/s640/Screen+Shot+2013-04-03+at+9.37.08+PM.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The above is from the Apple developer site. objc_msgSend is really the "carrier" of every message inside an iOS application: each [receiver selector] expression in the source compiles down to a call to it, with the receiver and the selector as its first two arguments. Using the ABI we can conclude that:</div>
<div style="text-align: justify;">
<br /></div>
<ol style="text-align: justify;">
<li>theReceiver is passed in R0</li>
<li>theSelector is passed in R1</li>
<li>the first method argument is passed in R2 (and the second in R3)</li>
</ol>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Step 7:</b> We could set a single breakpoint on objc_msgSend itself, but I would prefer to put breakpoints on each of its call sites inside isJailbroken to better illustrate the concept. So, let's set the breakpoints:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="http://4.bp.blogspot.com/-9legRj0ig2w/UVxVNnaRuFI/AAAAAAAAAHg/_828ty2mGO8/s1600/Screen+Shot+2013-04-03+at+9.43.23+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="148" src="http://4.bp.blogspot.com/-9legRj0ig2w/UVxVNnaRuFI/AAAAAAAAAHg/_828ty2mGO8/s200/Screen+Shot+2013-04-03+at+9.43.23+PM.png" width="200" /></a></div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
<b>Step 8:</b> Let's continue running the application and dump R0/R1 when we hit breakpoint 2. This tells us the receiver of the message and the selector being sent to it:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="http://2.bp.blogspot.com/-hhDMC2f-f2s/UVxV6DlaOOI/AAAAAAAAAHo/g7FXSWuHpM4/s1600/Screen+Shot+2013-04-03+at+9.46.25+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" src="http://2.bp.blogspot.com/-hhDMC2f-f2s/UVxV6DlaOOI/AAAAAAAAAHo/g7FXSWuHpM4/s640/Screen+Shot+2013-04-03+at+9.46.25+PM.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>NSString alloc</b> is not interesting. Let's repeat the same for the other breakpoints. Below is the output when we hit breakpoints 4 and 5. </div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="http://1.bp.blogspot.com/-cqa8sK9Dcm8/UVxWdpDpDPI/AAAAAAAAAHw/hOhdJzzbJug/s1600/Screen+Shot+2013-04-03+at+9.48.40+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="324" src="http://1.bp.blogspot.com/-cqa8sK9Dcm8/UVxWdpDpDPI/AAAAAAAAAHw/hOhdJzzbJug/s640/Screen+Shot+2013-04-03+at+9.48.40+PM.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Breakpoint 4 tells us that the application is using NSFileManager, and <b>breakpoint 5 tells us it is calling "fileExistsAtPath:" with "/private/var/lib/apt". Very interesting! </b></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
APT is one of the first things that ends up on a jailbroken phone, as it is the package manager behind Cydia, and /private/var/lib/apt is its state directory; a stock iOS install has no APT at all. It looks like the developer is checking for the presence of this directory. </div>
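<div style="text-align: justify;">
What does a check like this look like in source? Below is an added example in plain C, written for this discussion and not taken from the AntiPiracyDemo code. Only the apt path is confirmed by the breakpoints above; the other paths and the two behavioural probes (writing outside the app container, calling fork()) are other widely used jailbreak indicators assumed here, and the probe file name is made up.</div>

```c
/* Added example, not the AntiPiracyDemo source: the kind of jailbreak check the
 * breakpoints above just revealed, written in plain C. Only the first path is
 * confirmed from the GDB session; the other indicators are well-known jailbreak
 * artifacts and probes, assumed here. */
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

enum { JB_ARTIFACT = 1, JB_SANDBOX_WRITE = 2, JB_FORK = 4 };

static const char *const kJailbreakPaths[] = {
    "/private/var/lib/apt",                 /* the path seen in the fileExistsAtPath: call */
    "/Applications/Cydia.app",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/usr/sbin/sshd",
    "/bin/bash",
};

/* 1 if any path exists. This is what [NSFileManager fileExistsAtPath:] boils down
 * to, minus the objc_msgSend hop that the breakpoints above caught. */
int any_path_exists(const char *const *paths, size_t n)
{
    struct stat st;
    for (size_t i = 0; i < n; i++)
        if (stat(paths[i], &st) == 0)
            return 1;
    return 0;
}

/* 1 if we can create a file outside the app container, which the iOS sandbox
 * normally refuses. The probe file is removed again. */
int sandbox_write_escapes(const char *probe)
{
    FILE *f = fopen(probe, "w");
    if (!f)
        return 0;
    fclose(f);
    unlink(probe);
    return 1;
}

/* 1 if fork() is permitted. The container sandbox denies it to App Store apps
 * and many jailbreaks lift that restriction; the child exits immediately. */
int fork_allowed(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return 0;
    if (pid == 0)
        _exit(0);
    waitpid(pid, NULL, 0);
    return 1;
}

/* Bitmask of the indicators that fired; an isJailbroken method would simply
 * return jailbreak_indicators() != 0. Each probe is still one value that a
 * debugger can flip, exactly as the next steps flip R0. */
int jailbreak_indicators(void)
{
    int flags = 0;
    if (any_path_exists(kJailbreakPaths, sizeof kJailbreakPaths / sizeof kJailbreakPaths[0]))
        flags |= JB_ARTIFACT;
    if (sandbox_write_escapes("/private/jailbreak_probe.txt"))   /* probe name is made up */
        flags |= JB_SANDBOX_WRITE;
    if (fork_allowed())
        flags |= JB_FORK;
    return flags;
}
```

<div style="text-align: justify;">
Note that stat(), fopen() and fork() are plain C calls: they never pass through objc_msgSend, so breakpoints on objc_msgSend call sites, as set above, will not show them. An attacker would break on those libc functions instead, or skip the analysis altogether and flip the method's own return value in R0. Splitting the check into several probes raises the cost of the analysis; it does not change the conclusion of this post.</div>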
<div style="text-align: justify;">
<b> </b></div>
<div style="text-align: justify;">
<b>Step 9: </b>So where do we go from here? The return value is stored in R0, and if you check the documentation of <a href="https://developer.apple.com/library/mac/#documentation/Cocoa/Reference/Foundation/Classes/NSFileManager_Class/Reference/Reference.html" target="_blank">NSFileManager fileExistsAtPath:</a> it returns a BOOL. This means "0" will be returned if the path does not exist, i.e. the device is NOT jailbroken, and "1" if it does, i.e. the device IS jailbroken. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In our case, as our iPhone is jailbroken, it will return "1". We can verify this by setting a breakpoint on the instruction right after the call returns and checking the value of R0, as below:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="http://3.bp.blogspot.com/-gsJI5WmwbEg/UVxYheZkLNI/AAAAAAAAAIA/3Mc7ztKoaxw/s1600/Screen+Shot+2013-04-03+at+9.57.23+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="134" src="http://3.bp.blogspot.com/-gsJI5WmwbEg/UVxYheZkLNI/AAAAAAAAAIA/3Mc7ztKoaxw/s640/Screen+Shot+2013-04-03+at+9.57.23+PM.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Step 10:</b> The easiest way to subvert this check is to change the value of R0 from "1" to "0" at that breakpoint, so that the application believes the APT directory does not exist and hence that the device is not jailbroken. We can do this very easily:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="http://4.bp.blogspot.com/-LH4UNLsuFjM/UVxY_POxLaI/AAAAAAAAAII/SD02zX9Abxk/s1600/Screen+Shot+2013-04-03+at+9.59.35+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="78" src="http://4.bp.blogspot.com/-LH4UNLsuFjM/UVxY_POxLaI/AAAAAAAAAII/SD02zX9Abxk/s200/Screen+Shot+2013-04-03+at+9.59.35+PM.png" width="200" /></a></div>
<div style="text-align: justify;">
<b>Step 11:</b> If we check the application now, it happily tells us that "This iPhone is NOT Jailbroken"</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-T6dPTD4IDDE/UVxZcIb7hRI/AAAAAAAAAIQ/Ge4uGBqH224/s1600/photo+(2).PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://1.bp.blogspot.com/-T6dPTD4IDDE/UVxZcIb7hRI/AAAAAAAAAIQ/Ge4uGBqH224/s320/photo+(2).PNG" width="213" /></a></div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Of course, we have not patched the check in the binary, so the change lives only in this process and you would need to repeat it every time the application runs :) I will take up application patching in another blog post. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Now let us look at the other technique - <span style="color: red;"><b>Method Swizzling using Cycript</b></span></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Step 1:</b> Attach to the application using Cycript</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<a href="http://1.bp.blogspot.com/-v-YzBg7F5Rk/UVxadWR5qyI/AAAAAAAAAIY/M2uR4C2UZZk/s1600/Screen+Shot+2013-04-03+at+10.05.47+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="108" src="http://1.bp.blogspot.com/-v-YzBg7F5Rk/UVxadWR5qyI/AAAAAAAAAIY/M2uR4C2UZZk/s320/Screen+Shot+2013-04-03+at+10.05.47+PM.png" width="320" /></a></div>
<div style="text-align: justify;">
</div>
<br />
<br />
<div style="text-align: justify;">
</div>
<b>Step 2:</b> <a href="http://cocoadev.com/wiki/MethodSwizzling" target="_blank">Method Swizzling</a> allows you to change the mapping for a given selector to your own implementation of the method. To get the list of messages the object responds to we use <b>isa.messages</b> <br />
<br />
<div class="separator" style="clear: both;">
<a href="http://2.bp.blogspot.com/-ISeIee-fdUs/UVxbOMzFnKI/AAAAAAAAAIg/a7S78-WHaho/s1600/Screen+Shot+2013-04-03+at+10.09.01+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="272" src="http://2.bp.blogspot.com/-ISeIee-fdUs/UVxbOMzFnKI/AAAAAAAAAIg/a7S78-WHaho/s640/Screen+Shot+2013-04-03+at+10.09.01+PM.png" width="640" /></a></div>
<br />
The above command should give you a ton of output! You can clearly see <b>isJailbroken</b> in it, as highlighted. What really is isa.messages?<br />
<br />
If you look at the Objective-C runtime implementation, isa is a pointer to the object's class structure. <br />
<br />
Runtime header: <br />
<br />
<a href="http://www.opensource.apple.com/source/objc4/objc4-532/runtime/runtime.h">http://www.opensource.apple.com/source/objc4/objc4-532/runtime/runtime.h</a><br />
<br />
Application code does not normally touch isa directly, but with Cycript we are able to walk it. Quoting from Apple's documentation:<br />
<br />
<i>If you’re a procedural programmer new to object-oriented concepts, it might help at first to think of an object as essentially a structure with functions associated with it. This notion is not too far off the reality, particularly in terms of runtime implementation.<br /><br />Every Objective-C object hides a data structure whose first member—or instance variable—is the isa pointer. (Most remaining members are defined by the object’s class and superclasses.) The isa pointer, as the name suggests, points to the object’s class, which is an object in its own right (see Figure 2-1) and is compiled from the class definition. The class object maintains a dispatch table consisting essentially of pointers to the methods it implements; it also holds a pointer to its superclass, which has its own dispatch table and superclass pointer. Through this chain of references, an object has access to the method implementations of its class and all its superclasses (as well as all inherited public and protected instance variables). The isa pointer is critical to the message-dispatch mechanism and to the dynamism of Cocoa objects.</i><br />
Please read the rest here: <a href="https://developer.apple.com/library/mac/#documentation/Cocoa/Conceptual/CocoaFundamentals/CocoaObjects/CocoaObjects.html">https://developer.apple.com/library/mac/#documentation/Cocoa/Conceptual/CocoaFundamentals/CocoaObjects/CocoaObjects.html</a><br />
<br />
The last sentence of the above excerpt summarizes the importance of isa in message dispatch. Here is more information on it:<br />
<br />
<i>The key to messaging lies in the structures that the compiler builds for each class and object. Every class structure includes these two essential elements:</i><br />
<br />
<ul style="text-align: justify;">
<li><i>A pointer to the superclass.</i></li>
<li><i>A class dispatch table. This table has entries that associate method selectors with the class-specific addresses of the methods they identify. </i></li>
</ul>
<div style="text-align: justify;">
</div>
<br />
Full Details here: <a href="https://developer.apple.com/library/mac/#documentation/Cocoa/Conceptual/ObjCRuntimeGuide/Articles/ocrtHowMessagingWorks.html">https://developer.apple.com/library/mac/#documentation/Cocoa/Conceptual/ObjCRuntimeGuide/Articles/ocrtHowMessagingWorks.html</a><br />
<br />
<b>Step 3:</b> It's OK if the above does not make complete sense :) but it's good to know what is really happening in the background. Now let's replace the implementation of <b>isJailbroken</b> with Cycript: we assign a new function to the <b>isJailbroken</b> entry in the class's dispatch table, so every subsequent message with that selector runs our function, which simply returns NO.<br />
<br />
<div class="separator" style="clear: both;">
<a href="http://4.bp.blogspot.com/-AxEzLvrraDQ/UVxdHSn56CI/AAAAAAAAAIo/3U0QU-MgBJ0/s1600/Screen+Shot+2013-04-03+at+10.17.09+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="72" src="http://4.bp.blogspot.com/-AxEzLvrraDQ/UVxdHSn56CI/AAAAAAAAAIo/3U0QU-MgBJ0/s640/Screen+Shot+2013-04-03+at+10.17.09+PM.png" width="640" /></a></div>
<br />
<b>Step 4:</b> Now when you click on "Am I Pirated?" you will always get a "NO" :) W00t :) As with the GDB approach, the swizzle lives only inside the running process; restart the application and the original implementation is back.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-86AOUX5dSMo/UVxfFKez_LI/AAAAAAAAAI4/jD7qqvXscWg/s1600/photo+(3).PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://2.bp.blogspot.com/-86AOUX5dSMo/UVxfFKez_LI/AAAAAAAAAI4/jD7qqvXscWg/s320/photo+(3).PNG" width="213" /></a></div>
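<div style="text-align: justify;">
The same dispatch-table replacement, as an added example that is not part of the original post and not Cycript's or MobileSubstrate's code: a small C dylib that uses the Objective-C runtime API (objc_getClass, class_getInstanceMethod, method_setImplementation) to install the replacement for -[AntiPiracyViewController isJailbroken] every time the application starts, instead of typing it into a REPL. The runtime functions are declared as weak references, an assumption made so that the file also compiles on a machine without libobjc; the class and selector names come from the class-dump-z output above, while the log prefix and the build and deployment notes are mine.</div>

```c
/* Added example, not from the post: the Cycript swizzle of Step 3 done from a
 * dylib with the Objective-C runtime's C API, so the bypass is installed on every
 * launch. The runtime functions are declared as weak references (signatures as in
 * <objc/runtime.h>, assumed) so this also compiles on a host without libobjc,
 * where they resolve to NULL. */
#include <stddef.h>
#include <stdio.h>

typedef struct objc_class    *Class;
typedef struct objc_object   *id;
typedef struct objc_selector *SEL;
typedef struct objc_method   *Method;
typedef void (*IMP)(void);

extern Class  objc_getClass(const char *name)               __attribute__((weak));
extern SEL    sel_registerName(const char *name)            __attribute__((weak));
extern Method class_getInstanceMethod(Class cls, SEL sel)   __attribute__((weak));
extern IMP    method_setImplementation(Method m, IMP imp)   __attribute__((weak));

/* The original -[AntiPiracyViewController isJailbroken], saved by the swizzle. */
static IMP g_orig_isJailbroken;

/* Replacement: call the original so we can log what the app would have concluded,
 * then report NO regardless. BOOL is a signed char on 32-bit ARM (a 0 in R0), and
 * 0 is also a false bool on arm64. */
signed char fake_isJailbroken(id self, SEL _cmd)
{
    signed char real = 0;
    if (g_orig_isJailbroken)
        real = ((signed char (*)(id, SEL))g_orig_isJailbroken)(self, _cmd);
    fprintf(stderr, "[bypass] isJailbroken would have returned %d, reporting NO\n", real);
    return 0;
}

/* Repoint the class's dispatch-table entry for `selector` at `replacement`, which
 * is what assigning to isa.messages[...] does in Cycript. Returns 1 on success,
 * 0 if the class or method is unknown, -1 if no Objective-C runtime is linked in. */
int swizzle_instance_method(const char *class_name, const char *selector,
                            IMP replacement, IMP *saved_original)
{
    if (!objc_getClass || !sel_registerName ||
        !class_getInstanceMethod || !method_setImplementation)
        return -1;
    Class cls = objc_getClass(class_name);
    if (!cls)
        return 0;
    Method m = class_getInstanceMethod(cls, sel_registerName(selector));
    if (!m)
        return 0;
    IMP old = method_setImplementation(m, replacement);
    if (saved_original)
        *saved_original = old;
    return 1;
}

/* Runs when the dylib is loaded into the target, e.g. from MobileSubstrate's
 * DynamicLibraries directory or via DYLD_INSERT_LIBRARIES on the jailbroken device. */
__attribute__((constructor)) static void antipiracy_bypass_init(void)
{
    int rc = swizzle_instance_method("AntiPiracyViewController", "isJailbroken",
                                     (IMP)fake_isJailbroken, &g_orig_isJailbroken);
    fprintf(stderr, "[bypass] isJailbroken swizzle: %s\n",
            rc == 1 ? "installed" : rc == 0 ? "class or method not found" : "no ObjC runtime here");
}
```

<div style="text-align: justify;">
Build it as a dynamic library against the iOS SDK and link it with -lobjc, then either copy it to /Library/MobileSubstrate/DynamicLibraries on the jailbroken device with a plist next to it that filters on the app's bundle identifier, or point DYLD_INSERT_LIBRARIES at it when launching the app from the shell. Cycript's assignment to isa.messages does the same thing interactively for one process; the dylib does it on every launch, and saving the original IMP lets the replacement log the verdict the app would have reached. Like the GDB approach, this modifies the process, not the binary, so a hash of the executable on disk will not notice it.</div>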
<br />
<br />
<br />
Hope you enjoyed this post. I will be creating more posts on bypassing other checks, such as binary checks, bundle and hash checks, in the coming posts. Stay tuned!<br />
<br />
<br />
<div style="text-align: justify;">
<a href="http://securitytube-training.com/wp-content/uploads/2012/08/SISE_logo.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="160" src="http://securitytube-training.com/wp-content/uploads/2012/08/SISE_logo.jpg" width="320" /></a>If you are interested in learning how to methodically understand many of the above concepts and test iOS applications with a blackbox approach, then please have a look at my <a href="http://securitytube-training.com/online-courses/securitytube-ios-security-expert/" target="_blank"><b>SecurityTube iOS Security Expert (SISE)</b></a> course. It is an online course and certification which focuses on the iOS platform and application security, and is ideal for pentesters, researchers and the casual iOS enthusiast who would like to dive deep and understand how to analyze and systematically audit applications on this platform using a variety of bleeding edge tools and techniques.</div>
<br />
</div>
Anonymoushttp://www.blogger.com/profile/15979331398238239887noreply@blogger.com3tag:blogger.com,1999:blog-6216396197913419765.post-67185911027968630112013-04-02T08:53:00.007-07:002013-04-02T08:53:59.629-07:00Converting Airdecap-NG into a Word List based WEP Cracker<div dir="ltr" style="text-align: left;" trbidi="on">
We all know that WEP can be cracked, but can you crack a WEP network with only one Data packet?<br />
<br />
Traditionally, WEP cracking has involved making the victim network generate a ton of WEP-encrypted data packets and then using a tool like Aircrack-NG to recover the key from them by exploiting the cryptographic flaws in WEP. The ballpark number is roughly between 30k and 120k data packets. I'd also like to take this opportunity to say how fantastic Aircrack-NG is, and how my friend Mister_X, its creator, is without a shadow of a doubt one of the most talented programmers / security researchers I have ever had the privilege of knowing. <br />
<br />
Now back to my blog post :) However, what if you only have one WEP data packet, as in <span style="color: red;"><b><a href="https://github.com/securitytube/hack-of-the-day/blob/master/Challenge-1-Easy.cap?raw=true" target="_blank">this trace file</a></b></span>? Here is a quick look at the file in Wireshark:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-4Y00dZlPXK8/UVr3cnFnq1I/AAAAAAAAAEA/3lpUO5Fzfos/s1600/Screen+Shot+2013-04-02+at+8.40.06+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="420" src="http://2.bp.blogspot.com/-4Y00dZlPXK8/UVr3cnFnq1I/AAAAAAAAAEA/3lpUO5Fzfos/s640/Screen+Shot+2013-04-02+at+8.40.06+PM.png" width="640" /></a> </div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
To begin with, there is no cryptographic attack which can crack WEP with just one data packet: the statistical attacks need a large number of packets with distinct IVs. The only way is a dictionary attack against that one data packet: decrypt it with each candidate key, and if the decryption succeeds (the decrypted packet's CRC-32 integrity check value, the ICV, verifies) then that key is the right one. This is really the same way we crack WPA/WPA2-PSK today.<br />
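What "successfully decrypt" means in practice, as an added example that is not the author's script: a WEP frame body (the bytes after the 24-byte 802.11 header of the data frame) is a 3-byte IV, a key index byte, and then RC4 keyed with IV || key applied to the payload followed by its CRC-32 integrity check value (ICV). A candidate key is right when the ICV recovered by decryption matches the CRC-32 of the recovered payload. The sample body below is constructed inside the block (encrypted under the key "tudes" with an arbitrary IV), not taken from the post's capture.

```python
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA then PRGA), the stream cipher WEP seeds with IV || key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_icv(data: bytes) -> bytes:
    """WEP's integrity check value: a plain CRC-32 of the payload, sent little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Build a WEP frame body: IV(3) | key index(1) | RC4(IV || key) over (plaintext || ICV).
    Used here only to construct a sample; a real capture already contains this."""
    stream = rc4_keystream(iv + key, len(plaintext) + 4)
    return iv + b"\x00" + bytes(a ^ b for a, b in zip(plaintext + wep_icv(plaintext), stream))


def wep_try_key(key: bytes, body: bytes):
    """Decrypt `body` (the bytes after the 802.11 header) with `key`.
    Returns the plaintext if the ICV verifies, else None. A wrong key yields random
    bytes whose ICV matches with probability 2^-32, so one packet is enough to decide."""
    iv, enc = body[:3], body[4:]          # byte 3 is the key index, not part of the RC4 seed
    stream = rc4_keystream(iv + key, len(enc))
    dec = bytes(a ^ b for a, b in zip(enc, stream))
    data, icv = dec[:-4], dec[-4:]
    return data if wep_icv(data) == icv else None


def crack_wep_body(body: bytes, words):
    """Dictionary attack: try each 5- or 13-character ASCII word (WEP-40 / WEP-104 keys)."""
    for word in words:
        word = word.rstrip("\r\n")
        if len(word) not in (5, 13) or not word.isascii():
            continue
        if wep_try_key(word.encode("ascii"), body) is not None:
            return word
    return None


# Constructed sample, not the post's capture: an LLC/SNAP + ARP prefix encrypted under
# the key "tudes" with the IV 01:02:03.
SAMPLE_PLAINTEXT = bytes.fromhex("aaaa03000000" "0806" "0001080006040001")
SAMPLE_BODY = wep_encrypt(b"tudes", b"\x01\x02\x03", SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print(crack_wep_body(SAMPLE_BODY, ["password", "hello", "correct horse", "tudes"]))
```

Because the check is a 32-bit CRC on a single packet, a false positive on a wrong key is a 2^-32 event; with a real capture you would still confirm the hit by decrypting a second packet if one is available.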
<br />
The problem we run into is that most WEP cracking tools do not support a dictionary based attack on WEP. There is a tool in the Aircrack-NG suite, Airdecap-NG, which can decrypt WEP packets if we know the key, but it cannot take a dictionary as input. Below is a quick dump of its options:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-RMmRPitlUvk/UVr5MNvl4lI/AAAAAAAAAEI/IKfbpusYpTk/s1600/Screen+Shot+2013-04-02+at+8.58.20+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="282" src="http://4.bp.blogspot.com/-RMmRPitlUvk/UVr5MNvl4lI/AAAAAAAAAEI/IKfbpusYpTk/s400/Screen+Shot+2013-04-02+at+8.58.20+PM.png" width="400" /></a></div>
<br />
The option that is interesting to me is "-w", which takes the WEP key (in hex). So with this, let me define our objective.<br />
<br />
<b>Objective: <span style="color: red;">To create a Python script which can use Airdecap-NG along with a Word List and try to Crack WEP with just a single Data packet</span></b><br />
<br />
Let's analyze the solution in steps:<br />
<br />
<br />
<b>Step 1:</b> If we called Airdecap-NG from within our script, how would we know it has managed to find the right WEP key? To solve this, let's look at the output of Airdecap-NG when it <b>FAILS</b> to decrypt a packet using the supplied WEP key:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-iLsrgn83Bd0/UVr6OlxKzsI/AAAAAAAAAEQ/wDH1S2rrK_E/s1600/Screen+Shot+2013-04-02+at+8.38.31+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="http://1.bp.blogspot.com/-iLsrgn83Bd0/UVr6OlxKzsI/AAAAAAAAAEQ/wDH1S2rrK_E/s640/Screen+Shot+2013-04-02+at+8.38.31+PM.png" width="640" /></a></div>
<br />
We clearly see that Line No 5 of the output "Number of decrypted WEP packets" is "0".<br />
<br />
Let's now see how it looks like when the decryption <b>SUCCEEDS</b> if we have the right WEP key:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-62g-cwKANoY/UVr605WB8tI/AAAAAAAAAEY/k1kpv7QMYuo/s1600/Screen+Shot+2013-04-02+at+8.39.09+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="192" src="http://1.bp.blogspot.com/-62g-cwKANoY/UVr605WB8tI/AAAAAAAAAEY/k1kpv7QMYuo/s640/Screen+Shot+2013-04-02+at+8.39.09+PM.png" width="640" /></a></div>
<br />
Fantastic! Line no 5 now has "1" in the rightmost column because we managed to decrypt the packet.<br />
<br />
<br />
<b>Step 2:</b> So we need to write a Python script which does the following:<br />
<br />
<ol style="text-align: left;">
<li>Takes a Word List and the Pcap file containing the WEP data packet as input</li>
<li>It uses only the words of length 5 or 13 characters, since an ASCII WEP key is really 40 or 104 bits (5 or 13 bytes) long</li>
<li>For each key, call airdecap-ng with the key (hex encoded, as "-w" expects) and capture its output</li>
<li>If the "Number of decrypted WEP packets" line (line no 5) does not show "1", continue with (3)</li>
<li>If that line shows "1", stop and print the WEP key used. This is the correct key</li>
</ol>
I wish I had the time to make a flow chart for the above :)<br />
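An added example of driving airdecap-ng from Python along the lines of the steps above; it is my code, not the author's gist. It assumes airdecap-ng is on PATH and that its "-w" option takes the key in hex (so each ASCII word is hex encoded before the call). The summary text in the block is a constructed sample laid out like the screenshots, and fake_airdecap is a stand-in backend so the logic can be exercised without the tool installed. The match is made on the "Number of decrypted WEP packets" label rather than on "line 5", so a version that adds a summary line does not break it.

```python
import subprocess
import sys

DECRYPTED_LABEL = "Number of decrypted WEP packets"


def candidate_keys(words):
    """Yield (word, hexkey) for words usable as WEP-40 (5 ASCII chars) or WEP-104 (13) keys.
    airdecap-ng's -w wants the key in hex, so the ASCII word is hex encoded."""
    for word in words:
        word = word.rstrip("\r\n")
        if len(word) in (5, 13) and word.isascii():
            yield word, word.encode("ascii").hex()


def decrypted_count(output: str) -> int:
    """Read the 'Number of decrypted WEP packets' figure from airdecap-ng's summary.
    Matching on the label rather than on line 5 keeps this working if the tool adds a line."""
    for line in output.splitlines():
        if line.strip().startswith(DECRYPTED_LABEL):
            return int(line.split()[-1])
    raise ValueError("no '%s' line in airdecap-ng output" % DECRYPTED_LABEL)


def run_airdecap(hexkey: str, pcap: str) -> str:
    """Real backend: airdecap-ng -w <hexkey> <pcap>. The tool writes <pcap stem>-dec.cap next
    to the input on every run, so after a hit that file is the decrypted capture."""
    proc = subprocess.run(["airdecap-ng", "-w", hexkey, pcap],
                          capture_output=True, text=True, check=False)
    return proc.stdout


def crack(pcap: str, words, backend=run_airdecap):
    """Return the first word whose key decrypts at least one WEP data packet, else None."""
    for word, hexkey in candidate_keys(words):
        if decrypted_count(backend(hexkey, pcap)) > 0:
            return word
    return None


# Constructed samples of the summary airdecap-ng prints (laid out like the post's
# screenshots; not captured from a real run here).
SAMPLE_FAIL = """\
Total number of packets read             1
Total number of WEP data packets         1
Total number of WPA data packets         0
Number of plaintext data packets         0
Number of decrypted WEP packets          0
Number of corrupted WEP  packets         0
Number of decrypted WPA packets          0
"""
SAMPLE_OK = """\
Total number of packets read             1
Total number of WEP data packets         1
Total number of WPA data packets         0
Number of plaintext data packets         0
Number of decrypted WEP packets          1
Number of corrupted WEP  packets         0
Number of decrypted WPA packets          0
"""


def fake_airdecap(hexkey: str, pcap: str) -> str:
    """Stand-in backend for offline testing: only the hex of "tudes" decrypts the packet."""
    return SAMPLE_OK if hexkey == b"tudes".hex() else SAMPLE_FAIL


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: %s <wordlist> <capture.cap>" % sys.argv[0])
    # errors="replace": real word lists contain bytes that are not valid UTF-8
    with open(sys.argv[1], errors="replace") as fh:
        print("WEP key:", crack(sys.argv[2], fh))
```

Spawning one airdecap-ng process per word is the bottleneck; against a large list, doing the RC4 decryption and ICV check in-process is orders of magnitude faster, and the wordlist should be opened with errors="replace" because real lists contain bytes that are not valid UTF-8.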
<br />
<br />
<b>Step 3:</b> Let's code this up:<br />
<br />
<br />
<script src="https://gist.github.com/securitytube/5292925.js"></script>
<br />
<br />
<br />
<b>Step 4:</b> Let's run this against the pcap file and use the default dictionary in Backtrack.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-d7zr3tdo4mk/UVr8mKiM-BI/AAAAAAAAAEg/ybpi7OY0YmQ/s1600/Screen+Shot+2013-04-02+at+8.44.11+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="44" src="http://3.bp.blogspot.com/-d7zr3tdo4mk/UVr8mKiM-BI/AAAAAAAAAEg/ybpi7OY0YmQ/s640/Screen+Shot+2013-04-02+at+8.44.11+PM.png" width="640" /></a></div>
<br />
<b>Step 5:</b> Now Python and Airdecap-NG are doing a lot of work for us. Let's appreciate that a bit by looking at the output while it is still running :)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-tgFPg2W_mak/UVr84WvN5BI/AAAAAAAAAEo/3giJLAEco5c/s1600/Screen+Shot+2013-04-02+at+8.44.29+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="286" src="http://2.bp.blogspot.com/-tgFPg2W_mak/UVr84WvN5BI/AAAAAAAAAEo/3giJLAEco5c/s400/Screen+Shot+2013-04-02+at+8.44.29+PM.png" width="400" /></a></div>
<br />
Eventually, if the WEP key is in the wordlist, we will find it :)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-AQJbXYa8-4I/UVr9F5g7EOI/AAAAAAAAAEw/H8KL2ueOUfk/s1600/Screen+Shot+2013-04-02+at+8.37.10+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="460" src="http://2.bp.blogspot.com/-AQJbXYa8-4I/UVr9F5g7EOI/AAAAAAAAAEw/H8KL2ueOUfk/s640/Screen+Shot+2013-04-02+at+8.37.10+PM.png" width="640" /></a></div>
<br />
The WEP key used by the network was "tudes" as we can see from the last line of the output.<br />
<br />
<b>Step 6:</b> You can also see the decrypted packet using Wireshark<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-pzVTzmbcsFg/UVr9YEkBkTI/AAAAAAAAAE4/YOCRNIZ4ab8/s1600/Screen+Shot+2013-04-02+at+8.40.42+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="540" src="http://1.bp.blogspot.com/-pzVTzmbcsFg/UVr9YEkBkTI/AAAAAAAAAE4/YOCRNIZ4ab8/s640/Screen+Shot+2013-04-02+at+8.40.42+PM.png" width="640" /></a></div>
<br />
<br />
Awesome! Hopefully this has been an interesting illustration of how you can use Python to automate tasks with the existing tools available, rather than wait for a new tool or a feature in an existing one.<br />
<br />
If you enjoyed, leave a comment behind or please Tweet / Share this post. Thanks!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://securitytube-training.com/wp-content/uploads/2012/03/Screen-Shot-2012-03-29-at-12.16.57-PM.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="153" src="http://securitytube-training.com/wp-content/uploads/2012/03/Screen-Shot-2012-03-29-at-12.16.57-PM.png" width="320" /></a></div>
If you are interested in learning how to use Python for Pentesting then please have a look at our <a href="http://securitytube-training.com/online-courses/securitytube-python-scripting-expert/" target="_blank"><b>SecurityTube Python Scripting Expert </b></a>course. This course is ideal for penetration testers, security enthusiasts and network administrators who want to learn to automate tasks or go beyond just using ready made tools. We will be covering topics in system security, network security, attacking web applications and services, exploitation techniques, malware and binary analysis and task automation. We have students from 73+ countries taking this course already!<br />
<br />
<br />
<br />
<br /></div>
Anonymoushttp://www.blogger.com/profile/15979331398238239887noreply@blogger.com3tag:blogger.com,1999:blog-6216396197913419765.post-75112091959103671992013-04-01T11:05:00.000-07:002013-04-02T07:58:34.166-07:00Wi-Fi SSID Sniffer in 11 Lines of Python using Raw Sockets<div dir="ltr" style="text-align: left;" trbidi="on">
I covered writing a <a href="http://hackoftheday.securitytube.net/2013/03/wi-fi-sniffer-in-10-lines-of-python.html" target="_blank">Wi-Fi SSID Sniffer using Scapy in just 10 lines</a> in a previous post. Interestingly, a lot of people (mostly developers) wanted to know what the code would look like if you did not use scapy.<br />
<br />
Here is the scapy version I posted earlier today:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-BzKquoLVAbw/UVkbT-bAbZI/AAAAAAAAAAk/6yraZ4d-WG4/s1600/Screen+Shot+2013-04-01+at+10.58.57+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="190" src="http://3.bp.blogspot.com/-BzKquoLVAbw/UVkbT-bAbZI/AAAAAAAAAAk/6yraZ4d-WG4/s640/Screen+Shot+2013-04-01+at+10.58.57+AM.png" width="640" /></a></div>
<br />
<br />
Here is a raw socket version of the same code :)<br />
<br />
<script src="https://gist.github.com/securitytube/5292856.js"></script>
<br />
<br />
<br />
The code above jumps over the Radiotap header, gets the MAC address from address field 2 and then reads the first tagged parameter (typically the SSID) from the beacon frame body. This is definitely not production ready code :) and needs more work (it needs to iterate through the tagged parameters in case the SSID is not the first one, etc.), but it seems to work quite well; below is a sample output.<br />
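An added example of the raw-socket approach (my code, not the gist above) that walks the tagged parameters instead of trusting the first one and handles the zero-length SSID of a hidden network. It assumes the usual Linux layout for a monitor-mode interface such as mon0: frames arrive on an AF_PACKET socket with a radiotap header whose length is in bytes 2-3 (little endian), followed by the 24-byte management MAC header (transmitter address at offset 10) and 12 bytes of beacon fixed parameters before the elements. The sample frame is built by build_beacon() inside the block and is not a real capture.

```python
import socket
import struct

ETH_P_ALL = 0x0003       # receive every frame on the interface, including 802.11 management
MGMT, BEACON = 0, 8      # frame control type / subtype of a beacon
SSID_IE = 0              # element ID of the SSID tagged parameter


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def parse_beacon(frame: bytes):
    """Return (bssid, ssid) for a radiotap-encapsulated beacon frame, else None.
    ssid is "" for a hidden network (zero-length SSID element)."""
    if len(frame) < 4:
        return None
    rt_len = struct.unpack_from("<H", frame, 2)[0]     # radiotap: version, pad, len (LE u16), present
    dot11 = frame[rt_len:]
    if len(dot11) < 24 + 12:                            # MAC header + beacon fixed parameters
        return None
    fc0 = dot11[0]
    if ((fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF) != (MGMT, BEACON):
        return None
    bssid = mac_str(dot11[10:16])                       # address 2 = transmitter (the AP)
    pos = 24 + 12                                       # skip timestamp(8) + interval(2) + capability(2)
    # Walk the tagged parameters (ID, len, value) until the SSID element; do not assume it is first.
    while pos + 2 <= len(dot11):
        eid, elen = dot11[pos], dot11[pos + 1]
        value = dot11[pos + 2:pos + 2 + elen]
        if len(value) < elen:                           # truncated frame, or a trailing FCS parsed as an element
            break
        if eid == SSID_IE:
            return bssid, value.decode("utf-8", "replace")
        pos += 2 + elen
    return None


def build_beacon(bssid: bytes, ies) -> bytes:
    """Constructed sample frame for testing (not a real capture): 8-byte radiotap header,
    24-byte beacon MAC header, 12 bytes of fixed parameters, then the given (id, value) elements."""
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)
    fc = bytes([(BEACON << 4) | (MGMT << 2), 0x00])
    header = fc + b"\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)         # timestamp, 100 TU interval, capabilities
    body = b"".join(bytes([eid, len(value)]) + value for eid, value in ies)
    return radiotap + header + fixed + body


SAMPLE_BEACON = build_beacon(bytes.fromhex("001122334455"),
                             [(0, b"securitytube"), (1, b"\x82\x84\x8b\x96"), (3, b"\x06")])


def sniff(iface: str = "mon0"):
    """Linux only: read raw frames from a monitor-mode interface and print each AP once."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    sock.bind((iface, 0))
    seen = set()
    while True:
        parsed = parse_beacon(sock.recv(4096))
        if parsed and parsed[0] not in seen:
            seen.add(parsed[0])
            print("AP MAC: %s  SSID: %r" % parsed)


if __name__ == "__main__":
    import sys
    sniff(sys.argv[1] if len(sys.argv) > 1 else "mon0")
```

Some drivers hand up frames with the 4-byte FCS still attached; the loop tolerates that because the stray bytes fail the length check, but a fuller parser would read the radiotap "flags" field and strip the FCS explicitly.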
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-6YC3ds50yak/UVnL8T_xboI/AAAAAAAAADY/jeCuUJ-EnWk/s1600/Screen+Shot+2013-04-01+at+11.33.12+PM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="150" src="http://3.bp.blogspot.com/-6YC3ds50yak/UVnL8T_xboI/AAAAAAAAADY/jeCuUJ-EnWk/s320/Screen+Shot+2013-04-01+at+11.33.12+PM.png" width="320" /></a></div>
I'll probably do a more detailed writeup explaining the code later in the week, with some more checks to make it reliable. I think it's still possible to write an SSID sniffer in under 25 lines with no 3rd party libs being used. We'll see - Good Night! :)<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://securitytube-training.com/wp-content/uploads/2012/03/Screen-Shot-2012-03-29-at-12.16.57-PM.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="153" src="http://securitytube-training.com/wp-content/uploads/2012/03/Screen-Shot-2012-03-29-at-12.16.57-PM.png" width="320" /></a></div>
<div style="text-align: justify;">
If you are interested in learning how to use Python for Pentesting then please have a look at our <a href="http://securitytube-training.com/online-courses/securitytube-python-scripting-expert/" target="_blank"><b>SecurityTube Python Scripting Expert </b></a>course. This course is ideal for penetration testers, security enthusiasts and network administrators who want to learn to automate tasks or go beyond just using ready made tools. We will be covering topics in system security, network security, attacking web applications and services, exploitation techniques, malware and binary analysis and task automation. We have students from 73+ countries taking this course already!</div>
<br />
<br /></div>
Anonymoushttp://www.blogger.com/profile/15979331398238239887noreply@blogger.com3tag:blogger.com,1999:blog-6216396197913419765.post-69084229880749381502013-03-31T23:30:00.001-07:002013-04-06T20:05:58.661-07:00Wi-Fi SSID Sniffer in 10 Lines of Python<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: justify;">
One of the things I left out when I put out the <a href="http://www.securitytube.net/groups?operation=view&groupId=9" target="_blank"><b>SecurityTube Wi-Fi Security Megaprimer</b></a> was the programming aspects of Wi-Fi Security and Hacking. Around a decade back, when I used to work as a programmer and researcher, most of my code for Wi-Fi fuzzers / sniffers / injectors was in C. However, C requires you to do everything from scratch. I may take up an example of a Wi-Fi Sniffer in C as a separate blog post. In this post, we will be looking at writing a Wi-Fi Sniffer in Python :) </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
I've probably used Python for over 6-7 years now and it's really been my substitute for C when all I need is quick prototyping. This post should illustrate the power of Python and the great open source library support it has from the community.<br />
<br />
<i><b>[Update] Writing an SSID Sniffer in 11 Lines of Python using Raw Sockets (no 3rd Party Libs) </b></i><br />
<br />
<i>This post made it to reddit.com/r/programming and a lot of developers felt it was unfair to use scapy and claim 10 lines :) I agree, so here is an implementation using raw sockets:</i><br />
<i><br /></i>
<i><a href="http://hackoftheday.securitytube.net/2013/04/wi-fi-ssid-sniffer-in-12-lines-of.html">http://hackoftheday.securitytube.net/2013/04/wi-fi-ssid-sniffer-in-12-lines-of.html</a></i><br />
<br />
<i>The code is not as readable as the one on this post but sufficiently proves without a doubt that it can be done :) </i><br />
</div>
<div style="text-align: justify;">
<b><br /></b>
<b>Objective:</b> <span style="color: red;">To Code a Wi-Fi SSID Sniffer in 10 Lines of Python </span></div>
<div style="text-align: justify;">
<br />
For those in a hurry, here is the code:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-BzKquoLVAbw/UVkbT-bAbZI/AAAAAAAAAAg/pSNj6zefomY/s1600/Screen+Shot+2013-04-01+at+10.58.57+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="188" src="http://3.bp.blogspot.com/-BzKquoLVAbw/UVkbT-bAbZI/AAAAAAAAAAg/pSNj6zefomY/s640/Screen+Shot+2013-04-01+at+10.58.57+AM.png" width="640" /></a></div>
<div style="text-align: justify;">
<b>Requirements:</b> You already have a Wi-Fi card capable of sniffing the air using monitor mode. I am using the ALFA AWUS036H.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Now let me break up the whole process of writing the above. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
<b>Step 1:</b> Find a library which can allow us to easily sniff Wi-Fi and hands us the packets. There are many libraries which allow us to do this - <a href="http://www.secdev.org/projects/scapy/" target="_blank">scapy</a> is one of the better ones. Install scapy (comes pre-installed in BT5) </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br />
<b>Step 2: </b>Scapy can be run in interactive mode or used as a library. The interactive mode is great for quick prototyping and we will use this. Run scapy and type in "conf" to see the current configuration.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-4m6SvHe3zP0/UVkdHnEHkQI/AAAAAAAAAAo/_lGQaucALgA/s1600/Screen+Shot+2013-04-01+at+11.07.20+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="http://1.bp.blogspot.com/-4m6SvHe3zP0/UVkdHnEHkQI/AAAAAAAAAAo/_lGQaucALgA/s640/Screen+Shot+2013-04-01+at+11.07.20+AM.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b> Step 3: </b>Check the value of "iface". The default interface is typically "eth0". </div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-no5q3oiikRE/UVkdndpcpZI/AAAAAAAAAAw/ILqDSY6UlZQ/s1600/Screen+Shot+2013-04-01+at+11.09.10+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="478" src="http://2.bp.blogspot.com/-no5q3oiikRE/UVkdndpcpZI/AAAAAAAAAAw/ILqDSY6UlZQ/s640/Screen+Shot+2013-04-01+at+11.09.10+AM.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Step 4:</b> Let's set the interface to "mon0", our monitor mode wireless interface. Now we use the sniff() function to get packets from mon0. We specify the number of packets we want to sniff; scapy blocks until it has received that many packets and returns them as a Python list. </div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-UTEY9Ib4-_8/UVkeoHMSSvI/AAAAAAAAABA/YLRHECaCcIg/s1600/Screen+Shot+2013-04-01+at+11.13.42+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="181" src="http://4.bp.blogspot.com/-UTEY9Ib4-_8/UVkeoHMSSvI/AAAAAAAAABA/YLRHECaCcIg/s320/Screen+Shot+2013-04-01+at+11.13.42+AM.png" width="320" /></a></div>
<div style="text-align: justify;">
<b>Step 5:</b> We can look at a quick summary of the packets using .summary()</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-jcnnxk4rpkg/UVkfBVRxKfI/AAAAAAAAABQ/iRs0hoDS0LA/s1600/Screen+Shot+2013-04-01+at+11.15.18+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="132" src="http://3.bp.blogspot.com/-jcnnxk4rpkg/UVkfBVRxKfI/AAAAAAAAABQ/iRs0hoDS0LA/s640/Screen+Shot+2013-04-01+at+11.15.18+AM.png" width="640" /></a></div>
<div style="text-align: justify;">
<b> Step 6:</b> Scapy has a really cool way to visualize packets real quick using .pdfdump() </div>
<div style="text-align: justify;">
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-bCtS7SRO7mg/UVkfdte0s2I/AAAAAAAAABg/S_AhNrHajUo/s1600/Screen+Shot+2013-04-01+at+11.17.23+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="60" src="http://1.bp.blogspot.com/-bCtS7SRO7mg/UVkfdte0s2I/AAAAAAAAABg/S_AhNrHajUo/s200/Screen+Shot+2013-04-01+at+11.17.23+AM.png" width="200" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Step 7:</b> This opens up a PDF with the whole packet visualized for you! wow! :) </div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-VG7t0Tc7V24/UVkf2s721-I/AAAAAAAAABo/lO4kMYeUIRU/s1600/Screen+Shot+2013-04-01+at+11.18.56+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="http://2.bp.blogspot.com/-VG7t0Tc7V24/UVkf2s721-I/AAAAAAAAABo/lO4kMYeUIRU/s400/Screen+Shot+2013-04-01+at+11.18.56+AM.png" width="318" /></a></div>
<div style="text-align: justify;">
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Step 8:</b> A quick look at a beacon frame in Wireshark tells us that type = 0 (management frame) and subtype = 8 (beacon). Also, the AP's MAC address is in Addr2 (the transmitter address) and in Addr3 (the BSSID).</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-L15UyJkdE8k/UVkghK77MtI/AAAAAAAAAB4/7Nyx8TJ8q_4/s1600/Screen+Shot+2013-04-01+at+11.21.40+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="172" src="http://1.bp.blogspot.com/-L15UyJkdE8k/UVkghK77MtI/AAAAAAAAAB4/7Nyx8TJ8q_4/s400/Screen+Shot+2013-04-01+at+11.21.40+AM.png" width="400" /> </a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-3es2oFicApY/UVkgufkFlfI/AAAAAAAAACA/L16CIM_h62k/s1600/Screen+Shot+2013-04-01+at+11.22.39+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="130" src="http://2.bp.blogspot.com/-3es2oFicApY/UVkgufkFlfI/AAAAAAAAACA/L16CIM_h62k/s400/Screen+Shot+2013-04-01+at+11.22.39+AM.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div style="text-align: justify;">
<b>Step 9:</b> Awesome! So now we know that we need to first filter for 802.11 packets, then check for Packet Type = 0 (Management Frame) and Packet Subtype = 8 (Beacon Frame). The AP MAC can be picked up from the Address 2 / 3 field of the packet. A closer look at the Scapy class documentation for 802.11 reveals that the SSID is available in the "info" field of the Dot11Elt layer. Let's put all of this together in code:</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-nvokZHyO_MY/UVkhqILmBvI/AAAAAAAAACQ/ZKsaLu_ALac/s1600/Screen+Shot+2013-04-01+at+11.26.34+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="113" src="http://2.bp.blogspot.com/-nvokZHyO_MY/UVkhqILmBvI/AAAAAAAAACQ/ZKsaLu_ALac/s400/Screen+Shot+2013-04-01+at+11.26.34+AM.png" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b> Step 10:</b> We are almost done! Let's now write out the prototype as a standalone Python script, importing scapy as a library. </div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-ZFdmil2MG2c/UVkiTFp9m0I/AAAAAAAAACY/tzSRciFPJw8/s1600/Screen+Shot+2013-04-01+at+11.29.26+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="58" src="http://1.bp.blogspot.com/-ZFdmil2MG2c/UVkiTFp9m0I/AAAAAAAAACY/tzSRciFPJw8/s320/Screen+Shot+2013-04-01+at+11.29.26+AM.png" width="320" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Step 11:</b> Let's move the whole packet parsing logic into a separate function called PacketHandler, as shown below:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-e4biEuN59Pg/UVkilaGhwsI/AAAAAAAAACg/x5xSVHj6EgM/s1600/Screen+Shot+2013-04-01+at+11.30.09+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="78" src="http://4.bp.blogspot.com/-e4biEuN59Pg/UVkilaGhwsI/AAAAAAAAACg/x5xSVHj6EgM/s640/Screen+Shot+2013-04-01+at+11.30.09+AM.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Step 12:</b> What we really want is for the PacketHandler function to be invoked every time our code receives a new packet. Wouldn't it be great if scapy allowed us to define a callback function for every packet? :) The good news is that it does: pass the callback to sniff() using the additional "prn" argument.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-C7b5CpHyWQA/UVkj1w9A7qI/AAAAAAAAACo/PlqL4O-LkE0/s1600/Screen+Shot+2013-04-01+at+11.35.58+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="47" src="http://2.bp.blogspot.com/-C7b5CpHyWQA/UVkj1w9A7qI/AAAAAAAAACo/PlqL4O-LkE0/s320/Screen+Shot+2013-04-01+at+11.35.58+AM.png" width="320" /></a></div>
<div style="text-align: justify;">
<b>Step 13:</b> Full code view till now</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-Rn-Ym37DywY/UVkm_zhvL4I/AAAAAAAAAC4/9Efoamxgigk/s1600/Screen+Shot+2013-04-01+at+11.49.13+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="156" src="http://2.bp.blogspot.com/-Rn-Ym37DywY/UVkm_zhvL4I/AAAAAAAAAC4/9Efoamxgigk/s640/Screen+Shot+2013-04-01+at+11.49.13+AM.png" width="640" /></a></div>
<div style="text-align: justify;">
<b>Step 14:</b> Verification! Let's run the script.</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-fqkt176DMxM/UVklud1KgII/AAAAAAAAACw/8_Fd2nYQmfw/s1600/Screen+Shot+2013-04-01+at+11.43.54+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="http://2.bp.blogspot.com/-fqkt176DMxM/UVklud1KgII/AAAAAAAAACw/8_Fd2nYQmfw/s400/Screen+Shot+2013-04-01+at+11.43.54+AM.png" width="400" /></a></div>
<div style="text-align: justify;">
<b>Step 15:</b> Works great! However, there is a small problem: as every AP sends out tons of beacon frames, we end up seeing the same access point over and over again. We need to ensure that we only report new access points, so that we end up with a comprehensive list of everything in the air. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The solution is really simple - we define a list called ap_list and add new access points we discover to it (the MAC address). We only display the AP when it is first added. The modified code is below. </div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-BzKquoLVAbw/UVkbT-bAbZI/AAAAAAAAAAk/6yraZ4d-WG4/s1600/Screen+Shot+2013-04-01+at+10.58.57+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="190" src="http://3.bp.blogspot.com/-BzKquoLVAbw/UVkbT-bAbZI/AAAAAAAAAAk/6yraZ4d-WG4/s640/Screen+Shot+2013-04-01+at+10.58.57+AM.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b> Step 16:</b> Let's run this now! </div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-a9VDsNjp3SA/UVknQpwLOeI/AAAAAAAAADA/8KU1gTA1Rvg/s1600/Screen+Shot+2013-04-01+at+11.49.28+AM.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="220" src="http://1.bp.blogspot.com/-a9VDsNjp3SA/UVknQpwLOeI/AAAAAAAAADA/8KU1gTA1Rvg/s400/Screen+Shot+2013-04-01+at+11.49.28+AM.png" width="400" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
We see a couple of access points with a NULL (zero-length, i.e. hidden) SSID as well :) </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<span style="color: blue;"><b>I have this whole blog post explained as a 15 minute video on SecurityTube.net: <a href="http://www.securitytube.net/video/7262">http://www.securitytube.net/video/7262</a> This will help in case you need a more detailed explanation. </b></span></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Need more help with Wi-Fi security or Python programming? Please check out our paid courses on <a href="http://securitytube-training.com/" target="_blank">SecurityTube Training</a>. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Exercises you can try based on this code sample:</b></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
1. Print out more statistics about the Access Point such as the Channel, Rates etc. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
2. Can you detect the Clients which are connected to the Access Point? </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
3. Can you write a program to sniff all the Probe Requests made by Wi-Fi Clients? </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Full Source Code of this demo for easy copy/paste:<br />
<br />
<script src="https://gist.github.com/securitytube/5291959.js"></script>
</div>
</div>
Anonymoushttp://www.blogger.com/profile/15979331398238239887noreply@blogger.com8