jolenzy's blog

Google, Blogger, Adsense, Analytics, ...

2009-03-08T23:29:00.002+01:00

Hey! These days I'm terible busy, so I won't start writing about Man in the Middle as I wanted. I will talk about man in the middle attack pretty much in the future. These days I'm exploring new type of Man in the Middle attacks, called active MitM. Very powerfull, and I will write about this, as soon as I find some time to play a little with this kind of attack.

Until then, I want to share with you one of my thoughts. It's about Google.

As I read a lot of blogs, couple days ago, I read something about Google and some google services, and this question just came to my mind.

Can you even imagine how much things Google knows about YOU?

Did you ever think about that?

Let me help you. Google knows things like:

- Eveything you search via Google

- Your real name, address, bank account, credit card number with Adsense service

- Everything about your mail, including content, sent items, contacts,....

- All informations about you, list of friends, interests,... via Orkut

- Which pictures have you been looking for, every photo you have uploaded to Picasa

- Subject of your site, what kind of users visits your pages, how many minutes they spend on page, their geographical location, IP adress and a lot more... via Adsense, Analytics

- Everything you have written to your blog via Blogger, every blog that you have visited, every your comment...

- Strategy, composition, aims and problems in company, where are APPS being used... via Apps

and a lot more information...

scary?

No need to be. Our secrets are safe with Google. For now. :)

Think about it.

Nmap Tips & Tricks

2009-03-02T19:15:00.002+01:00

Here is something usefull about Nmap...

Using the -iL command is easy way to specify host addresses in a file. For ports, the fast scan option, with a -F, provides a similar function.
Since port numbers will need to be scanned often and usually don’t change, the fast scan looks to the nmap-services file to get its list of ports to scan.
But, you need to know that the default nmap-services file contains over 2000 UDP and TCP port numbers! Yes, a lot! But, if you change this file, you can create a customized scan that will only identify the ports you specify.

Very good idea is to keep many different files handy for different situations. For example, you may want to keep a customized file that has a list of the port numbers that you’d never want to see open on your network.
Or list of some famous trojan/spyware/malware ports, or whatever else...

When you decide which of your files you will use, simply rename your file to nmap-services, use the fast scan option, and you’ll instantly have a customized Nmap scan that can hunt down the ones you want.
When you’re done with scaning, you can restore the original Nmap-services file and you’re back to normal.
So simple, and so usefull!

The nmap-services support file is found in the default nmap directory.

I've created my own nmap-services file in my home directory, and to start your hunting scan, do:

[jolenzy@bt3 ~]# nmap -F 192.168.0.1/24 --datadir .

Nmap fast scan use the --datadir option that points to our current directory in example above. This means that Nmap will look in the local directory for all of it's support files, including our customized nmap-services file.

This certainly makes the scan go much faster because we've cut down the total number of ports scanned per device. The --datadir parameter and a customized nmap-services support file makes all the difference!

Windows Registry Backdoor

2009-02-26T23:47:00.003+01:00

I'm working on some kind of malware for Windows systems(for testing purposes of course :) ) for some time, and since I'm very busy with all the things I'm doing at the moment, this little application won't be finished soon.

But in the last days I was coding something about startup, and I've remembered one way of hidden startup that is not so popular or known. And the strange thing is that Microsoft is not fixing this bug for a long time.

What is it all about?

Windows Registry Editor for 2k and XP systems has a design flaw that alows to hide registry information from viewing or editing. And the best thing is that this exploitation also includes even users with administrative access.

Easiest way to exploit this bug is to:

1. Create a new string value in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with Registry editor(Regedit32.exe)

2. Fill the name of the key with some string of 258 characters

3. Create one more string value, and type some name(of you program), and for data insert the path to your program.

4. Now press F5 to refresh it, and voila :) the key disappeared!

5. Restart the system, and your program will be executed.

Simple as that... :)

Bug in mt:s??? :)

2009-02-21T10:46:00.005+01:00

For last two days I had some free time, and accidentally I found something very interesting in serbian mobile network mt:s.

If you call your own number, you'll see a "number busy" like message. Ok, that normal. :)

But, for a couple of minutes, you will receive an SMS from mt:s that you had a missed call.
And from who? Yes, your own number! :)

And that's not all. After that, you will receive another SMS from mt:s that the number you called(your own number) is now available! :)

Funny...

Shell tips & tricks

2009-02-17T22:06:00.002+01:00

I think I need to mention some more usefull shell commands, so here they are:

# uptime //everybody knows this (shows how long the system has been running)

# man hier //description of the file system hierarchy

# dmesg // detected hardware and boot messages

# lsdev // information about installed hardware

# cat /proc/cpuinfo //cpu info

# cat /proc/meminfo //memory info

# free -m // used and free memory in MB

# cat /proc/devices //configured devices

# cat /proc/net/dev //shows network adapters and statistics

# lshal // shows a list of all devices with their properties

# top //nice display and update of top cpu processes

# tail -n 500 /var/log/messages //last 500 kernel/syslog messages

# tail /var/log/warn //system warning messages

# sysctl -a //view all system limits

# sysctl fs.file-max //view max open files limit

# sysctl kern.ipc.numopensockets //how many open sockets are in use

# ps -auxefw // nice display of all running processes

# fuser -va 22/tcp //list processes using port 22

# tar c dir/ | gzip | ssh user@remote 'dd of=dir.tgz' // arch dir/ and store remotely.

enjoy and see you soon...

Back to road!

2009-02-12T21:03:00.006+01:00

I was thinking about the path of my blog, and changed my decision for now. I realized that it's not my point to teach about penetration testing, and I need to write more actual stuff.

So, in the future, I won't continue to write about steps in penetration testing, and some global points of ethical hacking.
I'm going to write about real things, situations, scenarios etc. So stay tuned!

So, here are some very usefull commands and tips in everyday Linux use.

Configuring additional IP addresses:
# ifconfig eth0 10.4.0.1 netmask 255.255.0.0
# ifconfig eth0:0 10.4.0.2 netmask 255.255.0.0

Changing MAC address:
# ifconfig eth0 hw ether 00:11:22:33:44:55

Adding and deleting a route:
# route add 210.110.0.0/16 192.168.10.10
# route delete 210.110.0.0/16
# route add default 192.168.10.10

To see open ports:
# netstat -an | grep LISTEN //displays all Internet connections
# lsof -i //displays list of open sockets
# netstat -tup //displays list of active connections to and from system
# netstat -tupl // displays list of listening ports from system

IP forward for routing(pay attention on this :) )
# cat /proc/sys/net/ipv4/ip_forward // to chek IP forwarding -> 0=off, 1=on
# echo 1 > /proc/sys/net/ipv4/ip_forward //turning IP forwarding on

Print routing table:
# route -n

Add route permanently:
# static_routes="someroute"
# route_someroute="-net 210.110.0.0/16 192.168.10.10"

Firewall stuff:
# iptables -L -n -v // for status
# iptables -P INPUT ACCEPT //open everything
# iptables -X //delete all chains
# iptables -F // flush all chains

That's it for now. Ciao!

BackTrack 4

2009-02-10T16:29:00.005+01:00

Hey!
Something interesting is happening these days... BackTrack 4 Beta is going to be released every moment!

I'm waiting for a release, and I'll try it as soon as I find some free time these days...

More info you can find at http://backtrack4.blogspot.com

And here is the manual for installing: http://www.offensive-security.com/documentation/bt4install.pdf

See you soon...

Active Information Gathering - Part 2

2009-01-22T23:07:00.004+01:00

Here we are, in a new year, with new motivation! Hello to everybody!
I'm going to say something more about active information gathering, and the next topic will be about scanning and footprinting. Sound interesting? Well, it is! :)

Very nice tool I want to mention is DIG, or Domain Information Gopher. It's a command line tool, and it's similar to NSLookup, but there are some advantages of course. It's much easier to find name servers for a domain, than using NSLookup, but you should know that DIG can generate traceable network traffic! Very easy to use, you have to try DIG.

There are a lot of free and commercial applications in this purpose, and I thought that it would be good to talk about them also, but I changed my mind. That's why this post is so short.
You are free to try, Google will tell you where you can find them :)

As I said, more interesting things coming! Stay tuned...

Active Information Gathering

2008-12-10T17:06:00.006+01:00

Hello again! I'm pretty late with this post, but I am very busy all this time, so there wasn't time for my blogging... Now I'm back :)

Next thing I'm going to talk about is active information gathering.
So, what is it? What is the difference from passive information gahtering?
The difference is that now we are going to make some contact with our target. Let see how it looks like...

We are going to begin with Ping. I suppose that everyone sometimes heard for ping command.
Well, that is very useful command to find active machines on the network. Ping command sends an Internet Control Message Protocol (ICMP) ECHO_REQUEST to obtain an ICMP_ECHO_RESPONSE from a host. I'm not going to talk more about this command, it's very simple, has several options and it's very easy to use.
So, we use ping to see if our target is up.

Next very useful command is tracert(traceroute in windows os).
Tracert command attempts to trace the route an IP packet follows to an Internet host by launching UDP probe packets with a small maximum time-to-live, then listening for a ICMP_TIME_EXCEEDED from gateways along the route.
It's very easy to use, has several options, so enough about it.

Next command I'm going to mention is NSLookup.
NSLookup command queries the Internet domain name servers in two modes. Interactive mode alows you to query the name servers for informations such as hosts and domains, or to print a list of hosts in some domain, while in the non-interactive mode the names and requested information are printed for a specified host or domain.
You can enter the interactive mode when you type just nslookup without any arguments, or when the first argument is - (minus sign) and the second argument is the host name or Internet address of a name server. The nslookup command executes in non-interactive mode when the first argument is the name of Internet address of the host that we are searching for.
Very useful, and simple to use.

Next command is Finger. The finger command is used to gahter and locate user information on our target system. The finger provides a list of all the users who are logged at the system in that time. By default, finger lists the login name, full name, the host and the terminal name, write status, idle time, login time, login location, and all that for each user.
One more, very simple to use, and can be pretty useful in information gathering.

Ok, this is it for now. In next post I'm going to continue about active information gahtering, and I'll explain some more advanced technics and tools for that purpose.
It's getting more and more interesting... so, stay tuned...

Information gathering

2008-09-25T22:07:00.003+02:00

Information gahtering is generally divided into two categories, passive information gathering and active information gathering.
Passive information gathering can be defined as collecting information without making any active connections, like port scans, ... For this purpose, we can use search engines, on-line scanners and Internet archives, like Usenet, web page cashes,...

So, what is the most powerfull tool for this? I guess you know the answer... Google!
Beside Google, there are some more search engines that can be very usufull, like:

teoma.com
excite.com
metacrawler.com

Back to Google. Google has many advanced features, like operators, which can help us in finding informations.
You can see operators here: http://www.google.com/help/operators.html

We should not forget to search newsgroups, p2p networks, job and spam databases, b2b portals...
or to check whois database information or query dns information online.
All of this sources can yield useful information about our target.
Imagine a question on newsgroups like: "New patch for my apache version 2.0.59 is not working, can someone help?". You see your way here... :)
Or from job databases, you can see what your target(organization/company) requires from system administrator,... or something like that... and you got the picture slowly... :)

Another excellent resource is netcraft.com, which gives a lot of information about a given domain and much
more. Check it out...

That's it for now about passive information gathering...

Penetration Testing

2008-09-08T14:21:00.003+02:00

First of all, what is penetration testing?

It's a process of establishing weaknesses in a computer infrastructure or network. A team of specialists uses real-world hacking techniques to exploit targeted system or network. This process is also known as Vulnerability Assessment or Ethical Hacking.

There are two main approaches of a comprehensive penetration test, black-box testing and white-box testing. Black-box testing is conducting a test with no prior knowledge of the infrastructure, while white-box testing is conducting a test with a complete knowledge of the network infrastructure.

Steps in penetration testing should be:
1. Information Gathering - gathering maximum information on the remote host/organization
2. Fingerprinting/Footprinting - getting detailed information on remote host

3. Newtork Surveying - combination of data collection, information gathering, and policy control

4. Services Identification - port scanning, finding vulnerable services
5. Evading Firewall Rules - firewall evasion techniques are used to bypass firewall rules
6. Vulnerability Scanning - identifying, understanding and verifying the weaknesses, misconfigurations and vulnerabilities associated with remote host
7. Exploiting Services - the weaknesses found in the remote services are exploited
8. Password Cracking - validating password strength
9. Denial of Service Testing - denial of service attacks
10. Escalation of Privileges - elevation id privileges is the type of rights the attacker gains over the remote system

Of course, some steps can have different order, some of steps are not so imortant as others, but it all depends of situation and system we are testing.
I'm going to write a lot about every step, you just keep visiting and reading :)

Shall we...?

2008-07-30T14:35:00.005+02:00

Well, I can say that I'm satisfied with BT3... But, if you wanna become good penetration tester, security expert,... good tools are just not enough! Good knowledge of theory is not enough! Everything is about practice and experience in this world...
So, from now on, I'm going to write about penetration testing process, all kind of methods and technics included in penetration testing process, etc.

At the moment, I'm occupied with experimenting about some new possibilities of Man In The Middle attacks and some new ideas I have...

BT3

2008-07-19T15:45:00.004+02:00

I have installed BackTrack 3 yesterday on my USB flash disc, and I can say it's working great!
New things are:
- there is no installer
- Snort - Auto installs, has snortsam patches, can act as an IDS.
- Karma-msf scripts - evilap.sh
- Compiz in USB release
- Several featured tools by SV - spoonwep, ezpwn, etc.
- VMware Edition installed originally on VMware Server 1.0.6 - VMWare tools installed
- Orinoco drivers excluded
- Broadcom cards inject well now
- etc...

I will play with it in the next several days...

Welcome

2008-07-07T12:11:00.002+02:00

Hey :)

Well, for this first post, I won't write nothing special... This is something like an intro...

So, what every penetration tester must have in his "tool colection"? It's definitively Backtrack OS! You can find it at: http://www.remote-exploit.org/backtrack.html

See you soon...