EH-Net
May 18, 2013, 02:05:20 PM
Show Posts

Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Book: Metasploit: A Penetration Testers Guide (Jul, '11)
on: April 23, 2012, 11:23:01 AM

1. How do we know these aren't owned by secmaniac? Is the tipoff the fact that it's "DOMAINCONTROL.COM" as opposed to "SECMANIAC.COM"?

We know these aren't OWNED by secmaniac because of the domain: DOMAINCONTROL.com, which is a separate company altogether. You can dig out THEIR information using another whois:

whois -h whois.geektools.com domaincontrol.com

Then match up who owns those domains.

2. As before, I'm not clear on what in the printout indicates this is part of a residential range. I'm used to seeing 192.168.x.x but this one is new to me.

You're confusing things here. The IP address IS ALLOCATED for residential use. It is the PUBLIC IP address his provider assigned to him.

On a different note, I noticed that performing the same steps in BT yields different information. The different IP addresses (96.126.127.220 as opposed to 75.118.185.142) and different outputs on whois. The different IP addresses don't surprise me but the whois listing for 75.118.185.142 yields 4 lines while the current IP yields much more info. And does the book's IP listing still come up because the whois database hasn't been updated?

You assume his addresses remain the same over time. If you took a look at his domain's history, you can see he has changed it 2x since the book: http://toolbar.netcraft.com/site_report?url=http://www.secmaniac.com

Features / Book Reviews / Re: Good books on learning Linux?
on: April 23, 2012, 09:11:57 AM

What I love about Ubuntu is that there is SOOOOO much support right out of the box.

And this happens to be one of my biggest pet peeves for someone looking to learn, especially in this arena (security). The issue with "support" when learning in this environment is that the learner will learn to skip truly learning, as support is readily available. That type of reliance is a moot point when faced with making mission critical and time sensitive decisions in the real world. I think someone learning Linux should learn as much as they can by trial and error. You WILL NOT HAVE books in the field when performing penetration testing in, say, a client's environment. So the best bet is to aim to learn it as best as one can understand it on their own accord. Avoid using package managers (yum, YaST, apt-get, pkg_add) and configure things from scratch. Get used to the commands, get used to troubleshooting based on what you see. Imagine NOT being able to connect to a support forum. What then? Linux, BSD, Solaris, etc., are not difficult at all and too many people have used forums as a form of crutch. We all use forums but it's better to learn it from the ground up. Make scenarios for yourself and understand what you are doing. E.g. week one, create your own webserver. Do this without package managers. Week 2, make it a virtual hosting server (multiple domains); the following week, add email; next add, say, monitoring. And so on and so on. Get used to doing things on your own by setting up tasks. You end up familiarizing yourself with tips and tricks not often found in books, and your reliance on forums and/or books will diminish as experience grows.

Ethical Hacking Discussions and Related Certifications / Other / Fun with VoIP devices
on: April 20, 2012, 12:56:37 PM

I was bored earlier in the week and was on a conference call, so I began messing around with the web interface of one of the conference phones I have. Lo and behold, stupidity ensued: www.infiltrated.net/konftel/ Enjoy the 4 minute walkthrough. Sent the vendor a quick email, but alas it fell on deaf ears. *shrugs* If you have to ask what you can do against this in a test environment, I suggest you read the PTES and OSSTMM documentation over and over again. Title explained the gist of it though.

Ethical Hacking Discussions and Related Certifications / Malware / Re: Practical Malware Analysis - Webinar/release
on: April 15, 2012, 02:13:19 PM

You're missing the point here. SANS' exam is whatever they want it to be, not what another book places inside of it. You asked a specific question and got a specific answer. I have both books, Malware Analyst's Cookbook and Practical Malware Analysis; while there is SOME content SIMILAR to what is on the GREM exam, the questions on the GREM exam are SPECIFIC to what is in SANS' content, NOT the two other books. Can you pass it with just those two books? NO. Does this mean you can't learn from those books? NO. You WILL learn from those books but it will NOT be enough to do the GREM exam, especially when during GREM training they use CONCEPTS, applications and approaches that differ from what is covered in those two books.

Ethical Hacking Discussions and Related Certifications / Malware / Re: Practical Malware Analysis - Webinar/release
on: April 15, 2012, 08:28:55 AM

It's better to get the content from SANS since questions can be centered around what you saw/learned in the course, not the Practical Malware Analysis book. There are quite a few tools covered in SANS that are not even mentioned in the Practical book. I have the Practical book and while it's ok, there are certain subjects that are covered in depth during the course (SANS) but only brushed up on in the Practical book.

Ethical Hacking Discussions and Related Certifications / General Certification / Re: OSCP and Pentesting 101
on: April 11, 2012, 09:51:04 AM

By the way, the reasoning for the mixture of awk, perl and ruby in my example is to get you guys to see other variations across different languages. Improvisation.

I knew I was setting myself to get schooled, yet I posted anyway...

Nah, no way, not schooling at all, offering the same in an alternative form. I don't really use oA at all with nmap; here is how I would do it if using nmap with your one liners, based off the crap in my office:

[root@kenji ~]# nmap -sS -O --version-intensity 7 -sV -p `awk '$3 >= .25{print}' /usr/local/share/nmap/nmap-services |\
awk -F "/" '!/^#/{print $1}' |\
awk '{print $2}'|\
perl -p -e 's:\n:,:g'|\
ruby -pe 'gsub(/,$/, "")'` 10.4.4.1,55,72 |awk '!/closed|filtered/'

Starting Nmap 5.61TEST5 ( http://nmap.org ) at 2012-04-11 10:49 EDT
Nmap scan report for 10.4.4.1
Host is up (0.00041s latency).
PORT   STATE SERVICE VERSION
MAC Address: 00:16:76:2F:A1:6E (Intel)
Device type: firewall|general purpose
Running: Genua OpenBSD 4.X, OpenBSD 4.X|5.X
OS CPE: cpe:/o:genua:openbsd:4 cpe:/o:openbsd:openbsd:4.1 cpe:/o:openbsd:openbsd:5
OS details: Genua GeNUGate Firewall 7.0 (OpenBSD 4.6), OpenBSD 4.1, OpenBSD 4.1 (x86), OpenBSD 4.1 - 4.3, OpenBSD 4.3, OpenBSD 4.5, OpenBSD 5.0 GENERIC
Network Distance: 1 hop

Nmap scan report for 10.4.4.55
Host is up (0.00018s latency).
PORT    STATE SERVICE     VERSION
80/tcp  open  http        Apache httpd 2.2.10 ((Linux/SUSE))
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: SHISEI)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6
OS details: Linux 2.6.13 - 2.6.32
Network Distance: 1 hop

Nmap scan report for kenji.infiltrated.net (10.4.4.72)
Host is up (0.000017s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.2.22 ((FreeBSD) PHP/5.3.10 with Suhosin-Patch mod_ssl/2.2.22 OpenSSL/0.9.8q DAV/2)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.61TEST5%E=4%D=4/11%OT=80%CT=123%CU=35801%PV=Y%DS=0%DC=L%G=Y%TM=
OS:4F859A3E%P=i386-portbld-freebsd9.0)SEQ(SP=101%GCD=2%ISR=10C%TI=I%CI=I%TS
OS:=21)OPS(O1=M5B4NW6ST11%O2=M578NW6ST11%O3=M280NW6NNT11%O4=M3FD8NW6ST11%O5
OS:=M218NW6ST11%O6=M109ST11)WIN(W1=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=
OS:FFFF)ECN(R=Y%DF=Y%T=41%W=FFFF%O=M5B4NW6SLL%CC=N%Q=)T1(R=Y%DF=Y%T=41%S=O%
OS:A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=41%W=FFFF%S=O%A=S+%F=AS%O=M109NW6
OS:ST11%RD=0%Q=)T4(R=Y%DF=Y%T=41%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=4
OS:1%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=41%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T7(R=Y%DF=Y%T=41%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=41%IPL=38%
OS:UN=0%RIPL=G%RID=G%RIPCK=Z%RUCK=G%RUD=G)IE(R=Y%DFI=S%T=41%CD=S)
Network Distance: 0 hops

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 3 IP addresses (3 hosts up) scanned in 39.06 seconds
[root@kenji ~]#

My scans tend to stay in SYN land and I always (without fail) go deep in versioning when possible.

Ethical Hacking Discussions and Related Certifications / General Certification / Re: OSCP and Pentesting 101
on: April 11, 2012, 09:29:04 AM

sort -r -k3 /usr/local/share/nmap/nmap-services | grep $3 | grep -v ^# | sed -n "$1,$2p" | cut -d"/" -f1 | cut -f2 | tr "\n" "," | sed s/.$//

Would never work in BSD or Solaris.

awk '$3 >= .25{print}' /usr/local/share/nmap/nmap-services |\
awk -F "/" '!/^#/{print $1}' |\
awk '{print $2}'|\
perl -p -e 's:\n:,:g'|\
ruby -pe 'gsub(/,$/, "")'

In action via FreeBSD:

# nmap -p `awk '$3 >= .25{print}' /usr/local/share/nmap/nmap-services |\
awk -F "/" '!/^#/{print $1}' |\
awk '{print $2}'|\
perl -p -e 's:\n:,:g'|\
ruby -pe 'gsub(/,$/, "")'` 10.4.4.72

Starting Nmap 5.61TEST5 ( http://nmap.org ) at 2012-04-11 10:29 EDT
Nmap scan report for kenji.infiltrated.net (10.4.4.72)
Host is up (0.000018s latency).
PORT     STATE  SERVICE
80/tcp   open   http
123/tcp  closed ntp
137/tcp  closed netbios-ns
138/tcp  closed netbios-dgm
161/tcp  closed snmp
445/tcp  closed microsoft-ds
631/tcp  closed ipp
1434/tcp closed ms-sql-m

Nmap done: 1 IP address (1 host up) scanned in 2.29 seconds
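The port-list step from this post and the fuller -sS -O reply above, written as a single awk program so it needs no perl or ruby and runs unchanged on Linux, BSD and Solaris. This is an added example, not code from the thread; it goes one step further than the pipeline above by filtering on the protocol in field 2 (so UDP-only services such as 137 and 161 are not handed to a TCP scan) and by dropping duplicate port numbers. The nmap-services excerpt and its frequencies are constructed, and top_ports is my own function name.

```shell
#!/bin/sh
# Added example, not from the original thread: build an nmap -p list from
# nmap-services with awk alone. Field 3 of nmap-services is the open-frequency
# the thread thresholds at .25; field 2 is "port/protocol".
#
# top_ports <nmap-services file> <minimum frequency> <tcp|udp|any>
top_ports() {
    awk -v min="$2" -v proto="$3" '
        /^#/ || NF < 3 { next }                    # comments and blank lines
        {
            split($2, pp, "/")                     # "80/tcp" -> pp[1]=80 pp[2]=tcp
            if (proto != "any" && pp[2] != proto) next
            if (($3 + 0) < min) next               # below the frequency threshold
            if (!(pp[1] in seen)) {                # keep the first sighting only
                seen[pp[1]] = 1
                out = (out == "") ? pp[1] : (out "," pp[1])
            }
        }
        END { print out }' "$1"
}

# Constructed excerpt in nmap-services format (frequencies are made up).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# Fields: service-name  port/protocol  open-frequency  # comment
http        80/tcp   0.484143  # World Wide Web HTTP
snmp        161/udp  0.433467  # Simple Net Mgmt Proto
https       443/tcp  0.208669  # secure http
ssh         22/tcp   0.182286  # Secure Shell
netbios-ns  137/udp  0.365163  # NETBIOS Name Service
ntp         123/udp  0.330879  # Network Time Protocol
ntp         123/tcp  0.260000  # Network Time Protocol
EOF

# Same threshold the thread uses, but only TCP ports for a -sS scan:
top_ports "$SAMPLE" 0.25 tcp          # 80,123
# The thread's unfiltered behaviour (tcp and udp mixed, duplicates removed):
top_ports "$SAMPLE" 0.25 any          # 80,161,137,123
# Typical use against the real file:
#   nmap -sS -p "$(top_ports /usr/local/share/nmap/nmap-services 0.25 tcp)" 10.4.4.72
```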

Ethical Hacking Discussions and Related Certifications / General Certification / Re: OSCP and Pentesting 101
on: April 11, 2012, 07:48:41 AM

Some are, some aren't. Scripting is nothing more than running successive commands. For example, I need to check if there is a shadow or master.passwd file on this machine, and if so, since I may not have privileges to copy or view it, let me see who in the sudoers group may have access to do what I need done (this helps since I can also attack that account as opposed to targeting root) and also who from the passwd file may have privs:

# more ehnet-scripting-example
if [ -e /etc/shadow ]
then
    cp /etc/shadow /tmp
else
    if [ -e /etc/master.passwd ]
    then
        printf "must be a BSD machine\nFinding out who has sudo privs\n"
        awk '!/#/ && !/\n/' /usr/local/etc/sudoers | sort -u
        grep ":0:" /etc/passwd
    fi
fi

# sh ehnet-scripting-example
must be a BSD machine
Finding out who has sudo privs
%wheel ALL=(ALL) NOPASSWD: ALL
root ALL=(ALL) ALL
root:*:0:0:Charlie &:/root:/usr/local/bin/bash
toor:*:0:0:Bourne-again Superuser:/root:
sil:*:1001:0:sil:/home/sil:/bin/sh

As explained, scripting is nothing more than successive commands. I would run something like this as it gives me more targets to aim for as opposed to aiming for the holy grail. I wouldn't need to, as I can also target the account "sil" who is in group wheel, who has sudo privs without a password.
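The audit-side counterpart of the script above, as an added example that is not from the thread: it reads passwd, group and sudoers by field rather than grepping for ":0:", so an account whose GID is 0 (as sil's is above) is reported separately from one whose UID is 0, and a sudoers %group rule is expanded to the accounts that actually inherit it. The three input files are constructed samples modelled on the output above; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: a read-only privilege audit over
# passwd, group and sudoers, parsed by field. A grep for ":0:" matches both
# UID 0 and GID 0; here they are reported as separate columns.
# All three inputs are constructed samples modelled on the thread's output.

# Print "user uid gid" for every account whose UID or GID is 0.
superuser_accounts() {
    awk -F: '!/^#/ && NF >= 4 && ($3 == 0 || $4 == 0) { print $1, $3, $4 }' "$1"
}

# Print sudoers rules that grant NOPASSWD, skipping comments and blank lines.
nopasswd_rules() {
    awk '!/^[ \t]*#/ && NF > 0 && /NOPASSWD/' "$1"
}

# Accounts covered by a %group rule: explicit members in the group file plus
# accounts whose primary GID is that group. Sorted so the order is stable.
group_members() {   # $1=group name  $2=group file  $3=passwd file
    awk -F: -v g="$1" '
        NR == FNR { if ($1 == g) { found = 1; gid = $3
                                   n = split($4, m, ",")
                                   for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1 }
                    next }
        found && $4 == gid { seen[$1] = 1 }
        END { for (u in seen) print u }' "$2" "$3" | sort
}

PASSWD=$(mktemp); GROUP=$(mktemp); SUDOERS=$(mktemp)
trap 'rm -f "$PASSWD" "$GROUP" "$SUDOERS"' EXIT
cat > "$PASSWD" <<'EOF'
root:*:0:0:Charlie &:/root:/usr/local/bin/bash
toor:*:0:0:Bourne-again Superuser:/root:
sil:*:1001:0:sil:/home/sil:/bin/sh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
EOF
cat > "$GROUP" <<'EOF'
wheel:*:0:root
www:*:80:
EOF
cat > "$SUDOERS" <<'EOF'
# constructed sudoers sample
%wheel ALL=(ALL) NOPASSWD: ALL
root ALL=(ALL) ALL
EOF
echo "== accounts with UID 0 or GID 0 =="; superuser_accounts "$PASSWD"
echo "== sudo rules that need no password =="; nopasswd_rules "$SUDOERS"
echo "== accounts that inherit the %wheel rule =="; group_members wheel "$GROUP" "$PASSWD"
```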

Resources / Career Central / Re: Feeling rejected and dont know what to do.
on: April 11, 2012, 07:32:06 AM

Name one individual in this world who as a child growing up didn't fall on their ass. When you can find this person in history then come back and let me know who it is, because I'd be skeptical about their story. Everyone goes through their ups and downs. It's what helps us learn and progress. I have been through those ups and downs and they're tough, but that's when you put on your thinking cap. There are plenty of companies in this world and I think you are isolating yourself based on geographic location when the reality is, you could hit up sites like e-lance.com (read this review: http://www.techerator.com/2011/03/how-to-make-money-online-elance-com/) and others. Your first goal is obviously to pay the bills. For this you WILL HAVE to either settle for what you can get, or position yourself differently (move to another town, etc). If you feel that strongly about security, don't give it up; however, knowledge and training aren't going to fall into your lap. You need to learn more, whether it is technical, social, and so forth. Try writing an honest email to your old company to the tune of:

Dear XBoss, I sincerely appreciate having worked in BusinessX and I am searching for methods to improve myself. I would sincerely and honestly appreciate any feedback you may have for things I could have done better.

It's all about progression, and sitting around thinking about yesterday's spilled milk isn't going to do anything but waste time that could be better spent learning and/or looking for something else.

Ethical Hacking Discussions and Related Certifications / General Certification / Re: OSCP and Pentesting 101
on: April 10, 2012, 03:23:14 PM

Quick question - I've read several OSCP reviews where the person states something to the effect: "I would have cracked that first box in half the time had I not [made a programming error]."
This confuses me. Are the programs you create for the test the kind where you don't get any feedback (i.e. find out you made a mistake) until they're finished running?

If you're writing your own tool, it's up to you to direct how the output appears to you. Think about that for a moment... YOU are the one writing the program; what is it you want your program to do? How should it connect, what should it do when it connects, what should it do if successful, if it fails?

Ethical Hacking Discussions and Related Certifications / General Certification / Re: OSCP and Pentesting 101
on: April 10, 2012, 01:07:30 PM

This is a great post. Last night I was enumerating users in an SMTP service; during that time I was thinking how can I increase the performance or do something else with this? and I remembered your post.

Another thing I do to cut time is distributed password cracking. I fortunately have access to quite a few machines. What I do is parse out my word lists and split them between machines. For example:

[root@kenji ~/WORDLISTS]# wc -l MEGALIST.txt
472567089 MEGALIST.txt

I will split this into about 16 files, and send them to 8 different machines. Since they're sorted alphanumerically, it becomes a divide and conquer. Whereas if I had one machine starting at, say, A, it would take N amount of time to reach Z. If each file consisted of, say, 3.5 of the alphabet, my time is shortened. (File 1 = A - Ch, File 2 = Ch - Fa, File 3....). My wordlists are created using a buckload of words, iterations on those words, and contain the MD5 and SHA1's of each instance. So I can just grep a word or a hash and see one another:

[root@kenji ~/WORDLISTS]# grep 1361067 MHASHED.txt
1361067 db402c6afef2cbe85da35ebe4e40cba3
[root@kenji ~/WORDLISTS]# grep d3d0472e95296db8d01e401e7d8206d6 MHASHED.txt
123098 d3d0472e95296db8d01e401e7d8206d6

Rather than wait until the last second, these are little things anyone can lay out beforehand. Before I even go the cracking route though, I will try out some stuff online so I waste even less time: http://www.md5decrypter.co.uk/