Category Archives: Penetration Testing

Raspberry Pi Toybox – The bits …


English: The Castel Sant’Angelo looms in the background from a bridge overlooking the Tiber River in Rome, Italy. (Photo credit: Wikipedia)

Well, it has all arrived ( Thank You Amazon ! ) and so here, without further ado, are the components:

I haven’t photographed them properly yet – [ I haven’t assembled them properly yet ! ] – but this is a rough look:*

[ Photo: DSC_0606_edited-1 ]

The only things that I’m using other than the above are:

  • A Laptop1 with an SD Card Reader ( LINDY 46-in-1 PCMCIA Card Reader )
  • A keyboard and mouse (USB)
  • A monitor with an HDMI input
  • Elgato Game Capture HD ( See here for more information on this )
  • An 8GB Thinking Security USB Memory Stick
  • A 16GB SD card of one sort or another that I had lying around …

I’m planning on using the Fedora 17 Remix – at least to start with – it shouldn’t be a problem to obtain / compile pretty much anything to run on it ( famous last words those ! ), so it seems like a reasonable way forward.

I’ve been a long-time RedHat / Fedora fan – it was my first Linux back in the day ( when RedHat was still free … I don’t recall exactly, but probably RedHat 2.0 ) – I had it installed on my Pentium at University and used it, with a 14400 modem, to avoid the Edinburgh weather instead of having to go to the AI and CS labs for assignments … Sigh … The good old days …

Getting it onto the card is pretty straightforward: once you have your uncompressed image, use Win32ImageWriter to write it to the card.2 This worked just fine, and booted up beautifully.

For screenshots & video of the Pi, I’m using the Elgato Game Capture HD ( see above ) – this works brilliantly, it has a USB connection to my laptop, an HDMI from the Pi and an HDMI to the monitor. It introduces no lag on the monitor side, but quite neatly captures – in full HD – the image on the way through. It’s a very neat way of getting screenshots off the Pi, which otherwise would prove a little troublesome. I’ve attached the video of the first boot ( and setup configuration ) below – more information and details will follow in due course !


*. The astute and keen-eyed amongst you may have noticed that in this picture the two USB WiFi devices aren’t showing – that’s because they are currently in my Ubuntu PenTest laptop running aircrack-ng as a proof of concept for this project …

1. We’ve had some laptop issues at home, my other half’s MacBook Pro croaked – and seeing as I have an issued laptop from my current client, and she doesn’t – she’s taken my MacBook Pro with her SSD. I’ve spent the last few weeks turning an old Lenovo T61 into a usable computer again. First off – out with the old spinny platters and in with an SSD for the primary HD. Doubled the RAM again ( past the quoted manufacturer maximum ) to 8GB and got rid of the CD-RW drive ( never used it anyway ) and replaced it with a 750GB hybrid disk to hold my VM images, oh and, missing my screen real estate from my 17″ MBP I also acquired a portable Lenovo second screen – I really don’t know why I’ve not seen these around more – they are brilliant ! I’m not sure that I couldn’t have bought another laptop for the cost of all the upgrades, but – it was fun to do, and there is something quite stylish about the older Lenovos – that IBM feel still I think !3

2. Be prepared, this is a definite “cup of tea” part of the process. In my case: unload and load the dishwasher, make and drink a cup of tea, have a chat with my Brother-in-Law on the phone, get a high score on Temple Run 2 and, finally, just to be sure, go and get the kids from school. But hey, it finished ! ( In all seriousness, I was getting about 1MB per second for 3GB – that’s about 50 minutes )

3. Slight update on the laptop front, picked up a sale Acer Aspire i3, 6GB RAM, 500GB HD which is currently running Ubuntu. Neat little bit of kit … Dirt cheap too !


Raspberry Pi Toybox


Roman depiction of the Tiber as a river-god (Tiberinus) with cornucopia at the Campidoglio, Rome. (Photo credit: Wikipedia)

I must admit a certain love for the Raspberry Pi – we have two in the house just now – one which was doing service as an XBMC box onto the TV ( something it was OK at, but not great – now replaced by a PS3, which just works better and I can play BioShock1 on it too ) and a second which was left by Santa in order to take up a role as a Python training device for the smaller members of the household ( although, having discovered yesterday Raspberry Pi Assembly Language Beginners: Hands On Guide: 1 and RISC OS for Pi2 they may well find themselves learning Assembly instead ). With the retirement of the first Pi from media player duties though, I’ve started to contemplate what it might become – it doesn’t pack a huge amount of punch, but for all of that, it’s small, light and exceedingly power efficient – so much so that it is feasible to run it from batteries.

A few years ago I went through a similar Mini-ITX phase, building a small footprint machine which ran very serviceably ( and the components still do I believe –  they were carved up for an Arcade project which is still uncompleted [ although the controller with two good arcade joysticks and some good buttons to thump was running very nicely over USB with MAME and Gauntlet !  Anyhoo, I digress more than usual ] ) at the time I was frequenting the rather good Mini-ITX.com and enjoying their project pages ( sadly no longer updated much – they used to be fun … )  – they had a link to “The Janus Project” – a self-contained wireless security test rig in a Pelican case.

Now I always liked this idea; I didn’t have the money or the time, but I thought it was cool. Well, time and technology wait for no man, and since then we have had much in the way of efficiency and miniaturisation, not to mention some much more refined ways of cracking WiFi. To this end, I intend to build a mini-Janus, a son of Janus – “The Tiberinus3 Project” if you will.

Given that time has moved on so much though, I find that I have an opportunity to work on a smaller scale, and to be portable … So to that end, I have started to assemble the parts – to wit :

  • 1 x Raspberry Pi, OS & SD Card
  • 1 x Power Source ( 12000mAH battery pack )
  • 1 x GPS doohickey
  • 2 x WiFi doohickeys
  • 1 x 3G Modem
  • 1 x Waterproof Case
  • 1 x USB Hub

The idea is to contain all of the above in a box which will be self contained for a period ( 12000mAh – not sure, but I reckon in excess of 8 hours runtime, although that will depend on the peripherals … ) and to be fairly autonomous in the collection of data – e.g. while it is on, it will constantly seek out WiFi sources. This device can then be left comfortably on client site for a period to perform an unobtrusive wireless audit as part of a PenTest. There are currently two WiFi dongles on the list, quite simply one to scan and one to manage, although, depending on the power consumption, it may be possible to run more than two through a powered USB hub, or to run two in scanning mode and leave management out of the issue, or possibly even use the 3G Modem over USB to provide management, and use two to scan … All an experimental theory at the moment !

Obviously, you should try this at home – what’s the point in writing it up otherwise – but remember the various legal requirements surrounding ( in the UK4 at least ) the Computer Misuse Act – you shouldn’t make use of anyone’s computer systems without their prior authorisation.

Parts are on order, and I’ll update as things assemble ! ( For the record though, I’ve been looking at doing some of the development work on the QEMU Pi Emulator … Not sure how that’s going to pan out either … )


1.  A game I _really_ enjoy, although, like most games – I suck. I’ve also been infuriated by the constant delays surrounding BioShock Infinite which has switched from a birthday present to a Christmas present and back again since it was supposed to be released …

2. My Junior School had just switched to Archimedes computers when I left; the Senior was RM IBM clones. I actually never really got to play with them properly, although they always held a certain fascination – I’ve eyed up various 2nd hand bits of kit in the Vintage section of E-Bay, and have even bid, but never to a winning outcome – the port to Pi has got me all of a flutter !

3. “One tradition states that he came from Thessaly and that he was welcomed by Camese in Latium, where they shared a kingdom. They married and had several children, among which the river god Tiberinus (after whom the river Tiber is named).” – Encyclopaedia Mythica – I would so love to claim I knew that, but it was Google.

4. Other countries are available, and I could even recommend one or two as being nice places to go. However, make sure that what you are doing is acceptable under your local jurisdiction – fines, prison or worse awaits those who overstep the mark.



VirtualBox Install on Mac OS X

I thought that I’d give this a go – this is a very short run through of an install of VirtualBox on Mac OS X. Comments on production issues are very welcome, I’d like to improve these to the point of getting them useable !

Thanks !



NWrap Version 0.05 – NMap Wrapper with OPRP Database Dump



sshnuke hack in Matrix II 03 (Photo credit: guccio@文房具社)


Just a quick post. A few years ago ( in 2004 ! ) I wrote a Perl wrapper on behalf of ISECOM for NMap that incorporates the data from the Open Protocol Resource Database (OPRP). It was featured in Professional Pen Testing for Web Applications by Andres Andreu, which was nice. However, it hasn’t been updated since then, and the ISECOM page has some issues with the OPRP download. I just thought I would (a) check that it still works and (b) bring it up to date if it doesn’t … Here, first, a quick example of it running ( first without, and then with NWrap ):


[root@perl ~]# nmap localhost
Starting Nmap 5.50 ( http://nmap.org ) at 2012-07-17 17:50 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000018s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp open ssh
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
[root@perl ~]# ./nwrap.pl localhost
#########################################
# nwrap.pl - Nmap and OPRP combined !   #
# (C) Simon Biles TS Ltd. '04           #
# http://www.isecom.org                 #
# http://www.thinking-security.co.uk    #
#########################################

Starting Nmap 5.50 ( http://nmap.org ) at 2012-07-17 17:50 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000018s latency).
Not shown: 999 closed ports
PORT STATE SERVICE
22/tcp : open 
 - Adore worm 
 - SSH 
 - Shaft DDoS
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
[root@perl ~]#


Now for the code:


#! /usr/bin/perl
# Nmap wrapper for OPRP data.
# (C) Simon Biles
# http://www.isecom.org
# Version 0.05
$version = "0.05";
# History - 0.01 Working version.
# 0.02 Changed use of ``s for output to opening a pipe.
# 0.03 Use the OPRP database dump directly, not through
#      pre-parsed file
# 0.04 Included output switches and file writing stuff
# 0.05 Updated for CSO to TS name change and checked working (2012)
#      OPRP Dump file has changed to HTML, converted to CSV and
#      rewrote parser to work with CSV.
#
# Read in from the OPRP data file created earlier
# and fill in an internal table.
# Give us a little credit :) and show that it is running ...
print "\n#########################################\n";
print "# nwrap.pl - Nmap and OPRP combined !   #\n";
print "# (C) Simon Biles TS Ltd. '04           #\n";
print "# http://www.isecom.org                 #\n";
print "# http://www.thinking-security.co.uk    #\n";
print "#########################################\n\n";
%services=();
# Three-argument open, checked, on a handle called OPRP ( DATA is the name
# Perl reserves for the __DATA__ section, so it is best avoided )
open (OPRP, "<", "oprp_services_dump.csv") or die "Can't open oprp_services_dump.csv: $!\n";
# New CSV parser code
while (<OPRP>){
  chomp;
  # Split the data at comma separations
  ($port_no,$port_type,$name,$reference) = split(/,/, $_);
  # Skip the header line and anything whose port isn't a number
  next unless defined $port_no && $port_no =~ /^\d+$/;
  if ($port_type =~ /^UDP/){
    $port_prot = $port_no."/udp";
    push( @{$services{$port_prot}},$name);
  }
  elsif ($port_type =~ /^BOTH/){
    $port_prot = $port_no."/tcp";
    push( @{$services{$port_prot}},$name);
    $port_prot = $port_no."/udp";
    push( @{$services{$port_prot}},$name);
  }
  elsif ($port_type =~ /^TCP$/){
    $port_prot = $port_no."/tcp";
    push( @{$services{$port_prot}},$name);
  }
  else {
    # Empty or unrecognised type. ( The old test, =~ "", matched every line:
    # an empty pattern in Perl means "reuse the last successful match" )
    $port_prot = $port_no."/unknown";
    push( @{$services{$port_prot}},$name);
  }
}
# Just to keep things tidy !
close OPRP;
# There are some output to file arguments that I hadn't thought about !
# Check for them here and set up some variables ...
# They then are pulled from the arguments so that we can do the output ...
# If more than one output option is specified ( which I'm not sure is legal anyway )
# the final switch will take priority
# The arguments for nmap are kept as a list rather than joined into one string:
# each stays a separate word, and they reach nmap without passing through a shell.
$out_normal = 0; $out_xml = 0; $out_grep = 0;
@nmap_args = ();
for($i = 0;$i < @ARGV;$i++){
  if ($ARGV[$i] =~ m/^-o[NXG]$/){
    if ($ARGV[$i] eq "-oN"){$out_normal = 1; $out_xml = 0; $out_grep = 0;}
    if ($ARGV[$i] eq "-oX"){$out_xml = 1; $out_normal = 0; $out_grep = 0;}
    if ($ARGV[$i] eq "-oG"){$out_grep = 1; $out_xml = 0; $out_normal = 0;}
    # nmap writes that format to stdout ( "-" ); the file itself is ours to write
    push(@nmap_args, $ARGV[$i], "-");
    $i++; $filename = $ARGV[$i];
  } else {
    push(@nmap_args, $ARGV[$i]);
  }
}
# O.k. ... So if there is a file specified, we had better open it to write to ...
if ($out_normal == 1 || $out_xml == 1 || $out_grep == 1){
  open(OUT, ">", $filename) or die "Can't open $filename to write to ! $! \n";
}
# Run nmap with the provided command line args.
# doing it this way rather than with backticks, means that the output is "live"
# ( the list form of open runs nmap directly, no shell involved )
open(NMAP, "-|", "nmap", @nmap_args) or die "Can't run nmap: $!\n";
# If necessary warn the user that they shouldn't expect to see any output ...
if ($out_xml == 1){
  print "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n";
  print "! Sorry. The XML output option only   !\n";
  print "! outputs to the filename specified   !\n";
  print "! not to the screen.                  !\n";
  print "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n";
}
if ($out_grep == 1){
  print "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n";
  print "! Sorry. The Grep output option only  !\n";
  print "! outputs to the filename specified   !\n";
  print "! not to the screen.                  !\n";
  print "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\n";
}
# Modify the output as required.
while(<NMAP>){
  if ($out_normal == 0 && $out_xml == 0 && $out_grep == 0){
    if ($_ =~ m/(^\d+\/)(tcp|udp)/){
      ($port,$state,$service)= split (/\s+/, $_);
      print "$port : $state \n";
      foreach $service ( sort @{$services{$port}}){
        print " - $service \n";
      }
    } else {
      print $_;
    }
  } elsif ( $out_normal == 1 && $out_xml == 0 && $out_grep == 0){
    if ($_ =~ m/(^\d+\/)(tcp|udp)/){
      ($port,$state,$service)= split (/\s+/, $_);
      print "$port : $state \n";
      foreach $service ( sort @{$services{$port}}){
        print " - $service \n";
      }
      print OUT "$port : $state \n";
      foreach $service ( sort @{$services{$port}}){
        print OUT " - $service \n";
      }
    } else {
      print $_;
      print OUT $_;
    }
  } elsif ( $out_xml == 1 && $out_normal == 0 && $out_grep == 0){
    if ($_ =~ /<port /){
      # Keep nmap's own element so the file is still valid XML
      $xml_line = $_;
      # Turn the tag punctuation into spaces so the attributes split cleanly
      # ( the angle brackets in this regex were eaten by the web page )
      $_ =~ s/[<>\/]/ /g;
      $_ =~ s/\"//g;
      (@array) = split (" ",$_);
      foreach (@array){
        # Anchored, so a bare "state" or "service" token can't clobber a value
        if ($_ =~ m/^portid=/){ ($key, $port) = split ("=",$_); }
        if ($_ =~ m/^state=/){ ($key, $state) = split ("=",$_); }
        if ($_ =~ m/^protocol=/){ ($key, $protocol) = split ("=",$_); }
        if ($_ =~ m/^conf=/){ ($key, $conf) = split ("=",$_); }
        if ($_ =~ m/^method=/){ ($key, $meth) = split ("=",$_); }
      }
      $port_prot = $port."/".$protocol;
      print OUT $xml_line;
      foreach $service ( sort @{$services{$port_prot}}){
        # The element printed here did not survive the trip through the web page,
        # so the OPRP names go in as XML comments, which any parser accepts
        print OUT "<!-- OPRP: $service -->\n";
      }
    } else {
      print OUT $_;
    }
  } elsif ( $out_grep == 1 && $out_normal == 0 && $out_xml == 0){
    # This is all one bloody long line, so this should be fun ...
    # Send the comments straight through ...
    if ( $_ =~ /^\#/ ){
      print OUT $_;
    } else {
      @array = split(",",$_);
      @therest = ();
      for($i=0;$i < @array; $i++){
        if($array[$i] =~ /Host:/){
          ($label,$host_ip,$host_name,$ports_label,@tail)= split(" ",$array[$i]);
          # Whatever follows "Ports:" stays in this field: the first port, and
          # the "Ignored State" text too when there is only one port
          $array[$i] = join(" ",@tail);
        }
        if($array[$i] =~ /Ignored/){
          ($port_data,@therest)= split(" ",$array[$i]);
          $array[$i] = $port_data;
        }
      }
      print OUT "$label $host_ip $host_name $ports_label ";
      foreach (@array){
        $_ =~ s/^\s+//;     # fields after a comma carry a leading space
        $_ =~ s/\// /g;
        $_ =~ s/\,//g;
        $_ =~ s/\s+/:/g;
        ($port,$state,$protocol,$name) = split(":",$_);
        $port_prot = $port."/".$protocol;
        foreach $service ( sort @{$services{$port_prot}}){
          print OUT "$port/$state/$protocol//$service///,";
        }
      }
      print OUT " ".join(" ",@therest)."\n";
    }
  }
}
# Tidy up the open files ... if they exist ...
if ($out_normal == 1 || $out_xml == 1 || $out_grep == 1){
  close OUT;
}
close NMAP;
# That's it really !


In order to make it work you’ll need to download the CSV file of the OPRP database here.
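As an added example ( not part of nwrap.pl, and not ISECOM's code ), here is the same idea in Python: build the port/protocol table from an OPRP-style CSV, then rewrite nmap's normal output the way nwrap.pl does, one " - name" line per OPRP entry under each open port. The CSV and the nmap text are constructed samples in the four-column layout the Perl above reads ( port, type, name, reference ), not the real OPRP dump; run_nmap hands nmap a list argv, so nothing on the command line is interpreted by a shell.

```python
"""Annotate nmap normal output with OPRP service names. Added example, not nwrap.pl."""
import csv
import io
import re
import subprocess
from collections import defaultdict

# Constructed sample in the four-column layout nwrap.pl reads
# (port, type, name, reference). Not the real OPRP dump.
SAMPLE_OPRP_CSV = """port,type,name,reference
22,TCP,SSH,sample
22,TCP,Adore worm,sample
22,TCP,Shaft DDoS,sample
53,BOTH,DNS,sample
161,UDP,SNMP,sample
8080,,HTTP alternate,sample
"""

# Constructed nmap normal output, modelled on the localhost scan above.
SAMPLE_NMAP_NORMAL = """Starting Nmap 5.50 ( http://nmap.org ) at 2012-07-17 17:50 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000018s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
53/udp  open  domain
Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)")
PROTOCOLS = {"TCP": ("tcp",), "UDP": ("udp",), "BOTH": ("tcp", "udp")}


def load_oprp(csv_text):
    """Build {'port/proto': [sorted names]} from OPRP-style CSV.
    TCP -> port/tcp, UDP -> port/udp, BOTH -> both; anything else -> port/unknown."""
    services = defaultdict(list)
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 3 or not row[0].strip().isdigit():
            continue  # header line or malformed row
        port, ptype, name = row[0].strip(), row[1].strip().upper(), row[2].strip()
        for proto in PROTOCOLS.get(ptype, ("unknown",)):
            services[f"{port}/{proto}"].append(name)
    return {key: sorted(names) for key, names in services.items()}


def annotate(nmap_text, services):
    """Rewrite each port line as 'port/proto : state' followed by one ' - name'
    line per OPRP entry; every other line passes through untouched."""
    out = []
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            out.append(line)
            continue
        key = f"{m.group(1)}/{m.group(2)}"
        out.append(f"{key} : {m.group(3)}")
        out.extend(f" - {name}" for name in services.get(key, []))
    return "\n".join(out) + "\n"


def run_nmap(args, services):
    """Run nmap with a list argv (no shell, so arguments are never shell-interpreted)
    and annotate what it prints. Needs nmap installed; not used by the sample run."""
    result = subprocess.run(["nmap", *args], capture_output=True, text=True, check=True)
    return annotate(result.stdout, services)


if __name__ == "__main__":
    print(annotate(SAMPLE_NMAP_NORMAL, load_oprp(SAMPLE_OPRP_CSV)), end="")
```

Sorting the names gives the same order as the Perl ( "Adore worm", "SSH", "Shaft DDoS" ), and a "BOTH" row lands under both 53/tcp and 53/udp while a blank type goes under port/unknown, which nmap's tcp/udp lines will never look up.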


Incidentally, if you are interested in Port Scanning and Penetration Testing and the like, you might find this series on Forensic Focus interesting.



Ports to Promisc Linux

It may be that you need to configure your network ports to listen in promiscuous mode – packet sniffing, IDS etc. Quick and easy configuration on Linux is available through /etc/network/interfaces; adding the following lines will do it ( assuming the interface is eth2 ):

auto eth2
iface eth2 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down

Just a quick tip 😉
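An added example, not from the original post: once the stanza above has run ( /etc/network/interfaces is read by ifupdown, so this applies to Debian and its derivatives ), the kernel sets the IFF_PROMISC bit in the interface flags, which is visible both in /sys/class/net/eth2/flags and in the angle brackets of ip link show. The script below checks that bit in both places, so you can confirm the sniffer port came up as intended; the same check run across every interface tells you which ports on a box are in promiscuous mode, which is something a defender wants to know too. The ip link text is a constructed sample, the flag values come from <linux/if.h>, and the interface names are assumptions.

```python
"""Which Linux interfaces are actually in promiscuous mode?  Added example."""
import os
import re

# Interface flag bits from <linux/if.h>. /sys/class/net/<iface>/flags shows the
# same word as hex, so an UP, BROADCAST, MULTICAST sniffer port reads 0x1103.
IFF_FLAGS = {
    0x1: "UP", 0x2: "BROADCAST", 0x8: "LOOPBACK", 0x10: "POINTOPOINT",
    0x40: "RUNNING", 0x80: "NOARP", 0x100: "PROMISC", 0x200: "ALLMULTI",
    0x1000: "MULTICAST",
}
IFF_UP, IFF_PROMISC = 0x1, 0x100

# Constructed sample of `ip link show` output (not captured from a real host).
SAMPLE_IP_LINK = """1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
3: eth2: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 00:11:22:33:44:66 brd ff:ff:ff:ff:ff:ff
"""


def decode_flags(flags_hex):
    """Map the sysfs hex word (e.g. '0x1103') to the set of flag names it carries."""
    value = int(flags_hex.strip(), 16)
    return {name for bit, name in IFF_FLAGS.items() if value & bit}


def read_sysfs_flags(sysfs="/sys/class/net"):
    """Live view of this host: {iface: hex flags string} straight from sysfs."""
    flags = {}
    for iface in sorted(os.listdir(sysfs)):
        path = os.path.join(sysfs, iface, "flags")
        if os.path.isfile(path):
            with open(path) as fh:
                flags[iface] = fh.read()
    return flags


def promiscuous_interfaces(flags_by_iface):
    """Interfaces that are both UP and PROMISC, i.e. what the stanza should leave eth2 as."""
    ready = []
    for iface, hexword in flags_by_iface.items():
        value = int(hexword.strip(), 16)
        if value & IFF_UP and value & IFF_PROMISC:
            ready.append(iface)
    return sorted(ready)


# "2: eth2: <BROADCAST,...>" or "4: eth0.10@eth0: <...>" for a VLAN sub-interface
IP_LINK_HEADER = re.compile(r"^\d+:\s+([^\s@:]+)(?:@\S+)?:\s+<([^>]*)>")


def parse_ip_link(text):
    """Parse `ip link show` output into {iface: set(flag names)}: the same bits,
    rendered by iproute2 (LOWER_UP is carrier state, not an IFF_ flag)."""
    result = {}
    for line in text.splitlines():
        m = IP_LINK_HEADER.match(line)
        if m:
            result[m.group(1)] = set(filter(None, m.group(2).split(",")))
    return result


def promiscuous_from_ip_link(text):
    """Same check as promiscuous_interfaces, but driven from ip link output."""
    return sorted(iface for iface, flags in parse_ip_link(text).items()
                  if {"UP", "PROMISC"} <= flags)


if __name__ == "__main__":
    print("from ip link sample:", promiscuous_from_ip_link(SAMPLE_IP_LINK))
    if os.path.isdir("/sys/class/net"):  # on the sniffer box itself
        print("on this host:", promiscuous_interfaces(read_sysfs_flags()))
```

The flag only says what state the interface is in, not who put it there: a running tcpdump sets the same bit for as long as it runs, whereas the interfaces stanza makes it persistent across an ifup / ifdown cycle.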


CEH – Self Study

I’ve been asked by a company to review a self-study course on the new CEH v7, and they have very kindly provided me with a full copy of their material. On a first look, it seems pretty good – I like the way that it is arranged, and it’s easy to use. Installation was no problem, although I have to use my PC rather than my Mac / Linux box, which isn’t exactly ideal ! So far my only issue with it is that there are some minor errors with the peripheral content ( the price of the exam quoted in the material is $250; I’ve not found it for less than $300 for the online exam and $500 for the meat-space exam ). These are early days though, and I actually intend to follow the whole thing through and sit the exam – so there will be more details coming soon.

UPDATE: Make sure that you read : CEH – Self Study – The Review

And also, if you are heading down this path of CEH perhaps you might like :  An Introduction to Penetration Testing
