I am now done with studying for the CEH (passed exam last week) so I'm looking for my next endeavor. I'm currently taking an Offensive Security (penetration testing) course from Dakota State so I'm still keeping those skills somewhat fresh with the course.
I've decided to go back to Python and dig into it more. I read Think Python over the summer but didn't really put much effort into it. I basically just read it and did the examples in the book, didn't really do any of the exercises or anything like that. This time I am going to try to do the exercises and maybe post them on here just so that will motivate me to actually do them. I'm currently using the book at http://learnpythonthehardway.org/ right now but will also use Learning Python 5th Ed., Programming Python 4th Ed., Python Cookbook 3rd Ed., Violent Python, and Gray Hat Python. I really want to concentrate on how I can use Python to learn more about Pen Testing, Reverse Engineering, and Malware Analysis.
Hopefully I will be posting back soon with some answers to exercises as I'm diving into Python.
Sunday, September 8, 2013
Sunday, August 11, 2013
Building My Penetration Testing Lab
One of the key ingredients to learning the hacking techniques needed for penetration testing is having a decent lab to practice in. For the past year I've basically just been using VMWare Player on my PC and would run a VM running Kali Linux and one running Metasploitable. This was enough to play around with some tools while reading some of the books but I knew at some point I would want to have a little more complex lab to play around in.
My PC up until a few weeks ago was a 3-core box with 8 GB of RAM and about 300 GB of disk space. This is the main PC that my family uses so a lot of that disk space was allocated and it left me with a little space for VMs, maybe 2-4 at a time. 8GB of RAM was also a limiting factor when running VMs. I had contemplated building a server to run VMWare ESXi or Hyper-V on that would house my whole lab but I really haven't been able to justify the cost. What I ended up doing was just buying 16GB of RAM and an additional 1TB hard drive to get my machine in a state that it could handle running 6-8 VMs at a time.
Here is a picture of what my lab looks like right now in VMWare Player.
A couple of things I wanted to have in my lab were:
1) Internet Access but segregated from my home network
2) 2 separate subnets with a firewall in between
3) a system that I could watch the traffic on with wireshark and snort
4) a mixture of vulnerable VMs to practice on
I created 2 separate networks within VMWare Player, one named secure and one named unsecure. I have 2 "attacking" machines on the unsecure network, Kali Linux and Windows 7. On the secure network I have a Windows 2012 domain controller mainly to offer DNS and DHCP services for that subnet. I also will probably add a client to the domain and just sniff that traffic to see what it looks like when the client authenticates among other things. I also have an older Ubuntu 9 server, Metasploitable, UltimateLAMP, and Win XP w/ SP2 that I can bang around on and practice some of the techniques I am learning.
On the unsecure network, I have a m0n0wall distribution as the gateway for Internet access. It is just a basic default setup and nothing special. On the box named "Snort" that connects the 2 networks together, I just have IP forwarding turned on and some basic firewall rules that allow traffic between the two networks. The 3 rules I had to add on that box are:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
I had troubles getting the traffic between the two networks to work initially with the basic ACCEPT rules that are on iptables by default and adding these are the only way I could get it to work. I actually think just using the MASQUERADE rule is sufficient enough but I added the last 2 just in case. I intend to play around with iptables more at some point during my practicing to see how firewall rules will affect some traffic and see if there are ways to bypass the firewall. I have the box named "Snort" because when I originally created this VM it was going to just run Snort to watch traffic on the private network while I'm testing out techniques. I still haven't actually gotten around to setting up snort on the box but that is on my list of "To Dos".
Static routes are also needed on the Kali and WinPen boxes to the 192.168.10.0/24 that tell them to send traffic destined for that network to the 192.168.20.5 interface on "Snort". Otherwise, they will try to send the traffic out the 192.168.20.1 interface on "m0n0wall".
This is just a start to my lab, hopefully I will add some more vulnerable systems to the secure network. If you have any suggestions on good vulnerable systems to test with please let me know.
Monday, June 24, 2013
Quick Update
Just wanted to post a quick update since it has been quite a while since I've posted anything. The family finally made it through a hectic schedule the past few months and I will be working a more normal 9-5 schedule now. Hopefully I will be able to put some decent blog posts together soon.
I had blogged about possibly starting school at Western Governor's University but I have decided not to go that route. I came across the Information Assurance program at Dakota State and after checking out its offerings and classes I really like what I saw. I have been accepted to start the Information Assurance - Ethical Hacking Graduate Certificate this Fall. I'm really excited because it is in line with what I want to learn. If everything goes well with the Graduate Certificate then I plan to continue on with the Masters of Science in Information Assurance and Computer Security (MSIA) degree. It will be a long road but I think it will be well worth it.
My reading lately has been mostly around scripting. I'm in the middle of reading Learn Windows Powershell 3 in a Month of Lunches and recently just finished Think Python. I intend to dig deeper into both of these scripting languages, both are extremely powerful.
Hope everyone has a great summer.....
I had blogged about possibly starting school at Western Governor's University but I have decided not to go that route. I came across the Information Assurance program at Dakota State and after checking out its offerings and classes I really like what I saw. I have been accepted to start the Information Assurance - Ethical Hacking Graduate Certificate this Fall. I'm really excited because it is in line with what I want to learn. If everything goes well with the Graduate Certificate then I plan to continue on with the Masters of Science in Information Assurance and Computer Security (MSIA) degree. It will be a long road but I think it will be well worth it.
My reading lately has been mostly around scripting. I'm in the middle of reading Learn Windows Powershell 3 in a Month of Lunches and recently just finished Think Python. I intend to dig deeper into both of these scripting languages, both are extremely powerful.
Hope everyone has a great summer.....
Friday, February 8, 2013
Use Powershell to Find Adobe Flash Version
Hello all!! Wanted to put up a post about a quick and dirty script that I wrote to check the Flash version on machines in a domain.
This can be run on all computers in the domain or you could specify the OU to search. This script will output to a tab delimited file named get_flash_version_output.txt by default but you can specify your own output file if desired. Here's the code:
Generic execution which will iterate through your whole domain and output to get_flash_version_output.txt
PS C:\> .\get_flash_version.ps1
Execution specifying a specific searchbase within Active Directory
PS C:\> .\get_flash_version.ps1 -searchbase "dc=Your,dc=Domain"
Put it all together -> use searchbase, verbose output, and write to a different output file
PS C:\> .\get_flash_version.ps1 -searchbase "dc=Your,dc=Domain" -verbose -output test.txt
Another feature I'd like to add is maybe have it grab the current version of Flash from HERE and let you know if you need to upgrade or not.
But that is for another time….
This can be run on all computers in the domain or you could specify the OU to search. This script will output to a tab delimited file named get_flash_version_output.txt by default but you can specify your own output file if desired. Here's the code:
[CmdletBinding()]
param(
$searchbase = $null,
$output = ".\get_flash_version_output.txt"
)
# if the searchbase isn't specified then use the default domain of the user
if($searchbase -eq $null)
{
$searchbase = ([adsi]'').distinguishedName.ToString()
}
#load all computer objects into a variable
$computers = Get-ADComputer -SearchBase $searchbase -Filter * -SearchScope Subtree
#iterate through each computer object
foreach($computer in $computers)
{
$name = $computer.name
# test to be sure you can communicate with the machine, ignoring any errors
if(Test-Connection $name -count 1 -ErrorAction SilentlyContinue)
{
# file that we will be querying for the version
$filename = "\\$name\c$\windows\system32\macromed\flash\flash*.ocx"
# test the path to be sure it exists before trying to check the version
if(Test-Path $filename)
{
$file = get-item $filename
$version = $file.versionInfo.fileversion -replace ",", "."
}
else
{
$version = "Not Installed"
}
write-verbose "$name`t$version"
"$name`t$version" | out-file -append $output
}
else
{
write-verbose "$name`tOffline"
"$name`tOffline" | out-file -Append $output
}
}
Generic execution which will iterate through your whole domain and output to get_flash_version_output.txt
PS C:\> .\get_flash_version.ps1
Execution specifying a specific searchbase within Active Directory
PS C:\> .\get_flash_version.ps1 -searchbase "dc=
Put it all together -> use searchbase, verbose output, and write to a different output file
PS C:\> .\get_flash_version.ps1 -searchbase "dc=
Another feature I'd like to add is maybe have it grab the current version of Flash from HERE and let you know if you need to upgrade or not.
But that is for another time….
Monday, February 4, 2013
Disable SSLv2 on Windows 2008
Recently I was tasked with disabling SSLv2 on a few Windows 2008 servers that are Internet-facing due to SSLv2 vulnerabilities. I have performed this change in the past but did not really use any tool to confirm my change worked at the time. This time I decided to poke around the Internet and see if there were any tools that I could run before and after the change to ensure SSLv2 wasn't "listening" anymore.
I eventually came across a great and simple to use perl script named CryptoNark. This tools was easy to get running on my Backtrack R3 box I have hanging around my desk. I did have to install a few dependencies first to get it running. I had to run the following 3 commands to install the dependencies.
After completing those commands I was able to run the script with the following syntax:
./cnark.pl -h "Hostname/IP" -p 443 --insecure
The --insecure is used to ignore self-signed certs. The result will look similar to this.
Now that we have confirmed that SSLv2 is alive and kicking on our server we need to disable it. I found the following page on an MSDN blog that did the trick for me. It is a simple registry change:
Open the registry and find:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
I believe I may have had to create the Server key.
Then add a new REG_DWORD with a name of DisabledByDefault. Give it a value of 0x1 to disable SSLv2 by default.
Once this was done I tried to just reset IIS to see if the change would be effective without a reboot but it did not work. After rebooting the system I ran the cnark.pl script again and the result looked like:
And there you have it, SSLv2 is disabled. This would definitely be something that could easily be added to a server build script or added to a base image so you don't have to do this every time.
Adios!!
I eventually came across a great and simple to use perl script named CryptoNark. This tools was easy to get running on my Backtrack R3 box I have hanging around my desk. I did have to install a few dependencies first to get it running. I had to run the following 3 commands to install the dependencies.
- cpan Modern::Perl
- Cpan Tie::Hash::Indexed
- Cpan Mozilla::CA
After completing those commands I was able to run the script with the following syntax:
./cnark.pl -h "Hostname/IP" -p 443 --insecure
The --insecure is used to ignore self-signed certs. The result will look similar to this.
Now that we have confirmed that SSLv2 is alive and kicking on our server we need to disable it. I found the following page on an MSDN blog that did the trick for me. It is a simple registry change:
Open the registry and find:
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server
I believe I may have had to create the Server key.
Then add a new REG_DWORD with a name of DisabledByDefault. Give it a value of 0x1 to disable SSLv2 by default.
Once this was done I tried to just reset IIS to see if the change would be effective without a reboot but it did not work. After rebooting the system I ran the cnark.pl script again and the result looked like:
And there you have it, SSLv2 is disabled. This would definitely be something that could easily be added to a server build script or added to a base image so you don't have to do this every time.
Adios!!
Subscribe to:
Posts (Atom)