20160811

OpenVAS error

Well, I like to use OpenVAS, but it is the most frustrating install I ever do, and after troubleshooting it I always think I will remember how to do it next time.  And I might, but I will make a note here just in case I have to look it up again.  

Here is the error after running openvas-check-setup:

Digging around a bit, I found this helpful post, and this helpful tip.  But the takeaway was that I needed to modify the file /etc/redis/redis.conf, adding these lines after port 0:
And finally, start the Redis server at the command prompt, specifying the new configuration file, with this command: redis-server /etc/redis/redis.conf

Running openvas-check-setup again, we get a whole new error:
But you can solve the rest of the error by reading the error and the suggested fix.
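Since the specific lines added to redis.conf are only in the screenshot, here is an added check (example code, not from the post, OpenVAS or Redis) that parses a redis.conf and reports whether it has the shape openvas-check-setup is looking for. It assumes the scanner wants Redis reachable only over a Unix socket (port 0, a unixsocket line, a restrictive unixsocketperm) and that openvassd.conf names the same socket in a `kb_location = <path>` line; the socket path and both config samples are constructed placeholders.

```python
"""Check a redis.conf for the Unix-socket setup OpenVAS expects.

Added example, not code from the post, OpenVAS or Redis.  Assumption: the
scanner wants Redis listening on a Unix socket only, i.e. 'port 0', a
'unixsocket <path>' line and a restrictive 'unixsocketperm'.  The socket
path /var/run/redis/redis.sock and the sample files are placeholders.
"""

# Constructed sample: a stock redis.conf fragment before the edit.
REDIS_CONF_BEFORE = """\
# Accept connections on the specified port, default is 6379.
port 6379
# unixsocket /tmp/redis.sock
# unixsocketperm 700
"""

# Constructed sample: the same fragment after adding the socket lines.
REDIS_CONF_AFTER = """\
# Accept connections on the specified port, default is 6379.
port 0
unixsocket /var/run/redis/redis.sock
unixsocketperm 700
"""

# Constructed sample of the matching openvassd.conf line (assumed syntax).
OPENVASSD_CONF = "kb_location = /var/run/redis/redis.sock\n"


def parse_redis_conf(text):
    """Map directive -> value, skipping comments and blank lines.
    Redis applies the last occurrence of a repeated directive, so do the same."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        conf[name.lower()] = value.strip()
    return conf


def check_openvas_redis(text):
    """Return a list of problems; an empty list means the scanner can use it."""
    conf = parse_redis_conf(text)
    problems = []
    port = conf.get("port", "unset")
    if port != "0":
        problems.append("port is %s, expected 0 so only the socket is exposed" % port)
    sock = conf.get("unixsocket")
    if not sock:
        problems.append("unixsocket is not set; openvassd has nothing to connect to")
    elif not sock.startswith("/"):
        problems.append("unixsocket %r is not an absolute path" % sock)
    perm = conf.get("unixsocketperm")
    if perm is None:
        problems.append("unixsocketperm is not set")
    elif int(perm, 8) & 0o007:
        # world bits set: any local user could read or alter the scanner's KB
        problems.append("unixsocketperm %s is open to every local user" % perm)
    return problems


def kb_location_matches(openvassd_conf, redis_conf):
    """True when openvassd.conf's kb_location names the configured socket."""
    sock = parse_redis_conf(redis_conf).get("unixsocket")
    for line in openvassd_conf.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "kb_location":
            return value.strip() == sock
    return False


if __name__ == "__main__":
    for label, text in (("before", REDIS_CONF_BEFORE), ("after", REDIS_CONF_AFTER)):
        print(label, check_openvas_redis(text) or "ok",
              "kb_location match:", kb_location_matches(OPENVASSD_CONF, text))
```

Run it against the real files with `open("/etc/redis/redis.conf").read()` in place of the samples; the permission check is the one worth keeping even after the install works, since the socket carries the scanner's knowledge base.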

20160523

Password Storage in Firefox

I got to thinking about password storage in Firefox recently, and wanted to figure out if they are easy to recover.  A quick search led me to PasswordFox.  I tried it out, and recovered the password pretty quickly (under a minute, maybe under 10 seconds).

I started with a decent string generator, and got this for a password:
Next, I made up an account and stored the password.  Finally, using PasswordFox I recovered the password, as seen here:


The passwords are stored in a JavaScript Object Notation (JSON) file.  I added a few line breaks for easy reading, but it is this:

I went back in and set a master password, and the same trick did not work.  So, I recommend using this 'master password' if you're going to let Firefox store your passwords (but don't forget it).

This is all covered fairly well on Mozilla's support forum.
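To make concrete what that JSON file does and does not hold, here is an added example (not from the post and not Mozilla's code) that inventories a logins.json and takes apart one of its encrypted fields. The field names follow the logins.json layout; the blob layout follows the NSS SDR format Firefox used at the time (an ASN.1 SEQUENCE of key id, 3DES-CBC algorithm identifier and ciphertext, base64-encoded); the sample entry, hostname and blob contents are constructed here, so nothing is decrypted. The point it makes is that the plaintext is not in this file at all: recovering it needs the key in key4.db, which is exactly what the master password protects.

```python
"""Inventory a Firefox logins.json and describe its encrypted fields.

Added example, not the post's or Mozilla's code.  The sample file is
constructed; the encrypted fields are synthetic DER blobs built below with
dummy key id, IV and ciphertext, shaped like the NSS SDR blobs Firefox wrote
at the time (key id, 3DES-CBC algorithm identifier, ciphertext).
"""
import base64
import json
from datetime import datetime, timezone

DES_EDE3_CBC_OID = bytes.fromhex("2a864886f70d0307")   # 1.2.840.113549.3.7


def _der(tag, body):
    """Minimal DER TLV encoder (short-form lengths only, < 128 bytes)."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def make_sample_blob(key_id, iv, ciphertext):
    """Construct a blob with the SDR layout, base64-encoded.  Dummy values only."""
    algo = _der(0x30, _der(0x06, DES_EDE3_CBC_OID) + _der(0x04, iv))
    seq = _der(0x30, _der(0x04, key_id) + algo + _der(0x04, ciphertext))
    return base64.b64encode(seq).decode()


# Constructed sample logins.json; timestamps are milliseconds since the epoch.
SAMPLE_LOGINS_JSON = json.dumps({
    "nextId": 2,
    "logins": [{
        "id": 1,
        "hostname": "https://example.test",
        "httpRealm": None,
        "formSubmitURL": "https://example.test",
        "usernameField": "user",
        "passwordField": "pass",
        "encryptedUsername": make_sample_blob(b"K" * 16, b"I" * 8, b"U" * 16),
        "encryptedPassword": make_sample_blob(b"K" * 16, b"I" * 8, b"P" * 24),
        "guid": "{00000000-0000-4000-8000-000000000001}",
        "encType": 1,
        "timeCreated": 1463961600000,
        "timeLastUsed": 1463961600000,
        "timePasswordChanged": 1463961600000,
        "timesUsed": 1,
    }],
    "disabledHosts": [],
    "version": 2,
})


def _read_tlv(buf, pos):
    """Read one short-form DER TLV at pos; return (tag, body, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    if length >= 0x80:
        raise ValueError("long-form lengths are not handled in this example")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def _decode_oid(body):
    """Turn DER OID content bytes into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def describe_blob(b64):
    """Parse an encryptedUsername/encryptedPassword value into its parts."""
    raw = base64.b64decode(b64)
    tag, seq, _ = _read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("not an ASN.1 SEQUENCE; not an SDR blob")
    _, key_id, pos = _read_tlv(seq, 0)
    _, algo, pos = _read_tlv(seq, pos)
    _, ct, _ = _read_tlv(seq, pos)
    _, oid, apos = _read_tlv(algo, 0)
    _, iv, _ = _read_tlv(algo, apos)
    return {"key_id_len": len(key_id), "algorithm": _decode_oid(oid),
            "iv_len": len(iv), "ciphertext_len": len(ct)}


def inventory(logins_json_text):
    """Summarise each stored login without decrypting anything."""
    data = json.loads(logins_json_text)
    rows = []
    for entry in data["logins"]:
        last_used = datetime.fromtimestamp(entry["timeLastUsed"] / 1000, tz=timezone.utc)
        rows.append({
            "hostname": entry["hostname"],
            "enc_type": entry["encType"],
            "last_used": last_used.date().isoformat(),
            "password_blob": describe_blob(entry["encryptedPassword"]),
        })
    return rows


if __name__ == "__main__":
    for row in inventory(SAMPLE_LOGINS_JSON):
        print(row)
```

Point it at a real profile's logins.json to get a quick list of which sites have saved credentials and when they were last used; the `algorithm` field coming back as 1.2.840.113549.3.7 (des-ede3-cbc) is how you can tell you are looking at an SDR blob rather than plaintext.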

20160516

Add a user and hide from logon screen

This tip on how to add a user without adding them to the logon screen got me wanting to try that out on Windows 10.  So, I went in there.

Here is the list of users initially with the net users command:
I can add bob with net user bob pass /add
This adds bob, and bob is now on the home screen (you can note my anonymizing edits):
We can take a look at the registry with reg query "HKLM\software\microsoft\windows nt\currentversion\winlogon"
Next, we can add bob to the registered 'special accounts' that do not appear on the logon screen with reg add "hklm\software\microsoft\windows nt\currentversion\winlogon\specialaccounts\userlist" /v bob /t REG_DWORD /d 0 /f
Then, taking a look at the logon screen, there is no sign of bob:
And that's that.  Thanks to Jose Quinones for the initial how-to.
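The same registry key is worth checking from the other direction: an account that is in `net user` but has a UserList value of 0 will never appear on the logon screen, which is exactly what you would want to notice during a review. Here is an added example (not from the post or the linked how-to) that works on captured output of the two commands used above, so it runs offline; the hostname, account names and registry values in the samples are constructed. It assumes the documented semantics that a UserList value of 0 hides the account and a non-zero value shows it.

```python
"""Flag local accounts hidden from the logon screen via SpecialAccounts\\UserList.

Added example, not part of the original post.  It parses saved output of
'net user' and of 'reg query ...\\winlogon\\specialaccounts\\userlist'; on a
live host you would feed it the real output.  The samples are constructed.
"""
import re

# Constructed sample output of: net user
NET_USER_OUTPUT = """\
User accounts for \\\\WORKSTATION

-------------------------------------------------------------------------------
Administrator            bob                      DefaultAccount
Guest                    jane
The command completed successfully.
"""

# Constructed sample output of:
# reg query "hklm\\software\\microsoft\\windows nt\\currentversion\\winlogon\\specialaccounts\\userlist"
REG_QUERY_OUTPUT = """\

HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\specialaccounts\\userlist
    bob    REG_DWORD    0x0
    svc_backup    REG_DWORD    0x0
    jane    REG_DWORD    0x1
"""

# One value line of reg query output: name, type, hex data.
REG_VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+REG_DWORD\s+0x(?P<value>[0-9a-fA-F]+)\s*$")


def parse_net_user(output):
    """Account names from 'net user'.  Names are laid out in columns between
    the dashed rule and the closing line; names containing spaces would need
    column-width parsing, which this example does not attempt."""
    names, in_table = [], False
    for line in output.splitlines():
        if line.startswith("----"):
            in_table = True
            continue
        if line.startswith("The command completed"):
            break
        if in_table and line.strip():
            names.extend(line.split())
    return names


def parse_userlist(output):
    """Map value name -> DWORD data from the UserList key query."""
    entries = {}
    for line in output.splitlines():
        m = REG_VALUE_LINE.match(line)
        if m:
            entries[m.group("name")] = int(m.group("value"), 16)
    return entries


def find_hidden_accounts(net_user_output, reg_output):
    """Return accounts that exist locally and are hidden (value 0), plus
    UserList names with no matching local account (stale or mistyped).
    Windows account names are case-insensitive, so compare lower-cased."""
    accounts = {n.lower() for n in parse_net_user(net_user_output)}
    userlist = parse_userlist(reg_output)
    hidden = sorted(n for n, v in userlist.items() if v == 0 and n.lower() in accounts)
    dangling = sorted(n for n in userlist if n.lower() not in accounts)
    return {"hidden": hidden, "dangling": dangling}


if __name__ == "__main__":
    print(find_hidden_accounts(NET_USER_OUTPUT, REG_QUERY_OUTPUT))
```

On a real host, save the two outputs to files and pass their contents in; anything in `hidden` that is not an expected service account deserves a closer look, and `dangling` entries show where the key was edited for an account that no longer exists.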

20160501

A note about ARP

As you can see here, it is the nature of things that an Address Resolution Protocol (ARP) packet with an 'is-at' payload would have a destination MAC that is the same as the MAC it is describing in the packet.

We can see an example in this Wireshark capture:

That packet puts an entry in to the ARP cache like so:


To see what happens when we mix up the addresses, we can use scapy, the packet manipulation program.  We can do this (at the scapy prompt):


To send this:

With only the Sender MAC inside the ARP protocol payload, we get this cache update:

So, as you can see, by changing the ARP payload, we can change which MAC is put in the cache.  Also, the scapy payload was not sent in response to an ARP request, and the cache had not aged off.  But, the cache was updated.  With some tuning this technique could be used to accomplish ARP poisoning, and a man-in-the-middle attack.
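The three things observed above (the cache takes the MAC from the ARP payload, the reply was unsolicited, and the existing entry was replaced before it aged out) are also the three things an ARP monitor can key on. The added example below (not the post's scapy session, and it sends nothing) builds Ethernet+ARP frames with struct, parses them, applies the cache-update rule to a dictionary standing in for the ARP cache, and returns the warnings a monitor would raise: Ethernet source address differing from the ARP sender hardware address, an is-at for an address nobody asked about, and an existing entry changing MAC. All addresses and the frame sequence are constructed.

```python
"""Simulate the ARP cache rule from the post and the checks that catch a
crafted is-at.  Added example, not the post's scapy commands; frames are only
built in memory and parsed, never sent.  All addresses are constructed."""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def _fmt_mac(b):
    return ":".join("%02x" % x for x in b)


def _fmt_ip(b):
    return ".".join(str(x) for x in b)


def build_arp(op, eth_dst, eth_src, sha, spa, tha, tpa):
    """Ethernet II header + 28-byte ARP body (RFC 826 layout), used here only
    to construct sample frames for the parser."""
    eth = struct.pack("!6s6sH", _mac(eth_dst), _mac(eth_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      _mac(sha), _ip(spa), _mac(tha), _ip(tpa))
    return eth + arp


def parse_arp(frame):
    """Return the Ethernet addresses and the ARP fields as a dict."""
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"eth_dst": _fmt_mac(eth_dst), "eth_src": _fmt_mac(eth_src), "op": op,
            "sha": _fmt_mac(sha), "spa": _fmt_ip(spa),
            "tha": _fmt_mac(tha), "tpa": _fmt_ip(tpa)}


def learn(cache, pending, frame):
    """Apply the cache rule the post observed: an is-at maps the sender protocol
    address to the sender hardware address *inside the ARP payload*; the
    Ethernet header is not consulted.  Returns the warnings a monitor would raise."""
    p = parse_arp(frame)
    warnings = []
    if p["op"] == ARP_REQUEST:
        pending.add(p["tpa"])            # we asked who-has tpa; a reply is expected
        return warnings
    if p["op"] != ARP_REPLY:
        return warnings
    if p["eth_src"] != p["sha"]:
        warnings.append("frame source %s != ARP sender MAC %s" % (p["eth_src"], p["sha"]))
    if p["spa"] not in pending:
        warnings.append("unsolicited is-at for %s" % p["spa"])
    pending.discard(p["spa"])
    old = cache.get(p["spa"])
    if old and old != p["sha"]:
        warnings.append("%s moved from %s to %s" % (p["spa"], old, p["sha"]))
    cache[p["spa"]] = p["sha"]           # the payload MAC wins, as in the post
    return warnings


def demo():
    """Constructed sequence: our host (...:02) asks for 192.168.1.1, the gateway
    (...:01) answers normally, then a third host (...:03) sends an is-at whose
    payload claims a different MAC for the same address."""
    cache, pending = {}, set()
    ours, gw, third = "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:03"
    request = build_arp(ARP_REQUEST, "ff:ff:ff:ff:ff:ff", ours, ours, "192.168.1.20",
                        "00:00:00:00:00:00", "192.168.1.1")
    reply = build_arp(ARP_REPLY, ours, gw, gw, "192.168.1.1", ours, "192.168.1.20")
    crafted = build_arp(ARP_REPLY, ours, third, "de:ad:be:ef:00:01", "192.168.1.1",
                        ours, "192.168.1.20")
    w_req = learn(cache, pending, request)
    w_reply = learn(cache, pending, reply)
    w_crafted = learn(cache, pending, crafted)
    return cache, w_req, w_reply, w_crafted


if __name__ == "__main__":
    cache, w_req, w_reply, w_crafted = demo()
    print("cache:", cache)
    print("warnings on crafted reply:", w_crafted)
```

The first two frames produce no warnings and the cache learns the gateway's real MAC; the third replaces it with the payload MAC and trips all three checks. The Ethernet-source versus sender-hardware-address comparison is the cheapest of the three and is what tools like arpwatch build on, since a normal reply from a real NIC has the two equal.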

20160423

Buffer Overflow - SLMail

Well, of course there is a module that will do the exploit for you, but I have joined the many people who have put together a video on how to do a buffer overflow using SLMail, Immunity Debugger, mona commands, and Kali Linux, and put the video on YouTube.  Probably easier if you just watch the video, but the 'in a nutshell' version is:
1) Find a spot we can crash a program.
2) See if someone has already written a Proof of Concept for us.
3) See if it works.
4) Fix the parts that do not work.
5) Profit.

In the video we go from vulnerable service, and proof of concept, to a bind shell and a connection in msfconsole.

Hat tip to Offensive Security, whose Penetration Testing with Kali course was my first exposure to this level of detail in how a buffer overflow works.  The same exercise is presented within that course, along with many others.


Kali Bugs

I stumbled upon a slight error in Kali today.  It was easily reproducible, so I went over to bugs.kali.org/ to report it.  I had to register to report, but that was pretty painless.  If you find things that you think (or know) are wrong, I encourage you to report them, too.

Oh, my thing? When I used the Applications --> Reverse Engineering --> NASM shell menu button, I got this:

So, I reported it as a broken link.  Hopefully it will be fixed for all users soon.

Update: After I did a little bit of apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y the menu was fixed.

20160421

An expect script for bandit labs

If you have tried the bandit series of labs over at OverTheWire you have experienced trying to paste an SSH password into the prompt, only to be unable to see what you pasted and needing to hope for the best.  But, you can use an expect script like this one to log in for you, and that will save you a second here and there.

This is the script:
#!/usr/bin/expect
set level [lindex $argv 0]
set password [lindex $argv 1]
spawn ssh bandit$level@bandit.labs.overthewire.org
expect "password: "
send $password\r
sleep 2
send ls\r
expect "$ "
interact

You can invoke it with script_name # PASS, where script_name is whatever you name the script, # is the level number you are on, and PASS is the password for that level.  If you name the script ssh_bandit, you can get to the first level (level 0) with:
ssh_bandit 0 bandit0

Looking at the script line by line:
1) Tells bash what program to use to run the script.
2) Sets the level variable to the first argument value.
3) Sets the password variable to the second argument value.
4) Starts an SSH session as the bandit<level#> user at the server.
5) Waits for the password prompt.
6) Sends the password, and return.
7) Waits two seconds.
8) Sends the ls command, and a newline. (This is handy because you will often want to do a directory listing first thing.)
9) Waits for a prompt.
10) Switches to interactive mode.  (Without this, typing exit to leave the SSH shell exits the bash shell.)

(Note: This may not cover the first connection for you, since the bandit server's key may not be in your known hosts, and it does not account for this variation.  Feel free to improve upon it.)