Irongeek.com
Welcome to Irongeek.com, Adrian Crenshaw's Information
Security site (along with a bit about weightlifting and other things that strike
my fancy). As I write articles
and tutorials I will be posting them here. If you would like to republish one of
the articles from this site on your webpage or print journal please e-mail me. Enjoy
the site and write us if you have any good ideas for articles or links.
At some point, I will start putting up some of my own content :) I have done
some tricks that I hope will make the page load better, but I'm not sure about
the browser compatibility. In the mean time, here is some more of Jeremy's work:
Using Metasploit Hashdump Post Exploit Module Creds Table And John
This video shows how to have the hashdump post-exploitation module automatically
populate the creds table in the Metasploit database, then export the credentials
to a file suitable for passing to John the Ripper in order to audit the
passwords.
Using Metasploit Community Edition To Determine Exploit For Vulnerability
In previous versions of Metasploit it was possible to run "db_autopwn -t -x" in
msfconsole to have Metasploit guess the best exploits for a given
vulnerability. This video looks at alternative functionality for the deprecated
"db_autopwn -t -x" option of older versions of Metasploit's msfconsole.
Metasploit Community Edition has similar exploit analysis functionality
accessible via the web-based GUI.
Jeremy had two
more videos for you. It's beginning to become a load problem with all the iframe
embedded videos :). I'm willing to take suggestions.
Using Hydra To Brute Force Web Forms Based Authentication Over Http
This video covers using nmap to ping sweep the network, then discover open ports on two
machines to locate a web server on which Mutillidae is running. Once the web
server is found, the site is loaded into Firefox and the login page is
located. Using View Source, Burp Suite, and the site's registration page, the login
process is studied: the form's field names and the text the site returns on a
failed login, which hydra needs in order to tell a failed attempt from a
successful one. Potential usernames are gathered using Reconnoitter,
CeWL, and the site's own blog page. A password file from John the Ripper is used.
With the potential usernames and passwords in hand, hydra is used in
http-post-form mode to search for a username and password combination that can log into the
site.
Connect To Unreachable Web Site Through Meterpreter Port Forwarding
This video covers accessing a web site that is normally unreachable from our
BackTrack 5 box. After gaining a session on a third box that can reach it, we forward our
web browser's traffic through the compromised host in order to browse the website. The
port forwarding is done with the meterpreter portfwd command on the compromised host
(portfwd add -l <local port> -p 80 -r <internal web server>). After
setting up the port forward, the browser is pointed at the local port and the compromised host acts as
a relay (almost like a web proxy) to the "internal" web
application.
04/27/2012
DerbyCon tickets go on sale today!
(Friday April 27th) – CFP OPEN!
We will be opening up ticket sales on Friday at 1:00PM EST on April 27th 2012.
Both training and normal conference tickets will be going on sale at this time.
We feel we have a very stable ticketing system at this point from the tests last
week and don’t anticipate any major issues! We look forward to seeing everyone
at DerbyCon this year… It’s going to be amazing!!!
The call for papers is also open! Check out the
CFP section on the
DerbyCon site here.
Some of the current speakers: Jeff Moss, Dan Kaminsky, Kevin
Mitnick, Martin Bos, Adrian Crenshaw, HD Moore, Dave Kennedy, Ryan Elkins,
Johnny Long, Chris Nickerson, Chris Gates, Eric Smith, Paul Asadoorian, Rob
Fuller, Larry Pesce, Chris Hadnagy, John Strand, Peter Van Eeckhoutte, int0x80,
Thomas d’Otreppe, Jack Daniel, Jason Scott, Deviant Ollam, Jayson E. Street,
James Lee, Rafal Los, Kevin Johnson, Tom Eston, Rick Hayes, Georgia Weidman and
Karthik Rangarajan
Notacon 9 (2012) Videos
These are the videos from
the 9th Notacon conference held April
12th-15th, 2012. Not all of them are security related, but I hope my
viewers will enjoy them anyway. Thanks to Froggy and Tyger for having me up, and to the video
team: SatNights, Widget, Securi-D, Purge, Bunsen, Fry Steve and myself. Sorry about
the sound issues, but there is only so much pain I want to go through in post. Also for some videos we only
have the slides or the live
video, but not both.
This video takes a detailed look at the traceroute program in Linux. The newer
traceroute is used (version 2.0.18). The later versions have the ability to send
probe packets using different protocols (for example TCP SYN with -T, or ICMP echo with -I) to the target. This feature was
previously found in the LFT (Layer Four Traceroute) tool but not in the
Linux traceroute. While LFT is still more feature-rich than the traceroute built
into Linux, the new features make the Linux tool very useful and
quite capable. It helps to understand how traceroute forms its probe packets,
to what ports they are sent, and what protocols can be used to send
them. With that understanding, traceroute can be made to work through
firewalls and HIPS when ICMP and/or UDP and/or most TCP ports are
blocked, by choosing a protocol and destination port (-p) that the filter lets through.
This video is an introduction to the tcpdump network packet sniffer/capture
tool. The video is relatively long because the demo used required "building
up" to the HTTP capture. The video only covers the basics but is meant to be a
good introduction to practical use of tcpdump.
This video looks at using Maltego to both gather and organize information in a
customer pen-test. Maltego is a GUI-based tool which is included in
the BackTrack 5 R2 release. The tool is able to gather information from public
sources on entities. The Community Edition (used in this video) is free; there
is a paid version with more features. The site used in this video is
irongeek.com and was used with written permission from the owner. If following
along, please use a domain for which you have permission.
04/08/2012
Finding Comments And File Metadata Using Multiple Techniques
Jeremy Druin has made a new video:
This video has two related parts. The first part discusses finding the comments
in Mutillidae related to the "comments challenge". This is an easy challenge in
Mutillidae, but the techniques can be extended to search entire sites for
comments. The second part of the video looks at finding metadata in general
using a variety of tools.
The tools used are Firefox "View Source", w3af, grep, wget, Burp Suite, exiftool
and strings. The demo site used is Mutillidae, which is a free, open-source, fully
functional PHP site with a MySQL database. The site runs on localhost or it can
be run in a virtual network as a practice target or capture-the-flag target. It
is not a good idea to run Mutillidae publicly because it will get hacked.
Mutillidae is available at SourceForge and Irongeek.com. Along with the project
are several documents and an installation guide for Windows 7.
Pen-testing practice in a box: How to assemble a virtual network
This is the first in a line of classes Jeremy Druin will be giving on
pen-testing and web app security featuring
Mutillidae for the Kentuckiana
ISSA. Topics: VirtualBox installation, installing virtual machines,
configuring virtual networks (bridged, NAT, host-only), USB devices in virtual
machines, wireless networks in virtual machines, installing Guest Additions, how
to install Mutillidae in Windows on XAMPP, how to install Mutillidae on Linux
(Samurai WTF)
04/05/2012
Mutillidae How To Use Dradis To Organize Nmap And Nessus Scan Results
New video from
Jeremy Druin:
The latest version of Dradis (2.9) has much better import speed than
version 2.7. This video looks at using the import features of Dradis to organize
the scan results from an nmap scan and a Nessus 5 scan. Dradis is a tool that
allows pen testers, auditors, and vulnerability assessors to organize their work
by server or other categories. Dradis also runs a web server through which other team
members can share information.
04/03/2012
Homoglyph
Attack Generator Updated
I found a list of IDN blacklisted characters on Mozilla's site and added them. I
also added a table of the homoglyphs I'm using.
This video looks at upgrading
Nessus 4 to Nessus 5. The operating system used in the video is Backtrack 5 R2.
Nessus 4 was successfully registered and running on this OS prior to attempting
to upgrade to Nessus 5. If a fresh Nessus install is needed, the process is
different.
Nmap's reporting is excellent with the XML output option (-oX), but it is not used in a lot
of cases. The XML output from nmap can be imported into other tools such as
Metasploit Community Edition (Import button), the Metasploit database (db_import), and other tools.
Also, the XML file can be opened in a web browser, which applies the nmap.xsl stylesheet
the file references, to produce a well-formatted report suitable for attachment to a pen-test report.
03/29/2012
Outerz0ne Video Move
Still working on moving videos to YouTube to support more devices. Since
Outerz0ne is coming up I decided to move
their videos next:
Manual Directory Browsing To Reveal Mutillidae Easter Egg File
Jeremy has made another video:
This video looks at manual testing for directory browsing misconfiguration
vulnerabilities in Mutillidae. For brute forcing directory names, OWASP
DirBuster or Burp Suite Intruder are great tools. However, Mutillidae gives away
some of its directory paths when serving PDF and other files. These can be
tested manually to reveal the Mutillidae Easter egg file. Also, common directory
names like "include" and "includes" can be tried quickly just using a browser
before firing up the tools.
This is a class we gave for the Kentuckiana ISSA
on the subject of password exploitation. The Password Exploitation Class was
put on as a charity event for the Matthew Shoemaker Memorial Fund. The speakers
were Dakykilla, Purehate_ and Irongeek.
This is a class I gave for the
Kentuckiana ISSA on the subject of anti-forensics. It's about 3 hours long,
and sort of meandering, but I hope you find it handy. For the record, Podge was
operating the camera :) Apparently it was not on me during the opening joke, but
so be it, no one seemed to get it. I spend way too much time on the Internet it
seems. Also, I'm in need of finding a video host to take these large files. This
class video is 3 hours, 7 min and 1.2GB as captured.
The
following are videos from the Footprinting/OSInt/Recon/Cyberstalking class I did
up in Fort Wayne Indiana for the Northeast Indiana Chapter of ISSA. I've split
the class into three videos by subtopic, and included the text from the
presentation for quick linking.
03/24/2012
Mutillidae Injecting Cross Site Script Into Logging Pages Via Cookie Injection
Jeremy has made another video (I can't keep up):
By setting the values of browser cookies, then purposely browsing to a web page
that logs the value of user cookies, it may be possible to inject cross site
scripts into the log files or the log data table of the web site. Later, when the
logs are reviewed by administrators, the cross site scripts may execute in the
administrator's browser; this works when the logging page stores the cookie value
unencoded and the log viewer renders it as HTML. The video uses the Mutillidae capture-data pages as an
example. In Mutillidae one of the capture-the-flag events is to poison the
attacker's browser by purposely exposing the attacker to a cross site script. This
can be done by infecting a cookie and then "letting" the attacker trick you into
visiting the capture-data page.
03/24/2012
Mutillidae Generate Cross Site Scripts With SQL Injection
Jeremy has made another video:
This video discusses an advanced SQL injection technique. The SQL injection is
used to generate cross site scripting: the injected query returns a string
containing script, which the page then renders. This is useful when cross site scripts
cannot be injected into a webpage directly from the client because a web application
firewall or other filter is in place. If an SQL injection can be slipped
past the WAF, the SQL injection can generate the cross site
script dynamically, for example by building the string server-side with SQL
functions such as CHAR(), so the literal script tag need not appear in the request.
03/22/2012
DOJOCON
2010 Videos Migrated To YouTube
I've started to migrate the con videos I record and embed on this site to
YouTube. I'm doing this for a few reasons:
1. Vimeo took down Dave Marcus' talk because they said it was in
violation of their TOS, and when I tried to explain to them what it was about
they would not email me back (and I was a paying customer to their service at the
time).
2. I'm now allowed longer videos on YouTube, so why not.
3. This should support more devices.
I've started with DOJOCON 2010 to get Dave's talk back up. Below
are the videos from the conference, at least the ones I can show :), enjoy.
Web Application Pen-testing Tutorials With Mutillidae
When I started the
Mutillidae project it was with the intention of using it as a teaching tool
and making easy-to-understand video demos. Truth be told, I never did as much
with it as I intended. However, after Jeremy Druin (@webpwnized)
took over the development it really took off. I have since come to find out he
has been doing A LOT of YouTube video tutorials with Mutillidae, which he said I
could share here. I will be copying his descriptions with slight editing and
embedding his videos in this page. Videos include:
Crypto & Block Cipher Modes (OpenSSL, AES 128, ECB, CBC)
Hopefully this will give a nice visual illustration of how Electronic Codebook (ECB)
and Cipher Block Chaining (CBC) mode work, using AES-128 and OpenSSL. You can learn a
lot from a known plaintext and from repeating patterns: under ECB, identical
plaintext blocks produce identical ciphertext blocks, so structure in the input
shows through in the output. Inspired by labs from Kevin
Benton & "Crypto Lab 1" from SEED.
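The ECB-versus-CBC comparison described above, as an added shell example (this is not the video's lab or any code from the site). It assumes the openssl(1) command line tool and POSIX od/fold/sort/cut are installed; the key, IV and the repeated "YELLOW SUBMARINE" plaintext are constructed test values.

```shell
#!/bin/sh
# Added example, not from the original video: show with the openssl CLI why
# ECB leaks plaintext structure and CBC does not.
# Assumptions: openssl(1) plus POSIX od/fold/sort/cut are installed.
# Key, IV and plaintext below are constructed test values.

KEY=000102030405060708090a0b0c0d0e0f   # AES-128 key as 32 hex digits
IV=00000000000000000000000000000000    # CBC IV; ECB takes none

# Known plaintext: the same 16-byte block repeated four times (64 bytes,
# a whole number of blocks, so -nopad is safe).
BLOCK='YELLOW SUBMARINE'
PLAIN="$BLOCK$BLOCK$BLOCK$BLOCK"

# raw_cipher MODE -> raw AES-128 ciphertext of $PLAIN on stdout
raw_cipher() {
    case $1 in
        ecb) printf '%s' "$PLAIN" | openssl enc -aes-128-ecb -K "$KEY" -nopad ;;
        cbc) printf '%s' "$PLAIN" | openssl enc -aes-128-cbc -K "$KEY" -iv "$IV" -nopad ;;
        *)   echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# encrypt MODE -> ciphertext as one line of lowercase hex
encrypt() {
    raw_cipher "$1" | od -An -tx1 -v | tr -d ' \n'
    echo
}

# block_count MODE -> number of 16-byte ciphertext blocks (32 hex digits each)
block_count() {
    echo $(( $(encrypt "$1" | tr -d '\n' | wc -c) / 32 ))
}

# unique_blocks MODE -> number of *distinct* 16-byte ciphertext blocks.
# ECB gives 1 here: identical plaintext blocks encrypt identically.
# CBC gives 4: every block is XORed with the previous ciphertext block first.
unique_blocks() {
    encrypt "$1" | fold -w 32 | sort -u | wc -l | tr -d ' '
}

# ecb_block TEXT16 -> hex of one ECB block, i.e. the "codebook" entry for it
ecb_block() {
    printf '%s' "$1" | openssl enc -aes-128-ecb -K "$KEY" -nopad | od -An -tx1 -v | tr -d ' \n'
    echo
}

main() {
    for mode in ecb cbc; do
        printf '%s: %s\n' "$mode" "$(encrypt "$mode" | fold -w 32 | tr '\n' ' ')"
        printf '%s: %s of %s blocks are distinct\n' "$mode" \
            "$(unique_blocks "$mode")" "$(block_count "$mode")"
    done
    # Under ECB, one known plaintext/ciphertext pair lets you spot that
    # plaintext wherever it recurs, without the key.
    printf 'ECB("%s") = %s\n' "$BLOCK" "$(ecb_block "$BLOCK")"
}

main "$@"
```

Run it and compare the two hex dumps: the ECB line is the same 32 hex digits four times, the CBC line is not. Note one more thing the all-zero IV makes visible: the first CBC block is identical to the ECB block, because C1 = E(P1 XOR IV) and XOR with zero changes nothing. That is the practical reason CBC needs an unpredictable IV per message, not just any IV.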
Shared Hosting MD5 Change Detection Script
I wanted a simple shell script that would monitor the files on a site and
report any changes via email.
Dave Kennedy's Artillery was
close to what I needed (and does a lot more), but I wanted something I could run
on my shared hosting account. This is what I came up with, for better or worse.
If nothing else, it was a good exercise in BASH scripting, and may come in handy
for those that want to make something similar.
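A minimal change detector of the kind described above, as an added example. This is not Irongeek's script; it is written here to show the baseline-and-compare logic such a script needs. It assumes POSIX sh with md5sum, find, sort, awk and mktemp, and the web-root contents in the demo are constructed.

```shell
#!/bin/sh
# Added example, not Irongeek's script: record the md5sum of every file
# under a web root as a baseline, then report files added, removed or
# modified since. Assumes POSIX sh with md5sum, find, sort, awk, mktemp.
# Emailing the report is left to the caller (see the note after the code).

# snapshot DIR -> "md5  ./relative/path" lines, one per regular file,
# sorted by path. Paths containing newlines or backslashes are escaped by
# md5sum and would need extra handling; web roots rarely have them.
snapshot() {
    ( cd "$1" || exit 1
      find . -type f -print | LC_ALL=C sort | while IFS= read -r f; do
          md5sum "$f"
      done )
}

# compare BASELINE CURRENT -> "ADDED path", "MODIFIED path", "REMOVED path"
# md5sum output is fixed-width: 32 hex digits, two spaces, then the path,
# so the path starts at column 35.
compare() {
    awk '
        FILENAME == ARGV[1] { base[substr($0, 35)] = substr($0, 1, 32); next }
        {
            path = substr($0, 35); sum = substr($0, 1, 32)
            if (!(path in base))        print "ADDED " path
            else {
                if (base[path] != sum)  print "MODIFIED " path
                delete base[path]
            }
        }
        END { for (path in base) print "REMOVED " path }
    ' "$1" "$2" | LC_ALL=C sort
}

# baseline DIR FILE -> write the trusted snapshot of DIR to FILE
baseline() { snapshot "$1" > "$2"; }

# check DIR FILE -> print every difference between DIR now and the baseline
check() {
    cur=$(mktemp) || return 1
    snapshot "$1" > "$cur"
    compare "$2" "$cur"
    rm -f "$cur"
}

# demo -> build a throwaway "web root" (constructed data), tamper with it,
# and print the resulting report
demo() {
    root=$(mktemp -d) || return 1
    mkdir "$root/inc"
    printf '<?php echo "hi";\n' > "$root/index.php"
    printf '<?php $db = 1;\n'    > "$root/inc/db.php"
    printf '<?php // legacy\n'   > "$root/old.php"
    baseline "$root" "$root.md5"
    printf '<?php eval($_POST["c"]);\n' >> "$root/index.php"   # modified
    printf '<?php system($_GET["c"]);\n' > "$root/inc/c99.php"  # added
    rm "$root/old.php"                                          # removed
    check "$root" "$root.md5"
    rm -rf "$root" "$root.md5"
}

demo
```

From cron, the pattern is: run check, and if the output is non-empty pipe it to mail (for example `mail -s "site changed" you@example.com`, assuming mail(1) exists on the host) and then decide whether to refresh the baseline. Two caveats for a shared-hosting account: the baseline must be kept where an attacker who can rewrite site files cannot also rewrite it (a copy off-host, or at least a hash of the baseline noted elsewhere), and MD5 is adequate for noticing that a file changed but not for proving a file is the original against an adversary who chooses both versions; sha256sum is a drop-in replacement here, with the path starting at column 67 instead of 35.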
Night 1
“How Do You Know Your Colo Isn’t “Inside” Your Cabinet, A Simple Alarm Using Teensy” by David Zendzian
“Bending SAP Over & Extracting What You Need!” by Chris John Riley
“ROUTERPWN: A Mobile Router Exploitation Framework” by Pedro Joaquin
“Security Is Like An Onion, That’s Why it Makes You Cry” by Michele Chubirka
“Five Ways We’re Killing Our Own Privacy” by Michael Schearer
Night 2
“Cracking WiFi Protected Setup For Fun and Profit” by Craig Heffner
“Passive Aggressive Pwnage: Sniffing the Net for Fun & Profit” by John Sawyer
“Resurrecting Ettercap” by Eric Milam
“Security Onion: Network Security Monitoring in Minutes” by Doug Burks
“Remotely Exploiting the PHY Layer” by Travis Goodspeed
02/05/2012
ShmooCon Epilogue 2012 Talks
Includes:
Resurrection of Ettercap: easy-creds, Lazarus & Assimilation
Eric Milam - (Brav0Hax) &
Emilio Escobar
Media Hype and Hacks that Never Happened
Space Rogue
More than one way to skin a cat: identifying multiple paths to compromise a
target through the use of Attack Graph Analysis
Joe Klein
Proper Depth / Breadth testing for Vulnerability Analysis and fun with tailored
risk reporting metrics.
Jason M Oliver
Extending Information Security Methodologies for Personal Use in Protecting
PII.
John Willis
Stratfor Password Analysis
Chris Truncer
Intro To Bro
Richard Bejtlich
Javascript obfuscation
Brandon Dixon
01/21/2012
Unix File Permissions and Ownership (CHOWN, CHMOD, ETC)
I'm taking a security class where we had a lab on Unix/Linux file system
permissions. I decided I might as well record it and the steps taken, along
with explanations of what I was doing to set the permissions such as read,
write, execute, SetUID, SetGID and the sticky bit. Kevin Benton created the lab,
so I'd like to give him credit for inspiring me to do this video.
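The permission bits the lab walks through, as an added shell example (not the class lab or any code from the page). It sets each kind of bit on scratch files, converts the octal mode to the rwx form by hand, and checks that against what stat reports. It assumes GNU coreutils on Linux (stat -c; BSD stat spells this -f) and a writable temp directory.

```shell
#!/bin/sh
# Added example, not the class lab: set each kind of permission bit on
# scratch files and read it back, so the octal, symbolic and ls(1) forms
# can be compared side by side. Assumes GNU coreutils on Linux.

# mode_of PATH -> octal mode as stat prints it, e.g. 4755
mode_of() { stat -c '%a' "$1"; }

# ls_mode_of PATH -> ls -l style string, e.g. -rwsr-xr-x
ls_mode_of() { stat -c '%A' "$1"; }

# triplet DIGIT SPECIAL -> rwx for one class; SPECIAL is "s", "t" or "".
# When the special bit is set but x is not, ls shows it upper-case (S/T).
triplet() {
    d=$1 sp=$2 r=- w=- x=-
    if [ $((d & 4)) -ne 0 ]; then r=r; fi
    if [ $((d & 2)) -ne 0 ]; then w=w; fi
    if [ $((d & 1)) -ne 0 ]; then x=x; fi
    if [ -n "$sp" ]; then
        if [ "$x" = x ]; then x=$sp; else x=$(printf '%s' "$sp" | tr st ST); fi
    fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# octal_to_symbolic MODE -> 9-char permission string for a 3- or 4-digit
# octal mode. The leading digit is setuid (4) + setgid (2) + sticky (1).
octal_to_symbolic() {
    m=$1
    case ${#m} in
        3) special=0;        perms=$m ;;
        4) special=${m%???}; perms=${m#?} ;;
        *) echo "bad mode: $m" >&2; return 1 ;;
    esac
    u=${perms%??}; go=${perms#?}; g=${go%?}; o=${go#?}
    su= sg= so=
    if [ $((special & 4)) -ne 0 ]; then su=s; fi
    if [ $((special & 2)) -ne 0 ]; then sg=s; fi
    if [ $((special & 1)) -ne 0 ]; then so=t; fi
    printf '%s%s%s\n' "$(triplet "$u" "$su")" "$(triplet "$g" "$sg")" "$(triplet "$o" "$so")"
}

# chmod_roundtrip MODE -> "octal symbolic" after chmod MODE on a scratch
# file, where symbolic is computed by octal_to_symbolic and then checked
# against what stat reports; MODE may be octal or chmod's symbolic syntax.
chmod_roundtrip() {
    f=$(mktemp) || return 1
    chmod "$1" "$f" || { rm -f "$f"; return 1; }
    oct=$(mode_of "$f")
    want=$(octal_to_symbolic "$oct")
    got=$(ls_mode_of "$f"); got=${got#?}      # drop the file-type character
    rm -f "$f"
    if [ "$want" = "$got" ]; then echo "$oct $got"; else echo "MISMATCH $oct $want $got"; fi
}

main() {
    d=$(mktemp -d) || return 1
    : > "$d/passwd_like"; chmod 4755 "$d/passwd_like"  # setuid: runs as the file's owner
    : > "$d/wall_like";   chmod 2755 "$d/wall_like"    # setgid: runs as the file's group
    mkdir "$d/tmp_like";  chmod 1777 "$d/tmp_like"     # sticky dir: only owners may delete
    mkdir "$d/team";      chmod 2775 "$d/team"         # setgid dir: new files inherit the group
    for p in passwd_like wall_like tmp_like team; do
        printf '%-5s %s  %s  %s\n' "$(mode_of "$d/$p")" "$(ls_mode_of "$d/$p")" \
            "$(octal_to_symbolic "$(mode_of "$d/$p")")" "$p"
    done
    rm -rf "$d"
}

main
```

The upper-case S or T in the ls output is the detail worth remembering when auditing: it means the special bit is set on something that is not executable for that class, which is usually a misconfiguration rather than an intended setuid program. Note also that an unprivileged user who is not a member of a file's group may find the kernel silently clears the setgid bit on chmod 2755; the demo prints whatever stat reports, so a "755" on wall_like is that rule in action, not a bug in the script.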
01/16/2012
Basic Setup of Security-Onion: Snort, Snorby, Barnyard, PulledPork, Daemonlogger
Thanks to Doug Burks for making building a Network Security Monitoring Server
much easier. I mentioned Snort, Snorby, Barnyard, PulledPork and Daemonlogger in
the title, but there is a lot more on the distro than that. This is a nice way
to get an IDS up and running featuring pretty frontends without going into
dependency hell.
On the PIC side: Updated firmware for the USB Host Module - PIC24FJ256GB106
to work with more keyboards.
On the Teensy side:
0.04:
* If a keyboard was plugged in after the keylogger was already powered on, it would type "i7-". I added code to fix this problem.
* Fixed RAW serial debug mode not to print keys.
* Changed the name of the variable "lasttenletters" to "lastfewletters" and expanded it to 60.
* Ctrl+Alt+Y is now used for typing more debugging details.
* Implemented likely-to-fail code for unlocking a workstation using the captured password.
* I had some problems with running out of SRAM because of all of my static strings. I started using the F() function to pull these strings from flash memory to solve this issue.
* Fixed a case issue with lastfewletters. I did not know the method changed it in place.
* Fixed a bug in HIDtoASCII that made the top row of number keys not work right.