Wednesday, August 31, 2011

Finding stuff in Linux


So it's time for some Linux fun! Chances are that if you are a regular Linux user you have used the find command before, but here we are going to review this useful command and maybe you can learn something new :)

The basics

One of the most common searches you will do is looking for a specific file name or even a pattern. You could try the locate command first, but sometimes you get too many results back, or it may be a recent file that isn't yet in the locate database. Here is what a search by name using find looks like:

find / -name myfile


/ is the path we want to start our search from and, of course, 'myfile' is the name of the file we want to find. We can also use a pattern, for example if we wanted to find all the mp3 files on our system (the pattern is quoted so the shell does not expand the wildcard before find sees it):

find / -name '*.mp3'

So that's it for the basics, let's move on...

Searching by time

So let's say we just screwed up and unzipped a large file into our current directory, and that left us with lots of small files mixed with the stuff we had there before. We would like to clean up this mess, so find to the rescue!

We can use find to search for files created in the last 5 minutes:

find . -cmin -5

There are different time-search switches, -Xmin and -Xtime, where min means minutes and time means days (24-hour periods). The X here refers to the file time attribute we want to use for our search; you can use this table:


Access Time | a | This is the time that the file was last accessed, read or written to.
Modify Time | m | This is the last time the actual contents of the file were modified.
Change Time | c | This is the time that the inode information (permissions, name, etc., the metadata, as it were) was last modified.



For freshly unzipped files only the Change Time actually changes (unzip restores each file's original modification time from the archive), so that's why I used that in this case.

Finally, we can use the -exec option to execute a command on every file found (run the same find without -exec first to review the list before deleting anything), for example:

find . -cmin -10 -exec rm '{}' \;
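As an added example (not from the original post), here is a small script that reproduces the situation above in a scratch directory: files whose modification time is old but whose inode was just created, which is why -cmin finds them and -mmin does not; it also lists the matches with -print before any -exec rm would run. The directory and file names are made up.

```shell
# Added example, not part of the original post: builds a scratch directory with
# "unpacked" files whose mtime is old but whose ctime is now, and shows why
# -cmin catches them while -mmin does not. All paths here are constructed.
set -eu
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Simulate files just extracted from an archive: unzip restores the archive's
# old modification time, but the inode was created now, so ctime is recent.
for f in song.mp3 notes.txt; do
    printf 'unpacked\n' > "$work/$f"
    touch -t 200101010000 "$work/$f"      # mtime back to 2001; ctime stays "now"
done
mkdir "$work/sub"                          # a directory, to show -type f filtering

# Count regular files whose modification time is within the last 5 minutes.
recent_mtime() { find "$work" -type f -mmin -5 | wc -l | tr -d ' '; }
# Count regular files whose inode changed within the last 5 minutes.
recent_ctime() { find "$work" -type f -cmin -5 | wc -l | tr -d ' '; }
# The name search from the post, restricted to the scratch directory.
mp3_files()    { find "$work" -name '*.mp3' | wc -l | tr -d ' '; }

# Dry run: list what an -exec rm would remove before actually deleting anything.
find "$work" -type f -cmin -5 -print
```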


Filtering by file type


To search for specific file types, like directories, we can use the -type option, like this:

find /etc -type d

Here is a small table with some of the possible file types:

d   directory
f   regular file
l   symbolic link; this is never true if the -L option or the -follow option is in effect, unless the symbolic link is broken. If you want to search for symbolic links when -L is in effect, use -xtype.


That's it for now! If you want to learn more about find, 'man find' is your friend!


Thursday, August 18, 2011

Proxy detection via "Proxy-Connection" header

I found a site that threw this message at me while I was trying to use Burp proxy:




I fired up Wireshark and captured a normal request and a Burp request, then exported the headers to a file.




A quick diff showed the difference:




Now it's just a matter of using Burp's "match and replace" feature:



Finally, we can load the page correctly. But what if, instead of showing us that helpful message, the application just behaved differently?
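The diff step above, as an added example that is not part of the original post: two constructed header captures (made-up values), a function that reports which header names only the proxied request carries, and the kind of check the site was doing. It assumes the proxied request differs only by the Proxy-Connection header.

```shell
# Added example, not part of the original post: reproduces the "export the
# headers and diff them" step with two constructed requests, and a check for
# the Proxy-Connection header. All header values below are made up.
set -eu
direct=$(mktemp); proxied=$(mktemp)
trap 'rm -f "$direct" "$proxied"' EXIT

# Constructed: the request as the browser sent it directly to the server.
cat > "$direct" <<'EOF'
GET /index.php HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0
Accept: text/html
Connection: keep-alive
EOF

# Constructed: the same request as it arrived after passing through Burp.
cat > "$proxied" <<'EOF'
GET /index.php HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:5.0) Gecko/20100101 Firefox/5.0
Accept: text/html
Proxy-Connection: keep-alive
EOF

# Lower-cased header names in a captured request, one per line.
header_names() { sed -n 's/^\([A-Za-z-]*\):.*/\1/p' "$1" | tr 'A-Z' 'a-z' | sort -u; }

# Header names present in the second capture but not in the first.
added_headers() {
    base=$(mktemp)
    header_names "$1" > "$base"
    header_names "$2" | grep -vxF -f "$base" || true
    rm -f "$base"
}

# What the site's check amounts to: is the header Burp adds present? (exit 0 = yes)
looks_proxied() { grep -qi '^proxy-connection:' "$1"; }

added_headers "$direct" "$proxied"          # prints: proxy-connection
```

Such a check only spots a proxy that leaves the header in place, which is exactly why the match and replace step above defeats it.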

Saturday, August 13, 2011

Beef-ng - The browser exploitation framework


Beef-ng is a complete rewrite in Ruby of the old BeEF. So what is BeEF? Basically, a tool that will let us "hook" a browser and then send it arbitrary JavaScript code to execute; this could be anything from an innocent alert box to a Java exploit. This is how the Beef-ng interface looks:



BeEF already comes with a set of predefined modules like keylogging, sending the user to another site... and it can interact with Metasploit to deliver an exploit directly to the hooked browser.

To get a browser hooked we will need to make it load, somehow, the BeEF hooking script, which is: http://ip:3000/hook.js
For testing/demo purposes you can use http://127.0.0.1:3000/demos/basic.html, but the real potential of this is exploiting XSS flaws. This is what it looks like when a browser is hooked into BeEF:




We can now select the hooked browser to view some information about it; we can also launch a module, or just send raw JavaScript if we choose to:

The browser details


The available modules

The version available on BackTrack 5 is 0.4.2.7, while the latest version at the time of this writing is 0.4.2.8.


Project site: http://beefproject.com/

That's it for now, until next time!

Thursday, August 11, 2011

Weaponizing Firefox - part 2


Ready for more? Let's continue setting up our browser; this time we are going to see how to install and use Firebug and Firecookie!


Firebug


Start by grabbing it here > https://addons.mozilla.org/en-US/firefox/addon/firebug/

So what is Firebug? This addon will let us, among other things, edit the current page without having to either download it or load our proxy and intercept the server response. It's worth noting that it can also serve as a JavaScript debugger.

Let's see a few examples of how this can be useful...


Getting rid of annoying restrictions:



Inspecting elements to see why our XSS attempt didn't work:




Firecookie


Firecookie integrates with Firebug to grant it the ability to manipulate cookies. The current version (1.2.1) does not work well with Firebug 1.8; even the one offered at the developer's site gives problems:

That is also a good place to take a look at its features, but to get it working you will have to build your own from the svn http://code.google.com/p/firecookie/source/checkout or, if you trust me, just download it from here http://www.mediafire.com/?3nrmid7jgs73d7b, which I built myself and can confirm that it works.




Tuesday, August 9, 2011

Weaponizing Firefox - part 1

First post! I could talk about a lot of boring stuff but let's get right into the meat :)
We are going to see how we can turn Firefox into a powerful tool for our hacking needs. This is intended to be just an aid and not the definitive tool, so I just made a small selection; other addons might include Tamper Data, Live HTTP Headers...

We will install the following addons: FoxyProxy, Firebug, Firecookie, Hackbar. On with the show!

FoxyProxy

This addon will let us quickly switch between proxies or just disable proxies and use our normal connection. This will be very useful for using web proxy tools like Burp Suite, Paros, WebScarab...

We can grab it from here: https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/
It will ask you to restart the browser, so proceed, and now let's take a look at the configuration.




We just need to click on "Add new proxy", enter a name and the proxy configuration, like this:



We can also go to global settings and check "Show mode (text) on status bar" so we can quickly see what our active proxy setup is. At this point we should be ready to start using our new proxy switcher.




Stay tuned for the next part: setting up Firebug and Firecookie!