OSINT Gathering

The following is the process I’ve followed for gathering intel during security assessments I’ve participated in.  OSINT gathering shouldn’t require you to send any packets to your target organization and as such, can usually be done in advance to an assessment date.

People OSINT

1. Run theharvester and Maltego against the target domain (likely email domain) to generate a list of email addresses for importing into Recon-ng.
   • python theHarvester.py -d <targetDomain> -b all -v -f <outputFile>
   • import into Recon-ng using import/list
2. Run the following Recon-ng modules to check which users have been involved in any public credential leaks:
   • hibp_breach
   • hibp_paste
3. I use Recon-ng as the basis for storing the majority of the data gathered.  I’ll create a separate workspace for each assessment and start by uploading the results from step one and then run salesmaple to finish up the email address gathering.  I haven’t had much success with the Facebook or LinkedIn modules, so tend to do that research more manually.
4. For gathering intel on particular individuals (more for social engineering components of a security assessment), Michael Bazzell’s books and website have been invaluable.  Specifically his centralized search portal.  I highly recommend you at least watch the Free Video to get an idea of the power of some of the search tools in the portal.
   • The “Custom Search Tools” are what I’ve used the most.  The Facebook search tool can pull out all sorts of information that Facebook makes difficult to access if you are not friends with someone.  You do have to have to be logged into a Facebook account for this tool to work, and as a warning, whatever your account name is will likely show up on the target’s Facebook page suggesting that they become friends with you (and vice-a-versa); you may want to create an anonymous account (a good precaution for searches you make on any tools that require an account).
   • The Search Engines Tools is great for searching for a person’s name or other identifying information across a number of search engines (you do need to make sure you allow pop-ups if you want the results for each browser to be displayed in separate tabs, otherwise you can only search one at a time).
   • The Person Search, Username Search, Pastebin Search, Document Search, and others have been very useful.
5. An additional resource for researching a specific person is any database that your Library has access to.  I can login to several different premium background search databases through different public library portals free of charge.
6. Some premium services cost very little per month and are another resource (e.g., intelius.com, pipl.com, spokeo.com)
7. Some other resources for gathering information on individuals
   • Search for Amazon wishlists
   • wigle.net
   • echosec.net
   • articles published by local newspapers

Technology OSINT

1. Searching whois for netblocks belonging to the target organization is good place to start.  Be creative with how you search for the target entity’s name, often times the names are truncated or just different altogether.  You can use an asterisk (*) in your searches as a wildcard.  Recon-ng does a decent job at querying whois [whois_miner], provided you have a variety of company names to search by in your companies table.
2. Load any known domains into your Recon-ng db (or use modules to populate them) and run the following modules:
   • netblocks-hosts/reverse_resolve
   • google_site_web
   • yahoo_domain
   • baidu_site
   • bing_domain_web
   • hosts-hosts/resolve
   • pgp_search
   • salesmaple
   • census_2012 (dated, but could be useful)
   • xssed
   • xssposed
   • netcraft
   • ssl_san
   • punkspider
   • builtwith (this is best run if you redirect the output to a text file and then use some sed/awk magic to strip out the technologies in use, otherwise this data doesn’t get stored in the db)
   • vpnhunter
3. Maltego is a great resource.  Running any of their machines on various entities can provide a wealth of information.
4. Censys.io is another resource and relatively new.  It has an API and Recon-ng has a module for it, but it wasn’t working at the time of this post.  You can get scan data on your target without sending any packets.

PwnPad Installation Tutorial thru Kali VM

I attended the Pwnie Express PwnPad Installation class at DerbyCon 3.0 and found out how to install the PwnPad image on my Nexus7 (16GB, 1st generation, WiFi only) thru a Kali VM image.  I won’t write out the entire process, just the differences from their installation document.

Unfortunately you can’t just “apt-get install adb fastboot” you have to add some french repositories and install a few other packages to get it going.  The following commands should get you through that (many thanks to the Kali developer that attended the DerbyCon class for this!) –

1. mkdir /opt/android && cd /opt/android
2. echo “deb-src http://debian.ens-cachan.fr/ftp/debian/ sid main contrib non-free” >> /etc/apt/sources.list
3. apt-get update
4. apt-get -y build-dep android-tools
5. apt-get -y source –build android-tools
6. dpkg -i android-tools-*.deb
7. cd ~
8. rm -rf /opt/android
9. sed -i ‘s/.*cachan\.fr.*//’ /etc/apt/sources.list

At command #6 I kept getting a “no space left on device” error, but running “apt-get clean” fixed that issue for me.  Once that’s done, you should be good to go.  Prep the USB drive like it says and follow the remaining instructions.

Once installed, open a root shell and hit enter a couple times, then type ‘yes’ when prompted to setup your ssh keys with a blank password (needed to run some of the scripts on the device).  Be sure to install the latest updates from pwnieexpress.com (it’s easiest to just browse there on your tablet and then copy/paste the wget command into a shell on the device.

Using RatProxy in Windows (Updated)

These instructions are largely copied from a post by SecureIdeas, but there were enough issues that I had to work through that I thought I’d post what was successful for me.   Using these instructions I was able to successfully install ratproxy on Windows XP SP3 and Windows 7 SP1, both 32-bit systems running in VMware Workstation.

Install Cygwin

1. Download the Cygwin installer from http://www.cygwin.com.
2. Run the Setup.exe installer.
3. Follow the on screen prompts, using the default is fine, until the Utilities screen appears.  Select the following packages:
   1. Select make from the devel package.
   2. Select gcc-core from the devel package.
   3. Search for “openssl” and select the following from the net package.
   • openssl-devel
   • libopenssl
   • openssl
4. Complete the installation.  This may take some time as it downloads all of the packages needed.

Install ratproxy

1. Download the package from http://code.google.com/p/ratproxy/.
2. Unzip the downloaded ratproxy distribution file into the Cygwin directory.  If cygwin was installed to C:\cygwin then ratproxy should be unzipped to C:\cygwin\ratproxy. 
3. Update Flare (used to decompile flash objects):
   1. For the latest instructions open the readme file in the \ratproxy\flare-dist directory.
   2. Open the URL for the Windows distribution and save the file.
   3. Unzip the file into the \ratproxy\flare-dist directory.
4. Open a Cygwin bash by double-clicking the C:\cygwin\Cygwin.bat file.
5. Navigate to the ratproxy directory.  If installed at C:\cygwin\ratproxy, type cd ../../ratproxy and press enter.
6. Type make and press enter.
   1. If you receive an error that looks like this: “ratproxy.c:1635: error: incompatible type for argument 2 of ‘waitpid'” the ratproxy.c file needs to be modified.
   2. Open ratproxy.c and modify line 1635 “while (waitpid(-1,&x,WNOHANG) > 0);” to be “while (waitpid(-1,(int*)&x,WNOHANG) > 0);“.
   3. run the make command again. This should run successfully.
7. Add cygwin to your path.
   1. Right-click “My Computer” and select “Properties”.
   2. Select “Advanced system settings” and then select “Environmental Variables”.
   3. Find the “Path” variable under “System Variables” and edit it.
   4. Add “;C:\Cygwin” (without the quotes) to the end of the “Variable Value”.

Before actually running ratproxy (after following the instructions on installing it), make sure that the following .dll files are in the ratproxy directory:

• cygcrypto-1.0.0.dll (if that’s the version of OpenSSL you installed)
• cyggcc_s-1.dll
• cygssl-1.0.0.dll
• cygwin1.dll
• cygz.dll

Simplify Running ratproxy

Also, I highly recommend using a batch file to simplify running the proxy, so you don’t have to remember which flags you like to use (just know that the batch file has to be located in the ratproxy directory, if you want it elsewhere, just create a shortcut).

Sample .bat file running RatProxy through Burp listening on 8080 (browser proxy points to RatProxy on 8081):

@echo off

rem default values
set logfilename=""
set domain=""

rem set base log file name and target domain
:setfilename
 set /p logfilename=Enter base log file name: 
 if %logfilename%=="" goto setfilename
 
:setDomain
 set /p domain=Enter target domain (www.domain.com): 
 if %domain%=="" goto setDomain

rem Run ratproxy
start "" "C:\cygwin\ratproxy\ratproxy.exe" ^
-w /cygdrive/c/temp/rp-logs/%logfilename%.log ^
-v /cygdrive/c/temp/rp-traces -d %domain% -p 8081 ^
-P 127.0.0.1:8080 -lextifscgjm

USB Wireless Adapter on a Kali Virtual Machine

To get started, Debian has incredibly helpful instructions on installing wireless adapters – I have a TP-LINK WN722N and used these instructions: http://wiki.debian.org/ath9k_htc.

After drivers are installed:

1. Connect your USB wireless adapter
2. Pass it through to your VM
3. Run ‘ifconfig wlan0 up’
4. To get started monitoring run ‘airmon-ng start wlan0’
5. Run ‘airodump-ng mon0’ to start listing all the wireless AP’s and probes being sent out

Extracting Certs and Keys from .pfx and using with sqlmap

I only had a .pfx file to work with and needed to extract the key and certificate in order to use sqlmap against a particular site. This site provided all the steps I needed to do that.

1. Extract private key:

   • openssl.exe pkcs12 -in file.pfx -nocerts -out privKey.pem

2. Extract certificate:

   • openssl.exe pkcs12 -in file.pfx -clcerts -nokeys -out cert.pem

3. Remove password from private key:

   • openssl.exe rsa -in privKey.pem -out private.pem

Once that is done run sqlmap with the following flags:

• sqlmap -u https://www.targeturl.com --auth-cert privatekey.pem,cert.pem

To save time typing in the key and cert locations, if in windows you can just drag the file into the command prompt (not sure about linux/mac).

Option 2:

If you have your client cert loaded into Burp, you could just use the sqlmap option ‘–proxy=”http://localhost:8080″&#8216; and have sqlmap go through Burp and then not worry about extracting certs/keys.  This would have been easier, but I found out about it later.  Good to know for the future.

Setup VNC Server in BT5 r3 KDE

1. Install vncserver – ‘apt-get install vnc4server’
2. Run – ‘vncserver’
3. Setup 8-character password
4. Edit xstartup – ‘vi ~/.vnc/xstartup’
5. Comment out entire file
6. Append the following three lines to the file:
   • export XKL_XMODMAP_DISABLE=1
   • exec ck-launch-session startkde
   • exec pcmanfm –desktop
7. Run – ‘vncserver -kill :1’
8. Run – ‘vncserver’

You then just need to install the free VNC Viewer on the client machine and make sure to add ‘:5901’ to the end of the IP address of your new vncserver.

VxWorks Debugging with BT5r3

I had to make a few modifications to the code referenced here in order to get it running in Backtrack 5 r3.

Download and extract the tarball

1. Download the tarball, extract to an easy to locate directory (e.g., /pentest/forensics/vxworks/).
2. Navigate to the directory and extract the files (‘tar zxvf filename.tar.gz’)

In the vxworks_mem_search.rb file, make sure the that you put the entire location to the vxworks_collide file in line 4, e.g.,

• require ‘/dir/dir/…/vxworks_collide’

To help with encoding issues, place the following at the beginning of the file

• # encoding: UTF-8

And then at the line where the file is reading the memory_data (“memory_data = File.read(input_file)”) add the following right after the closing parenthesis:

• .force_encoding(“ISO-8859-1”).encode(“utf-8”, replace: nil)

Save the file.

Run the file with the following command:

• ruby vmworks_mem_search.rb lookup.txt dump.mem (where dump.mem is the memory dumped using the corresponding metasploit exploit module)

Back|Track 5 64-bit KDE in VirtualBox – Failed to load module “vboxvideo”

When trying to run ‘startx’ with Back|Track 5 64-bit KDE iso running in VirtualBox I would get the following error – “Failed to load module ‘vboxvideo'”.  I had a heck of a time searching for solutions and ultimately gave up and just ran the 32-bit.  Today, however, I finally ran into a solution!  Simply remove the icon-cache and plasma cache files from /root/.kde/cache-root/ directory.    After you reboot, once BT5 is installed, remove the same files again, but this time from the /root/.kde/cache-bt/ directory.  In order to get VirtualBox Additions you’ll need to install the following packages:

source-linux-source

source-linux-headers

Run “prepare-kernel-sources” and then the VB additions install script.

 

Thanks goes out to leandrotami for posting this solution here.

 

 

Setting up Netbook to Dual Boot to Backtrack 4

I have an Eee PC 1000HA and have been wanting to get more familiar with Backtrack.  I was tempted to just wipe out the drive completely and run pure BackTrack, but that would probably be less effective for my wife who shares the laptop with me.

The box touts 160GB total, but that’s inflated by 20Gb (not to mention the wrong calculation of GB – 160,000,000,000 Bytes (what retailers say is 160 GB) is really only 149 GigaBytes).  The break down of partitions ends up being

1. 80 GB for the main partition, with XP installed on it
2. 60 GB as an empty partition
3. 9 GB as the emergency recovery drive
4. 41 MB as something unidentifiable – I’m assuming this is just leftovers that didn’t fit somewhere

The tutorial on offensive-security.com showed the capability of choosing a guided-partition resize option, that let you drag a little bar to tell it how much space you wanted allocated for the install.  Well, all i got was either an option to format the whole hard drive or manually edit the partition tables.  I ended up taking the crash course in hard drive partitioning.

I figured I’d install Backtrack on part of the 60GB and freaked out when I sized it to 40GB, that the other 20GB became unusable.  After doing some research I found that I could easily extend the 40GB partition to fill up the 20GB, but with there being already 4 primary partitions, I couldn’t split it up, at least with the GUI provided.  So I went with a 60GB BackTrack partition with 1GB of swap memory.

So the final distribution ends up being 80GB for windows, 10GB for the emergency recovery, 59GB, about 1GB for swap.  I created a logical partition for the swap since it didn’t matter.

On the last stage of the installation, under the Advanced menu I left the boot loader device selection at default (hd0).

In theory, this should work.  But it didn’t for me (I got a little excited and posted this before I actually rebooted my computer).  The Grub boot loader never displayed on start-up.

What did end up working was to copy the /boot and /casper directories to my main hard drive and install Grub for windows (with some changes to the boot.ini and BackTrack menu.lst file).  Check out John’s very clear description here (written for BackTrack 4 Pre-Final, but it worked for me with the final release of 4).