USB Wireless Adapter on a Kali Virtual Machine

July 3, 2013

To get started, Debian has incredibly helpful instructions on installing wireless adapters – I have a TP-LINK WN722N and used these instructions: http://wiki.debian.org/ath9k_htc.

After drivers are installed:

  1. Connect your USB wireless adapter
  2. Pass it through to your VM
  3. Run 'ifconfig wlan0 up'
  4. To start monitoring, run 'airmon-ng start wlan0'
  5. Run 'airodump-ng mon0' to start listing all the wireless APs and the probes being sent out

Logging Attack Traffic

June 11, 2013

When performing a test, it is important that you log all your activity so that you have proof of what you were doing, in case anything goes awry (and it is not your fault!). Here are a couple of methods of logging activity:

  • Wireshark: before you start capturing data, in the Capture Options window select “Use multiple files” and in the “Next file every” field specify the upper limit of the file size that you desire (a new file will be created once the current file reaches that limit) – see image below.
  • Tshark (found in the c:\program files\wireshark directory): c:\program files\Wireshark\tshark.exe -i [interface] -w [base file name] -b filesize:[file size in KB] -p [-p disables promiscuous mode, which restricts the capture to the current VM's own traffic; without it, traffic for all VMs on the shared segment will be captured]
    • This option doesn’t put as much strain on your machine as using Wireshark does
  • tcpdump: tcpdump -i [interface, use ‘tcpdump -D’ to get list] -w [base file name] -C [file size in MB]
    • Another low resource option

[Image: Wireshark Capture Options window with “Use multiple files” and “Next file every” set]

Extracting Certs and Keys from .pfx and using with sqlmap

June 5, 2013

I only had a .pfx file to work with and needed to extract the key and certificate in order to use sqlmap against a particular site. This site provided all the steps I needed to do that.

  1. Extract private key:
    • openssl.exe pkcs12 -in file.pfx -nocerts -out privKey.pem
  2. Extract certificate:
    • openssl.exe pkcs12 -in file.pfx -clcerts -nokeys -out cert.pem
  3. Remove password from private key:
    • openssl.exe rsa -in privKey.pem -out private.pem

Once that is done run sqlmap with the following flags:

  • sqlmap -u https://www.targeturl.com --auth-cert private.pem,cert.pem

To save time typing in the key and cert locations, on Windows you can just drag the file into the command prompt (not sure about Linux/Mac).
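The three openssl steps above done with Ruby's OpenSSL bindings, as an added example that is not part of the original post, with the check worth doing before pointing sqlmap at the files: that the extracted private key actually belongs to the extracted certificate. The .pfx is constructed inline (self-signed, throwaway password) so the example runs offline; swap in your own file and password.

```ruby
require "openssl"

# Builds a throwaway client certificate and packages it as a .pfx (PKCS#12).
# Everything here is constructed for the example; use your real .pfx instead.
def build_constructed_pfx(password)
  key = OpenSSL::PKey::RSA.generate(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=constructed-client")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  OpenSSL::PKCS12.create(password, "client", key, cert).to_der
end

# Steps 1-3 of the post in one go: pull the key and certificate out of the
# .pfx and emit the key as unencrypted PEM (what "openssl rsa -in privKey.pem
# -out private.pem" produces), refusing to return a mismatched pair.
def extract_pem_from_pfx(pfx_der, password)
  p12 = OpenSSL::PKCS12.new(pfx_der, password) # raises PKCS12Error on a wrong password
  key = p12.key
  cert = p12.certificate
  raise "private key does not match certificate" unless cert.check_private_key(key)
  { private_pem: key.to_pem, cert_pem: cert.to_pem, subject: cert.subject.to_s }
end

# The same sanity check for files already extracted with openssl.exe, so a
# wrong file is caught here rather than as a failed TLS handshake in sqlmap.
def key_matches_cert?(private_pem, cert_pem)
  key = OpenSSL::PKey.read(private_pem)
  OpenSSL::X509::Certificate.new(cert_pem).check_private_key(key)
end
```

Write `out[:private_pem]` and `out[:cert_pem]` to files and pass them to `--auth-cert` in that order.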

Option 2:

If you have your client cert loaded into Burp, you could just use the sqlmap option ‘--proxy="http://localhost:8080"’ and have sqlmap go through Burp, and then not worry about extracting certs/keys. This would have been easier, but I found out about it later. Good to know for the future.

Setup VNC Server in BT5 r3 KDE

October 30, 2012
  1. Install vncserver – 'apt-get install vnc4server'
  2. Run – 'vncserver'
  3. Set an 8-character password
  4. Edit xstartup – 'vi ~/.vnc/xstartup'
  5. Comment out the entire file
  6. Append the following three lines to the file:
    • export XKL_XMODMAP_DISABLE=1
    • exec ck-launch-session startkde
    • exec pcmanfm --desktop
  7. Run – 'vncserver -kill :1'
  8. Run – 'vncserver'

You then just need to install the free VNC Viewer on the client machine and make sure to add ‘:5901’ to the end of the IP address of your new vncserver.

VxWorks Debugging with BT5r3

October 24, 2012

I had to make a few modifications to the code referenced here in order to get it running in Backtrack 5 r3.

Download and extract the tarball

  1. Download the tarball, extract to an easy-to-locate directory (e.g., /pentest/forensics/vxworks/).
  2. Navigate to the directory and extract the files ('tar zxvf filename.tar.gz')

In the vxworks_mem_search.rb file, make sure that you put the full path to the vxworks_collide file in line 4, e.g.,

  • require '/dir/dir/…/vxworks_collide'

To help with encoding issues, place the following at the beginning of the file:

  • # encoding: UTF-8

And then at the line where the file reads the memory data ("memory_data = File.read(input_file)"), add the following right after the closing parenthesis:

  • .force_encoding("ISO-8859-1").encode("utf-8", replace: nil)

Save the file.

Run the file with the following command:

  • ruby vxworks_mem_search.rb lookup.txt dump.mem (where dump.mem is the memory dumped using the corresponding Metasploit exploit module)
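Why the force_encoding/encode change above is needed and what it does to the search results, as an added example that is not code from the original post or from the vxworks_mem_search.rb script. DUMP is a constructed stand-in for dump.mem; the binary alternative at the end is an assumption about how one would avoid the transcoding rather than the post's approach.

```ruby
# Constructed stand-in for dump.mem: pointer-like high bytes around two ASCII
# strings. A real dump from the exploit module is just a bag of bytes too.
DUMP = "\x00\x10\x80\xFF".b + "admin:secret".b + "\xC3\x28\x00".b + "login".b

# What File.read hands back under a UTF-8 locale: the same bytes, labelled UTF-8.
def read_as_utf8
  DUMP.dup.force_encoding("UTF-8")
end

# A regex search on the mislabelled dump raises before it finds anything,
# because the high bytes are not valid UTF-8 sequences.
def naive_scan(pattern)
  read_as_utf8.scan(pattern)
rescue ArgumentError => e
  e.message
end

# The post's fix: relabel as ISO-8859-1 (every byte is a valid character there),
# then transcode to UTF-8 so later string operations stop raising.
def latin1_to_utf8
  DUMP.dup.force_encoding("ISO-8859-1").encode("utf-8", replace: nil)
end

# Every start offset of needle in haystack, via String#index.
def all_offsets(haystack, needle)
  offsets = []
  pos = 0
  while (i = haystack.index(needle, pos))
    offsets << i
    pos = i + 1
  end
  offsets
end

# Character offsets in the transcoded string equal byte offsets in the dump:
# each Latin-1 byte became exactly one (possibly two-byte) UTF-8 character,
# so the transcoded string is longer in bytes but not in characters.
def find_char_offsets(needle)
  all_offsets(latin1_to_utf8, needle)
end

# Alternative (assumed, not from the post): keep the dump binary, as
# File.binread returns it, and search the bytes; offsets are then byte offsets.
def find_byte_offsets(needle)
  all_offsets(DUMP, needle.b)
end
```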

Back|Track 5 64-bit KDE in VirtualBox – Failed to load module “vboxvideo”

August 15, 2011

When trying to run ‘startx’ with the Back|Track 5 64-bit KDE ISO running in VirtualBox I would get the following error – “Failed to load module ‘vboxvideo’”. I had a heck of a time searching for solutions and ultimately gave up and just ran the 32-bit. Today, however, I finally ran into a solution! Simply remove the icon-cache and plasma cache files from the /root/.kde/cache-root/ directory. After you reboot, once BT5 is installed, remove the same files again, but this time from the /root/.kde/cache-bt/ directory. In order to get VirtualBox Additions you’ll need to install the following packages:

  • source-linux-source
  • source-linux-headers

Run “prepare-kernel-sources” and then the VB additions install script.

Thanks goes out to leandrotami for posting this solution here.

Internet/Computer Security Advice

August 27, 2010

I’ve been thinking a lot about how I’d really like to help those around me have a better understanding of internet/computer security.  Here are some common and simple things to keep in mind.  Please let me know in the comments if there’s anything that isn’t terribly clear.

Opening Ports in Windows 7 Firewall

March 1, 2010

Maximumpcguides.com offers a very easy-to-follow guide on opening a port in Windows 7’s firewall. I had thought that simply setting up a service to run, making sure that service was listed as “approved” in the firewall, and making sure my router had the port open would be enough. Sadly, it was not that simple. One tool that helped me realize that this was the problem was uTorrent’s port checker URL: http://www.utorrent.com/testport?port=80. Simply change the port number at the end of the URL to test whether the port is open on your firewall. If it isn’t, follow the above guide.

Here are the steps I followed, in case the above mentioned guide becomes unavailable:

  1. Browse to the Advanced Settings of the Windows Firewall
  2. Select Inbound Rules in the left column
  3. Select New Rule in the right column
  4. Select Port in the rule wizard
  5. List the port(s) that you want opened
  6. Select Allow the Connection
  7. Specify where you would like the rule applied
  8. Name the rule and click Finish.

Setting up Netbook to Dual Boot to Backtrack 4

January 15, 2010

I have an Eee PC 1000HA and have been wanting to get more familiar with Backtrack. I was tempted to just wipe the drive completely and run pure BackTrack, but that would probably be less effective for my wife, who shares the laptop with me.

The box touts 160GB total, but that’s inflated by 20 GB (not to mention the wrong calculation of GB – 160,000,000,000 bytes (what retailers say is 160 GB) is really only 149 gigabytes). The breakdown of partitions ends up being:

  1. 80 GB for the main partition, with XP installed on it
  2. 60 GB as an empty partition
  3. 9 GB as the emergency recovery drive
  4. 41 MB as something unidentifiable – I’m assuming this is just leftovers that didn’t fit somewhere

The tutorial on offensive-security.com showed the capability of choosing a guided-partition resize option that let you drag a little bar to tell it how much space you wanted allocated for the install. Well, all I got was either an option to format the whole hard drive or manually edit the partition tables. I ended up taking the crash course in hard drive partitioning.

I figured I’d install Backtrack on part of the 60GB and freaked out when, after sizing it to 40GB, the other 20GB became unusable. After doing some research I found that I could easily extend the 40GB partition to fill up the 20GB, but with there already being 4 primary partitions, I couldn’t split it up, at least with the GUI provided. So I went with a 60GB BackTrack partition with 1GB of swap memory.

So the final distribution ends up being 80GB for Windows, 10GB for the emergency recovery, 59GB for BackTrack, and about 1GB for swap. I created a logical partition for the swap since it didn’t matter.

On the last stage of the installation, under the Advanced menu I left the boot loader device selection at default (hd0).

In theory, this should work.  But it didn’t for me (I got a little excited and posted this before I actually rebooted my computer).  The Grub boot loader never displayed on start-up.

What did end up working was to copy the /boot and /casper directories to my main hard drive and install Grub for windows (with some changes to the boot.ini and BackTrack menu.lst file).  Check out John’s very clear description here (written for BackTrack 4 Pre-Final, but it worked for me with the final release of 4).

XSS: Cross Site Scripting

November 10, 2009

To better understand what scanning tools are looking for I’ve been doing some research on Cross Site Scripting (XSS) and Injection exploits (SQL and Command to be covered in a future post). The types of XSS I’ve run across are reflected and stored – with numerous variations of each.

Reflected XSS

According to OWASP.org:

Reflected attacks are those where the injected code is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other web server. When a user is tricked into clicking on a malicious link or submitting a specially crafted form, the injected code travels to the vulnerable web server, which reflects the attack back to the user’s browser. The browser then executes the code because it came from a “trusted” server.

Stored XSS

From the same article, OWASP.org:

Stored attacks are those where the injected code is permanently stored on the target servers, such as in a database, in a message forum, visitor log, comment field, etc. The victim then retrieves the malicious script from the server when it requests the stored information.

Countermeasures

One of the most important countermeasures for XSS and many other vulnerabilities is data validation. If you let users enter whatever they want to in your web app, they will, and you and your users will be adversely affected by it. I won’t copy down all the countermeasures, but here are some sites with useful info:

Hands-on Practice

I used IronGeek’s Mutillidae and OWASP’s WebGoat to gain a better understanding of what XSS is and how to safeguard against it. Mutillidae is a lot simpler and more straightforward (though you’ll need something like XAMPP to get it started); I’d suggest using it first, and then WebGoat (downloads with Tomcat and Java – all you have to do is launch a .bat file) won’t be as perplexing.

RSnake provides a quite comprehensive list of the numerous ways XSS can be executed in his XSS Cheat Sheet (all examples use the generic alert(XSS!); example, but you can easily exercise your imagination a little bit).
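To tie the reflected XSS description and the countermeasures section together, here is an added example (not code from the original post, Mutillidae, or WebGoat) of a minimal search page rendered the vulnerable way and the hardened way, with the alert probe from the cheat sheet as input. It adds output encoding alongside the data validation the post names; the page layout and the allow-list pattern are assumptions for the example.

```ruby
require "cgi"

# Vulnerable: the query parameter is echoed into the page untouched, so a
# crafted link carrying markup is executed by the victim's browser.
def render_search_vulnerable(query)
  "<p>Results for: #{query}</p>"
end

# Hardened, layer 1: output encoding turns <, >, &, " and ' into entities,
# so whatever was typed is displayed as text rather than parsed as HTML.
def render_search_encoded(query)
  "<p>Results for: #{CGI.escapeHTML(query)}</p>"
end

# Hardened, layer 2: input validation with an allow-list (assumed shape of a
# search term), rejecting anything else before it is used at all.
SEARCH_TERM = /\A[\p{Alnum} .,'-]{1,100}\z/

def valid_search_term?(query)
  !!(query =~ SEARCH_TERM)
end

# Both layers together: reject what is not a search term, encode the rest.
def render_search_hardened(query)
  return "<p>Invalid search term.</p>" unless valid_search_term?(query)
  render_search_encoded(query)
end

# Crude check a scanner effectively performs: did a <script> tag survive
# into the rendered page unencoded?
def script_tag_present?(html)
  html.include?("<script")
end
```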