Saturday, July 24, 2010

Remove duplicate entries in a file W/O sorting.

This is mainly for my own reference, however you may find it useful as well.

Remove duplicate entries in a file without sorting.

$ awk '!x[$0]++' FILE

where FILE is the name of the file to run on.

One can also use sort | uniq or sort -u, however these sort the lines into order.
With awk we simply remove the duplicates and keep the lines in their original order: x[$0]++ is zero the first time a line is seen, so only the first occurrence of each line is printed.
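As an added example (not from the original post), the awk one-liner beside sort -u on a constructed input, plus the same idiom keyed on one field, which is the general form of the trick: keep the first line seen for each value of a field (here, one line per host).

```shell
#!/bin/sh
# Added example, not from the original post: order-preserving de-duplication
# with awk, compared against sort -u, and generalized to a single field.

# Constructed sample: hosts from two scan passes, with repeats and an
# intentionally non-alphabetical order.
sample_hosts() {
    printf '%s\n' \
        '10.0.0.5 ssh' \
        '10.0.0.2 http' \
        '10.0.0.5 ssh' \
        '10.0.0.1 smtp' \
        '10.0.0.2 http' \
        '10.0.0.5 https'
}

# Whole-line de-duplication, first occurrence wins, order preserved.
# x[$0]++ is 0 the first time a line is seen, so !x[$0]++ is true only then.
dedup_lines() {
    awk '!x[$0]++' "$@"
}

# Same idea keyed on one field: keep the first line seen for each value of
# field N (with N=1 here: one line per host, whatever the service).
dedup_by_field() {
    field="$1"; shift
    awk -v f="$field" '!x[$f]++' "$@"
}

# Line count helper, for comparing the methods.
count_lines() { wc -l | tr -d ' '; }

if [ "${1:-}" = "demo" ]; then
    echo '--- awk, order preserved ---'
    sample_hosts | dedup_lines
    echo '--- sort -u, order changed ---'
    sample_hosts | sort -u
    echo '--- one line per host ---'
    sample_hosts | dedup_by_field 1
fi
```

Run with the argument demo to see the three outputs side by side.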


MySQL Security Assessment Script in BT4

So this is a short write-up on using the MySQL Security Assessment Script by Carlos Perez.

Of course you will need a MySQL database to target.
If you want a pre-made setup, get the Metasploitable package.

Grab a shell and navigate to the /pentest/database/mysqlaudit/ directory.
Then just run the script with no options to see its usage.

-----------------------------CODE---------------------------------------

root@bt:/pentest/database/mysqlaudit#./mysqlaudit.py

MySQL Security Assesment Script Version 1.0

By: Carlos Perez, carlos_perez[at]darkoperator.com
USAGE:
python ./mysqlaudit.py Targer IP User Password Report


Target : The system you whant to do the assement on, port 3306 should be open.
User : User account with DBA privelages on the server to use for the assesment.
Password : password for the user account.
Report : Name of text file to wich to write the report.

-----------------------------CODE--------------------------------------

Simple enough; the only thing you will need, of course, is the logon credentials.
This time we will run the scan against our Metasploitable setup and see what happens.

-----------------------------CODE--------------------------------------

root@bt:/pentest/database/mysqlaudit# ./mysqlaudit.py 192.168.2.103 root root /tmp/msqlauditreport.txt
root@bt:/pentest/database/mysqlaudit#

-----------------------------CODE--------------------------------------

To see what our report contains we can either open it in a text editor or cat it back to the screen.
Since the report is quite long I will only show a little of it here.
-----------------------------CODE--------------------------------------

root@bt:/pentest/database/mysqlaudit# cat /tmp/msqlauditreport2.txt | less

Severity: High

Description:

MySQL authentication is based on usernames and passwords stored in a table

called mysql.user. To create a user, a row is added to this table. MySQL
also supports wildcards and blank values in the USERNAME and HOST fields of
the table. By indicating a blank username and a blank password, you allow
anonymous access to the MySQL database.
Solution:

To remove the anonymous user, run the following commands:
shell> mysql -u root [password]
mysql> DELETE FROM mysql.user WHERE User = '';

Anonymous user was found

User Connection Location
anonymous ---->localhost
anonymous ---->ubuntu804-base

-----------------------------CODE-------------------------------------

As you can tell, there is a high-severity flaw in our setup.
So this tool lets a penetration tester target MySQL databases and determine some basics about the security of the system.
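As an added example (not part of the original post or of mysqlaudit.py), the defender's side of the anonymous-account finding above: the account query and the remediation as reviewable SQL text, a tally of a report's findings by severity, and a parser for the "anonymous ---->host" rows. The live check assumes a mysql client on PATH and reads the password from MYSQL_PWD.

```shell
#!/bin/sh
# Added example, not part of the original post or of mysqlaudit.py: a
# defender-side check for the anonymous-account finding. The SQL is built as
# text so it can be reviewed before it is run; the live check only happens
# when a mysql client is on PATH (assumption; not available offline).

# List the accounts the report description warns about: blank (anonymous)
# users, and users whose Host is the wildcard '%' and so may connect from anywhere.
risky_accounts_sql() {
    printf '%s\n' "SELECT User, Host FROM mysql.user WHERE User = '' OR Host = '%';"
}

# The DELETE the report suggests, plus FLUSH PRIVILEGES, which the report
# omits: a direct edit of mysql.user only takes effect after the grant
# tables are reloaded (or the server restarts).
remove_anonymous_sql() {
    printf '%s\n' \
        "DELETE FROM mysql.user WHERE User = '';" \
        "FLUSH PRIVILEGES;"
}

# Tally a mysqlaudit report's findings by their "Severity:" line, e.g. "High 1".
count_by_severity() {
    awk '/^Severity:/ { n[$2]++ } END { for (s in n) print s, n[s] }' "$@"
}

# Pull the connection locations of the anonymous account out of a report,
# using the "anonymous ---->host" rows shown in the excerpt above.
anonymous_hosts_from_report() {
    awk -F'---->' '/^anonymous ---->/ { print $2 }' "$@"
}

# Run the account query against a live server. Usage: live_check host user
# (password taken from MYSQL_PWD so it does not appear in the process list).
live_check() {
    command -v mysql >/dev/null 2>&1 || { echo "mysql client not found" >&2; return 2; }
    risky_accounts_sql | mysql -h "$1" -u "$2" --batch --skip-column-names
}
```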

Have fun.

Friday, July 23, 2010

Converting Metasploitable for Virtualbox

So this is not a typical BackTrack post, but one on converting the Metasploitable VMware image to one that works with VirtualBox. There are other ways of converting .vmdk files to .vdi ones, but none of them seemed to work for me. This was all done on an Ubuntu machine; you could do the same on other systems. If you don't have or know about Metasploitable, check the above link. So grab a copy here and then extract the zip archive.

Go to a shell and install qemu. This is another virtualization product, but all we need from it is the qemu-img tool; once we are done you can remove it.

-----------------------------------CODE---------------------------------------
amael@ubuntudork:~$ sudo aptitude install qemu
-----------------------------------CODE---------------------------------------

Once this is done, run the following command.
NOTE: this may take some time to complete.

-----------------------------------CODE---------------------------------------
amael@ubuntudork:/tmp/Metasploitable$ qemu-img convert /tmp/Metasploitable/metasploitable.vmdk metasploitable.bin
-----------------------------------CODE-------------------------------------

This converts the .vmdk to a raw disk image (qemu-img's default output format); then we convert that raw image to a VirtualBox .vdi file.

-----------------------------------CODE-------------------------------------
amael@ubuntudork:/tmp/Metasploitable$ VBoxManage convertdd metasploitable.bin metasploitable.vdi

Sun VirtualBox Command Line Management Interface Version 3.0.14
(C) 2005-2010 Sun Microsystems, Inc.
All rights reserved.
Converting from raw image file="Metasploitable.bin" to file="Metasploitable.vdi"...
Creating dynamic image with size 8589934592 bytes (8192MB)...
-----------------------------------CODE-------------------------------------

Once this is finished you are now ready to use Metasploitable in Virtualbox.
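As an added example (not from the original post), the two conversion steps wrapped in a script with the checks a careful operator adds: tools present, input readable, enough free space for the raw intermediate (which is as large as the virtual disk, 8 GB for Metasploitable), and cleanup of that intermediate afterwards. It assumes qemu-img and VBoxManage on PATH and uses convertfromraw, the current name of the convertdd command shown above.

```shell
#!/bin/sh
# Added example, not from the original post: the two conversion steps
# wrapped in a script with sanity checks. Assumes qemu-img and VBoxManage on PATH.

# Fail with a message unless the named command is available.
require_tool() {
    command -v "$1" >/dev/null 2>&1 && return 0
    echo "missing tool: $1" >&2
    return 1
}

# Virtual size of a disk image in bytes, as printed by "qemu-img info".
virtual_size_bytes() {
    qemu-img info "$1" | sed -n 's/^virtual size:.*(\([0-9]*\) bytes).*/\1/p'
}

# Free bytes on the filesystem holding DIR (df -kP reports 1K blocks).
free_bytes() {
    df -kP "$1" | awk 'NR == 2 { printf "%.0f\n", $4 * 1024 }'
}

# Usage: convert_vmdk_to_vdi input.vmdk output.vdi
convert_vmdk_to_vdi() {
    vmdk="$1"; vdi="$2"; raw="${vdi%.vdi}.raw"
    require_tool qemu-img && require_tool VBoxManage || return 1
    [ -r "$vmdk" ] || { echo "cannot read $vmdk" >&2; return 1; }
    need=$(virtual_size_bytes "$vmdk")
    have=$(free_bytes "$(dirname "$vdi")")
    # The raw intermediate occupies the full virtual disk size on disk.
    [ "$have" -gt "$need" ] 2>/dev/null || {
        echo "need $need bytes free for the raw image, have $have" >&2; return 1; }
    # Step 1: VMDK -> raw. Raw is qemu-img's default output, stated explicitly here.
    qemu-img convert -O raw "$vmdk" "$raw" || return 1
    # Step 2: raw -> VDI. convertfromraw is the current name of convertdd.
    VBoxManage convertfromraw "$raw" "$vdi" || { rm -f "$raw"; return 1; }
    rm -f "$raw"
    echo "created $vdi"
}
```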

So go ahead and set up a new machine. You can find many guides on doing this on the net.
Basically you just need to point VirtualBox at the newly created Metasploitable.vdi file.

You may want to edit some of the settings. For my setup I had to ensure that the Extended Features "Enable PAE/NX" box was checked. This is located under Settings > System > Processor. The first time I booted without this it did not work.

It is also a good idea to ensure that this machine is configured for "Host-only" networking so that it is not exposed to the internet.

So there you have it.

That's pretty much it. Have fun.

Wednesday, July 21, 2010

Update bt4-customise.sh script

So after someone noticed on the forums that the bt4-customise.sh script needs to be edited in order to work with the new .iso, I decided to write this post on what needs to be changed.


First grab the script and open it with your favorite editor.
------------------------------CODE-------------------------------------
# nano bt4-customise.sh
------------------------------CODE------------------------------------
Then, at the top around line 3, change
------------------------------CODE------------------------------------
btisoname=bt4-pre-final.iso
------------------------------CODE------------------------------------
to the new .iso name. For BT4 final that is bt4-final.iso, so the line becomes
------------------------------CODE------------------------------------
btisoname=bt4-final.iso
------------------------------CODE------------------------------------

Save, exit and that's it.

Have fun.

Monday, July 19, 2010

how-to, brutessh.py in BT4

Fast and simple guide to using brutessh.py in BT4.

Standard disclaimer applies: don't be stupid and do things that will get you put in jail, etc.

OK, as the name implies, brutessh.py is a Python-based brute-force tool for SSH.
It takes the target details on the command line and uses a dictionary to try to brute-force the SSH login. Pretty simple.

Grab a shell and change to the brutessh directory.
-------------------------------------CODE------------------------------------------------------------------

root@bt:/pentest/passwords/brutessh#

-------------------------------------CODE----------------------------------------------------------------
Check out the readme for more info.
-------------------------------------CODE----------------------------------------------------------------

root@bt:/pentest/passwords/brutessh# cat README

-------------------------------------CODE----------------------------------------------------------------
An easy and safe way to try the tool is to make a small dictionary file in the same directory containing a few words plus your own SSH password, and run it against localhost.

Now run it.
-------------------------------------CODE----------------------------------------------------------------
root@bt:/pentest/passwords/brutessh# python brutessh.py -h localhost -u root -d dict

*************************************
*SSH Bruteforcer Ver. 0.2 *
*Coded by Christian Martorella *
*Edge-Security Research *
*laramies@gmail.com *
*************************************

HOST: localhost Username: root Password file: dict
===========================================================================
Trying password...
Times -- > Init: 0.15 End: 3.35
Auth OK ---> Password Found: 123abc$$
root@bt:/pentest/passwords/brutessh#
-------------------------------------CODE----------------------------------------------------------------
Of course that's not the real password!

It obviously didn't take that long: 3.35 seconds.

So there you have it. Quick, fast, and easy. Actually I don't believe it gets easier than that.
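As an added example (not from the original post or from brutessh), the defender's view of the run above: a dictionary attack like the one shown leaves a burst of "Failed password" lines in the SSH server's auth log, and a successful one is followed by an "Accepted password" from the same source. The log lines are constructed in the OpenSSH/syslog style; the threshold is an assumed tuning value.

```shell
#!/bin/sh
# Added example, not from the original post or from brutessh: count SSH
# password failures per source and flag sources that succeeded after a
# burst of failures. Log lines are constructed, not real data.

sample_auth_log() {
    cat <<'EOF'
Jul 19 10:01:02 bt sshd[2111]: Failed password for root from 127.0.0.1 port 40211 ssh2
Jul 19 10:01:02 bt sshd[2111]: Failed password for root from 127.0.0.1 port 40211 ssh2
Jul 19 10:01:03 bt sshd[2112]: Failed password for root from 127.0.0.1 port 40212 ssh2
Jul 19 10:01:03 bt sshd[2113]: Failed password for invalid user admin from 10.0.0.9 port 50001 ssh2
Jul 19 10:01:04 bt sshd[2114]: Accepted password for root from 127.0.0.1 port 40213 ssh2
Jul 19 10:05:00 bt sshd[2120]: Accepted publickey for amael from 10.0.0.5 port 50100 ssh2
EOF
}

# Failed password attempts per source address, "<count> <ip>" per line,
# most attempts first. The address is the word after "from".
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
         }
         END { for (ip in n) print n[ip], ip }' "$@" | sort -rn
}

# Sources with at least THRESHOLD failures that then logged in with a
# password: the trace a successful brute force leaves. Prints "<ip> <user>".
success_after_failures() {
    threshold="$1"; shift
    awk -v t="$threshold" '
        /sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i+1)]++
        }
        /sshd\[[0-9]+\]: Accepted password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
            for (i = 1; i <= NF; i++) if ($i == "for") user = $(i+1)
            if (fails[ip] >= t) print ip, user
        }' "$@"
}
```

Point either function at /var/log/auth.log (or pipe in journalctl output) to apply it to a real host; a key-based login, like the last sample line, is never flagged.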