Solving round robin DNS name with SSH Server hosts

Hi Guys !

After a long time, I'll try to keep the blog updated! 0/

So, recently I had a little problem with a round robin DNS name pointing to different SSH servers (different host key fingerprints): when the round robin rotates, the connection conflicts with the known_hosts file, because the fingerprint entry stored in the file is different.

So, to solve this little inconvenience, I wrote a little script!

Here is the example (;

-------------------cut-------------------

#!/usr/bin/expect --
# Ask for a server name, resolve it once with host(1) and connect to the
# address that came back, so known_hosts gets one entry per server IP instead
# of a single entry for the round robin name.

puts "Which server do you want to connect to?"
expect_user -re "(.*)\n"
send_user "\n"
set server $expect_out(1,string)

# Capture the first IPv4 address printed by host(1); \\. keeps the dots literal
spawn -noecho host $server
expect {
    -re "(\[0-9]{1,3})\\.(\[0-9]{1,3})\\.(\[0-9]{1,3})\\.(\[0-9]{1,3})" {}
    eof { send_user "Could not resolve $server\n"; exit 1 }
}
set ip "$expect_out(1,string).$expect_out(2,string).$expect_out(3,string).$expect_out(4,string)"

puts "Which is your username?"
expect_user -re "(.*)\n"
send_user "\n"
set username $expect_out(1,string)

stty -echo
spawn -noecho ssh $username@$ip
# On the first connection to a given address the host key is accepted
# unchecked; afterwards hand the session over to the user.
expect {
    "continue connecting" { send "yes\r"; exp_continue }
    "assword:" {}
    -re {[$#] $} {}
    eof { exit 1 }
    timeout {}
}
interact

-------------------cut-------------------
Feel free to improve!
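The script above gets around the conflict by connecting to the resolved IP, so each server behind the name ends up with its own known_hosts entry, with the first connection to each address accepted unchecked. Another way to handle a round robin is to store every member's key under the DNS name itself: known_hosts may hold several entries for one host, and ssh accepts the connection when any of them matches the key the server presents. The following Python script is an added example, not part of the post: it parses known_hosts (plain and hashed `|1|...` entries), reports which members of the rotation are pinned, which would trigger the changed-key conflict the post describes, and which lines to append (the keys would come from `ssh-keyscan <ip>` in practice). The name, addresses, keys and known_hosts text are constructed sample data.

```python
import base64
import fnmatch
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data (not from the post): a round-robin name with two
# members in the documentation address range, each with its own ed25519 key.
NAME = "shell.example.org"
IP_A = "198.51.100.10"
IP_B = "198.51.100.11"
KEY_A = "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
KEY_B = "AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
SALT = b"\x01" * 20  # fixed salt so the hashed entry below is reproducible


def hash_host(name, salt):
    """Build a hashed known_hosts host field: |1|base64(salt)|base64(HMAC-SHA1(salt, name))."""
    mac = hmac.new(salt, name.encode(), hashlib.sha1).digest()
    return "|1|{}|{}".format(base64.b64encode(salt).decode(),
                             base64.b64encode(mac).decode())


# Constructed known_hosts: KEY_A is pinned under the name and, hashed, under IP_A.
KNOWN_HOSTS = (
    f"{NAME} ssh-ed25519 {KEY_A}\n"
    f"{hash_host(IP_A, SALT)} ssh-ed25519 {KEY_A}\n"
)

# What each member presents today (in practice the output of ssh-keyscan <ip>).
MEMBERS = {IP_A: {"ssh-ed25519": KEY_A}, IP_B: {"ssh-ed25519": KEY_B}}


def _pattern_matches(pattern, name):
    # [host]:port forms are compared literally; fnmatch would read the
    # brackets as a character class.
    return name == pattern or ("[" not in pattern and fnmatch.fnmatchcase(name, pattern))


def host_field_matches(field, name):
    """True if a known_hosts host field (plain patterns or hashed) covers name."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = hmac.new(salt, name.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    patterns = field.split(",")
    # A matching negated pattern (!host) excludes the entry outright.
    if any(p.startswith("!") and _pattern_matches(p[1:], name) for p in patterns):
        return False
    return any(not p.startswith("!") and _pattern_matches(p, name) for p in patterns)


def keys_for(known_hosts_text, name):
    """Map key type -> set of key blobs stored for name (marker lines such as
    @cert-authority / @revoked are skipped here)."""
    pinned = defaultdict(set)
    for line in known_hosts_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#") or parts[0].startswith("@"):
            continue
        if host_field_matches(parts[0], name):
            pinned[parts[1]].add(parts[2])
    return dict(pinned)


def audit_round_robin(known_hosts_text, name, members):
    """Per member IP: 'pinned' if a presented key is stored under the name or the
    IP, 'conflict' if only a different key of that type is stored (the warning
    the post describes), 'missing' if nothing is stored at all."""
    under_name = keys_for(known_hosts_text, name)
    report = {}
    for ip, presented in members.items():
        under_ip = keys_for(known_hosts_text, ip)
        status = "missing"
        for ktype, blob in presented.items():
            stored = under_name.get(ktype, set()) | under_ip.get(ktype, set())
            if blob in stored:
                status = "pinned"
                break
            if stored:
                status = "conflict"
        report[ip] = status
    return report


def entries_to_add(known_hosts_text, name, members):
    """known_hosts lines that pin every member's key under the round-robin name."""
    under_name = keys_for(known_hosts_text, name)
    lines = []
    for ip in sorted(members):
        for ktype, blob in members[ip].items():
            if blob not in under_name.get(ktype, set()):
                lines.append(f"{name},{ip} {ktype} {blob}")
    return lines


if __name__ == "__main__":
    print(audit_round_robin(KNOWN_HOSTS, NAME, MEMBERS))
    for entry in entries_to_add(KNOWN_HOSTS, NAME, MEMBERS):
        print("append to ~/.ssh/known_hosts:", entry)
```

Run as-is it reports the second member as a conflict and prints the one line that, appended to known_hosts, lets ssh to the round robin name succeed against either server without answering "yes" to a new-key prompt.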

 

Posted in Network, Tools

OpenBSD+Squid+Dansguardian+ldap+Active Directory

This setup was tested with OpenBSD 5.1, squid-2.7-ldap, dansguardian-2.10.1.1 and Windows 2008 Server

I will show how to authenticate Squid Proxy against Active Directory using squid_ldap_auth and squid_ldap_group.

The basics are:

In squid.conf, put:

auth_param basic program /usr/local/libexec/squid_ldap_auth -v 3 -R -b dc=yourdomain,dc=com -D cn="Squid Authenticator",ou=IT,ou="Users and Groups",dc=yourdomain,dc=com -W /etc/squid/passfile -f sAMAccountName=%s 10.20.30.1

external_acl_type proxygroup %LOGIN /usr/local/libexec/squid_ldap_group -v 3 -R -b dc=yourdomain,dc=com -D cn="Squid Authenticator",ou=IT,ou="Users and Groups",dc=yourdomain,dc=com -W /etc/squid/passfile -f (&(sAMAccountName=%v)(memberof=cn=%a,ou=Internet,ou=Groups,ou=Organization,ou="Users and Groups",dc=yourdomain,dc=com)) 10.20.30.1

acl ad_auth proxy_auth REQUIRED
acl netaccess external proxygroup url_regex "/etc/squid/group"

…..

http_access deny !ad_auth
http_access allow netaccess

Quick explanation:

cn="Squid Authenticator" = display name of the user account in Active Directory

ou=...., ou... = recursive search up to the top of the domain

/etc/squid/passfile = contains the password of the Squid Authenticator account

10.20.30.1 = IP address of the Active Directory server

url_regex "/etc/squid/group" = if the group name contains spaces (example: Internet Access), put it into a file called group; if not, use:

acl netaccess external proxygroup InternetAccess
where InternetAccess is the name of the group

squid_ldap_group = used to authenticate users that belong to a specific group

dansguardian.conf

Uncomment:

authplugin = '/etc/dansguardian/authplugins/proxy-basic.conf'

Tips: Test the LDAP authenticators with the -d parameter; it is useful for debugging, and test them directly from the command line.
For squid_ldap_auth, the syntax is: username password
For squid_ldap_group, the syntax is: username group
To test a group with spaces from the shell, use: Internet%20Access
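The command-line tests above work because both helpers speak the same one-line-per-request protocol: Squid writes a request line on the helper's stdin and expects OK or ERR on its stdout, with each field URL-escaped (which is why a group with a space is typed as Internet%20Access). The script below is an added example, not part of the post or of Squid: it is a stand-in helper that answers that protocol from a constructed user and group table, useful for checking the squid.conf wiring (acl, http_access order, the group file) before the directory is reachable. Account names, passwords and group names in it are made up; the `auth`/`group` mode switch is the script's own convention.

```python
import hmac
import sys
from urllib.parse import unquote

# Constructed stand-ins for what the directory would answer (not real accounts):
# sAMAccountName -> password, and group display name -> member logins.
USERS = {"jdoe": "Winter2012!", "asmith": "s3cret"}
GROUPS = {"Internet Access": {"jdoe"}, "Admins": {"asmith"}}


def auth_reply(line):
    """Basic auth helper protocol (as spoken to squid_ldap_auth): one request
    per line, 'username password', both URL-escaped, answered with OK or ERR."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2:
        return "ERR"
    user, password = (unquote(p) for p in parts)
    expected = USERS.get(user)
    if expected is None:
        return "ERR"
    # Constant-time comparison of the password itself.
    return "OK" if hmac.compare_digest(expected.encode(), password.encode()) else "ERR"


def group_reply(line):
    """External ACL helper protocol (squid_ldap_group with %LOGIN):
    'username group [group ...]' -> OK if the user is in any listed group.
    Each field arrives URL-escaped, so 'Internet%20Access' is 'Internet Access'."""
    fields = [unquote(f) for f in line.split()]
    if len(fields) < 2:
        return "ERR"
    user, groups = fields[0], fields[1:]
    return "OK" if any(user in GROUPS.get(g, ()) for g in groups) else "ERR"


def serve(handler, reader=sys.stdin, writer=sys.stdout):
    """Run as a Squid helper: answer every request line until stdin closes."""
    for line in reader:
        writer.write(handler(line) + "\n")
        writer.flush()  # Squid waits for each answer; never leave it buffered


if __name__ == "__main__":
    mode = sys.argv[1] if len(sys.argv) > 1 else "auth"
    serve(group_reply if mode == "group" else auth_reply)
```

To try it by hand the same way the post tests the real helpers: `printf 'jdoe Internet%%20Access\n' | python3 fake_helper.py group` prints OK, and `printf 'jdoe wrong\n' | python3 fake_helper.py auth` prints ERR. Pointing `auth_param basic program` and the `external_acl_type` line at the script (with `auth` and `group` as the argument) exercises the rest of the configuration without touching the directory.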

That's it.

Posted in OpenBSD

Remote packet sniffing using SSH and Wireshark for analysis

Hello there!

In this brief tutorial, I will show how to capture remote traffic through SSH and analyse it with Wireshark.

The basics are:

$ mkfifo /tmp/remoteif
$ ssh root@yourserver "tcpdump -ni pflog0 -w - host 10.20.30.40" > /tmp/remoteif
$ wireshark -k -i /tmp/remoteif

* Tips: configure your remote user to use sudo to execute tcpdump. Configure root login without a password using keys.

A special thanks to my friend mentesan -> Muito Sapeca !

Posted in Network

Possible Bug at OpenBSD

Hello there,

My apologies, I'm working a lot and time is scarce. Soon I will be back to posting regularly.

For now, I will post a video with a possible bug that I discovered in OpenBSD.

Follow the video:

https://vimeo.com/46372893

 

I found another possible bug, a route issue, but it was on 5.0; I will do tests with 5.1 and, if it is confirmed, I will send it to bugs at openbsd dot org too.

:)

Regards to my friends Mauricio Gimenez, Cleiton (Clandestine) and Fabiano Matias (Bhior)

Hacking Life :D

Posted in OpenBSD

Simple stateful firewall with iptables

Today I was very, very nervous! Believe me! I am! So I decided to paste this simple script that I wrote a long time ago, but BELIEVE ME! It WORKS and is EFFECTIVE!

A brief summary of why I'm posting this script:
frw~ # iptables -nvL

Chain INPUT (policy ACCEPT 215K packets, 38M bytes)
Chain FORWARD (policy ACCEPT 4848K packets, 3768M bytes)
Chain OUTPUT (policy ACCEPT 78397 packets, 11M bytes)

This is what really matters at this moment! I will not show the rules of the INPUT and FORWARD chains, because the target of the rules is ACCEPT and the POLICY of the CHAIN IS ACCEPT too, thus, WHY RULES WITH ACCEPT!???? It makes no sense!

Alright, a simple script ...

# cat firewall.sh

#!/bin/bash
# Simple firewall
# Guilherme Hakme
# http://stuffresearch.tor.hu

ipt=$(which iptables)
# Set your interface here
iface="eth0"

# Flush all rules in the filter and nat tables (-F), delete user-defined chains (-X)
# and set the default POLICY back to ACCEPT

defaccept() {

$ipt -F
$ipt -X
$ipt -t nat -F
$ipt -t nat -X
$ipt -P INPUT ACCEPT
$ipt -P FORWARD ACCEPT
$ipt -P OUTPUT ACCEPT
}

# Default policy ;) (the firewall begins here ;))

defdrop() {

$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT DROP

# Allow local traffic on the loopback interface (127.0.0.1) and make it stateful

$ipt -A INPUT -i lo -j ACCEPT
$ipt -A OUTPUT -o lo -j ACCEPT

# Replies to connections this host opened may come back in; DNS, new outbound
# TCP connections and ping (echo request) may go out
$ipt -A INPUT -i $iface -m state --state RELATED,ESTABLISHED -j ACCEPT
$ipt -A OUTPUT -o $iface -p tcp --dport 53 -j ACCEPT
$ipt -A OUTPUT -o $iface -p udp --dport 53 -j ACCEPT
$ipt -A OUTPUT -o $iface -p tcp --syn -m state --state NEW -j ACCEPT
$ipt -A OUTPUT -o $iface -p icmp --icmp-type echo-request -j ACCEPT
$ipt -A OUTPUT -o $iface -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Allow the services this host runs (ssh on 22/tcp; the udp ports used by asterisk in this example)

dispserv() {

$ipt -A INPUT -i $iface -p tcp -m multiport --dports 22 -j ACCEPT
$ipt -A INPUT -i $iface -p udp -m multiport --dports 5000,8000:9000 -j ACCEPT
}

case "$1" in
start) defdrop && dispserv ;;
stop) defaccept ;;
reload) defaccept && defdrop && dispserv ;;
statefull) defaccept && defdrop ;;
test) defdrop && dispserv && sleep 40 && defaccept ;;
*) echo "Uso: $0 start, stop, reload, statefull, test" ;;
esac

This firewall is very, very simple and is designed to allow only the running services, in this example asterisk and ssh.
It permits DNS lookups and ping (echo request).
"statefull" accepts only connections initiated by the firewall itself.

Adjust it to your purposes and execute it:

# chmod +x firewall.sh
# ./firewall.sh start

# iptables -nvL

See the difference for yourself.

Posted in Network

Things to do with SSH

From Wikipedia:

Secure Shell (SSH) is a network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that it connects via a secure channel over an insecure network: a server and a client (running SSH server and SSH client programs, respectively).[1] The protocol specification distinguishes two major versions that are referred to as SSH-1 and SSH-2.

Now that we know what SSH is, let me show some things.

Imagine the following situation:

You are on a promiscuous network and you need to get your mail. The communication with the server is not encrypted, so someone sniffing the network traffic can get your username/password!

But you have an SSH service running somewhere (your home, a free shell, etc. ;-) )

Normally you provide a user/password. Of course you can use KEYS too!

# ssh user@server.com

Note: On a Windows machine, you can use PuTTY/plink. Google for it.....

We will encrypt the communication on the local network!

# ssh -L 127.0.0.1:2525:mailserver.com:25 user@server.com

Note: A shell will open on server.com; try passing -LNnf, which runs the session in the background. Remember: # man ssh

Explanation:

A local tunnel (local forward, parameter "-L") was created on the local computer at port 2525, using server.com to forward packets to mailserver.com at port 25.

Note: You need to be root to bind to a TCP port < 1024. In the example I used 2525.

On your computer, configure your mail client to get email from 127.0.0.1, port 2525.

Hmmm, can I do this the other way round? I'm asking because I can only read my mail from my job....

Of course you can!!!! Try changing -L to -R

# ssh -R 127.0.0.1:2525:mailserver.com:25 user@server.com

Explanation:

A remote tunnel (remote forward, parameter "-R") was created on the remote computer at port 2525, using YOUR HOST to forward packets to mailserver.com at port 25.

To finish, SSH as SOCKS

From Wikipedia:

Practically, a SOCKS server will proxy TCP connections to an arbitrary IP address as well as providing a means for UDP packets to be forwarded.

For this:

# ssh -DnNf 127.0.0.1:1080 user@server.com

Explanation:

A dynamic tunnel (dynamic forward, parameter "-D") was created locally at port 1080. All traffic, including udp protocol, will be forwarded to server.com

Configure your favourite browser to use a proxy: put 127.0.0.1 and port 1080, select SOCKS, type 5, and then open a website such as http://www.whatismyip.org and see the IP of your SSH server!

Tip: Combine the knowledge acquired here with the article published here: "Stay anonymous and SSH honeypot"

Bypass firewalls, etc.

If you have a tip, please comment and we will add it here. Contribute! Share your knowledge! :)

All traffic between the SSH SERVER and the SSH CLIENT is ENCRYPTED!

Happy hacking!

Posted in Information, Network

How to recover the MySQL root password

Five steps to recover the root password of a MySQL server

1. Stop the MySQL server

# /etc/init.d/mysql stop

2. Start the MySQL server without password

# mysqld_safe --skip-grant-tables &

3. Connect to the MySQL server using the mysql client

# mysql -u root

The output will be something like this:

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1 to server version: 5

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.


mysql>


4. Configure a new password for the root user

mysql> use mysql;
mysql> update user set password=PASSWORD("YOUR_PASSWORD_HERE") where User='root';
mysql> flush privileges;
mysql> quit;

5. Stop the MySQL processes.

# ps ax | grep mysql

* tip: stop mysqld_safe first

Example:

# kill -9 4456
# kill -9 4567

and then

# /etc/init.d/mysql start

Posted in Information

BACKTRACK-LINUX ON MOTOROLA ATRIX 4G

Hello there,
Last week I bought an Atrix 4G and wanted to run BT5 ARM on it.
Now I'm here, writing a little tutorial on how to do this. Basically it is easy, but it needs some tricks.
Let's go...

First, if you are a beginner in the Droid world, read a little. (On my first day with my Droid, I did a Power Up of the phone: -> BOOT FAILED) LoL.
A good place is XDA DEVELOPERS

In this link -> http://forum.xda-developers.com/show….php?t=1154600

Step 1 -> Download BT5 ARM from www.backtrack-linux.org/downloads
Step 2 -> You need to ROOT your DROID -> http://forum.xda-developers.com/show….php?t=1255548
Step 3 -> Unpack your BT ARM IMAGE and enter the directory.

Code:
# cd BT5-GNOME-ARM

# ls 
README  bootbt   bt5.img.gz  busybox  fsrw  installbusybox.sh  mountonly  unionfs

-> Unpack bt5.img.gz

Code:
# gunzip bt5.img.gz

By default the internal memory is a VFAT filesystem (and so is the SD card, if you used the Droid to format it), so we need to resize the image (bt5.img) to put it on VFAT, because the image cannot be bigger than 4GB (the VFAT filesystem does not permit this).

-> Create another "disk" smaller than 4GB

Code:
# dd if=/dev/zero of=bt5-new.img bs=1M count=3600

-> Create 2 directories

Code:
# mkdir OLD && mkdir NEW

-> Mount the original image

Code:
# mount -o loop bt5.img OLD
# df -i 
Filesystem            Inodes   IUsed   IFree IUse% Mounted on
.....
.....
.....
/dev/loop0            320000  266729   53271   84% /home/chaos/BT5-GNOME-ARM/OLD

-> Now format the new “disk”

Code:
# mke2fs -N 320000 bt5-new.img

-> Note that I used the same number of INODES as THE ORIGINAL IMAGE *

-> Mount the "disk" and copy the content of the ORIGINAL IMAGE TO the NEW IMAGE, unmount the images, delete the original image, rename the new image, gzip it and delete the bootbt script

Code:
# mount -o loop bt5-new.img NEW
# cp -a OLD/. NEW/      (-a keeps ownership, modes and symlinks; OLD/. also copies dotfiles)
# umount OLD
# umount NEW
# rm bt5.img
# mv bt5-new.img bt5.img
# gzip bt5.img
# rm bootbt

-> Create a new bootbt file with this content:

Code:
# bootbt: mount the BT5 image on $mnt, chroot into it and tear everything down when the shell exits
perm=$(id|cut -b 5)

if [ "$perm" != "0" ];then echo "This Script Needs Root! Type : su";exit;fi

busybox sysctl -w net.ipv4.ip_forward=1
export kit=/sdcard/BT5
export bin=/system/bin
export mnt=/data/local/mnt
export PATH=$bin:/usr/bin:/usr/local/bin:/usr/sbin:/bin:/usr/local/sbin:/usr/games:$PATH
export TERM=linux
export HOME=/root
losetup /dev/block/loop2 $kit/bt5.img
mount -o noatime -t ext2 /dev/block/loop2 $mnt
mount -t devpts devpts $mnt/dev/pts
mount -t proc proc $mnt/proc
mount -t sysfs sysfs $mnt/sys
echo "nameserver 8.8.8.8" > $mnt/etc/resolv.conf
echo "127.0.0.1 localhost bt5" > $mnt/etc/hosts
busybox chroot $mnt /bin/bash

# Reached when the chroot shell exits
echo "Stopping Backtrack on Atrix"
umount $mnt/dev/pts
umount $mnt/proc
umount $mnt/sys
umount $mnt/root/.gvfs
sleep 2
umount $mnt
losetup -d /dev/block/loop2

Code:
# chmod +x bootbt

-> From the README FILE <-

-> Go to your platform-tools directory and proceed to make a directory on the device to store BT5:

Code:
# ./adb shell
# mkdir /sdcard/BT5
# exit

-> If you ROOTED your Droid with ONE CLICK, you ALREADY HAVE BUSYBOX

-> Transfer the required BT5 files to the device:

Code:
# ./adb push fsrw /sdcard/BT5/
# ./adb push mountonly /sdcard/BT5/
# ./adb push bootbt /sdcard/BT5/
# ./adb push bt5.img.gz /sdcard/BT5/
# ./adb push unionfs /sdcard/BT5/

-> Uncompress the image and start BT5:

Code:
# ./adb shell
# su
# cd /sdcard/BT5
# gunzip bt5.img.gz
# sh bootbt

-> If all goes well, you'll be in the BT5 chroot:

root@localhost:/# ls /pentest/
backdoors database exploits passwords scanners stressing voip
cisco enumeration forensics python sniffers tunneling web

root@localhost:/# passwd

-> change your root password

-> change the startvnc script

Code:
root@localhost:/# vi /usr/bin/startvnc

-> THE CONTENT must be

Code:
#!/bin/bash
rm -rf /tmp/.X1*
export USER=root 
vncserver -geometry 960x540

-> change the stopvnc script

Code:
root@localhost:/# vi /usr/bin/stopvnc

-> the content MUST be

Code:
#!/bin/bash
export USER=root
vncserver -kill :1

-> CHANGE VNC PASSWORD

Code:
root@localhost:/# vncpasswd

-> Start your GUI and connect it

Code:
root@localhost:/# startvnc

-> USE ANDROID VNC FROM THE MARKET and connect to localhost, port 5901

ENJOY YOUR BACKTRACK-LINUX on your ATRIX

Posted in Network, Tools

Gentoo, W3AF, Python and scapy

Hello there,

In this little tutorial, I will show how to install scapy so that it coexists with multiple versions of Python under Gentoo Linux.

The "big" problem is that W3AF is designed to run under Python 2.6, and sometimes your default Python is a different version.

You can check which versions of Python your system has by typing:

# eselect python list

as well as set which one will be your default.

For example: your default Python is 2.7, so if you compile scapy it will be built for 2.7 and not for 2.6.
To solve this little problem, let's edit the scapy ebuild and put this:

# vim /usr/portage/net-analyzer/scapy/scapy-2.2.0-r1.ebuild

PYTHON_DEPEND="2:2.6"
SUPPORT_PYTHON_ABIS="1"
RESTRICT_PYTHON_ABIS="3.*"

and in the pkg_setup() function comment out this:

#       python_set_active_version 2

It is relatively easy to do.

Now generate a new digest, because if you try to compile, the md5sum will differ.

# ebuild /usr/portage/net-analyzer/scapy/scapy-2.2.0-r1.ebuild digest

Now compile:

# emerge scapy

Now run W3AF:

# python2.6 ./w3af_gui

Posted in Information

How to block TOR Network with OpenBSD and PF

1 - Fetch the Tor master nodes (used by Tor clients to fetch the exit node list)

* Trick seen in Network Security Hacks - hack #53

Download the Tor source and edit the following file:

mybox@knights ~/tor-0.2.1.26 $ vi src/or/config.c

Look for the function below:

add_default_trusted_dir_authorities(authority_type_t type)
{
int i;
const char *dirservers[] = {

"moria1 orport=9101 no-v2 "
"v3ident=D586D18309DED4CD6D57C18FDB97EFA96D330566 "
"128.31.0.39:9131 9695 DFC3 5FFE B861 329B 9F1A B04C 4639 7020 CE31",

"tor26 v1 orport=443 v3ident=14C131DFC5C6F93646BE72FA1401C02A8DF2E8B4 "
"86.59.21.38:80 847B 1F85 0344 D787 6491 A548 92F9 0493 4E4E B85D",

"dizum orport=443 v3ident=E8A9C45EDE6D711294FADF8E7951F4DE6CA56B58 "
"194.109.206.212:80 7EA6 EAD6 FD83 083C 538F 4403 8BBF A077 587D D755",
….
NULL
};

So the master Tor nodes are: 128.31.0.39, 86.59.21.38, 192.109.206.212, .....

2 - Now we need a list of Tor exit nodes, which can be obtained the following way:

Directly from the Tor website:

$ wget -q -O - --no-check-certificate https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=YOUR_IP_ADDRESS > index.html

or from the URL below; there is no need to supply your IP address (I'm not sure how it works) but the exit nodes are the same as the ones on the Tor website.

$ wget -q --no-check-certificate https://213.160.111.20/torlist/
( https://www.dan.me.uk/torlist/ )

The list is updated every hour. A good way would be to place the command in the crontab. We now have the Tor master nodes and the Tor exit nodes.

Let's enable the rules in OpenBSD/PF (pf.conf):

table <tormaster> { 128.31.0.39, 86.59.21.38, 192.109.206.212 }

* remember that more Tor masters exist; I put only some.

table <tornodes> persist file "/path/of/your/index.html"

the rules:

block in quick on $int_if to { <tormaster>, <tornodes> }
block in quick from { <tormaster>, <tornodes> }

* Don't forget to reload rules every one hour after get new exit nodes.
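The hourly cron job the post suggests is where things can go wrong quietly: a failed or truncated download of index.html would leave the table empty, and the `persist file` table is only read at ruleset load time. The script below is an added example, not part of the post: it fetches the list from the URL the post gives (with the TLS certificate verified rather than --no-check-certificate), keeps only valid routable addresses (dropping comment lines, blank lines and anything else such as an HTML error page), refuses to act on a suspiciously short list, writes the file atomically and then swaps the table contents in place with `pfctl -t tornodes -T replace -f`, so no full ruleset reload is needed. The table file path, the minimum-entry threshold and the sample download text are assumptions or constructed data.

```python
import ipaddress
import os
import subprocess
import tempfile
import urllib.request

# Assumed for this example: the post's pf.conf line
# 'table <tornodes> persist file "..."' is expected to point at TABLE_FILE.
EXIT_LIST_URL = "https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=YOUR_IP_ADDRESS"
TABLE_FILE = "/etc/pf/tornodes.txt"
TABLE_NAME = "tornodes"
MIN_ENTRIES = 100  # sanity floor: a real exit list is far longer than this

# Constructed sample of a download, mixing good lines with the junk we must skip.
SAMPLE_DOWNLOAD = """# This is a list of all Tor exit nodes (constructed sample)
128.31.0.39
86.59.21.38
10.1.2.3
not-an-address
<html>oops</html>
128.31.0.39
fd00::1
"""


def parse_exit_list(text):
    """Keep only syntactically valid, globally routable addresses (IPv4 or IPv6),
    de-duplicated and sorted; everything else is dropped instead of being fed
    to pfctl."""
    keep = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            ip = ipaddress.ip_address(line)
        except ValueError:
            continue
        if not ip.is_global:  # private, loopback, documentation ranges etc.
            continue
        keep.add(ip)
    return [str(ip) for ip in sorted(keep, key=lambda ip: (ip.version, int(ip)))]


def should_replace(entries, min_entries=MIN_ENTRIES):
    """Refuse a suspiciously short list (failed or truncated download): silently
    replacing a full table with an empty one would unblock everything."""
    return len(entries) >= min_entries


def write_table_file(entries, path=TABLE_FILE):
    """Write the list atomically so pf never loads a half-written file."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".tornodes.")
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(entries) + "\n")
    os.replace(tmp, path)


def reload_table(path=TABLE_FILE, table=TABLE_NAME):
    """Swap the table contents in place; no full ruleset reload needed."""
    subprocess.run(["pfctl", "-t", table, "-T", "replace", "-f", path], check=True)


def update(url=EXIT_LIST_URL, path=TABLE_FILE):
    with urllib.request.urlopen(url, timeout=30) as resp:  # certificate is verified
        entries = parse_exit_list(resp.read().decode("utf-8", "replace"))
    if not should_replace(entries):
        raise SystemExit(f"only {len(entries)} addresses fetched; keeping the old table")
    write_table_file(entries, path)
    reload_table(path)
    return len(entries)


if __name__ == "__main__":
    print(update(), "exit nodes loaded into table", TABLE_NAME)
```

Run it from cron once an hour in place of the bare wget line; because the old file is replaced only after a plausible list has been parsed, a network hiccup leaves the previous hour's table in force instead of an empty one.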

Happy blocking!

Posted in Network, OpenBSD