A couple posts down, I was parsing nslookup output to get hostnames. Even easier, use the host command. Its output for a reverse lookup looks like 4.3.2.1.in-addr.arpa domain name pointer host.example.com. so the hostname is the fifth space-separated field, which cut can pull out:
host <ip> | cut -d " " -f5
There will be a trailing period at the end of the name (the DNS root label), so just clean that up. Next is to get the IP and the hostname together in some easy format, like colon- or pipe-delimited.
Sometimes you gotta run a command lots of times. So let a loop do it. Here’s one example:
for ip in $(cat ips.txt); do
nslookup $ip >> nslookups.txt
done
This will take a file of IP addresses (ips.txt) and run nslookup on each IP and output the results to nslookups.txt. Or just remove the >> nslookups.txt if you want the output to the screen.
So today I had to convert IP addresses to hostnames. Seems easy enough, just use nslookup. But I had more than 400 IPs that needed to be converted. Ugh. So we need to do a little parsing.
First, take the IP addresses and get the host information. Let’s script this.
for ip in $(cat ips.txt); do
nslookup $ip >> nslookups.txt
done
This will do an nslookup for each of the IPs in the ips.txt file. Great! Now we need to parse it. This should be pretty easy: just look for "name =", except that when there isn't a hostname for an IP, "name =" doesn't appear at all. So instead we look for something that is always in the answer line, regardless of whether there is a hostname. The string "arpa" (from the in-addr.arpa reverse name) matches this. So the next step is to grep for that and then cut out the hostname, or whatever is in that field when there isn't one.
grep arpa nslookups.txt | cut -d " " -f3 > hostnames.txt
When this finishes, the hostnames.txt file will have one string per line, either the hostname or the word "can't" (the failure line nslookup prints is ** server can't find 4.3.2.1.in-addr.arpa: NXDOMAIN, and its third space-separated field is "can't"). At this point, do a find/replace for "can't" and make it blank, since there isn't a hostname for that IP.
Now you have two files, one with all the IPs and one with the hostnames. Put them in two Excel columns and match them up. There is one more problem here that I haven’t found a good solution for yet. Some of the IPs may have more than one hostname. So when you match up the columns in Excel, you’ll likely have more hostnames than IPs. Unfortunately the only solution I have so far is to read through the nslookups.txt file, find the entries with more than one hostname and then manually fix this in the Excel file. It takes a little bit of time, but definitely better than running nslookup manually hundreds of times.
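Putting the three posts above together (the host one-liner, the loop over ips.txt, and the nslookup parsing with its "more hostnames than IPs" problem), here is an added example of my own, not code from the original posts. It resolves a file of addresses and prints one ip|hostname line per address, so the two columns never drift apart: the trailing dot is stripped, an address with no PTR record gets an empty hostname field, and an address with several PTR records gets them comma-joined on its single line. The parser understands both host(1) and nslookup(1) output. The file name ips.txt and all the lookup output in the demo are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original posts. Bulk reverse DNS with one
# "ip|hostname" line per address. parse_lookup reads the lookup output for ONE
# address on stdin and prints "ip|name1,name2" (empty name part if no PTR).

# Usage: <output of `host IP` or `nslookup IP`> | parse_lookup IP
parse_lookup() {
    awk -v ip="$1" '
        # host(1):     4.3.2.1.in-addr.arpa domain name pointer host.example.com.
        /domain name pointer/ { add($5) }
        # nslookup(1): 4.3.2.1.in-addr.arpa<TAB>name = host.example.com.
        /\.arpa.*name = / { add($NF) }
        # NXDOMAIN lines ("Host ... not found", "** server cannot find ...")
        # match neither rule, so names stays empty for that address.
        function add(h) {
            sub(/\.$/, "", h)                        # drop the trailing root dot
            names = (names == "") ? h : names "," h  # several PTRs -> comma list
        }
        END { print ip "|" names }
    '
}

# Resolve every address in a file (one per line) and print ip|hostname lines.
# Pipe the result straight into a spreadsheet or sort/join it; no manual
# column matching needed because each address produces exactly one line.
resolve_file() {
    while IFS= read -r ip; do
        [ -z "$ip" ] && continue
        host "$ip" 2>/dev/null | parse_lookup "$ip"
    done < "$1"
}

# Offline demo on constructed lookup output (no network needed).
demo() {
    printf '4.3.2.1.in-addr.arpa domain name pointer web.example.com.\n' | parse_lookup 1.2.3.4
    printf 'Host 9.8.7.6.in-addr.arpa not found: 3(NXDOMAIN)\n' | parse_lookup 6.7.8.9
    printf '%s\n' '5.0.0.10.in-addr.arpa domain name pointer a.example.com.' \
                  '5.0.0.10.in-addr.arpa domain name pointer b.example.com.' | parse_lookup 10.0.0.5
    printf '8.8.8.8.in-addr.arpa\tname = ns.example.net.\n' | parse_lookup 8.8.8.8
}

demo
# To run for real: resolve_file ips.txt > resolved.txt
```

Because the join happens per address inside awk, the multiple-hostname case that needed hand-fixing in Excel becomes a single line with a comma-separated list, and a missing PTR shows up as an empty field rather than the word "can't".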
Had a little bit of trouble figuring it out, so adding the format that I found here:
# wfuzz -c -z file,/usr/files/userfile -z file,/usr/files/passfile --ntlm FUZZ:FUZ2Z https:///
In a nutshell, each -z payload maps to a placeholder in order: the first -z fills FUZZ, the second fills FUZ2Z, the third would fill FUZ3Z, and so on. Here the username list fills the user half of --ntlm user:pass and the password list fills the password half.
defaults write com.apple.screencapture location ~/Pictures/
Since this is a reference for when I forget:
export PATH=$PATH:<whatever else to add to the path>
Once sshdroid (https://play.google.com/store/apps/details?id=berserker.android.apps.sshdroid&hl=en) is installed on a rooted device, start zipping around, like in /data/user/0/<packagename>/shared_prefs
To log on, you might first need to turn off "Enable root" in SSHDroid. Then log in with ssh root@<ip> -p 2222 and simply su.
This is kinda cool. One way of enumerating usernames is to try a username against a login screen and have the error message tell you "That username doesn't exist." Or try to create a new account and have the system tell you "That username already exists." But if a site is coded properly, it won't give you that kind of info, making username enumeration (i.e. figuring out valid and existing usernames) harder. So how about figuring them out with a timing attack?
When a username and password are submitted to a site for checking, the application looks the username up in the database. If it finds the row, it then computes the password hash (bcrypt, PBKDF2 and friends are deliberately slow) and compares it against the stored one. If the username doesn't exist, many implementations skip the hashing entirely and just return the generic failure message. That skipped work shows up as a shorter response time. In a recent test, I created a list of 50 usernames and 5 were known good. I interspersed the valid usernames in with all the invalid ones. I used the same password for every attempt, and ran them through Burp Intruder. The result was that the five good ones returned the slowest response times. There was one invalid password mixed in, but out of the six slowest responses, my five valid usernames were right there. Knowing this, I could do some open source searches for potential usernames and test them against a login screen. I did also test usernames of varying length and it didn't change the results. Just in case of having a list with mostly valid usernames, I could also pad it with likely garbage usernames, things like "aaaaaaaaa" or "nekdhspfacshabdfks". This one will be fun to try again in future assessments.
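To make the timing difference concrete, here is an added example of my own, not code from the original post: a login check that returns early for unknown usernames, next to one that does the same amount of hash work whether or not the user exists. The user table, password and PBKDF2 iteration count are constructed for the demo; a real site would have its own store and hash function, but the shape of the fix (always run the slow hash against a dummy record when the username is not found) is the same.

```python
"""Username enumeration via login timing: a vulnerable check beside a
constant-work version.  Added example, not code from the original post.
Users, password, salts and ITERATIONS are made up for illustration."""
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # deliberately slow, as a real password hash should be


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user table: username -> (salt, stored hash). Only alice and bob exist.
_SALTS = {"alice": os.urandom(16), "bob": os.urandom(16)}
USERS = {u: (s, hash_password("correct horse battery staple", s)) for u, s in _SALTS.items()}

# A salt/hash for a user that does not exist, computed once at startup, so the
# hardened path can burn the same amount of time on unknown usernames.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy", _DUMMY_SALT)

hash_calls = 0  # instrumentation: how many times the slow hash ran


def login_vulnerable(username: str, password: str) -> bool:
    """Returns early for unknown users: no hash computed, so a fast response."""
    global hash_calls
    row = USERS.get(username)
    if row is None:
        return False
    salt, stored = row
    hash_calls += 1
    return hmac.compare_digest(hash_password(password, salt), stored)


def login_hardened(username: str, password: str) -> bool:
    """Always hashes, against a dummy record when the user does not exist."""
    global hash_calls
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    hash_calls += 1
    ok = hmac.compare_digest(hash_password(password, salt), stored)
    # The dummy record must never log anyone in, even if the guess happens to
    # match its password, so check membership explicitly.
    return ok and username in USERS


def hash_calls_for(login, username: str, password: str) -> int:
    """Run one login and return how many slow hashes it triggered."""
    global hash_calls
    hash_calls = 0
    login(username, password)
    return hash_calls


def time_login(login, username: str, password: str = "wrongpassword", rounds: int = 3) -> float:
    """Best-of-N wall-clock time for one login attempt, in seconds."""
    best = float("inf")
    for _ in range(rounds):
        t0 = time.perf_counter()
        login(username, password)
        best = min(best, time.perf_counter() - t0)
    return best


if __name__ == "__main__":
    # Same list shape as the post: known-good names mixed with garbage ones.
    candidates = ["aaaaaaaaa", "alice", "nekdhspfacshabdfks", "bob", "carol"]
    for name, fn in (("vulnerable", login_vulnerable), ("hardened", login_hardened)):
        print(name)
        for u in candidates:
            print(f"  {u:20s} {time_login(fn, u) * 1000:8.2f} ms")
```

Run it and the vulnerable column shows alice and bob an order of magnitude slower than the garbage names, which is exactly the signal Burp Intruder's response-time column exposes; the hardened column is flat. The dummy-hash trick is the standard mitigation, and it only works if the dummy record is hashed with the same algorithm and cost as real ones.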
In my first test, I worked with my manager. It was a web test and one that was pretty solid. However one fun thing was something I saw in a presentation at BSides Baltimore last week. A bad password policy may be a low finding. A lack of bad auth attempt lockout feature may be a low finding. A username enumeration may be a low finding. However, if a site has all three? That is a critical finding. If you can enumerate a list of valid usernames (just check LinkedIn for names and figure out the username format) and then throw the top 1000 passwords against a list of usernames, you’ll get in.
Some other stuff too, but also wrote the report and sent it in. Looking forward to the next one!
I got a job as a penetration tester, which I think is really exciting. It is a job that I get excited about. One that causes frustration and a feeling of accomplishment. I’ll officially start on April 11th. My plan is to track my progress here, and document things that I learn, in general.
I contacted some other friends who are pentesters and asked for their advice, ideas on things they wish they knew when they got started. I was given two great pieces of advice on things to read or study up on. One was to read the publications on GitHub from Cure53. Today I read their whitepaper on X-Frame-Options and various ways to still bypass the clickjacking protection it provides. I'm looking forward to reading the others, once I finish the other recommendation…The Tangled Web!