The good news is the device just got a lot better, there is now a pwn pi and you guessed right, it’s a pen test drop box distro using the raspberry pi as the hardware.

The disto includes:

SET, Fasttrack, kismet, aircrack-ng, nmap, dsniff, netcat, nikto, xprobe, scapy, wireshark, tcpdump, ettercap, hping3, medusa, macchanger, nbtscan, john, ptunnel, p0f, ngrep, tcpflow, openvpn, iodine, httptunnel, cryptcat, sipsak, yersinia, smbclient, sslsniff, tcptraceroute, pbnj, netdiscover, netmask, udptunnel, dnstracer, sslscan, medusa, ipcalc, dnswalk, socat, onesixtyone, tinyproxy, dmitry, fcrackzip, ssldump, fping, ike-scan, gpsd, darkstat, swaks, arping, tcpreplay, sipcrack, proxychains, proxytunnel, siege, sqlmap, wapiti, skipfish, w3af

I think this is really cool just because of the size of the pi and now you have a mini backtrack on it, this makes it really feasible to leave on a clients site hidden away doing all sorts of cool and scary things.

You can download it from here Link to download

“Geotagging (also written as GeoTagging) is the process of adding geographical identification metadata to various media such as a geotagged photograph or video, websites, SMS messages, QR Codes[1] or RSS feeds and is a form of geospatial metadata. This data usually consists of latitude and longitude coordinates, though they can also include altitude, bearing, distance, accuracy data, and place names.”

So in a nutshell this mean if you using a modern device that uses GPS your latitude and longitude coordinates could be stored in the picture that is taken.

From a security point of view this means if you upload a picture to Twitter from your phone, it could be possible for someone to find the location where that picture was taken, this was used recently to track down an anonymous hacker who posted a picture of his girlfriend online the FBI used the images latitude and longitude coordinates to locate where the picture was taken and a few days later he was arrested.

It just goes to show you should be careful when using smart devices and uploading images.

How to:
In order to get the information from the image here a quick and dirty PHP script:

link to article
Geo tagging used to find hacker

I wanted to try and answer this firstly by saying it depends, although it’s good to sit on the fence as I think if you are doing more network type Pen Testing then knowing how to code is not essential but can help. For example when you need to do something and you can write a really quick nasty bash file or python script to do it for you it saves you time, which as we all know is never on our side when doing a Pen Test. However I don’t think you need to know the ins and outs of programming in network security and I think Tom will agree with this. When it comes to web applications I think it’s a very different issue being able to understand code and write code is essential because you need to understand how the developer may have written code, for example if you are trying to bypass a log having a good understanding of who it may have be coded with, which can make it easy to find holes in the code and exploit it.

So when it comes to programming what should you learn? Well in a recent survey done in the UK by Robin Wood python was at the top of the list. This is what I am currently learning but everyone has their own choice I know Pen Testers who love Perl (yuck) and some who only code in ruby the language of Metasploit. I think the best thing to do is just to try and learn one language really well and go from there as it will be easy to pick up other languages up once you know the basic of ifs,loops,variables so on. Many people pick Python as their starting points and there are lots great resources out there for all programming languages.

1) Attend conferences and network this is really easy to do depending on where you are in the World. There are loads of conferences in the USA and Europe, some are free and some require you to purchase a ticket. The great thing about conferences is that it’s full of security folks who love nothing more than talking about … that’s right SECURITY!!

2) Submit a talk to a conference. This is a great way to make a name for yourself, if you know a subject or find a bug in some software doing a talk at a conference about it really heightens your profile.

3) Write a tool that helps everyone in infosec it can be a simple tool or a really complex tool depending on how much time you have. The more useful the tool is the more your make a name for yourself. We are all lazy and love things that help make our lives and job easier so producing a tool that does this gets the thumbs up.

4) De-ice disks most of you should know about the De-Ice project for those of you who don’t.. shame on you. The De-Ice disk helps others like you train and learn cool new tricks, this is a great way to make some cool challenges and most people in security have used them or heard of them.

5) Last but not least, give back. This is the most important tip. If you achieve one of the above then you are giving back and you get a thumbs up. We would not have cool tools like Metasploit and Nmap to name some if people did not give up their time and effort to give back to everyone in security.

Ncrack http://nmap.org/ncrack/
is a high-speed network authentication cracking tool it was built by the same people behind that wonderful network tool Nmap.

Currently support the following protocols
RDP
SSH
http(s)
SMB
pop3(s)
VNC
FTP
telnet

Patator https://code.google.com/p/patator/
is a multi-purpose brute-forcer, with a modular design and flexible usage

Currently it supports the following modules:
* ftp_login : Brute-force FTP
* ssh_login : Brute-force SSH
* telnet_login : Brute-force Telnet
* smtp_login : Brute-force SMTP
* smtp_vrfy : Enumerate valid users using the SMTP VRFY command
* smtp_rcpt : Enumerate valid users using the SMTP RCPT TO command
* http_fuzz : Brute-force HTTP/HTTPS
* pop_passd : Brute-force poppassd (not POP3)
* ldap_login : Brute-force LDAP
* smb_login : Brute-force SMB
* mssql_login : Brute-force MSSQL
* oracle_login : Brute-force Oracle
* mysql_login : Brute-force MySQL
* pgsql_login : Brute-force PostgreSQL
* vnc_login : Brute-force VNC
* dns_forward : Forward lookup subdomains
* dns_reverse : Reverse lookup subnets
* snmp_login : Brute-force SNMPv1/2 and SNMPv3
* unzip_pass : Brute-force the password of encrypted ZIP files
* keystore_pass : Brute-force the password of Java keystore files

SSHtrix http://www.nullsecurity.net/cracker.html
is a very fast multithreaded SSH login cracker this only does SSH but it is extremely good at it.

On Hydra website they have a comparison between hydra, medusa and ncrack but I can only think that if ncrack will grow over the years to be the main tool for brute forcing any protocol.

http://www.thc.org/thc-hydra/network_password_cracker_comparison.html

Jamie

In order to understand how passwords work it’s necessary to understand what a Hash function is and what it does. There are two key features to a Hash function, it is fixed length and it’s always one way, meaning it cannot be reversed. The reversed bit being a big key in this example.

The way passwords on websites work is that you sign up to a website and type in a username and password. The password is then put through a hashing algorithm to produce a fixed length hash.

Bad Example Code:
$password = test123
$Hash = sha1($password)
print $Hash

The above is a very basic example of how some sites may do it, then the hash is stored in the database. When you go to sign on the above process happens, you type in your password it hashes it again and then compares the hash to the stored entry if it’s valid you get access if it’s not then you will get a failed login attempt.

So the question here is how do you know a password is being stored in plain text without hacking the site? Well it’s simple, most sites have password reset buttons. If you forget your password you can use this method to get a way to reset your password. However some websites will send you your password in plain text, this means that they must be storing the password in plain text in the database or an unproved hashing method. As well as all know hashes are none reversible so they can’t be taking your hash and reversing it, then sending you your password as the whole point of a hash is it can’t be reversed. I have noticed that jobs sites are really bad for this but I am sure there are many more that are failing to do such a simple task as using a salt and a good hashing algorithm to store passwords.

Jamie

I recently installed WordPress on my website and of course I wanted to make it as secure as possible so I did some research into it. I wanted to share the hints and tips as well as useful tools that I had found during my research. Some of these tips and hints will be really obvious but you be surprised at how many people don’t change them.

wpscan – wpscan is a tool written by Ryan Dewhurst and does exactly what it says on the tin, it will scan your WordPress site and give you a list of all the information it can find. For example username, plugins and loads more. It’s a really cool little tool and it points out any areas that you may need to work on.

When you first install WordPress there are a few things you will want to change like the database naming conventions by default. It is wp_somthing but you would want to change this to something else. You also don’t want to use the default admin name so pick something unique.

Once WordPress has been installed you will want to edit the wp-config.php to change the secret keys so that they are not the default ones. You can also move this file up a directory so it’s hard to find as it does contain all the configuration settings. Another tip here maybe to protect the file with htaccess.

Other settings you might want to change would be in function.php where you would add the following code
remove_action(‘wp_header’, ‘wp_generator’); this will remove the WordPress version.

There are a few useful plugins that you may want to look into, and some that you will definitely want to install.

WordPress security plugin this does not only help to hide the version but also gives you recommendations on other security issue like passwords, filepermission,database security and wordpress admin protection.

Login lockdown plugin will limit the number of login attempts from a given ip range. You could also use access to only allow certain ip’s to have access to the wp-login page.

The last tip is common among almost any software but keep WordPress up to date as well as any plugin you install and backup.

Jamie

I wanted to share some tools and tricks that I use when doing Social Engineering. The best part of Social Engineering is you can practice it anywhere just by talking to people and trying to get information from them.

Tools in my arsenal:
Mobile Phone
Lock Picks
Business cards
SET
Teensy Device
RFID Card

The first thing you need is bags of confidence as you are trying to sell yourself, this is where practicing comes into play. I gained a lot of this from working in sales and selling to customers, trying to make them part with cash and buy more stuff. The company I used to work for also showed me how to manipulate people and overcome objections.

You have to be quick witted too and think fast off your feet. Never try to sell yourself as someone who has certain skills when you don’t. You may be in a situation where you need to think fast to get out of it. For example you get stopped by a security guard. What are you gonna say to him ? Are you just going to give up? What story will be good enough so he lets you go on your way?

The first tool that you should always have is a mobile phone this is one of the best tools ever in Social Engineering. The good thing about us humans is that we are either really nice people or not confident enough to interrupt someone on the phone, as that would just be so rude. Speaking on the phone whilst walking into a building or hanging outside a RFID door on the phone waiting for a kind soul to hold the door open for us is just so easy. This pretty much works all of the time and it is really effective.

I tend to carry lock picks with me at all times but I very rarely used them, but the one time I might need them it’s better to have them than not.

A good business card will sell you like nothing else it’s easy to get cheap business cards printed these days and they are a great way to backup any story you are trying to sell. Another good tip is if you can get a business card for someone who works at the company you are doing the Social Engineering attack against you might be able to go to another location and sell yourself as being that person who works for the company.

SET Social Engineering toolkit is a great tool that works well with the teensy device. Depending on your scope you can always use this to drop USB around the company and there a good chance that someone will plug it in and run the exploit on the USB.

If you are doing a Social Engineering attack and you know they use RFID doors you can buy a RDIF card off of Ebay even though it won’t work but when people see it, you can just say your card has been playing up and you need to get it sorted. Most people will see the card and just let you in.

These are just a few hints and tips when doing Social Engineering.

Jamie

So the tools I will use in every web application tests are:

• Firefox – plugins foxy proxy,tampa data,
• Google Chrome
• Burpsuit
• SQLmap
• Hoppy
• Nikto
• sslScan

I tend to use firefox as my main testing browser this is because it had lots of plugins that make life easy and also does not have a built in feature like xss filtering like chrome. I then use Google chrome as another web browser that allows me to search and use the internet without having any of the search results show up in burpsuit or any other tools.

Burpsuit is the main tool I use, simply put it’s the best one to use. It has loads of features and if you have the pro version you can sometimes identify low hanging fruit. It allows you to scan the site, intercept requests and modify paramaters. You can use tampa data to modify requests but burpsuit has many more features that really does make life easier.

The next tool is sqlmap. I use this then when I need it, mainly if I identify an sql injection point. This allows me to easy dump the database without knowing every sql statement off by heart.

Hoppy and Nikto I tend to run after each other to try and gather more information about the web application. Hoppy is a fansatic little tool written in python and is a http options prober which checks the availability of http methods as well as probing them to see if they can be forced to disclose system information. Nikto again tries to identify directories and other information about the web applications. On many occasions it has helped me to find webdav directories which allows me to upload contents to the site.

Last but not least sslscan, this is great to determine the ciphers that are supported on a website. It identifes if it’s using sslv1 or sslv2 as well as if it is using encryption equal too or greater than 128b.

So what do you think am I missing? Anything you would add to the list? Most of the tools are free apart from burpsuit but you can get a free version of that too.

So, in no certain order, the eight tools I use in every pentest are…

1. Netcat
2. OpenSSL
3. Nmap
4. Ettercap
5. Tcpdump
6. Burp suite
7. Nikto
8. OpenVAS

To give reason to this list, let’s start with netcat and openSSL – these two tools are used to verify banners from vulnerability scans, as well as trying to identify unknown protocols. Pretty straight forward, but essential tasks.

I primarily use Nmap as a vulnerability scanner, not just to identify targets. The “-A” option is a must-use flag that adds additional depth to output from better-known vulnerability scanners, like openVAS (also on my list – seems to be more up-to-date than some of the others… plus I’m a firm believer in open source projects; they have propelled this industry farther along than any commercial software ever has).

I also use nikto and Burp Suite to find things missed. I cannot count how many times Burp Suite saved my butt during a pentest – the one commercial product I buy with my own money.

That leaves ettercap and tcpdump, which only belong in the list when conducting internal pentests. If you aren’t conducting ARP spoofing attacks, you aren’t doing an in-depth pentest. Soooo much traffic crosses the wire that it’s inevitable to capture sensitive data.

Naturally, there are some tools that I use most of the time (e.g. Metasploit, JTR, medusa, etc.), but not every time… hence the exclusion from the list.

Now that I listed my top eight, I have to say I’m stuck in my ways, and there are probably tools I’m ignoring. Let me know what you think should be added to this list of must-use hacker tools. I may be old, but I can still learn new tricks.