Posts

Showing posts from 2009

Cracking Mac OS X Passwords

In this post I will demonstrate how to both extract and crack Mac OS X passwords. The OS X variants that this tutorial is aimed at are 10.4 (Tiger), 10.5 (Leopard) and 10.6 (Snow Leopard). Whilst Mac OS X is based on a Unix variant (BSD), there are several key differences between traditional Unix-based and Mac OS systems when it comes to password storage. Let's take a quick look at some of the differences. If you have ever poked around on an OS X system, you may have noticed the absence of the /etc/shadow file. Whilst traditional Unix and BSD variants store their password hashes in /etc/shadow and /etc/master.passwd respectively, Mac OS X does not. Since the release of OS X 10.3 in 2003, Macintosh products have stored their shadow files in the /var/db/shadow/hash/ directory. Another key difference is the way in which the two systems store their hashes. On a Unix-based system, every hash associated with the system is stored in the /etc/shadow file. This differs from OS X whereby each

Bypassing Anti-virus

Whether compromising a system for legitimate or non-legitimate purposes, bypassing anti-virus software is often an integral step in any intrusion exercise. Fortunately for enterprises, anti-virus and anti-malware software is now commonplace in most organisations. Whilst many of the tools that attackers wish to use are constantly being blacklisted, that is not the whole story. Attackers are still getting malware into systems and penetration testers are still able to compromise systems. So the question is, how is this possible? The answer: bypassing anti-virus, of course. In this post I intend to present several tools that can be used in bypassing anti-virus/anti-malware software. I will provide a brief background on each tool's operation and a summary of its use. But first, some background. Anti-virus software typically works by using either signature-based detection or heuristic-based detection (some products use both). Signature-based detection products rely on rec

Milw0rm Alternative is Here!

Offensive-Security has announced its new exploit archive: Offensive Security Exploit Database

Metasploit Autopwn: Hacking made simple

Nowadays, exploiting a system requires little, if any, knowledge of computer systems or networking; merely someone with 10 minutes on their hands who is interested enough to Google how it's done. One with very little skill has the ability to fire up Metasploit, load an exploit, and fire it at the target system, giving attackers the ability to compromise a system within minutes. I thought I would write a post on Metasploit's autopwn module to reiterate just how simple it is to attack/compromise a system in today's environment. My intentions here are to give you a tutorial on the Metasploit autopwn module and provide a timely reminder on just how important it is to have a good patch policy in place. I would also recommend regular audits on system services. The tools I will be using in this tutorial are:
Nessus - A free vulnerability scanner for Mac OS, Windows and Linux
Metasploit framework 3 - A free exploit framework for launching exploits against targets
A virtual machine runni

Enumerating Windows Information

After you have gained access to a box, the first thing you want to do as a pen tester is obtain as much information about the machine/network as possible. Here is a list of commands that aim to enumerate host/network information from a Windows machine. The following commands are for Windows XP/Vista/7 unless stated otherwise.
Operating system details
> ver
> systeminfo
Who are you logged in as
> set username
Which domain/workgroup is the machine a part of
> set userdomain
What is the machine called
> set computername
Windows 7 only
> whoami
List user groups on the system
> net localgroup
List users on the machine
> net user
List users in the administrators group
> net localgroup administrators
View all mapped logical/shared drives on the system
> wmic logicaldisk get caption,description,providername
List all listening services on the machine
> netstat -nao
See which

Pass-the-Hash Attack with Backtrack 4

For the uninitiated, a pass-the-hash attack is a way to gain access to a Windows machine without having to supply user credentials. Sounds great, yeah? Cool, now you can go ahead and delete Cain and john because your password cracking days are over? Well, not quite. Before you get too excited you should realize there's a catch: you must first have in your possession a password hash of the machine that you want to compromise. So now you're probably asking yourself, "Why is that useful if I need to have access to the box in the first place?" Well, picture this: say you were conducting a penetration test on Company X and you were unable to crack the administrator password. Now, like most organizations, Company X is using the same administrator password on all of its machines. So gaining access to this password would allow you to pwn the entire network. Now let's say that Company X believes strongly in security, and has a 20 character random password for their administrat

Installing Kismet on Backtrack 4 Pre Release

Backtrack 4 has all the bells and whistles we love and have come to expect from Backtrack in the past. That said, however, as Backtrack is currently in a "Pre Release" version, there are a couple of teething issues with various bits and pieces. One such issue is with Kismet Newcore. Kismet is our friendly little wireless stumbler that we all love. In Backtrack 4 pre release you may have noticed it is either missing functionality, or just plain doesn't work! Here is a quick guide for you to download an alternate version of Kismet Newcore and install it on Backtrack 4:
1. Make sure your network adapter is up
# dhclient eth0
2. Change your directory to /usr/src to download the Kismet Newcore source code
# cd /usr/src
3. Download the Kismet source using the built-in Subversion client
# svn co https://kismetwireless.net/code/svn/trunk kismet
4. Open the newly created kismet directory
# cd kismet
5. Configure and make the source code
# ./configure --prefix=/opt &&

Installing Nessus on Backtrack 4

Here is an easy to follow tutorial on installing Nessus on the Backtrack 4 Pre Release. This is courtesy of secure_it at the remote-exploit forums.
First download these packages:
Nessus-3.2.1-ubuntu804_i386.deb
NessusClient-3.2.1-debian4_i386.deb
(I have chosen the Debian package because NessusClient-3.2.1.1-ubuntu804.i386.deb was missing some of its dependencies and was not installing correctly. Instead the Debian package worked like a charm, as it is up to date with dependencies and produces no error at all.)
Next register your copy to get plugin updates using HomeFeed, and please provide a real mail ID as they will send you the activation key for HomeFeed. Register here, click accept and enter a valid working email ID.
Now we start installing the packages.
root@ThUndErbOLt:~#dpkg -i Nessus-3.2.1-ubuntu804_i386.deb
Now configure the certificate and admin user for Nessus:
root@ThUndErbOLt:~#/opt/nessus/sbin/nessus-mkcert
(This is necessary to communicate between the Nessus client and the Nessus daemo