Friday, March 23, 2018

Techs from the Crypt: Holiday Network Nightmare

During the Christmas break at my work, the tech department continues working for a good portion of it. It seems like most of the time we work almost as long as the gremlins that cause the problems. Normally, I enjoy working with no one in the buildings because that means not only can I get stuff done at my own leisure, but no more work orders come in. Normally it's a good time to work; however, it's not just the people whose computers I fix that can be a major problem. A good portion of the time, some of my worst experiences come from those I work with. In this case, my boss set me up for quite a bit of anger, and as I am writing this, problems still persist. So sit back and get some popcorn while I spin you the tale of my network nightmare!

For some background, we had contractors running a new Cat6 network alongside the old Cat5 and Cat5e network that was currently in place. This alone was riddled with headaches due to them unplugging network cables of inept teachers, leaving behind particulate from the drop-down ceiling, leaving doors unlocked, and even leaving behind empty pizza boxes. I dealt with those problems as they were presented. In the meantime, our Network Administrator was learning how to use Brocade Ruckus switches. All of our current infrastructure was HP Procurves of various vintages and Ubiquiti edge switches that had a problem with PoE burning up the onboard fuses on cards we could not get replaced, and we could not send the switches back for repair because the warranty was so short. The end goal was to replace all the Ubiquiti with Brocade Ruckus switches, and stick in new HP Procurves with no PoE where we needed extra connections in rooms that were air conditioned, because all the current equipment was in electrical rooms. Since I am an IT Specialist, I was not involved in the major networking choices or configurations.

One of the days when we were getting ready for our big cutover, the Network Manager had a heart attack and went to the hospital to be put into a chemically induced coma because of a 90% blockage in his heart. So now we have a half-configured network, equipment everywhere, and the ONLY network person, the only person who knew what was going on with the network, was not only hospitalized but unable in any way to tell us where his notes were to get this stuff going. So as we inched closer to the break to do the cutover, my boss decided to have me check everything over and try to work out what was going on and figure out where everything was. I reluctantly did so.

As I found a saved half-working configuration, I grabbed an extra switch and began to mess with it to try and make a generic configuration that would suffice for a quick copy-paste deployment to get us started. A few days before we went into the break, another tech had to leave because of a death in the family and would not be back until the end of the break.

Already by now you are probably thinking that all the signs are saying to not do the cutover now. The fates are all stacked against it. However, it continues to get even worse. It gets so bad that I contemplated just simply walking out.

Now we get to the last day before the Christmas break. My boss had decided to come with me to the location and review everything so we could set it up for the cutover. At this point, I am highly against trying to do the cutover because of the ramifications should we screw up and not be able to correct it before the break is over. Ramifications that I am now suffering. So we go through everything we can, I install and configure as much as I possibly can in a forlorn hope to not be eaten alive by the project. At the end of the day, before we left, I was told something that I am still flabbergasted by. As my boss was on his way out and we were chatting...

"Well, I won't be able to help with this next week. My wife said I need to clean the house because we have guests coming over. Could you work on it the following week (this is the week OF Christmas, just FYI) when I am available to help?"

Not only is that excuse one of the most irritating things I have ever heard uttered, seemingly a slap in the proverbial face of work-ethic, logic, and common decency, but the reason I was making sure to keep those days clear was specifically because HE PUT IT ON OUR WORK CALENDAR TO DO IT THAT WEEK. I know what you might be thinking. It's horrible, but can it really get any worse? Well, get ready to cringe so bad that your face may just stick in that position for days to come.

The next day, I showed up to work and wandered around like a lost puppy trying to find some guidance or shelter. The assistant coordinator, the second in command, asked me a question.

"Is <boss> coming in to work today? You were the last one to talk to him and I haven't seen him yet today."

ARE YOU KIDDING ME? How is it that my boss can have the audacity to not only excuse himself from a task that he himself scheduled, but he doesn't have the balls to even inform the other workers that his wife said he couldn't come out to play for the day. His wife must have his spine and balls in her purse under lock and key. By now, I'm fuming inside. I'm pretty sure I have a brain tumor and a few ulcers from this. I let the assistant boss know what I was told. She asked if I was going to need help doing the cutover, like I actually was project planning and all that, to which I said no because I don't even know what I'm doing.

Shortly after that, I guess my boss's wife let him run free for a few minutes, as he showed up. This was not to do work, but instead to leave the assistant boss with a list of what I needed to get done with the help of what was left of an 11-person department that was down 5 people, as two were already taking their vacation as well. Shortly after, he leaves and we all hop in our cars and drive on down.

We all get there and I'm still lost because I got thrown into a project already started without me. As we walk into the building, the assistant boss, who I would have assumed would take the role of boss and delegate roles, instead asks me what I want everyone to do. Some may have viewed it as them putting their faith in my abilities. I, however, viewed it as people looking for ways to absolve themselves of responsibility for the impending and certain failure that would (and did) occur. After taking a guess and just scattering people in hopes maybe someone would get something right, I took one of the other techs I consider a friend with me to listen to me complain while he helped me do my guesswork. I would have grabbed another one of the techs, but I didn't want it to be obvious that I was just trying to keep my sanity and complain rather than work on something I had only guesswork for.

So after day one of hooking up equipment, I had assumed it was all good and we all left. Oh boy, was I wrong. We got network alerts galore! So on to day two. I grabbed a couple of techs to help me stare at stuff in hopes divine intervention might happen to fix the problem. Eventually we called in the ISP fiber engineer to help us see if the fiber might be the problem. When he got there, he assured us that he was as lost as we were. So we talked, tested, and fought the network. Day three was more of the same. With some luck, the network went up for a bit and I hightailed it out of there for a week's holiday vacation. The whole week was email alert after email alert that it wasn't working.

Over that week, my boss went in to try to fix the problem. It was never fixed while he was there. The week I got back, we tried to figure it out more. I got spanning tree set up and that seemed to get parts of the network working, so I took it at that and left. After school was back in session, I faced many work orders about network stuff not working. A couple of weeks later, I disabled all rapid spanning tree because the HP Procurves refused to accept a new root for RSTP, and just did plain old legacy STP. Over the course of the next couple of weeks, I found not one, not two, but three loops that were created by the cabling guys who helped move devices over after the cutover. I also found out that because of the change in contractors, there was a 50% failure rate when they were certifying the work that they had to redo.

I was swallowed up and now seem to live in the belly of the beast. Despite everything appearing fine, the network still has problems with VOIP quality randomly failing, WiFi connections dropping, fluctuating speeds when checking with, and a general disdain for work at the moment. On the lighter side, our Network Administrator is alive, awake, and back at work with plans to retire as soon as he hits the mark he needs.

I think the moral to the story is quite simply to not let work get to you, because then you have stress and problems at work. Or something like that. I'm not really good at morals.

Thursday, March 22, 2018

Penetration Tool Testing Guide: Recon with Nikto

It's all great to find a web server on a machine you are trying to test, but knowing the port and web server version is only the start. When it comes to web servers, there are a huge number of potential points of attack that could be open, and testing every one of them by hand would take a very long time without more information. Nikto is a tool made to scan web servers for potential vulnerabilities, dangerous default files and outdated software.

I have never played around with Nikto before this, so I had to read through the documentation a few times. As a whole, it is pretty easy to use, but it takes a bit to understand. To make sure I get some good results, I ran the scan against a live CD of Damn Vulnerable Linux (DVL). To start with, let's take a look at the help information from the command, run with nikto -H.

       -ask+               Whether to ask about submitting updates
                               yes   Ask about each (default)
                               no    Don't ask, don't send
                               auto  Don't ask, just send
       -Cgidirs+           Scan these CGI dirs: "none", "all", or values like "/cgi/ /cgi-a/"
       -config+            Use this config file
       -Display+           Turn on/off display outputs:
                               1     Show redirects
                               2     Show cookies received
                               3     Show all 200/OK responses
                               4     Show URLs which require authentication
                               D     Debug output
                               E     Display all HTTP errors
                               P     Print progress to STDOUT
                               S     Scrub output of IPs and hostnames
                               V     Verbose output
       -dbcheck           Check database and other key files for syntax errors
       -evasion+          Encoding technique:
                               1     Random URI encoding (non-UTF8)
                               2     Directory self-reference (/./)
                               3     Premature URL ending
                               4     Prepend long random string
                               5     Fake parameter
                               6     TAB as request spacer
                               7     Change the case of the URL
                               8     Use Windows directory separator (\)
                               A     Use a carriage return (0x0d) as a request spacer
                               B     Use binary value 0x0b as a request spacer
        -Format+           Save file (-o) format:
                               csv   Comma-separated-value
                               htm   HTML Format
                               nbe   Nessus NBE format
                               sql   Generic SQL (see docs for schema)
                               txt   Plain text
                               xml   XML Format
                               (if not specified the format will be taken from the file extension passed to -output)
       -Help              Extended help information
       -host+             Target host
       -404code           Ignore these HTTP codes as negative responses (always). Format is "302,301".
       -404string         Ignore this string in response body content as negative response (always). Can be a regular expression.
       -id+               Host authentication to use, format is id:pass or id:pass:realm
       -key+              Client certificate key file
       -list-plugins      List all available plugins, perform no testing
       -maxtime+          Maximum testing time per host (e.g., 1h, 60m, 3600s)
       -mutate+           Guess additional file names:
                               1     Test all files with all root directories
                               2     Guess for password file names
                               3     Enumerate user names via Apache (/~user type requests)
                               4     Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
                               5     Attempt to brute force sub-domain names, assume that the host name is the parent domain
                               6     Attempt to guess directory names from the supplied dictionary file
       -mutate-options    Provide information for mutates
       -nointeractive     Disables interactive features
       -nolookup          Disables DNS lookups
       -nossl             Disables the use of SSL
       -no404             Disables nikto attempting to guess a 404 page
       -Option            Over-ride an option in nikto.conf, can be issued multiple times
       -output+           Write output to this file ('.' for auto-name)
       -Pause+            Pause between tests (seconds, integer or float)
       -Plugins+          List of plugins to run (default: ALL)
       -port+             Port to use (default 80)
       -RSAcert+          Client certificate file
       -root+             Prepend root value to all requests, format is /directory
       -Save              Save positive responses to this directory ('.' for auto-name)
       -ssl               Force ssl mode on port
       -Tuning+           Scan tuning:
                               1     Interesting File / Seen in logs
                               2     Misconfiguration / Default File
                               3     Information Disclosure
                               4     Injection (XSS/Script/HTML)
                               5     Remote File Retrieval - Inside Web Root
                               6     Denial of Service
                               7     Remote File Retrieval - Server Wide
                               8     Command Execution / Remote Shell
                               9     SQL Injection
                               0     File Upload
                               a     Authentication Bypass
                               b     Software Identification
                               c     Remote Source Inclusion
                               d     WebService
                               e     Administrative Console
                               x     Reverse Tuning Options (i.e., include all except specified)
       -timeout+          Timeout for requests (default 10 seconds)
       -Userdbs           Load only user databases, not the standard databases
                               all   Disable standard dbs and load only user dbs
                               tests Disable only db_tests and load udb_tests
       -useragent         Over-rides the default useragent
       -until             Run until the specified time or duration
       -update            Update databases and plugins from
       -useproxy          Use the proxy defined in nikto.conf, or argument http://server:port
       -Version           Print plugin and database versions
       -vhost+            Virtual host (for Host header)
           + requires a value

As we can see, there are a lot of options to tweak your scan. So let's start with a basic scan: -h and the target. I'll use the IP I have of DVL (the address is omitted from the output below).

~$ nikto -h
- Nikto v2.1.6
v+ nmap Input Queued:
+ Target IP:
+ Target Hostname:
+ Target Port:        80
+ Start Time:         2018-03-17 14:38:16 (GMT-4)
+ Server: Apache/1.3.37 (Unix) PHP/4.4.4
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3268: /: Directory indexing found.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/1.3.37 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ PHP/4.4.4 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
v+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /./: Directory indexing found.
+ OSVDB-3268: /?mod=node&nid=some_thing&op=view: Directory indexing found.
+ OSVDB-3268: /?mod=some_thing&op=browse: Directory indexing found.
+ /./: Appending '/./' to a directory allows indexing
+ OSVDB-3268: //: Directory indexing found.
+ //: Apache on Red Hat Linux release 9 reveals the root directory listing by default if there is no index page.
+ OSVDB-3268: /?Open: Directory indexing found.
+ OSVDB-3268: /?OpenServer: Directory indexing found.
+ OSVDB-3268: /%2e/: Directory indexing found.
+ OSVDB-576: /%2e/: Weblogic allows source code or directory listing, upgrade to v6.0 SP1 or higher.
+ OSVDB-3268: /?mod=<script>alert(document.cookie)</script>&op=browse: Directory indexing found.
+ OSVDB-3268: /?sql_debug=1: Directory indexing found.
+ OSVDB-3268: ///: Directory indexing found.
+ OSVDB-3268: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: Directory indexing found.
+ OSVDB-3268: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: Directory indexing found.
+ OSVDB-3268: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: Directory indexing found.
+ OSVDB-3268: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: Directory indexing found.
+ OSVDB-3268: /?PageServices: Directory indexing found.
+ OSVDB-119: /?PageServices: The remote server may allow directory listings through Web Publisher by forcing the server to show all files via 'open directory browsing'. Web Publisher should be disabled.
+ OSVDB-3268: /?wp-cs-dump: Directory indexing found.
+ OSVDB-119: /?wp-cs-dump: The remote server may allow directory listings through Web Publisher by forcing the server to show all files via 'open directory browsing'. Web Publisher should be disabled.
v+ Retrieved x-powered-by header: PHP/4.4.4
+ /info/: Output from the phpinfo() function was found.
+ OSVDB-3092: /info/: This might be interesting...
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ Server leaks inodes via ETags, header found with file /phpmyadmin/ChangeLog, inode: 20743, size: 10992, mtime: Sun Jan 18 16:58:12 2009
+ OSVDB-3092: /phpmyadmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ Uncommon header 'tcn' found, with contents: choice
+ OSVDB-3092: /manual/: Web server manual found.
+ /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3268: ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////: Directory indexing found.
+ OSVDB-3288: ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////: Abyss 1.03 reveals directory listing when      /'s are requested.
+ OSVDB-3268: /?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-3268: /?D=A: Directory indexing found.
+ OSVDB-3268: /?N=D: Directory indexing found.
+ OSVDB-3268: /?S=A: Directory indexing found.
+ OSVDB-3268: /?M=A: Directory indexing found.
+ OSVDB-3268: /?\"><script>alert('Vulnerable');</script>: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3268: /?_CONFIG[files][functions_page]= Directory indexing found.
+ OSVDB-3268: /?npage=-1&content_dir= Directory indexing found.
+ OSVDB-3268: /?npage=1&content_dir= Directory indexing found.
+ OSVDB-3268: /?show= Directory indexing found.
+ /info.php?file= Output from the phpinfo() function was found.
+ OSVDB-5292: /info.php?file= RFI from RSnake's list ( or from
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3268: /?-s: Directory indexing found.
+ OSVDB-3268: /?q[]=x: Directory indexing found.
+ OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /?sc_mode=edit: Directory indexing found.
+ OSVDB-3268: /?xmlcontrol=body%20onload=alert(123): Directory indexing found.
+ OSVDB-3268: /?admin: Directory indexing found.
+ 7536 requests: 0 error(s) and 63 item(s) reported on remote host
+ End Time:           2018-03-17 14:38:27 (GMT-4) (11 seconds)
+ 1 host(s) tested

Oh boy, that is a lot of information to take in. Let's break down the basics of what the output is saying. Some lines are straightforward: the Server and x-powered-by headers give the exact Apache and PHP versions, and the missing X-Frame-Options, X-XSS-Protection and X-Content-Type-Options headers are hardening gaps rather than holes. Most of the rest carry an OSVDB reference. OSVDB stood for Open Sourced Vulnerability Database, and the problem now is that it shut down in 2016, so the reference number on its own no longer leads anywhere (it is still handy as a stable key for grouping items and for searching older advisories). After the reference comes the request that triggered the item, and then a description of what it is. Two things to keep in mind when reading this particular scan. First, the long run of "Directory indexing found" lines for /?D=A, /./, /%2e/, //, /?admin and the rest is one finding, not thirty: the web root has no index page and directory listing is on, so every query string and path variant Nikto tried came back as the same listing, which is why "63 item(s)" overstates what is actually wrong. Second, the "current is at least Apache/2.4.12" and "current is at least 5.6.9" lines come from the version database that shipped with this copy of Nikto, not from what is current today, so run nikto -update before reading much into those comparisons. The items that actually matter here are the exposed phpinfo() output at /info/ and /info.php, the reachable /phpmyadmin/ directory, the TRACE method being enabled, and the ancient Apache 1.3.37 / PHP 4.4.4 pair. With this information, we can fine-tune our attack vectors and hone in on the more viable holes.
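To make that triage concrete, here is a small Python script, added here and not part of Nikto, that parses Nikto's default text output, groups the items by OSVDB id and message, and collapses the URI variants that all resolve to the same directory. The sample lines embedded in it are a subset copied from the scan above (so the counts are smaller than the real run); the grouping rules and the path normalisation are my own, not something Nikto does.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample: a subset of the lines from the scan above, copied verbatim.
SAMPLE_OUTPUT = """\
+ Server: Apache/1.3.37 (Unix) PHP/4.4.4
+ The anti-clickjacking X-Frame-Options header is not present.
+ OSVDB-3268: /: Directory indexing found.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /./: Directory indexing found.
+ OSVDB-3268: /?mod=some_thing&op=browse: Directory indexing found.
+ OSVDB-3268: //: Directory indexing found.
+ OSVDB-3268: /%2e/: Directory indexing found.
+ OSVDB-3268: /?sql_debug=1: Directory indexing found.
+ /info/: Output from the phpinfo() function was found.
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3092: /phpmyadmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ /phpmyadmin/: phpMyAdmin directory found
+ 7536 requests: 0 error(s) and 63 item(s) reported on remote host
"""

# "+ [OSVDB-nnnn: ][<uri>: ]<message>"; the uri is the non-blank run that starts with "/"
ITEM_RE = re.compile(r"^\+ (?:(?P<osvdb>OSVDB-\d+): )?(?:(?P<uri>/\S*): )?(?P<msg>.+)$")
# Banner and summary lines that are not findings
SKIP_RE = re.compile(r"^(Server: |Target |Start Time|End Time|No CGI Directories|"
                     r"\d+ requests: |\d+ host\(s\) tested)")


def normalize_path(uri):
    """Reduce a probed URI to the directory the server actually served.

    '/?D=A', '/./', '/%2e/' and '//' are reported as separate hits, but after
    dropping the query string, percent-decoding and collapsing dot segments
    and repeated slashes they are all the web root.
    """
    path = unquote(uri.split("?", 1)[0])
    path = re.sub(r"/+", "/", path)
    return posixpath.normpath(path)


def parse_findings(text):
    """Group Nikto items by (OSVDB id, message); record the distinct normalised
    paths and how many raw URI variants triggered each group."""
    groups = {}
    for line in text.splitlines():
        m = ITEM_RE.match(line)
        if not m or SKIP_RE.match(m["msg"]):
            continue
        key = (m["osvdb"] or "-", m["msg"])
        g = groups.setdefault(key, {"osvdb": key[0], "message": key[1],
                                    "paths": set(), "variants": 0})
        g["variants"] += 1
        if m["uri"]:
            g["paths"].add(normalize_path(m["uri"]))
    # Noisiest group first, so the duplicated listing is obvious at the top
    return sorted(groups.values(), key=lambda g: -g["variants"])


def report(findings):
    """One line per distinct finding: id, variant count, directories, message."""
    lines = []
    for f in findings:
        where = ", ".join(sorted(f["paths"])) or "(no URI)"
        lines.append(f"{f['osvdb']:>10}  x{f['variants']:<3} {where}: {f['message']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_findings(SAMPLE_OUTPUT)))
```

Run against a full scan saved with -o scan.txt, the seven "Directory indexing found" lines in the sample collapse to two directories (/ and /icons), and the real run collapses the same way, leaving a handful of items to actually investigate.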

Okay, so that was a basic scan. Let's scan a whole network! The problem is that we first need to scan the network to find all the web servers, and then scan each web server for vulnerabilities. Can we use nmap output to automate a Nikto scan? Yes! It's actually very easy: nmap's greppable output (-oG) is written to stdout and piped straight into Nikto, and -h - tells Nikto to read its targets from stdin.

~$ nmap -oG - | nikto -h -

Now this output I am not going to show because one, there is a lot, and two, I just don't want people to see all the stuff on my network just because. Either way, now you can fly relatively blind and gather a starting picture of the web servers on your network. Keep in mind that nmap only scans its default port list unless you tell it otherwise, so add (with -p) any other ports that may be in use. I do have some devices running web servers on three different ports for various services.
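As an added example (my own code, not Nikto's or nmap's), the following Python parses nmap's greppable (-oG) output, keeps the hosts with open ports that nmap labelled as some flavour of HTTP, and builds one nikto command per host with all of that host's web ports passed to -p as a comma-separated list. The sample -oG lines are constructed: the addresses are from the 192.0.2.0/24 documentation range and the host name, ports and versions are made up. Passing -vhost with the reverse-DNS name and defaulting to -Tuning x6 (everything except the denial-of-service category) are my choices, not anything the pipeline above does.

```python
import re
import shlex

# Constructed sample of nmap greppable output (nmap -sV -oG -); not a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.70 scan initiated Sat Mar 17 14:30:00 2018 as: nmap -p 22,80,443,8080 -sV -oG - 192.0.2.0/28
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//Apache httpd 1.3.37/, 443/closed/tcp//https///\tIgnored State: filtered (1)
Host: 192.0.2.11 (printer.example)\tPorts: 80/open/tcp//http///, 443/open/tcp//ssl|http///, 8080/open/tcp//http-proxy///
Host: 192.0.2.12 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/
# Nmap done at Sat Mar 17 14:30:09 2018 -- 16 IP addresses (3 hosts up) scanned in 9.12 seconds
"""

HOST_RE = re.compile(r"Host: (?P<ip>\S+) \((?P<name>[^)]*)\)")
# Each port entry is port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(?P<port>\d+)/(?P<state>[^/]*)/(?P<proto>[^/]*)/[^/]*/(?P<service>[^/]*)/")


def parse_gnmap(text):
    """Yield (ip, reverse-dns name, [(port, service), ...]) for every 'Ports:' line,
    keeping open TCP ports only."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue
        head, rest = line.split("\t", 1)
        host = HOST_RE.match(head)
        ports_field = next(f for f in rest.split("\t") if f.startswith("Ports: "))
        open_ports = []
        for entry in ports_field[len("Ports: "):].split(", "):
            pm = PORT_RE.match(entry)
            if pm and pm["state"] == "open" and pm["proto"] == "tcp":
                open_ports.append((int(pm["port"]), pm["service"]))
        yield host["ip"], host["name"], open_ports


def web_targets(text, all_open=False):
    """Map ip -> (name, sorted ports). By default only ports nmap named as http,
    https, ssl|http, http-proxy and so on; all_open=True keeps every open port and
    lets Nikto work out for itself which ones speak HTTP."""
    targets = {}
    for ip, name, ports in parse_gnmap(text):
        chosen = sorted(p for p, svc in ports if all_open or "http" in svc)
        if chosen:
            targets[ip] = (name, chosen)
    return targets


def nikto_commands(targets, extra_args=("-Tuning", "x6")):
    """One shell-safe nikto command line per host, all of its web ports in one -p list."""
    cmds = []
    for ip, (name, ports) in targets.items():
        cmd = ["nikto", "-h", ip, "-p", ",".join(map(str, ports))]
        if name:
            cmd += ["-vhost", name]   # scan by IP but send the real name in the Host header
        cmd += list(extra_args)
        cmds.append(shlex.join(cmd))
    return cmds


if __name__ == "__main__":
    for c in nikto_commands(web_targets(SAMPLE_GNMAP)):
        print(c)
```

Feed it a real file (nmap -sV -oG hosts.gnmap ...) and run the printed lines, or pass all_open=True to get the broader behaviour of just handing every open port to Nikto.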

So now let's look at some of these options and see what we can use. Most are self-explanatory, so let's focus on the larger choices.

The -Display option has a few interesting things to add. There are quite a few more things we can show, but keep in mind this can expand the output quite a bit and make finding what you want rather hard. Showing redirects, cookies and HTTP errors can reveal additional information (where the application sends you, which session cookies it sets, which paths error out rather than 404) that may prove useful. Other than that, for my current purposes, it just seemed to clutter my terminal.

Moving down the line, we have the -evasion option. This applies one of the listed encoding tricks to the request URI Nikto sends: percent-encoding random characters, inserting /./ self-references, prepending a long random directory, adding a fake parameter, changing case, or using a backslash as the directory separator. The added obfuscation might help avoid the attention of a NIDS (network intrusion detection system) whose signatures match the literal request, or slip past a poorly designed filter that compares the raw URL instead of the decoded, normalised path. Two caveats: any IDS or WAF that normalises URLs before matching will see straight through these, and some of the techniques (case changes, backslash separators) only reach the same resource on servers that treat them that way, so a path that comes back clean under evasion is not proof that it is absent.
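To see why these tricks work against one kind of filter and not another, here is an added Python example (my own reimplementation of the transformations the help text lists, not Nikto's code) that applies evasions 1, 2, 4, 5, 7 and 8 to a request path and tests each result against two filters: a naive one that compares the raw request-target with a literal deny list, and a hardened one that percent-decodes until stable, strips the query string, folds backslashes, normalises dot segments and lower-cases before comparing. The /phpmyadmin target and the deny list are assumptions for the demonstration; evasions 3, 6, A and B are left out because they alter the request line rather than the path, and how Nikto builds each encoding internally may differ in detail.

```python
import posixpath
import random
import string
from urllib.parse import unquote

# Assumption: the resource a literal-match rule is trying to protect.
PROTECTED = "/phpmyadmin"
DENYLIST = {"/phpmyadmin", "/phpmyadmin/"}


def _junk(rng, n=64):
    return "".join(rng.choices(string.ascii_lowercase, k=n))


def random_uri_encoding(path, rng):
    """Evasion 1: percent-encode a random, non-empty subset of the alphanumerics."""
    positions = [i for i, c in enumerate(path) if c.isalnum()]
    chosen = set(rng.sample(positions, rng.randint(1, len(positions))))
    return "".join(f"%{ord(c):02X}" if i in chosen else c for i, c in enumerate(path))


def directory_self_reference(path):
    """Evasion 2: '/./' is the same directory, so '/./phpmyadmin/./' still lands on it."""
    return path.replace("/", "/./")


def prepend_long_random_string(path, rng):
    """Evasion 4: a junk directory that the following '..' immediately pops off."""
    return f"/{_junk(rng)}/..{path}"


def fake_parameter(path, rng):
    """Evasion 5: a query string the application ignores but a literal match does not."""
    return f"{path}?{_junk(rng, 8)}={_junk(rng, 8)}"


def change_case(path, rng):
    """Evasion 7: flip the case of some letters; only reaches the same file on a
    case-insensitive filesystem (Windows, macOS), not on a typical Unix Apache."""
    letters = [i for i, c in enumerate(path) if c.isalpha()]
    flipped = set(rng.sample(letters, rng.randint(1, len(letters))))
    return "".join(c.swapcase() if i in flipped else c for i, c in enumerate(path))


def windows_directory_separator(path):
    """Evasion 8: IIS accepts '\\' as a path separator; Apache on Unix does not."""
    return path.replace("/", "\\")


def all_evasions(path, seed=2018):
    """Apply each evasion to one path; seeded so the result is reproducible."""
    rng = random.Random(seed)
    return {
        "1 random encoding": random_uri_encoding(path, rng),
        "2 self reference": directory_self_reference(path),
        "4 prepend random": prepend_long_random_string(path, rng),
        "5 fake parameter": fake_parameter(path, rng),
        "7 change case": change_case(path, rng),
        "8 windows separator": windows_directory_separator(path),
    }


def naive_filter(raw_target):
    """The 'poorly designed filter': a literal comparison of the raw request-target."""
    return raw_target in DENYLIST


def canonical_path(raw_target):
    """Decode and normalise the way the origin server will before deciding.
    Folding '\\' and lower-casing assume the backend treats those as equivalent;
    on a Unix Apache they are merely harmless over-blocking."""
    path = raw_target.split("?", 1)[0].replace("\\", "/")
    decoded = unquote(path)
    while decoded != path:          # repeat until stable to defeat double encoding
        path, decoded = decoded, unquote(decoded)
    return posixpath.normpath(path).lower()


def hardened_filter(raw_target):
    canon = canonical_path(raw_target)
    return canon == PROTECTED or canon.startswith(PROTECTED + "/")


if __name__ == "__main__":
    for name, raw in all_evasions("/phpmyadmin/").items():
        print(f"{name:20} naive={naive_filter(raw)!s:5} hardened={hardened_filter(raw)!s:5} {raw[:48]}")
```

Every evasion slips past the literal comparison and none gets past the canonicalising one, which is the whole lesson: -evasion buys you something against signatures written on raw request text, and nothing against a filter that decodes first.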

Skipping on down a bit further, we see the -mutate option. According to the documentation this is deprecated, so let's focus on the -Plugins option instead. To get an idea of what we have to work with, use the -list-plugins option.

~$ nikto -list-plugins

The output has quite a lot, so let's pull one that has a good variety of everything.

Plugin: apacheusers
 Apache Users - Checks whether we can enumerate usernames directly from the web server
 Written by Javier Fernandez-Sanguino Pena, Copyright (C) 2008 CIRT Inc.
  cgiwrap: User cgi-bin/cgiwrap to enumerate
  home: Look for ~user to enumerate
  size: Maximum size of username if bruteforcing
  dictionary: Filename for a dictionary file of users

  enumerate: Flag to indicate whether to attempt to enumerate users

The plugins have a name, synopsis, author, and optionally some options. On top of these, every plugin also accepts verbose and debug. If an option does not take an argument, it is just a flag: using it means true and omitting it means false. Plugins are separated by semicolons, a plugin's options go in parentheses separated by commas, and an option that takes a value is written as name:value. So it could look something like:

~$ nikto -Plugins "apacheusers(enumerate,dictionary:users.txt);report_xml"

That gives us a glimpse into the syntax: run the apacheusers plugin with enumeration turned on and the user list read from users.txt, then the report_xml plugin for XML output.

Another thing to note is that near the bottom of the -list-plugins output there are macro definitions, which name sets of plugins such as what runs by default. In the end, there are a lot of options and a lot of customizing that can be done. As I learn more, I may expand upon this later.

After -Plugins, we have the -Tuning option. This one is a lot simpler to figure out: you pick which categories of checks to run, so -Tuning 9 selects the SQL injection checks and -Tuning 3b picks information disclosure plus software identification. This can speed things up if there are categories you don't want to spend time on, or if the results of certain categories are undesirable; the denial-of-service category (6) is the usual one to leave out against a system that has to stay up. To exclude categories rather than include them, precede the identifiers with an x, as in -Tuning x6 for everything except DoS.

Lastly, there is the -Format option, which goes hand in hand with -o (-output) to write your results to a file in the format you want; if you give -o a file name with a recognised extension, such as report.html or report.csv, the format is taken from the extension. As seen at the beginning, formatting output allows porting to and use in other tools. One that stands out is a format explicitly for the Nessus tool, the nbe format, and csv or xml are the ones to reach for if you want to feed the findings into your own scripts. While it is not essential, knowing how to get output is great for documenting and for expanding your recon, either to do more recon or to fine-tune your tools with little manual interference. You can live your life like in the movies, maybe hack into somewhere with a few simple rapid commands.

In conclusion, I am still learning this tool, but it's pretty easy to dive into a lot of results. As far as recon goes, the more information we get, the better a picture we can paint.

Wednesday, March 14, 2018

Techs from the Crypt: I don't understand!

Realistically, I have not been a tech for very long; however, I work on four different sites normally and interact with quite a lot of people. In my travels, I have come across some humorous, horrifying, and downright strange scenarios. I will now share them with you as part of an attempt at a running series I am calling "Techs from the Crypt" as homage to a favorite show of mine as a kid, Tales from the Crypt! Get it? Did I really need to explain it?

Moving on, I will make up names where needed, not so much to protect the people involved, but more so because I don't care enough to remember anyone's name. Luckily my time in retail has taught me how to cover up my anti-social nature and severe anger towards the more remedial tasks I'm expected to perform.

As a tech, I often come across a lot of people who say something along the lines of "I don't know," or "I don't understand." I often feel myself rewording what I say many times over to make a point or even get some acknowledgement that there is thought behind the vacant stare and hysterical smile of someone completely distraught because "the Internet is broken," or "I didn't do anything and it's no longer working." I'm sure almost every field you can be in has some variation of this interaction, be it with co-workers or clients. So now I submit to you a story about a lady who even when I think back on it, I find hard to believe she actually did all the things she did.

I work for a school system, so most of the people I help are teachers, those we trust to educate our youths. This particular case was at an elementary school. I received a work order about a teacher, whom we shall call Mrs. Lego (part of an inside joke I may mention later), who could not log into her Google account. Now, when an account is set up on our system, a Google account is created. The problem is that you cannot log on to the account until after you change your password and it then gets synchronized with Google. I was quite confident in dealing with these cases, as it was the beginning of the year and a lot of new teachers sent in identical work orders. With that, I marched off to the school to get the new teacher squared away.

So far it all seemed routine, and then I met the teacher. Now, let me be clear, she was and is a very nice lady who has never been intentionally rude to me, even when I almost lost my temper. However, I would not say Mrs. Lego is the most receptive of people. After she explained her problem to me, I explained to her that she needed to change her password and showed her how. Now, our passwords have complexity requirements that are stronger than some of the other unconnected systems certain groups of staff need to use, usually due to software limitations. Mrs. Lego tried to change her password to one she had previously set up on one of these particular systems. After it rejected her twice, I asked her to tell me the password. I then explained to her that because of the complexity requirements, it needs more to it, like a special character, maybe an exclamation mark at the end or something simple to remember like punctuation.

"But I want it to be the same password for everything," stated Mrs. Lego quite adamantly.

"Well, I understand that, but I cannot change these requirements. To access Google through your account, it's required to change your password."

"But I need them to be the same, or else what's the point?"

"To access Google, you NEED to change your password."

"Well, why can't I use this one?"

"Because there are requirements that need to be met."

"I don't think you're understanding me. I have my password for that set. I want them to be the same passwords."

"I get that, but unless you change both passwords, we can't make this one the same."

"No, you don't understand, I want my password-"

"To be the same as the other one, I get what you're saying but I cannot do that for you."

"Oh... well then there is no point in changing my password, how do I go back?"

"To access your Google account you HAVE to change your password."

"But I don't want to unless they can match."

This is the shortened version, as this conversation then continued on for some more time. Finally, my patience was gone. She was convinced I couldn't understand what she wanted, so now she wanted everything back but still wanted to access her Google account. I was so fed up, I did the only thing I could within my power. I fired up the Google Admin Console, manually entered her default password and reluctantly left it at that. However, it does not end there, oh no my friends. You see, she was a new teacher and had questions. Many questions. We have instructional people for such questions, but I was nice enough (dumb enough is more like it) to attempt to help to the best of my ability.

You see, at one point they thought it was a good idea to try to continue the use of old, outdated computers by installing Ubuntu on them. As a Linux user, I informed them many times after I started and came across this that Ubuntu is a full-featured OS; it is not lightweight or good for repurposing old computers. Mrs. Lego had two of them and one with Windows still on it. The Ubuntu computers log in automatically, and on the Windows one they are recommended to use a class login. After explaining the class login to her and showing her the Windows computer, we discussed the Ubuntu machines. I explained to her that they really are just there for web browsing; there is no Microsoft Office or the like on them.

"So, they're not real computers?"

"No, they are just older computers that the schools are trying to reuse to save money."

"At the school system I come from, they stripped out the guts of old computers and called them Linux machines."

"...uh... yeah... same thing?..."

"Well, can I get real computers instead?"

"... uh... tell you what... put... put in a work order and... I'll see if I can scrap together some parts and get Windows on them..."

"Oh, that would be great, what do I put down?"

So I gave her word for word what to put down and then made a mental note to upgrade the RAM so it could handle Windows and try to get this wonderful woman out of my hair.

Then for a bit, we talked about the tech and differences between school systems. I thought it was over and I had weathered the storm, then while I was mid-sentence, she walked over to the door and said she needed to go pick up the kids... and walked out before I could even respond.

It's at times like those that I wonder how people get there in life, or how they often seem better off than me. Perhaps it's just the chipping away of my soul that makes the other side seem so much better. Mrs. Lego went on to terrorize our instructional techs after I told her to submit a work order for them to come by and walk her through the tech.

You see, when one of them was talking to her, he passed the comment that this stuff is easy, just plug it together, like Lego...

"But I don't have any Legos."

And that, my friends, is the story of Mrs. Lego and why I don't understand. I hope you enjoyed. I have a few other stories I hope to get down before I forget too much detail and make it hard to put in a decent story form.

Monday, March 12, 2018

Penetration Tool Testing Guide: Recon with nmap

For a while now, I have just dabbled around with some hacking tools on Kali Linux and worked a bit on various challenges on websites for learning some basic hacking. I'm still a very new beginner, but why not write a guide as I learn to enhance my learning? While I already know the basic concepts behind a lot of the stuff, in practice I fall quite short. So I will be focusing on the tools in use and hope that the concepts behind them are understood by the reader at a basic level. So let's begin.

In the world of "hacking," there are a lot of things going on. Hacking itself is a broad term, but I will be taking aim at software. Specifically, more like breaking and entering on a software level. I already do some of the exploitation at work just to see what I can do, but the goal is to at the very least successfully get in, and to do that we need information. The information gathering step is crucial as it will tell us what direction we can go in and allow us to begin to contemplate our options. Within the realm of recon tools, there are a few of quite some notoriety, one even breaking into the spotlight of Hollywood fame. This famous tool is called nmap.

To grasp the concept of nmap, you need to have some understanding of networks and ports. We can use this tool to scan our target and find open ports, identify services, discover the operating system, and even create a network map. There is a GUI for ease of use called Zenmap, but I would suggest you understand nmap itself to unlock all the potential. Then it can be expanded upon with Zenmap. Keep in mind that with this tool, we are looking at OSI Layer 3 stuff, so mapping switches won't work without Layer 3 intervention.

So the first thing we need to do is check out the help menu for nmap. So we run nmap -h

Nmap 7.60 ( )
Usage: nmap [Scan Type(s)] [Options] {target specification}
  Can pass hostnames, IP addresses, networks, etc.
  Ex:,,; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
  nmap -v -A
  nmap -v -sn
  nmap -v -iR 10000 -Pn -p 80

Okay... so we have a lot of options. So let's try to figure this out. Starting at the top we see that you can make an input file of hosts to scan. As nice as that sounds, I'm not gonna bother with that right now. Instead, looking at the bottom, it has some examples. So I would recommend you try running it and familiarize yourself with the command's output. I'm not gonna show that because it would take up a bit of space. Give it a go on your router's IP, see what shows. My router has quite a few services and I already did a review of it.

So when we look at that first example command, we see the options -v and -A are used. The -v option is one you may use quite often; this is the verbose setting. This allows you to watch what it finds, or doesn't, as it runs and lets you know it's actually doing something while it's running. This is going to be used quite often. We also see that -A enables OS detection (along with version detection, script scanning, and traceroute, as the help text says). This is very good to know when you are trying to break in or are just simply curious what some random black box device has under the hood. One thing you may notice from the results is that some may be inconclusive or even wrong. This should be expected to occur, and as we get deeper other recon tools may fill the gaps.

Let's get into some of these other options. The first thing we need to figure out are the scan types. When we are talking about types, the biggest point of note is what protocol we use and how it is handled. The two protocols you find used across the board on a network are TCP and UDP. Scanning for UDP ports will take a significant amount of time. Let's look at TCP first.

We see a couple of TCP options of interest, -sS and -sT. So what is the difference? The first option, -sS, is a SYN scan. For those not familiar with TCP, there is a three-way handshake that goes on to initiate the connection. The client sends SYN, the server responds with SYN-ACK, then the client finally responds with ACK (roughly). So we are just sending the opening and registering responses without completing the connection. It is considered to be stealthier. The -sT option opens the full connection. Another point to note is that the -sS option requires elevated privileges to run. From a penetration perspective, -sS is less likely to be noticed, whereas the -sT option is not only more noticeable, but it takes more time.

For scanning UDP, we use the -sU option. There's not much more to say on it other than it takes a long time and there is no guarantee that it gets everything. Since UDP itself doesn't need to respond to anything, it very well may ignore you.

Let's jump to some other options. Another option that can prove useful is the -p option. This allows us to scan specific ports and/or port ranges with either TCP or UDP. This can be quite useful for checking through non-standard ports outside of the range normally scanned, or simply trimming down the scan time if you already have some idea of where you want to get started. The -O option gives basic OS identification, but I prefer -A as it gives more information, even attempting to identify service versions, which can be useful for looking things up in CVE databases or such things.

Another useful option is the -Pn option, which turns off the ping. The ping is used as host discovery to see if the device is up. The main reason this can prove useful is because devices can be configured to ignore pings. Somewhat inversely to this is the -sn option, which is a quick way to check a whole network and see the IP addresses of everything that will respond to pings.

The final useful option to check out for now is -T for timing. This one is a bit hard to understand, as it mentions timing templates. These templates, in order from zero to five, are paranoid, sneaky, polite, normal, aggressive, and insane. The first two are for IDS (Intrusion Detection System) evasion. Polite will use less bandwidth. Normal is the default, so it does nothing, but there is nothing wrong with wanting to be explicit. Aggressive uses more resources under the expectation that your machine and network are fast enough to handle it. Insane assumes you are on a fast network and will be less accurate, but a lot faster. Another thing to note is that the first three are serialized, so they will only scan one port at a time with wait times of 5 minutes, 15 seconds, and 0.4 seconds, respectively. The options above that allow parallel scanning.

Lastly, let us take a look at the output options, as reporting is useful for many things (especially jobs). The -oA option gives us a good direction as it says it will output in the three major formats. The three major formats are normal, grepable, and XML. Normal is just simply what your normal output looks like on the terminal. Grepable is easy to split with various programming languages and the like; however, it is considered deprecated. The final format is XML, which will be the favorite to work with. Not only is XML good for programming languages to read, use, and manipulate, a lot of programs will allow importing XML because of how easy it is. The format-specific options are -oN for normal, -oG for grepable, and -oX for XML.

With all of these options, we can throw together some examples.

To check DHCP: nmap -sU -p U:67

Stealthy TCP service scan and output: nmap -T2 -sS -oX router_ports

Check the whole network for up devices: nmap -sn

Standard good in-depth scan: nmap -v -A -T4
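Since XML is the output format to work with, here is an added example (not from the original post) of reading the file that an -oX scan like the router_ports one above writes: it parses the hosts, ports, states and service versions with Python's standard library and then flags open cleartext services, which is what you want from this kind of report when scanning your own network. The sample XML, the address, the service versions and the set of cleartext services are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -sS -sU -sV -oX router_ports <target>`
# writes; the address and service versions are made up for this example.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.60">
<host><status state="up" reason="arp-response"/>
<address addr="192.0.2.1" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
 <service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="23"><state state="open" reason="syn-ack"/>
 <service name="telnet"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/>
 <service name="https"/></port>
<port protocol="udp" portid="67"><state state="open|filtered" reason="no-response"/>
 <service name="dhcps"/></port>
</ports></host>
<host><status state="down" reason="no-response"/>
<address addr="192.0.2.2" addrtype="ipv4"/></host>
</nmaprun>"""

# Services that send credentials in the clear; when scanning your own
# network these are the first to surface. (Set chosen for this example.)
CLEARTEXT_SERVICES = {"telnet", "ftp", "http"}

def parse_nmap_xml(xml_text):
    """Return one dict per port on every host Nmap reported as up."""
    records = []
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue  # down hosts carry no <ports> element
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.findall("ports/port"):
            state, svc = port.find("state"), port.find("service")
            svc_attrs = svc.attrib if svc is not None else {}  # may be absent
            records.append({
                "host": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state"),    # the value --open filters on
                "reason": state.get("reason"),  # what --reason would print
                "service": svc_attrs.get("name", ""),
                "version": " ".join(v for v in (svc_attrs.get("product"),
                                                svc_attrs.get("version")) if v),
            })
    return records

def open_ports(records):
    """Definite opens only: UDP 'open|filtered' means the probe got no reply."""
    return [r for r in records if r["state"] == "open"]

def cleartext_exposures(records):
    return [f'{r["host"]}:{r["port"]}/{r["proto"]} ({r["service"]})'
            for r in open_ports(records) if r["service"] in CLEARTEXT_SERVICES]
```

Note that the UDP port 67 comes back as open|filtered with reason no-response, which is the "UDP may just ignore you" case from above; open_ports() deliberately leaves it out.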

Of course there are many other things you can do, and this only scratches the surface; however, this should help get someone off to a good start to begin some impressive network recon. The main thing to keep in mind is that the results can be misleading, deceiving, or just plain wrong. This is why information gathering is important and many tools should be used. At the very least, this should give a start to gain some insight into devices and devise more ways to gain information and later go on the attack.

Tuesday, January 30, 2018

Programming: GUI with wxHaskell

So recently I have been getting back into some programming, and I figured messing around with a GUI would make me feel a little more accomplished. So to keep things simple, I made a temperature converter because it's simple and the documentation for wxHaskell is a bit hard for me.

I'm sure my design is absolutely terrible, but it works. Feel free to complain about my design. At the very least, it shows how to use a few components. If I get some time I may create something that shows as many components as I can work out.
