Tuesday, 25 September 2012

How to setup Github access in Backtrack 5

Hey guys,

Today I wanted to write a quick tutorial on using github and some of the issues I encountered. I wanted to perform a really simple task but the help pages on the github site were confusing and overall pretty useless.

So what did I want to do?

I wanted to get involved with the BeEF project (https://github.com/beefproject/beef/wiki). I had worked on improving the Pretty Theft module and thought I would submit my work to see if anyone was interested in it. Sounds simple enough right? Hmmm... :)

What's Github?

Github is essentially a source code repository and project collaboration site. It's great for open source projects as users can download the source, modify it and then submit their changes. If the original author likes the changes they keep the new version and the project gets better and better over time thanks to user submissions.

How do you download code from github?

Create an account at www.github.com, go to the project page you're interested in and press the "Fork" button in the top right of the screen. That will create a copy of the code for your own personal use. To actually start editing the code I switched over to my Backtrack 5 (BT5R3) machine and downloaded the code with the command:

git clone https://github.com/pwndizzle/beef.git

The address for your fork should be on your forked page on github. For me, my user account was pwndizzle and beef.git is the source for the beef project. BT5R3 already has git installed so you should have no trouble with this command.

How to update git in BT5? How to change repositories in BT5?

Although BT5R3 has git installed it is not the latest version. Running the command "git --version" I get version 1.7.0.4, and even after an "apt-get install git-core" I was not able to get the latest version. Why is this an issue you might ask? Well, later, when trying to upload to github, I was getting the error:

Error: The requested URL returned error: 403 while accessing
# https://github.com/user/repo.git/info/refs
# fatal: HTTP request failed

This link has more info: https://help.github.com/articles/https-cloning-errors

To address this issue I managed to update git by adding the ubuntu repositories to /etc/apt/sources.list and then performing an "apt-get update" followed by "apt-get install git-core". I added the following repositories to the sources.list file:

deb http://archive.ubuntu.com/ubuntu/ precise main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ precise main restricted universe multiverse
deb http://archive.ubuntu.com/ubuntu/ precise-updates main restricted universe multiverse
deb-src http://archive.ubuntu.com/ubuntu/ precise-updates main restricted universe multiverse

The command "git --version" should now show up as 1.7.9.5 and we won't get upload errors later on.

How to upload files to github?

Once you have locally edited some of the files in the clone you'll want to upload them to github. First I set my username that would be used when submitting files:

git config --global user.name "pwndizzle"

I was then ready to push my changes to the github website. This is a three-stage process: first you choose which files you would like to include using the add command, then you confirm using the commit command, and finally you upload the changes to github with git push. To find out the current state of your clone you can use the "git status" command at any time from within your local clone folder.

Here are the commands:

git add /yourpath/yourfile1
git add /yourpath/yourfile2

git commit -m "Add your message here, e.g. Updating files 1 and 2"

git push origin master

The changes I had made on my machine were now incorporated into my fork on the github site and I was able to share these changes with others. The final question is how do you send the original author your changes? Go to your fork page and click "Pull Request", fill in the forms and submit. Done!
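As an added example (not code from the post or from the BeEF project), this script runs the add/commit/push sequence described above offline, against a local bare repository standing in for the fork on github, and checks a "git --version" banner against 1.7.9.5, the version that cleared the 403 error. The file names, e-mail address and file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): the three-stage git workflow run
# offline against a local bare repo, plus a check of the `git --version` string.

# version_ge VER MIN: return 0 if dotted version VER is >= MIN (1.7.0.4 < 1.7.9.5).
version_ge() {
    i=1
    while :; do
        a=$(printf '%s.' "$1" | cut -d. -f"$i")   # trailing dot: no-delimiter edge case
        b=$(printf '%s.' "$2" | cut -d. -f"$i")
        [ -z "$a" ] && [ -z "$b" ] && return 0   # ran out of components: equal
        a=${a:-0}; b=${b:-0}
        [ "$a" -gt "$b" ] && return 0
        [ "$a" -lt "$b" ] && return 1
        i=$((i + 1))
    done
}

# git_version_ok "git version X.Y.Z" MIN: parse `git --version` output and compare
# it with the version that fixed the HTTPS 403 push error in the post (1.7.9.5).
git_version_ok() {
    v=$(printf '%s' "$1" | sed -n 's/^git version \([0-9][0-9.]*\).*/\1/p')
    [ -n "$v" ] || return 2                      # not git's version banner
    version_ge "$v" "$2"
}

# demo_push_workflow: add, commit and push in a temp directory, then print the
# remote's log to prove the push landed. Runs in a subshell so the caller's
# working directory is untouched.
demo_push_workflow() (
    work=$(mktemp -d) || exit 1
    git init -q --bare "$work/fork.git"           # stands in for the fork on github
    git clone -q "$work/fork.git" "$work/beef" 2>/dev/null
    cd "$work/beef" || exit 1
    git config user.name "pwndizzle"              # per-repo here instead of --global
    git config user.email "pwndizzle@example.invalid"   # constructed address
    printf 'pretty theft v2\n' > yourfile1        # constructed file contents
    printf 'helper\n' > yourfile2
    git add yourfile1 yourfile2                   # stage 1: choose the files
    git commit -q -m "Updating files 1 and 2"     # stage 2: confirm
    git push -q origin HEAD:master                # stage 3: upload to the remote
    git --git-dir="$work/fork.git" log --oneline master
    rm -rf "$work"
)

if command -v git >/dev/null 2>&1; then
    if git_version_ok "$(git --version)" 1.7.9.5; then
        echo "git is at least 1.7.9.5: HTTPS push should work"
    else
        echo "git is older than 1.7.9.5: expect the 403 error on push"
    fi
    demo_push_workflow
fi
```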

Next post I'll be talking about my work with BeEF :)

Pwndizzle

Thursday, 6 September 2012

How to setup VirtualBox with BackTrack 5 and XP

Hey guys,

This is the follow-up from the previous post where I was talking about migrating from VMware to VirtualBox. After doing some googling I came across this guide:

https://blogs.oracle.com/fatbloke/entry/migrating_from_vmware_to_virtualbox

This guide recommends exporting the VMware image as a vmdk/ovf and then importing it into VirtualBox. I followed the guide but unfortunately when booting in VirtualBox I got the error:

"Error loading operating system"

In an attempt to address potential Windows errors I downloaded a copy of Spotmau PowerSuite 2009 and tried to repair the Windows installation. This had no effect. However, I was able to mount the drive and access my files. I think the real issue was the change in virtual hardware; the post here details a potential workaround:

https://www.virtualbox.org/wiki/Migrate_Windows

Like in my previous post, the easiest option is usually the best, so I decided to just re-install Windows XP from ISO on VirtualBox and within 10 minutes I was up and running. This is super simple on VirtualBox: just create a new machine with all default settings, open the settings for the machine, go to storage and select the CD icon. On the right just browse to your ISO and press OK. Start the machine and it should boot from CD.

With BackTrack and XP both up and running the next thing on the list was networking.

By default the machines are set to use NAT. VirtualBox creates a virtual router that the virtual machines connect to and grab addresses from a virtual DHCP server. NAT allows the machines to access the outside internet; however, it does not permit communication between virtual machines. As I'm going to be attacking my machines I'm going to need to communicate with them. So instead of NAT I'm going to be using Bridged mode.

In Bridged mode VirtualBox uses a device driver on the host system to intercept virtual machine traffic from the physical network adapter. This configuration allows different virtual machines to connect to each other as well as the internet.

To configure Bridged networking, go to the settings for your machine, select network and then select "Bridged Adapter" from the "Attached to:" menu. Under advanced I also configured promiscuous mode to "Allow VM". In simple terms the promiscuous mode setting defines what traffic will be visible when you sniff the network interface in your virtual machine. I'm using my wireless adapter for the bridge and for regular internet surfing, so if I were to select "Allow all" this traffic would clog up my sniffer. I'm only interested in sniffing the traffic moving between my virtual machines, so I selected "Allow VM". Remember, though, that in a standard switched network you will effectively be working under the "Deny" setting, as traffic not destined for your IP would not be forwarded to your switch port!

More info on network settings: http://www.virtualbox.org/manual/ch06.html

Once the changes have been made reset your VMs and they should now all be able to attack/talk to each other. Also remember to disable Windows firewall!

Your lab is now ready for use! Go grab a few different versions of Internet Explorer/Java/Adobe and get exploiting :)


PwnDizzle

Wednesday, 5 September 2012

Updating BackTrack, Metasploit and switching to VirtualBox

Hey guys,

Recently I've been trying to update Backtrack and Metasploit, as well as connect up the PostgreSQL database to Metasploit. I've had some difficulties and thought I'd make a quick post to talk about the issues I've encountered and some of the solutions.

For a long while I was using BT5R1 in VMware Workstation 7, which I had upgraded to BT5R2. I wanted to upgrade to BT5R3 but both the ISO and vmware image I had downloaded from the Backtrack site were giving me errors. Every time the system was booting I received the error:

"The CPU has been disabled by the guest operating system."

After hours of googling and tweaking settings I couldn't find a solution. Frustrating, but these things happen; if anyone knows a fix I'd be interested to know. Anyhow, there's more than one way to skin a cat so I decided to perform an update from the repository instead.

apt-get update && apt-get dist-upgrade

Followed by an installation of the new tools, check out the link below:

http://www.backtrack-linux.org/backtrack/upgrade-from-backtrack-5-r2-to-backtrack-5-r3/

This update sorted me right out, at least I thought it had...

When I went to run msfupdate it no longer worked and was giving me an error saying my SVN client was too old. At this point I decided to completely remove Metasploit and grab the latest version using SVN as per the advice here:

https://community.rapid7.com/thread/2293


rm -rf /opt/framework/msf3/*
svn co https://metasploit.com/svn/framework3/trunk/ /opt/framework/msf3

The version under /opt/framework/msf3 was now up to date, but did not have database functionality. When trying to do a db_connect I received the error "no database driver installed". I played around with this for a while but couldn't get it working and gave up. More info can be found here:

http://www.backtrack-linux.org/forums/showthread.php?t=40411
http://www.backtrack-linux.org/forums/showthread.php?t=40377

I was also confused why the version in /pentest/exploits/framework was different to /opt/framework/msf3. The whole issue of having two versions of Metasploit was confusing me until I came across this post:

http://www.backtrack-linux.org/forums/showthread.php?t=51173

Up to this point I never realized that BackTrack was held together with a huge set of symbolic links (feel free to send me n00b abuse :) ). I think what I should have done originally was remove Metasploit, grab the latest version using svn, then create a symbolic link (ln -s /opt/metasploit/msf3 /pentest/exploits/framework) to ensure the /pentest version used the /opt version. Unfortunately I only realized this as I was writing this post! (A nice post on symbolic links: http://www.cyberciti.biz/tips/understanding-unixlinux-symbolic-soft-and-hard-links.html)

So just to re-cap, new versions of BackTrack (both vmx and iso) wouldn't work for me in VMware, I was having issues updating Metasploit and to top it off Metasploit database integration had also stopped working! It wasn't looking good.

The major issue was that I couldn't load up a clean copy of BackTrack. Everything works fine from a clean copy so if I could somehow get a clean copy to load I'd be all sorted. This is where VirtualBox comes in. I'd used VirtualBox in the past and found it to be fairly solid, but had switched to VMware as it's what I had used on my corporate machine. With all the issues I had been having I thought I'd try firing up a clean version of the latest BackTrack iso in VirtualBox. Lo and behold it worked! I felt like an idiot, I'd wasted so much time chasing all these issues, why hadn't I just done this in the first place?

With the fresh copy installed in VirtualBox both msfupdate and the Metasploit database work fine. Now I just need to transfer over my Windows images from VMware. I assumed it would be a straightforward import, but it turns out there's even more tweaking to be done due to the fact that the installed kernel and drivers depend on the underlying (virtual) hardware. This means that you can't simply *transfer* a Windows VMware image into VirtualBox.

Hopefully I can figure this out today and I'll put up a post with a step by step.

As a side note, I'm no expert when it comes to Metasploit. I have no doubt there are probably some really easy solutions to the things above, I just couldn't find them on google. If anyone can explain any of the issues or solutions to me better please leave a comment as I'm eager to learn :)

PwnDizzle

Monday, 3 September 2012

CEH vs OSCP vs GPEN

Hey guys,

It's been an interesting few months for me, I moved to Manila, attended BlackHat 2012 in Vegas and I've completed my CEH, OSCP and GPEN certs. Time just seems to have flown by.

Anyhow, today I wanted to compare and contrast the CEH, OSCP and GPEN certifications. Hopefully it might provide some guidance to those folks interested in qualifications who don't know what to go for, what content is covered by each and whether it's ultimately worth doing or not.


So first up, Certified Ethical Hacker (version 7) by EC-Council: http://www.eccouncil.org/courses/certified_ethical_hacker.aspx

I completed this back in May and from what I remember it was heavily theory based (and at times not even the most relevant theory). The cert quite often focused on the basics, for example, what is DNS, what is a virus/worm/rootkit, the ins and outs of WPA/WEP, symmetric vs asymmetric encryption and key lengths and block sizes. Now while this is all excellent information I couldn't help wondering how useful this would actually be for most people on a day to day basis. So good information that's worth knowing, but maybe not all that relevant. And the one big thing missing from the CEH is some decent hands-on activities. They do give you a disc with some crappy Windows tools and some simple exercises but it would be better just to have some exercises using the more powerful (and more relevant) tools in BackTrack.

For someone starting out in security this is a great introduction; they cover the basics as well as the most commonly used attack vectors. For me personally though, I found the material too dated, too high level and without good quality practical exercises; at times I found myself bored and unmotivated.

Cost: $500 for exam only ($1000+ for course materials)
Rating: 6/10



Next up is the Offensive Security Certified Professional course offered by Offensive Security (the makers of BackTrack): http://www.offensive-security.com/information-security-certifications/oscp-offensive-security-certified-professional/

Wow, what a course. I started this back in October 2011 and after months of reviewing the material and working through the lab, I finally passed the exam in May 2012. This course is not for the faint hearted! There are two components, the study materials (videos/pdf textbook) and the lab. The course materials are very practical; every concept and activity is accompanied and demonstrated by a real example, and you are given exercises to complete for each section. The course covers what you actually need to be a certified ethical hacker (unlike the CEH!). It follows the usual attack methodology, recon/scanning/exploitation/persistence/pivoting, and for each step you're guided through the theory, which tools to use and how to use the information you gain.

The lab is where the OSCP really shines. You are thrown into a virtual lab environment with 50 machines situated on different networks all with various vulnerabilities and hidden surprises. Your challenge is to hack your way through to the admin machines deep in the network. Putting theory into practice was such a great learning experience and I learnt that knowing theory and putting theory into practice are two very different things. A lot of what you need for the lab is not covered in the course material and you are forced to do background reading and research. It's this which separates the OSCP from other certifications. The OSCP motto - "Try Harder".

The exam is the icing on the cake. Instead of the usual multiple choice exam bullshit, you are challenged to hack a series of machines within 24 hours. It's pretty crazy but a hell of a lot of fun. Oh, and you are required to submit a real-life pentest report of all your activities in the lab!

Cost: ~$1500 (I extended my lab time a few times)
Rating: 10/10 



And last but not least, SANS 560 - Network Penetration Testing and Ethical Hacking (GPEN): http://www.sans.org/course/network-penetration-testing-ethical-hacking

I completed the multiple choice exam for this last week and after the OSCP I felt a little let down by this course. The material was decent; I completed the OnDemand version which was a series of powerpoint slides with narration by Ed Skoudis. Ed was really entertaining and did a great job of keeping the material interesting and relevant. My issue with this course was the depth. Whilst the content they covered was spot on, I felt they could have gone into more detail; in fact I wanted them to go into more detail. It's a shame that the material is written to fit in with the 6 day course because they ultimately have to compromise on the quality of the course. Ed, if you're reading this, why not offer an online version that is twice as long and covers everything?

My favorite aspect of the course was the emphasis on providing business value. Logistically what is the best way to perform a penetration test? There's a lot to consider and Ed does a great job of breaking the tasks down and showing you how to effectively structure a full penetration test. He gives plenty of useful tips as well, for example, for large networks only scanning a subset of representative machines or obtaining firewall rules to reduce the time/cost of the test. And he gives a great overview of how to write an awesome final report.

Perhaps the biggest issue with this course is the price. For the course and exam it costs just under $5000 which for a set of online videos (only valid for 3 months) and a pile of books is a little overpriced to say the least.

Cost: ~$5000
Rating: 8/10


Summary

Certs are cool, it's great to learn new things and brush up on the old. (And it's cool to have some new letters after my name.) Employers like certs, it shows that you know stuff and they will be more likely to choose you over someone with no certs. I learnt a lot doing all three certs; the OSCP was my favorite by far but it really is a baptism of fire and you need to be dedicated to it. The others were useful but more as a CV filler.

It was interesting at BlackHat and Defcon how a lot of people frowned on certs and tbh I do agree with them. For example both the CEH and GPEN used relatively easy 150 question multiple choice exams and the GPEN was open book. Realistically they aren't that hard to pass. So should you employ someone with these certs? Yes of course! Should you expect them to be super 1337? No. But how else can you judge if someone knows their shit? Experience alone?

I think what people don't like is that these certs and others (I'm looking at you CISSP) are a convenient way for non-security and even non-IT folks to get into IT security when they have no real experience. More people working in security is great but inexperienced people deploying security in Fortune 500 companies is probably not a good idea.

OSCPs (and OSCEs) are the exception to the rule; if you ever meet one of this rare breed, give them a pat on the back, they earned it.

This is pwndizzle, over and out.