Tuesday, February 9, 2016

OWASP New Zealand Day 2016

Last week I spoke at OWASP Day in Auckland, New Zealand. It was all security and fun, and it drew a bigger crowd than expected, roughly 600 people.

You can view the synopsis of my talk and bio here:

https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2016#tab=Speakers_List

The presentation slides will be available soon here:

https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2016#tab=Presentation_Schedule

It was a pleasure meeting the organisers and all the security-minded people out there. Please feel free to post any questions if you didn't get a chance to ask them.

Stay tuned!!!

Sunday, July 26, 2015

Update nessus from command line [Mac Yosemite]

Very often I have run into problems updating the Nessus Home Feed plugins and components. This is the usual message from Nessus:



The following commands can be used to update Nessus plugins on Yosemite if updating via the web interface fails:

To update plugins:

cd /Library/Nessus/run/sbin
sudo ./nessuscli update

To update plugins and components:

sudo ./nessuscli update --all

To update just the plugins:

sudo ./nessuscli update --plugins-only

Monday, February 9, 2015

Exploiting SSH key based authentication

This is a quick post, intended as a reference note for me (and for you all).

Recently I exploited a vulnerability to get a shell on a remote system, remotely over an SSH connection :) The prerequisites are:

1. The remote server must have the SSH service running.
2. The remote server must have the Vagrant module installed.
3. The server must support key-based authentication.

To detect whether the server has the Vagrant module installed, browse to http://example.com/vagrantfile. This should prompt you to download a file. Refer here for information on the Vagrantfile.

When Vagrant is installed on the box, it creates a default user called vagrant with www rights and accepts incoming SSH connections for the vagrant user from anyone holding the matching keys. The keys are publicly known and can be downloaded from here. To exploit this, replace these keys with your own public and private keys, or use the command below:

ssh -i <key_files> vagrant@<remote_server_ip>

And there you go: you get a shell instantly and own the box :)
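From the defender's side, the fix is to find and remove any authorized_keys entry whose key pair is public knowledge. The Ruby script below is an added example, not code from the original post: it audits an authorized_keys file against a list of known public keys, matching on the key type and base64 blob rather than on the comment (which anyone can edit). The known-key blob and the sample authorized_keys content are constructed placeholders; the real Vagrant insecure public key is published in the Vagrant repository and would be pasted into KNOWN_PUBLIC_KEYS.

```ruby
# Audit an authorized_keys file for publicly known key pairs (added example).
# A key is identified by its type and base64 blob; the trailing comment is free
# text and must not be trusted as an identifier.

KEY_TYPES = %w[ssh-rsa ssh-dss ssh-ed25519 ecdsa-sha2-nistp256
               ecdsa-sha2-nistp384 ecdsa-sha2-nistp521].freeze

# Constructed stand-in for the known-key list. The real Vagrant insecure public
# key is published in the Vagrant repository; put its type and blob here.
KNOWN_PUBLIC_KEYS = [
  { name: 'vagrant insecure key (placeholder blob)',
    type: 'ssh-rsa',
    blob: 'AAAAB3NzaC1yc2EAAAADAQABAAAAgQCPLACEHOLDERvagrant0000000000000000000=' }
].freeze

# Constructed sample of /home/vagrant/.ssh/authorized_keys. Line 4 carries the
# same blob as line 2 under a different comment.
SAMPLE_AUTHORIZED_KEYS = <<~KEYS
  # vagrant user keys (constructed sample)
  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCPLACEHOLDERvagrant0000000000000000000= vagrant insecure public key
  command="/usr/bin/backup",no-pty ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedBlob000000000000000000000 backup@host
  ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCPLACEHOLDERvagrant0000000000000000000= renamed@laptop
KEYS

# Split one authorized_keys line into options, key type, blob and comment.
# Options may precede the type (e.g. command="...",no-pty); the type token is
# located first, so quoted options containing spaces still land in :options.
def parse_authorized_key(line)
  line = line.strip
  return nil if line.empty? || line.start_with?('#')
  tokens = line.split(/\s+/)
  idx = tokens.index { |t| KEY_TYPES.include?(t) }
  return nil if idx.nil? || tokens[idx + 1].nil?
  { options: tokens[0...idx].join(' '),
    type: tokens[idx],
    blob: tokens[idx + 1],
    comment: tokens[(idx + 2)..-1].join(' ') }
end

# Return one finding per line whose (type, blob) matches a known public key.
def audit_authorized_keys(content, known_keys)
  findings = []
  content.each_line.with_index(1) do |line, lineno|
    entry = parse_authorized_key(line)
    next unless entry
    match = known_keys.find { |k| k[:type] == entry[:type] && k[:blob] == entry[:blob] }
    findings << { line: lineno, comment: entry[:comment], known_as: match[:name] } if match
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  content = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_AUTHORIZED_KEYS
  findings = audit_authorized_keys(content, KNOWN_PUBLIC_KEYS)
  findings.each do |f|
    puts "line #{f[:line]}: known public key (#{f[:known_as]}), comment '#{f[:comment]}'"
  end
  puts 'Remove the matching lines and provision a freshly generated key pair.' unless findings.empty?
end
```

Run it as `ruby audit_keys.rb /home/vagrant/.ssh/authorized_keys` on a box you administer; with no argument it audits the constructed sample and reports lines 2 and 4. The second match shows why the comment is ignored: renaming a key's comment does not change the key.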

Happy testing and hacking!!!


Monday, October 13, 2014

Way to go – CREST Certified

Monday morning and you hear the great news. How does it feel? I just received an email from CREST Australia that I have cleared the exam and am now a CREST certified professional :) I'm all excited :)

For people who do not know about the certification, it's an industry-standard IT security certification for penetration testers that certifies that the individual follows best-practice methodologies and the highest standards of test hygiene and conduct (applicable when performing any technical security assessment). Additionally, the certification also gives the buyer confidence that the work will be carried out with up-to-date knowledge of the latest vulnerabilities and techniques used by real attackers.

The experience and pattern of the exam are simply amazing. The pattern actually tests the knowledge of the individual, with both written and practical components. It's not all about memorising or mugging up stuff. You actually have to demonstrate your pentesting skills under a time restriction. And yes, it's completely different from any other paper-based examination.

Unfortunately I cannot disclose much about the exam as I'm bound by the CREST NDA (as all other candidates are). As a tip, all I can say is to go through the syllabus thoroughly and prepare well for the practicals, as they are the most time-consuming and should take the major chunk of your preparation.


All the best and cheers :)

Tuesday, August 19, 2014

Utilizing the Metasploit Database in a Network Pentest

What's the first thing that comes to your mind when you think of doing a network pentest of over 1000 IPs in a couple of weeks? Is it really possible? The answer is YES!!!

My ONLY choice is the Metasploit Database. This handy tool is so awesome that it not only lets you exploit vulnerabilities directly from the Metasploit console but also saves plenty of time and keeps you out of a messy situation. So how do you start?

Fire up Metasploit and type the db_status command to check whether the Metasploit database is set up. If not, refer here, here and here to set it up. Assuming you have everything set up, let's get started.
  • Grab the list of subnets that are in scope.
  • Detect live hosts (nmap -sP <Subnet_IP>) and dump those IPs into a text file, e.g. ip.txt. This step will take a bit of formatting effort.
  • Fire up nmap to start the network scans [and keep it running]. Note that the Metasploit DB imports XML-formatted output; this is the easiest way to get things running smoothly.
  • The following is the most efficient nmap command for TCP scans. Obviously, this part will take a long time to complete, as there is a bunch of IP addresses to scan.

    sudo nmap -sV -v -O -Pn -iL ip.txt -oX network-scan.xml

    Add -sU in case you want to perform UDP scans as well.
  • Leave the scans running overnight and they should be complete the next morning when you come back to hack :)
  • Next, import the nmap XML output file into Metasploit. Here's how you connect to the Metasploit DB:

    db_connect <username>:<password>@localhost:5432/<database_name>

  • Create a workspace to import the scan results into and keep things organised. The Metasploit command for this is:

    workspace -a <Workspace_name>

    Refer here for all Metasploit database commands.
  • Now it's time to import your nmap results into the Metasploit database. To import the XML file, do:

    db_import <Path_of_XML_file>

  • Now you are ready to go and exploit, utilising all the Metasploit exploits :)

The takeaways from this approach are:
  • You can utilize all Metasploit exploits within seconds.
  • Use the -R switch to import the RHOSTS list directly into an exploit.
  • Conduct pentests in the most structured and organised manner.
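To show what db_import actually consumes, and what the -R switch hands to a module, here is an added Ruby example (not code from the original post, not Metasploit's own importer): it parses the nmap -oX output with Ruby's standard-library REXML, keeps only hosts that are up and ports that are open, and produces the RHOSTS list for a given port, which is what `services -p <port> -R` does inside msfconsole. The nmap XML embedded below is a constructed, trimmed sample, not a real scan.

```ruby
require 'rexml/document'

# Constructed sample of nmap -oX output (not a real scan), trimmed to the
# elements this parser reads: host status, IPv4 address, and port/service entries.
SAMPLE_NMAP_XML = <<~XML
  <nmaprun scanner="nmap" args="nmap -sV -O -Pn -iL ip.txt -oX network-scan.xml">
    <host><status state="up" reason="user-set"/>
      <address addr="10.0.0.5" addrtype="ipv4"/>
      <ports>
        <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="6.6.1p1"/></port>
        <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
      </ports>
    </host>
    <host><status state="up" reason="user-set"/>
      <address addr="10.0.0.9" addrtype="ipv4"/>
      <ports>
        <port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/><service name="microsoft-ds"/></port>
        <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" version="2.4.7"/></port>
      </ports>
    </host>
    <host><status state="down" reason="no-response"/>
      <address addr="10.0.0.12" addrtype="ipv4"/>
    </host>
  </nmaprun>
XML

# Parse nmap XML into an array of host hashes:
#   { ip: "10.0.0.5", services: [{ port: 22, proto: "tcp", name: "ssh", product: "OpenSSH 6.6.1p1" }, ...] }
# Only hosts reported "up" and ports reported "open" are kept, which mirrors
# what the `hosts` and `services` tables show after db_import.
def parse_nmap_xml(xml)
  doc = REXML::Document.new(xml)
  hosts = []
  doc.elements.each('nmaprun/host') do |host|
    status = host.elements['status']
    next unless status && status.attributes['state'] == 'up'
    addr = host.elements["address[@addrtype='ipv4']"]
    next unless addr
    services = []
    host.elements.each('ports/port') do |port|
      state = port.elements['state']
      next unless state && state.attributes['state'] == 'open'
      svc = port.elements['service']
      product = svc ? [svc.attributes['product'], svc.attributes['version']].compact.join(' ') : ''
      services << { port: port.attributes['portid'].to_i,
                    proto: port.attributes['protocol'],
                    name: svc ? svc.attributes['name'] : '',
                    product: product }
    end
    hosts << { ip: addr.attributes['addr'], services: services }
  end
  hosts
end

# Equivalent of `services -p <port> -R` in msfconsole: the IPs with that port
# open, i.e. the RHOSTS list you would feed to a module.
def rhosts_for_port(hosts, port, proto = 'tcp')
  hosts.select { |h| h[:services].any? { |s| s[:port] == port && s[:proto] == proto } }
       .map { |h| h[:ip] }
end

# Write the RHOSTS list to a file, one IP per line (the same format as ip.txt).
def write_rhosts(hosts, port, path)
  ips = rhosts_for_port(hosts, port)
  File.write(path, ips.join("\n") + "\n")
  ips.size
end

if __FILE__ == $PROGRAM_NAME
  xml = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_NMAP_XML   # e.g. network-scan.xml
  hosts = parse_nmap_xml(xml)
  hosts.each do |h|
    puts h[:ip]
    h[:services].each { |s| puts "  #{s[:port]}/#{s[:proto]} #{s[:name]} #{s[:product]}".rstrip }
  end
  puts "hosts with 445/tcp open: #{rhosts_for_port(hosts, 445).inspect}"
end
```

Point it at your own network-scan.xml (`ruby nmap_rhosts.rb network-scan.xml`) to see the host and service list before importing, which is a quick sanity check that the scan finished cleanly; filtered ports are dropped on purpose, since a module fed a filtered host just wastes time.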

Happy Hacking!!!


Monday, June 30, 2014

Local Data Storage Analysis with iOS Simulator

There are times when a penetration tester is not able to install an iOS application on a physical device while performing an iOS application security assessment. This can happen for various reasons:
  • The application does not support your iOS firmware version
  • The pentester does not own an iOS device, or the device is not jailbroken
  • The pentester cannot install the .IPA file using iTunes

If one of the above has happened to you, then you need to go back to the customer and ask for the application's Xcode project. Once you have it, open the xcworkspace file in Xcode and simply run the code. Ensure you select an iOS Simulator device to run your application on. Here's how you do this:

Xcode → Product → Destination → Choose Device



Once you have done this, you should be able to run your application in the iOS Simulator. What next?

Next, I would suggest you browse the application, input data, create records, etc. This makes the application behave as it would in a real environment and lets it do all its scary stuff on your Simulator.

To inspect what the application has stored locally, browse to the paths below (using Finder or Terminal):

~/Library/Application Support/iPhone Simulator/7.0.3/Applications/<UNIQUE_ID>/Documents
~/Library/Application Support/iPhone Simulator/7.0.3/Applications/<UNIQUE_ID>/Library

In the above locations, you should see the folders below:

Caches - Stores application database files
Preferences - Stores application .plist files

You can now view the .plist files using any text editor and the database files using SQLiteStudio (a free, lightweight utility). The tool is really simple to operate and gets you what you are looking for very quickly.
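Manually opening every file under Documents and Library gets tedious once the app has written a few dozen of them, so here is an added Ruby example (not code from the original post) that triages an app container the way the inspection above does by hand: it identifies SQLite databases by their file header rather than by extension, parses XML plists with REXML, and flags preference keys whose names suggest credentials or session material. Binary plists (the "bplist" header) are reported as unparsed; `plutil -convert xml1 <file>` turns them into XML first. The sample container it builds in a temporary directory is constructed to mimic the Simulator layout and is not a real application's data.

```ruby
require 'rexml/document'
require 'fileutils'
require 'tmpdir'

# First 16 bytes of every SQLite 3 database file; lets us spot databases that
# do not carry a .sqlite or .db extension.
SQLITE_MAGIC = "SQLite format 3\0".b
# Key names worth a second look in locally stored preferences (constructed list).
SENSITIVE_KEY = /pass|pwd|token|secret|session|auth|cred|api.?key/i

def sqlite_file?(path)
  File.open(path, 'rb') { |f| f.read(16) } == SQLITE_MAGIC
end

# Flatten the top-level <dict> of an XML plist into { "outer.inner" => "value" }.
# Returns nil for binary or malformed plists (convert them with plutil -convert xml1).
def plist_entries(xml)
  return nil if xml.start_with?('bplist')      # Apple binary plist magic
  doc = REXML::Document.new(xml)
  root = doc.elements['plist/dict']
  root ? walk_dict(root, '') : {}
rescue REXML::ParseException, ArgumentError
  nil
end

def walk_dict(dict, prefix)
  out = {}
  dict.elements.to_a.each_slice(2) do |key_el, val_el|   # plist dicts alternate <key>/<value>
    next unless key_el.name == 'key' && val_el
    key = prefix.empty? ? key_el.text.to_s : "#{prefix}.#{key_el.text}"
    if val_el.name == 'dict'
      out.merge!(walk_dict(val_el, key))
    elsif %w[true false].include?(val_el.name)
      out[key] = val_el.name
    else
      out[key] = val_el.text.to_s
    end
  end
  out
end

# Walk an app container (Documents + Library) and report databases, plists and
# plist keys that look like credentials or session material.
def scan_container(dir)
  report = { databases: [], plists: [], unparsed: [], suspicious: [] }
  Dir.glob(File.join(dir, '**', '*')).sort.each do |path|
    next unless File.file?(path)
    rel = path.sub("#{dir}/", '')
    if sqlite_file?(path)
      report[:databases] << rel
    elsif path.end_with?('.plist')
      report[:plists] << rel
      entries = plist_entries(File.read(path))
      if entries.nil?
        report[:unparsed] << rel
      else
        entries.each do |k, v|
          report[:suspicious] << { file: rel, key: k, value: v } if k =~ SENSITIVE_KEY
        end
      end
    end
  end
  report
end

# Build a constructed container that mimics the Simulator layout (not a real app).
def build_sample_container(base)
  docs = File.join(base, 'Documents')
  prefs = File.join(base, 'Library', 'Preferences')
  caches = File.join(base, 'Library', 'Caches')
  [docs, prefs, caches].each { |d| FileUtils.mkdir_p(d) }
  File.binwrite(File.join(caches, 'records.data'), SQLITE_MAGIC + ("\0" * 84))
  File.write(File.join(docs, 'notes.txt'), 'plain text, not a database')
  File.write(File.join(prefs, 'com.example.app.plist'), <<~XML)
    <?xml version="1.0" encoding="UTF-8"?>
    <plist version="1.0">
    <dict>
      <key>username</key><string>alice</string>
      <key>sessionToken</key><string>CONSTRUCTED-TOKEN-123</string>
      <key>settings</key>
      <dict>
        <key>rememberPassword</key><true/>
        <key>apiKey</key><string>CONSTRUCTED-KEY</string>
      </dict>
    </dict>
    </plist>
  XML
  base
end

if __FILE__ == $PROGRAM_NAME
  dir = ARGV[0] || build_sample_container(Dir.mktmpdir('sim-app'))   # e.g. .../Applications/<UNIQUE_ID>
  report = scan_container(dir)
  puts "databases: #{report[:databases].inspect}"
  puts "plists:    #{report[:plists].inspect}"
  puts "unparsed:  #{report[:unparsed].inspect}"
  report[:suspicious].each { |s| puts "#{s[:file]}: #{s[:key]} = #{s[:value]}" }
end
```

Run it as `ruby scan_container.rb "~/Library/Application Support/iPhone Simulator/7.0.3/Applications/<UNIQUE_ID>"` to get the list of database files to open in SQLiteStudio and the plist keys to read first; a plaintext token or password in Preferences is exactly the finding this inspection is looking for.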


Happy Reading!!!

Monday, March 17, 2014

Multiple IP Nessus 5.2 Automation Script

It has always been a pain to run Nessus when you have a long list of IPs to be scanned within a short period of time. This typically happens when you are engaged in an internal pentest and have multiple IPs to scan.

To solve this, I have written a Ruby script which lets Nessus read a list of IPs from a text file, run an individual scan for each, export it to XML format and save a copy of the scan in the Nessus web interface. This script is very similar to my last script, with a few changes to read the IPs from a text file. Please note that you need to install the nessus-xmlrpc gem to get this running.

Here's the Ruby script for running Nessus against multiple IPs:

require 'nessus-xmlrpc'

# Connect to the local Nessus server (default URL; change the credentials)
n = NessusXMLRPC::NessusXMLRPC.new('', 'admin', 'admin')
if n.logged_in
  id, name = n.policy_get_first
  puts "using policy ID: " + id + " with name: " + name
  File.open("ip.txt").each_line do |line|
    target = line.strip          # drop the trailing newline so the IP is clean
    next if target.empty?        # skip blank lines in ip.txt
    uid = n.scan_new(id, target, target)   # scan name and target are both the IP
    puts "scanning for: " + target
    puts "status: " + n.scan_status(uid)
    while not n.scan_finished(uid)
      sleep 10
    end
    content = n.report_file_download(uid)
    # one XML report per IP, e.g. 192.168.1.10_report.xml
    File.open("#{target}_report.xml", 'w') { |f| f.write(content) }
  end
end

Steps to be followed:
  1. Create an ip.txt file and dump your list of IPs there, one per line.
  2. Copy and paste the above script into a file named nessus.rb.
  3. Place both files in the same folder and fire off the command below from your terminal.

 ruby nessus.rb

The output will be saved in the same folder, and a copy of each scan will be available in your Nessus web interface.


Happy Automating!!!