
News Update: Mimikatz/wce/fu.txt/find Proxies On Lan/650Kb/s Over Open Proxy/client Side Html/enum Java, Adobe Reader And Flash/nmap & Oracle


operat0r_001


Mimikatz works, but I have also been using wce.exe and wce32.exe with the -w switch

http://www.ampliasecurity.com/research/wcefaq.html#curversion

09/26/2012 - split up fu and fu ripp ... fu.txt and fu_ripp.txt. also updated masspwdumper.exe to include wce.exe (windows credential editor)

08/27/2012 - fu.txt oclHashcat-plus fu .. I know right... my fu.txt is getting out of hand.

08/19/2012 - quickkill.exe Kills all unknown processes to quickly free up memory! tested XP/Win7

BEFORE 80 .. after 48

07/3/2012 - BREAKOUT This app will attempt to BREAK OUT of protected networks by using input IP,PORT as HTTP and SOCKS proxies

06/10/2012 - 650KB/s over open proxies with downloadthemall/rmccurdy.com/scripts/proxy/proxychains.conf

I will update the proxycheck script to include this bit later.

[image: 650KBs_proxy.jpg]

05/22/2012 - some command line fu

# set power profile via command line

Powercfg.exe /SETACTIVE "Always On"

Powercfg.exe /SETACTIVE "Max Battery"

#Remove the .NET Credentials (Stored User names and Passwords)

Control keymgr.dll

04/24/2012 - Client_Enumeration_Java_Adobe_Reader_flash.zip Client side HTML/Java code to enumerate Java, Adobe Reader and Flash Versions

04/24/2012 - Openvas in Ubuntu

echo 'GSA_HTTP_ONLY=1' >> /etc/default/greenbone-security-assistant

/etc/init.d/greenbone-security-assistant

[ "$GSA_HTTP_ONLY" ] && [ "$GSA_HTTP_ONLY" = 1 ] && DAEMONOPTS="$DAEMONOPTS --http-only"

remove src from sources list along with matching the /etc/lsb-release ver too

add-apt-repository "deb http://download.opensuse.org/repositories/security:/OpenVAS:/STABLE:/v4/xUbuntu_11.XX/ ./"

grep -ia open /etc/apt/sources.list
deb http://download.opensuse.org/repositories/security:/OpenVAS:/STABLE:/v4/xUbuntu_11.04/ ./
#deb-src http://download.opensuse.org/repositories/security:/OpenVAS:/STABLE:/v4/xUbuntu_11.04/ ./

if you still have issues just run 'killall gsad;sleep 5;gsad --http-only --listen=127.0.0.1 -p 9392'

watch -d 'ps axuwww|grep nasl|grep -v grep'

omp -h 127.0.0.1 -p 9390 -u admin -w password -X "$RANDOM`cat in|sed 's/$/,/g'|tr -d '\n'`"

04/18/2012 - update_nmap_oracle_sids_userpass.exe

# sid enum using nmap and metasploits sid.txt 1307 sids in ~8 seconds

nmap -n --script=oracle-sid-brute -p 1521-1560 192.168.1.141

# try 1255 user/pass

# requires valid SID ( default is XE )

# Performed 1245 guesses in 3 seconds, average tps: 415

nmap --script oracle-brute -p 1521-1560 --script-args oracle-brute.sid=XE -n 192.168.1.141

# oracle shell using OAT Oracle Audit Tool

ose.bat -s 192.168.1.141 -u SYS -p CHANGE_ON_INSTALL -d XE -t Windows

04/17/2012 - Metasploit with Oracle !

-------------------------------------------------------------------------------------

following: http://www.metasploit.com/redmine/projects/framework/wiki/OracleUsage

2:10 PM 4/17/2012

-------------------------------------------------------------------------------------

# Remove ruby using apt or synaptic etc ..

apt-get remove ruby

# update and install 1.9.1 dev

apt-get update

apt-get install ruby1.9.1-dev -y

mkdir /opt

mkdir /opt/oracle

# copy zips to /opt/oracle

cp *.zip /opt/oracle

cd /opt/oracle

unzip basic-10.2.0.5.0-linux.zip

unzip sdk-10.2.0.5.0-linux.zip

unzip sqlplus-10.2.0.5.0-linux.zip

cd instantclient_10_2/

ln -s libclntsh.so.10.1 libclntsh.so

# add this to ~/.bashrc and also type it in current shell

export PATH=$PATH:/opt/oracle/instantclient_10_2

export SQLPATH=/opt/oracle/instantclient_10_2

export TNS_ADMIN=/opt/oracle/instantclient_10_2

export LD_LIBRARY_PATH=/opt/oracle/instantclient_10_2

export ORACLE_HOME=/opt/oracle/instantclient_10_2

# wget http://rubyforge.org/frs/download.php/65896/ruby-oci8-2.0.3.tar.gz

tar xvzf ruby-oci8-2.0.3.tar.gz

cd ruby-oci8-2.0.3/

LD_LIBRARY_PATH=/opt/oracle/instantclient_10_2/

export LD_LIBRARY_PATH

make

make install

# download msf .run bin installer

# I had to edit the /pentest/exploits/framework/.svn/entries and add www. to the file so you could run svn update

cd /pentest/exploits/framework/

svn update

# run msfconsole from /pentest/exploits/framework/, not the init script; this will allow for use of YOUR env and not the static one for the MSF binary

cd /pentest/exploits/framework/

./msfconsole

#from msfconsole install ruby-oci8 gem

gem install ruby-oci8

If you still get the missing OCI error, it is all ruby; the oracle client loads after.

# oracle_login needs nmap > 5.50 !

wget http://nmap.org/dist/nmap-5.51.tgz

tar -xvf nmap-5.51.tgz

cd nmap-5.51

./configure

make

make install

ln -s /usr/local/bin/nmap /usr/bin/nmap

--------------- msf stuff ---------

# as always you can spool log.log to save logfile or use screen -L

# brutes ~576 sids will eat targets file

use auxiliary/scanner/oracle/sid_brute

set RHOSTS file://home/rmccurdy/oracle

run

back

# This module attempts to authenticate 568 line USERPASS_FILE list

# requires SID

use auxiliary/scanner/oracle/oracle_login

set RPORTS 1521

set RHOSTS file://home/rmccurdy/oracle

set SID XE

run

back

# needs oci !!!

# This module uses a ~598 line list of well known default authentication credentials to discover easily guessed accounts.

use auxiliary/admin/oracle/oracle_login

set RHOSTS file://home/rmccurdy/oracle

set RPORTS 1521

run

back

# needs oci !!!

# needs full login/password/sid audits database and or user

# https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/oracle/oraenum.rb

use auxiliary/admin/oracle/oraenum

set RHOST 127.0.0.1

set DBPASS TIGER

set DBUSER SCOTT

set SID ORCL

run

back

04/17/2012 - Configuring the Scrollback Buffer

By default, the scrollback buffer only keeps the last 100 lines of text, which is not enough for my typical interaction with Screen. I’ve found a setting of 5000 lines to be more than adequate for my usage. The number of scrollback lines can be configured in your $HOME/.screenrc file, by adding the following line:

defscrollback 5000

04/16/2012 - Block Facebook with Adblock Plus! :

Make new custom filter and add these three filters:

||facebook.com$domain=~www.facebook.com

||facebook.net$domain=~www.facebook.com

||fbcdn.net$domain=~www.facebook.com
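The SID sweeps in the Oracle entries above (nmap's oracle-sid-brute and the Metasploit sid_brute module) are loud on the database side: every guessed SID the listener does not know is written to listener.log as a connect record with status 12505. Added example, not from the original post: a small detector run over constructed listener.log lines (the 10g/11g one-record-per-connect layout, the 60-second window and the threshold of three distinct rejected SIDs are all assumptions) that flags a source host getting several different SIDs rejected in a short burst.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed listener.log excerpt (not from the post), 10g/11g one-line layout.
# Last column is the status: 0 = accepted, 12505 = listener does not know the SID.
SAMPLE_LOG = """\
17-APR-2012 14:10:01 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=sqlplus)(HOST=ws01)(USER=dba))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.1.20)(PORT=50111)) * establish * XE * 0
17-APR-2012 14:10:05 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.1.50)(PORT=38211)) * establish * ORCL * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
17-APR-2012 14:10:05 * (CONNECT_DATA=(SID=PROD)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.1.50)(PORT=38212)) * establish * PROD * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
17-APR-2012 14:10:06 * (CONNECT_DATA=(SID=TEST)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.1.50)(PORT=38213)) * establish * TEST * 12505
TNS-12505: TNS:listener does not currently know of SID given in connect descriptor
17-APR-2012 14:10:06 * (CONNECT_DATA=(SID=XE)(CID=(PROGRAM=)(HOST=__jdbc__)(USER=))) * (ADDRESS=(PROTOCOL=tcp)(HOST=192.168.1.50)(PORT=38214)) * establish * XE * 0
"""

# Fields we need from a connect record: timestamp, requested SID, source host, status.
CONNECT_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* "
    r"\(CONNECT_DATA=\((?:SID|SERVICE_NAME)=(?P<sid>[^)]*)\).*?"
    r"\(ADDRESS=\(PROTOCOL=\w+\)\(HOST=(?P<src>[^)]+)\)\(PORT=\d+\)\) "
    r"\* establish \* [^*]*\* (?P<status>\d+)$"
)
REJECTED_SID = {"12505", "12514"}  # unknown SID / unknown service name

def detect_sid_brute(log_text, min_unknown_sids=3, window_seconds=60):
    """Return {source_host: sorted SIDs} for sources that had at least
    min_unknown_sids *distinct* SIDs rejected within window_seconds.
    One mistyped SID never trips this; a SID-list sweep does."""
    rejected = defaultdict(list)  # source host -> [(timestamp, sid)]
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if not m or m.group("status") not in REJECTED_SID:
            continue
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
        rejected[m.group("src")].append((ts, m.group("sid")))
    hits = {}
    for src, events in rejected.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # window opening at each event
            sids = {s for t, s in events[i:] if (t - start).total_seconds() <= window_seconds}
            if len(sids) >= min_unknown_sids:
                hits[src] = sorted(sids)
                break
    return hits

if __name__ == "__main__":
    print(detect_sid_brute(SAMPLE_LOG))  # {'192.168.1.50': ['ORCL', 'PROD', 'TEST']}
```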
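Added example, not part of the original post: a minimal matcher for the three rules above, implementing only the ||host anchor and the $domain= option (an assumed subset of Adblock Plus syntax, not a full parser), so you can check which page/request pairs the filters actually block.

```python
from urllib.parse import urlparse

# The three rules from the post above. "||" anchors on the request host and
# "$domain=~X" means "apply everywhere except when the page itself is on X".
FACEBOOK_RULES = [
    "||facebook.com$domain=~www.facebook.com",
    "||facebook.net$domain=~www.facebook.com",
    "||fbcdn.net$domain=~www.facebook.com",
]

def host_matches(host, pattern):
    """ABP domain semantics: the host itself or any subdomain of pattern."""
    return host == pattern or host.endswith("." + pattern)

def parse_rule(rule):
    """Parse the ||host$domain=a|~b subset used here (assumed subset only).
    Returns (anchored host, included page domains, excluded page domains)."""
    text, _, options = rule.partition("$")
    if not text.startswith("||"):
        raise ValueError("only ||host rules are supported here: " + rule)
    include, exclude = [], []
    for opt in (options.split(",") if options else []):
        if opt.startswith("domain="):
            for d in opt[len("domain="):].split("|"):
                (exclude if d.startswith("~") else include).append(d.lstrip("~").lower())
    return text[2:].lower(), include, exclude

def is_blocked(request_url, page_url, rules=FACEBOOK_RULES):
    """True if any rule blocks request_url when it is loaded by the page at page_url."""
    req_host = (urlparse(request_url).hostname or "").lower()
    page_host = (urlparse(page_url).hostname or "").lower()
    for anchored, include, exclude in map(parse_rule, rules):
        if not host_matches(req_host, anchored):
            continue  # rule is about a different host
        if any(host_matches(page_host, d) for d in exclude):
            continue  # page is on an excluded domain, rule does not apply
        if include and not any(host_matches(page_host, d) for d in include):
            continue  # rule is limited to other page domains
        return True
    return False

if __name__ == "__main__":
    print(is_blocked("https://connect.facebook.net/en_US/all.js", "https://news.example.com/"))  # True
    print(is_blocked("https://www.facebook.com/plugins/like.php", "https://www.facebook.com/"))  # False
```

The exception only covers www.facebook.com and its subdomains, so a page served from bare facebook.com still has its fbcdn.net assets blocked; that is how these rules behave in Adblock Plus as written.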
