Thursday, July 28, 2011

CHECKING YOUR EXTERNAL IP FROM COMMAND LINE

I find myself often working from the command line in the terminal or console when conducting various security tests and wondering if my proxy or VPN is truly working correctly for my command line tools. It is easy enough to check from a standard browser but this requires me to leave the console and actually open a browser, which of courses I am too lazy to do. In my search to keep all things command line I found this gem of a script written in python that does exactly what I have been looking for - and I had to share it with you! It is called “whatsmyip.py”. I did not write this but it is a great piece of python code and works simple enough. If you place this script in your PATH variable you should be able to access it from anywhere when in the command line, allowing us to quickly check our external ip and confirm our HTTP proxy or VPN is properly working for our CLI tools. No more need to even leave the console! You can always use ipconfig/ifconfig to check your internal IP from the command line, now you can also check your external IP. It is as simple as saving the code provided below as “<insert-name>.py” on your system and then running as “name.py” OR “python name.py”. It will grab your external IP and return the result to the console screen. It is super easy and really helpful. It won’t do anything else, but it does what it is supposed to and makes another fine addition to any real pen-testers bag of tricks to use at their disposal. Hope you find this helpful in some way, and as always Enjoy!
PS - All credits for coding this script go to: s3my0n
Quick Screenshot:


DOWNLOAD: http://uppit.com/hn5ttyb7eifx/ip.py

Friday, July 15, 2011

SQL INJECTION TUTORIALS

Hey Guys - I have been getting requests for more details on how to perform manual SQL Injections. I have gathered what I beleive to be the best of what is out there and compiled it in my own form. I have and am working on compiling it all into a educational type format so others can benifit from it while at the same time giving myself my own online reference guide available at any time (and to anyone else interested). I will be giving these tutorials there own pages as I find the material to be a good reference. I just posted the first few outlining some basic techniques and plan to add several more pages as the summer continues and time permits. In order to give you an idea of what is going to be covered I have already posted basic injections, WAF Bypassing, Blind & Time-Based Injections and still plan on covering , Double-Queries or Stacked Queries, Xpath Injections, as well as providing some general reference guides for handling Postgres & Oracle database injections. Please check the top of the page to see the new pages that are currently available and check back often to see what else has been added. I hope you find them all useful and appreciate the time that is going into packaging it all up for you. As always, Enjoy!

Here is what's available so far:
Basic SQL Injection 101
SQLi & WAF Bypassing
BLIND & Time-Based SQL Injections
SQLi using LOAD FILE & INTO OUTFILE

Monday, July 11, 2011

HOW TO: Send Messages via UnAuthenticated SMTP Server

Email Server Hunting with NSLookup:
OK so I have showed you how to perform password profiling, and how to get cracking locally and over the network, but some of you keep asking how you find the mail servers to attack. If the FQDN or IP address is unknown, the easiest way to find this information is to use the Nslookup command-line tool to find the MX record for the destination domain. You can try various web scanners to find it or you can simply open a command prompt and type the following:
  • nslookup
  • set type=MX
  • <enter site name>
  • nslookup type=MX <target IP or site name>
 
NOTE: if it seems to timeout or false results you can adjust timing by using "set timeout 20" between step 2 and step 3 above, since the default is set to only 15 seconds.
  
This will begin to send DNS queries for the MX or mail exchange records. You will find this will give you an output that tells you which mail servers are registered by your target site. Note the first line after "Non-authoritative answer". The "MX preference" specifies which mail server to use and in which order. The lower the number, the more preferred the mail server is. If the preferences for each mail server are the same, you can use any them.
 
OK, so you found the email server...what now? We can fire up Hydra and start trying to bruteforce the passwords for any known emails (follow previous tutorials for this part), but before we do lets see how secure it really is. Keep the console open for another minute and let us see if we can use Telnet to log into the SMTP server, if we can get in we will then see if we can send a message without any authenticated credentials. Here is how we use Telnet on Port 25 to test SMTP communication from command line:
  • Telnet
  • localecho
This will let us view all of the characters typed as we type them in the console (localecho not always required but I find it helpful on older systems-XP)
  • open <smtp server ip/name found above> 25

This will open telnet session between our machine and remote ip/server on port 25 (port 25 is default port for SMTP; you may need to change to fit your situation)
  • EHLO <ip/servername.com>

EHLO is the Extended Simple Message Transfer Protocol (ESMTP) verb and can help to establish the remote SMTP capabilities during the initial connection
  • MAIL FROM:sendername@email.com
This defines who email will be sent from (helps to use valid email to avoid errors on some setups or in case the receiver is undeliverable)
  • RCPT TO:receivername@email.com NOTIFY=success,failure
The NOTIFY is optional but can be helpful as it will cause the server to provide a message to let us know whether it worked or not. A message number of 500 means there was a failure or error, while 220 means it was a success
 
You will receive a 354 response that resembles the following:
      "Copy Code 354 Start mail input; end with <CLRF>.<CLRF>"
  • Subject: <Subject Title/Name>
This defines the subject line of email message, now hit ENTER to add a blank line. We need to have a blank line between the Subject header line and the Body of email to avoid errors
  • Type your message now...press ENTER when done
This defines the body of the email message to be sent
  • Just press ENTER again
  • . (Type a Period)
This should end the message and let it know we are ready to send. You should see a message similar to this:
    "Copy Code 250 2.6.0 <GUID> Queued mail for delivery"
 
That is it, you just sent a SMTP email message without any authentication required! You can repeat as necessary or you can type QUIT to disconnect from the SMTP server, which should give you a message like this:
     "Copy Code 221 2.0.0 Service closing transmission channel."
 
You can then type QUIT once more to close Telnet session.
    
Note:You can't use the backspace key after you have connected to the destination SMTP server within the Telnet session. If you make a mistake as you type an SMTP command, you must press ENTER and then type the command again from scratch once more.