<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="http://feeds.feedburner.com/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><!-- generator="FeedCreator 1.7.2" --><rss xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
    <channel>
        <title>pentestmonkey.net</title>
        <description>Latest ramblings of the monkey...</description>
        <link>http://pentestmonkey.net</link>
        <lastBuildDate>Wed, 19 Nov 2008 23:37:46 +0100</lastBuildDate>
        <generator>FeedCreator 1.7.2</generator>
        <image>
            <url>http://pentestmonkey.net/images/M_images/mambo_rss.png</url>
            <title>Powered by Mambo</title>
            <link>http://pentestmonkey.net</link>
            <description>Latest ramblings of the monkey...</description>
        </image>
        <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/pentestmonkey" type="application/rss+xml" /><item>
            <title>unix-privesc-check Update: v1.3</title>
            <link>http://feeds.feedburner.com/~r/pentestmonkey/~3/447514220/index.php</link>
            <description>I just updated unix-privesc-check (http://pentestmonkey.net/tools/unix-privesc-check/).  Download it here (http://pentestmonkey.net/tools/unix-privesc-check/). This release fixes a couple of minor bugs in the reporting of cron-related issues and some problems while running under /bin/sh (as opposed to /bin/bash). </description>
            <author>ptm</author>
        <feedburner:origLink>http://pentestmonkey.net/index.php?option=com_content&amp;task=view&amp;id=133&amp;Itemid=1</feedburner:origLink></item>
        <item>
            <title>exploit-suggester Update: v0.2</title>
            <link>http://feeds.feedburner.com/~r/pentestmonkey/~3/447488445/index.php</link>
            <description>I just released an important update to exploit-suggester (http://pentestmonkey.net/tools/exploit-suggester/).  Download it here (http://pentestmonkey.net/tools/exploit-suggester/). It seems that  showrev -p  sometimes lists multiple revisions for the same patch.  This caused exploit-suggester to return false-positives.</description>
            <author>ptm</author>
        <feedburner:origLink>http://pentestmonkey.net/index.php?option=com_content&amp;task=view&amp;id=132&amp;Itemid=1</feedburner:origLink></item>
        <item>
            <title>Preventing Web-based Directory Enumeration Attacks Against IIS</title>
            <link>http://feeds.feedburner.com/~r/pentestmonkey/~3/447370420/index.php</link>
            <description>I received an interesting tip from Munish about how to prevent directories from being easily identified in IIS.  I've updated my original post about directory enumeration (http://pentestmonkey.net/blog/direnum/)  with the following info: Setting the  Hidden  Attribute to Hide Files in IIS Hiding directories in IIS seems to be as easy as setting the  hidden  attribute: cd c:\Inetpub\wwwroot attrib +h myprivatedirectory Now when an attacker browses to http://yoursite/myprivatedirectory they will get a 404  Not Found  message instead of a 403  Directory Listing Denied .  However, files inside the directory are still accessible (e.g....</description>
            <author>ptm</author>
        <feedburner:origLink>http://pentestmonkey.net/index.php?option=com_content&amp;task=view&amp;id=131&amp;Itemid=1</feedburner:origLink></item>
        <item>
            <title>Yaptest Update: v0.2.0</title>
            <link>http://feeds.feedburner.com/~r/pentestmonkey/~3/438471496/index.php</link>
            <description>Yaptest (http://pentestmonkey.net/projects/yaptest/yaptest-overview/)  v0.2.0 is now available.  Download it here (http://pentestmonkey.net/projects/yaptest/yaptest-installation/). The main improvements are support for udp-proto-scanner (http://labs.portcullis.co.uk/application/udp-proto-scanner/)  to improve UDP service detection and support for ms08-067_check (http://labs.portcullis.co.uk/application/ms08-067-check/)  to automatically check for the most recent pentester-friendly MS vulnerability. There are also minor improvements including DNS tests and more automatic issue-parsing.  Remember that you can use YaptestFE (http://pentestmonkey.net/projects/yaptest/yaptestfe-overview/)  to view collected data if you get tired of using the CLI. The complete changelog is below... </description>
            <author>ptm</author>
        <feedburner:origLink>http://pentestmonkey.net/index.php?option=com_content&amp;task=view&amp;id=127&amp;Itemid=1</feedburner:origLink></item>
        <item>
            <title>Yaptest Update: v0.1.9</title>
            <link>http://feeds.feedburner.com/~r/pentestmonkey/~3/432911386/index.php</link>
            <description>Release 0.1.9 of yaptest (http://pentestmonkey.net/projects/yaptest/yaptest-overview/)  is now available.  Download here (http://pentestmonkey.net/projects/yaptest/yaptest-installation/). This release includes enumeration of users via the finger service (using finger-user-enum (http://pentestmonkey.net/tools/finger-user-enum/)) and gathering of usernames and password hashes via rexd (Linux rexd client (http://pentestmonkey.net/blog/rexd-client-for-linux/)).  There are also important improvements to the gathering of topology information, which should make network diagrams generated in YaptestFE (http://pentestmonkey.net/projects/yaptest/yaptestfe-overview/)  look nicer. See below for the full change log... </description>
            <author>ptm</author>
        <feedburner:origLink>http://pentestmonkey.net/index.php?option=com_content&amp;task=view&amp;id=126&amp;Itemid=1</feedburner:origLink></item>
        <item>
            <title>Rexd Client For Linux</title>
            <link>http://feeds.feedburner.com/~r/pentestmonkey/~3/430055720/index.php</link>
            <description>I recently encountered the rexd (http://docs.sun.com/app/docs/doc/816-5212/6mbcdgk7r?a=view)  service running on a host I was testing.  This is a really old-school UNIX service which you don't see much on modern networks (in my experience at least).  It's well known (http://www.porcupine.org/satan/demo/tutorials/vulnerability/REXD_access.html)  that it's insecure: It basically lets you run any command on the host as any user you like with no authentication. This post briefly covers how to identify the service and how to exploit it.  I've also modified the rexd client from SATAN to compile cleanly on Linux (download link below...).  </description>
            <author>ptm</author>
        <feedburner:origLink>http://pentestmonkey.net/index.php?option=com_content&amp;task=view&amp;id=125&amp;Itemid=1</feedburner:origLink></item>
        <item>
            <title>SQL Injection Cheat Sheets Updated</title>
            <link>http://feeds.feedburner.com/~r/pentestmonkey/~3/427755393/index.php</link>
            <description>I had some really detailed feedback from Bernardo Damele A. G. (http://bernardodamele.blogspot.com)  on the SQL Injection Cheat Sheets.  I've just finished updating the cheat sheets for MSSQL (http://pentestmonkey.net/blog/mssql-sql-injection-cheat-sheet/), Oracle (http://pentestmonkey.net/blog/oracle-sql-injection-cheat-sheet/), MySQL (http://pentestmonkey.net/blog/mysql-sql-injection-cheat-sheet/)  and PostgreSQL (http://pentestmonkey.net/blog/postgres-sql-injection-cheat-sheet/). Thanks a lot Bernardo. If anyone else has suggestions, feel free to mail pentestmonkey at pentestmonkey dot net. </description>
            <author>ptm</author>
        <feedburner:origLink>http://pentestmonkey.net/index.php?option=com_content&amp;task=view&amp;id=124&amp;Itemid=1</feedburner:origLink></item>
        <item>
            <title>Yaptest Update: v0.1.7</title>
            <link>http://feeds.feedburner.com/~r/pentestmonkey/~3/396970173/index.php</link>
            <description>Version 0.1.7 of Yaptest (http://pentestmonkey.net/projects/yaptest/yaptest-overview/)  is now available for download (http://pentestmonkey.net/projects/yaptest/yaptest-installation/). This release parses additional issues into the backend database, along with Network Topology information (so YaptestFE (http://pentestmonkey.net/projects/yaptest/yaptestfe-overview/)  can draw a network diagram (http://pentestmonkey.net/blog/yaptestfe-update-1.0/)  for you).  There is also support for exporting data in XML format so you can import Yaptest's findings into 3rd party tools. The complete changelog is listed below: </description>
            <author>ptm</author>
        <feedburner:origLink>http://pentestmonkey.net/index.php?option=com_content&amp;task=view&amp;id=123&amp;Itemid=1</feedburner:origLink></item>
        <item>
            <title>ident-user-enum</title>
            <link>http://feeds.feedburner.com/~r/pentestmonkey/~3/439161767/index.php</link>
            <description>ident-user-enum is a simple Perl script to query the ident service (113/TCP) in order to determine the owner of the process listening on each TCP port of a target system. This can help to prioritise target services during a pentest (you might want to attack services running as root first).  Alternatively, the list of usernames gathered can be used for password guessing attacks on other network services. </description>
            <author>ptm</author>
        <feedburner:origLink>http://pentestmonkey.net/index.php?option=com_content&amp;task=view&amp;id=122&amp;Itemid=16</feedburner:origLink></item>
        <item>
            <title>YaptestFE Update: v1.0</title>
            <link>http://feeds.feedburner.com/~r/pentestmonkey/~3/396970174/index.php</link>
            <description>A new version of the Yaptest Frontend (http://pentestmonkey.net/projects/yaptest/yaptestfe-overview/) is available.  Download it here (http://pentestmonkey.net/projects/yaptest/yaptestfe-overview/). The release fixes a couple of bugs pointed out by Deanx when running YaptestFE on Mac. I've added a new Network Map item to the left-hand menu bar.  This reads in topology information gathered by yaptest (http://pentestmonkey.net/projects/yaptest/yaptest-overview/) (from  ping -R , traceroutes, TTL information, SNMP) and attempts to display it using Graphviz (http://www.graphviz.org/)  in something resembling a network diagram. Graphviz was never really designed for drawing network diagrams, but I've found the results both useful and accurate on internal, unfiltered networks.  In the majority of cases,...</description>
            <author>ptm</author>
        <feedburner:origLink>http://pentestmonkey.net/index.php?option=com_content&amp;task=view&amp;id=120&amp;Itemid=1</feedburner:origLink></item>
    </channel>
</rss>
