Saturday, July 31, 2010

OD AutoAssessment Server Tutorial (w/ VirtualBox Appliance!)

I wrote up a quick tutorial on getting the AutoAssess Network Script running on a fresh Ubuntu 10.04 install, and since, to verify everything, I used a virtual machine, I have made an easy to use appliance (and small! 600 MB). If you plan on running the appliance on Linux, you will need to fix the Sound/Audio setting to not use Windows DirectSound.

Credentials are rooty/ytoor, then you can `sudo su` from there to get root. Try setting up a cronjob and letting it run for a month, see what things might be creeping up. I think this would be great for a geek dad who likes to keep his home network secure.

The auto-assess script is in /root (you need to be root to run the script anyway).
The following is an example on how to run it:

sh local

'local' is the name of the location, or client, whomever, whatever. '' is the IP range of YOUR network (you can find this out with ifconfig).

A short explanation of the files generated during the scan.

*.nkt are nikto files (the output of running nikto on a host on the network. This is useful for NAS drives, printers, routers, many things you wouldn't suspect).

*.nmap are nmap files, the output of a portscan and OS detection of the host at hand.

*.msf is the entire metasploit session. The end of the file is most important, it tells you how many exploit sessions were able to be opened during the scan and the vulnerability that was used.

*.db is the sqlite3 DB metasploit generates when performing it's scan. I keep this DB strictly for record-keeping, in case I need to go back to my scans for any reason.

*.pdf are the PDF files generated for average person use... main.pdf is a general overview whereas IP specific PDFs go into detail about each host.

network_ips and included are both lists of IP addresses on your network (included does not have the scanner host). The script removes its host from the lists of things to be scanned because it is a foreign host only on the network during the scan (in most of my uses anyway). This can be fixed by making openvas-client and the for loops in the script use network_ips instead of included.

If you have any comments or suggestions, feel free to contact me!

Friday, July 30, 2010

OD AutoAssess Network Script

A few days ago, I posted a small bit on automating OpenVAS. I have written a small shell script that I use to automate (almost) full network testing and assessment. The reason I say almost is because you still need to go through the data collected to make sure nothing serious is up.

This script requires htmldoc, metasploit, openvas-client and -scanner, nmap, and zip. I have posted it to my random script and snippets page and will maintain it there, but posting here as well.

May not be perfect, my bash-fu is rusty. Some extra info, htmldoc is quite neat. You can actually specify a logo image to use if you want for your company adding '--header l --logoimage /path/to/logo.jpg'.

UPDATE: Updated code w/ svn repo here.

Saturday, July 24, 2010

SteganoSSH: A theoretical SSH client

How would this work? Obviously, it could work in many ways, here are just a few that would be pretty neat:

First Scenario: 2 streams, 2 ports

The client encrypts the stream through normal SSH means, then using predefined bit offsets, patterns, etc... the client splits the one SSH stream into two streams, lets say that mimic HTTPS and SFTP (ports 443 and 22 respectively, by default).

Both streams could mimic these streams with false header information and junk data, and both being encrypted, any prying 3rd-parties would not be able to say "Oh hey, that stream looks funky".

The server, being configured with the correct bit offsets, patterns, etc would be listening on ports 443 and 22 respectively, would piece the puzzle back together, then hand it off to standard SSH doings.

This would be the more secure out of the two scenarios.

Second Scenario: 1 stream 1 port

The client merely mimics a well known protocol (HTTP/S, S/FTP). Any will do and the server would be able to be configured to strip the fake headers from any stream being sent through the port being listened on.

This would be the easiest, and probably most used.

Saturday, July 17, 2010

Added hydra/metasploit to OpenDiagnostics Live CD (removed some bloat as well)

Added latest metasploit to /opt/metasploit. Start with 'msfconsole'.

Added hydra/xhydra. You can start fluxbox with 'startx' to use any of the GUI tools (wireshark,, xhydra, hardinfo, etc...)

You can get the latest release here (384 MB).

I also updated the list of notable apps.

Friday, July 16, 2010

Hydra ubuntu builds (with xhydra)

I was made aware of a nice app today that tries to figure out logons for certain services (by checking default and weak user/pass). I couldn't find any deb builds, so using checkinstall, I made two builds, one for x86 in a chroot, one for amd64 on the host. I didn't realise until today I have no x86 machines in my apt.

I am not sure if checkinstall does packages the way they should be done for PPAs, but if a checkinstall deb meets up to the standard (and with a bit of guidance), I wouldn't mind maintaining a PPA for these guys.

Homepage for source code:

Any help is appreciated!

You can get the debs here for the time being:

EFF Fights To Allow People To Comment Anonymously Online

This is a serious issue! No one owns the internet, don't let this happen!

Tuesday, July 13, 2010

Updated OpenDiagnostics Live CD

Updated to Lucid, should fix kernel mismatch issues.
Added openvas-client with the ability to install openvas-scanner v3 from OpenSuse Build service
Added nikto
Added sqlmap
Added to /opt with a common hosts.txt for a wordlist
Added (english) wordlists for john into /opt/wordlists
Updated ClamAV to 0.96.1

Added nmap, got removed some how.
Added unzip/zip
Added wicd
Added filerunner
Fixed background issue in fluxbox
Added galleta

Removed openssh-server. You can install it if you want to.

You can get it at

Sunday, July 11, 2010

Automating openVAS 3

There are many reasons a systems admin would want to automate vulnerability scanning, but I won't go into them here. This is just how I have found it easiest. Use nmap to get all the ips on our network like so:

nmap -sP | grep ^Host | sed 's/Host //g' | cut -d " " -f1 > ips

Then, you can use your openvas server in batch mode

openvas-client -q 9390 user pass ips "report-`date`.html" -T html

viola, set a cron job and you are good to go. Maybe you would then cat the report through sendmail to yourself or move it to another server.