Thursday, September 30, 2010

Audible Manager on Ubuntu (requires patching/compilation of wine)

Apparently Audible is working with open-source providers to give us a native Audible Manager for Linux. Recently, they released an Audible application for Android phones, so it seems they are at least working with Linux in some form or fashion.

But I am impatient and don't like waiting for corporate bureaucracy to "fix" things that are broken. (How does that go again? Whatever cuts least into our bottom line...)

So, there is a patch proposed here that fixes the shortcoming (bug) in the API that wine had when dealing with SSL/TLS connections. Right off the bat, the patch does not work for the latest wine release (1.3.3). A little editing was required so that it patches the right files (dlls/wininet/internet.c iirc).

I fixed up the patch (which you can download by clicking here) so that it applies to wine 1.3.3: after downloading the wine 1.3.3 tarball, I unpacked it, patched, compiled, and indeed the patch works.

Specific commands used...

tar xjf wine-1.3.3.tar.bz2
cd wine-1.3.3/
patch -p0 < ../audible_wine-1.3.3.patch
./configure --prefix=$HOME/wine
make && make install

I did however need to get the wine dependencies from apt...

apt-get build-dep wine

Hope this helps others in the same boat as me! I hate waiting for companies to find time to appease the customers rather than making time.

Wednesday, September 29, 2010

Putting up posters and passing out flyers

I will be putting up posters and passing out flyers for both the March to Keep Fear Alive and the Rally to Restore Sanity at the University of Texas at Arlington.

I am doing this from my own pocket; if anyone would like to support the effort, donating $10 gets us one more poster (who knows, maybe we can put some up around Arlington rather than just the University!).

So far I have enough cash for about 10 posters and a hundred flyers or so. Please see my donation page if you would like to help!

Also, if you don't really want to help with political stuff (who wouldn't!) and you use any of my apps, maybe that's enough for a $10 donation (even though it will still go towards the posters and flyers).

Thanks to anyone that helps out! If you live in DFW and want to help out, feel free to get a hold of me through the comments or by contacting me.

Monday, September 27, 2010

Maverick (nmap 5.21) supported

If you get the latest od-autoassess script, you will have support for nmap 5.21 on maverick, so you can use the script there.

If you are running an older version of nmap (< 5.21), the script will let you know, but this is informational only and should not affect the script at all.

Saturday, September 25, 2010

nmap -sP output changes from 5.00 to 5.21

Currently the od-autoassess script will not run on maverick because nmap 5.21 outputs its findings differently (on lucid, nmap is at 5.00).

I will work on this so that I can release another appliance (when maverick is released) fully configured for all the tasty features added since the last appliance.

Friday, September 24, 2010

x86/x86_64 winexe binaries available

I have uploaded the x86 winexe binary, so now both the x86_64 and x86 binaries are available for download. I will look into making debs for them, but for now, binaries are just copied from the whole samba4 bin folder.

I also added the hydra debs because they will be optional later (kinda are now).

Thursday, September 23, 2010

The neat command I learned today

On Windows XP and up, you get a neat utility called msinfo32 that you can run to get system and software information. I am going to look into getting this working with winexe and the autoassess script.

The command I have found best is `start msinfo32 /report info.txt /categories +systemsummary`.

In lesser news, I added a binary for x86_64 winexe to the downloads page on google code. Probably tomorrow I will build an x86 chroot, build an x86 winexe binary, and upload it as well.

I have also been working on the new GUI for the autoassess script; it is my first real application written in Python (PyQt), so feel free to (constructively) criticize. No events are wired up yet outside of some test events.

Monday, September 20, 2010

RVM and Metasploit

If you are a ruby developer and haven't looked at rvm, you really need to. It is a very powerful tool in supporting applications across concurrent ruby installations.

The rvm developers have super easy scripts to install rvm. Recently, they released a system-wide script (before, it installed ruby to user-specific dirs ($HOME)).

As root:

bash < <( curl -L )
source /usr/local/rvm/script/rvm;

Once installed, you can install and use ruby 1.9.1 easily...

rvm install 1.9.1; rvm 1.9.1

If you also want 1.8.7 installed, replace all the 1.9.1 instances with 1.8.7.

Now, metasploit ships with its own version of ruby. If you want metasploit to use the rvm version of ruby rather than its shipped version, run the binary by its absolute path. You may alias the absolute path of msfconsole to 'msfconsole' to get the shorter command and still use rvm.

alias msfconsole='/opt/metasploit3/msf3/msfconsole -L'

(-L says to use native readline rather than ruby readline; supposedly it is faster)

Using system:

root@acc-vulnerability:~# rvm system
root@acc-vulnerability:~# /opt/metasploit3/msf3/msfconsole

=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 590 exploits - 302 auxiliary
+ -- --=[ 224 payloads - 27 encoders - 8 nops
=[ svn r10398 updated today (2010.09.20)

msf > ruby --version
[*] exec: ruby --version

ruby 1.8.7 (2010-01-10 patchlevel 249) [i486-linux]
msf > exit

Using shipped ruby:

root@acc-vulnerability:~# msfconsole

=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 590 exploits - 302 auxiliary
+ -- --=[ 224 payloads - 27 encoders - 8 nops
=[ svn r10398 updated today (2010.09.20)

msf > ruby --version
[*] exec: ruby --version

ruby 1.9.1p243 (2009-07-16) [i686-linux]
msf > exit

Using rvm instance of ruby:

root@acc-vulnerability:~# rvm 1.9.1
root@acc-vulnerability:~# /opt/metasploit3/msf3/msfconsole

=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 590 exploits - 302 auxiliary
+ -- --=[ 224 payloads - 27 encoders - 8 nops
=[ svn r10398 updated today (2010.09.20)

msf > ruby --version
[*] exec: ruby --version

ruby 1.9.1p378 (2010-01-10 revision 26273) [i686-linux]
msf > exit

Sunday, September 12, 2010

Added MBSA support (and other experimental things) to autoassess script

Please use --enable-mbsa, --mbsa-user, --mbsa-pass, and --mbsa-remote-path to perform a remote MBSA scan of a host on your network. It's pretty quick, adding a few seconds per host it runs on. The report is saved in the mbsa folder of the scan archive.

A neat thing I added the other day: when public shares are found on a computer, the script will try to get a file list for each share. It's super quick, so I left it alone and it runs on every scan. If something comes up, I can make it optional.

I have also added _some_ experimental hydra support to the script for protocols such as ftp, ssh, and pop3. Please look at the code to see how to enable it; I won't take any bug reports or complaints about speed when these are enabled.

Another small thing I added was the ability to email the scan archive to email@address.tld when the scan has finished, using a local smtp server such as sendmail (see --send-to).

I removed the --zenity option, I will be writing a GUI that is better suited to the options I have been adding.

Not sure if I have mentioned this previously, but a --print option has been added to automagically print pdf reports to the default printer. This can be a bad thing as a lot of paper can be used.

Optionally, you may define all of your variables in the .od-autoassessrc file in the home dir of the user running the script.

Finally, for an example, if you wanted to run a single-host profile (no vulnerability scans) with MBSA enabled, your scan could look like this:

root@bperry-laptop:/opt/scripts/od-autoassess# sh --client="Joe Badass" --single-host= --profile-only --enable-mbsa --mbsa-user=Test --mbsa-pass=password --mbsa-remote-path="C:\Program Files\Microsoft Baseline Security Analyzer 2\mbsacli.exe"

Creating scan folder -> ~/scans/Joe Badass-2010-09-12-14:50

Using in single-host scan...

Scanning individual hosts...

--Finding shared directories and drives...
--Trying to get file list for public share: C...
--Trying to get file list for public share: desktop...
--Running remote MBSA scan...
--Interesting port found: 139 NetBIOS Datagram Service
--Suspicious port found: 445 Nimda
--Interesting port found: 445 Microsoft-DS

Creating ZIP archive of scan...

Total time to analyze network:
0 minutes 57 seconds

Interesting port found on 139 NetBIOS Datagram Service
Suspicious port found on 445 Nimda
Interesting port found on 445 Microsoft-DS

Scanned 1 hosts in total in 0 m 57 s.


So, in under a minute, you can have a pretty extensive source of information for the host at hand even without vulnerability scans.

You can see the latest code here.

Saturday, September 11, 2010

Utilising the Microsoft Baseline Security Analyser remotely from Ubuntu

So, today one of my projects was to see if I could incorporate the Microsoft Baseline Security Analyser (MBSA) into the autoassess network script. Some of the options I considered were running it in wine (doesn't work), running it remotely on the remote machine itself (works), and running a remote scan from yet another dedicated remote server (kinda works, but not really).

I had to download winexe from sourceforge and compile it (not install it; I ran it from the winexe/bin folder). It is a "clone" of psexec from the sysinternals suite.

So, onto the nitty-gritty. I first tried to use a remote server (virtual guest) to scan the remote machines. This would have been the second-best option (next to it just running in wine on the local Ubuntu machine), but alas, MBSA essentially segfaults with an invalid pointer for some reason...

bperry@bperry-laptop:~/Downloads/winexe-0.91/source4/bin$ ./winexe -U Test%password // "C:\Program Files\Microsoft Baseline Security Analyzer 2\mbsacli.exe /target /u admin /p password"
Microsoft Baseline Security Analyzer
Version 2.2 (2.2.2170.0)
(C) Copyright 2002-2010 Microsoft Corporation. All rights reserved.

An unexpected error has occurred. The operating system returned error message -2147467261 Invalid pointer


So, when I saw this, I lost most of my hope of having MBSA run remotely on the remote machines themselves. But running MBSA on the actual server works! Removing the /target, /u, and /p switches outputs the report MBSA should print.

bperry@bperry-laptop:~/Downloads/winexe-0.91/source4/bin$ ./winexe -U Test%password // "C:\Program Files\Microsoft Baseline Security Analyzer 2\mbsacli.exe"
Microsoft Baseline Security Analyzer
Version 2.2 (2.2.2170.0)
(C) Copyright 2002-2010 Microsoft Corporation. All rights reserved.

Security assessment: Severe Risk
Computer name: GENERIC\TEST-8A3888C308
IP address:
Security report name: GENERIC - TEST-8A3888C308 (11-09-2010 12-02)
Scan date: 11/09/2010 12:02
Scanned with MBSA version: 2.2.2170.0
Catalog synchronization date:
Security update catalog: Microsoft Update

Security Updates Scan Results



I found this pretty neat, and will be adding support for running MBSA on the remote machine (if applicable) to the autoassessment script. This is a huge step toward being able to judge host security by getting lists of patches and other things the computer does and does not have installed.
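As an added example (not code from the od-autoassess script or from this post), here is an sh check of what mbsacli prints under winexe, so a script can tell a usable report header from the "Invalid pointer" failure shown above before archiving it. Both sample outputs are constructed from the text quoted in this post.

```shell
# Added example, not od-autoassess code: classify the text mbsacli.exe prints when
# run through winexe. Both samples are constructed from the output quoted in the post
# (one successful report header, one "Invalid pointer" failure).
MBSA_OK='Microsoft Baseline Security Analyzer
Version 2.2 (2.2.2170.0)
(C) Copyright 2002-2010 Microsoft Corporation. All rights reserved.

Security assessment: Severe Risk
Computer name: GENERIC\TEST-8A3888C308
IP address:
Security report name: GENERIC - TEST-8A3888C308 (11-09-2010 12-02)
Scan date: 11/09/2010 12:02
Scanned with MBSA version: 2.2.2170.0
Catalog synchronization date:
Security update catalog: Microsoft Update

Security Updates Scan Results'

MBSA_ERR='Microsoft Baseline Security Analyzer
Version 2.2 (2.2.2170.0)
(C) Copyright 2002-2010 Microsoft Corporation. All rights reserved.

An unexpected error has occurred. The operating system returned error message -2147467261 Invalid pointer'

# mbsa_field OUTPUT "Field name": print the value after "Field name:", trimmed;
# prints an empty line when the field is absent or has no value (e.g. "IP address:").
mbsa_field() {
    printf '%s\n' "$1" | awk -v key="$2:" '
        index($0, key) == 1 { v = substr($0, length(key) + 1); sub(/^[ \t]+/, "", v); print v; exit }'
}

# mbsa_status OUTPUT: print "ok <assessment>" and return 0 when a report header is present,
# or print "error <reason>" and return 1 when mbsacli reported a failure or no assessment.
mbsa_status() {
    err=$(printf '%s\n' "$1" | grep '^An unexpected error has occurred' || true)
    if [ -n "$err" ]; then
        printf 'error %s\n' "$err"
        return 1
    fi
    level=$(mbsa_field "$1" "Security assessment")
    if [ -z "$level" ]; then
        printf 'error no "Security assessment" line in output\n'
        return 1
    fi
    printf 'ok %s\n' "$level"
}

mbsa_status "$MBSA_OK"           # prints: ok Severe Risk
mbsa_status "$MBSA_ERR" || true  # prints: error An unexpected error has occurred. ...
```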

One thing that really frustrated me (and hopefully this helps others who have this problem): I had to disable "Simple File Sharing" on the remote host in order to log in remotely from Ubuntu or another Windows host.

Basically, go to My Computer -> Tools -> Folder Options -> View tab -> bottom of the list, uncheck Simple File Sharing. Click apply and the change should work instantly. No need to reboot.

If you get an error about not being able to install the winexe service, look at the --uninstall and --reinstall flags. (sorry if this got reposted to planets due to the update :-/)

Sunday, September 5, 2010

OD AutoAssess VirtualBox Appliance updated

Updated the VirtualBox appliance for the OpenDiagnostics Network AutoAssessment script.

Updated metasploit, od-autoassess, openvas definitions
Installed traceroute, smbclient, nbtscan

You can get it here.

See `sh /opt/od-autoassess/ --help` for new arguments and such. A lot of work has gone into the script since updating the last appliance.

ALSO: You can just run svn up in /opt/metasploit3/msf3/ and /opt/od-autoassess/ on a current appliance and install the previously mentioned programs it now uses.

OpenDiagnostics Live CD beta release

I'm making this a beta release until next weekend, as long as no bugs are reported (or they are fixed by then).

Added w3af (dunno how I missed this!)
Added traceroute
Added smbclient
Added nbtscan
Added openvas-scanner (run openvas-nvt-sync to sync vulnerability database... but make sure you have the RAM or are using a thumb drive)
Updated ClamAV definitions
Updated metasploit
Updated od-autoassess