Blogs

Scanning IPv6 Enabled Hosts

Nmap will scan IPv6-enabled hosts if you pass it the -6 switch, but it only does TCP connect scans and no OS identification, which makes sense because OS identification relies on nuances of IPv4 responses.


carnal0wnage ~: nmap -6 -sV 2002:53e9:a52a::832:3316:5042 -p53,80,222

Starting Nmap 5.21 ( http://nmap.org ) at 2010-03-19 20:42 UTC
Nmap scan report for 2002:53e9:a52a::832:3316:5042
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
53/tcp open domain ISC BIND 9.X
80/tcp open http nginx
222/tcp open ssh OpenSSH 5.1p1 Debian 5 (protocol 2.0)
Service Info: OS: Linux

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Scapy, Traceroute and Pretty Pictures

Much, much more is available in the documentation:
http://www.secdev.org/projects/scapy/doc/usage.html

But here is how to make a cool traceroute graph from you to another host.

from: http://www.secdev.org/projects/scapy/doc/usage.html#tcp-traceroute-2

Welcome to Scapy (v1.1.1 / -)
>>> res, unans = traceroute("www.google.com",dport=80,maxttl=20)
Begin emission:
*****************Finished to send 20 packets.
*
Received 18 packets, got 18 answers, remaining 2 packets
209.85.225.103:tcp80
1 209.20.72.2 11
2 209.20.79.6 11
3 4.53.160.189 11

Reversing Android Apps

thanks to cktricky for pointing me to:

android-apktool

Once you've got it installed/unzipped it's fairly easy to use. Download your .apk from the emulator:

user@dev:~/android-tutorial/android-sdk-linux_86/tools$ ./adb pull /data/app/com.joelapenna.foursquared.apk com.joelapenna.foursquared.apk
2441 KB/s (625416 bytes in 0.250s)

From there, simply decode the .apk.

Using the Android Debug Bridge (adb)

The Android Debug Bridge (adb) has lots of useful features. It's documented here:
http://developer.android.com/guide/developing/tools/adb.html


user@dev:~/android-tutorial/android-sdk-linux_86/tools$ ./adb
Android Debug Bridge version 1.0.25

Some of the features you may want to mess with immediately are:

Listing devices:

user@dev:~/android-tutorial/android-sdk-linux_86/tools$ ./adb devices
* daemon not running. starting it now *
* daemon started successfully *
List of devices attached
emulator-5554 device

Accessing your android emulator on the command line

A poster on one of the other Android posts mentioned you can just telnet into the Android emulator console if you've got the emulator running.

It's easy to do and the preferred way if you just want to script events. Just telnet to localhost port 5554 and you can issue emulator commands.


user@dev:~$ telnet localhost 5554
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Android Console: type 'help' for a list of commands
OK
help


Android console command help:
help|h|? print a list of commands
event simulate hardware events
geo Geo-location commands
gsm GSM related commands
kill kill the emulator instance
network manage network settings
power power related commands
quit|exit quit control session
redir manage port redirections
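Scripting the console instead of typing into telnet, as an added example that is not part of the original post: a small client that speaks the console's reply format (every reply ends in an "OK" or "KO: reason" line, as in the session above). The optional `auth_token` step is an assumption about newer emulator builds, not something the session on this page needed.

```python
import socket

# Constructed sample replies (not from a real session): the connect greeting and an error.
SAMPLE_BANNER = b"Android Console: type 'help' for a list of commands\r\nOK\r\n"
SAMPLE_ERROR = b"KO: unknown command, try 'help'\r\n"


def parse_reply(buf: bytes):
    """Return (ok, payload_lines, reason) once a full reply is buffered, else None.
    Every reply ends with a CRLF-terminated "OK" or "KO: <reason>" line."""
    lines = buf.decode("utf-8", errors="replace").split("\r\n")
    for i, line in enumerate(lines[:-1]):  # only CRLF-terminated lines count
        if line == "OK":
            return True, lines[:i], ""
        if line.startswith("KO:"):
            return False, lines[:i], line[3:].strip()
    return None


class EmulatorConsole:
    def __init__(self, host="localhost", port=5554, auth_token=None, timeout=5.0):
        self.sock = socket.create_connection((host, port), timeout)
        self.buf = b""
        self._read_reply()  # consume the greeting banner
        # Assumed: newer emulators require "auth <token>" (from ~/.emulator_console_auth_token) first.
        if auth_token:
            self.command(f"auth {auth_token}")

    def _read_reply(self):
        while True:
            parsed = parse_reply(self.buf)
            if parsed is not None:
                self.buf = b""
                return parsed
            chunk = self.sock.recv(4096)
            if not chunk:
                raise ConnectionError("console closed the connection")
            self.buf += chunk

    def command(self, line):
        """Send one command; return its payload lines, or raise on a KO reply."""
        self.sock.sendall(line.encode() + b"\r\n")
        ok, lines, reason = self._read_reply()
        if not ok:
            raise RuntimeError(f"{line!r} failed: {reason}")
        return lines


if __name__ == "__main__":  # e.g. script a GPS fix instead of typing it over telnet
    print("\n".join(EmulatorConsole().command("help")))
    EmulatorConsole().command("geo fix -122.084 37.422")
```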

Revisiting HALFLM Stuff

I covered some of the HalfLM challenge sniffing stuff in a previous post, but I had to revisit it the other day for work and couldn't find the actual tables and program from the post, so here are some updated links.

where to grab the tables:

http://freerainbowtables.mirror.garr.it/mirrors/freerainbowtables/halflmchall/

where to grab the program:

http://sourceforge.net/projects/rcracki/

more with rpcclient

Got asked to help remotely locate local admins on boxes on a network.

rpcclient $> enumalsgroups
Usage: enumalsgroups builtin|domain [access mask]

rpcclient $> enumalsgroups builtin
group:[Administrators] rid:[0x220]
group:[Backup Operators] rid:[0x227]
group:[Guests] rid:[0x222]
group:[Network Configuration Operators] rid:[0x22c]
group:[Power Users] rid:[0x223]
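To turn that output into something auditable across many boxes, here is an added example (not from the original post) that parses the `enumalsgroups builtin` lines, decodes the hex RIDs and maps the aliases that carry admin-equivalent rights to their well-known BUILTIN SIDs (S-1-5-32-RID). The sample text is constructed from the session above.

```python
import re

# Constructed sample of an `rpcclient $> enumalsgroups builtin` session.
SAMPLE = """\
group:[Administrators] rid:[0x220]
group:[Backup Operators] rid:[0x227]
group:[Guests] rid:[0x222]
group:[Network Configuration Operators] rid:[0x22c]
group:[Power Users] rid:[0x223]
"""

LINE_RE = re.compile(r"group:\[(?P<name>[^\]]+)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")

# BUILTIN aliases whose members hold local admin rights or can trivially obtain them.
PRIVILEGED_BUILTIN_RIDS = {544: "Administrators", 551: "Backup Operators", 547: "Power Users"}


def parse_alias_groups(output: str) -> dict:
    """Map alias name -> RID (as int) from rpcclient's enumalsgroups output."""
    return {m.group("name"): int(m.group("rid"), 16) for m in LINE_RE.finditer(output)}


def builtin_sid(rid: int) -> str:
    """Well-known SID of a BUILTIN alias; e.g. Administrators (0x220 = 544) is S-1-5-32-544."""
    return f"S-1-5-32-{rid}"


def privileged_aliases(groups: dict) -> dict:
    """Return only the admin-equivalent aliases, keyed by name with their SID."""
    return {name: builtin_sid(rid) for name, rid in groups.items() if rid in PRIVILEGED_BUILTIN_RIDS}


if __name__ == "__main__":
    for name, sid in privileged_aliases(parse_alias_groups(SAMPLE)).items():
        print(f"{name:<20} {sid}")
```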

Firefox Saved Passwords

Nothing earth shattering, but since this is a place for my notes...

Sometimes, while you are on a box and pilfering through all the documents doesn't yield anything useful for moving laterally, you can grab the Firefox saved passwords. Lots of times someone will have saved their password to the corporate OWA, wiki, helpdesk page, or whatever. Even if it doesn't give you a *great* lead, you'll at least get an idea of whether they are a password re-user or not.

So how to do it?

Actually it's simple. Inside the mozilla\firefox directory will be a folder named somethingrandom.default. Inside that folder you'll find:

key3.db
signons.sqlite

Chinese Hack 101

Let me introduce a few basic terms as they are commonly used in various Chinese hacking forums:

肉雞 (Chicken) - A machine trojaned with malware and a backdoor.

網頁掛馬/挂马 (Injected iframe) - An iframe with malicious code injected into a web page.

免杀 (Prevented from being killed) - Software built with anti-debugging techniques.

攻击 - Attack

I simply captured a piece of attack service advertisement from a Chinese blog (URL: http://tieba.baidu.com/f?z=650017145&ct=335544320&lm=0&sc=0&rn=30&tn=bai...). Feel free to translate it via Google Translate:

免杀制作,网马挂马 入侵挂马 QQ空间挂马 视频传播木马
-> Anti-debugging, inject malicious iframe, trojans for QQ messenger, spreading trojan via video media.

Wepawet Deficiency

Hi dudes,

You can find a new paper describing the design of Wepawet. One of my research mates, Daniel, asked the first author about the deobfuscation part. He said: "We do some analysis to recover the clear text of the code. For example, we save the parameters passed to eval and document.write, which is often sufficient to deobfuscate the code. However, we don't currently handle more sophisticated obfuscation techniques (e.g., replace-based ones)." That may be the reason why it does not detect the crimeware.

Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code

Abstract: