Nmap will scan IPv6 enabled hosts if you pass it the -6 switch, but only does TCP Connect scans and no OS identification, which makes sense because OS identification uses nuances of ipv4 responses...

carnal0wnage ~: nmap -6 -sV 2002:53e9:a52a::832:3316:5042 -p53,80,222

Starting Nmap 5.21 ( http://nmap.org ) at 2010-03-19 20:42 UTC
Nmap scan report for 2002:53e9:a52a::832:3316:5042
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
53/tcp open domain ISC BIND 9.X
80/tcp open http nginx
222/tcp open ssh OpenSSH 5.1p1 Debian 5 (protocol 2.0)
Service Info: OS: Linux

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

much much more available in the documentation
http://www.secdev.org/projects/scapy/doc/usage.html

but here is how to make a cool traceroute graph from you to another host.

from: http://www.secdev.org/projects/scapy/doc/usage.html#tcp-traceroute-2

Welcome to Scapy (v1.1.1 / -)
>>> res, unans = traceroute("www.google.com",dport=80,maxttl=20)
Begin emission:
*****************Finished to send 20 packets.
*
Received 18 packets, got 18 answers, remaining 2 packets
209.85.225.103:tcp80
1 209.20.72.2 11
2 209.20.79.6 11
3 4.53.160.189 11

thanks to cktricky for pointing me to:

android-apktool

Once you've gotten it installed/unzipped its fairly easy to use. Download your .apk from the emulator.

user@dev:~/android-tutorial/android-sdk-linux_86/tools$ ./adb pull /data/app/com.joelapenna.foursquared.apk com.joelapenna.foursquared.apk 2441 KB/s (625416 bytes in 0.250s)

From there simply decode the .apk

The android debug bridge (adb) has lots of useful features. its documented here:
http://developer.android.com/guide/developing/tools/adb.html

user@dev:~/android-tutorial/android-sdk-linux_86/tools$ ./adb
Android Debug Bridge version 1.0.25

some of the features you may want to immediately mess with are:

listing devices

user@dev:~/android-tutorial/android-sdk-linux_86/tools$ ./adb devices
* daemon not running. starting it now *
* daemon started successfully *
List of devices attached
emulator-5554 device

A poster on one of the other android posts mentioned you can just telnet into the android app if you've got the emulator running.

Its easy to do and the preferred way if you just want to script events. Just telnet into localhost 5554 and you can issue emulator commands.


user@dev:~$ telnet localhost 5554
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Android Console: type 'help' for a list of commands
OK
help


Android console command help:
help|h|? print a list of commands
event simulate hardware events
geo Geo-location commands
gsm GSM related commands
kill kill the emulator instance
network manage network settings
power power related commands
quit|exit quit control session
redir manage port redirections

I covered some of the halflm challenge sniffing stuff in a previous post.

but I had to revisit it the other day for work and couldn't find the actually tables and program from the post.

so here are some updated links.

where to grab the tables:

http://freerainbowtables.mirror.garr.it/mirrors/freerainbowtables/halflmchall/

where to grab the program:

http://sourceforge.net/projects/rcracki/

Got asked to help remotely locate local admins on boxes on a network.

rpcclient $> enumalsgroups
Usage: enumalsgroups builtin|domain [access mask]

rpcclient $> enumalsgroups builtin
group:[Administrators] rid:[0x220]
group:[Backup Operators] rid:[0x227]
group:[Guests] rid:[0x222]
group:[Network Configuration Operators] rid:[0x22c]
group:[Power Users] rid:[0x223]

Nothing earth shattering, but since this is a place for my notes...

Sometimes while you are on a box and pilfering through all the documents doesn't yield anything useful for you to move laterally you can sometimes grab the Firefox saved passwords. Lots of times someone will save their password to the corporate OWA, wiki, helpdesk page, or whatever. Even if doesn't give you a *great* lead you'll at least get an idea if they are a password re-user or not.

So how to do it?

Actually its simple. Inside of the mozilla\firefox directory will be somethingrandom.default. Inside that folder you'll find:

key3.db
signons.sqlite

Metasploit has a nifty PHP Remote File Include module that allows you to get a command shell from a RFI.

Not too complicated to use, set your normal RHOST/RPORT options, set the PATH and set your PHPURI with the vuln path and put XXpathXX where you would normally your php shell. So we take something like Simple Text-File Login Remote File Include that has a vulnerable string of:

/[path]/slogin_lib.inc.php?slogin_path=[remote_txt_shell]

and make your PHPURI

PHPURI /slogin_lib.inc.php?slogin_path=XXpathXX

let's see it in action

msf > search php_include
[*] Searching loaded modules for pattern 'php_include'...

Exploits
========

Name Rank Description
---- ---- -----------

Back in 09 there was a buzz about token kidnapping by Argeniss
http://www.argeniss.com/research.html

http://www.argeniss.com/research/TokenKidnapping.pdf

subsequently patched http://www.microsoft.com/technet/security/bulletin/MS09-012.mspx

I'm normally violently against uploading binaries to boxes but until the local exploit functionality is added to msf...

The gist is you an run the Churrasco binary and it will execute a command for you as SYSTEM from NETWORK SERVICE (the shell privs you get when exploiting IIS). See the slides for more.

Lets see it in action.