How to create a persistent install for BackTrack 4 Pre-release (via the Informer) on an SD card (or USB thumb drive)

I was excited to be able to use the new pre-release version of Backtrack 4, as I love to use it on my Asus EEE 1000HA. When it was released I was eager to make it work, booting off of an SD card in the EEE so that I would not have to mess with additional USB thumb drives (they stick out of the laptop, and the SD card is internal). During the process, I was happy to discover that both the internal wireless and bluetooth adapters are now supported. The wireless card even appears to support injection!

I'll be tailoring this to use on an SD card, but the steps are exactly the same as a USB thumb drive.

Thank you to the Offensive Security folks who put together LINK this video, as this guide is based on it exactly. I wanted to put it down in text as it isn't always that easy to print out video, or view when you don't have internet access (such as on a plane...), where I initially wanted to accomplish this.

Additionally, this is a signifiant departure from the previous methods for creating a persistent install. This will not work for the BT4 beta versions.

Let's get started.

Two things that you will need:

• The Backtrack 4 Pre-release ISO, booted on a machine with an SD card reader
  
• An SD Card 4 gigs or larger (or USB thumb drive 4 gigs or larger) that we can completely wipe. This is a destructive method, as we need to create a few partitions.
  

After Booting in to BT4, and insert your SD card. Issue the command "dmesg". At the very bottom of the output, we should be able to identify the plug in of our SD card, and the device to which it was assigned. Mine happened to be /dev/sdc, so that's how the rest of the instructions will progress. Replace /dev/sdc with your assignment from the output of dmesg.

Now, as root (the default user for BT4), we need to fdisk our SD Card. BE CAREFUL, as selecting the wrong drive here can potentially hose your system. That's why I like doing this from within a VM. Start fdisk with the appropriate drive:

# fdisk /dev/sdc

Within the fdisk utility, print the existing partition table with "p". If there are existing partitions, delete them with "d", and select the appropriate partition, and repeat until they are all gone. You can reverify by reprinting the partition table with "p".

We now need to create two new partitions with in fdisk. For the first partition enter "n" for a new partition, "p" for primary partiton, "1" for first. Use a size of "+1500M" for 1.5 Gig. For the second partition, "n" for a new partition, "p" for primary partition, 2 for second. You can accept the default for size, or at a minimum of 1.5 Gig with "+1500M"

Activate (set as bootable) the first partition with "a", and select partition 1. Assign a type to partition 1 by issuing "t", select partition 1, and use the code of "b" to identify it as W95 FAT32

Verify the new partition table by issuing a "p" with in fdisk. If all looks OK, write it to disk (and exit) with "w"

Ok, you can breathe again. The dangerous part is done.

In order to use our new partitions, we need to format them. The first partition (/dev/sdc1) will be vfat, and the second (/dev/sdc2) will be ext3. We can format them with the following commands:

# mkfs.vfat -F 32 -n BT4 /dev/sdb1
# mkfs.ext3 -b 4096 -L casper-rw /dev/sdb2

The mkfs.ext3 command will take some time, so be patient.

Before we can begin copying over the files, we need to mount the forst partition after creating a directory to mount it to. We accomplish that with:

# mkdir /mnt/sdc1
# mount /dev/sdc1 /mnt/sdc1

Copy away! We're going to copy the contents of our current, booted BT4 enviroment to the new partition on the SD card:

# rsync -avh /media/cdrom/ /mnt/sdc1

Again, this one will take some time, so be patient. Also, note that the extra "/" at the end of /media/cdrom/ is important. If you use tab completion to add that directory to the command, it will not be included and the rsync copy will fail.

Let's install the grub bootloader so that the thumbdrive will actually boot, and know where to fund all of the appropriate files:

# grub-install --no-floppy --root-directory=/mnt/sdc1 /dev/sdc

Editing the startup items will make our experience that much better. You can use your favorite text editor here (vi for example), but nano is included on the BT 4 install, so feel free to use that:

# nano /mnt/sdc1/boot/grub/menu.lst 

At the top of the file, change the default boot option to 5 to automatically use the persistent install at boot time if no user interaction is provided. the line should now read as:

default 5

Also, edit the block towards the end of the file with the title of "Start Persistent Live CD". You'll want the kernel line to be updated, and at the at the end add 0x315. This sets the default video mode for boot, and was the highest resolution available on my EEE. For normal installations (such as on non-netbooks), use 0x317. The updated line should be as follows:

/boot/vmlinuz BOOT=casper boot=casper persistent rw quiet vga=0x315 

Exit nano and save the file to the default location (with ctrl x).

We are almost done! Just unmount the SD card ad reboot:

# umount /mnt/sdc1
# init 6

Enjoy your persistent Backtrack 4 installation on an SD card!

- Larry "haxorthematrix" Pesce

Some people get really worried if a complete stranger sees their dirty laundry. In order to hide their "secrets" they will air their dirty laundy in a dark basement. The problem is the laundry is still dirty, kids are sleeping in dirty sheets, all because you are ashamed.

An excuse some will use not to have a penetration test is, "Our data is too sensitive for you to ever have access to, so you just need to do an audit". Even better, "Our systems cannot go down, so just do a portscan". Wow, this is just an amazing security fail! If you don't trust an outsider, and lets face it, some organizations just can't, then develop an internal pen test team and program. This is not an excuse not to have a penetration test, its a reason to create your own team! In addition to your own team, consider expanding the scope for external testers. This is something that you've heard so many professional penetration testers saying, and its time to start listening and sleeping in clean sheets.

Paul Asadoorian
PaulDotCom Enterprises

Taking Time To Go Fishing (Not Phishing)

I was enjoying a relaxing day of fishing last weekend, a low-tech hobby that I have enjoyed since I was probably 5 years old. I had all of the essential components that make for a successful day of fishing: good weather, cigars, beer, and beef jerky. I set out to fish some of my favorite spots on the pond, using my tried and true artificial lures that are known to work on this pond in these conditions (I will spare you all the details). I noticed that there was one other fishing party on the pond who had navigated their small boat over to the dam and begun fishing, albeit with live bait. If there is one thing I believe in as a fisherman, it is that using live bait is cheating. I mean sure its fun every once and a while, and certainly useful for keeping the kids occupied while fishing as you tend to catch a lot more fish. In any case, I was fishing within site of the folks on the dam who were not catching any fish and caught two small fish right in front of them. On the second fish I noticed something interesting sticking out of the fish's mouth, a set of nasty little pinchers! The fish must have been hungry because not only did it consume a crawfish, but also my imitation worm. I decided to change spots to just across the pond where there was a prime spot with some logs sticking out of the water. I changed baits to an imitation crawfish (digging through the tackle box to find one) and on my first cast as soon as the lure hit the water my line started pulling. I reached forward and then quickly leaned back to set the hook. To my pleasant surprise it was a 3 pound large mouth bass, the largest I had caught all season! Needless to say this had to frustrate the folks fishing off the dam with live bait. Am I a master fisherman headed for the professional fishing circuit? Not even close, but it speaks to common sense that we all need to have.

Yes, I frequently yell at the fish; they like it though.

Adapting To The Changing Landscape

How does this relate to our field? It doesn't really, i just wanted to share my fishing story with you. Just kidding (sorta)! We certainly need to exercise common sense in the security field, and there are far too many areas where we are using tried and true methods of defense (or offense) and its just not working as well as it used to. The big question is, why? The landscape and environment is constantly changing, and we need to observe what's in our environment if we are to be successful hackers, defenders, and fisherman. For example, consider the following areas:

Web application assessments - Some customers may give push back about this one, but we need to continue to put this on the forefront of our penetration testing agendas. Web application testing, by real human beings, should be a part of every external penetration test. Attackers are exploiting our web applications, stealing our data, and using it to trick users, and we should too!

Wireless "security" - Ah yes, of course, WPA2 came out and we're all safe, right? This is a prime example of how the crawfish is hanging out of the fish's mouth, but we're still fishing with worms. Attackers are exploiting wireless to gain access to your networks. Here's another secret: the protections you've put in place to stop them aren't working! WEP, WPA/WPA2, and most IDA/IPS devices do little to stop attackers, yet we see so many organizations doing little about it except recognizing that it's broken and going off to work on the firewall upgrade project.

Collecting logs and not checking them - This is the equivalent of catching the fish, but never even looking in it's mouth to see what its eating. Some organizations have spent a lot of money on solutions that collect, aggregate, and correlate their logs. Sure,it takes some work to configure and use these solutions, but how many are being used to prop open the server room door? (thanks to Carole Fennelly for that story!)

"Client security" - Its pretty clear that attackers are going after the client. Everything from phishing, to xss, to straight up exploiting client software (like adobe products), the client is the low hanging fruit in your network and has been for some time. Guess what? This isn't changing! As penetration testers one theme that I gathered from many people and presentations at the penetration testing summit was we are beefing up post-exploitation, in a big way. At the center of this effort is our very own Carlos "darkoperator" Perez who is writing and maintaining several Metaspoloit Meterpreter scripts to automate post-exploitation. During our own penetration testing exercises once we've gained access to a client, we can use that as a jumping off point to gain access to other systems. I don't mean jumping off exclusively from the network necessarily, but maybe that client has some piece of information that leads us to your data, like a browser history, stored password, re-used password, or spreadsheet of passwords. Don't even get me started on anti-virus software and how its supposed to help...

Conclusion

Organizations need to take a long hard look at their overall defensive strategies on a regular basis. Adjust your strategies and be adaptive. I think the hardest part is keeping management up to speed. It seems like just when we convince them that one technology is vital to your survival from attacks, something new or different crops up and changes the landscape. Then, well, lather, rinse, repeat (we started with firewalls, to Anti-Virus, to IDS/IPS). You need to identify security strategies that stand the test of time and put effort into them, such as:

Well-formed security policies

Procedures that enforce the policies

Vulnerability management programs

System Hardening

The above items are like a net - they will always catch some fish regardless of the conditions.

Paul Asadoorian
PaulDotCom Enterprises

Live from Las Vegas, the entire crew gets together for the first time live on stage!

Note: We did NOT figure out a way to get free access to "adult" programming at the hotel. Although we heard some reports that it was as easy going into the setup menu, add/delete channels, then using the regular channel up/down buttons. So we heard...

Full Show Notes

Direct Audio Download

Hosts: Larry "HaxorTheMatrix" Pesce, Paul "PaulDotCom" Asadoorian, John Strand, Mick Douglas

Audio Feeds:

Peer-To-Peer Networking Information Gathering

Users of P2P networks will sometimes inadvertently disclose too much information via the files they are sharing from their computer. With the potentially large amount of personal data one can gather, all manner of fraud and identity theft is much easier to accomplish.

P2P Research & Results

At the PenTest Summit '09 in Las Vegas, Larry Pesce and Mick Douglas revealed their findings based on reconnaissance of the Gnutella P2P network. This reconnaissance was inspired by the breach of top secret details pertaining to the Joint Strike Fighter Aircraft. This breach allegedly happened via a P2P client installed on a system with this highly sensitive information.

Harkening back to the now defunct seewhatyoushare.com, the duo attempted to see what sort of information can be gathered via Gnutella. The results were shocking and rather sobering.

In this first round of research, using readily available software, they focused on the acquisition of personal information one could use to perpetrate fraud. They were able to acquire high resolution images of social security cards, passports, visitation visas, tax returns, retirement planning forms, and drivers licenses. In one instance, they were able to uncover personal data on an former Iraqi national who fled to the US fearing retribution for themselves and their family for assisting the US lead coalition forces.

Based off these findings, they are strongly suggesting that users think twice before installing and using P2P software of any sort. Additionally, network and systems administrators should be reminded to check for the presence of P2P systems which violate company policies. If you must use P2P software, please be extremely cautious about the data you share with others.

You can download the slides from out presentations section and listen to the audio recording on PaulDotCom Security Weekly Episode 154 where is was the feature technical segment. Those who wish to learn more about this research are encouraged to contact Larry and Mick at the following email address: psw /at/ pauldotcom.com.

At least for just a second or two.

There is a problem that I have been fighting with. Lately many security testers are becoming like the TSA... Trained to look for very specific things.

For example, TSA agents appear to be focused on looking for things like scissors, containers with the ability to hold more then 3 to 3.4 ounces of fluid. Rather then looking for threats we are focusing our TSA to look for specific things.

And that is the problem with many penetration tests today, they are looking for specific things. Many of us are reducing our craft to the search for XSS, XSRF and SQLi vulnerabilities (just to name a few). However, I would say that a test that looks for only those types of vulnerabilities is sub-par at best.

Here is why. We need to be looking at how the application and the network functions. We need to understand how it is transferring data from the back end to the web front-end. We need to try to understand how the data is being segmented and protected. All of this requires us to try and understand how the application works. Trying to understand how something worked used to be the goal and definition of hacking.

Do you see the difference in perspective? If you are hunting for missing patches and other vulnerabilities you will find them, but you are missing out on the bigger (and probably more important) picture.

This goal with looking for specific vulnerabilities is weakening our profession in two ways. First, it is locking us into very small and well defined roles. Unfortunately, this type of mindset is driving many of the audit standards that help us get work. Audit standard X says we should look for Y vulnerability, so that is what we look for. Second, and somewhat related, there are a number of outstanding tools that are automating that process. If at any point in your career the opportunity exists to replace you with a tool your employer/customer will do it.

If we continue to allow this to happen the modern penetration tester will quickly become a thing of the past. We will have been replaced by a number of tools that look for the same defined sets of vulnerabilities.

The reason I am writing this is the past couple of tests I have been on the tools have turned up squat. In-fact a couple of the customers use the exact same tools I use on a regular basis. However, I have been able to find fairly major holes in their applications or network architectures without tools. I just start messing around with different applicants and accounts. To be honest, this approach is where I started. I strongly believe that this is where a good number of you started as well. We probably do our best work this way.

Automation and tools are great. I love all of the wonderful tools I have on my computers. But they are not sufficient to do a penetration test. If they are, we are all in big trouble. Run the tools, automate and print reports.

However, when the tools are done running. It is time to get back to basics. Consider a new definition of "Hack Naked", put all of your tools away and just use what you have at your disposal. A browser, a OS and a couple of test accounts are all you need.

-strandjs

One of the most asked questions we have gotten since we started PaulDotCom is: "How do I get started in information security?". This is a great question, and the following guide will get you started:

1. Be curious - The first and most important characteristic you need to succeed in information security is curiosity. I have to say that I started by being curious. I was 7 years old and I took a class on how to use an Apple IIe computer (back then you had to write programs to make the computer do anything). I remember sitting in front of the Apple IIe (my parents eventually bought one) and staring at the glowing screen and the green flashing cursor, just wondering what I could make it do. I watched the movie "War Games" and wanted a modem so bad, but my parents forbid it, saying that I would cause global thermo-nuclear war (I told them I only wanted to play chess, but they didn't believe me). I guess that's part of your homework, go back and watch two of the best hacker movies on the planet, "War Games" and "Sneakers".
2. Work in information technology - Most people I encounter who want to get into information security want to know, "How do I become a hacker?". I don't think its something that you become, I think its something that you are, coupled with something that you are shaped into. The best information security professionals are those that have been "In The Trenches", working as a help desk technician, systems administrator, or network engineer. Working in these positions will gain you an understanding of how things work, which lays the foundation to learn how to break them and make them do things they were not intended to do.
3. Setup a home network/lab - First, setup a home lab. VMware makes free versions of their software, and there are thousands of pre-configured virtual hosts available on their web site. Don't just focus on setting up security tools either, try to setup a file server using Samba and lock it down (for example). This exercise can provide valuable experience. For example, I was on an interview once for one of my first UNIX systems administrator jobs and they asked me if I had experience with NFS. I said, "Sure do! I run it at home." They looked puzzled at first, but when I could answer all their technical questions about NFS, they, well, hired me. I also brought pictures of my computers at home to the interview. Now, I don't recommend that, but its one of those funny interview stories and it happened to work for me. However, it could have very easily had the opposite effect.

Actual picture Paul brought to his interview
4. Get involved with local groups - This is a great place to meet people in the field, exchange ideas, and ask questions. Its important to network as this is most likely how you will get a job in the field! Local groups in my area, for example, include 2600, defcon (DC401), Linux user groups, and several others. Also, there may be a "Hacker Space" in your area as well, so be certain to find one and participate in it. If there is no group of any kind in your area, then create one!
5. Go to conferences - Defcon is one of the larget conferences on the West Coast, and Shmoocon is a popular conference on the East Coast. This is another great place to network and there are several smaller conferences all across the country (such as NOTACON). SANS is a great place to learn and network, but most starting out in the field may not have an employer who will pay for training. There are many options, such as SANS @home online training or becoming a facilitator for SANS.
6. Read blogs & listen to podcasts/webcasts - There is so much information on the web about our field that it is overwhelming. While you may specialize on certain systems or technologies, you need to have some level of understanding in all areas on technology. Keeping up with all this can be a full-time job in and of itself. My suggestion is to use an RSS news reader and subscribe to as many technology and security related resources as possible. Need some help getting started? You can download all the feeds from here and import them into your RSS news reader. Podcasts are free, and iPods are very cheap now, so you should be listening to podcasts. Of course we produce our own weekly show called PaulDotCom Security Weekly, and this thread in our forum discusses many of the other great podcasts on the net. Webcasts are free ways to get good information, and are available from SANS, Whitehat World, and many others.

Hacking Naked Helps Too
7. Take training classes and get certification - We've talked about SANS already, and there are several other places to get great training. Backtrack is a great security live CD distribution (also a great place to start for beginners) and its associated training classes have gotten great reviews. Don't shy from certification, but don't spend too much time getting certifications to pad the resume. Strike a balance - get a few certifications and see where it takes you, then spend some time and resources getting real-world experience. Get involved with an open-source project - even if you may not feel like you have the technical chops to participate in many open source projects. That's okay, if you are good at writing documentation and/or testing, you can be a valuable resource. This tack gets you familiar with the technology and gets you networked in the field.
8. Socially Network - Not only are social networks fun to hack, but they are one of the best ways to network in the field. Twitter has become a great tool for this, and even has the "Security Twits" group consisting of security people using Twitter. They have meetups at various conferences. Facebook and LinkedIN can also be valuable networking tools to help you meet people and find a job.
9. Write about stuff - A great addition to your resume are publications. Find a topic that you like and write something on it and submit it to various magazines and online resources to get published. This is looked upon favorably by employers, and gives them writing samples as well. Also, have a blog. Blog about stuff that you do, what you think about security, etc... If you keep it focused on security, you'll be in good shape. If you start blogging about farm animals and creamed corn, it may not be as useful. For examples of some of the things we have written, you can check out the papers page. For examples of presentations, see the presentations page.
10. Manage a machine that gets hacked - I know this sounds strange, but many people we interview say they got their start when their machine got hacked. This is not to say that you would let a machine get hacked (be careful if you plan to do this and setup honeypots/honeynets), but this can provide valuable experience and further motivate you to explore the field of information security.

I want to thank the members of the PaulDotCom mailing list for sharing their ideas and thoughts on this subject. You can read the full thread in the archives that inspired this post.

Paul Asadoorian
PaulDotCom

Here at PaulDotCom Security Weekly we have this thing for wireless of all kinds. Wireless cards, cables, antennas, 802.11, RFID...the list goes on. We're always on the lookout for something neat and useful. We found that in the Asus EEE line of netbooks. They are small, usually feature Atheros wireless cards, and have a huge modding community. The small form factor is also something that works well for wireless assessments, whether covert or sanctioned. The size is conducive to easy transport in a small space or as a second laptop while traveling.

To those aims, the Asus 4G Surf (amongst others in the EEE family) works well, however the small internal wireless antennas don't offer much flexibility or range. We need to take some cues from the EEE modding community and extend the hardware to support a better antenna. So, here's how to add an external RP-TNC antenna connector to the Asus EEE 4G Surf.

Tools and parts you will need:

A small Phillips screwdriver

Electrical tape

A drill and appropriately sized drill bits

A flat instrument for gently prying the case apart (such as a plastic putty knife or a fingernail)

A u.FL to RP-TNC pigtail (about 6 inches works well)

First, we need to get this little machine open. To do that we need to remove the memory door cover on the underside by removing two small Philips screws.

Then we need remove the rest of the screws on the underside of the case. While we are there, remove the battery and set it aside.

Once removed, we need to remove the keyboard to access the screws underneath. To do this, loft the rear of the keyboard and push in the 3 small retaining tabs (near the screen). The keyboard should lift up from the rear allowing you to carefully disconnect the ribbon cable in the front.

Removing the keyboard will reveal several screws on the metal plate underneath the keyboard.

Separate the top section of the case from the bottom; start at the bottom right and work your way around to the screen and down the left hand side. Once you reach the left hand side, rotate the top of the case slightly in a counter clockwise direction in order for the case to make it past the ethernet and sound ports.

Once the top has been separated, remove the main board from the case to access the underside of the board and wireless card. Next, remove the several small cables to separate it from the case.

Last but not least, remove the microphone from the case. It should pop out easily and stay attached to the board.

All that is left holding the board hostage in the case are three small clips at the front edge of the laptop. Pushing the tabs aside with your finger will liberate the board.

In order round the corner on our hack, we will also need to separate the display from the base. This will allow for safety while drilling the hole for the RP-TNC connector and allow us to wedge it all back together. The display can be removed by removing one screw from the outer edge of each hinge and then it should lift straight out.

I found an interesting place for the RP-TNC connector. At the right hand edge of the laptop, what appears to be the "hinge", there is a small silver disc. This disc is just a sticker; peel it off and we are left with a spot that looks as if it was made for the connector. I used my handy drill press in the workshop to create an appropriate hole where the sticker used to be (I believe that it was 5/16ths of an inch). This could certainly be accomplished with a hand drill as well.

Due to the cramped quarters in this section of the case, I had to route the pigtail connector for the external RP-TNC connector through the right hand display hinge. Fortunately, this is also how cables are passed into the display form the main compartment.

At this point we can start the reassembly process. I found that it was easiest to attach the RP-SMA external connector to the case first, and then reinstall the display.

The final step before reassembly is to attach the u.FL end of our pigtail to the wireless card. I elected to leave one of the internal antennas attached, and placed a small piece of electrical tape over the other, and disconnected internal antenna connector. We don't want this nice conductive connector inside of the case causing a short!

In order to complete the reassembly (just follow the disassembly steps in reverse, yes it is that easy), we need to modify the top half of the case in order to accommodate the internal parts of the RP-TNC connector. On the underside of the hinge cover, we need to remove a small bit of plastic. I did this with my Dremel and a small grinding stone.

Reassemble, and we are done! Attach an appropriate RP-SMA antenna of your choice and begin your assessments, now with more power!

As a bit of an update, I quickly discovered that the location of the external connector was just a bit too tight. It pushed out the side of the case a little bit and as a result, compromised the connection on the inside of the connector. This quickly failed.

I added some additional space to the outside of the case with a new connector, utilizing the same location. I added a spare dome shaped piece, with an extra large hole drilled on the inside to accommodate the flange on the external connector. Fasten the connector to the dome, and a little two part epoxy later and we have a solid connector with plenty of room. Here's a look at the final result:

Now, any idea where the dome shaped piece came from? Glad you asked! It was a plastic foot that was supposed to be affixed to the bottom of some piece of furniture. It met with all sorts of power tools in the workshop for holes, trimming and finishing. Now, what to use the three other feet on...?

Enjoy! Let us know how your hacks turn out.

- L

Resources

EEE 4G Surf from Asus: http://eeepc.asus.com/global/product700-spec.html

EEE User Forums: http://forum.eeeuser.com/

FAB Corp u.FL to RP-TNC Pigtail http://www.fab-corp.com/product.php?productid=2680

One of the questions that we get on a regular basis is "Are there any good tools for SQL Injection?"

There are a number of great tools that do this commercially like Core Impact and Cenzic Hailstorm. However, many tools will simply alert you that a SQL Injection vulnerability exists then leave it at that.

We are penetration testers so proof is kind of important. Simply stating that you found a SQL injection vulnerability because your tool said so is not enough.

To that end, I would like to introduce you to sqlmap.

First up, I would like to say thanks to the developers Bernardo Damele A. G. and Daniele Bellucci.

Now I would like to show you a short video of the tool.

Why does this tool rock?

Glad you asked.

First, it has the ability to process results from burpsuite and webscarab with the -l option:

Like..

# ./sqlmap.py -l /tmp/webscarab.log/conversations/

It also has the ability automatically dump data. For example it can dump the database version and the tables in the database.

To do this you would use the --dump-all switch like:

# ./sqlmap.py --dump-all -u "testurl.com"

Next, it has the ability to use googledork search strings. Yep, thats right googledorking and SQL Injection... Honestly, does it get any better?

# ./sqlmap.py --dump-all -g "site:testsite.com ext:php"

The above command will have google crawl a website and pull all pages with a php extension. After sqlmap has a nice list of targets it tries to attack them.

Finally, and in my humble opinion most importantly, it can get you a SQL shell.

To do this use the --sql-shell option and it will try to give you a shell.

# ./sqlmap.py --sql-shell -g "site:testsite.com ext:php"

Very nice!!!

Once again, I want to drive home the importance of proof. Our jobs as testers is to demonstrate risk. To do that we need to act like a threat and interact with a vulnerability. Simply stating that a tool said there is a vulnerability is not enough. Also, we should be after what the attackers are after.... Data! What better place to get data then a SQL database?

strandjs

We have been promising for a few week a write-up on SSLStrip and now we have finished it!!!!

SSLStrip from John Strand on Vimeo.

SSLStrip basically strips the SSL session between the attacker and the victim. This allows the attacker (or tester) to see all of the data that is being sent to the user in clear text. As far as the server is concerned it is a valid encrypted session. There are a few interesting things going on with this attack. First from a pen-test perspective it only articulates even more how dangerous man in the middle attacks are when leveraged correctly. Funny thing about that... arp cache poisoning is just as effective as it was 5 years ago. It is getting clearer and clearer to me that if an attacker gets access to an internal network it is pretty close to being over. So if you are doing pen-testing and you don't Man in the Middle... Get on board and start doing it. Now for the second issue. User training. We tell our users that they need to be careful to not click on links for strangers and be carefull what websites they should not go to, but we rarely demonstrate that risk. Why do organizations do pen-tests? The do it to demonstrate risk. Otherwise they tend to do nothing. Is there any reason why we would expect anything less from our users? The reason I bring this up is that when we do user education we really need to be doing some live demonstrations. For example, we need to demonstrate a browser being compromised. We can also use tools like SSLStrip to demonstrate why that HTTPS is so important. We can also use tools like Web Monkey in the Middle from Dsniff to demonstrate why those certificate pop-ups are kind of important. I know I am tilting at windmills with user education. Just a hopeless romantic I guess. strandjs