Social Media - Mubix
Entries in Hacking (13)

Tuesday
24Nov2009

SHODAN The Computer Search

If you haven't seen it all over twitter yet, achillean released the "beta" of SHODAN yesterday. It's a search engine built on what is basically an nmap of the internet (ports 21, 22, 23 and 80 so far).

http://shodan.surtri.com/

You can search by keyword and/or use any of the advanced search options:

  • country:2-letter country code
  • hostname:full or partial host name
  • net:IP range using CIDR notation (ex: 18.7.7.0/24)
  • port:21, 22, 23 or 80

Here is just a taste of the power this brings to the game:

Let your mind run wild. I imagine this search engine will do nothing but grow. Remember, as with any service, your searches are happening on someone else's servers: be gentle (it's free... right now) and be wary; you don't want to put too much data about a customer into it ;-)

Thanks go to HD Moore for the heads up about the service, and to Thierry Zoller for adding fuel to the fire of crazy searches to try on this new service.

Saturday
10Oct2009

Burp Tip of the Day - Nikto db import

CKTricky over at http://cktricky.blogspot.com has been running an awesome Burp Tip of the Day series on his blog. After seeing him use Nikto through Burp, I decided to see if I could just export the list of checks to a text file so that I could use them over and over in Intruder. After a bit of awk and sed hell I figured it out, and submitted it to him for acceptance to his BTotD series. Yesterday it was posted ;-)

Here: http://cktricky.blogspot.com/2009/10/btod-importing-nikto-db-to-intruder.html

Here is the ugly command I came up with:

cat /pentest/web/nikto/plugins/db_tests | awk -F "," '{print $4}' | sed 's/^\"*//;s/\"$//' | sed 's/^\@CGIDIRS//;s/\@ADMIN//;s/^\@NUKE//;s/^\@POSTNUKE//;s/^\@PHPMYADMIN//' | sed 's/^\///' > ~/nikto_burp.txt

What you are sacrificing here are the checks for the CGIDIRS, ADMIN, NUKE, POSTNUKE, and PHPMYADMIN interfaces (every check whose path starts with one of those nikto variables). Personally, I've modified this script a bit, but you can modify it however best fits your tests:

cat /pentest/web/nikto/plugins/db_tests | awk -F "," '{print $4}' | sed 's/^\"*//;s/\"$//' | sed 's/^\@CGIDIRS/cgi\-bin\//;s/\@ADMIN//;s/^\@NUKE//;s/^\@POSTNUKE//;s/^\@PHPMYADMIN/phpMyAdmin\//' | sed 's/^\///' > ~/nikto_burp.txt

That way I cover at least the most common cgi and phpMyAdmin directories.
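As an added example (not code from the post or from CKTricky's series), here is the same extraction done in Python with a real CSV parser, so a comma inside a quoted field cannot shift the columns, and with the @ variables expanded into one or more directory prefixes the way the second command does for cgi-bin/ and phpMyAdmin/. The sample db_tests lines and the EXPANSIONS table are constructed placeholders, not nikto's own data; it goes beyond the one-liner by allowing several prefixes per variable.

```python
import csv

# Constructed sample in the shape of nikto's db_tests (not the real file): the URI is
# field 4, the column the post's awk '{print $4}' pulls. Record 4 has a comma in the URI.
SAMPLE_DB_TESTS = '''\
# comment lines are skipped
"000001","0","3","@CGIDIRS/test-cgi","GET","200","","","","","test-cgi","",""
"000002","0","3","/admin/","GET","200","","","","","admin dir","",""
"000003","0","3","@PHPMYADMIN/config.inc.php","GET","200","","","","","pma config","",""
"000004","0","3","/cgi-bin/search.cgi?q=a,b","GET","200","","","","","search","",""
"000005","0","3","@ADMIN/login.php","GET","200","","","","","admin login","",""
'''

# Assumed expansions for the @ variables (placeholders, not nikto.conf values): each variable
# becomes one or more prefixes; an empty list drops those tests, as the original command does.
EXPANSIONS = {
    "@CGIDIRS": ["cgi-bin/", "cgi/"],
    "@PHPMYADMIN": ["phpMyAdmin/", "phpmyadmin/"],
    "@ADMIN": ["admin/"],
    "@NUKE": [],
    "@POSTNUKE": [],
}

def nikto_uris(db_text):
    """Yield field 4 (the URI) of every non-comment record, parsed as CSV."""
    records = (ln for ln in db_text.splitlines() if ln.strip() and not ln.startswith("#"))
    for row in csv.reader(records):
        if len(row) >= 4:
            yield row[3]

def expand_uri(uri, expansions=EXPANSIONS):
    """Swap a leading @VARIABLE for each configured prefix; strip the leading slash for Intruder."""
    for var, prefixes in expansions.items():
        if uri.startswith(var):
            rest = uri[len(var):].lstrip("/")
            return [prefix + rest for prefix in prefixes]
    return [uri.lstrip("/")]

def build_payloads(db_text, expansions=EXPANSIONS):
    """Return the de-duplicated payload list, one entry per Intruder payload, in file order."""
    seen, payloads = set(), []
    for uri in nikto_uris(db_text):
        for payload in expand_uri(uri, expansions):
            if payload and payload not in seen:
                seen.add(payload)
                payloads.append(payload)
    return payloads
```

Write the result with one payload per line (for example `"\n".join(build_payloads(open(path).read()))`) and load that file into Intruder as a simple list.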

Friday
02Oct2009

Packet Captures with Meterpreter - 7zip - WinDump - and Nmap-ish

So this is a pretty crafty way of getting packet captures on a target system. It could definitely be streamlined with some meterpreter scripting fu, but awesome job on the video.

Metasploit meterpreter Windump/Winpcap sniffer from siles on Vimeo.

Friday
18Sep2009

Password / Word lists

Brute force, even though it's gotten so fast, is still a long way away from cracking long, complex passwords. That's where word lists come in handy. It's usually the cracker's first go-to solution: slam a word list against the hash; if that doesn't work, try rainbow tables (if they happen to have the tables for that specific hash type); and then the full-on brute force. Some would say those first two steps are reversed, and it really is the choice of the person doing it and the word lists they have to work with.

Matt Weir and company created a cool tool that has the best of both worlds, dictionary-based rainbow tables, with Dr-Crack, which you can find here:

http://reusablesec.googlepages.com/drcrack

But, back to the reason of this post, word lists. Where do you get them? Here are a couple of my favorite places in no particular order:

http://www.packetstormsecurity.org/Crackers/wordlists/
http://www.theargon.com/achilles/wordlists/
http://www.openwall.com/wordlists/
http://www.outpost9.com/files/WordLists.html

I like to keep word lists in three sizes:
1. small and fast: usually based on the output of one of the tools I'm about to tell you about
2. medium: this is my custom list, to which I add passwords I find / crack and generally think are good to add. I'm pretty picky about what goes into this list
3. huge: any wordlist I come across gets added to this list; it gets sorted, uniqued and stored again

Now, the two tools that I like for the small list are CeWL and wyd:

CeWL - http://www.digininja.org/projects/cewl.php
Wyd - http://www.remote-exploit.org/codes_wyd.html

They have very similar feature lists; your mileage may vary. But they basically parse files and web pages for words and generate password lists based on the words found.
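As an added example (not code from the post, CeWL or wyd), a minimal CeWL-style extractor in Python: it pulls candidate words from a page's visible text while skipping script and style blocks, ranks them by frequency for the "small" list, and merges lists the sort-and-unique way the "huge" list is kept. The sample HTML is constructed.

```python
import re
from collections import Counter
from html.parser import HTMLParser

# Constructed sample page standing in for the files and web pages CeWL and wyd parse.
# The script contents and the bare number should not end up in the list.
SAMPLE_HTML = """<html><head><title>Acme Widgets - Team</title>
<script>var trackingId = 'ignoreme';</script></head>
<body><h1>Acme Widgets</h1>
<p>Founded in Springfield, Acme builds widgets. Contact: jane.doe@acme.example</p>
<p>Our flagship product is the WidgetMaster 3000.</p></body></html>"""

class _VisibleText(HTMLParser):
    """Collect text nodes, skipping anything inside <script> or <style>."""

    def __init__(self):
        super().__init__()
        self.parts, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)

def words_from_html(html, min_length=4):
    """Return words (a letter followed by alphanumerics) of at least min_length from the
    visible text, most frequent first, each word once; case is preserved as found."""
    parser = _VisibleText()
    parser.feed(html)
    tokens = re.findall(r"[A-Za-z][A-Za-z0-9]*", " ".join(parser.parts))
    counts = Counter(t for t in tokens if len(t) >= min_length)
    return [word for word, _ in counts.most_common()]

def merge_wordlists(*lists):
    """The 'huge' list routine from the post: concatenate, unique, sort."""
    return sorted(set().union(*lists))
```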

Thursday
17Sep2009

GPU Hash / Password Cracking

I recently upgraded my video card and had a rough time finding programs that fit the hype of GPU password cracking, so here is what I found so that you won’t have as hard a time.

Ivan Golubev's SHA1/MD5/MD4 cracker:
http://www.golubev.com/hashgpu.htm

Ivan Golubev's RAR pass cracker:
http://www.golubev.com/rargpu.htm

CUDA Multiforcer (down at the time of this posting)
http://www.cryptohaze.com/bruteforcers.php

BarsWF – MD5 Cracker:
http://3.14.by/en/md5

GPU MD5 Crack: (Included in BackTrack 4 repos “gpu-md5-crack”)
http://bvernoux.free.fr/md5/index.php

Distributed Hash Cracker:
http://rpisec.net/projects/show/hash-cracker
This is an interesting one as it has a PHP front end and is agent based, so you can use one or a dozen computers, and it will use the CPUs and GPUs available.

Pentoo Live CD with a bunch of GPU cracking goodness built in:
http://pentoo.blogspot.com/

Extreme GPU Bruteforcer (39.95 Euro)
http://www.insidepro.com/eng/egb.shtml

ElcomSoft Distributed Password Recovery ($599 for 1st lvl – 20 hosts)
http://www.elcomsoft.com/edpr.html

ax0n from http://www.h-i-r.net/ shot me an email stating that BT4 has some more GPU tools added to it:

Just FYI, BT4 also added some CUDA GPU cracking functionality a while back. IIRC it includes Pyrit and CUDA-Multiforcer -- maybe a few others. Pyrit is a CUDA-enabled WPA-PSK cracker that you may also be interested in.

Pyrit - WPA/PSK - WPA2/PSK GPU cracker
http://code.google.com/p/pyrit/