Thursday 13 February 2014

SAM,SYSTEM, & LSA Secrets Dumping using Reg Save Command


When you get access to a desktop or server through some vulnerability, the first thing we are interested in is getting the password hashes and recovering as many clear-text passwords as possible, which helps us penetrate deeper into the network.

In one scenario, once we have command-level access to the server, we can dump the SAM and SYSTEM hive files and then extract the hashes from them.

SAM + SYSTEM ==> Windows Password Hash ==> Crack / Rainbow table to get clear text password

Going one step further, we can even dump the LSA Secrets, from which you can extract the usernames and passwords the machine previously used to connect to other systems.

Ex. Let's say you previously connected to a remote machine's share with username X and password Y; you will probably recover these credentials by extracting the contents of HKEY_LOCAL_MACHINE\Security\Policy\Secrets

With the help of a handy little tool from Nirsoft: http://www.nirsoft.net/utils/lsa_secrets_dump.html


We can dump the SAM and SECURITY files with the help of the "reg" command
(one of my friends pointed me to this).

Exported SAM, SYSTEM, & LSA Secrets

Extracting Contents of LSA Secrets (Nirsoft Utility)

Commands:

  1. reg save HKLM\SAM c:\SAM
  2. reg save HKLM\SYSTEM c:\SYSTEM
  3. reg save HKEY_LOCAL_MACHINE\Security\Policy\Secrets c:\lsa


Now we have the SAM and SYSTEM files, which can be used to extract the Windows password hashes,
and we have the credentials dumped from the LSA Secrets :)

Hope this is helpful :)
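From the defender's side, the three "reg save" commands above are a well-known credential-dumping indicator. The following is an added example (not from the original post) of a small Python check that flags exactly those hive exports in process-creation command lines; the sample command lines are constructed, and the log format is assumed to be a plain command-line string.

```python
import re
from typing import Dict, List, Optional

# Constructed sample process-creation command lines (not real telemetry).
# The first three are the exact commands shown in the post above.
SAMPLE_COMMANDLINES: List[str] = [
    r"reg save HKLM\SAM c:\SAM",
    r"reg save HKLM\SYSTEM c:\SYSTEM",
    r"reg save HKEY_LOCAL_MACHINE\Security\Policy\Secrets c:\lsa",
    r'REG.EXE SAVE "HKEY_LOCAL_MACHINE\SECURITY" C:\Temp\sec.hiv',
    r"C:\Windows\System32\reg.exe export HKLM\Software\Microsoft\Windows\CurrentVersion\Run run.reg",
    r"reg query HKLM\SYSTEM\CurrentControlSet\Services",
]

# Hives whose offline copy yields password hashes (SAM + SYSTEM) or LSA secrets (SECURITY).
SENSITIVE_HIVES = {"SAM", "SYSTEM", "SECURITY"}

# Matches "reg save" / "reg export" (optionally with a full path to reg.exe and a
# quoted key) and captures the top-level hive name after HKLM\ or HKEY_LOCAL_MACHINE\.
_REG_DUMP_RE = re.compile(
    r'^(?:.*\\)?reg(?:\.exe)?\s+(save|export)\s+"?(?:hklm|hkey_local_machine)\\([^\s"\\]+)',
    re.IGNORECASE,
)


def classify_reg_command(cmdline: str) -> Optional[Dict[str, str]]:
    """Return details if cmdline exports a credential-bearing hive, else None.

    Saving SAM/SECURITY needs administrative rights, so a hit also implies the
    account running reg.exe already held local admin (or equivalent) privileges.
    """
    m = _REG_DUMP_RE.match(cmdline.strip())
    if not m:
        return None
    verb, hive = m.group(1).lower(), m.group(2).upper()
    if hive not in SENSITIVE_HIVES:
        return None  # e.g. exporting a Run key is noisy but not a credential dump
    return {"verb": verb, "hive": hive, "cmdline": cmdline}


def find_hive_dumps(cmdlines: List[str]) -> List[Dict[str, str]]:
    """Filter a batch of command lines down to the suspicious hive exports."""
    hits = []
    for cmd in cmdlines:
        result = classify_reg_command(cmd)
        if result is not None:
            hits.append(result)
    return hits


if __name__ == "__main__":
    for hit in find_hive_dumps(SAMPLE_COMMANDLINES):
        print(f"[{hit['hive']}] reg {hit['verb']}: {hit['cmdline']}")
```

The check keys on the hive name only, so the Secrets subkey export is caught as a SECURITY hive dump even though the command names a deeper path.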



Configure sqlmap with burp suite proxy [ NTLM Authentication ]


Some web applications need NTLM authentication, especially .NET ones, and testing for SQL injection becomes very important in such critical applications.

In BackTrack, if we want to test for SQL injection using sqlmap, it needs the "python-ntlm" library in order to test such applications.

You can find python-ntlm information here:

But what if we could do our testing without this library? Guess how... The answer is through Burp Suite.

Configure Burp for NTLM Authentication

Configure SQLMap to use Burp Proxy


Now sqlmap will attack your web application through Burp Suite, which is already taking care of the NTLM authentication :)




Saturday 8 February 2014

Pineapple Mark V Standard First Boot & Start


To start with the Pineapple Mark V Standard, we need the latest firmware.
The Pineapple Mark V ships with the latest firmware, and the files are present on the SD card.


  1. Insert the micro SD card (containing the firmware files) into the Pineapple's SD card slot
  2. Plug in the power cable
  3. Once the device starts, a green light indicates the power supply and a solid blue light indicates that firmware flashing is in progress.
  4. Wait around 5 minutes, after which all the other lights blink continuously, indicating that the flashing process is done and the device is ready to use.

While flashing the firmware for the first time I faced some difficulties: all lights were solid for more than 10 minutes, after which I reset the power supply and it worked as mentioned by the Hak5 team in the manual.

Once the flashing process is done, we need to configure the device, which can be done by connecting your laptop to the Ethernet port on the Pineapple and browsing to http://172.16.42.1:1471

In my case at first it didn't work, so I manually assigned an IP to the LAN adapter and then it started working fine.

First Access

Setting up password for pineapple

Password Set

After Login to Pineapple (Web + SSH)

And your Pineapple is ready to start!!!!
Wait... there are many more things than this... :)

WiFi Pineapple Mark V Standard


Recently bought a new WiFi Pineapple Mark V Standard device, and it looks great...
Let's have a little walk-through of the device :)

Device Specifications:

CPU: 400 MHz MIPS Atheros AR9331 SoC.
Memory: 16 MB ROM, 64 MB DDR2 RAM
Disk: Micro SD support: up to 32 GB, FAT or EXT, 2 GB included
Mode Select: 5 DIP Switches - 2 System, 3 User configurable
Wireless: Atheros AR9331 IEEE 802.11 b/g/n + Realtek RTL8187 IEEE 802.11 b/g
Ports: (2) SMA Antenna, 10/100 Ethernet, USB 2.0, Micro SD, TTL Serial, Expansion Bus
Power: DC in Variable 5-12v, ~1A, 5.5mm*2.1mm connector, International Power Supply
Status Indicators: Power LED, Ethernet LED, Wireless 1 LED, Wireless 2 LED

Product Link: https://hakshop.myshopify.com/products/wifi-pineapple

First Look Of Wifi Pineapple Mark V Standard

Specifications

Features

My HAK5 Kit...:)

Wifi Pineapple Mark V Standard product includes:

  1. Wifi Pineapple Mark V Standard
  2. 6dBi SMA Antennas (Quantity 2)
  3. Micro SD Memory Card (With Latest Firmware)
  4. International Power Adapter
  5. Ethernet Cable

I purchased the below accessories:



So this was the external look & feel of the device with its specifications... :) Shortly I am going to post much more interesting information on the Wifi Pineapple Mark V Standard product.
Keep visiting...



Monday 3 February 2014

eFront LMS v3.6.14 - build 18012 Multiple Vulnerabilities


eFront LMS v3.6.14 - build 18012 is vulnerable to:

1. Arbitrary File Upload & Internal Path Disclosure
2. Access to Restricted Folder (Backup)


[-] Disclosure timeline:
--------------------------------

[13/12/2013] - Vulnerabilities discovered
[13/12/2013] - Issues reported to Vendor by E-Mail
[17/12/2013] - Vendor update released [ v3.6.14.2 - build 18013 ]: http://forum.efrontlearning.net/viewtopic.php?f=15&t=8522
[18/12/2013] - Public disclosure


Details have been published on:

Hostname Resolution Burp Suite


While working on a web app pen-test, I came across a situation where the application was hosted like:

http://Public IP/ApplicationName/

After logging in to the application, a few links had the internal IP address in them,

Ex. http://Internal IP/ApplicationName/TestPage.aspx

As it was the internal IP address of the server, we needed to replace it with the public IP; only then did the link work fine.


Fortunately we can use Burp's "Hostname Resolution" feature to overcome this situation while testing web apps.

Hostname Resolution

Now every time Burp receives a request for the IP 192.168.0.155 it will simply replace it with 101.10.10.178 ;)

I know it's a simple trick, but for documentation purposes it will be here... :)