Remote shell via SSH for remote pentesting

SSH is a powerful remote access tool. It has an often overlooked feature, -R (from the man pages): "Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side."

In essence this means that you can have a remote host A connecting to a host B that is controlled by you. Then from that host B you can connect through host

NetTraveler, cyber-espionage campaign

Kaspersky recently released a paper on a cyber-espionage campaign that used NetTraveler, a malicious program used for covert computer surveillance.

The document is an interesting read. Below is a summary of some of the attack vectors used with this malware. You can use this information to detect the presence of the NetTraveler malware.

NetTraveler uses a couple of C&C scripts

Two of the C&C domains, pkspring.net and yangdex.org, are sinkholed by

Manually crafted HTTP requests

If you want to mangle HTTP requests you are better off with tools like Paros or the Burp Suite. Have a look at the OWASP page for further info. However, if you would like to send them manually with telnet you can use the template below.

Warning! This template worked for me; you should adjust it for your case.

I created a small Python script, http-py, available on GitHub, to do the manual queries.

Nmap scan through TOR

TOR (https://www.torproject.org/) is a great project if you want to take care of your privacy. You can use TOR to proxy your nmap scans, making it very difficult for the scanned network to find the source.

First check that you have TOR installed. It should be listening on a local network port tcp/9050.

You also need to install a package called proxychains that will proxy all the traffic through TOR. Proxychains has its configuration file

Use Dropbox with encrypted volume for backups

I use Dropbox to have online backups of my files. Dropbox already provides a good set of protection mechanisms (two-step verification, …). If you need an additional level then Boxcryptor is worth a look.

Unfortunately Boxcryptor is not available on Linux, but it is compatible with encfs. The Boxcryptor blog has a post describing in detail how you can set up encfs on Ubuntu.

The blog post lacks some useful additional details.


Verify a network for open dns resolvers

DNS amplification attacks have become pesky (see below for pointers on these kinds of attacks). There’s an easy way to verify if there are nameservers on your network that allow recursive queries for the “world”.

Do this from a machine outside of your network (if you’d launch it from a machine inside your network, chances are high that your IP is part of an ‘allowed’ list in the NS config, thus falsifying your results).

The tool

Include an Evernote feed in your WordPress blog

I use Evernote to keep track of my ToDo’s, interesting web pages that I visited, found code snippets or some random thoughts. I have it configured in a browser on my laptop and as a separate app on my smartphone.

“Things” in Evernote are put in notebooks, and notebooks can be shared. I’ve been sharing some of my notebooks with friends and colleagues to keep track of joint projects. These shared notebooks have an RSS

Graph the first 8 bits of the IP of apache logs

Below is a PHP script that will graph the first 8 bits of the visitors’ source IP in your Apache logs. The bigger the circle, the more visitors you had. You’ll need gd support in PHP. The minimal width of the circle is set to 3, the maximum width is 85. You can run the script with

The first parameter is the log file. The second parameter is either 20x, 40x or 50x. This graphs

SANS SEC542 (Web App Penetration Testing and Ethical Hacking) cheat sheet

This week I obtained my GWAPT (GIAC Web Application Penetration Tester) certification (as a follow-up to the SEC542 Web App Penetration Testing and Ethical Hacking course I followed last May). Besides the course notes I also used my own cheat sheet below.

Tip: take a copy of the ToC of every book and put them together on one big A3; if you want to look up something in the books it helps a

Track your laptop’s IP even when it gets stolen

If you take your laptop with you when you travel it can get stolen. Often when a laptop gets stolen the thieves don’t go to the trouble of re-installing it. If you install IP-tracking software you might be able to locate its position when the thieves (or people who bought the device from the thieves) boot it. You would still have to go through the trouble of convincing law enforcement that it is your