Mar 10, 2012

Install Vanguard - Web Penetration Testing Tools

1. Install perl
- apt-get install perl

2. Install the Net::SSLeay library
- perl -MCPAN -e shell
CPAN> install Net::SSLeay

3. Install the Clone and YAML Perl libraries
- apt-get install libconfig-yaml-perl libclone-perl

4. Download Vanguard
- cd /opt/
- wget
- tar xzvf vanguard-public.tgz

5. Try to run it :)

If you want to see all the configuration options of Vanguard, try to

Have a nice week end :)

If you like my blog, Please Donate Me

KARMA on the Fon and Sniffing Wireless Network Traffic with Ubuntu – Step by Step

This is the old post but still working :)

KARMA is an application that transforms the right wireless NIC into the ultimate Access Point. Unlike a regular AP, which advertises its SSID to whoever wants to connect to it, the KARMA enabled AP passively listens to any client wireless requests and then responds to it with the SSID that it probed for and thus impersonating virtually any Access Point. In short, it presents itself to each client as whatever the client wants it to be and allows it to establish a connection. So it can be “Linksys” to one computer, “MyHome” to another and completely different to someone else.
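What makes this behaviour detectable from the defender's side is exactly what the paragraph describes: one transmitter (BSSID) answers different clients with different SSIDs, each echoing what that client probed for. The following is an added example, not code from the original post or the KARMA project; the frame records, field names and MAC addresses are constructed for illustration.

```python
"""Flag KARMA-style access points from 802.11 probe request/response traffic.

Added example (not from the original post). A KARMA AP answers a directed
probe request with a probe response carrying whatever SSID the client asked
for, so a single BSSID ends up "serving" many unrelated SSIDs. A legitimate
AP answers only for the SSIDs it really has. Frames are modelled as small
dicts (constructed sample data below); a monitor-mode capture would supply
the same four fields.
"""
from collections import defaultdict

PROBE_REQ = "probe_req"
PROBE_RESP = "probe_resp"


def find_karma_candidates(frames, min_distinct_ssids=3):
    """Return {bssid: sorted SSID list} for every AP that sent probe responses
    for at least `min_distinct_ssids` different SSIDs, counting only responses
    whose SSID the destination client had previously asked for (the KARMA
    echo pattern), so an AP that simply beacons many networks is not flagged."""
    requested = defaultdict(set)   # client MAC -> SSIDs it probed for
    mirrored = defaultdict(set)    # AP BSSID -> SSIDs it echoed back
    for f in frames:
        if f["type"] == PROBE_REQ and f["ssid"]:      # ignore broadcast probes
            requested[f["src"]].add(f["ssid"])
        elif f["type"] == PROBE_RESP and f["ssid"] in requested[f["dst"]]:
            mirrored[f["src"]].add(f["ssid"])
    return {bssid: sorted(ssids) for bssid, ssids in mirrored.items()
            if len(ssids) >= min_distinct_ssids}


# Constructed sample capture: three clients probing for three different
# networks, one legitimate AP and one AP that echoes every request.
SAMPLE_FRAMES = [
    {"type": PROBE_REQ, "src": "00:11:22:33:44:01", "dst": "ff:ff:ff:ff:ff:ff", "ssid": "Linksys"},
    {"type": PROBE_REQ, "src": "00:11:22:33:44:02", "dst": "ff:ff:ff:ff:ff:ff", "ssid": "MyHome"},
    {"type": PROBE_REQ, "src": "00:11:22:33:44:03", "dst": "ff:ff:ff:ff:ff:ff", "ssid": "CoffeeShop"},
    {"type": PROBE_REQ, "src": "00:11:22:33:44:04", "dst": "ff:ff:ff:ff:ff:ff", "ssid": ""},
    # legitimate AP: answers with the one network it actually serves
    {"type": PROBE_RESP, "src": "aa:bb:cc:00:00:01", "dst": "00:11:22:33:44:04", "ssid": "HomeNet"},
    # KARMA-style AP: same BSSID, a different SSID for every client
    {"type": PROBE_RESP, "src": "de:ad:be:ef:00:01", "dst": "00:11:22:33:44:01", "ssid": "Linksys"},
    {"type": PROBE_RESP, "src": "de:ad:be:ef:00:01", "dst": "00:11:22:33:44:02", "ssid": "MyHome"},
    {"type": PROBE_RESP, "src": "de:ad:be:ef:00:01", "dst": "00:11:22:33:44:03", "ssid": "CoffeeShop"},
]

if __name__ == "__main__":
    for bssid, ssids in find_karma_candidates(SAMPLE_FRAMES).items():
        print(f"{bssid} answered probes for {len(ssids)} SSIDs: {', '.join(ssids)}")
```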
In order to run KARMA, you need a wireless card with the appropriate chipset, which supports the MadWifi drivers. As a general rule the Atheros based chipset are compatible with MadWifi, but you can check the complete list with the supported hardware just in case before you buy anything.
MadWifi drivers and KARMA are included in the BT3 Linux distribution and that makes it real easy to turn your laptop into the perfect Access Point. Just boot into BT3 from a CD or a USB thumb drive.
KARMA also simulates different services like FTP and DNS so that you can temporarily trick the wireless clients that they are getting somewhere, just like a “honey pot”. Although this is a lot of fun, a lot more exciting is when you reroute them out to the internet so that they can browse just like they expected and at the same time you can examine their network traffic without them even suspecting anything.
In this case it is best to install KARMA on a router. Just make sure it has the right wireless chipset, then blow out the firmware it came with and install DD-WRT, OpenWRT, Tomato or any of the sort, then put KARMA on it and you are good to go. There is a very neat project started by Darren Kitchen and the folks at HAK5, called Jasager. They installed KARMA on a fon router and created a quick web front end to it. In HAK5's episode #412 Darren demonstrates network sniffing and session hijacking of the wireless clients connected to Jasager from Windows.
The fon router is relatively quite small and very appropriate for this purpose. So I bought a fonera router myself, put OpenWRT and KARMA on it and continued from there. Check out Darren Kitchen’s step by step process of how to accomplish this.
Let's look at how the network setup will theoretically work. We need to reroute the network traffic from the fon router to the internet and have a packet sniffer like Wireshark in the middle. For this I need to set up a simple gateway on my Ubuntu laptop that will sit between the fon router and the Internet. I also have to set up a DHCP server to assign IP addresses to all the wireless clients as they connect to my AP. In this case I will connect the fon router to my Ethernet jack and I will use the wireless NIC on my laptop to connect it to my home router, which gives me the Internet access. Here is a simple diagram of how this will look:
Network Diagram
Step 1. Install the DHCP server and the front end to it for easy configuration:
sudo apt-get install dhcp3-server
sudo apt-get install gadmin-dhcpd

The first command above will install the dhcp server and after it finishes it will try to start it and will give you a message that it failed to do so. This is normal, since you have not configured it yet, so just ignore it for now and execute the second command. We will configure it in Step 3.
Step 2. Install a front end graphics tool to set up the gateway:
sudo apt-get install firestarter
Step 3. Configure the DHCP server.
We need to keep the 2 NICs on different networks. In my case the Ethernet card that will be connected to the fon router will be on the network and the wireless NIC that is connected to my home router and then to the Internet is on the network.
Start the GADMIN-DHCPD: System Tools -> GADMIN-DHCPD.
Under “Scope settings” put in the network interface name (in my case it is eth0). You can find out all the interfaces on your computer by running the ifconfig command. Then put in for a “Network address” and finally for the “Subnet mask”. Now click the “Apply” button. You also need to specify the range of IP addresses that the DHCP server can use. So under “Shared IP-addresses ranges” put “Range from: to:”. Then click the “Add” button:
DHCP server configuration
Step 4. Before we can configure our wired interface, we need to give the fon router a static IP address and a DHCP server IP. Connect your fon router to your Ethernet port and power it on. Now open your browser and connect to the webif interface of the router. In my case it is (refer to Darren Kitchen’s tutorial if needed). Go to the “Network” tab and change the connection type to DHCP, leave the “Type” at “Bridged” and put in the IP address of and the Subnet mask of Click “Save Changes” and then “Apply Changes” in the bottom right corner of the page. And finally, in the “Connection Type” drop-down go back to Static IP and make sure that the new settings are retained:

Webif Interface
At this point you can power off the fon router for now. The next step is to give static IP settings to the wired NIC in order to put it on the same network as the fon router. The network in this case.
Step 5. Configure the Ethernet NIC that the fon router is connected to:
Go to System -> Preferences -> Network Configuration, or right-click on the network icon on your menu bar and select Edit Connections:
Wired NIC Configuration
Then under the “Wired” tab select your interface and hit “Edit”. Then hit the IPv4 tab, select “Manual” from the “Method” dropdown. Hit the “Add” button and put for the IP address, for the Netmask and leave the Gateway blank. You need to also specify a DNS server. There are a hundred different ways you can find your DNS server but the easiest in Linux would be to look at the /etc/resolv.conf file. So, execute the command more /etc/resolv.conf and use that IP address as your DNS server. In my case, the DNS server for my laptop is my router at IP address (you can also use your ISP’s DNS server). In any case, keep in mind that if you take your laptop somewhere else (for example your local coffee shop) the DNS server will change. After you are done, hit “OK”:
Wired NIC Configuration
Now the wired interface is configured to the network, the DHCPD settings have the same network and interface, and the fon router is also configured on the same network.
Step 6. Power up the fon router. Now you should be able to connect to it on IP address Open up your browser and this time connect to the “Jasager” page. Enter The Jasager page should come up:
Step 7. Configure the gateway.
The only thing that is left is to configure the gateway so that we can forward the traffic from the wired NIC to the other interface pointing out to the Internet (the wireless NIC in this case, which is connected to the home router and then out to the Internet). Linux has this built into the kernel and we can set all this up using the command line to do the so called “masquerading”, but it is much easier to use a GUI tool that we installed in Step 2.
Fire up Firestarter: go to Internet -> Firestarter.
First it will ask you to specify your Internet connected device. In this case it is my laptop’s wireless interface, so I chose “wlan0” from the dropdown. Click “Forward” and in the next screen specify your wired Ethernet interface (in this case eth0), then select the checkbox named “Enable Internet connection sharing”:
Firestarter LAN Device
Next click “Forward” again, and finally click “Save”. This will start the gateway. You should see something like this (only without the vmnet interfaces, those are there because I have VMWare server installed on this machine):
Firestarter Running
Now enable the DHCP. Click on the “Preferences” button in the above screen. Go to “Network Settings” and select the checkbox “Enable DHCP for the local network” and hit “Accept”:
Firestarter Preferences
At this point you can test whether your router can find its way to the Internet through your gateway. Just start a terminal session. Type ssh root@ and enter your password when prompted. After you log in, just ping any Internet site, like ping, and you should be getting responses back:
$ ssh root@
root@'s password:
BusyBox v1.4.2 (2007-09-29 07:21:40 CEST) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 KAMIKAZE (7.09) -----------------------------------
  * 10 oz Vodka       Shake well with ice and strain
  * 10 oz Triple sec  mixture into 10 shot glasses.
  * 10 oz lime juice  Salute!
root@net1:~# ping
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=48 time=85.0 ms
64 bytes from icmp_seq=1 ttl=48 time=84.3 ms
64 bytes from icmp_seq=2 ttl=48 time=86.3 ms
--- ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 84.3/85.2/86.3 ms
This means that your network settings are correct.
Step 8. Enable KARMA and start Wireshark.
Go back to the Jasager screen you opened in your browser in Step 6 and hit the “Change” button next to “Karma is currently: Off” to start KARMA:
Jasager- KARMA is On
The last thing is to fire up Wireshark and start the capture on the eth0 interface. Now you will be able to see all the traffic of anyone connected to your fon router.



nmap and another program via tor tunnel by darryn van tonder

This post is just a summary of the Source. If you want to see all the details or how to test it, please go to the Source.

1. Install tor
- apt-get install tor tor-geoipdb proxychains
- vi /etc/tor/torrc 
add the "SocksPolicy accept" line to the file.

2. Install tortunnel
- apt-get install libboost-system1.40-dev libssl-dev
-  cd /opt/
- wget
-  tar xvzf tortunnel-0.2.tar.gz
- cd tortunnel-0.2/
- ./configure
- make
- make install

3. Edit the proxychains configuration to work with tortunnel
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks4 9050
socks5 9050

4. Find a tor exit node that supports nmap
-  curl | grep --before-context=1 'Exit Fast Running V2Dir Valid' | awk '{ print $7 }' | sed '/^$/d'

5. Use torproxy to choose the tor node
- torproxy tornode-ip

6. Use nmap command with proxychains
- nmap -Pn -sT -p 80,443,21,22,23
** Use -Pn (to skip host discovery) and -sT (full connect() scan) to ensure that all packets go through the Tor network, so your own IP is not disclosed.
All done :) You're an anonymous user now :)


Mar 9, 2012

Interesting Vulnerability (2012-03-09)

# Exploit Title: Microsoft Cross Site Scripting Vulnerability
# Date: 08/03/2012 - 06:21pm
# Author: Ryuzaki Lawlet
# Tested On: WinXP, Win 7
# Platform: -


[$] Preview Sites:







Barracuda WAF 660 v7.6.0.028 - Cross Site Vulnerability




The Barracuda Web Application Firewall provides superior protection against hackers’ attempts to exploit vulnerabilities
in Web sites or Web applications to steal data, cause denial of service or deface Web sites. By integrating application
delivery capabilities, the Barracuda Web Application Firewall is an affordable and comprehensive application firewall
that can secure Web applications, as well as increase their performance and availability.

- Protection against common attacks
- Outbound data theft protection
- Web site cloaking
- Granular policies
- Secure HTTP traffic
- SSL Offloading
- SSL Acceleration
- Load Balancing

The Barracuda Web Application Firewall is a complete and powerful security solution for Web applications and Web sites. The
Barracuda Web Application Firewall provides award-winning protection against hackers leveraging protocol or application
vulnerabilities to instigate data theft, denial of service or defacement of your Web site.

(Copy of the vendor Homepage: )

Vulnerability-Lab Team discovered a non-persistent Cross Site Scripting Vulnerability in Barracuda's Web Application Firewall 660 v7.6.0.028.

2012-02-16:  Vendor Notification
2012-02-19:  Vendor Response/Feedback
2012-03-05:  Vendor Fix/Patch
2012-03-07:  Public or Non-Public Disclosure


Affected Products:
Barracuda Networks
Product: Barracuda Web Application Firewall 660 v7.6.0.028



A client-side cross site scripting vulnerability is detected in Barracuda's Web Application Firewall 660 v7.6.0.028.
The vulnerability allows a remote attacker to hijack customer/moderator/admin sessions with medium required user
interaction. Successful exploitation can result in account theft or client-side context manipulation when processing
firewall module application requests.

Vulnerable Module(s):
            [+] sessions_by_user&filter=[x]


The security risk of the non-persistent (client side) cross site scripting vulnerability is estimated as low(+).

Vulnerability Research Laboratory - Benjamin Kunz Mejri (Rem0ve)

The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability-Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab or its suppliers.

                Copyright © 2012|Vulnerability-Lab

Website: ; or
Contact: or


Mar 7, 2012

Test IDS By

If you want the full detail, please go to the Source.

Testing IDS


The objective of this laboratory test scenario is to create a solution and instructions for testing an IDS system's usefulness in detecting attacks against a WordPress site, and in addition a repeatable process to evaluate vendor claims for whatever passive IDS system is delivered, whether as a VM or as a dedicated box. Creating the IDS system itself is out of scope.
The process must be detailed enough so that somebody else can get the same results when applying that. The “other person” is expected to have IT knowledge sufficient to install and run a Linux desktop.
Budget requirements: Modest – 2 machines + a tester (Joe) + networking equipment to connect the two machines and an IDS together.
The process must test at least the following attacks:

  • Port scan
  • SYN flood
  • “Regular” DoS overwhelming attack (Ab)
Optionally the process may test:
  • slowloris/pyloris
  • Apache Range header DoS vulnerability
  • An attack targeting any other fairly recent (not older than 3-4 years) known vulnerability that could in theory apply to the target system (wordpress server)
However, the competition rules are: the highest number of attacks evaluated wins. Limits:
  • Each attack must be relevant, e.g. if it attacks IIS it is NOT relevant. If it attacks Windows RPC it is not relevant. If it attacks some other CMS, e.g. Drupal, it is NOT relevant.
  • Basically equivalent attacks count as one (different port scanners, for example).
  • You must be able to explain in broad terms what the attack does, e.g. "attacks vulnerability #X in the Apache server". If the number of attacks is equal.
Lab instructions:
Install 3 VMs: Attacker, IDS and Target

  1. Make sure all VMs have two network adapters: NAT and Host-Only.
  2. Install Snort and its GUI, called “acidbase”, on IDS.
  3. Install Apache, MySQL and WordPress on Target.
  4. Execute an attack from Attacker towards the Target's IP address on the Host-Only network.
  5. Take notice of the results displayed on Acid console.
  6. Reset counters, move on to next attack
Additionally, Illustration 1 gives an overview of the above scenario.
Illustration 1: Lab 5 Illustration of Scenario
The report first covers the setup procedure of Snort, secondly the available proposals, and thirdly the results and the functionality of the proposals. Finally, this laboratory report closes with a conclusion. In addition, the appendixes contain the configuration of the VMs (virtual machines).


To set up Snort correctly so that it works on the second, host-only network, please follow the instruction link provided, which has a full description and configuration of Snort [SNORT2].
After completing the setup and configuration, run Snort on the second interface with the following command:

snort -c /etc/snort/snort.conf -i eth1


There are three proposals in total; each one is described in the next sub-sections.


Full instructions
1. Set up IDS (Snort) and WordPress on the first PC
2. Install Ubuntu Server on the second PC. Then install all the attacking tools there:

sudo sh
After that you should have:
 – DoS attack script – uses ab to generate a traffic flood
 – Apachekiller attack script. More info:
README.txt – extra instructions
 - Port scanning script - uses nmap
 - Slowloris attack script. More info:
 - SYN flood attack script - uses hping3
3. Start your IDS/wordpress server and the server with attack tools.
4. Run each attack tool ONE AT A TIME (targeting the wordpress/IDS server, of course). Monitor the logs/notifications on your IDS system (Snort) and check whether the WordPress site is still accessible.
Let each attack tool run for 2 minutes, then stop the attack by pressing CTRL+C in the terminal window where the attack tool is running. The only exception is the port scan; it is better to wait until it finishes.
After each attack save the IDS log and wait at least 5 minutes before trying the next tool (to give the server time to recover). Best practice is to manually check that the server load is back to normal (one can use htop for that).

a) To run the DoS attack:
eg sh
b) For port scan:
{target IP}
eg sh
c) For Syn flood (with hping3)
sh {target}
d) For the Slowloris attack:
perl -dns {target}
eg perl -dns
e) For Apachekiller attack:
{target IP}
eg perl
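The procedure above saves the IDS log after each timed attack; turning those saved logs into a per-attack detection score is what makes the results comparable across IDS setups. Here is an added example of that scoring step, not code from the original lab write-up: it parses Snort's "fast" alert format and counts alerts per attack window. The log lines, rule SIDs, addresses and time windows are constructed sample data.

```python
"""Score an IDS test run from Snort "fast"-format alert output.

Added example, not part of the original lab write-up. Given the alert log
saved after the attacks and the time window in which each attack ran, it
reports how many alerts (and which signatures) each attack produced, so
attacks the ruleset missed stand out. Sample log lines are constructed.
"""
import re
from collections import Counter

# Snort fast alert line: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: n] {PROTO} src:port -> dst:port   (Classification/Priority are optional)
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s*"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s*)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s*)?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_alerts(text):
    """Parse fast-format alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def score_attacks(alerts, windows):
    """windows: (attack_name, start, end) with timestamps in the zero-padded
    MM/DD-HH:MM:SS form Snort writes, so plain string comparison orders them
    (the lab runs within one day, so the missing year does not matter).
    Returns {attack: {"alerts": count, "sigs": Counter of alert messages}}."""
    scores = {}
    for name, start, end in windows:
        hits = [a for a in alerts if start <= a["ts"] <= end]
        scores[name] = {"alerts": len(hits), "sigs": Counter(a["msg"] for a in hits)}
    return scores


def missed(scores):
    """Names of attacks that produced no alert at all."""
    return sorted(name for name, s in scores.items() if s["alerts"] == 0)


# Constructed sample: a saved alert file covering three timed attacks.
SAMPLE_LOG = """\
03/07-14:01:12.304511  [**] [1:1000001:1] SCAN nmap TCP connect [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.56.101:41234 -> 192.168.56.10:22
03/07-14:01:13.918244  [**] [1:1000001:1] SCAN nmap TCP connect [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.56.101:41235 -> 192.168.56.10:80
03/07-14:10:40.002118  [**] [1:1000002:1] DOS possible SYN flood [**] [Priority: 2] {TCP} 192.168.56.101:1025 -> 192.168.56.10:80
this line is not an alert and is skipped
"""

# Constructed attack schedule: when each tool was started and stopped.
WINDOWS = [
    ("port scan", "03/07-14:00:00", "03/07-14:05:00"),
    ("syn flood", "03/07-14:10:00", "03/07-14:12:00"),
    ("slowloris", "03/07-14:20:00", "03/07-14:22:00"),
]

if __name__ == "__main__":
    scores = score_attacks(parse_alerts(SAMPLE_LOG), WINDOWS)
    for name, s in scores.items():
        print(f"{name:10s} alerts={s['alerts']} sigs={dict(s['sigs'])}")
    print("missed by the IDS:", missed(scores))
```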



For this scenario we need to run several different attacks and scans to be able to compare the results with different IDS setups and rulesets. We might also want to test it with legitimate traffic to see that we don't get false positives in our alarms. We don't have that many legitimate traffic possibilities with 1 blog on our servers right now, but once we start tweaking the IDS, false positives become an important metric and we might want to test normal usage and record traffic to run with tcpreplay, for example. My proposal is to test the IDS with pytbull running on BackTrack. Pytbull is an IDS testing framework and BackTrack is a Linux distribution.
I will assume that we have a WordPress server with a default Snort setup running on it and working. No extensive testing has been done with different Snort setups, so we might have to tune the methods, but the basic things should be covered.

Download and install BackTrack
Install it rather than running a live version for this scenario. Boot it in default mode, start the GUI and launch the installation from the desktop. The default login is root / toor. The standard setup comes with pytbull and several pieces of software the IDS test system depends on, like nmap, hping3, nikto and others.

Setup connections

Connect the machines and install FTP and SSH on the server. We need FTP to fetch the Snort alert files and SSH as a service to run attacks against.
apt-get install vsftpd openssh-server

Setup pytbull

You will find pytbull under /pentest/enumeration/ids/pytbull/, or via Applications > BackTrack > Information Gathering > Network Analysis > IDS IPS Identification > pytbull when using the GUI. Change the configuration file values to the correct connection information, user credentials and locations of dependencies. Here you also select which of the 9 available test modules you want to run. ClientSideAttacks needs extra configuration.
cd /pentest/enumeration/ids/pytbull/
gedit config.cfg
Example conf file:
Now get the custom DoS module to have the hping SYN flood and ApacheBench DoS tests covered.
cd modules
You may want to refer to the pytbull documentation.


/pentest/enumeration/ids/pytbull/pytbull -t <WP/Snort server IP>
If everything works you will find an HTML report file under /reports. If you have problems, add -d to the run for debugging.

(optional) Slowloris

To have a Slowloris attack test for pytbull we need a custom slowloris that allows setting how many packets to send, because we don't want the tests to run forever. I added an argument s that tells the script to stop after s packets have been sent.
cd /pentest/stressing
The Slowloris attack has been written into the DoS module; you have to uncomment it (lines 47-52).
gedit /pentest/enumeration/ids/pytbull/modules/


For this proposal I suggest using the open source tool OpenVAS for vulnerability scanning to test our IDS system. It integrates many security tools. The security and analysis tools are: Nikto, nmap, ike-scan, snmpwalk, amap, ldapsearch, SLAD (John-the-Ripper, Chkrootkit, LSOF, ClamAV, Tripwire, TIGER, logwatch, trapwatch, lm-sensors, snort and ovaldi), pnscan, portbunny, strobe, w3af, etc.
Installation instructions follow; for more information please refer to

Step 1: Configure OBS Repository

sudo apt-get -y install python-software-properties
sudo add-apt-repository "deb ./"
sudo apt-key adv --keyserver hkp:// --recv-keys BED1E87979EAFD54
sudo apt-get update

Step 2: Quick-Install OpenVAS

sudo apt-get -y install greenbone-security-assistant gsd openvas-cli openvas-manager openvas-scanner \
 openvas-administrator sqlite3 xsltproc

Step 3: Quick-Start OpenVAS

(copy and paste whole block, during first time you will be asked to set a password for user “admin”)
test -e /var/lib/openvas/CA/cacert.pem || sudo openvas-mkcert -q
sudo openvas-nvt-sync
test -e /var/lib/openvas/users/om || sudo openvas-mkcert-client -n om -i
sudo /etc/init.d/openvas-manager stop
sudo /etc/init.d/openvas-scanner stop
sudo openvassd
sudo openvasmd --migrate
sudo openvasmd --rebuild
sudo killall openvassd
sleep 15
sudo /etc/init.d/openvas-scanner start
sudo /etc/init.d/openvas-manager start
sudo /etc/init.d/openvas-administrator restart
sudo /etc/init.d/greenbone-security-assistant restart
test -e /var/lib/openvas/users/admin || sudo openvasad -c \
 add_user -n admin -r Admin

Step 4: Log into OpenVAS as “admin”

Open https://localhost:9392/ or start “gsd” on a command line as a regular user (not as root!).
Optionally we can also use the Slowloris and Pyloris DoS attacks.
Download link for Slowloris is:
The above solution and tool will help us check and test our IDS system's usefulness. It tests the following attacks: port scan, SYN flood, DoS, etc. The results are presented in a GUI. For more info about the project please refer to

