Pure PWNAGE for less than $120.00!


 

So I’ve been reading and hearing a lot about the Pwn Pad by Pwnie Express. Security Weekly dubs this “The lean mean pentesting machine.” OK, that seems like a pretty decent thing to say about a tablet, but I didn’t exactly want to go out and spend around $1000 for the device. So I decided to download the Pwnie Express Community Edition, which comes with no support from Pwnie Express. They do, however, provide some pretty detailed instructions on how to install it on a Nexus 7.

All hardware was available on the Pwnie Express site but I was able to save even more by heading over to Newegg.

As I mentioned earlier, Pwnie Express provides some pretty decent instructions on how to install their software. However, their instructions are only for Ubuntu, and I am running OS X 10.10.3.

OK, after downloading the software I started the install. For this example I am using the following version: Pwn Pad 2013 (for the Nexus 7 2012 or 2013 tablet).

First I start by verifying the download, since it did come from SourceForge and all. 😐

In the Pwnie docs they mention installing adb with apt-get.

But I am running OS X, so I did a brew search and found fb-adb. Seeing it was from Facebook made me feel a little warm and fuzzy.

 

So I installed it.

 

Then, after just blindly running adb, I was greeted with the following message.

 

So I ran the update, and also clicked my life away through the Android SDK EULA.

Next, let’s tar out the image files.

 

NOTE: Connect Nexus 7 to host machine now.

After that, cd into the pwnie_img directory and run the following.

After that a ton of interesting things start happening. I chose option 2 because I am not running Ubuntu.

I am running the 32 GB Wi-Fi only Nexus 7.

 

Oh cool, it did a thing! Wait, it says Pwn Pad 2014?! WTF. I know I downloaded the right version.

 

I went back and checked the MD5 I had seen earlier on their page. OK, so I definitely have the right file. Just some inconsistency I guess, NBD.


It’s pretty important to read what is going on on the screen. To boot into fastboot mode, hold down power and volume. (Yep, I had to do it twice ;-))

Press enter and let it do its thing.

 

This took a little while, maybe about 15-20 minutes or so. This was taking the image and pushing it over to the Nexus 7.

I got a little confused at this point because it was just sitting there, and it also had that message a few lines up that says do not interrupt the process…

It just sat there and waited. Then I clicked reboot. It then said that I had no operating system installed. So I clicked restore, selected the image I had pushed to it, and restored that.


After that it restored the image onto the Nexus 7. This took about 10 minutes.

 

After the last reboot I was greeted with this screen.


I’ve only been using this for about half a day, but so far it’s pretty fun. I can imagine how useful this would be on a pentest. Thanks Pwnie Express for releasing the community edition software. Thanks for reading!

This is what happens when you rely on data scraped from the output.


I am testing out the latest version of Google Apps Manager, 3.42, for my personal Google Apps domain. Currently the version I have been running is 3.04, which was working just fine for what I was doing with it. But since Google changed a lot of what the admin panel can report, I figured I would check it out. I built some tools in the past to do some basic Google admin work from the command line. Read about them HERE. Every one of the tools that I put together works just fine. However, the remove-user-from-groups script always has to change. This is what happens when you rely on data scraped from the output.

I would run a script, userinfo.sh, to get the following data. Below are the differences in the output:

Output from version 3.04:

Output from version 3.42:

Previously I would have used something like this to print out the group addresses that the user belonged to.

Using GAM version 3.04 I would have done the following. The first sed command removes everything up until the word “Groups”. Then the grep -v omits the “Groups:” line itself. Then the final sed removes the first word and the angle brackets around the group’s email address. Here is an example of what I was hoping would come back.

Instead, running that same thing on the latest version of GAM gave much different results.

The actual output from running the userinfo.sh script is a little different than the older one, so that is why the current script doesn’t work. With this script it only left us with the 4 .coms and the last two lines (which were new). So after a little googling for syntax and playing around on my command line I was able to come up with this.

Again the first sed works just like the last version: it removes all data up until the word “Groups:”. Since the number next to Groups will always be different, I just used “sed 1d” to remove the first line. From there I did a grep with extended regex and invert match. Then I removed the Licenses and Google-Apps lines from the bottom of the list. Then I removed the <> from the group email addresses. Then finally I printed only the second column using awk. It’s a little hacky for sure, but should always work unless they update the output 😉

Here is the latest full script that I am using to remove groups from a user account. This will also log to the gamlog file in the directory the script is run from.
removegroups_forgam34.sh
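As an added example (not the post’s own removegroups_forgam34.sh or userinfo.sh, whose code is not on this page), here is one way to do both the 3.42 parsing described above and the remove-and-log step without depending on line counts. The sample “gam info user” output is constructed to match the layout the post describes, and the “gam update group … remove member …” syntax is an assumption to check against your GAM version.

```shell
#!/usr/bin/env bash
# Added example, not the post's removegroups_forgam34.sh. The sample "gam info
# user" output below is CONSTRUCTED to match the 3.4x layout the post describes
# ("Groups: (N)" header, "Name <address>" lines, then Licenses/Google-Apps).
set -u

SAMPLE_USERINFO='User: jdoe@example.com
First Name: Jane
Last Name: Doe
Is a Super Admin: False
Groups: (3)
  Sales Team <sales@example.com>
  All Staff <staff@example.com>
  Project X <projx@example.com>
Licenses:
  Google-Apps'

# Print one group address per line from GAM output on stdin. Instead of
# "sed 1d" plus a grep -v list of trailing lines, it collects everything
# after the "Groups:" header and stops at the next unindented section, so a
# new trailing section or a different group count does not break it.
extract_groups() {
  awk '
    /^Groups:/                       { ingroups = 1; next }
    ingroups && /^[^[:space:]]/      { ingroups = 0 }
    ingroups && match($0, /<[^>]+>/) {
      print substr($0, RSTART + 1, RLENGTH - 2)   # drop the surrounding <>
    }'
}

# Build the gam command for each group in $2 (newline-separated) that removes
# user $1. Assumed GAM 3.x syntax: gam update group <group> remove member <user>.
build_remove_commands() {
  user="$1"
  printf '%s\n' "$2" | while IFS= read -r g; do
    if [ -n "$g" ]; then printf 'gam update group %s remove member %s\n' "$g" "$user"; fi
  done
}

# Remove $1 from every group found on stdin, appending each command to ./gamlog
# (as the post's script does). DRY_RUN=1, the default, logs without running gam.
remove_from_groups() {
  groups=$(extract_groups)
  build_remove_commands "$1" "$groups" | while IFS= read -r cmd; do
    printf '%s %s\n' "$(date +%F_%T)" "$cmd" >> gamlog
    [ "${DRY_RUN:-1}" = 1 ] || $cmd
  done
}

# Usage: printf '%s\n' "$SAMPLE_USERINFO" | DRY_RUN=1 remove_from_groups jdoe@example.com
```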

 

Thanks for checking this out. I will be posting some more about Google Apps Manager 3.42 soon!

 

How About a Little Honey?


I was listening to Security Weekly episode 395, where they had Elliot Brink @ebrinkster on the show talking about the Kippo honeypot. It seemed like an interesting way to gather post-exploitation data. I am investigating this further and will post a follow-up in a month or so, after I have obtained more data from the honeypot. For now, I will go over the steps to install Kippo on your own system.

For more information on honeypots, click here.


I am running this on an Iniz VPS that I purchased for $29 for the year. The specs are as follows:

OS              = CentOS 6 32bit
Bandwidth = 500 GB
Memory     = 256 MB
HDD           = 50 GB

With the Kippo Honey Pot running, I am only using the following:

Bandwidth = 13.9 MB of 500 GB Used / 500 GB free
Memory     = 43.8 MB of 256 MB Used / 212.2 MB free
HDD           = 731.2 Mb of 50 GB Used / 49.3 GB free


As far as installation, it’s not that big of a process. The steps I took are listed below. All of the commands assume you are running as root.

Since this is a freshly installed CentOS 32-bit setup, do the following to get prepped:

Run all system updates.

Enable EPEL.

Install Git.

Install PIP and Twisted.

Since Kippo cannot run as root, create a kippo user. Then log in as the kippo user, create a git directory to sync the kippo git repo into, and finally clone the repo.

After the repo has been cloned, enter the kippo directory. Create the kippo config file by copying the kippo.cfg.dist file to kippo.cfg.

Then, edit the kippo.cfg file. There are a lot of basic settings that you can set in the config file; I only edited the hostname on line 21. I usually pick db01, but you can choose anything that seems fitting.

Start the Kippo process.

After the process has started, I normally just do a quick ps to confirm it is running. You should see something like this if it is running properly:

Test out port 2222 to make sure the SSH server is running. The default password, 123456, is the most popular password on the Adobe list.

After all that is tested and working, it’s time to set up iptables to forward the ports. Change IN_IFACE to match the Ethernet interface. I also like to restart the ssh service.

This will allow people/potential attackers to ssh to the honeypot using port 22. I use the console login option in the VPS management page. This way I can log in at the same time on another port while Kippo is running. Your setup may be a bit different in that area.

After that is all set up, go in and tail some logs.
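The post’s own command snippets did not survive on this page, so here is an added example (mine, not the post’s) of the post-install part of the procedure above: setting the fake hostname in kippo.cfg, checking the listener, and building the iptables redirect from 22 to 2222. It assumes kippo.cfg uses the “hostname = …” key from kippo.cfg.dist and the default port 2222; the config fragment is constructed.

```shell
#!/usr/bin/env bash
# Added example, not the post's own commands: the post-install part of the
# Kippo setup above: set the fake hostname in kippo.cfg, check the listener,
# and redirect real port 22 to Kippo's 2222 with iptables. Assumes the
# "hostname = ..." key from kippo.cfg.dist (check your copy) and the 2222 default.
set -u

# Constructed fragment of kippo.cfg, enough to try the edit without a real install.
SAMPLE_CFG='[honeypot]
ssh_port = 2222
hostname = nas3
log_path = log'

# Rewrite the hostname key wherever it is (not "line 21"); fail if absent so a
# mistyped key does not silently leave the stock name for attackers to spot.
set_kippo_hostname() {
  grep -q '^hostname[[:space:]]*=' "$1" || return 1
  sed "s/^hostname[[:space:]]*=.*/hostname = $2/" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print a key's value from kippo.cfg, to verify the edit took.
kippo_cfg_get() {
  sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1"
}

# Write the sample config to a temp file, set the hostname to db01, read it back.
demo_edit() {
  tmp=$(mktemp); printf '%s\n' "$SAMPLE_CFG" > "$tmp"
  set_kippo_hostname "$tmp" db01 && kippo_cfg_get "$tmp" hostname
  rm -f "$tmp"
}

# Liveness check for the honeypot listener before touching iptables.
kippo_listening() {
  ss -ltn 2>/dev/null | grep -q ":${1:-2222}[[:space:]]" ||
  netstat -ltn 2>/dev/null | grep -q ":${1:-2222}[[:space:]]"
}

# NAT rule sending inbound tcp/22 on $1 to 2222 (Kippo runs unprivileged and
# cannot bind 22). Prints the rule by default; pass 1 as $2 to apply it. Move
# the real sshd off port 22 first, or you lock yourself out (console login
# on the VPS panel is the fallback the post relies on).
forward_ssh_to_kippo() {
  rule="-t nat -A PREROUTING -i $1 -p tcp --dport 22 -j REDIRECT --to-port 2222"
  if [ "${2:-0}" = 1 ]; then iptables $rule; else printf 'iptables %s\n' "$rule"; fi
}
```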

 

I will post some of my findings in the next couple of weeks. Thanks for reading, and a big shout out to Elliot Brink @ebrinkster for all the help getting this thing setup.

 


Where I have been….


I just wanted to post an update over here; I have been gone a bit. I have been spending most of my free time trying to learn Python. I have found a few cool sites that I have been using to learn. Here they are:

A Byte of Python
Code Academy

And to me the most valuable one (in my opinion)
Learn Python The Hardway by Zed A. Shaw

I opted to pay the $29.59. It was probably one of the best 30 dollars I have ever spent in my career. With tons of tutorials and videos, Zed makes sure that you understand what you are doing. There are plenty of extra credit exercises and common student questions. I highly recommend this to anyone looking to learn Python. For me this has been the easiest to follow. I am about halfway through the class, at the part where I am to go read other people’s code. I am learning a ton doing so. I attached a sample of what I learned using Zed’s page.

Anyway, expect some more python themed posts in the near future.

Graphing the CPU Temps from Apple Servers


I was asked to figure out how to graph the CPU temperature of our Apple servers. First I started checking around for whatever I could find, maybe some pre-built templates or anything. I couldn’t really find much. I then refined my searching a bit, trying to get the info using the command line. I found there was this software called Temperature Monitor by Bresink. You can download this app HERE.

So here are the steps I took to monitor the processor temps.

1. Download Temp Monitor

2. Copy the temperaturemonitor.app to the /Applications directory on the server.

3. SSH to the server and modify the snmpd.conf file, found in the /etc/snmp/ directory. (This is similar to mine.) The Extendfix option allows me to execute the script on the machine using an unused OID. This is how I will run the script from a remote host.

4. Restart SNMP. (On a Mac mini or Xserve, or anything running the 10.8 server.app, use the method I am enclosing.)

5. You may have noticed that in step 3 I am referring to a gettemp.sh script. This file should also live in the /etc/snmp directory. Also chmod +x the file after you create it to make it executable.

6. Test it out on the machine.

7. Test it out remotely using another script I wrote, get_temps.sh. (I am clearly poor at naming things.)

8. Enter the data into Cacti.  (I may post another tutorial on how I did that.)

9. Watch the graphs!
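Since the post’s gettemp.sh and get_temps.sh are not on this page, here is an added example (mine, not the post’s) of the remote half of steps 3-7: walking the net-snmp extend table that snmpd exposes for the script and turning the lines into the “name:value” pairs Cacti’s script input expects. It assumes the extend entry is registered under the name “temps” and that gettemp.sh prints one “sensor: celsius” line per core; the snmpwalk output is constructed.

```shell
#!/usr/bin/env bash
# Added example, not the post's get_temps.sh or gettemp.sh: the remote half of
# the SNMP extend setup in steps 3-7. Assumes the snmpd.conf line on the Mac
# registers the script under the name "temps" (my choice, not the post's):
#   extend temps /etc/snmp/gettemp.sh
# and that gettemp.sh prints one "sensor name: celsius" line per core.
set -u

# CONSTRUCTED snmpwalk output for NET-SNMP-EXTEND-MIB::nsExtendOutLine."temps";
# the third sensor shows what a reading the script could not take looks like.
SAMPLE_WALK='NET-SNMP-EXTEND-MIB::nsExtendOutLine."temps".1 = STRING: CPU Core 1: 47.2
NET-SNMP-EXTEND-MIB::nsExtendOutLine."temps".2 = STRING: CPU Core 2: 45.9
NET-SNMP-EXTEND-MIB::nsExtendOutLine."temps".3 = STRING: CPU Core 3: n/a'

# Walk the extend table on host $1 with community $2; both are arguments so the
# read-only community string is not hard-coded into a script that gets copied around.
walk_temps() {
  snmpwalk -v2c -c "$2" "$1" 'NET-SNMP-EXTEND-MIB::nsExtendOutLine."temps"'
}

# Reduce walk lines to the single "name:value name:value" line Cacti's script
# input expects, lower-casing names to field-safe form ("CPU Core 1" -> cpucore1).
# Non-numeric readings are dropped rather than graphed as 0, which would look
# like a sudden cooling event on the chart.
parse_temps() {
  sed -n 's/.*STRING: //p' |
  awk -F': ' '
    $2 ~ /^[0-9]+(\.[0-9]+)?$/ {
      n = tolower($1); gsub(/[^a-z0-9]/, "", n)
      printf "%s%s:%s", sep, n, $2; sep = " "
    }
    END { if (sep != "") print "" }'
}

# Usage from the Cacti poller: walk_temps mini01.example.com public | parse_temps
```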


There wasn’t much involved in doing this. Just a little bit of shell scripting and working out how to use tempmonitor.app on the command line. I am almost certain there is a better way to do this. But in the time frame I was given to complete the job, this seemed to be the best fit for what we needed to get done.


Thanks for reading this, comment if you have any questions or comments.

Google 2 Factor Authentication Detection Script for Google Apps Manager


Welcome back! Well, if you are running Google Apps for Business then you should be using Google Apps Manager to admin it. Google offers a .CSV file in the admin panel to give you all the info about your users. In this .CSV you can see whether the user(s) on your domain are enrolled in 2-factor authentication. The latest release of Google Apps Manager, 3.0, lets you open that .CSV. Assuming you want to know if your users have enrolled in 2FA on their mail account, you can run the following script in your gam directory.

Gmail_2faReport.sh

When you run this, it will generate a report with the following fields: Email Address, 2fa Enforced, 2fa Enrolled. With this you can tell if you have 2FA enforced over the network, as well as if the user has it enabled. This can be really useful if you are trying to lock down your Google Apps for Business domain.

Thanks for stopping by!

Google Apps Manager – And How I Use It.


Google Apps Manager (GAM) is a nice tool that hooks into Google Apps for Business. It can do a ton of useful things. Google Apps Manager

Google Apps Manager (GAM) is a command line tool that allows administrators to manage many aspects of their Google Apps Account. This page provides simple instructions for downloading, installing and starting to use GAM. GAM requires Google Apps Business, Education, Partner or Government Edition. Google Apps Free Edition has limited API support and not all GAM commands work. Read more about it here. Getting Started With GAM

The main thing I use GAM for is exiting users when their position is terminated. I use commands like the following (from the gam directory):
Get user info

Get group info 

Remove user from groups (difficult manually if in a lot of groups)

Suspend user 

This app has a lot of other features. The commands listed above are great if you only want to run them once.

I had help from some friends with writing these wrappers, but I was able to write one for each of the commands listed.

These wrappers make it really simple to run the GAM commands.

I will post some of the wrappers I have done. They are pretty easy and should start making sense once you see one or two of them.

These were written for GAM 2.55. The removegroups.sh will NOT work on version 3.0x. I am working to fix this for the latest version.

userinfo.sh

groupinfo.sh

removegroups.sh 

suspenduser.sh

 

UPDATED Functionality for Google Apps Manager 3.0 09/03/2013

removegroups_gam3.sh


Here is my GAM Github Repo

Stay Classy!
