Proxychains on OSX Mountain Lion

EDITED:

The link below is not working anymore. To install Proxychains, you can install it directly using brew:

infidel:~ goo$ brew install proxychains-ng

Here is the step-by-step solution to get it working:

Set up a working directory; I'm using ~/build-temp/

infidel:~ goo$ mkdir build-temp
infidel:~ goo$ cd build-temp

Download Proxychains from here (you can use wget or the browser) and extract it:

infidel:build-temp goo$ tar xzvf proxychains-3.1.tar.gz

Download the patch file for Proxychains here (thanks to the chrootlabs guy):

infidel:build-temp goo$ wget http://chrootlabs.org/bgt/proxychains-3.1_osx.diff

Patch Proxychains:

infidel:build-temp goo$ patch -p1 <proxychains-3.1_osx.diff

Install Proxychains:

infidel:build-temp goo$ cd proxychains-3.1
infidel:proxychains-3.1 goo$ ./configure --prefix=/opt/local
infidel:proxychains-3.1 goo$ cd proxychains
infidel:proxychains goo$ make
infidel:proxychains goo$ sudo make install

Create symbolic links so it can run from anywhere:

infidel:proxychains goo$ mkdir ~/.libs
infidel:proxychains goo$ mkdir ~/.proxychains
infidel:proxychains goo$ ln -s /opt/local/lib/libproxychains.3.0.0.dylib ~/.libs/
infidel:proxychains goo$ ln -s /opt/local/etc/proxychains.conf ~/.proxychains/

Now comment out the proxy_dns option in the proxychains.conf file (it causes trouble):

infidel:proxychains goo$ sudo nano ~/.proxychains/proxychains.conf

Proxychains should work now; you can test it using lynx:

infidel:~ goo$ proxychains lynx ipchicken.com

source: http://touhou.ru/?act=showpost&pid=511

MSF PostgresQL Problem on BT5

If you are reading this post then I bet you have the same problem I had. When I tried to run msfconsole on my BT5 I got this error message:

[-] Failed to connect to the database:
could not connect to server: Connection refused
Is the server running on host "127.0.0.1" and accepting
TCP/IP connections on port 7175?

It seems that MSF could not connect to the PostgreSQL database server. I tried installing the Postgres server inside my BT5 and still had no luck. So I started searching the internet and found the solution for this problem. Here is the solution:

rm /opt/framework3/postgresql/data/postmaster.pid
rm /opt/framework3/postgresql/.s.PGSQL.7175
rm /opt/framework3/postgresql/.s.PGSQL.7175.lock
/etc/init.d/framework-postgres start
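The three rm commands above blindly delete the pid and socket files. As an added example (not from the original post), here is a small POSIX shell function that first reads the PID recorded in postmaster.pid and refuses to remove anything while that postmaster is still alive, so you only clean up genuinely stale files; the paths and port 7175 are the ones from the post and are passed in as arguments.

```shell
#!/bin/sh
# Added example, not from the original post. Removes PostgreSQL's leftover
# postmaster.pid and Unix socket files only when the postmaster that wrote
# them is no longer running.
# Usage (paths from the post):
#   clean_stale_pg /opt/framework3/postgresql/data /opt/framework3/postgresql 7175 \
#     && /etc/init.d/framework-postgres start

clean_stale_pg() {
    data_dir=$1
    sock_dir=$2
    port=$3
    pidfile="$data_dir/postmaster.pid"

    if [ ! -f "$pidfile" ]; then
        echo "no $pidfile, nothing to clean"
        return 0
    fi

    # The first line of postmaster.pid is the PID of the postmaster process.
    pid=$(head -n 1 "$pidfile")

    # kill -0 sends no signal; it only checks whether the process exists.
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
        echo "postmaster pid $pid is still alive; refusing to remove $pidfile"
        return 1
    fi

    rm -f "$pidfile" \
          "$sock_dir/.s.PGSQL.$port" \
          "$sock_dir/.s.PGSQL.$port.lock"
    echo "removed stale pid and socket files for port $port"
    return 0
}
```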

Then, try to run msfconsole again.

NOTICE:  CREATE TABLE will create implicit sequence "api_keys_id_seq" for serial column "api_keys.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "api_keys_pkey" for table "api_keys"
NOTICE:  CREATE TABLE will create implicit sequence "macros_id_seq" for serial column "macros.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "macros_pkey" for table "macros"
NOTICE:  CREATE TABLE will create implicit sequence "cred_files_id_seq" for serial column "cred_files.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "cred_files_pkey" for table "cred_files"
NOTICE:  CREATE TABLE will create implicit sequence "listeners_id_seq" for serial column "listeners.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "listeners_pkey" for table "listeners"
NOTICE:  CREATE TABLE will create implicit sequence "nexpose_consoles_id_seq" for serial column "nexpose_consoles.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "nexpose_consoles_pkey" for table "nexpose_consoles"
NOTICE:  CREATE TABLE will create implicit sequence "profiles_id_seq" for serial column "profiles.id"
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "profiles_pkey" for table "profiles"

[Metasploit ASCII art banner: METASPLOIT CYBER MISSILE COMMAND V4]

=[ metasploit v4.0.1-dev [core:4.0 api:1.0]
+ -- --=[ 732 exploits - 374 auxiliary - 82 post
+ -- --=[ 227 payloads - 27 encoders - 8 nops
=[ svn r13728 updated today (2011.09.13)

msf > quit

It will create the database structure. Run msfconsole once more to make sure that it connects to the database correctly:

[Metasploit ASCII art banner]

=[ metasploit v4.0.1-dev [core:4.0 api:1.0]
+ -- --=[ 732 exploits - 374 auxiliary - 82 post
+ -- --=[ 227 payloads - 27 encoders - 8 nops
=[ svn r13728 updated today (2011.09.13)

msf >

Nice! Good luck to you.

Useful Addresses When Dealing with ROP

I'm writing this down so I don't forget. These addresses can be looked up again, but it's nicer to have them here without having to search again, right?!

A number of addresses used for the ROP technique, as follows:

VirtualAlloc()

Simply put, the VirtualAlloc() function allocates new memory. One of the parameters of this function can give the new memory execute and read-write permissions. So the main goal with this function is to make sure the EXECUTE_READWRITE value is set correctly.

On Windows XP SP3, VirtualAlloc() is at address 0x7C809AF1 (kernel32.dll), while on Windows 7 it is at address 0x75C57A4F (kernel32.dll).

Info: http://msdn.microsoft.com/en-us/library/aa366887(VS.85).aspx

HeapCreate()

Creates a new memory heap that our shellcode can use. This function allocates a region in the virtual address space of the calling process.

This function only creates a private heap and marks it as executable. We still have to allocate memory in this heap (with HeapAlloc(), for example) and then copy the shellcode to the heap location (with memcpy(), for example).

Once the new heap memory is allocated, we can use memcpy() to copy our shellcode to the allocated heap location and run it.

On XP SP3, HeapCreate is located at 0x7C812C56, also part of kernel32.dll. On Windows 7, HeapCreate is located at 0x75C5EDFF, part of KERNELBASE.dll.

Info: http://msdn.microsoft.com/en-us/library/aa366599(VS.85).aspx

SetProcessDEPPolicy()

For this function to work properly, DEP must be set to OptIn or OptOut; if it is AlwaysOn or AlwaysOff, this technique will error out or simply not work. If the module is linked with /NXCOMPAT, the technique also fails. Likewise, it can only be used if the function has not been called before; for example, IE8 always calls this function when the application starts, so the technique cannot be used there.

The good news is that this function only needs one parameter, which makes building the ROP chain not too hard. The address of SetProcessDEPPolicy on Windows XP SP3 is 0x7C8622A4, and on Windows 7 it is 0x762B62E4; both are part of kernel32.dll.

Info: http://msdn.microsoft.com/en-us/library/bb736299(VS.85).aspx

NtSetInformationProcess()

This function will make memory executable, but it will not work if DEP is set permanently to AlwaysOn. The address on Windows XP SP3 is 0x7C90DC9E. It can only be used on Windows XP, Vista, and 2003.

Info: http://uninformed.org/index.cgi?v=2&a=4

VirtualProtect()

The VirtualProtect function changes the access protection of memory in the calling process. The memory access protection constants can be seen here. On Windows XP SP3 the address is 0x7C801AD4, while on Windows 7 it can be found at 0x75C5F306. Both are part of kernel32.dll.

WriteProcessMemory()

On Windows XP SP3, WriteProcessMemory() is located at 0x7C802213 (kernel32.dll), and on Windows 7 it is located at 0x75C744CF (kernelbase.dll). This function lets the attacker copy shellcode to another (executable) location so we can jump there and run it. While copying, the function makes sure the destination is marked as writeable.

Info: http://packetstormsecurity.org/files/view/87883/Windows-DEP-WPM.txt

(Source: corelan.be)

Backtrack 5: How to install VMware Workstation 7.1.3

So I wanted to install VMware Workstation 7.1.3 on Backtrack 5, but there are some things to do first because there were errors after I ran the binary (e.g. ./VMware-Workstation-Full-7.1.3-324285.x86_64.bundle), so here's the solution:

Prepare the Kernel

Look here: http://www.backtrack-linux.org/forums/backtrack-5-how-tos/40276-backtrack-5-how-prepare-kernel-sources-vmare-tools-drivers-etc.html

Download patch

http://communities.vmware.com/servlet/JiveServlet/download/2344-293321-1721368-58749/vmware-7.1.3-2.6.38-1-generic.patch

Patching

cd /usr/lib/vmware/modules/source
ls *.tar | xargs -n 1 tar xvf
patch -p1 < /path/to/patch/vmware-7.1.3-2.6.38-1-generic.patch
tar cf vmci.tar vmci-only
tar cf vsock.tar vsock-only
tar cf vmnet.tar vmnet-only
tar cf vmmon.tar vmmon-only
rm -rf vmci-only vsock-only vmnet-only vmmon-only

Compile Module

vmware-modconfig --console --install-all

Voila! VMware Workstation 7.1.3 is installed, and you can proceed to upgrade to the latest version. This patch applies only to VMware Workstation 7.1.3; for VMware Workstation 7.1.4 download this patch and do it the same way.


Remove Comments from Configuration

Sometimes when you want to configure something, the file contains comments from the developer which help us figure out which options or arguments will be used. But if you are already familiar with the configuration, the comments are annoying, so here is how to eliminate them (using apache2.conf as an example):

sed '1p; /^[[:blank:]]*#/d; s/[[:blank:]][[:blank:]]*#.*//' /etc/apache2/apache2.conf | more

or write it to a file:

sed '1p; /^[[:blank:]]*#/d; s/[[:blank:]][[:blank:]]*#.*//' /etc/apache2/apache2.conf > /etc/apache2/apache2.conf.nocomments

Use it with caution, always review it. You’ve been warned!
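To make the warning concrete, here is an added example (not from the original post) that wraps the sed one-liner above in a function and runs it over a constructed Apache-style snippet: the header comment survives because of 1p, whole-line and trailing comments go away, but a '#' inside a quoted directive value is also cut off, which is exactly the kind of damage you need to review for.

```shell
#!/bin/sh
# Added example, not from the original post: the post's sed one-liner wrapped
# in a function, plus a constructed sample showing where it goes wrong.

strip_comments() {
    # 1p prints line 1 before the delete rule runs, so a leading header
    # comment (or shebang) is kept. Note: if line 1 is NOT a comment it is
    # printed twice, once by 1p and once by sed's normal output.
    # /^[[:blank:]]*#/d drops whole-line comments (indented or not).
    # s/[[:blank:]][[:blank:]]*#.*// cuts a trailing " # ..." comment, but it
    # has no notion of quoting, so a '#' inside a quoted value is cut too.
    sed '1p; /^[[:blank:]]*#/d; s/[[:blank:]][[:blank:]]*#.*//' "$1"
}

# Constructed sample config; the third directive carries a '#' in a value.
sample_config() {
    cat <<'EOF'
# Main config (header comment)
ServerName example.test   # trailing comment
Header set X-Note "build #42"
    # indented comment
KeepAlive On
EOF
}
```

Diff the result against the original (diff -u original stripped) before you replace a live config with it.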

Secure Browsing with an SSH Tunnel

I use this technique when using internet access in public areas such as wireless hotspots. Yes, this time secure browsing uses an SSH tunnel. It is an interesting technique because other packets can "piggyback" on SSH, so the packets that piggyback on the SSH protocol are encrypted too (SSH is a secure protocol because every packet in transit is encrypted).

OK, enough small talk. The first thing to prepare is a server on the internet that we can SSH into (that is, one we can access remotely over SSH), for example our VPS, or maybe our own standalone server at home (using Speedy or another ISP that provides a public IP). This time I'm using a standalone server at home that is already running an SSH server. Once that's ready, the rest can be laid out step by step.

Second, SSH into our server with a command like the following:

toms@bt:~$ ssh t0m@111.222.333.444 -D 8080
t0m's password:
Linux sucks 2.6.26-2-686 #1 SMP Tue Mar 9 17:35:51 UTC 2010 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

Last login: Fri Apr 23 11:50:00 2010 from 202.134.0.61
t0m@sucks:~$

Note the SSH command I used; there is an extra -D 8080 in there. -D 8080 means opening port 8080 on the local side (localhost), so that any packet passing through port 8080 on localhost will be encrypted just like the connection to port 22 for SSH. Put simply, anything going through port 8080 on localhost "piggybacks" on port 22, which is encrypted.

Before the next step, try browsing to IP Chicken to see our current IP address, so that later we know whether this technique worked or not.

Third step, configure our browser to use a socks5 proxy pointed at 127.0.0.1 and port 8080.

OK, once that's done, browse to IP Chicken again and see the difference. If the IP address shown is our SSH server's IP, secure browsing through the SSH tunnel has been set up successfully.

This technique is very useful when we want to access websites that involve transactions with sensitive information through a browser, such as logging in to email (work/personal), logging in to social network websites like Facebook and Twitter, or making transactions on PayPal, eBay, or Amazon.

How-to: Backtrack 4 USB Persistent Changes

Here is my dirty way to make BT4 run from a USB disk instead of from the DVD.

    1. Boot Live DVD Backtrack 4
    2. Split your pendrive into 2 partitions, the 1st is for your BT4 files, and the 2nd is for your changes. I have a 4 GB pendrive, so I made 2 partitions with 1500MB for BT4 files (with FAT32 FS) and the rest of the disk space went to another partition with Ext3 FS. You can use fdisk or cfdisk to do this.
    3. Format it using mkfs:
      • mkfs.vfat -F 32 -n BT4 /dev/sdb1
      • mkfs.ext3 -b 4096 -L casper-rw /dev/sdb2
    4. Mount them:
      • mkdir /mnt/BT4
      • mount /dev/sdb1 /mnt/BT4
    5. Copy all BT4 files from mounted DVD to our new mounted partition (/mnt/BT4)
      • rsync -avh /media/cdrom/ /mnt/BT4/
    6. Install the GRUB boot loader
      • grub-install --no-floppy --root-directory=/mnt/BT4 /dev/sdb
    7. Edit the menu.lst file
      • nano /mnt/BT4/boot/grub/menu.lst
      • Start Persistent Live CD <- find this line
      • bla bla bla quiet vga=0x317 <- add vga=0x317 like this
    8. umount /mnt/BT4
    9. reboot

That's it. Can't wait for the official release ^^