Ratproxy on Cygwin

I have used Michal Zalewski's Ratproxy on Google code. I like it a lot. But I also like to have it on Windows. But it seems that the makefile that comes with ratproxy is not really compatible with cygwin.
If you have the gcc, make, openssl, openssl-dev packages installed on cygwin, all you need to do is remove the -Wno-pointer flag from the CFLAGS entry from the Makefile.
So my Makefile's CFLAGS line looks like:

CFLAGS  = -Wall -O3 -D_GNU_SOURCE

I also replaced $(CC) with gcc just because I felt like it. :-)
Compile it with make command.
Do not forget to dos2unix the ratproxy-report.sh otherwise you will get some errors with '\r' and some other random stuff when you run the report generator shell scripts.
Run ratproxy as :
c:\tools\ratproxy>ratproxy.exe -p 8000 -v c:\testdir -w ratlog -d example.com -extifscfjmXCk
Once you have the log to generate a nice looking pretty report:
bash$ ./ratproxy-report.sh ratlog >reportname.html

Using awk with bash variables

I wanted to use variables in a bash script's for loop inside awk's print statement.
Here's an easy way to do it - enclose the bash variable within "'"

Here's a sample scripts to take a list of IPs and do a DNS lookup and generate a CSV:

for ip in `cat ips.txt`
do
  host $ip|grep -v NXDOMAIN|sed 's/\.$//g'|awk '{print "'"$ip"'"","$NF}'
done

Amazon's Mechanical Turk

Yesterday, while searching for Web Services on the Internet I came across an old, popular web service called "Amazon's mechanical turk" based on the mechanical turk trick from old magic days.
The gist is, you ("The requestor") put in a HIT (Human Interaction Task) in amazon's lingo so that some one on the Internet can solve it for you ("the worker"). Most of what I saw on the website seemed like random tasks being used by researchers, online yellowpages-like directories, marketing, classification of goods, etc.
What might also be an interesting application, and I'm sure it's probably being used for is, captcha-solving for spammers.
Also, the Amazon Mechanical Turk terms of service don't help and say the following (verbatim):
Amazon Mechanical Turk provides a venue for third-party Requesters and third-party Providers to enter into and complete transactions. Amazon Mechanical Turk and its Affiliates are not involved in the transactions between Requesters and Providers. As a result, we have no control over the quality, safety or legality of the Services, the ability of Providers to provide the Services to Requesters' satisfaction, or the ability of Requesters to pay for Services. We are not responsible for the actions of any Requester or Provider. We do not conduct any screening or other verification with respect to Requesters or Providers, nor do we provide any recommendations. As a Requester or a Provider, you use the Site at your own risk.

Given this, and the rates prevalent (about a penny or so per task), I think spammers might have a free-run on this service. Of course, amazon has a conveniently available web service available at http://mechanicalturk.amazonaws.com/AWSMechanicalTurk/AWSMechanicalTurkRequester.wsdl.
Now, the key question is, suppose a spammer uses this service, who's to blame...I wouldn't imagine the solvers know what the intent of the act is, amazon (possibly) can't be liable because the ToS is required to be accepted before use, and since the requestor is somewhere on the Internet, he/she possibly can't be traced.
Of course, I'm not saying that Mechanical Turk is all bad, but like all walks of life there's a positive or a negative use to everything.
As someone once said: "Every tool is a weapon if you hold it right"!

Pass the hash

In a pen test, it's always the race to the finish. Either you get to the domain admin or r00t or you die tryin'! :-) But thanks to some real l33t fu by Hernan Ochoa this has only been made easy for you.
The key to pass-the-hash attacks is that Windows NTLM authentication relies on the passing of the right hash to identify you. As long as the right hash is stored in the authenticated session you are who you say you are.
Hernan Ochoa's Pass-the-hash toolkit (http://oss.coresecurity.com/projects/pshtoolkit.htm) is precisely the tool for that. Once you gain local admin rights on a box, just run the whosthere.exe utility on the box. Mind you, in differing versions of Windows you need some right addresses to pass as parameters. So the first thing to do is goto C:\WINDOWS\system32 and copy the lsasrv.dll file onto your local machine. The pass-the-hash src tar ball, has an IDA Pro script passthehash.idc that you need to run after opening the file in IDA Pro. This will give you the right addresses to pass to whosthere.exe:
whosthere.exe -a -o outputfile.txt

Once you have the hash you could either use iam.exe or winexe (http://eol.ovh.org/winexe/) with pass-the-hash patch from jo-mo-kun (http://www.foofus.net/jmk/tools/winexe), or samba with jomo kun's pass the hash patch.
Just set the Environment variable SMBHASH to the hash value such as

export SMBHASH="92D887C9910492C3254E2DF489A880E4:7A2EDE4F51B94203984C6BA21239CF63"

Then run winexe as

./winexe -U "Domain\\Username" //192.168.0.1 "cmd.exe"

Of course, you can also expend some time in cracking the LM hashes to get the actual passwords but it isn't really necessary.

OpenSSL-fu

If you want to find out the components of a site's certificate the following commands will help you.
If you want to find if the certificate is signed with the weak MD5 signature algorithm:
$ echo | openssl s_client -connect webserver.example.com:443 2>/dev/null | sed -ne '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' | openssl x509 -text | grep "Signature Algorithm"| gawk '{print $3}'

$ echo | openssl s_client -connect 167.155.38.24:443 2>/dev/null | sed -ne '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' | openssl x509 -text | grep "Exponent"

Metasploit Veritas BackupExec Dumping

In metasploit there's a plugin admin/backupexec/dump. This plugin uses the default credentials to login to Veritas backupexec agent and download an arbitrary file. The catch is it downloads it in the MTF (Microsoft Tape Format) file. You need a utility called NTBackup to restore this file. Metasploit authors have conveniently made this available for us at http://metasploit.com/tools/msbksrc.tar.gz.
However, if you compile this file you get an error:
msqic.c:814: error: conflicting types for 'bques'
This happens because the function prototype is missing.
Goto line 169 of msqic.c file in the source code and add the following line:
int bques(char);
Once you add this, you should be able to make the client and should be able to extract the file from the .mtf file.

Defcon CTF Quals 2009 Write-ups

This time the DefCon CTF challenges were really tough. After about 40 hours of straight effort in those 2 days my head was spinning. There were some nice write-ups that people have posted:
Vedagodz's site is up at : http://shallweplayaga.me/
Pursuits Trivial 400 writeup : http://pastie.org/510841
Binary l33tness 300 writeup : http://hackerschool.org/DefconCTF/17/B300.html (based on k0rupt's original work)
Crypto badness 400 : http://beist.org/defcon2009/defcon2009_crypto400_solution.txt