Whenever we get into it in regards the users need to be able to have admin access on their PC's I explain the issues then he also fires back then they should just run a MAC because there are not viruses on a MAC.  I would love to simply demonstrate how far into the sand his head is without committing professional suicide.  I am not allowed to touch his MAC, so he is in 100% control of it.  When I do deploy a more unified network, I know that this will come to a head as he will think that he is unnecessarily being controlled when he doesn't need the protection.

What would be a simple, easy way for me to demonstrate how vulnerable he is without committing professional suicide.  If he could get owned in a controlled fashion by a trusted independent party it would be great.  I think it would go a long way to silencing him when I am using best practices for protecting the network.

-- Tkrabec

http://beeradvocate.com/beer/profile/5316/23713

5.1 ABV, 11oz.

They also have a dark lager (black label) which is just as enjoyable, but it lacks the bite of a regular lager.  Enjoy it from the bottle or a glass; a glass lets you drink it more faster, though. 

This week I tried to test to site http://scanme.ntobjectives.com/ (testing site) with paros proxy tool to test if I can crawl deep to the site considering that the robots.txt is setup strictly. Crawling a site is important to determine all links possible to be vulnerable
user-agent: *
Disallow: /osrun/*
Disallow: /report/*
Disallow: /*

Paros and W3af result simply shows few links detected even pushing the settings to be more verbose
NTO tool can crawl to all the links/directories on the site. I feel the they tool bypass the robots.txt and just crawl the entire site.
http://scanme.ntobjectives.com/report/  (link of the scan result)

Can you help how can I set Paros/ W3af to crawl to all links bypassing the robots.txt so I can get all the links needed to be check for XSS?

Thanks a lot

Basically the script (a horribly coded bat and vbs file) runs a collection of different commands and common third party tools that perform a handful of standard analysis steps, then it writes out the results into an awkward html report and after that it’s up to you to analyze the results, nothing revolutionary just helps cut down time and gives you a set of standard repeatable steps.  The script is broken down into a bat file and a small vbs file and depending on what level of analysis you want, you can choose how verbose you want the output. Using psexec you can run the script against another machine without the remote user's interaction/knowledge.  You will need to download the tools the script calls since I can't really distribute them.  Below are the files you will need to place in the same folder as the script
The script is here http://theinterw3bs.com/wiki/images/Klu … ge-2.9.zip
Listdlls.exe – http://technet.microsoft.com/en-us/sysi … 96656.aspx
handle.exe – http://technet.microsoft.com/en-us/sysi … 96655.aspx
Psinfo.exe – http://technet.microsoft.com/en-us/sysi … 97550.aspx
psloggedon.exe – http://technet.microsoft.com/en-us/sysi … 97545.aspx
streams.exe – http://technet.microsoft.com/en-us/sysi … 97440.aspx
tcpvcon.exe – http://technet.microsoft.com/en-us/sysi … 97437.aspx
vmmap.exe – http://technet.microsoft.com/en-us/sysi … 35533.aspx
autorunsc.exe – http://technet.microsoft.com/en-us/sysi … 63902.aspx
SigCheck.exe – http://technet.microsoft.com/en-us/sysi … 97441.aspx
procdump.exe – http://technet.microsoft.com/en-us/sysi … 96900.aspx
7za.exe – 7-Zip Command Line Version – http://www.7-zip.org/download.html
grep.exe, uniq.exe, cut.exe – http://sourceforge.net/projects/unxutils/
md5deep.exe – http://md5deep.sourceforge.net/
mdd.exe – physical memory acquisition tool – http://sourceforge.net/projects/mdd/files/
mbr.exe – GMER mbr rootkit scanner – http://www2.gmer.net/mbr/
sarcli.dll, sar1.dll, sar2.dll, sar3.dll, sar4.dll, sar5.dll, sar6.dll, MEMSWEEP.sys, helper.exe – Sophos sarcli.exe – http://www.sophos.com/products/free-too … otkit.html
catchme.exe – rootkit/stealth malware scanner – http://www2.gmer.net/catchme.htm
rifiuti.exe, cygwin1.dll – http://www.foundstone.com/us/resources/ … ifiuti.htm
rip.exe, regscan.exe, regslack.exe, p2×588.dll and the plugins directory from regripper – http://www.regripper.net/
HoboCopy.exe – http://sourceforge.net/projects/wangder … /HoboCopy/

I was asked to use some Windows binaries from a trusted source in case the machine I am analyzing has tainted exe’s.  Usually never an issue but whatever, it was easy enough to do so I set the script to call the following native cmds from the same folder as the script. You will need to copy the following exe’s into the same folder or simply edit the script removing the .\ from the command.
Arp.exe – Copy the binary from trusted box
At.exe – Copy the binary from trusted box
ipconfig.exe – Copy the binary from trusted box
nbtstat.exe – Copy the binary from trusted box
net.exe – Copy the binary from trusted box
netsh.exe – Copy the binary from trusted box
netstat.exe – Copy the binary from trusted box
route.exe – Copy the binary from trusted box
schtasks.exe – Copy the binary from trusted box

There are 3 different output detail levels for the script 1 being the quickest, 2 being detailed and 3 detailed and with memory/process dumping. FYI - I was told Vista caused issues when running regslack but Win7 did better so unless XP/2003 you may need to adjust. 

Using the tools above the script will automatically collect/report the following information.

Gathers System Information – environment variables, OS info, path, drive info, partition info, user accounts, scheduled tasks, logged on users, shares, USB Device History, Installed Hotfixes and Service Packs

Network info – TCP/UDP Connections, Cached DNS, IP and route info, firewall info, hosts file contents, NetBios Connections, NetBios over TCP Connections, Cache and Resolution, NetBios Session Information

Process Information – lists all running processes, list all processes using wsock32.dll, Startup Apps, Services, Dlls, Open Handles

File Information – dumps IE and FF browser history, outputs contents of Program Files, Documents and Settings and Windows directories, searches for ADS files, md5 hashes of Windows and Docs&Settings directories, outputs event logs, outputs Flash version, Acrobat versions, Java Versions and lists version used by browser, Firefox version, outputs each user’s recyclebin contents, copies all user’s Flash Cookies, outputs any unsigned executables in the sys32 directory

Registry Information – outputs installed BHO’s, outputs a bunch of common reg keys, dumps HKLM, HKCU, HKCR, HKU, HKCC, copies Sam, Sam.log, Sam.sav, Security, Security.log, Security.sav, Software, Software.log, Software.sav, System, System.alt, System.log, System.sav, Default, Default.log, Default.sav, Userdiff, Userdiff.log, Ntuser.dat.log and each user’s NTUSER.DAT.  Outputs RegRipper plugins against each hive file, outputs RegSlack against each hive, outputs Regscan

AV – currently dumps McAfee logs and Symantec logs (XP and Vista), outputs quarantine folder contents, runs rootkit scans

Memory Analysis – dumps memory, dumps individual process memory, Virtual and Physical memory process analysis

As of right now you need to copy the script and the needed tools to the user's machine by some means.  For example copy the folder to \\RemoteMachine\c$ , then if you named the folder "kludge" and you want to run it with a detail level of 2 use this psexec command to run the kludge.vbs script
psexec.exe \\RemoteMachine -u domain\AdminUserName -w c:\kludge cmd.exe /c c:\kludge\kludge.vbs 2
then when the script is finished it will zip itself up and you can copy it back to your machine.

A friend wrote a little python wrapper for the script that will copy the script/tools over and run it then copy it back to you so if anyone is interested in it I will send you a copy.

Sorry for the long post but if you need more info a better description is here - http://theinterw3bs.com/?p=399 .  If you have issues/suggestions/modifications please let me know.

http://pauldotcom.com/2010/03/ipv6-surv … ar-di.html

[-] stdapi_sys_process_kill: Operation failed: 5

I found an old post from HD on the framework mailing list discussing this issue wrt killav.rb, where he explains that this is an Access Denied error probably caused by lack of permissions (I was the NT ADMINISTRATOR\SYSTEM user after exploit).

There's also a thread over on hak5 discussing a very similar issue wrt some switchblade scripts (thread here). A few people there have pointed out that AV vendors have taken some interesting countermeasures to avoid being killed (e.g., low level kernel hooking to avoid the process being killed from user space). And Eset uses a monitoring function that will restart the NOD32 process with a new pid if you manually kill it (as described in a posting by Carnal0wnage discussing similar issues here).

There were a few suggestions made on the hak5 forums but many of the suggestions were things like registry hacks to disable the antivirus after a reboot (this is the solution that Carnal0wnage describes in the linked post, as well).

Are there other ways to circumvent or disable modern antivirus? This is more for educational purposes than real pen testing (when people ask what exactly antivirus software is doing for them I can at least point to this and say it makes certain things more difficult). Antivirus is really just preventing further exploitation by restricting my toolset, so I can always circumvent the detection rules with packers, etc. but is there a way to actually kill off the av?

QuahogCon is a regional conference for the hacker culture in all forms. Hardware, Software, Security, Social, Eco Hacking, Zero Impact Living. Like most hacker cons, it will run Friday to Sunday. We'll have two tracks: one for InfoSec topics and the other track will be a mix of all the other topics with a bit of an emphasis on hardware hacking and DIY electronics. Besides our perennial InfoSec favorites, we want to hear from some new voices on a wider range of topics. If it's a good hack, we want to hear what you're doing.

It goes on April 23d thru 25th.

Some of the talks: 

Dan Crowley - Windows File Pseudonyms    
Mariano Alvira - The MC1322x Project 
Nick DePetrillo /Don Bailey - We Found Carmen Sandiego!    
Darren Wigley /Larry Pesce - Building the 2010 ShmooBall Launcher
Michael Schearer "theprez98" SHODAN for Pen Testers    
Noah Bedford / Peter Schmidt - Neilsen The Little Microcontroller That Can: Awesome uses for the Atmel ATTiny45
Dragorn - Wifi Threats aren't dead, they just moved down the street    
Deviant Ollam - Packing & The Friendly Skies
Larry Pesce - Information disclosure via P2P networks    
Jason Thibodeau - Hacking the Arcade: Basketball for Two
Alex Muentz - Security, Stupidity and Employability    
Rob - Beginner Lock Picking

- MikeP

You can download it and get more information from www.digininja.org/cewl.php .

Any problems/questions/bugs let me know.

Is there a way to enumerate all of the databases within an environment?  I want to use a tool to scan and then have the tool report to me all the databases within our environment.  Additionally, once all the databases are identified, is there a tool to tell me whether the databases are secure?  I am new at application/db security and would like some pointers/resources towards informational sites and so forth.

Thank you very much.

ML

http://hak5.org/forums/index.php?sho... … entry88306

for a full list I LIVE off USB .. I have backtrack windows XP and windows7 all on usb drives :

win7: http://rmccurdy.com/scripts/usboot%20windows%207.bat
winxp : www.usboot.org ( you can push a usboot image in 4min and have windows up an running in under 4min .. with driverpacks )
backtrack 4 prefinal with changes: http://forums.remote-exploit.org/bac...tml#post148380

I have recently added portable:
GrabIt.exe
dvdflick.exe
MediaCoder 0.7.2.4582 portable.exe
Premiere 6.0 Portable

some of these windows apps are Thinstalls FYI you need admin for the dropbox portable

I am managing via the Brother Control Center3 software so I need SNMP enabled (I have secured the device with a strong password) but probably don't need web based management.  I have disabled Telnet too but from here I am not sure how deep I can go without breaking it.  I am managing it remotely via the VPN so I need to make sure I don't break it to the point that I can't access it to configure it.

Suggestions?

Hate to say it but I'm looking for a windows based solution.