Sometimes you need to keep a close watch on a machine that has been compromised, so you want to see the logs in real time. "tail -f" does exactly that: it prints new lines as they are appended to the file. On Fedora/Red Hat style systems most system messages are logged to the "messages" file, and security related messages (authentication, PAM, sudo, user and password changes) go to the "secure" file. In the latter you can find successful and unsuccessful login attempts, so the "secure" log file is a good place to start when you are trying to find out whether someone has tried to break into the box.
tail -f /var/log/secure
or
tail -f /var/log/messages
Now try logging in from a remote box or locally and watch the log lines scroll by in real time. These are some log files that might be of interest:
tail -f /var/log/secure            # security related messages
tail -f /var/log/messages          # system messages
tail -f /var/log/maillog           # mail server messages
tail -f /var/log/httpd/access_log  # web server messages
Moreover, the "grep" command is quite useful for parsing through log files. In this example grep searches the "secure" log file for the string "smbuser"; the string to search for is simply the first argument. The -n switch prints the line number of each match, and -R tells grep to recurse into directories, which does nothing for a single file but is handy when the target is a directory, as in the next example.
[root@Fedora11-vbox ~]# grep -Rn smbuser /var/log/secure
81:Sep 26 11:55:04 Fedora11-vbox useradd[2233]: new group: name=smbuser, GID=501
82:Sep 26 11:55:04 Fedora11-vbox useradd[2233]: new user: name=smbuser, UID=501, GID=501, home=/home/smbuser, shell=/bin/bash
83:Sep 26 11:55:26 Fedora11-vbox passwd: pam_unix(passwd:chauthtok): password changed for smbuser
85:Sep 26 12:00:37 Fedora11-vbox passwd: pam_unix(passwd:chauthtok): password changed for smbuser
The "grep" command can also search multiple files recursively, for example searching the "/etc/httpd/conf" and "/etc/httpd/conf.d" directories for the string "VirtualHost".
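The same triage the post does with tail and grep, done in Python so the matches can be counted and thresholded. This is an added example, not code from the post; the log lines are constructed samples in the sshd/PAM syslog format Fedora writes to /var/log/secure, not real captures, and the threshold of three failures is an assumption.

```python
"""Triage of a Fedora/RHEL "secure" log in Python (added example)."""
import re
from collections import Counter

# Constructed sample lines in /var/log/secure format (not a real capture).
SAMPLE_SECURE = """\
Sep 26 11:55:04 Fedora11-vbox useradd[2233]: new user: name=smbuser, UID=501, GID=501, home=/home/smbuser, shell=/bin/bash
Sep 26 12:03:11 Fedora11-vbox sshd[2410]: Failed password for root from 192.0.2.10 port 51122 ssh2
Sep 26 12:03:14 Fedora11-vbox sshd[2410]: Failed password for root from 192.0.2.10 port 51122 ssh2
Sep 26 12:03:20 Fedora11-vbox sshd[2415]: Failed password for invalid user admin from 192.0.2.10 port 51130 ssh2
Sep 26 12:04:02 Fedora11-vbox sshd[2420]: Accepted password for jorge from 198.51.100.7 port 40022 ssh2
Sep 26 12:05:40 Fedora11-vbox sshd[2431]: Failed password for jorge from 198.51.100.7 port 40030 ssh2
Sep 26 12:06:01 Fedora11-vbox sshd[2431]: Accepted publickey for jorge from 198.51.100.7 port 40031 ssh2
"""

# One sshd auth line: "Accepted|Failed <method> for [invalid user] <user> from <ip> port <n>"
SSHD_AUTH = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def sshd_events(lines):
    """Yield one dict per sshd authentication line; other lines are skipped."""
    for line in lines:
        m = SSHD_AUTH.match(line)
        if m:
            yield m.groupdict()


def failed_by_ip(lines):
    """Failed-login count per source IP (what a brute-force attempt looks like)."""
    return Counter(e["ip"] for e in sshd_events(lines) if e["result"] == "Failed")


def accepted_logins(lines):
    """(user, ip, method) for every successful login: compare against who
    was actually supposed to be on the box."""
    return [(e["user"], e["ip"], e["method"])
            for e in sshd_events(lines) if e["result"] == "Accepted"]


def suspicious_ips(lines, threshold=3):
    """Source IPs with at least `threshold` failures, busiest first (threshold is an assumption)."""
    counts = failed_by_ip(lines)
    return [ip for ip, n in counts.most_common() if n >= threshold]


def grep_n(lines, pattern):
    """Equivalent of `grep -n PATTERN FILE`: (line number, line) for each match."""
    rx = re.compile(pattern)
    return [(i, line) for i, line in enumerate(lines, 1) if rx.search(line)]


if __name__ == "__main__":
    lines = SAMPLE_SECURE.splitlines()
    for ip, n in failed_by_ip(lines).most_common():
        print(f"{n:4d} failed logins from {ip}")
    for user, ip, method in accepted_logins(lines):
        print(f"accepted {method} login for {user} from {ip}")
    print("brute-force candidates:", suspicious_ips(lines))
    for n, line in grep_n(lines, "smbuser"):
        print(f"{n}:{line}")
```

To run it against a live box, replace `SAMPLE_SECURE.splitlines()` with the lines of /var/log/secure (root only); the accepted-login list is the one to read most carefully, since a successful login from an address that was also hammering the box is the real indicator of a break-in, not the failures alone.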
OK, the previous video was kind of outdated, so I posted a new one. Credits to g0tmi1k. The video goes beyond just cracking WPA; it also shows how the different tools perform, and it explains the methodology very simply. Cracking WPA is not like cracking WEP. With WEP you exploit a flaw in how the encryption is used (RC4 key reuse through the short 24-bit IV); with WPA/WPA2-PSK the only weakness is the strength of the user's passphrase. So cracking WPA basically means brute-forcing the passphrase offline against a captured handshake, and the success of the attack depends on your dictionary or password list: if the passphrase is not in it, you will never recover the key. There are several WPA word lists out there, and I highly recommend the precomputed ("rainbow") tables, which can be several GB in size. Keep in mind that a WPA table is computed for one SSID, because the SSID is the salt in the key derivation, so a table only helps against networks using an SSID it was built for. How to find them? Google is your friend!
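Why WPA-PSK cracking is a dictionary problem, as an added example that is not code from the video or the post. The pairwise master key is PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), a slow one-way derivation with nothing to exploit, so each guess costs 4096 HMACs and a wrong wordlist means no result. The second half is the per-SSID precomputed table idea (a plain lookup table, not rainbow chains). The SSID, passphrase and wordlist are made up; a real attack confirms each candidate against the MIC of a captured 4-way handshake rather than against the PMK itself. The first test vector from the 802.11i standard ("password"/"IEEE") is included so the derivation can be checked.

```python
"""WPA/WPA2-PSK passphrase dictionary attack (added example)."""
import hashlib

# Published 802.11i test vector (Annex H): passphrase "password", SSID "IEEE"
KNOWN_VECTOR = ("password", "IEEE",
                "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PMK exactly as a WPA-PSK client and AP do."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def dictionary_attack(target_pmk: bytes, ssid: str, wordlist):
    """Try each word in order; return (passphrase, guesses) or (None, guesses)."""
    guesses = 0
    for word in wordlist:
        guesses += 1
        if wpa_pmk(word, ssid) == target_pmk:
            return word, guesses
    return None, guesses


def precompute_pmk_table(ssid: str, wordlist) -> dict:
    """The precomputed-table idea for WPA: PMKs computed once per (SSID, word).
    Because the SSID is the PBKDF2 salt, a table is only useful for that one
    SSID, which is why published tables target common SSID names."""
    return {wpa_pmk(word, ssid): word for word in wordlist}


def table_lookup(table: dict, target_pmk: bytes):
    """O(1) lookup in place of 4096 HMACs per guess."""
    return table.get(target_pmk)


if __name__ == "__main__":
    # Constructed data: made-up SSID, passphrase and wordlist.
    WORDLIST = ["password", "12345678", "letmein123", "correct horse", "trustno1"]
    ssid, secret = "HomeNet", "correct horse"
    target = wpa_pmk(secret, ssid)     # what a handshake capture lets you test against
    print(dictionary_attack(target, ssid, WORDLIST))          # ('correct horse', 4)
    table = precompute_pmk_table(ssid, WORDLIST)
    print(table_lookup(table, target))                        # 'correct horse'
    print(table_lookup(table, wpa_pmk(secret, "OtherNet")))   # None: table built for another SSID
```

The last line is the caveat about downloaded tables: the same passphrase on a network with a different SSID produces a different PMK, so a table built for "linksys" says nothing about "HomeNet".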
Recently I decided to do a bit of wardriving (mapping access points) and bought a cheap but very easy to install GPS receiver (GlobalSat BU-353) on Amazon.com, so I put together this quick guide to wardriving. This is only one of many ways of doing it. For this article I chose NetStumbler for detecting the access points, but there are other tools that do the job more effectively; I personally like WiFi Hopper, which, unlike NetStumbler, identifies the type of encryption being used by the access point. Another AP detector is Kismet, which runs on Linux rather than Windows. All of the tools mentioned support a GPS receiver.
The Ophcrack live CD is by far the best Windows password recovery/cracking tool out there because of its simplicity and how fast it cracks relatively complex passwords: it cracked my 11-character password in less than 3 minutes. Whether you are a network administrator or an ordinary computer user, you will appreciate how useful it is. The tool is open source and free to download and use (at your own risk). It breaks Windows passwords with rainbow tables, a time-memory trade-off: instead of hashing every candidate password at crack time (pure brute force) or storing every password/hash pair (pure lookup, which takes far too much disk), long chains of alternating hash and "reduce" steps are precomputed and only each chain's first and last value is stored; at crack time the captured hash is walked forward to a stored chain end, and only that one chain is regenerated to find the password. It works so well against Windows XP because XP by default also stores the LM hash, which uppercases the password and splits it into two 7-character halves, so even an 11-character password becomes two short, case-insensitive problems. In this article we will go over the process of cracking a Windows XP password (the process is the same for Vista, except you download the Vista live CD).
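A toy rainbow table showing the time-memory trade-off described above, as an added example that is not Ophcrack's code. Ophcrack's tables invert Windows LM/NT hashes; here a truncated SHA-1 stands in for the hash function and the password space is four lowercase letters (both assumptions, chosen so the whole thing runs in seconds). The structure is the real one: chains of alternating hash and reduce steps of which only the start and end password are stored, a column-dependent reduction (what makes it a rainbow table rather than a plain Hellman table), and a lookup that regenerates only the chain that can contain the target, skipping false alarms.

```python
"""Toy rainbow table: the time-memory trade-off behind Ophcrack (added example)."""
import hashlib
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 4
KEYSPACE = len(ALPHABET) ** PW_LEN      # 456,976 passwords (assumption: tiny space)
CHAIN_LEN = 100                         # hash/reduce steps per chain (t)
NUM_CHAINS = 3000                       # chains stored (m); memory ~ m, work covered ~ m*t


def toy_hash(pw: str) -> bytes:
    """Stand-in for the LM/NT hash (assumption): first 8 bytes of SHA-1."""
    return hashlib.sha1(pw.encode()).digest()[:8]


def int_to_pw(n: int) -> str:
    """Map an integer in [0, KEYSPACE) to a password."""
    out = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(out)


def reduce_fn(digest: bytes, column: int) -> str:
    """Reduction R_i: turn a hash back into *some* candidate password.
    Mixing in the column index is what makes this a rainbow table: two
    chains only merge if they collide at the same column."""
    n = (int.from_bytes(digest, "big") + column * 0x9E3779B1) % KEYSPACE
    return int_to_pw(n)


def build_table(num_chains: int = NUM_CHAINS, chain_len: int = CHAIN_LEN) -> dict:
    """Precompute m chains of length t; keep only endpoint -> start point."""
    table = {}
    stride = KEYSPACE // num_chains
    for c in range(num_chains):
        start = int_to_pw(c * stride)           # deterministic start points
        pw = start
        for col in range(chain_len):
            pw = reduce_fn(toy_hash(pw), col)
        table.setdefault(pw, start)             # merged chains: keep the first
    return table


def lookup(table: dict, target: bytes, chain_len: int = CHAIN_LEN):
    """Invert `target`: the time side of the trade-off.

    For each column i (last first) assume the target is the hash at column i
    of some chain, walk the remaining columns to the chain's endpoint, and if
    that endpoint is stored, regenerate the chain from its start until the
    password hashing to `target` appears. A stored endpoint whose chain does
    not contain the target is a false alarm and is skipped.
    """
    for i in range(chain_len - 1, -1, -1):
        pw = reduce_fn(target, i)
        for col in range(i + 1, chain_len):
            pw = reduce_fn(toy_hash(pw), col)
        start = table.get(pw)
        if start is None:
            continue
        candidate = start
        for col in range(chain_len):
            if toy_hash(candidate) == target:
                return candidate
            candidate = reduce_fn(toy_hash(candidate), col)
    return None                                  # not covered by this table


def success_rate(table: dict, probes: int = 200) -> float:
    """Fraction of evenly spaced passwords the table recovers: coverage grows
    with m*t, which is the knob Ophcrack's larger table sets turn."""
    hits = 0
    for k in range(probes):
        pw = int_to_pw((k * 7919) % KEYSPACE)
        hits += lookup(table, toy_hash(pw)) == pw
    return hits / probes


if __name__ == "__main__":
    table = build_table()
    print(f"{len(table)} chains stored, coverage about {success_rate(table):.0%}")
    print(lookup(table, toy_hash("aaaa")))      # 'aaaa': a chain start, always found
```

Coverage is not 100%: a table covers roughly m*t passwords minus chain merges, and raising either number raises disk (m) or crack time (t). That is the trade-off in the name, and the reason a salted hash (which Windows LM/NT hashes are not) defeats this approach, since each salt would need its own table.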
One way of detecting malware (viruses, rootkits, etc.) is knowing which ports are open and which services and applications are bound to them. A while back, malware would install itself with the intention of opening a backdoor (a listening port) for the attacker to connect to, leaving the PC at the attacker's mercy. Now that most PCs sit behind NAT (Network Address Translation), that inbound style of attack is less common, but as technology evolves so do the threats: now the malicious software installs itself and initiates a connection back out to the attacker's machine, which is listening for it, and NAT lets that through like any other outbound connection. With that in mind, turn off any services you don't actually need so they do not become avenues of attack. There is no way to provide a comprehensive guide: different systems run different services by default, and new services appear from time to time, expanding the number that may be running on a given computer.
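Both patterns from the post (an unexpected listener, and an unknown program connecting out) checked from netstat output, as an added example that is not code from the post. It parses the format of Linux `netstat -tunap`, which lists the PID and program owning each socket. The output is a constructed sample in that format, not a real capture, and the two allowlists are assumptions a real host would tune to the services it is actually meant to run.

```python
"""Open ports and their owning programs, from `netstat -tunap` output (added example)."""

# Constructed sample in netstat -tunap format (not a real capture).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1004/sendmail
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      2671/.x/update
tcp        0      0 192.168.1.20:45832      203.0.113.9:4444        ESTABLISHED 2671/.x/update
tcp        0      0 192.168.1.20:51200      198.51.100.80:443       ESTABLISHED 2100/firefox
udp        0      0 0.0.0.0:68              0.0.0.0:*                           701/dhclient
"""

PROTOS = {"tcp", "tcp6", "udp", "udp6"}
EXPECTED_LISTENERS = {("tcp", 22), ("tcp", 25), ("udp", 68)}   # assumption: this host's roles
KNOWN_PROGRAMS = {"sshd", "sendmail", "dhclient", "firefox"}   # assumption: what may talk out


def parse_netstat(text):
    """Yield one dict per socket line. UDP lines have no State column."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] not in PROTOS:
            continue                                  # banner, header, odd lines
        proto, local, foreign = f[0], f[3], f[4]
        state, pid_prog = (f[5], f[6]) if len(f) >= 7 else ("", f[5])
        pid, _, prog = pid_prog.partition("/")
        yield {
            "proto": proto,
            "local_port": int(local.rsplit(":", 1)[1]),
            "foreign_ip": foreign.rsplit(":", 1)[0],
            "foreign_port": foreign.rsplit(":", 1)[1],
            "state": state,
            "pid": pid,
            "prog": prog,
        }


def listeners(text):
    """(proto, port, program) for every socket accepting traffic."""
    return [(s["proto"], s["local_port"], s["prog"]) for s in parse_netstat(text)
            if s["state"] == "LISTEN" or (s["proto"].startswith("udp") and s["state"] == "")]


def unexpected_listeners(text, expected=EXPECTED_LISTENERS):
    """Listening ports not on the allowlist: a bind-shell backdoor, or a
    service that should simply be turned off."""
    return [l for l in listeners(text) if (l[0], l[1]) not in expected]


def unknown_outbound(text, known=KNOWN_PROGRAMS):
    """Established connections owned by a program not on the allowlist:
    the connect-back pattern that NAT does not stop."""
    return [(s["prog"], s["foreign_ip"], s["foreign_port"]) for s in parse_netstat(text)
            if s["state"] == "ESTABLISHED" and s["prog"] not in known]


if __name__ == "__main__":
    print("listeners:", listeners(SAMPLE_NETSTAT))
    print("unexpected listeners:", unexpected_listeners(SAMPLE_NETSTAT))
    print("unknown outbound:", unknown_outbound(SAMPLE_NETSTAT))
```

On a live box feed it the output of `netstat -tunap` run as root (the program column is blank for other users' sockets); on newer systems `ss -tunap` gives the same information in a slightly different layout. A rootkit that hooks netstat can hide its socket from this view, so the authoritative check is from outside the host, with a port scan and the upstream firewall's connection logs.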
I finally completed the "th3 pwn3d zit3" test site. This is the complete site on which users can test their web application testing skills; it also serves as an example of how to filter input and secure your code in web applications. You may have seen part of the site in a previous post, "Hacker Challenge: pwn3d the login form". The other part is the main page, to which I added a search form for searching the site's content, and it of course also has different vulnerabilities.
"th3 pwn3d zit3"
I came up with this pwn3d zit3 login form challenge to expose one of the many web application vulnerabilities. It consists of a login form that authenticates against a MySQL backend database to give authorized access to the members-only part of the web site (you must become a member first: "REGISTER"). The goal is to log in with full administrator rights and get the user list stored in the MySQL database. If you need help or a hint on how to come up with the goods, use the comments form at the end of the page. Hope you find it interesting.
Here's the link to th3 pwn3d zit3 login form challenge
Hint #1: the vuln is in the way the cookie is set. Take a look at the content of the cookie.
Hint #2: read the login page for additional clues.
The complete site is now finished and contains different vulnerabilities; you can find it here.
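Hint #1 says the bug is in how the login cookie is set. One common way that goes wrong, assumed here for illustration (the challenge's actual code is not shown on this page), is storing the user's privilege level in the cookie itself, so anyone can edit it. The block below is an added example, not the site's code: the naive cookie beside a signed one, with an HMAC over the value under a server-side secret checked in constant time. The secret and user names are made up.

```python
"""Trusting cookie contents versus signing them (added example)."""
import hashlib
import hmac

SERVER_SECRET = b"assumed-server-secret-kept-off-the-client"   # assumption


def make_cookie_insecure(user: str, role: str) -> str:
    """What a naive login might set: 'user=jorge;role=member'."""
    return f"user={user};role={role}"


def parse_cookie_insecure(cookie: str) -> dict:
    """Server trusts whatever comes back, so role=admin is a text edit away."""
    return dict(kv.split("=", 1) for kv in cookie.split(";"))


def make_cookie_signed(user: str, role: str, secret: bytes = SERVER_SECRET) -> str:
    """Same fields, plus an HMAC-SHA256 tag the client cannot recompute."""
    payload = f"user={user};role={role}"
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def parse_cookie_signed(cookie: str, secret: bytes = SERVER_SECRET):
    """Return the fields only if the tag verifies; None on any tampering."""
    payload, sep, tag = cookie.rpartition("|")
    if not sep:
        return None                                   # no tag at all
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):        # constant-time compare
        return None
    return dict(kv.split("=", 1) for kv in payload.split(";"))


def forge_role(cookie: str, role: str) -> str:
    """The attack: rewrite role=... in the cookie text. Works on both formats
    as text; only the signed parser notices."""
    head, sep, tag = cookie.rpartition("|")
    body = head if sep else cookie
    fields = dict(kv.split("=", 1) for kv in body.split(";"))
    fields["role"] = role
    forged = ";".join(f"{k}={v}" for k, v in fields.items())
    return f"{forged}|{tag}" if sep else forged


if __name__ == "__main__":
    weak = make_cookie_insecure("jorge", "member")
    print(parse_cookie_insecure(forge_role(weak, "admin")))   # {'user': 'jorge', 'role': 'admin'}
    strong = make_cookie_signed("jorge", "member")
    print(parse_cookie_signed(strong))                         # {'user': 'jorge', 'role': 'member'}
    print(parse_cookie_signed(forge_role(strong, "admin")))    # None
```

Signing stops forgery but not replay of a stolen cookie, and it still puts the role on the wire; the cleaner design is a random session ID in the cookie with the user and role looked up server-side, which is also what the site's "filter your input and secure your code" goal points towards.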