In order to install the tools that are making Kali what it is, I had to install the metapackages. For me, the easiest option was to install all of them (kali-linux-all).

It sounds simple:

# apt-get install kali-linux-all

but it was failing constantly

Failed to fetch http://http.kali.org/kali/pool/main/##whatever_package## Size mismatch

A little bit of research and trying to download the actual package from the host machine made me realize that the proxy was blocking access to the packages.

I decided to check if Tor traffic is allowed. Luckily it was. So I installed it

# apt-get install tor

started it

# tor &

and used torify to pass all the traffic through Tor

# torify apt-get install kali-linux-all

A few more minutes (6+ GB) and I had my fully featured Kali installation.

# sudo apt-get install rpi-update
# sudo rpi-update
# sudo apt-get update
# sudo apt-get upgrade

]]> https://pentest.ro/2014/09/10/installing-raspbian-from-scratch-without-a-keyboard-or-a-monitor/ Wed, 10 Sep 2014 10:08:52 +0000 http://www.pentest.ro/?p=393 Continue reading Installing Raspbian from scratch without a keyboard or a monitor]]> So, you got your Raspberry Pi, a nice SD card, but you can’t remember the last time you saw a keyboard and the only thing around you is a laptop with Windows. Don’t worry, there’s a simple solution.

Download the latest version of Raspbian and Win32 Disk Imager.

Start Win32 Disk Imager (“Run as Administrator”). After installation start the program, select your SD card and the Raspbian image that you downloaded earlier. Lay back for a few minutes.

Since you don’t have any other means to access Raspbian other than SSH, you need to figure the IP address.

You can set up your router to assign a unique IP address via DHCP for the MAC address corresponding to your Raspberry Pi.

Or you can scan for open SSH ports in your LAN:

# nmap -sT -p 22 -v 192.168.x.1-255

Once you’ve identified the IP of your Raspberry, SSH into it.

The default user/password is pi/raspberry. Needless to say, you should change your default password. You can also set a root password, just “sudo su” from the command line and run “passwd” once you have root privileges.

Now it’s time to set a static IP address. SSH into the box once you know the IP address and do the following.

• # sudo cp /etc/network/interfaces /etc/network/interfaces.old
  # sudo nano /etc/network/interfaces

In the end, the configuration file should look like this:

auto lo
 iface lo inet loopback

 auto eth0
 iface eth0 inet static
 address 192.168.x.222
 gateway 192.168.x.1
 netmask 255.255.255.0
 network 192.168.x.0
 broadcast 192.168.x.255

 allow-hotplug wlan0
 iface wlan0 inet manual
 wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
 iface default inet dhcp

You just need to restart the network

# sudo /etc/init.d/networking restart

and you can SSH on the new static IP address.

# ifconfig en0 ether xx:xx:xx:xx:xx:xx

For iOS versions >5 you have to resort to nvram:

# nvram wifiaddr=xx:xx:xx:xx:xx:xx

and then reboot the device.

Prerequisite: jailbroken device, terminal access (local or SSH) and sudo.

Just run the following commands replacing the xxx.xxx.xxx.xxx field with the IP of your listening machine:

# iptables -t mangle -A POSTROUTING -d 0.0.0.0/0 -j ROUTE --tee --gw xxx.xxx.xxx.xxx

# iptables -t mangle -A PREROUTING -s 0.0.0.0/0 -j ROUTE --tee --gw xxx.xxx.xxx.xxx

# echo 1 > /proc/sys/net/ipv4/ip_forward

when we want to enable forwarding in Linux.

If you want to make this change permanent, you need to edit the /etc/sysctl.conf file and add or uncomment the following line

net.ipv4.ip_forward = 1

Althou installing Apache, MySQL and other stuff needed for a web server by hand is not hard and you can find a lot of support I prefer installing Webmin and Virtualmin to ease the administrative tasks.

If you’re planning for a new server you should start with a fresh Debian installation with only the basic stuff on it.

Fast Debian installation of Webmin:

# wget http://www.webmin.com/download/deb/webmin-current.deb

# dpkg --install webmin-current.deb

You probably will miss some dependencies and will have to install them via ‘apt-get install‘. On my fresh Debian I was missing some perl modules so I did ‘apt-get install perl’, again dependecies missing, but with a ‘apt-get install -f‘ (as instructed) I solved it.

When this process is over you can login at https://server_ip:10000. Most browsers will issue a warning because the certificate is not signed by a trusted 3rd party, but that’s fine since it’s your machine. If you login as root you will have full control of the system but pay attention to what you do from that point on.

Now a quick installation of Virtualmin:

# wget http://software.virtualmin.com/gpl/scripts/install.sh

# chmod +x install.sh

# ./install.sh

It askes for a FQDN, if you’re planning on a web hosting server you should provide your domain name (the hosting company domain) as this will be used as default when something is not found or when someone requests the IP directly via http.

Now the cool magic part comes in, as the install script does pretty much everything you should have done by hand, installing apache, mysql, php and a whole lot more (it will take a while).
A Post-Installation Wizard is now in place at https://server_ip:10000 to guide you in configuring Virtualmin. There are performance issues that can be change later on and since you will be exploring a first installation of Webmin & Virtualmin, the default values are just fine. As a side note to this, if you’re not planning  an email server you should disable clamav and SpamAssassin for saving RAM. By default MySQL will be the database and PostgreSQL will not be running. You will be prompted for a MySQL password (which should be different as the root password for obvious security reasons). You will be asked how should the passwords be stored, I higly recomend storing them as hashed. When they are stored as plaintext you can easily recover them for fast-forgeting users but this raises high security issues. You can always reset the passwords for your users.

Because we configured our VM as bridged network, we can access it not from only the host machine, but from the entire network, making it a playground for the office, or offering services such as internal web, file hosting, etc.

For my testing purposes I prefer Oracle VM VirtualBox instead of VMWare. First of all because it’s free for home use and secondly it’s smaller and faster for the applications I run. If you don’t already have it installed you can download it from https://www.virtualbox.org/wiki/Downloads.

You might have noticed that I’m a Debian fan, these is the system I have worked for a long time so it’s more of a habit now. For our clean installation we’ll use the so called NetInstall version. It’s a small ISO image (under 200MB), containing only the basics for the installation, the rest of the applications will be downloaded during the install phase. So you must have internet access during installation (if you read this article you surely do, but pay attention when installing on real hardware). So, download the latest version of Debian NetInstall from http://www.debian.org/CD/netinst/.

Start VirtualBox and let’s create a new Virtual Machine, by selecting New:

Next we select a Name and the type of the OS:

Select how much RAM to give to the Virtual Machine. Note that if you assign more than half of your physical RAM to the VM like I’m doing in the image below you risk RAM starvation on the host machine, you should analyze  the situation depending on your hardware. Anyway, there is a base recommendation of at least 384MB RAM for a Debian. Depending on what you plan with this VM you should assign the RAM. Usually 1GB of RAM will be more than enough.

Now we’ll create a hard-drive for our VM.

Then we select the type of the disk, the format in which it will be stored on disk. If you plan to port this VM to VMWare you should choose VMDK, otherwise VDI which is the default VirtualBox format is fine.

We choose then how will the disk space will be allocated. If you choose Fixed Size, then all the space necessary will be locked by the file used to store the HDD. In Dynamically Allocated mode, the file is only as large as you have files stored on the VM, so it’s a better option in terms of managing resources efficiently.

As for the size of the disk you should know better. By default, VirtualBox is proposing 8GB. I know I need a little bit more space for my applications so I choose 16GB, you should do your math.

We’re done creating our machine, press Create two times and that’s it with this phase.

Let’s modify some important settings of our newly created VM.Press Settings from the main screen.

Go to Storage -> IDE Controller -> Empty, check  the Live CD/DVD check-box and select the ISO image of Debian downloaded earlier.

Under the Network tab, I choose a Bridged Network type to avoid yet another NA. In bridged mode, the network adapter on the VM is practically in the same network as the host machine. I bridged the adapter to my wireless network card which is the one connected to the Internet.

It’s time to start the machine.

If everything is fine the VM should boot from the ISO image of Debian NetInstall. Choose Install in the first screen.

You will the select the Language for the installation, Location -> Locales -> Keymap. If your network adapter is on DHCP then the installer will automatically detect the network and acquire a new IP address for the VM. Otherwise it will prompt to introduce manually the network settings. Next select a Hostname (debian is just fine) -> Domain name (be creative). You will then be prompted for a root password and to create a new user.

Partitioning for beginners is simple with Debian, just choose the defaults.

Confirm Finish partitioning and write to disk. The installer will load the base system then will ask for the mirror which will be used to download the rest of the necessary files. Choose the closest one to your location for faster download.

In the Software Selection screen uncheck all the packages except SSH. Remember, we want a clean install, everything needed will be installed after. So just the SSH daemon for access to the VM (it’s way better than the terminal).

Confirm Loading GRUB to MBR and finish the installation. There you have it, a fresh, clean Debian. Log in, type ifconfig and connect via SSH.

Now let’s make a php function to automate this task. We can use this type of validation to check for example if a user is using a correct address when registering for a service.

The code is explained.

<?php
/*
email_validation.php
Coded by: Pentest ROMANIA; Dan Catalin VASILE; http://www.pentest.ro
*/

function email_validation($email)
{
 //Some vars we will need later
 $timeout = 5; // how much to wait for MX connection in seconds
 $helo = "helo example.com\r\n"; // helo string, feel free to modify but keep in mind that \r\n are necessary at the end of the string to send CR
 $mailfrom = "mail from: <somemail@example.com>\r\n"; // some mail and the domain used before, preferably a valid one

 //First we'll do a quick string validation
 if(filter_var($email, FILTER_VALIDATE_EMAIL))
  {
   //split the email address by the @ sign
   $email_str = explode ("@",$email); 
   //check for MX records
   if (getmxrr($email_str, $mxhosts)) //you could also check the weights of the MX hosts, some other time for me maybe
    {
    
    //opening sock connection to the forst MX host 
    $sock = fsockopen ( $mxhosts[0], 25, $errno, $errstr, $timeout);
     if (!$sock)
     {
      return "INVALID. COULD NOT OPEN CONNECTION TO MX HOST. ERROR: ".$errstr.$errno;
     }
     else
     {
      //sending commands to the MX host
      fwrite ($sock,$helo);
      fwrite ($sock,$mailfrom);
      $rcpt = "rcpt to: <".$email.">\r\n";
      fwrite ($sock,$rcpt);
      //reading responses
      for($j=0;$j<4;$j++)
       {
        $r[$j] = fgets($sock);
      }
      //exploding the last response line which should contain the answer we're looking for
      $r1=explode(" ",$r[3]);
      if($r1[0]=="250")
       return "VALID"; //according to the RFC "250" means valid
      else
       {
        echo "INVALID. ERROR CODE FROM MX SERVER: ".$r1[0];
       }
     }

    }
   else
    return "INVALID. NO MX RECORDS FOUND"; 
   
  } 
 else 
  return "INVALID EMAIL ADDRESS"; // the string submitted to filter_var is invalid 

} 

?>

For this example we will use bogus@pentest.ro. We first need to check the MX record for pentest.ro. In Linux is as simple as:

> dig MX pentest.ro

; <<>> DiG 9.6-ESV-R4 <<>> MX pentest.ro
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53492
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 3, ADDITIONAL: 0

;; QUESTION SECTION:
;pentest.ro.                    IN      MX

;; ANSWER SECTION:
pentest.ro.             86400   IN      MX      5 ALT2.ASPMX.L.GOOGLE.COM.
pentest.ro.             86400   IN      MX      10 ASPMX2.GOOGLEMAIL.COM.
pentest.ro.             86400   IN      MX      10 ASPMX3.GOOGLEMAIL.COM.
pentest.ro.             86400   IN      MX      10 ASPMX4.GOOGLEMAIL.COM.
pentest.ro.             86400   IN      MX      10 ASPMX5.GOOGLEMAIL.COM.
pentest.ro.             86400   IN      MX      1 ASPMX.L.GOOGLE.COM.
pentest.ro.             86400   IN      MX      5 ALT1.ASPMX.L.GOOGLE.COM.

;; AUTHORITY SECTION:
pentest.ro.             86400   IN      NS      ns1.pentest.ro.
pentest.ro.             86400   IN      NS      ns2.pentest.ro.
pentest.ro.             86400   IN      NS      ns3.pentest.ro.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jul  2 21:48:05 2011
;; MSG SIZE  rcvd: 261

On Windows platforms there is no integrated dig utility. You can use this app, or you can use a free online check like this one:

http://www.mxtoolbox.com/

Either way you will end up with the MX server or servers for the domain. Notice there is a number in front of the MX servers in the list, that indicates priority (smaller means higher priority). We will use the highest priority server available and if this one fails we can try the next one.

It’s time to connect to the server (from the command line in Linux or Windows):

> telnet ASPMX.L.GOOGLE.COM 25
Trying 74.125.39.27...
Connected to ASPMX.L.GOOGLE.COM.
Escape character is '^]'.
220 mx.google.com ESMTP y26si6167249fag.156
helo mydomain.com
250 mx.google.com at your service
mail from: <me@mydomain.com>
250 2.1.0 OK y26si6167249fag.156
rcpt to: <bogus@pentest.ro>
550-5.1.1 The email account that you tried to reach does not exist. Please try
550-5.1.1 double-checking the recipient's email address for typos or
550-5.1.1 unnecessary spaces. Learn more at
550 5.1.1 http://mail.google.com/support/bin/answer.py?answer=6596 y26si6167249fag.156
rcpt to: <somevalidaddress@pentest.ro>
250 2.1.5 OK y26si6167249fag.156
quit
221 2.0.0 closing connection y26si6167249fag.156
Connection closed by foreign host.

The bolded lines are the ones you type, the others are responses from the server.

All servers should abide to RFC 821. Most do, a few don’t. I noticed some servers are accepting all addresses as valid. This is not a standard response but you can check if this occures testing an email like vrWvrtVWRmJU5Jrvrw43t524@domain.com.

The response code you are interested in is 250. This means it’s a valid address. 550 means that the user does not exist. There are other codes as well and you can do further reading in the RFC.

Please note that helo command must be run before anything else. mydomain.com and me@mydomain.com can be changed in anything you please.

To close the connection after validation just type quit.

wget for example is unable to work directly with a socks proxy. Also, configuring wget to work with a http proxy is a pain. You can’t specify the proxy from the command line.

Fortunately, there are transparent ways to make things work.

One option in hand is tsocks (transparent socks). Debian comes with it pre installed. If not just do a:

> apt-get install tsocks

and you’re good to go.

You need to edit the /etc/tsocks.conf. You can specify a lot of thing there but the really important lines are the ones at the end of the file:

server = 127.0.0.1 # socks ip here
server_type = 5 # 5 for socks5, default is 4
server_port = 1080 # well... 

You can use tsocks as simple as this:

> tsocks app args[]

Now we can put it to a test:

> tsocks wget www.whatismyip.com

and test to see if index.html contains the IP of the proxy.

Now, if you want to use a proxy chain you may want to use proxychain. But about this one in another post.

Of course VPN is the favorite method, but what if you don’t have such an option? Let’s say all you have is a DD-WRT router with no VPN (because you have a mini or generic firmware). Just for the sake of argument. How do you route your traffic through this router from the Internet?

Well, I spotted in my early days a way to secure the communication in such environments while looking for something else. I was actually looking for a way to access private IPs behind a Linux router without the use of a proxy and I figured that Putty can do both of this. For several reasons I use Windows in my daily work so the best tool in hand for SSH connections is by far Putty.

Start Putty and put your server name or IP address, select SSH for Connection Type (and the port if it’s different from 22, I know it’s a common thing to change the SSH daemon port for security through obscurity reasons), type a name for this connection in the Saved Sessions field and click Save.

Now go under Connection -> SSH -> Tunnels, set the Source Port to 8080 or whatever port you wish, click Add, and you should get something like this:

Any SOCKS-able protocols can be used over this tunnel so there are virtual unlimited uses. As you can see from above you now also have secure access to the Intranet.

As a side note, there are a lot of plug-ins for easy and quick proxy switching and management for Mozilla FireFox. Choose your favourite: https://addons.mozilla.org/ro/firefox/search?q=proxy&cat=all