Tuesday, May 23, 2006 

Fun with WSH

WSH stands for Windows Script Host. It is a way of automating various Windows tasks.

I was playing around with it today and thought I'd post something on how useful it is.

For example, you can open IE and make it open a certain web page like this:

' ie.vbs
' version 0.1 justfriends4n0w@yahoo.com
' Opens Internet Explorer and goes to the URL typed below
set WshShell = CreateObject("WScript.Shell")
WshShell.Run "iexplore.exe"
WScript.Sleep 800

' Alt+F opens the File menu; {down}{enter} picks the Open... item
WshShell.SendKeys "%f{down}{enter}"

' Enter a url to go to and OK
WshShell.SendKeys "www.rhce2b.com{enter}"

All this does is open Internet Explorer and send a bunch of keystrokes to it. I was thinking of maybe using this approach to write a simple HTML fuzzer. I could generate a file and then use this to open the file.

Another thing you can automate is sending an e-mail in Microsoft Outlook. Interestingly enough, if you have the option set to automatically sign outgoing mail, and you have recently sent mail, this script will send mail that is signed by you.

' outlook.vbs
' version 0.1 justfriends4n0w@yahoo.com
' Opens Outlook and sends a mail

set WshShell = CreateObject("WScript.Shell")
WshShell.Run "outlook.exe"
WScript.Sleep 1500

' Open a new message
WshShell.SendKeys "%nm"
WScript.Sleep 200

' To:
WshShell.SendKeys "foo@foobar.com{tab}"
' note: the first time you hit tab in an address field it just resolves names and doesn't tab out of the field...
WScript.Sleep 200
' CC:
WshShell.SendKeys "{tab}{tab}"
' Subject:
WshShell.SendKeys "Test{tab}"
' Text of message:
WshShell.SendKeys "This was sent by a script impersonating Randy..."

' Here is how to insert a file
WshShell.SendKeys "%il"

' File name
WshShell.SendKeys "C:\Documents and Settings\icarus\Desktop\ol.txt{enter}"

' Send message
WshShell.SendKeys "%s"

I saw a paper somewhere about using scripts like this to open personal firewall configuration programs and send the keystrokes to disable them, or even add new firewall rules.

Anyway, there are a lot of fun things to do with this. And after about 5 minutes of playing with it, you will get the hang of it.
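As an added, defender's-side example that is not part of the original post: the scripts above leave a distinctive process tree on the machine they run on. WshShell.Run makes Outlook or Internet Explorer a child of wscript.exe, and the script host itself is started with a script that lives somewhere a normal user can write to, such as the Desktop. The Python below is my own code; it assumes a constructed, pipe-separated process-creation log with hypothetical field names (timestamp, parent image, image, command line) and flags both patterns.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Script hosts that run .vbs/.js files; the post's scripts run under wscript.exe
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Interactive programs the post drives with WshShell.Run followed by SendKeys
DRIVEN_APPS = {"iexplore.exe", "outlook.exe"}
# Path fragments taken to mark locations an ordinary user can write to (assumption)
USER_WRITABLE = ("\\documents and settings\\", "\\users\\", "\\temp\\")
# First script-file argument on a command line, with or without quotes
SCRIPT_RE = re.compile(r'"?([a-z]:\\[^"]+?\.(?:vbs|vbe|js|jse|wsf))"?', re.IGNORECASE)

# Constructed sample events, not from a real system. Hypothetical format:
# timestamp|parent_image|image|command_line
SAMPLE_EVENTS = r"""
2006-05-23 10:01:02|explorer.exe|wscript.exe|wscript.exe "C:\Documents and Settings\icarus\Desktop\outlook.vbs"
2006-05-23 10:01:03|wscript.exe|outlook.exe|outlook.exe
2006-05-23 10:05:00|explorer.exe|outlook.exe|"C:\Program Files\Microsoft Office\OFFICE11\outlook.exe"
2006-05-23 10:07:10|explorer.exe|cscript.exe|cscript.exe //nologo C:\WINDOWS\system32\prnport.vbs -l
2006-05-23 10:08:00|cscript.exe|iexplore.exe|iexplore.exe
"""


@dataclass
class Finding:
    line_no: int      # 1-based line in the event text
    severity: str     # "high" or "medium"
    reason: str


def parse_event(line: str) -> Tuple[str, str, str, str]:
    """Split one pipe-separated event into (timestamp, parent, image, command_line)."""
    ts, parent, image, cmdline = line.split("|", 3)
    return ts, parent.strip().lower(), image.strip().lower(), cmdline


def analyse(events_text: str) -> List[Finding]:
    """Return findings for events that match the script-host automation pattern."""
    findings: List[Finding] = []
    for n, line in enumerate(events_text.strip().splitlines(), 1):
        _, parent, image, cmdline = parse_event(line)
        if image in DRIVEN_APPS and parent in SCRIPT_HOSTS:
            # A mail client or browser whose parent is the script host: this is
            # exactly the tree that WshShell.Run "outlook.exe" produces.
            findings.append(Finding(n, "high",
                f"{image} started by script host {parent}"))
        elif image in SCRIPT_HOSTS:
            m = SCRIPT_RE.search(cmdline)
            if m and any(marker in m.group(1).lower() for marker in USER_WRITABLE):
                # Script host running a script from a user-writable location,
                # rather than an administrative script shipped in system32.
                findings.append(Finding(n, "medium",
                    f"{image} running script from user-writable path: {m.group(1)}"))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"line {f.line_no}: [{f.severity}] {f.reason}")
```

The system32 cscript.exe line is deliberately left unflagged, since administrative scripts shipped with Windows run through the same host. Where WSH is not needed at all, the host can also refuse to run these scripts outright: setting the REG_DWORD value Enabled to 0 under HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings makes wscript.exe and cscript.exe refuse to run scripts.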

Friday, May 19, 2006 

My first impressions of the new Backtrack

Here are my first thoughts from using the new beta version (and hopefully release version) of Back Track.


When you select Scanners/Port Scanners/PBNJ, it brings up a console with the help for the pbnj command. However, the actual name of the executable is scrolled up so far that you can't find it, even if you try scrolling up. Also, since the /pentest/scanners/pbnj directory is not in root's path, you can't get tab completion to work, nor just type pbnj and have it work. However, since you are in the /pentest/scanners/pbnj directory, you can just type “ls” and discover that the executable is simply “pbnj”.

Captive NTFS is present, but not in the menus. You have to run captive-install-acquire to bring up the wizard that locates the Windows DLLs it needs. I have not experimented with this under Back Track, because I am running it under VMware at the moment, but there used to be a couple of scripts under root's home directory that allowed you to capture the DLLs and mount the drive. I remember going into one of the files and changing the options from “ro” to “rw” so we could edit things. Captive NTFS is useful for when you have local access to a machine and you want to break into it. There are many ways, but my favorite is to replace sethc.exe with a copy of command.exe. Then if you reboot into Windows and hit the shift key 5 times, it will give you a command prompt as system before you have even logged in...

There is a lot of great wireless stuff, but I wish they had included Wellenreiter. That program eliminates a lot of headaches when trying to get your wireless card into monitor mode.

The dictionaries are in /pentest/password/dictionaries. Or rather, the one dictionary that they include is there, along with a default password list. I had good success with the word list from the old IWHAX/Whoppix days, but I think Auditor used to have a bunch of different dictionaries in different languages and such. They also have the Crunch dictionary generator at /pentest/password/crunch, which will enumerate through all possible passwords. With all the opportunities there are to brute-force passwords, it seems like we could get more dictionaries. On the other hand, it is pretty easy to find and create dictionaries, and they do have limited disk space.

There are both the 2.5 and 3.0 branches of Metasploit, although the 3.0 branch is still very much a work in progress. Hopefully, the next version of the 3.0 branch will be coming out soon. It will suck if it comes out just after this release of Back Track. I seem to remember someone developing an alternate user interface for Metasploit for IWHAX. It combined scanning with exploiting. I was hoping that would be in this version. Someone also had made a nifty script for cracking WEP that I don't think made it. They also include the Milw0rm and Security Focus exploit archives. They do not have the findsploit.pl script. I guess you are just supposed to grep through the index files...


Overall though, it looks pretty good. It looks like there is a lot to play with. I am also looking forward to testing out the wireless stuff.



Beta Version of the Final Release of Back Track now available

The final version of the first Back Track release is available as a beta version. It is not linked from the main Back Track site, but I stumbled on it in Mut's blog.

For info, see:

http://secmaniac.blogspot.com/2006/05/backtrack-security-final-release.html

Download at:

http://backtrack.mick27.info/iso/backtrack-final-18-5-06.iso

http://64.27.12.222/backtrack-final-18-5-06.iso