Tag Archive for open source

Firefox Extensions For Penetration Testing

This year at the SecTor security conference in Toronto, Canada, Security Compass introduced a series of open source firefox extensions aiding in penetration testing exercises.

Illuminating the Black Art of Security. SecTor brings the world’s brightest (and darkest) minds together to identify, discuss, dissect and debate the latest digital threats facing corporations today. Unique to central Canada, SecTor provides an unmatched opportunity for IT Professionals to collaborate with their peers and learn from their mentors. Held at the Metro Toronto Convention Centre in downtown Toronto, SecTor runs two full days, October 7th and 8th. The event features Keynotes from North America’s most respected and trusted experts. Speakers are true security professionals with depth of understanding on topics that matter. SecTor is a must attend event for every IT Professional.

This suite of web application security testing tools is named Exploit-Me and its designed to be lightweight and easy to use.

The suite is compromised of XSS-Me allowing Cross-Site Scripting, which is a common flaw found in web applications, SQL Inject-Me used to check for SQL Injection vulnerabilities which would allow malicious users to view, delete and modify records and finally Access-Me which test for access vulnerabilities by trying to access resources without being authenticated.


Cross-Site Scripting (XSS) is a common flaw found in today’s web applications. XSS flaws can cause serious damage to a web application. Detecting XSS vulnerabilities early in the development process will help protect a web application from unnecessary flaws. XSS-Me is the Exploit-Me tool used to test for reflected XSS vulnerabilities.

SQL Inject-Me

SQL Injection vulnerabilities can cause a lot of damage to a web application. A malicious user can possibly view records, delete records, drop tables or gain access to your server. SQL Inject-Me is the Exploit-Me tool used to test for SQL Injection vulnerabilities.


Access vulnerabilities in an application can allow an attacker to access resources without being authenticated. Access-Me is the Exploit-Me tool used to test for Access vulnerabilities.


Root Shell – The Holy Grail

The “Holy Grail” of any attack is the creation of a root shell. On UNIX/Linux, the “root” user is a superuser account that has the capability of running any process on the machine. An exploit will attempt to gain root access to a system by obtaining a root shell prompt from which any command can be executed.

The hacker will attack a system running an exploit script that breaks into the system, following with establishment of a root shell bound to a TCP connection, which will then allow the attacker to remotely enter commands into the system.

There are basically three way that these shells can be bound to a TCP connection:

  1. Conversion – The TCP connection used to exploit the server (such as SMTP, DNS, FTP) is converted to a shell prompt.
  2. Listen – The most popular method is to register a shell (/bin/sh, /bin/ksh, etc.) within a service bound  to a particular port.
  3. Connect – This exploit will create a outbound connection back to the attacker.

In the early days, these exploits were developed by the “Leet” hackers using either reverse engineering and/or a trial and error approach to see how applications/systems behaved when unexpected packets were sent their way.

Later tools started to appear in the wild on the Internet, which then prompted the existence of the term “Script Kiddie“; allowing people without the ability to write hacking programs on their own to target machines on the Internet.

On the security consultant side, vendors in the late 80s and early 90s provided extremely expensive equipment/software such as NetTest, NetScout Systems and Sniffer Technologies as well as automated scanning tools such as ISS’ Internet Scanner.

Online vulnerability repositories like http://rootshell.org were used target specific applications to determine actual levels of threat probabilities.

With the open source initiative, many of these high-end tools have become widely available and have even matched and in some cases mastered their proprietary counterparts. Examples of these are Ethereal which then became Wireshark, Nmap, Nessus.

Rootshell.org has since disappeared and been replace by Milw0rm.com, an online exploit database. Hacking tools have become much more sophisticated in methods and automation, for instance the “Metasploit Project” providing information about security vulnerabilities and aiding in penetration testing with the capability of querying exploit databases in real-time to scan and attack for the most recent exploits.

This without a doubt raises serious questions on the approach security professional and system administrator need to take to protect and guard their systems.

We are well past the point when hacking was for the elite, when ill-intentioned people can monitor the release of security patches released by vendors and using the window of time between the patch release date and when patches are actually applied to make mischief.


Setting up a Mail Relay on CentOS 5

This will give you the capability to scan e-mails for spam, viruses and phishing using a variety of open source programs before they arrive to your e-mail server.

From Sekipedia
Jump to: navigation, search

* Install CentOS 5.1 barebones (customizing the install with nothing checked.)

* Update the system

yum update

* Install Additional packages

yum install ntp

yum install vixie-cron crontabs

* Download and install Webmin

cd /opt

wget http://prdownloads.sourceforge.net/webadmin/webmin-1.430-1.noarch.rpm

yum install perl-Net-SSLeay

rpm -ivh webmin-1.430-1.noarch.rpm

* Disabled unneeded services

service iptables stop
service ip6tables stop
service netfs stop
chkconfig iptables off
chkconfig ip6tables off
chkconfig netfs off

* Install Postfix

yum install postfix

* Configure Postfix

myhostname = titan.corp.com
mydomain = localhost
myorigin = $mydomain
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, $mydomain
mynetwork_style = class

* Configure Postfix to forward email

relay_domains = lab.net

This tells Postfix which domains it should relay mail. All mail destined for this domain (and only this domain) will be forwarded to its remote SMTP server. You can put multiple domains here, just separate them with a comma or whitespace.

Add line to end of main.cf

transport_maps = hash:/etc/postfix/transport
mailbox_size_limit = 20480000
mailbox_size_limit = 20480000

This tells Postfix what method to use to resolve the destination address for relayed mail:

Add line to end of “/etc/postfix/transport”

lab.net smtp:[]

This command specifically maps the domain “lab.net” to the IP address and tells Postfix to use SMTP as the transport. All mail destined for lab.net which is relayed through this Spam Gateway will be forwarded via SMTP to

Then run command:

postmap /etc/postfix/transport

This command builds the hash table/file which Posfix will use to forward mail. If you don’t do this, it wont work.

Finally add this line to main.cf

append_at_myorigin = no

These lines will make sure your Spam Gateway does not add any of its own header domain info to the mail as it passes thru.

* Test Again

Stop and start postfix to make sure all changes take.

service postfix stop
service postfix start

I know this is redundant, but you really should test your system again before installing MailScanner. Make sure that mail gets passed through the system without problem. If you do encounter a problem, it will be a lot easier to fix it now than after you’ve installed MailScanner, SpamAssassin and ClamAV.

At this point incoming e-mail should go through the Mail Relay and be forwarded to the internal E-mail server.

* Install DAG’s GPG key

rpm –import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt

* Verify the package you have downloaded

rpm -K rpmforge-release-0.3.6-1.el5.rf.*.rpm

Security warning: The rpmforge-release package imports GPG keys into your RPM database. As long as you have verified the package and trust Dag then it should be safe.

* Download and Install the package

wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
rpm -ivh rpmforge-release-0.3.6-1.el5.rf.*.rpm

This will add a yum repository config file and import the appropriate GPG keys. At this point, you can set the priority of the RPMForge repository, and also of the CentOS repositories if you have not done so yet.

* Test with this command:

yum check-update

* Update the system

yum update

* Install perl modules and dependencies for MailScanner

yum install –enablerepo=rpmforge perl-Archive-Zip perl-Convert-BinHex perl-Convert-TNEF perl-DBD-SQLite perl-Filesys-Df perl-HTML-Parser

yum install –enablerepo=rpmforge perl-IO-stringy perl-MIME-tools perl-Net-CIDR perl-Sys-Hostname-Long perl-OLE-Storage_Lite

yum install tnef

* Download and Install MailScanner

wget http://www.mailscanner.info/files/4/rpm/MailScanner-4.71.10-1.rpm.tar.gz

tar -zxvf MailScanner-4.71.10-1.rpm.tar.gz

cd MailScanner-4.71.10-1

rpm -ivh mailscanner-4.71.10-1.noarch.rpm

chkconfig postfix off

service postfix stop

chkconfig MailScanner on

* Configure MailScanner Settings

Updates to postfix’s main.cf by adding this line:

header_checks = regexp:/etc/postfix/header_checks

In the file /etc/postfix/header_checks add this line:

/^Received:/ HOLD

Here are the edits to Mailscanner – place / update in /etc/MailScanner/MailScanner.conf

Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix

Optional edits to MailScanner

Change %org-name%
Change %org-long-name%
Change %web-site%

Here’s some file permissions changes you’ll need to make:

chown postfix.postfix /var/spool/MailScanner/incoming
chown postfix.postfix /var/spool/MailScanner/quarantine

service MailScanner start

Its a good idea to test the server now. Send a message to the remote server and see if it goes through. It should, and then you can move to installing SpamAssassin.

* Install perl modules for SpamAssassin

yum install perl-Digest-SHA1 perl-Net-DNS perl-Archive-Tar perl-IO-Zlib

yum install –enablerepo=rpmforge perl-Encode-Detect perl-Mail-SPF perl-IP-Country perl-Mail-DKIM perl-Net-Ident

* Update the system

yum update

* Install and Configure SpamAssassin

yum install spamassassin

You don’t need to edit any of the SpamAssassin conf files because all of the configuration is done through MailScanner.

In /etc/MailScanner/MailScanner.conf we will make these changes:

Change this line:

Use SpamAssassin = no


Use SpamAssassin = yes

Update the SpamAssassin User State Dir setting:

SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin

and then run commands:

mkdir /var/spool/MailScanner/spamassassin
chown postfix.postfix /var/spool/MailScanner/spamassassin

Restart MailScanner to make changes stick.

service MailScanner restart

* SELinux exception for Clamav

setsebool -P clamd_disable_trans=1 or disable SELinux while Clamav is installed.

* Install ClamAV

yum install clamav clamav-db –enablerepo=rpmforge

* Configure ClamAV and MailScanner Settings

In /etc/freshclam.conf make the following edits:

Add ‘#’ in front of the word ‘Example’

Do the same in /etc/freshclam.conf

Now you need to update ClamAV’s virus signature files

[[email protected]]# freshclam

ClamAV update process started at Fri Sep 19 12:45:42 2008
main.cld is up to date (version: 48, sigs: 399264, f-level: 35, builder: sven)
daily.cvd is up to date (version: 8287, sigs: 29596, f-level: 35, builder: arnaud)

Update MailScanner’s configuration file to use ClamAV

‘Virus Scanners = clamav’

In MailScanner.conf, check the setting of ‘Monitors for ClamAV Updates’ to ensure it matches the location of your ClamAV virus database files.

This should be “/var/clamav/*.cld /var/clamav/*.cvd”.

* Installing Postgrey

yum install postgrey

* Configuring Postgrey

Edit /etc/postfix/main.cf and add the following to smtpd_recipient_restrictions.

check_policy_service unix:postgrey/socket

check_policy_service unix:postgrey/socket performs the greylisting while adding reject_unlisted_recipient before it enables Postfix to immediately reject unknown recipients instead of having clients go through the greylisting process before being informed that the recipient does not exist.

To disable greylisting for certain IP addresses or hostnames, add the IP address, hostname or regular expression to match hostnames into the file /etc/postfix/postgrey_whitelist_clients.local.

Hostnames are identified by performing a reverse DNS on the client’s IP address.

For sample entries, view the file /etc/postfix/postgrey_whitelist_clients.

* Update the system

Make one last final update to make sure your system is updated.

yum update