Muts' Blog

Goodbye Blog, Hello BackTrack 4

2009-05-26T19:05:00.002-04:00

I've consolidated all my blogs at :

http://www.offensive-security.com/blog

This new blog will keep you updated with the latest and greatest in the world of BackTrack.

Offensive-Security.com Cowpatty Rainbow Table Collection

2009-03-28T19:31:00.006-04:00

We've finally gotten up to uploading and hosting our massive Offensive Security Cowpatty WPA rainbow tables.

We've crunched the top 200 SSIDs, with a 49 million password WPA optimised dictionary file. The list will be updated as we continue uploading new files....

http://www.offensive-security.com/wpa-tables/

Please help seeding these files if possible. Pushing hundreds of GBs across the internet is not a simple task :)

Cracking WPA at the speed of pico

2009-01-30T13:27:00.007-05:00

We're building a new WPA Rainbow Table cracking collection, using a 40 million long password list.
Each table is 1.9 GB, created per SSID. We're crunching through the top 500 SSIDs for this project, with David from Pico Computing leading the way.

The tables will be used in a contest at shmoo, and later on be available on torrents. We presently have over 350 GB of tables, and still counting.

This is what aircrack-ng looks like when connected to an array of 35 E16 picos:

BackTrack 4 Beta almost out of the oven!

2009-01-30T01:14:00.003-05:00

Once again, it's that time of the year... we are working hard on BackTrack 4 and it will be released in the very near future...

I've set up a small blog where I'll be able to post BT4 related information, until our wiki is fully functional. Check it out here : http://backtrack4.blogspot.com/

MS Internet Explorer XML Parsing Remote Buffer Overflow Exploit

2008-12-10T14:15:00.007-05:00

Just downloaded it from:
http://milw0rm.com/exploits/7403
Played around with it, got code exec in Vista SP1:
http://www.offensive-security.com/0day/iesploit-vista.rar

Updated my Vista Box:

After fully patching my box, the exploit was still working, giving full code exec. Yikes.

Metasploit 3 on an iPhone

2008-07-01T20:16:00.010-04:00

The idea of getting Metasploit 3 on an iPhone has been bugging me for a while.
We've already put it on a WRT54g, so having it on an iphone was a must.
The Ruby package in the iPhone installer is broken, and recompiling it... just didn't seem like fun.
I haven't had too much background with installing iPhone firmwares, so i called on my trustworthy friend, Jacky.

I read that the Cydia installer was a better environment (BSD Subsystem replacement) for these games...so after a painful process of bricking my iPhone, being saved by Jacky, installing Cydia, ruby, wget, mobile terminal, svn and downloading metasploit - we got it to work!

iPwn takes on a whole new meaning :)

http://www.offensive-security.com/images/iphone01.jpg
http://www.offensive-security.com/images/iphone02.jpg
http://www.offensive-security.com/images/iphone03.jpg
http://www.offensive-security.com/images/iphone04.jpg
http://www.offensive-security.com/images/iphone05.jpg

PS - Just to later find out that Metasploit 3 is already included in the Cydia installer...ugh.

BackTrack 3 Final - Release Information

2008-06-10T03:10:00.022-04:00

It's finally happening....BackTrack 3 Final is being released....Finally!
Max, Martin and I have slaved for weeks and months, together with the help of many remote-exploit'ers to bring you this fine release. As usual, this version overshadows the previous ones with extra cool things.

Saint
SAINT has provided BackTrack users with a functional version of SAINT, pending a free request for an IP range license through the SAINT website, valid for 1 year.

Maltego
The guys over at Paterva have created a special version of Maltego v2.0 with a community license especially for BackTrack users. We would like to thank Paterva for co-operating with us and allowing us to feature this amazing tool in BackTrack.

Nessus
Tenable would not allow for redistribution of Nessus.

Kernel
2.6.21.5. Yes, yes, stop whining....We had serious deliberations concerning the BT3 kernel. We decided not to upgrade to a newer kernel as wireless injection patches were not fully tested and verified. We did not want to jeopardize the awesome wireless capabilities of BT3 for the sake of sexiness or slightly increased hardware compatibilities. All relevant security patches have been applied.

Tools
As usual, updated, sharpened, SVN'ed and armed to the teeth. This release we have some special features such as spoonwep, fastrack and other cool additions.

Availability
We will be releasing an internal "IRC pre release" version of BT3F for final testing and identification of possible blunders...and shortly after that we will have a full blown release.

Final Requests
We request the community to not mirror or torrent this release, or otherwise distribute it online without our knowledge. We are trying to gather statistics about bt3 downloads. If you would like to mirror BT3 then please:
1) Think again! Traffic generated by BT3 downloads is CRAZY.
2) Please contact us before doing so.
3) Send us monthly statistics of downloads for the iso.

If you would like to add a link to BackTrack downloads to your website, please use:

http://www.remote-exploit.org/backtrack_download.html as the download link.

Rants
Problems, fixes, bugs, opinions - should all end up in our Remote Exploit community forums, and our wiki:

http://forums.remote-exploit.org
http://wiki.remote-exploit.org

Over and out,

Muts, Max, MjM

BackTrack 3 Beta out!

2007-12-13T23:47:00.000-05:00

Max Martin and I are ecstatically happy to announce that Backtrack 3 Beta is available for download.

We are all suffering from lack of sleep - we will make a public announcement about this tomorrow.

The images are currently being uploaded to mirrorswitch servers, and a torrent has been made available:

BackTrack 3 Beta ISO version (Stripped Down - 700 mb)
http://www.offensive-security.com/bt...07.iso.torrent
md5sum : 04ed8742fc8facd1ecc8c9f6f567c116
shasum : 70c33e0aa75a978b8a87a207bf488ecec8d10a87

BackTrack 3 Beta USB version (946 mb)
http://www.offensive-security.com/bt...07.rar.torrent
md5sum : bd0d8f507502787184b187f5a39288df
shasum : 853b80a77e3881e8084c797ba55077ead15f84ae

More info, howtos, changelogs etc will be updated on our wiki:

http://backtrack.offensive-security.com

We need sleep.

Enjoy !

Muts

BT3 Beta ETA - 14th Dec 2007

2007-12-03T15:34:00.000-05:00

I've finally managed to pull Max Martin and me out of the proverbial work cycle we're in - we plan to release the Beta on the 14th Dec 2007.
"Beta" means we think this version is stable and ready, and need final confirmation from the community before adding a few more modules and tweaks, and calling it a final.

There will be 2 releases of BT3 - a ~700 mb iso file, and a ~1 GB USB stick image. Compiz will NOT be included in the stock 700 mb bt3 iso. We have to fight for each MB on the iso...and compiz is far from being useful in a penetration test environment. We DO however plan to have compiz modules for download separately, and to add them to the 1 GB distribution.

Hurray!

BackTrack 3 in the oven!

2007-09-26T11:17:00.000-04:00

Max, Martin and I have started working on BackTrack 3....and boy...it's sexy. I know I've said this before about BackTrack 2...but really....it's sexy...sexier than ever before.
New shiny kernel, new patched wifi drivers, compiz working out of the box (so we can all pwn like r0ckstarz). We are planning on new public repositories for BT3 - for better support for updates and HD installs.

We still don't have an ETA for BT3...but one thing is for sure - it will be worth the wait! More info about BT3 dev to follow in the next few weeks.

PS - I've updated the offsec website with this BackTrack 3 Teaser:

http://www.offensive-security.com/movies/bt3teaser/bt3teaser.html

Microsoft Bugs vs Features

2007-04-13T09:14:00.000-04:00

I've been watching the developments of the "Word 2007" doc bugs fiasco. Its seems like Microsoft are calling these crashes "features" rather than bugs.

http://www.computerworld.com.au/index.php/id;377659799;fp;2;fpid;1

I'm not sure if this is the result of IT security media contorting the infomation they recieve and presenting it in a provocative way, or if Microsoft are really trying to blow off these bugs as part of their application design.

To make things clear - The bugs that I released are proof of concepts which cause denial of service. In their current state, they do not present a real threat to Word 2007 users. However, having an application crash or consume 100% CPU on a machine due to malformed user input - is probably the most classical description of a software bug.

It also seems that there is no mention of the HLP heap overflow, which probably presents more danger than all 3 doc bugs combined.

Microsoft DOC bugs and friends

2007-04-11T18:00:00.000-04:00

Wow! Who thought 7 lines of python could go so far.

A few days ago I released a few proof of concepts to full disclosure - http://seclists.org/fulldisclosure/2007/Apr/0325.html

3 doc files which crashed my Word 2007, and a hlp file which when analysed looked like a classic heap overflow, with a twist or two.

It looks like there is some confusion by Microsoft - who for some reason are not able to reproduce these bugs -http://www.scmagazine.com/uk/news/article/649985/post-patch-tuesday-microsoft-vulnerabilities-posted-exploit-sites/

I've recieved many mails from full disclosure members confirming the crash. Someone even mentioned Word 2004 crashing on OSX.

So just to make things clear - here are some screenshots of the crashes. I fully hope that Microsoft will find the resources to figure this out.

PS - The really interesting part is this... Does anyone remember the old HLP heap overflow condition ? - http://www.securityfocus.com/archive/1/archive/1/430871/100/0/threaded

It turns out, that by simply copy/pasting the OLD hlp file mentioned in the post and executing it on a fully patched XP SP2 machine one would have triggered this new heap overflow....QA anyone ?

BackTrack 2.0 Final Due End of Febuary

2007-02-13T08:40:00.000-05:00

We have been working really hard on BackTrack 2.0 Final.
I managed to change kernels (twice), and I think I broke some sort of record in fuxxing up BT :)
Things are looking good however, with some nice features included into v.2.0 final. These are just a few:

* Updated to Kernel 2.6.19
* Broadcom Wifi drivers +injection (bcm43xx)
* IPW2200 Wifi drivers + injection
* RTL8180 Wifi drivers + injection
* RTL8187 Wifi drivers + injection
* Support for a wider range of Wifi cards
* Fixed BT JTR PXE Cluster Pack
* Added Metasploit PXE ninja
* Updated tools and packages

Things are looking extremely sexy, and we hope to have a final release by the end of Febuary.

BackTrack v2.0 Public Beta Has Been Released!

2006-10-14T20:03:00.000-04:00

Released a public Beta version today. Max and I have stomped out most of the bugs, and after s short testing period, we'll release the final. Send feedback!

http://www.offensive-security.com/downloads.html

McAfee Epolicy Orchestrator / ProtectionPilot Buffer Overflow

2006-10-02T07:56:00.000-04:00

I've released a PoC exploit for McAfee Epolicy Orchestrator / ProtectionPilot last night.
This exploit was tested on Win2k SP4 / Win2k3 sp1.
McAfee were notified on the 14th July, and havn't managed to get it pacthed since.

Proof of concept exploit code is available at:
http://www.remote-exploit.org/exploits/mcafee_epolicy_source.pm

And a short article describing the exploit is available at :
http://www.remote-exploit.org/advisories/mcafee-epo.pdf

BackTrack John the Ripper (MPI) Cluster Server

2006-09-25T05:58:00.000-04:00

I've been working on a password cracking cluster. I will be integrating this into the next version of BackTrack (which is currently under development). The general idea is to have a BackTrack CD with PXE capabilities. Computers can now boot from the network, and join the Cracking cluster.

For more info, check this:

http://www.remote-exploit.org/BTJTRMPI.pdf

Back|Track Security Final Release

2006-05-15T09:00:00.000-04:00

After spending countless hours flattening out bugs - Max and I will soon be releasing the final version of BackTrack. Our estimated date is the 26th May, but of course, subject to change.

Check http://www.remote-exploit.org/index.php/BackTrack

We've decided to beta test the final release, and provide a limited download to our hardcore IRC users - just to make sure we havn't messed anything up. Several nice people are helping us host this iso. PLEASE GIVE FEEDBACK.

http://backtrack.mick27.info/iso/backtrack-final-18-5-06.iso
http://64.27.12.222/backtrack-final-18-5-06.iso
MD5sum : 14ebbbf7f914cc547fba995c513fa4bf

Metasploit on WRTSL54GS

2006-05-15T08:44:00.000-04:00

After mucking around with my NEW Linksys router, a managed to get Metasploit Framework to run on it. More information can be found in the remote-exploit site:
http://www.remote-exploit.org/research/OpenWRTvsMetasploit.html

Unbricking a WRT54G

2006-05-15T08:03:00.000-04:00

I bricked my WRT54G. T'was a sad day. Well, to be honest, I didn't exactly "brick" it, I had openwrt on it, with no "boot_wait", and i had forgotten the ssh password to it. It seemed like the only option I had was do build a serial console for it, and solder it to the WRT54G board - which made me shudder. After googling for a while, I found an interesting article describing an "unbricking" method which worked for me. The whole presentation can be found at http://www.trilug.org/talks/2004-09-wrt54g/Hacking_The_WRT54G_Presentation.PDF .
Apparently, this is a dangerous procedure, which can result in a completely DEAD WRT, be warned.