Monday, December 19, 2011

Setting up Metasploit and Armitage on a Mac

In this guide we will do the following on OS X 10.7.2:
  1. Install Metasploit Framework/Armitage prerequisites:
    • Install Xcode
    • Install PostgreSQL 9.1.1-1
    • Install MacPorts
    • Install other plugins/connectors
  2. Install Metasploit Framework 4.2
    • Install the latest Metasploit Framework
    • Update Metasploit
    • Link programs/modify $PATH
  3. Configure everything
    • YAML database settings file for Metasploit & Armitage
    • Allow Armitage to run with privileges
  4. Run Metasploit & Armitage
    • Launch msfrpcd
  5. Optionally create services & automatically update everything
    • Create a launchd service
    • Automatically update everything

1. Metasploit 4.2 prerequisites:
  • Install Xcode - http://developer.apple.com/tools/xcode/
  • Install PostgreSQL - http://www.enterprisedb.com/products-services-training/pgdownload#osx
    • Feel free to install the MacPorts version, BUT I'm using the GUI installer in the next steps.
      • PostgreSQL may ask you to reboot if it needs to adjust your shared-memory configuration.
    • Give the postgres user a secure password.
    • Configure a new user
      • Open pgAdmin III.app, connect to the local PostgreSQL server (user postgres, if it asks, & the password from above), right-click on Login Roles and select New Login Role...
      • Set the role name (this will be the username) to whatever you want, or use msfuser
        • This username will be stored in a plain-text file later!
      • Under the Definition tab, set the password to whatever you want, or use msfpassword
        • This password will be stored in a plain-text file later, so don't reuse the postgres superuser password or any other password you care about!
    • Configure the database
      • Still in pgAdmin III.app, right-click on Databases and select New Database...
      • Set the database Name to whatever you want, or use metasploitdb
      • Set the database Owner to the new user from above (msfuser in the example above)
  • Install MacPorts - http://www.macports.org/
    • Add "/opt/local" to your Spotlight privacy settings to avoid excessive compile times & unnecessary indexing by Spotlight.
      • System Preferences->Spotlight->Privacy->"+"
      • Press "command+shift+G" and type in /opt/local
    • Update with sudo port selfupdate
    • Quit Terminal & relaunch to pick up the new path settings added by MacPorts
  • Install other plug-ins
    • Install Ruby & RubyGems with sudo port install ruby19 +nosuffix
    • Install the gem/PostgreSQL connector with
      • For 32-bit systems: sudo gem install pg -- --with-opt-include=/Library/PostgreSQL/9.1/include/ --with-opt-lib=/Library/PostgreSQL/9.1/lib/
      • For 64-bit systems: sudo env ARCHFLAGS='-arch x86_64' gem install pg -- --with-opt-include=/Library/PostgreSQL/9.1/include/ --with-opt-lib=/Library/PostgreSQL/9.1/lib/
    • Install the msgpack gem with sudo gem install msgpack
    • Add /opt/local/ to your anti-virus exclusion list (the framework's payloads and exploit modules will otherwise be flagged or quarantined)
2. Install Metasploit Framework 4.2 (includes Armitage):
  • Install MSF
    • Give Metasploit a place to live with sudo mkdir /opt/local/msf
    • Download & install the latest framework with sudo svn co https://www.metasploit.com/svn/framework3/trunk/ /opt/local/msf/
      • Permanently accept the certificate with p
  • Create a link to the msf applications with sudo ln -s /opt/local/msf/msf* /opt/local/bin
    • Optionally you can edit $PATH to include /opt/local/msf/ -- BUT this method never worked for me & you would have to do that for each user on the system... or change the system $PATH
  • Create a link to Armitage with sudo ln -s /opt/local/msf/armitage /opt/local/bin
  • Update MSF with sudo msfupdate
3. Configure everything:

  • YAML database settings file for Metasploit & Armitage
    • Create the configuration directory: sudo mkdir /opt/local/config
    • Create/edit the following file: sudo vi /opt/local/config/database.yml
    • This file holds the PostgreSQL password from step 1 in the clear, so leave it owned by root and readable by the owner only (mode 600); the default umask will otherwise make it readable by every local user.

      # These settings are for the database used by the Metasploit Framework
      # unstable tree included in this installer, not the commercial editions.
      #

      production:
        adapter: "postgresql"
        database: "metasploitdb"
        username: "msfuser"
        password: "msfpassword"
        port: 5432
        host: "localhost"
        pool: 256
        timeout: 5
          • Allow Armitage to run with privileges
            • SOMETHING GOES HERE
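Since step 1 warns twice that the database credentials end up in a plain-text file, here is an added example (mine, not part of the original post and not Metasploit's own tooling) that writes database.yml with owner-only permissions from the moment it exists, and checks an existing file before you hand it to db_connect -y. It assumes bash or a POSIX sh with umask, chmod and ls; the path, database and user names are the ones used in the post, and the script file name in the usage comment is hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: create and verify the
# Metasploit database.yml from step 3 without ever leaving the password
# world-readable. Assumes bash/POSIX sh, umask, chmod, ls, grep, cut.

# write_msf_db_config PATH DBNAME USER PASSWORD [HOST] [PORT]
#   Creates PATH (mode 0600) with a "production" section Metasploit reads.
#   The password is written verbatim; avoid double quotes in it.
write_msf_db_config() {
  local path="$1" db="$2" user="$3" pass="$4" host="${5:-localhost}" port="${6:-5432}"
  mkdir -p "$(dirname "$path")"
  # umask 077 makes the file 0600 at creation, so there is no window in
  # which another local user could read it; the subshell keeps the umask local.
  (
    umask 077
    cat > "$path" <<EOF
# Database settings for the Metasploit Framework (msfconsole, msfrpcd, Armitage)
production:
  adapter: "postgresql"
  database: "$db"
  username: "$user"
  password: "$pass"
  port: $port
  host: "$host"
  pool: 256
  timeout: 5
EOF
  )
  chmod 600 "$path"   # belt and braces in case PATH already existed
}

# check_msf_db_config PATH
#   Returns 0 when PATH exists, is readable by its owner only, and names every
#   key Metasploit expects; returns 1 (with a reason on stderr) otherwise.
check_msf_db_config() {
  local path="$1" mode key
  [ -f "$path" ] || { echo "missing: $path" >&2; return 1; }
  # First 10 characters of ls -l are the type and permission bits on both
  # BSD (OS X) and GNU ls; ACL/SELinux markers come after and are ignored.
  mode=$(ls -l "$path" | cut -c1-10)
  case "$mode" in
    -rw-------|-r--------) ;;   # owner-only: fine
    *) echo "bad mode on $path: $mode (expected -rw-------)" >&2; return 1 ;;
  esac
  for key in adapter database username password host port; do
    grep -Eq "^[[:space:]]+$key:" "$path" || { echo "missing key: $key" >&2; return 1; }
  done
  return 0
}

# Usage (as root, because /opt/local/config is root-owned in the post;
# "msf-dbconfig.sh" is just a hypothetical name for this file):
#   . ./msf-dbconfig.sh
#   write_msf_db_config /opt/local/config/database.yml metasploitdb msfuser 'password-from-pgAdmin'
#   check_msf_db_config /opt/local/config/database.yml && echo ok
```

The check is worth running again after any msfupdate or editor session: some editors write a new file with the default umask when saving, which silently widens the permissions back to 644.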
4. Run Metasploit & Armitage:
  • Run Metasploit
    • Launch msfrpcd with sudo msfrpcd -U msfuser2 -P msfpassword2 -t Msg
      • Feel free to use a different username & password here; these are the RPC credentials Armitage will log in with, not the database ones.
      • By default msfrpcd listens on every interface (0.0.0.0, port 55553, SSL on). If Armitage only ever connects from this machine, bind it to the loopback address with the -a option; otherwise anyone who can reach that port and guess msfpassword2 gets full control of a framework running as root.
      • The -P password is also visible to every local user in the process list (ps) for as long as msfrpcd runs.
    • Launch msfconsole with sudo msfconsole
      • db_connect -y /opt/local/config/database.yml
        • The database schema will be built now
        • How do I make this the default (maybe just in Armitage)?
      • Exit out of msfconsole with exit
  • Launch Armitage from the command line
    • Enter the credentials from the msfrpcd command above
    • Enjoy!
5. Optional extras that will make your life better:
  • Make msfrpcd a launchd service:
    • Create/edit the following file: /Library/LaunchDaemons/org.metasploitframework.rpcd.plist

                <?xml version="1.0" encoding="UTF-8"?>
                <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
                <plist version="1.0">
                <dict>
                        <key>Disabled</key>
                        <false/>
                        <key>Label</key>
                        <string>org.metasploitframework.rpcd</string>
                        <key>RunAtLoad</key>
                        <true/>
                        <key>Debug</key>
                        <false/>
                        <key>ProgramArguments</key>
                        <array>
                                <string>/opt/local/bin/ruby</string>
                                <string>/opt/local/msf/msfrpcd</string>
                                <string>-f</string>
                                <string>-U</string>
                                <string>msfuser2</string>
                                <string>-P</string>
                                <string>msfpassword2</string>
                                <string>-t</string>
                                <string>Msg</string>
                        </array>
                        <key>WorkingDirectory</key>
                        <string>/opt/local/bin/</string>
                </dict>
                </plist>
    • Start the msfrpcd launchd job with sudo launchctl load /Library/LaunchDaemons/org.metasploitframework.rpcd.plist
      • The plist embeds the RPC password and launchd starts the server as root at every boot, so keep the file owned by root and readable only by root (mode 600 works; launchd only rejects plists that are not root-owned or are writable by others), and remember that the RPC port is now open whether or not you are using it (on all interfaces, unless you add -a and 127.0.0.1 to the ProgramArguments).
  • Automatically update everything you just installed:
    • Edit root's crontab (sudo crontab -e), since everything above lives in /opt/local and was installed with sudo, & add the following lines:
      0 6 * * * /opt/local/msf/msfupdate -u
      0 5 * * * /opt/local/bin/port selfupdate; /opt/local/bin/port upgrade outdated
      0 5 * * * /opt/local/bin/gem update --system
    • If you don't know what this means then don't touch cron.

            Further reading:
            http://blog.metasploit.com/2010/05/introducing-metasploitable.html
            http://www.symantec.com/connect/articles/metasploit-framework-part-3
            http://www.fastandeasyhacking.com/manual#mac

            Sources:
            http://www.cedric-baillet.fr/IMG/pdf/armitage_configuration_on_macosx.pdf
            https://community.rapid7.com/docs/DOC-1037
            http://krypted.com/mac-os-x/mac-os-x-enable-and-disable-spotlight/

            Tuesday, May 17, 2011

            Rename multiple files' file extensions from the command line with a wildcard

Problem:
I hate not being able to rename multiple files from the command prompt/Mac Terminal session, i.e.:
mv *.thisisthewrongextension *.thisiscorrect
or, as my example will be, for torrent files incorrectly downloaded by a browser as .torrent.html files:
mv *.torrent.html *.torrent
This lack of functionality in bash just drives me crazy.

Solution:
Here are two inline commands, a bash script, a Perl script, and a GUI Mac program that will overcome this shortfall. In the two command examples we will rename files that downloaded as myfile.torrent.html to myfile.torrent.
1. find *.torrent.html -exec sh -c 'mv -vn "$1" "${1%.torrent.html}.torrent"' _ {} \;
   find *.torrent.html -exec sh -c 'mv -vn "$1" "$(basename "$1" .torrent.html).torrent"' _ {} \;
2. for i in *.torrent.html; do mv -vn "$i" "$(basename "$i" .torrent.html).torrent"; done
3. bash/Perl script examples located here
4. You could also use this GUI program on a Mac, it is VERY, VERY, VERY awesome: A Better Finder Rename
Solution 1 breakdown: In the first example we use the find command together with -exec to run another command for each result; the second example does the same job as a one-line bash loop. Let's begin with the command breakdown:
find *.torrent.html
will output:
myfile1.torrent.html
myfile2.torrent.html
myfile3.torrent.html
Then we run into the "-exec" parameter of the find command... it may seem like a lot to deal with, but basically it just runs a command each time find returns a result. Moreover, it passes the found file/directory wherever "{}" appears in that command. For example:
find *.torrent.html -exec echo {} \;
Please note: at the end of an "-exec" you must have whitespace (a space in the above example), then a backslash (escape character) followed by a semicolon. If you don't do that you'll get the following error:
find: -exec: no terminating ";" or "+"
Anyway, the aforementioned command will output:
myfile1.torrent.html
myfile2.torrent.html
myfile3.torrent.html
Let's take a break from the "-exec" function of the "find" command and move on to the "mv" command (pun intended). When you move or rename a file you need to specify a source & a destination file/directory. Since "mv" can't take a wildcard as the destination (which is the point of this article), the following will not work:
mv *.torrent.html *.torrent    -   this will not work
However, the following 3 commands will work (and this is exactly what we will be replicating in this first example):
mv myfile1.torrent.html myfile1.torrent
mv myfile2.torrent.html myfile2.torrent
mv myfile3.torrent.html myfile3.torrent
I'm also adding the "-vn" options to the "mv" command so it will be verbose about what it is moving & to prevent "mv" from overwriting an existing file. Now that we know what "mv" will be expecting, let's see how we can get "find" & "-exec" to pass the file names to the "mv" command. Because the new name has to be computed from the old one, the rename runs inside a tiny shell script that find starts for each file:
find *.torrent.html -exec sh -c 'mv -vn "$1" "${1%.torrent.html}.torrent"' _ {} \;
find *.torrent.html -exec sh -c 'mv -vn "$1" "$(basename "$1" .torrent.html).torrent"' _ {} \;
(Putting backticks straight into the find line, e.g. `echo {} | cut -f1 -d.`, does not work: your interactive shell evaluates the backticks once, before find starts, while "{}" is still the literal string "{}", so every file would be renamed to "<name>.torrent.html.torrent"; and cutting at the first dot would also mangle a name like my.file.torrent.html.)

The {} portion of the above command will be replaced with "myfile1.torrent.html" and handed to sh -c as its first positional parameter, $1 (the "_" merely fills the $0 slot, the script's name). Passing the name as a parameter instead of pasting it into the script text means a file name containing spaces, quotes or $ can neither break nor hijack the command. For the next portion of the command we will look at the part of the script that builds the new name.
${1%.torrent.html} is translated into:
myfile1.torrent.html with the ".torrent.html" suffix stripped
$(basename "$1" .torrent.html) is translated to:
$(basename myfile1.torrent.html .torrent.html)
Either form gives the following output (note that anything inside $( ) is executed first, and ${ } is expanded first):
myfile1
This output still needs an extension appended to it, so we do the following:
"${1%.torrent.html}.torrent"
"$(basename "$1" .torrent.html).torrent"
And we get the following output:
myfile1.torrent
So now the "mv" command has both a source ("$1", the file find passed in) and a destination (one of the two expressions above), and we get:
find *.torrent.html -exec sh -c 'mv -vn "$1" "${1%.torrent.html}.torrent"' _ {} \;
find *.torrent.html -exec sh -c 'mv -vn "$1" "$(basename "$1" .torrent.html).torrent"' _ {} \;
With the following output:
myfile1.torrent.html -> myfile1.torrent
myfile2.torrent.html -> myfile2.torrent
myfile3.torrent.html -> myfile3.torrent
Phew... all done with the first example.

Solution 2 breakdown... sort of:
Now let's dissect the single-line bash loop:
for i in *.torrent.html; do mv -vn "$i" "$(basename "$i" .torrent.html).torrent"; done
Expanded below with added comments it looks like:
for i in *.torrent.html;  #(the for loop begins here; the shell expands the wildcard and hands the loop one file name per iteration)
    do
        mv -vn "$i" "$(basename "$i" .torrent.html).torrent";  #(here we use the mv command, as we saw above, with "basename" stripping the old extension; keep the quotes so names with spaces survive)
    done  #(and then we are done)
I could go into more detail, but I think that should be enough for today. For more details about this construct, and to see some other bash examples, go here.
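As an added example that is not part of the original post, here is the same idea wrapped in a reusable bash function, generalised to any pair of extensions rather than the .torrent.html case alone. It assumes bash or a POSIX sh and an mv that understands -n (BSD mv on OS X and GNU mv both do); the file names in the demo are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: rename every file in a directory
# that ends in one suffix so that it ends in another, without clobbering.
# Assumes bash/POSIX sh and mv -n.

# rename_ext OLD NEW [DIR]
#   Renames DIR/*OLD to DIR/*NEW (DIR defaults to the current directory).
#   Never overwrites an existing target; prints each rename on stdout and each
#   skip on stderr. Returns the number of files it had to skip (0 = all done).
rename_ext() {
  local old="$1" new="$2" dir="${3:-.}" f target skipped=0
  for f in "$dir"/*"$old"; do
    # With no matches the unexpanded pattern comes back literally; skip it.
    [ -e "$f" ] || continue
    # Strip OLD from the end (quoted, so it is taken literally) and append NEW.
    target="${f%"$old"}$new"
    if [ -e "$target" ]; then
      printf 'skip: %s (target %s already exists)\n' "$f" "$target" >&2
      skipped=$((skipped + 1))
      continue
    fi
    # "--" ends option parsing so a name starting with "-" is still a file.
    mv -n -- "$f" "$target"
    printf '%s -> %s\n' "$f" "$target"
  done
  return "$skipped"
}

# Demo on constructed file names, run only when invoked with --demo:
#   sh rename_ext.sh --demo      (file name is hypothetical)
if [ "${1:-}" = "--demo" ]; then
  demo=$(mktemp -d)
  touch "$demo/myfile1.torrent.html" "$demo/my file2.torrent.html" "$demo/my.file3.torrent.html"
  rename_ext .torrent.html .torrent "$demo"
  ls "$demo"
  rm -rf "$demo"
fi
```

Note that the function looks at the whole suffix, so "my.file3.torrent.html" becomes "my.file3.torrent" intact, which a cut-at-the-first-dot approach would get wrong.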

            If you need help with a bash script:
            1. Feel free to comment/mail me
            2. Visit a linux forum (www.linuxquestions.org)
            3. Take a good long look at the Advanced Bash Scripting Guide
            4. Use the "man" pages for further detailed info.
            -Brian
            =:~)

            Saturday, May 7, 2011

            Fixing double letter issues when naming people in photos in iPhoto

            Problem:
            When in iPhoto and naming/identifying people using "Faces" when you type in the text field all characters typed are doubled (see below)

Cause:
A corrupted Address Book database... yeah, annoying, huh?

            Detection:
            in /var/log/system.log look for lines similar to the following:
            12/2/10 12:45:00 PM AddressBookSync1871 Critical error fetching ABCDContact in context <ABManagedObjectContext: 0x10012b670>: Fatal error. The database at /Users/kurtpedrosa/Library/Application Support/AddressBook/AddressBook-v22.abcddb is corrupted. SQLite error code:11, 'database disk image is malformed'
            The data that's important here is:
            database at Application Support/AddressBook/AddressBook-v22.abcddb is corrupted

Solution:
Rebuild your Address Book database.
            I'm partially referencing the instructions from this site:
            http://forums.macnn.com/82/applications/431074/corrupt-address-book-how-can-i/
            1) Exit iPhoto & other apps that may use the address book.
            2) Backup your address book.
            • Open Address book.
            • Click on "All Contacts" and drag that into a folder of your choosing. (that was easy)
            • Make another type of backup, from address book click on the "File" menu->"Export..."->"Address Book Archive..." and save that file somewhere safe too.
            • Quit Address Book
3) Fix the Address Book database.
Run the following from the Terminal, logged in as your own user (not via sudo: ~ would then point at root's home and the rebuilt file would end up owned by root). It dumps everything SQLite can still read out of the damaged file into a fresh database, keeps the damaged original as a .bak, and moves the fresh copy into place. If you want proof before and after, SQLite's integrity_check pragma answers with a single "ok" on a healthy file and lists the problems on a damaged one.
echo '.dump' | sqlite3 ~/Library/Application\ Support/AddressBook/AddressBook-v22.abcddb | sqlite3 ~/Library/Application\ Support/AddressBook/AddressBook-v22.abcddb.new; mv ~/Library/Application\ Support/AddressBook/AddressBook-v22.abcddb ~/Library/Application\ Support/AddressBook/AddressBook-v22.abcddb.bak; mv ~/Library/Application\ Support/AddressBook/AddressBook-v22.abcddb.new ~/Library/Application\ Support/AddressBook/AddressBook-v22.abcddb

            Here is the code broken into three separate commands:
            echo '.dump' | sqlite3 ~/Library/Application\ Support/AddressBook/AddressBook-v22.abcddb | sqlite3 ~/Library/Application\ Support/AddressBook/AddressBook-v22.abcddb.new
            mv ~/Library/Application\ Support/AddressBook/AddressBook-v22.abcddb ~/Library/Application\ Support/AddressBook/AddressBook-v22.abcddb.bak
            mv ~/Library/Application\ Support/AddressBook/AddressBook-v22.abcddb.new ~/Library/Application\ Support/AddressBook/AddressBook-v22.abcddb

            Start Address Book & iPhoto, enjoy tagging faces again.