Wednesday, November 28, 2007

HTTP Request Forager v1.1

Heres a script I made to forage HTTP requests for pen-testing

Download

Monday, November 26, 2007

Useful Things

Posted the sites first "Useful Things" plunder. a JavaScript Shell, very "Useful" thing for pen-testing XSS holes.

Wednesday, November 14, 2007

Think Thin

Think Thin
The skinny on thin clients
Part 1

::Intro::
In this installment of the series we will be looking at the What, Why, How, of thin clients. I made this in a two part series because this is a fairly new piece of network device technology that is popping up in our libraries, Internet Cafes, and production floors or offices all over the world. I just feel an in-depth look at thin clients and thin client technology is needed.

::What is a thin client::
In a thin client environment, clients act as terminals providing access to application and data on the servers. Rather than holding data individually on each node, applications are instead held centrally with users accessing them across the network. This way most of the data handling and processing is done on the server side.

A thin client may process only keyboard input and screen output, leaving all application processing to the server. This dedicated main server provides applications and other resources to a large number of terminals. The terminals often have just enough intelligence to operate the mouse, keyboard, monitor, and Ethernet. A thin client generally does not have a hard drive, or any other kind of drive for that matter.

Many of the latest developments at IBM *www.ibm.com* and WYSE *www.wyse.com* operate with Windows XPe, Windows CE, or embedded Linux. They have integrated Wireless, embedded network testing tools *ping and trace* and Internet Explorer or Net Scape for the linux clients, printer ports, USB 2.0, FireFox and a small amount and free ROM space to upload programs that can be accessed directly from the thin client.

::Why are so many people using thin clients::
The use of thin clients are first and for most because it can reduce annual total cost of ownership by $1000 per device per year or more in harsh environments!! This of course has IT maintenance time and replacement costs figured in, in fact a large portion of that cost reduction comes from less IT cost to maintain the network and the nodes/devices with in. Nice easy upgrading, and easy deployment of security policies, these are due to the fact that every thing is done on the server for the most part. In some situations a admin is on site maybe 10% of the time if that.

Another unique quality of the thin client is its super small foot print. About the size of a cable modem, the thin client can go places a typical desk top can not like smaller places and makes it much more mobile and less cumbersome.

::How does all this work?::
A preconfigured unit when first turned on with network access will go to the FTP server specified in the network config panel, then download the following files: a global user file usually called wlx.ini, a single user file username.ini *this file is always kept in the sub dir of /ini, that is if the global file is in c:/thin then the single user file is in c:/thin/ini and generally supersede the identically named global parameters, * and a add on files *these are kept in the addon sub dir*. These files must be created and maintained in plain text. If the thin client cant find the wlx.ini file it default to wnos.ini. DHCP can also be used to direct the thin client to the FTP server.

Users have three privilege levels of access to thin client resources:
High (default) - No restrictions.
Low - This is the level assigned to a typical user and is the thin client default.
None – The System Setup selection on the desktop menu is disabled. The Connection Manager is available, however, the user cannot create a new connection or edit an existing connection.
These privileges are in effect before login and governs access to system facilities even when the login dialog box is displayed.

The Login:
Guest – No password and no access
Stand-alone User - Makes operation of the thin client possible when user profiles or
PNLite apps are not available.
PNLite-Only User - This is similar to a Stand-alone User except that apps published by PNLite services are available (the IP address of a PNLite server is entered into the ICA Network Setup dialog box).

Ok now that the thin client has everything it needs to work you will see icons on your thin clients desk top, the icons act like short cuts to the app you want to use from the server, such as a web browser. After you click on the icons, you then will be logged on to the network and given access to the app the icon points to, as you red earlier the config for the icons are sent in the ini files the thin client gets from the FTP server. Now while its connect to the network and using the server app its operates over the net work using Microsoft’s RDP or Citrix’s version of RDP, so even if all you seem to have access to is a web browser, underneath you could have access to everything on the server that is hosting the app you are using.

That’s it for now, the next installment will be about hacking the thin client network to shreds.

Think Thin: The skinny on thin clients part 1
By: Anarchy Angel
anarchy.ang31@gmail.com
Thanx to: ibm.com, wyse.com, and google.

Saturday, November 3, 2007

Party time you gouls

My brother had a Halloween party at his house today. It was a great time, my kids really enjoyed it. Great food + great beer = great time :) I want to thank Dave and Mary for doing such a great job with the decor and setting up the kids games with prizes at the last minute, you guys did a hell of a job.