Lavr's Blog

BackTrack 101 / OSCP

Now that I am an OSCP (Offensive Security Certified Professional) and have a few minutes to spare, I decided to share my thoughts on the BackTrack 101 course, which I took to earn the OSCP.

I'll be brief. BackTrack 101 is just what the name implies -- an entry-level course. Sounds boring already? It isn't. Although it covers basic-level concepts, it is rather in-depth, comprehensive, very much hands-on and, in the end, practical. It runs from information gathering, to fuzzing and exploit development, to SQL injection. Like I said, nothing really advanced, but it gives an excellent foundation. That's what the course is really all about -- giving a solid foundation and letting the students build on that. I think that really shows with the OSCP challenge, which I won't say anything more about.

I'm glad I took the course and the challenge.

fyi

Because all blog entries appear on the main page here, I thought it would not be very nice to spam it with things like changelogs every couple of days, so I've decided to use my own web space for that purpose.

I will still be posting project related material here that I deem worthy, though.

Oh, and if you have any suggestions, please let me know (here or there) as I will be very happy to hear them.

EOFYI

Thoughts behind the lazyfoot project.

When I do external network perimeter assessments, the first steps almost always end up being exactly the same. I scan for open ports, check DNS records, mirror the whole website and look for interesting files, compile a list of potential usernames, and do other types of information gathering. The thing about all that is that it takes time, and time is one thing I don't have a lot of. Running tools such as nmap, httrack, and nikto all at the same time is not a very good idea, and running them one after another requires monitoring their progress all day long (and sometimes even longer), which I can't do. Manually running the tools also means downtime between one tool finishing and the next starting. Most of the time I have more than one project going at a time, and because of that I may forget what stage each project is at, skip a test, and end up coming back to it later. That wastes time. So, to save myself time and spare myself the hassle of remembering things, I decided to write a tool that would do everything for me. Well, at least the initial part of an assessment, where my input is not really required. And so lazyfoot was born.

As of right now it is still not complete, but it does most of what I wanted it to do when I first thought of it. Lazyfoot was not intended to be a tool all by itself, but rather a means of running other tools without me having to issue the commands. It was also not designed with only one target in mind. Lazyfoot is ideal for when you have a list of targets rather than just one machine, which is why all inputs to the program are text files.

Here are some possible features that I have in mind and might implement in the not too distant future:

  • goog-mail.py (gathers e-mails from google search results)
    I may rewrite the tool in ruby to include it in the lazyfoot for better portability.

  • dns hijacking
  • e-mail notification of completion
  • compress (+email?)
  • reverse dns lookup
  • search saved sites for forms
  • banner grabbing from nmap scans + telnet
  • searching milw0rm + securityfocus for banners

And anything else that would make my life easier.

I was also thinking of, perhaps, splitting lazyfoot into stages such as "passive", "stealthy", "intrusive", and "all out". This way I could put things like grabbing DNS records and searching for e-mails in the "passive" stage, the nmap scan in "stealthy", and so on. This seems like a cool idea, but I am not sure if it would be all that useful.
Another idea I pondered is to write plugins (httrack, nmap, whatever). That also seems cool, but having one executable with on/off switches is probably more practical.

Hm.

Anyway, I'll keep you posted.

Lazy Foot

In my line of work I need to run nmap, nikto, dig, and a bunch of other tools against several targets almost on a daily basis. Because I am lazy, I created a tool to do that for me. It's called lazyfoot, where foot stands for footprinting. It's written in Ruby, isn't fancy and is only around 300 lines of code long.

So far the main functions are:

  • nmap
  • nikto
  • httrack
  • whois
  • dig

It also looks for some files in the sites httrack fetched, and afterwards does chown & chgrp because it has to be run as root. I need to figure out how to properly do version numbering, because right now it's a mess.

This little thing is still under development but has already saved me a bunch of time. Maybe you'll find it useful too.

EDIT:

http://www.missingvowel.net/lazyfoot/development/

EDIT 2:

I guess I should give some usage examples...

sudo ./lazyfoot.rb -iL IP.txt -iW weblist.txt -T 4 -oA LAN -whois off -dig off

Contents of IP.txt:
192.168.1.1-255

Contents of weblist.txt:
mywebsite1.com
yourwebsite2.com
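As an added example (not lazyfoot's own code), here is a small dry-run planner that models the "stages + on/off switches" design discussed in the earlier post and the IP.txt / weblist.txt inputs shown above: it expands the "192.168.1.1-255" range format, honours "-whois off" style switches, and only emits jobs for tools at or below the requested stage. Nothing is executed; the stage assignments per tool and the sample inputs are assumptions for illustration.

```ruby
# Added example, not lazyfoot's code. Plans which tool runs against which
# target; the caller decides whether to execute. Stages are ordered from
# least to most noisy; the stage each tool belongs to is an assumption.
STAGES = %w[passive stealthy intrusive].freeze
TOOLS  = {
  "whois"   => "passive",
  "dig"     => "passive",
  "nmap"    => "stealthy",
  "httrack" => "stealthy",
  "nikto"   => "intrusive",
}.freeze
SITE_TOOLS = %w[httrack nikto].freeze   # fed from weblist.txt, not IP.txt

# Expand one IP.txt line: "192.168.1.1-3" -> three addresses.
# A plain address or hostname comes back as a one-element list.
def expand_target(line)
  line = line.strip
  return [] if line.empty? || line.start_with?("#")
  m = line.match(/\A(\d+\.\d+\.\d+\.)(\d+)-(\d+)\z/)
  return [line] unless m
  lo, hi = m[2].to_i, m[3].to_i
  raise ArgumentError, "bad range: #{line}" unless lo <= hi && hi <= 255
  (lo..hi).map { |octet| "#{m[1]}#{octet}" }
end

# Turn "-whois off -dig off" into {"whois" => false, "dig" => false};
# flags that are not tool names (-T, -iL, ...) are ignored here.
def parse_switches(argv)
  argv.each_slice(2).each_with_object({}) do |(flag, val), h|
    tool = flag.sub(/\A-/, "")
    h[tool] = (val != "off") if TOOLS.key?(tool)
  end
end

# One [tool, target] pair per enabled tool whose stage is at or below
# max_stage. Arguments stay as arrays, so a target line is never handed
# to a shell for interpretation.
def plan(ip_lines, web_lines, max_stage, switches = {})
  limit = STAGES.index(max_stage) or raise ArgumentError, "unknown stage"
  hosts = ip_lines.flat_map { |l| expand_target(l) }
  sites = web_lines.flat_map { |l| expand_target(l) }
  TOOLS.select { |t, s| STAGES.index(s) <= limit && switches.fetch(t, true) }
       .flat_map { |tool, _| (SITE_TOOLS.include?(tool) ? sites : hosts).map { |tgt| [tool, tgt] } }
end

# Constructed inputs mirroring the post's IP.txt and weblist.txt.
jobs = plan(["192.168.1.1-3"], ["mywebsite1.com", "yourwebsite2.com"],
            "stealthy", parse_switches(%w[-whois off -dig off]))
jobs.each { |tool, tgt| puts "#{tool} #{tgt}" }
```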

yay blogs

this is just a placeholder to see what it all looks like.
