Remote Exploit Forums - Pentesting

How to redirect the Metasploit Console output to a file?

yellowxi — Thu, 19 Nov 2009 03:07:22 GMT

How to redirect the screen output of Metasploit Console to a file?
Thank you guys!:D

I got the answer.
Just
./msfconsole | tee output;)

sniff router password

goon123 — Wed, 18 Nov 2009 17:58:33 GMT

hi,

i'm wondering if there is another way to get the router password instead ob bruteforing the router. So is it possible to sniff a day long traffic only on the router, so when I would log on the router from my brothers laptop that i could catch the password and username via wireshark or sth. else?

thx

Can't run execute and exploits with Metasploit

Mucker — Tue, 17 Nov 2009 10:16:47 GMT

Hi,
I have learnt about Metasploit recently through their website and on this forum. I have read loads of documentation but I can’t find out why the exploits won’t work...well to be more exact it looks like it is running the exploit but not executing the payload. I am not using my own exploits; I am using the built ones. Here is an example:
I run Metapsploit on my Back Track 4 live DVD.
The exploits I have used are the ones that are apparently still vulnerable like browser ones.
I used:
windows/browser/realplayer_console
windows/browser/ani_loadimage_chunksize
as well as other universal ones.

I have now resorted to the absolute basics just to test whether it is successful. With each different exploit I try I choose to deliver the payload “windows/exec”. The command I choose to execute is just a simple IPconfig to a text file and drop it in the C drive on the target PC (ipconfig > c:\meta.txt).
These exploits all exploit the browser so it sets up a fake http service which I then connect to using different browsers from the target machine. As soon as the target machine connects I see a message from the metasploit console (or metasploit gui) saying it is sending the exploit to the machine. From what I understand this means the exploit is actually working but not delivering the payload?
Some info about the target machine:
XP Pro SP3
Windows firewall disabled.
NOD32 anti virus but this is disabled for testing (when it was enabled it detected every exploit attempt).

No matter what payload I run it never works. There is no text file on the C drive.
Maybe these exploits don’t work anymore but I thought that if the console says it has sent the exploit then it does work?
Can anyone help please and point me in the right direction.
I am wondering whether there is something obvious I have missed.
Thanks,

Quick & Ugly Ruby Network based Fuzzer

proteus-ocm — Mon, 16 Nov 2009 14:34:33 GMT

The following is a quick and ugly network based fuzzer scripted in Ruby. It was modified (ever so slightly) to allow for IP address and Destination port to be passed at the command line instead of being hardwired into the script itself.

Example use: quickfuzz.rb Target_IP_Address Target_Destination_Port

It is core application and use is when you're developing network based exploits and have a network based service that you can monitor and watch the target service.

The folks at N2NetSecurity have provided a very concise and simple to understand presentation on Exploit Development (located at www n2netsec com slash dump slash techno dot pdf).

Code:

##################################################

#!/usr/bin/ruby

require 'socket'



##################################################

# Quick & Ugly Fuzzer  

#

# quickfuzz v.1.0 - N2NetSecurity, Inc - AAH

#

# www n2netsec com | Reach the security summit...

#

# info [at] n2netsec com 

#

# quickfuzz v1.1 - PROTEUS|OCM - EBM

#

# www proteus-ocm net | Answering the "So What if we get hacked?" 

#

# info [at] proteus-ocm [dot] net   

#

# Updates welcome

##################################################



##################################################

# This script was based off of a presentation  

# provided at a recent conference by N2NetSecurity.

# The original script had hard coded IP's within the

# script.  I've taken the script and updated it to

# allow for passing along command line arguments of

# the IP address and Destination_Port.

#                                                                  

# Usage: ruby quickfuzz.rb IP_Address Destination_Port

##################################################



buffer=[]

increment=1



#

# Variables to be passed at the command line and assigned for

# use in identifying buffer overflow.

# 

unless ARGV.length == 2

        puts "The correct use of this gem is as follows:"

        puts "Usage: ruby quickfuzz.rb Target_IP_Address Target_Destination_Port"

        puts "Example: ruby quickfuzz.rb 192.168.1.10 445"

        exit

end



target = ARGV[0]

port = ARGV[1]



#

# GIGO-Monkeybone

#



while buffer.length <=1000

        buffer << "A"*increment

        print "Sending #{buffer.length} bytes... \n"

        sleep(0.25)

        s=TCPSocket.new(target, port)

        s.print(buffer)

        s.close

end

I have a theory on the 2WIRE routers....

whorobj — Wed, 11 Nov 2009 09:49:42 GMT

ok so i've been lurking for a while and now i happen to be getting pretty good with aircrack/cowpatty etc. I can crack wep and the usual wpa's simple now.

So we all know about the att 2wire routers....I was wondering how to crack those WPA keys. I started the run wordlists (on my own uverse 2wire with default key) . All failed. then i found ok so most 2wire's have 10 digit hex keys. (my att uverse 2wire has a sticker on the bottom)

I then compiled this script to create my wordlist

Code:

//made by karabaja4



#include 

#include 



int main(int argc, char** argv)

{

    char format[10];

        

    unsigned long long last = 0;

    unsigned long long i;

        

    if ((argc != 2) || (atoi(argv[1]) > 16)) {

        printf("\n hex wordlist generator - by karabaja4\n\n");

        printf(" usage: ./hwg n > wordlist.txt\n");

        printf(" n - number of digits (max 16)\n\n");

        exit(0);

    }

    

    sprintf(format, "%s%s%s", "%0", argv[1], "llx\n"); //linux (gcc)

    //sprintf(format, "%s%s%s", "%0", argv[1], "I64x\n"); //windows (mingw)

    

    for (i = 0; i < atoi(argv[1]); i++)

            last = ((last + 1) * 16) - 1;

        

    for (i = 0; i < last; i++) printf(format, i);

    printf(format, last);

        

    return 0; //hooray!

}

Code:

gcc hwg.c -o hwg

Code:

./hwg n > wordlist.txt

script credit user karabaja 4

now i will run gemk against this and the ssid, then the hash against the captured 4 way handshake.

So in theory, eventually in time this will crack the 2WIRE's with the default 10 digit hex key.

I'm going to try running it against my handshake this weekend when i have more time.

How do I bypass anti-debugging protections in Immunity Debugger?

godfather — Sun, 08 Nov 2009 16:39:24 GMT

in last days . I was try to bypass anti debugger with immunity debugger . I was run pycommand and saw usage guide .run !hidedebug with all types provide by pycommand but no way to run the program after attach it with a debugger. after attach the program with debugger and press play button .it stay in puase mode and did not change it's mode to running mode ... when flow executable code .. I note the program call specific fucation to kill the process. plz is there any tip.

exploit write, small jump

compaq — Sat, 07 Nov 2009 09:52:23 GMT

Hi, I'm trying to workout how to do a small jump. I'm useing the opcode eb, and would like jump 10 instruction.
do I have to add a offset or linear number in frount or behind it?

/etc/shadow

spawn — Fri, 06 Nov 2009 15:31:04 GMT

Folks,

On gentoo, ubuntu, ( that I tested ) when I run john --users=root shadow

No password hashes loaded

I tried too unshadow /etc/passwd /etc/shadow > mypwd

the same message

In present day it still works ?

Thanks in advanced

A strange IP address in my network!!

generaluser — Wed, 04 Nov 2009 16:07:40 GMT

My private IP address scheme is in 192.168.1.x subnet, Here is my network diagram

Quote:

DSL-Modem (192.168.1.1)
|
|
Switch
|
My-PC (192.168.1.x)
and a voip phone (192.168.1.x)

But there is an IP address 192.168.0.1 which can be pinged from my modem as well as my computer the result of the ping is

Quote:

> ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1): 56 data bytes
56 bytes from 192.168.0.1: icmp_seq=0 ttl=250 time=35.0 ms
56 bytes from 192.168.0.1: icmp_seq=1 ttl=250 time=35.0 ms
56 bytes from 192.168.0.1: icmp_seq=2 ttl=250 time=30.0 ms

--- 192.168.0.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 30.0/33.3/35.0 ms"

I did a traceroute and the result is

Quote:

C:\nmap-5.00>tracert 192.168.0.1

Tracing route to 192.168.0.1 over a maximum of 30 hops

1 1 ms <1 ms <1 ms 192.168.1.1
2 34 ms 39 ms 40 ms 116.71.208.1
3 32 ms 32 ms 33 ms 116.71.241.245
4 36 ms 36 ms 36 ms rwp44.pie.net.pk [221.120.253.41]
5 36 ms 36 ms 35 ms 221.120.253.10
6 35 ms 35 ms 35 ms 192.168.0.1

Trace complete.

I did nmap with parameters (-sV -oO -v) and the output is

Quote:

C:\nmap-5.00>nmap.exe -sV -oO -v 192.168.0.1

Starting Nmap 5.00 at 2009-11-04 19:10 Pakistan Standard Tim
e
NSE: Loaded 3 scripts for scanning.
Initiating Ping Scan at 19:10
Scanning 192.168.0.1 [4 ports]
Completed Ping Scan at 19:10, 0.36s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:10
Completed Parallel DNS resolution of 1 host. at 19:10, 0.04s elapsed
Initiating SYN Stealth Scan at 19:10
Scanning 192.168.0.1 [1000 ports]
Discovered open port 22/tcp on 192.168.0.1
Discovered open port 23/tcp on 192.168.0.1
Completed SYN Stealth Scan at 19:10, 6.40s elapsed (1000 total ports)
Initiating Service scan at 19:10
Scanning 2 services on 192.168.0.1
Completed Service scan at 19:10, 7.56s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.0.1.
NSE: Script Scanning completed.
Host 192.168.0.1 is up (0.043s latency).
Interesting ports on 192.168.0.1:
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open tcpwrapped
23/tcp open telnet?
1720/tcp filtered H.323/Q.931
5060/tcp filtered sip
1 service unrecognized despite returning data. If you know the service/version,
please submit the following fingerprint at
SF-Port23-TCP:V=5.00%I=7%D=11/4%Time=4AF18B47%P=i686-pc-windows-windows%r(
SF:NULL,37,"\r\nError:All\x20user\x20interfaces\x2 0are\x20used,\x20please\
SF:x20try\x20later!")%r(GenericLines,37,"\r\nError :All\x20user\x20interfac
SF:es\x20are\x20used,\x20please\x20try\x20later!") %r(GetRequest,37,"\r\nEr
SF:ror:All\x20user\x20interfaces\x20are\x20used,\x 20please\x20try\x20later
SF:!")%r(HTTPOptions,37,"\r\nError:All\x20user\x20 interfaces\x20are\x20use
SF:d,\x20please\x20try\x20later!")%r(RTSPRequest,3 7,"\r\nError:All\x20user
SF:\x20interfaces\x20are\x20used,\x20please\x20try \x20later!")%r(RPCCheck,
SF:223,"\xff\xfb\x01\xff\xfb\x01\xff\xfb\x01\xff\x fb\x03\xff\xfd\x18\xff\x
SF:fd\x1f\r\n\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\ *\*\*\*\*\*\*\*\*\*\*\*\
SF:*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\* \*\*\*\*\*\r\n\*\x20\x20
SF:\x20\x20\x20\x20\x20\x20\x20\x20\x20All\x20righ ts\x20reserved\x20\(2000
SF:-2007\)\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20 \x20\x20\x20\x20\*\r
SF:\n\*\x20\x20\x20\x20\x20\x20\x20Without\x20the\ x20owner's\x20prior\x20w
SF:ritten\x20consent,\x20\x20\x20\x20\x20\x20\x20\ x20\*\r\n\*\x20no\x20dec
SF:ompiling\x20or\x20reverse-engineering\x20shall\x20be\x20allowed\.\x20\*
SF:\r\n\*\x20Notice:\x20\x20\x20\x20\x20\x20\x20\x 20\x20\x20\x20\x20\x20\x
SF:20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\ x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20 \x20\x20\x20\x20\x20\x20
SF:\*\r\n\*\x20\x20\x20\x20\x20\x20This\x20is\x20a \x20private\x20communica
SF:tion\x20system\.\x20\x20\x20\x20\x20\x20\x20\x2 0\x20\x20\x20\x20\*\r\n\
SF:*\x20\x20\x20Unauthorized\x20access\x20or\x20us e\x20may\x20lead\x20to\x
SF:20prosecution\.\x20\x20\x20\*\r\n\*\*\*\*\*\*\* \*\*\*\*\*\*\*\*\*\*\*\*
SF:\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\ *\*\*\*\*\*\*\*\*\*\*\*\
SF:*\*\*\*\*\r\n\r\n\r\nLogin\x20authentication\r\ n\r\n\r\nUsername:")%r(D
SF:NSVersionBindReq,37,"\r\nError:All\x20user\x20i nterfaces\x20are\x20used
SF:,\x20please\x20try\x20later!")%r(DNSStatusReque st,37,"\r\nError:All\x20
SF:user\x20interfaces\x20are\x20used,\x20please\x2 0try\x20later!")%r(Help,
SF:37,"\r\nError:All\x20user\x20interfaces\x20are\ x20used,\x20please\x20tr
SF:y\x20later!")%r(SSLSessionReq,37,"\r\nError:All \x20user\x20interfaces\x
SF:20are\x20used,\x20please\x20try\x20later!");

Read data files from: C:\nmap-5.00
Service detection performed. Please report any incorrect results at
org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.25 seconds
Raw packets sent: 1174 (51.632KB) | Rcvd: 1162 (46.500KB)

Another nmap OS fringerprint scan shows

Quote:

Starting Nmap 5.00 (]Nmap - Free Security Scanner For Network Exploration & Security Audits.] ) at 2009-11-04 19:31 Pakistan Standard Ti
e
NSE: Loaded 0 scripts for scanning.
Initiating Ping Scan at 19:31
Scanning 192.168.0.1 [4 ports]
Completed Ping Scan at 19:31, 0.38s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:31
Completed Parallel DNS resolution of 1 host. at 19:31, 0.04s elapsed
Initiating SYN Stealth Scan at 19:31
Scanning 192.168.0.1 [1000 ports]
Discovered open port 23/tcp on 192.168.0.1
Discovered open port 22/tcp on 192.168.0.1
Completed SYN Stealth Scan at 19:31, 7.45s elapsed (1000 total ports)
Initiating OS detection (try #1) against 192.168.0.1
Retrying OS detection (try #2) against 192.168.0.1
Host 192.168.0.1 is up (0.039s latency).
Interesting ports on 192.168.0.1:
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
1720/tcp filtered H.323/Q.931
5060/tcp filtered sip
Device type: switch|WAP
Running (JUST GUESSING) : HP embedded (88%), D-Link embedded (86%), TRENDnet em
edded (86%), 3Com embedded (86%)
Aggressive OS guesses: HP 4000M ProCurve switch (J4121A) (88%), D-Link DWL-624+
or DWL-2000AP, or TRENDnet TEW-432BRP WAP (86%), 3Com 8810 switch (86%)
No exact OS matches for host (test conditions non-ideal).
TCP Sequence Prediction: Difficulty=18 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class

Telneting this machine gives the banner

Quote:

************************************************** *********
* All rights reserved (2000-2007) *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
* Notice: *
* This is a private communication system. *
* Unauthorized access or use may lead to prosecution. *
************************************************** *********

Login authentication

Username:

Neotrace gives the following output

Quote:

Map

Node Data
Node Net Reg IP Address Location Node Name
1 - - 192.168.1.x
2 1 - 192.168.1.1 -
3 2 - 116.71.208.1 -
4 2 - 116.71.241.245 -
5 3 - 221.120.253.41 - rwp44.pie.net.pk
6 3 - 221.120.253.10 - rwp44.pie.net.pk
7 1 - 192.168.0.1 -
Packet Data
Node High Low Avg Total Lost
1 0 0 0 1 0
2 25 25 25 1 0
3 135 135 135 1 0
4 44 44 44 1 0
5 37 37 37 1 0
6 36 36 36 1 0
7 38 38 38 1 0
Network Data
Network id#:1

OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US

Network id#:2

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

Network id#:3

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

I think that the ip addresses 192.168.x.x are private addresses and are non-routable (meaning you shouldn't be able to access these addresses if they are not from your internal network). As the traceroute shows that the machine is behind the PIE and it seems to be quite well setup.

I am trying to investigate the machine on my own but have got no ideas how to proceed further What could this machine be any wild guesses? and one more thing you people should also try probing this machine and make sure not to confuse your own router with it :-)

To Disable the IPS or not?

Gitsnik — Wed, 04 Nov 2009 00:13:25 GMT

Something interesting just came up when I was talking to a friend of mine - we were discussing a penetration for PCI compliance, and the topic of IPS came up.

The lengthy argument was profuse and emphatic, but the same basic question (I feel) has to be asked:

During a PCI test (or any other), should one request the client turn off the IPS*? The two main arguments that I can see are:

No. The attacker wouldn't be able to get that turned off, why should you.
Yes. What if the attacker gets lucky and finds the IPS on the day it's failed - at least this way you can ensure you are not vulnerable.

So I put it to the rest of you, should the IPS be turned off for the pentester, or should it be left on?

*Turning it into IDS mode for that IP would be acceptable, the concern is the prevention part of the IPS.

target is linux. tftp help?

kungfusurfer — Tue, 03 Nov 2009 02:03:26 GMT

I'm doing a lab at home via vmware. My attacker is BackTrack (of course) and my target is linux slackware. So far I have only been able to get as far as logging onto it's ftp as anonymous (nothing really useful in there) and able to connect to the target via tftp. I'm still quite new to pen-testing so I'm not sure what I could do with this tftp access. I see that I am able to run commands such as "get" and "put". I was able (i think) to copy netcat over to the target but not sure how I can connect to the target via netcat. Since I don't have access to the target yet, I can't start a listener on the box (unless one of you know a way). If I could start a listener then I assume the best bet would be to retrieve the /bin/bash with the nc -e option. The following are the ports which are open. *this is all on my personal lab, just an fyi*

21 � ftp � vsftpd 2.0.4
22 � ssh � OpenSSH 4.3
80 � http � Apache httpd 2.2.4 mod_ssl/2.2.4 OpenSSL/0.9.8b DAV/2
631 � ipp � CUPS 1.1

Thanks for any help or a push in the right direction.

sudo is not your friend

Gitsnik — Mon, 02 Nov 2009 08:37:08 GMT

Considering the advent of Ubuntu systems, and our own precious Backtrack rolling that particular way, I thought I would do an early release of a tool I have been working on for a while - partly because it may benefit the community, and mostly because my expect skills are not as strong as they used to be and I can't get this operational.

The basic premise is thus: Ubuntu is secure right? You don't run as admin and any malware that access' your desktop can only wipe your stuff, not the system (as if this is less important to me, but it illustrates the need for good backups). You use sudo to run you nmap scans or maybe start your airodump script, so you're safe. Right?

Wrong

The key to this puzzle is, in fact, the very tool people use to keep themselves safe. Some notes on sudo basics:

"sudo -s", "sudo sh" or "sudo su -" or variants will grant you a root shell.
sudo grants you a small amount of time before it "expires", which means you only have to type your password once and you have a while to run root commands at your hearts content
sudo is not tied to a single console, you can open 18 different Xterms and run it just fine

A, well, flaw I noticed in sudo (if it can be called thus) resides in the 3rd point - sudo does not actually check what console I am operating in. If I am on my desktop, and I type "sudo nc -l 5", anyone who is ssh'd into my box can then type "sudo ./install_rootkit.sh". Further, I can write an expect script (as yet unpublished), to attempt this command (or another such as "sudo -s" for as long as I like) - while the password is being requested, sudo seems to fail to report the attempt (perhaps this is a logging feature I have merely never noticed).

The upside of this? A pentester, or anyone else really, can abuse the sudo powers to gain root on a linux desktop (or server) as easily as if it were vulnerable to sock_sendpage(). The only thing required is some patience.

A note to anyone who wants to try a PoC for this: I presume that my cron/expect combination is not setting up a proper environment, so doing it that way is not a choice. But there is nothing that stops one from running it & and just waiting.

And you thought malware couldn't hurt you.

Implementation I leave up to those of you who have coding practice, but please feel free to PM me a sample code block if you have written one.

Pentesting Ethics (When is enough, enough?)

sociopathichaze — Sun, 01 Nov 2009 07:38:37 GMT

So I worked a temp job at a college help desk for a couple of weeks. During the lulls in calls, I began poking around the campus network. Nothing intrusive, just a few pings and traceroutes at first. However, as the days went on I became so bored I started mapping the entire network and doing my own security audit of the college. At the end of the two weeks I had a page and a half list of all the problems with the "security" they had implemented. Being the ethical guy I am, I sent the list to the head of the department. Fast forward two months and three emails later, and they've done nothing. Not even the simplest things on the list, like password protect your network printers if your going to use a 1to1 nat and not use acl's to block external access. Personally I wouldn't mess with the network because there's no challenge in it, but I'm to the point where I think these lazy/incompetent admins should be taught a lesson. At the same time I feel bad for the students/faculty that have these morons "protecting" their data. So I'm gonna put it to a vote.
Should I post all the info I obtained?
Should I email the Dean and explain why he should fire these idiots?
Should I email everyone in the student/faculty directory telling them their data isn't safe?
Should I do nothing and let their current security through obscurity model stand?
Should I post this in a different forum where someone might care?

BoF Exploit Windows XP SP0

mayfly — Sun, 01 Nov 2009 04:34:56 GMT

Hi,

Sorry for double-posting in the other thread! I missed the fact that my posts have to be approved by a mod and thought my first post would have been lost.

I have the task to demonstrate a buffer overflow with Windows XP (NO service pack installed). There are several tutorials on how to do this on the net. So I just wrote some vulnerable piece of C++ server code including:

char test[20];
...
strcpy( test, attackerstring);

where "attackerstring" is the ordinary much too long string passed by the client (some hundred "A" characters). The BoF seems to work and will crash the application. I am also able to overwrite both EAX and ECX (take a look at the screenshot below). However, I am not able to overwrite the crucial EIP, regardless how ridiculously long the string of "A" characters is. 100 do not work, 500 do not work, 2000+ do not work. It doesn't help either to let OllyDbg pass the exception to my programme.

SCREENSHOT: img101.imageshack.us/img101/5986/ollydbg.jpg

The exploit is running on VMWare Player 2.53 & Windows XP SP 0. All tutorials and forum posts I have browsed require me to access the EIP. Does anybody have an idea why it is not working for me? I'm really despaired by now.

Thanks for your efforts, m.

BeEF Zombies

wasto — Fri, 30 Oct 2009 17:13:03 GMT

I am having an issue using the latest version of BeEF. I have set the alert dialogue to autorun and the logs are showing the different IPs as connected. Also, the alert dialogue box is being displayed on the victims. However, they never show up as a Zombie. I know it takes some time to be displayed, but waiting up to five minutes and still no zombies. I am testing using mutillidae on a windows XP SP2 VM and backtrack 4 pre-final running the latest version of BeEF. I have tried IE 6 as well as various versions of FireFox. I do not have any add-ons like no script installed and javascript is enabled on both browsers. Any idea why the Zombies section is not being populated?

Nevermind, I was too quick to post. Turned off autorun and now the zombies are showing up.