20160331
New Book Out
Dan Dieterle wrote a new book, which is an update on his old book. I did review a couple chapters for him, and he was kind enough to give a reviewer acknowledgement to me. Check it out if you would like to use a book, or maybe give one to one of your nerd friends / relations that are interested in the topic.
20160317
Windows 2008 to Debian
There comes a limit to how many virtual machines you can run on a Mac Mini. I bought a server for about $500 from savemyserver.com. It has 1.2 TB of hard drive, 48 GB RAM, and 8 cores of processor. I have not put any VMs on there yet, but did replace Windows 2008 Server that came pre-installed with Debian. From experience, I can tell you if Debian is complaining about needing some firmware to continue, you should probably figure out how to get that before you go on. I found this site to be pretty helpful when looking for individual files of firmware, rather than Debian packages which include firmware.
I'll update as I go, my dream is to use xen as my hypervisor.
20160316
John the Mangler
When using the password cracking tool John the Ripper, I have many times used it against LM passwords and cracked them with a bit of time. Of course, the NT passwords are (usually) just a case permutation of the LM password, so there must be an easy way to get John to do the case permutations for you. I went into the configuration file -- /etc/john/john.conf -- to see if I could figure out how John's word-mangling rules are written. I did not, but discovered there is already a rule to get NT passwords from LM passwords. To use it, simply specify the mangling rule.
In sequence, I did this (assume the hashes are in a file called hashes) --
time john --format=LM hashes (this took about two hours)
john --format=LM --show hashes | cut -d : -f 2 | sort | tail -n 5 > word.txt
time john --format=nt --rules=NT -w:word.txt hashes (this took less than 0.1 seconds).
No video this time, comment if there's a part you don't understand, and I'll break it down.
20160312
Beef with a Side of Kali
Many folks learn how to work with metasploit, and some folks also learn to work with BeEF. I wanted to figure out how to use them together. It took me more than 10 minutes to figure it out, so I thought I would write it down. Thanks to Sathish Arthars for his post, which was very helpful with regard to integration, and to InfoSec Institute, who had a nice write-up on getting started with BeEF.
In a nutshell, BeEF and Metasploit are meant to work together. But, they do not by default. To get them to work, you will need to change the configuration of two files. First, the file /usr/share/beef-xss/config has a pair of lines that read metasploit: enable: false, and that false will need to change to true. Secondly, change the /usr/share/beef-xss/extensions/metasploit/config.yaml file so the host and callback_host change to your actual IP address.
Finally, before starting BeEF you will need to use the load msgrpc ServerHost=<IP> Pass=<pass> command in the metasploit framework console. The IP should be the same one you put in the configuration files. Note that both the ServerHost and Pass parameters are case sensitive. Once you have the two working together, you can use a host of coordinated tactics.
I have a video of the highlights here.
20160306
Execute Shellcode in Firefox
Well, one of my goals for this blog is to make a note of something that took me a while to figure out, so I can look it up later, rather than relying on myself to remember. If I stumble on something you were trying to figure out, too, so much the better. I put a video together of me exploiting a Firefox browser, and then getting the hashed passwords from the computer. Here, I will put a little more explanation to keep me from talking.
The setup requires two computers. I used a Windows XP computer for my victim machine, and of course my Kali machine for the attacker. I am still using Kali 1.-something, I find it easier to find help for that one. You can get old versions of applications for testing and experimenting here. I used Firefox version 15 for this setup. The metasploit modules I used were
exploit/multi/browser/firefox_xpi_bootstrapped_addon
exploit/firefox/local/exec_shellcode
post/windows/manage/smart_migrate
post/windows/escalate/getsystem
post/windows/gather/smart_hashdump
Follow the links if you want to know more about the modules. If you want to watch the video, go here.
There is some user interaction required, I leave it to your imagination to figure out how an attacker might get a user to install a plugin or add-on. As I mentioned in the video, it is a good idea to migrate out of the Firefox process since you don't want your presence to rely on the user not closing the browser. Additionally, if you change the EXITFUNC setting to 'thread', you will not cause the browser to close when you migrate out of it or close your session. Finally, if the user is not part of the "Administrators" group, the escalation will fail, and the hashdump will fail if it is attempted without SYSTEM privileges.
20160305
Kali 2.0 Jacked My sources.list File
Well, this topic is perfectly covered at the Kali web site, but when I searched for the solution I got a lot of links pointing me to old information. So, in the hope that having enough new information out there will point your search results to the newer solution, I will post it right here.
In a nutshell, if you try to update your copy of Kali 1.* that you still like to use, you can get this error:
Err http://security.kali.org kali/updates/main amd64 Packages
404 Not Found
This is because that link does not work any more, so you get the standard HTTP 404 error.
To fix it, you will need to fix up the file that is pointing to the old repo location. Using your favorite text editor (I use vim), get your /etc/apt/sources.list file to contain this text:
/-------- START AT THE # ----------------/
#
# deb cdrom:[Debian GNU/Linux 7.0 _Kali_ - Official Snapshot amd64 LIVE/INSTALL Binary 20140108-17:05]/ kali contrib main non-free
#deb cdrom:[Debian GNU/Linux 7.0 _Kali_ - Official Snapshot amd64 LIVE/INSTALL Binary 20140108-17:05]/ kali contrib main non-free
deb http://old.kali.org/kali moto main non-free contrib
#deb-src http://http.kali.org/kali kali main non-free contrib
## Security updates
deb http://old.kali.org/kali-security moto/updates main contrib non-free
/-------- STOP AFTER FREE ----------------/
This is a good spot to take a snapshot if you are using a VM.
Once you save the file you can run the commands
apt-get update
apt-get upgrade
(I would restart the computer here if I got a lot of upgrades.)
apt-get dist-upgrade
20160304
Gotta Start Somewhere
Well, I sometimes wish I had written down something I had thought about. So I thought maybe I should keep a journal, or maybe use Evernote to keep track of things. But, on the off chance that somebody else might also be interested in what I was thinking about on a particular day, I decided to go with a blog. I basically have one job - Instructor at UMBC Training Centers, where I teach Information Technology and Cybersecurity-focused classes. I also have two hobbies: running and keeping up with news on the Cybersecurity front, including new tools and techniques. I am not looking to rehash the news - check The Cyber Wire if you're looking for news. But, maybe I'll post every now and then about something I found or some musings.
Today I am thinking about a tip I got from another instructor: there is a Capture the Flag (CTF) challenge that is always online at Over the Wire. I started playing with it, and got to level 10 or so of the 'bandit' game. I might use it, or something like it, for folks that come to learn Linux.