Yearly Archives: 2017


Join a firejail session
Author: admin

Sometimes I use firejail... well, a lot actually... and I usually just use it for a browser, like this:

firejail --private google-chrome

or, when I want the browser to go out through a SOCKS proxy:

firejail --private google-chrome --proxy-server="socks5://localhost:8080"

But on a few occasions I want to join a second shell (for example to run ssh) to the same sandbox instance, so I do this:

firejail --list
firejail --join=3452   (or whatever sandbox you want; the number is the PID shown in the first column of --list)

Another thing I have run into: I downloaded something but want to save it before I destroy my firejail (--private) session. With --private the sandbox gets a temporary home directory that is thrown away when the sandbox exits, so the file has to be pulled out while it is still running:

firejail --get=5255 ~/.config/google-chrome/Default/Cookies

You can see more examples and other documentation here: Basic Usage
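Reading the PID out of firejail --list by eye gets old, and with two private chrome sandboxes it is easy to join or --get from the wrong one. The script below is an added example, not from the original post: it parses --list output (assumed to start with "PID:user:" on each line, the format of current firejail releases) and refuses to act unless exactly one sandbox matches. The pattern names, sample --list lines and the jail_* function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): script the "--list, then
# --join / --get" workflow. Assumes each `firejail --list` line starts with
# "PID:user:" followed by the sandbox command line.

# Print the PIDs of all sandboxes whose --list line contains PATTERN.
# Reads `firejail --list` output on stdin so it can be exercised offline.
jail_pids() {
    pattern=$1
    awk -F: -v pat="$pattern" 'index($0, pat) { print $1 }'
}

# Resolve PATTERN to exactly one PID. Fails if nothing matches or, the usual
# surprise with two private chrome sandboxes, more than one matches.
jail_pid() {
    pids=$(jail_pids "$1")
    [ -n "$pids" ] || { echo "no sandbox matches '$1'" >&2; return 1; }
    [ "$(printf '%s\n' "$pids" | wc -l)" -eq 1 ] ||
        { echo "ambiguous, matching PIDs: $(printf '%s' "$pids" | tr '\n' ' ')" >&2; return 2; }
    printf '%s\n' "$pids"
}

# Join a shell to the one sandbox matching PATTERN.
jail_join() {
    pid=$(firejail --list | jail_pid "$1") || return
    firejail --join="$pid"
}

# Copy PATH out of the one sandbox matching PATTERN. firejail --get writes
# the file into the current directory, so cd to where you want it first.
jail_get() {
    pid=$(firejail --list | jail_pid "$1") || return
    firejail --get="$pid" "$2"
}

# Constructed sample of --list output, used for offline testing only.
SAMPLE_LIST='3452:alice:firejail --private google-chrome
5255:alice:firejail --private google-chrome --proxy-server=socks5://localhost:8080
6001:alice:firejail --private firefox'
```

Usage on a live box is `jail_join proxy-server` or `jail_get proxy-server ~/.config/google-chrome/Default/Cookies`; `jail_get google-chrome` would stop with an "ambiguous" message against the sample above because two sandboxes match.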

Port Forwarding with FirewallD for a Reverse Shell
Author: admin

As an "Ethical Hacker" I find it necessary at times to perform port forwarding, for many reasons... I usually just use iptables rules to do that, and then along came FirewallD. FirewallD still uses iptables underneath, so my old rules still work, but I also wanted a way to do the port forwarding through the FirewallD tooling itself, so that my rules fit in nicely with the ones already on most Linux systems running FirewallD.

Take for example a RedHat or CentOS system, say version 7, that I want to use as a traffic proxy of sorts: when my reverse shell connects, it looks like it is connecting to this server, when in reality the iptables/FirewallD port forward is sending the traffic on to my box. We will call the location of my reverse shell the Client, we will call the […]
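The forward itself is two firewall-cmd settings on the CentOS 7 box: masquerading (which turns on IP forwarding and rewrites the source address, so the connection reaches my box from the CentOS host's IP and the replies go back the same way instead of straight to the Client) and a forward-port rule. The script below is an added example, not from the original post; it assumes the CentOS box's outside interface is in the "public" zone, that the reverse shell calls back on 443/tcp, and that my box behind it is 10.0.0.5 listening on 4444. All of those values are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Forward a port on a CentOS 7
# firewalld host to another machine so a reverse shell that connects to the
# CentOS box is delivered to my box behind it.
# Assumed values: zone "public", listen on 443/tcp, deliver to 10.0.0.5:4444.

# Accept only 1..65535.
is_port() {
    case "$1" in '' | *[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the value for --add-forward-port / --remove-forward-port and refuse
# nonsense (bad ports, unknown protocol, non-IPv4 address) before it reaches
# firewall-cmd.
forward_spec() {
    port=$1 proto=$2 toport=$3 toaddr=$4
    is_port "$port" && is_port "$toport" || return 1
    case "$proto" in tcp | udp) ;; *) return 1 ;; esac
    case "$toaddr" in '' | *[!0-9.]*) return 1 ;; esac
    printf 'port=%s:proto=%s:toport=%s:toaddr=%s\n' "$port" "$proto" "$toport" "$toaddr"
}

# Masquerade is required for forwarding to another host: firewalld enables
# IP forwarding and SNATs the traffic so the replies come back through here.
apply_forward() {
    zone=$1 spec=$2
    firewall-cmd --zone="$zone" --permanent --add-masquerade
    firewall-cmd --zone="$zone" --permanent --add-forward-port="$spec"
    firewall-cmd --reload
}

# Undo the forward when the engagement is over.
remove_forward() {
    zone=$1 spec=$2
    firewall-cmd --zone="$zone" --permanent --remove-forward-port="$spec"
    firewall-cmd --zone="$zone" --permanent --remove-masquerade
    firewall-cmd --reload
}

# Usage: ./fwd.sh apply   or   ./fwd.sh remove
case "${1:-}" in
    apply)  spec=$(forward_spec 443 tcp 4444 10.0.0.5) || exit 2; apply_forward public "$spec" ;;
    remove) spec=$(forward_spec 443 tcp 4444 10.0.0.5) || exit 2; remove_forward public "$spec" ;;
esac
```

Check the result with `firewall-cmd --zone=public --list-all`; the forward-ports line should show the spec the script built, and masquerade should read yes.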

A little ssh honeypot fun
Author: admin

I say honeypot, but really it isn't a honeypot... it is something I am using to log/capture data from malicious individuals, so thus the reason I say honeypot. I want to edit sshd to log all user/password attempts. On CentOS 7:

yum install git make zlib-devel openssl-devel openssh-devel pam-devel screen autoconf gcc vim-enhanced lsof
git clone https://github.com/openssh/openssh-portable.git
cd openssh-portable/
autoreconf
./configure
vim auth-passwd.c

(add in my little log code in the auth_password function)

//for Lanix
logit("sshd credentials:%s:%s", authctxt->user, password);

make

Keep in mind this writes every password tried, including any real user's, in plaintext to syslog, so only do this on a box that has no accounts you care about. We are going to use the built-in sshd_config and the current ssh_host_keys to prevent anyone remote from easily identifying the trap.

cp /etc/ssh/sshd_config /root/

(modify this, as there are multiple options we didn't compile into our sshd and errors will be thrown; also, to test, I run it first on a different port)

cp /etc/ssh/ssh_host_* /root/
chmod 0600 /root/ssh_host_*
/root/openssh-portable/sshd -f sshd_config -D

(I test with the -D so that I can easily […]
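Once the patched sshd is running, the interesting part is what the credential lines add up to. Below is an added example, not from the original post, that summarises them: the log line shape it assumes is the normal syslog prefix followed by the exact text the logit() call above produces ("sshd credentials:USER:PASSWORD"), and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): summarise what the patched
# sshd logs. Assumed line shape: "<syslog prefix> sshd[PID]: sshd credentials:USER:PASSWORD".

# Emit "user:password" for every credential line, ignoring other sshd noise.
cred_pairs() {
    sed -n 's/.*sshd credentials:\(.*\)$/\1/p'
}

# Count each user:password pair, most frequent first, as "count user:password".
cred_counts() {
    cred_pairs | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# The single most-tried pair.
top_cred() {
    cred_counts | head -n 1
}

# Distinct passwords tried per user name, as "count user". A password may
# itself contain ':' (user names cannot), so split only on the first colon.
passwords_per_user() {
    cred_pairs | awk -F: '{
        user = $1
        pw = substr($0, length(user) + 2)
        if (!seen[user SUBSEP pw]++) n[user]++
    } END { for (u in n) print n[u], u }' | sort -rn
}

# Constructed sample of /var/log/secure lines, for offline testing only
# (203.0.113.9 is a documentation address).
SAMPLE_LOG='Mar  3 10:14:01 trap sshd[1234]: sshd credentials:root:123456
Mar  3 10:14:01 trap sshd[1234]: Failed password for root from 203.0.113.9 port 51122 ssh2
Mar  3 10:14:03 trap sshd[1235]: sshd credentials:root:password
Mar  3 10:14:05 trap sshd[1236]: sshd credentials:admin:admin
Mar  3 10:14:07 trap sshd[1237]: sshd credentials:root:123456
Mar  3 10:14:09 trap sshd[1238]: sshd credentials:root:r00t:pw'
```

On the live box run `cred_counts < /var/log/secure` (or wherever your syslog puts the auth facility); the "Failed password" line in the sample is there to show that other sshd messages are ignored.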

zlib.h missing on kali?
Author: admin

I have found that some of the tools I am utilizing and need to compile require zlib.h, and that header is in the zlib1g-dev package, so:

apt install zlib1g-dev

TheHarvester on Kali - and dns brute force
Author: admin

Just a quick note: while performing recon for a customer I struggled with the dns-names.txt issue on Kali. Basically, theHarvester looks for a file named dns-names.txt in the current directory when you ask it to perform a DNS brute force (the "-c" option). The good news is the file exists in two spots on a Kali box:

yourname@kali:~/Desktop$ locate dns-names.txt
/usr/share/golismero/tools/theHarvester/dns-names.txt
/usr/share/golismero/tools/theHarvester/discovery/dns-names.txt

So the easiest workaround until this gets fixed is to copy one of these files into your current directory. On my box both were the exact same file.

Patterns in passwords
Author: admin

Funny thing about people and passwords, and just about anything really: we get comfortable with certain things. For example, you probably know of a family where all the kids' first names start with the same letter. Kids tend to be a little more creative, but adults tend to hold onto things, similar things. Let's look at passwords. Now keep in mind I am not saying everyone is like this, you may not be, but chances are the majority of people will have a password that is similar in structure. Let's say this is your password: Cathat89! Your original password was probably something similar to you; say you liked Cat in the Hat, and you were born in the year 1989. The content of the password will change over time, but the structure could stay the same. You see how the first character is a capital, then there are several lower case […]
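That structure is exactly what a hashcat mask describes (?u upper, ?l lower, ?d digit, ?s everything else), so Cathat89! is ?u?l?l?l?l?l?d?d?s. The script below is an added example, not from the original post: it reduces passwords to masks and counts which structures a population favours, which is the order you would feed to a mask attack. The password list it carries is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): hashcat-style structure masks
# for passwords, one password per line on stdin.

# Mask every line on stdin. LC_ALL=C keeps the character classes ASCII.
masks() {
    LC_ALL=C awk '{
        m = ""
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if      (c ~ /[A-Z]/) m = m "?u"
            else if (c ~ /[a-z]/) m = m "?l"
            else if (c ~ /[0-9]/) m = m "?d"
            else                  m = m "?s"
        }
        print m
    }'
}

# Mask for a single password: Cathat89! -> ?u?l?l?l?l?l?d?d?s
password_mask() {
    printf '%s\n' "$1" | masks
}

# Most common masks first, as "count mask". Feed the masks to hashcat -a 3
# in this order.
mask_histogram() {
    masks | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Constructed sample of cracked passwords, for offline testing only.
SAMPLE_PASSWORDS='Cathat89!
Summer17!
Winter2017
Dogdog12!
P@ssw0rd'
```

Run `mask_histogram < cracked.txt` over the passwords you have already recovered from an audit; the top few masks usually cover a large share of the population and tell you what to try first on the rest.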

Create a targeted wordlist - to use with password audits
Author: admin

There are lots of ways to create a wordlist: you can just generate them, find pre-built ones online, etc. In this case I want to create a wordlist that contains components specific to the organization I am auditing.

cupp is good if you know details about individuals:

cupp -i

cewl is good to scrape a website for words:

cewl https://customer-site.com -v -w cewl-wordlist-customer-site.txt

There are other options, like following links more than 2 deep (the -d option), or only keeping words of at least 8 characters (-m 8), or, if you feel crazy, the -o option will spider off to other sites.

Windows (windblows) password audit notes
Author: admin

Well, it's that time of the year/quarter/month... whatever policy you have on performing the password audit. Some of my notes are from references that are a few years old, so I am not sure if they will be around much longer; I hope so, they have good info. Keep in mind I am using Kali 2017.1 for my fun today.

First, the Windows password audit, or as I call it, the Windblows Password Audit.

Retrieve the ntds.dit and SYSTEM files (notes from https://www.cyberis.co.uk/2014/02/obtaining-ntdsdit-using-in-built.html):

C:\>ntdsutil
ntdsutil: Activate Instance ntds
ntdsutil: ifm
ifm: create full c:\cool-pass-pentest-audit
ifm: quit
ntdsutil: quit

Copy the c:\cool-pass-pentest-audit folder to your Kali box and install libesedb-utils:

apt install libesedb-utils

Export the ntds tables (same reference as above):

esedbexport -m tables ntds.dit

(this may take a while... a long while)

Now we need to extract the hashes. Currently I am using https://github.com/csababarta/ntdsxtract:

git clone https://github.com/csababarta/ntdsxtract.git
python ntdsxtract/dsusers.py ntds.dit.export/datatable.4 ntds.dit.export/link_table.6 hashdumpwork --syshive SYSTEM --passwordhashes --lmoutfile […]

SSH proxy through my VM cloud server (using firejail and chrome)
Author: admin

Oh... you have country blocking turned on at the firewall, or some other web filter or firewall that is preventing you from viewing a website. Keep in mind you do need a server you have access to via ssh. I like cloud servers; they tend to not have web filters, lol.

First we need to set up the ssh SOCKS5 proxy. We will ssh into our VM (virtual machine server) and proxy through there on local port 8080:

ssh -D 8080 myuser@myserver.mydomain

Now, keep in mind I am using Kali 2017.1 for this next part, but you can use other distros and even configure other browsers to connect to your localhost:8080 proxy. I am using firejail and google-chrome. Firejail allows me to have an independent, isolated browser running, so I can still have my regular browser up and running as needed. This is how we connect:

firejail --private google-chrome --proxy-server="socks5://localhost:8080"

Boom, good […]
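The plain `ssh -D` keeps a terminal busy and leaves no clean way to check or stop the tunnel. The script below is an added example, not from the original post: it runs the same SOCKS tunnel in the background over an ssh control socket so it can be checked and shut down, and only launches the sandboxed browser while the tunnel is up (Chrome does not fall back to a direct connection when the proxy is down; every page just fails). The server name myuser@myserver.mydomain and port 8080 come from the post; the socket path and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): SOCKS tunnel lifecycle for
# the firejail + chrome setup. Assumed: PROXY_HOST is the cloud server from
# the post, SOCKS_PORT is the local SOCKS port, CTL is the ssh control socket.

SOCKS_PORT=${SOCKS_PORT:-8080}
PROXY_HOST=${PROXY_HOST:-myuser@myserver.mydomain}
CTL=${CTL:-$HOME/.ssh/proxy.sock}

# Chrome's proxy argument for a SOCKS port; rejects anything outside 1..65535.
proxy_arg() {
    case "$1" in '' | *[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ] || return 1
    printf '%s\n' "--proxy-server=socks5://localhost:$1"
}

# -M makes this connection the control master on socket CTL, -f -N sends it
# to the background with no remote command, -D opens the local SOCKS listener.
start_proxy() {
    ssh -M -S "$CTL" -f -N -D "$SOCKS_PORT" "$PROXY_HOST"
}

# Exit status 0 only while the master connection is alive.
proxy_running() {
    ssh -S "$CTL" -O check "$PROXY_HOST" >/dev/null 2>&1
}

# Tear the tunnel down, which also closes the SOCKS listener.
stop_proxy() {
    ssh -S "$CTL" -O exit "$PROXY_HOST"
}

# Sandboxed chrome through the proxy; refuses to start if the tunnel is down.
browse() {
    proxy_running || { echo "SOCKS tunnel is not up; run start_proxy first" >&2; return 1; }
    firejail --private google-chrome "$(proxy_arg "$SOCKS_PORT")"
}
```

Typical session: `start_proxy`, then `browse`, then `stop_proxy` when done. Because the control socket belongs to the user that created it, a `--join`ed shell inside the sandbox can also use `-S "$CTL"` to reuse the same authenticated connection.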