Author Archives: admin


TheHarvester on Kali – and dns brute force

Just a quick note: while performing recon for a customer I struggled with the dns-names.txt issue on Kali. Basically theHarvester looks for a file named dns-names.txt in the current directory when you ask it to perform a DNS brute force (the "-c" option). The good news is the file exists in two spots on a Kali box:

    yourname@kali:~/Desktop$ locate dns-names.txt
    /usr/share/golismero/tools/theHarvester/dns-names.txt
    /usr/share/golismero/tools/theHarvester/discovery/dns-names.txt

So the easiest workaround until this gets updated is to copy one of these files into your current directory. On my box both were the exact same file.

Patterns in passwords

Funny thing about people and passwords... just about anything really, we get comfortable with certain things. For example, you probably know of a family where all the kids' first names start with the same letter. Kids tend to be a little more creative, but adults tend to hold onto things, similar things. Let's look at passwords. Now keep in mind I am not saying everyone is like this, you may not be, but chances are... the majority of people will have a password that is similar in structure. Let's say this is your password: Cathat89! Your original password was probably something personal to you: say you liked Cat in the Hat, and you were born in the year 1989. The content of the password will change over time... but the structure could stay the same. You see how the first character is a capital, then there are several lower case […]

Create a targeted wordlist – to use with password audits

There are lots of ways to create a wordlist: you can just generate them, find pre-built ones online, etc. In this case I want to create a wordlist that contains components specific to the organization I am auditing.

cupp is good if you know details about individuals:

    cupp -i

cewl is good to scrape a website for words:

    cewl https://customer-site.com -v -w cewl-wordlist-customer-site.txt

There are other options, like following links more than 2 deep (the -d option), or only keeping words larger than 8 characters (the -m 8 option), or, if you feel crazy, the -o option, which will spider to other sites.

Windows (windblows) password audit notes

Well, it's that time of the year/quarter/month... whatever policy you have on performing the password audit. Some of my notes are from references that are a few years old, so I'm not sure if they will be around much longer; I hope so, they have good info. Keep in mind I am using Kali 2017.1 for my fun today.

First, the Windows password audit, or as I call it, the Windblows Password Audit.

Retrieve the ntds.dit and SYSTEM file (notes from https://www.cyberis.co.uk/2014/02/obtaining-ntdsdit-using-in-built.html):

    C:\>ntdsutil
    ntdsutil: Activate Instance ntds
    ntdsutil: ifm
    ifm: create full c:\cool-pass-pentest-audit
    ifm: quit
    ntdsutil: quit

Copy the c:\cool-pass-pentest-audit folder to your Kali box and install libesedb-utils:

    apt install libesedb-utils

Export the ntds tables (this may take a while... a long while):

    esedbexport -m tables ntds.dit

Now we need to extract the hashes. Currently I am using https://github.com/csababarta/ntdsxtract:

    git clone https://github.com/csababarta/ntdsxtract.git
    python ntdsxtract/dsusers.py ntds.dit.export/datatable.4 ntds.dit.export/link_table.6 hashdumpwork --syshive SYSTEM --passwordhashes --lmoutfile […]

SSH proxy through my VM cloud server (using firejail and chrome)

Oh... you have country blocking turned on at the firewall, or some other web filter or firewall that is preventing you from viewing a website. Keep in mind you do need a server you have access to via ssh; I like cloud servers, they tend to not have web filters... lol

First we need to set up the ssh SOCKS5 proxy. We will ssh into our VM (virtual machine server) and proxy through there on local port 8080:

    ssh -D 8080 myuser@myserver.mydomain

Now, keep in mind I am using Kali 2017.1 for this next part, but you can use other distros and even configure other browsers to connect to your localhost:8080 proxy. I am using firejail and google-chrome. Firejail allows me to have an independent isolated browser running so I can still have my regular browser up and running as needed. This is how we connect:

    firejail --private google-chrome --proxy-server="socks5://localhost:8080"

Boom, good […]

SaintCon2015 – presentation slides and notes

SaintCon 2015 was great! I presented on the first day, on "Cracking Wireless". I had just a couple of hiccups with my demos, but I had 4 laptops with me and about 10 wireless access points, so I had backups to my backups... Here are the updated slides and notes:

    LanceGrover-CrackingWireless-SaintCon2015 (PDF)
    LanceGrover-CrackingWireless-SaintCon2015 (Notes)

limit ssh to specific hosts with firewalld (firewall-cmd)

Here is a little reminder on how to limit ssh (or any port really) to a specific IP using firewalld:

    systemctl start firewalld.service
    systemctl enable firewalld.service

    # put the allowed hosts in the trusted zone (runtime, then permanent)
    # note: the trusted zone accepts all traffic from these sources, not only ssh
    firewall-cmd --zone="trusted" --add-source=<external IP 1>
    firewall-cmd --zone="trusted" --add-source=<external IP 1> --permanent
    firewall-cmd --zone="trusted" --add-source=<external IP 2>
    firewall-cmd --zone="trusted" --add-source=<external IP 2> --permanent

    # allow ssh for the trusted zone and confirm the result
    firewall-cmd --zone="trusted" --add-service=ssh
    firewall-cmd --zone="trusted" --add-service=ssh --permanent
    firewall-cmd --zone="trusted" --list-all

    # finally remove ssh from the public zone so only the trusted sources reach it
    firewall-cmd --zone=public --remove-service=ssh
    firewall-cmd --zone=public --remove-service=ssh --permanent

pyrit – gpu wpa/wpa2 cracking

A little more on cracking WPA/WPA2 passphrases... Why not bring in the GPU? There is a fun little program called pyrit. It does seem to require a wordfile though; I may have to try piping in JTR like we did with aircrack-ng. Anyway, here is a little tutorial: https://code.google.com/p/pyrit/wiki/Tutorial

Basically you take the cap file you made using airodump-ng and do something like this (this one requires that you have imported passwords into its database):

    pyrit --all-handshakes -r WPAcrack-01.cap attack_batch

How about a little aircrack of wpa?

Make sure you own the network/wireless access point or have permission to attack/break in to the WPA network you are attacking before you start. In this case I got permission, and I have several witnesses and documentation to support it.

First, do this to find the network:

    airodump-ng -i wlan1

Focus in on that one network WAP and capture the goodies:

    airodump-ng --bssid 00:1E:52:78:AA:5C -c6 --write WPAcrack wlan1

On another interface, do a deauth to force devices to reconnect:

    aireplay-ng --deauth 100 -a 00:1E:52:78:AA:5C wlan2

Notice the "WPA handshake: 00:1E:52:78:AA:5C" at the top of the airodump screen? Now crack it with this:

    aircrack-ng WPAcrack-01.cap -w /usr/share/wordlists/dirb/big.txt

or by using John the Ripper:

    john --incremental=all --session=WirelessBrute --stdout | aircrack-ng -a 2 -b 00:1E:52:78:AA:5C WPAcrack-01.cap -w -

Resume works as well:

    john --restore=WirelessBrute | aircrack-ng -a 2 -b 00:1E:52:78:AA:5C WPAcrack-01.cap -w -

The other one I am doing right now:

    john --incremental=all --session=BruteRockSteady […]

Proxy web traffic through your linux server?

sshuttle is a fun little application that basically acts as a quick and easy VPN over ssh. As an ethical hacker you can also use this to proxy your traffic over this connection... think of the possibilities. This is an easy one to set up: first, on the server side, just make sure you have Python installed. Then on the client side you need to have sshuttle installed, and you will need root level access since you are changing routing and firewall rules. Now to actually start routing traffic over ssh:

    sshuttle -r username@sshserver 0.0.0.0/0 -vv

To route DNS traffic as well:

    sshuttle --dns -vvr username@sshserver 0/0