How to Backup and Restore phpIPAM

phpIPAM is an awesome IP address management application. I have used it for many years and really like it. In this guide I will show you how you can schedule automatic backups of your IPAM and how you easily can restore the database if something goes wrong.

Schedule automatic backups

  1. Create backup folder
    mkdir /mnt/backups/phpipam/db/
  2. Create a file for your credentials
    This is done to prevent the credentials to be stored in clear text inside crontab.
    touch ~/.msql.cnf
    vim ~/.msql.cnf
    #[mysqldump]
    #user=root
    #password=*yoursupersecretpassword*
  3. Restrict permissions to file
    chmod 600 ~/.msql.cnf
  4. Add to cron – backup the database every day at 23:00
    crontab -e
    0 23 * * * mysqldump --defaults-file=~/.msql.cnf phpipamdb01 > /mnt/backups/phpipam/db/phpipamdb01_$(date +"%F")_bak.sql

Remove old backups

You can easily remove your old backups (30 days+) by running the command below.
find /mnt/backups/phpipam/db/ -ctime +30 -delete

So what you can do is just adding that command to crontab like I showed you in the example above. But I personally don’t like that approach because if someone changes the date/time on your server there is a risk that all of the backups gets removed and you don’t want to risk that. To make sure that the time is configured correctly you can first verify that NTP is synchronized before you remove the old backup files. (This of course assumes that your NTP servers provides you with the correct time) You can create a simple bash script that will verify that NTP is being synchronized and if it’s not synchronized you will get notified by email:

  1. Create the script
    vim rm-old-backups.sh
    # #!/bin/bash
    # #Simple script to remove old phpIPAM backups if NTP i synced.
    # #By: Rickard Carlsson (@tzusec)
    # #IF NTP WORKS THEN REMOVE FILES
    # if (ntpstat | grep -qF "synchronized to NTP server")
    # then
    #_____find /mnt/backups/phpipam/db/ -ctime +30 -delete
    # else
    # ____mail -s "NTP-error - Backups won't be deleted" rickard@tzusec.com <<< 'NTP wasn't synced so no old backups were removed.'
    # fi

  2. Make the script executable
    chmod +x rm-old-backups.sh
  3. Verify that it works as expected
    Manually run the script to make sure that is works as you want.
  4. Add it to cron – remove old backups once every day at 23:30
    crontab -e
    30 23 * * * /root/rm-old-backups.sh

Restore database

  1. Locate the backup you want to use
    ls -l /mnt/backups/phpipam/db/
  2. Restore the database from the backup
    mysql -u root -p phpipamdb01 < /mnt/backups/phpipam/db/phpipamdb01_*DATE*_bak.sql

I hope this guide was useful for you. Reach out to me on twitter @tzusec if you have any questions.

Find all non-default services on you Windows machine with Powershell

I just released a new video on Youtube where I show you how to use my new Powershell script for getting a list of all services that run on your windows machine that are not default services. You probably won’t need a video instruction on how to run a simple Powershell script but I’m sure it can help someone who is not so familiar with scripts.

The script is not something fancy, just a simple script that will list all non-default services and show you the info you might want to know.

  • Display Name
  • State
  • Start Mode
  • Status
  • Process ID
  • Exe Path
  • Description

Here is a link to the video if you want to check it out 🙂

// Rickard

Review – Terraform Associate Certification

In this blog post I will give my review on the latest certification I obtained, Hashicorp Terraform Associate. I will start by describing what Terraform is and then give you my take on how to study to pass this exam at your first attempt.

What is Infrastructure as Code (IaC)

If you are not familiar with the concept of IaC I would recommend you to watch this quick explanation.

What is Terraform

Terraform is an open-source software tool for IaC created by HashiCorp. The tool helps users to define and provision a cloud infra the Hashicorp Configuration Language (HCL), or optionally JSON. Three days ago they also released a CDK with Python and Typescript support. Terraform supports most of the big of cloud infrastructure providers.

Exam details

The exam is online based and you will be monitored by a proctor. To be able to do the exam you will need to have a webcam, speakers, a microphone and the zoom client installed.

  • Exam format: (Link to Sample questions)
    • Multiple Choice Questions (MCQs)
    • Multiple Answer Questions (MAQs)
    • True or False
    • Text match questions.
  • No of questions: 57
  • Exam duration: 1 hour
  • Exam cost: The website says $70.50 plus taxes, for me the total cost including taxes were around 90 euro which is very cheap compared to other certifications.

Study plan

In this section I will describe how I recommend that you study for this exam. When talking about certifications people always wonder how long time it takes to study for the exam. The answer to that question is the same as always, it depends on your background, your motivation to learn, how much time you can put into it and how easy you have to learn new stuff.

I had no prior knowledge of IaC before starting to study for this exam and I was able to learn the concepts to pass this exam in around two weeks. I have heard people saying that it is recommended to have 1-2 years of experience with Terraform before taking the exam but I don’t think that is necessary.

If you follow my study plan below I don’t think that you will have any problems with passing the exam.

  1. Official HashiCorp study material
    Begin by reading the official study guide.

    If you have some experience with Terraform and just want to fresh up your skills before the exam you can read the official exam review instead.

  2. Spin up a Lab environment
    I used Microsoft Azure for this since I’m familiar with Azure and the fact that Microsoft offer you a $200 credit to explore Azure for 30 days. I think that most cloud providers offer similar stuff so choose the cloud provider of your taste and spin up a lab environment.

    Installation guide and videos on how to get started are included in the study guide but here is a link directly to the installation video.

  3. Video courses combined with lab time
    My third recommendation is to watch some video courses. Learning from videos is my personal favorite and I really recommend that you watch the videos and try to follow the instructor in your own lab environment. The best video series I found online was on Youtube and it was created by Will Brock. Really awesome content that I highly recommend you to watch.
  1. Practice exams
    When you feel like you understand everything in the videos and have spent some hours in you lab environment I recommend you to do some practice exams so you get a feeling on how the questions will be structured on the real exam. I did some practice exams on Udemy after getting a free voucher from the creator. He shared it in the subreddit /r/Terraform so keep an eye there.

    I also found an awesome blog post by a guy named Bhargav Bachina. He goes through each of the exam objectives and have created practice questions based on the objectives. In total there are 250 questions. I really recommend you to read this one.

Summary

When you have completed the steps above you should be ready for the exam. I think that the exam was very fair and I would say that 60min is more than enough time. I think that I had around 20 minutes left when I pressed submit.

In summary I would say that Terraform is a really awesome tool and that the certification was fun. I hope you liked this post. If you have any questions, feel free to send me an email or contact me at twitter. (@tzusec)

// Rickard

Cracking KeePass Database

In this post I will describe how you can crack a KeePass Database file (.kdbx) in an easy way. Or to be correct we are not cracking the DB, we are cracking the password hash.

To demonstrate this I created a new database that I called “SecretDB.kdbx” and our mission will be to find out which master password I chose for the database.

Keepass-DB-file

To be able to crack the hash we will need to extract and save it and that can be done with the John the ripper utility tool “keepass2john“. It comes with Kali Linux so you don’t have to install it.

What you do to extract the hash is really simple, you just run:

keepass2john SecretDB.kdbx


You can also send the output to a file by adding “>” like I did in the screenshot below.

keepass2john SecretDB.kdbx > Keepasshash.txt

keepass2john-screenshot

We now have our hash ready to be cracked. In this example we will try to crack it using a dictionary and John the ripper. I used a modified version of rockyou.txt as dictionary. You can also use other great cracking tools like hashcat but I went with john here.

We run john and specify our custom wordlist with “–wordlist” parameter and then define our hash file.

john --wordlist=rockyou.txt KeepassHash.txt

We then just let it run for some time and as soon as we crack the hash it will be displayed. As you can see in the screenshot we did crack the hash and the password of this SecretDB.kdbx-database was “SuperSecretPassword2020”.

I hope you found this post useful and make sure to not use weak password for your database.

// Rickard

How to crack hashes with John the Ripper – Linux

In this post I will show you how you can crack passwords with John the Ripper. We will start off by collecting the hashes from a linux machine, then use the tool unshadow and at last crack the hashes with John the Ripper.

john the ripper

1 – Collect hashes from a Linux machine
We will start with collecting the hashes from the target machine. We will need both /etc/passwd and /etc/shadow. Save them to your Kali Linux machine, preferably on the desktop. It can be done with the following commands.
cat /etc/passwd > ~/Desktop/passwd.txt

/etc/passwd

cat /etc/shadow > ~/Desktop/shadow.txt

/etc/shadow


2 – Combine passwd and shadow with unshadow
Now we need to combine these two files into one. This can be done with the tool unshadow.
unshadow passwd.txt shadow.txt > hashtocrack.txt

unshadow passwd and shadow files


3 – Crack with John
Now we are ready to crack the hashes. John can run in different modes. You can use wordlists or straight brute force. The method I will use in this example is wordlist mode since that is the most effective way. Brute forcing takes a lot of time and I recommend you to only use it as a last resort when your wordlists won’t crack the hashes. In this example we define the wordlist to use to the built in rockyou.txt.
john --wordlist=/usr/share/wordlists/rockyou.txt hashtocrack.txt

crack with rockyou.txt

4 – Show cracked credentials
If you let john run you will be prompted with the credentials as soon as they have been cracked. In this example we can see that the the password for the user SuperAdmin was Password1.

We can also come back at a later time and check the credentials again by defining the unshadowed file and add the parameter –show.

john hashtocrack.txt --show

//Rickard

O.MG-CABLE – How To Get Started

This guide will help you get started with the O.MG-cable. When you open your package it should include three things:

  1. A card with instructions
  2. The programmer
  3. The OMG-cable
OMG-cable

If you read the instruction card you will see that you can find instructions on how to get started at https://o.mg.lol/setup. You will there find a link to the Github project where you can download the latest firmware that we will use to flash the cable.

Download the firmware by clicking on the link to the .zip-file. You will then need to unzip the file and you can do that by navigating to your download folder and run:
unzip O.MG_cable-Firmware_v1.4.0.zip

Then move into the new folder and you will see the following files.

folder

The next step is to plug in the programmer in your computer and then plug in the cable into the programmer. You are now ready to flash your cable and you do that by running the flash_linux:

./flash_linux

You will be able to either program it into Station or Access Point mode. In this case just go by default (AP mode) by pressing Enter. When the flashing is done you are ready to use the cable.

Flashing OMG

Disconnect the programmer from your computer and plug in your cable. Wait for ~60 seconds and then connect to the cable via WiFi with the default credentials above. When you are connected to the cables wireless network you can open a web browser and browse to http://192.168.4.1 and you will get to the UI.

Now you are ready to run your first scripts. Good luck!

// Rickard

How to use Undercover-mode in Kali Linux

Yesterday a new version of Kali Linux were released, Kali 2020.1. You can download it here. Make sure that you have read the release notes to make sure that you don’t break anything you don’t want.

Upgrade your existing machine:

  1. Run sudo apt full-upgrade -y
  2. Wait for the job to finish.
  3. Verify that you got the new version by running
    cat /etc/os-release
    Verify-installation

How to use undercover mode in Kali Linux 2020.1:
Undercover mode is a new feature for version 2020.1 that will help you hide that you are a super elite hacker when you are out in public by temporarily changing the desktop to look like a Windows 10 machine. I’m not sure I see the real use cases for this but it’s actually a funny feature. To use it you just need to run kali-undercover.

Kali undercover

After a few seconds you will see a Windows 10-like appearance, pretty cool.

Windows10-like-Kali-Linux

omg-cable finally arrived

Since @_MG_ posted the first video of his O.MG-cable about a year ago I have been so excited and followed his work closely from twitter and on his blog .

Now the cable can be bought in hak5s shop and as soon as it was available in the shop I placed an order. I really enjoy hacking gadgets and have really enjoyed playing with BadUSB so the thought of now being able to run the same payloads on command via a lightning cable with an implant is out of this world.

OMG-cable and programmer
The cable looks and feels exactly like a real cable from Apple. Insane!

The price in the shop is $129 and I paid ~$170 + duty for the cable including shipping to Sweden. I was surprised on how quickly I received it. I got the cable delivered within two working days from USA. Unfortunately I got the first cable with hardware fault so I had to wait some more time.

WhyMe-Meme

I spent some hours troubleshooting the cable together with MG himself via Slack and after we verified that the cable was faulty he told me to get a replacement cable. MG seems like a really good guy and I really appreciate what he has done with this cable. On the other hand the support from Hak5 were really slow and a disappointment. Without the help from MG I would probably have had to wait months to get a new replacement cable. Three weeks after getting the faulty cable I now have a new cable in my hand which works perfect so I’m really happy now.

I didn’t have too much time to spend this evening but after flashing the cable with the firmware I tried some basic payloads and it seems to be working great. Later this week I will try to record while I run some of my best (most evil) payloads so I can share it with you and show you which possibilities you have with this cable.

excited-meme
Copyright © 2022