Since @_MG_ posted the first video of his O.MG cable about a year ago I have been really excited and have followed his work closely on Twitter and on his blog.
Now the cable can be bought in Hak5's shop, and as soon as it was available I placed an order. I really enjoy hacking gadgets and have had a lot of fun playing with BadUSB, so the thought of being able to run the same payloads on command via a Lightning cable with an implant is out of this world.
The price in the shop is $129 and I paid ~$170 including shipping and duty to Sweden. I was surprised by how quickly I received it: the cable was delivered within two working days from the USA. Unfortunately the first cable I got had a hardware fault, so I had to wait some more time.
I spent some hours troubleshooting the cable together with MG himself via Slack, and after we verified that the cable was faulty he told me to get a replacement. MG seems like a really good guy and I really appreciate what he has done with this cable. The support from Hak5, on the other hand, was really slow and a disappointment; without MG's help I would probably have had to wait months for a replacement. Three weeks after getting the faulty cable I now have a new one in my hand which works perfectly, so I'm really happy now.
I didn't have much time to spend this evening, but after flashing the cable with the firmware I tried some basic payloads and it seems to be working great. Later this week I will try to record while I run some of my best (most evil) payloads so I can share it with you and show you what this cable makes possible.
This post is about httprobe, which is a tool for quickly probing for active HTTP and HTTPS servers. If you have a list of subdomains you can quickly check which of them are active by using this tool. httprobe is available on GitHub and was created by Tom Hudson (@tomnomnom on Twitter).
2. Download httprobe by running: go get -u github.com/tomnomnom/httprobe
3. If you used my guide to install Go you can now find httprobe at: /root/go-workspace/bin/httprobe
Basic usage: To use httprobe you need to print out your domains and pipe them to httprobe. In the example below we use cat to read domains.txt and pass its content to httprobe:
cat domains.txt | httprobe
Adding extra ports: By default httprobe probes for HTTP on port 80 and HTTPS on port 443. We can add other ports with the ‘-p’ parameter:
cat domains.txt | httprobe -p http:8080 -p https:8443
Skip default ports and only probe the defined ports: By adding the ‘-s’ parameter the default ports are ignored:
cat domains.txt | httprobe -s -p http:8080 -p https:8443
Specify a timeout: If you know that the response time of the target server might be high you can specify a custom timeout with the ‘-t’ parameter. The time is given in milliseconds:
cat domains.txt | httprobe -t 10000
Combine with other tools: You can combine httprobe with other tools such as assetfinder. If you don’t know about assetfinder you can read my earlier post that helps you get started with it.
One example of how you can chain assetfinder with httprobe:
assetfinder --subs-only yahoo.com | httprobe -s -p http:80
In the example we first searched for subdomains of yahoo.com and piped the result to httprobe to find out which of the subdomains were listening on port 80.
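As an added example (not httprobe's own code), here is a minimal prober in Go that behaves like the commands above: it reads hostnames from stdin, tries http:80 and https:443 unless -s is given, accepts extra -p scheme:port targets and a -t timeout in milliseconds, and prints every URL that returned any HTTP response. The file name probe.go and the flag names are chosen to mirror httprobe; the probing here is sequential, whereas the real tool runs many requests concurrently.

```go
package main

import (
	"bufio"
	"crypto/tls"
	"flag"
	"fmt"
	"net"
	"net/http"
	"os"
	"strings"
	"time"
)

// Target is one scheme/port pair to try for every host, e.g. {"https", "8443"}.
type Target struct {
	Scheme string
	Port   string
}

// DefaultTargets mirrors httprobe's defaults: http on 80 and https on 443.
var DefaultTargets = []Target{{"http", "80"}, {"https", "443"}}

// ParseTarget accepts the "-p scheme:port" form, e.g. "http:8080".
func ParseTarget(spec string) (Target, error) {
	parts := strings.SplitN(spec, ":", 2)
	if len(parts) != 2 || (parts[0] != "http" && parts[0] != "https") || parts[1] == "" {
		return Target{}, fmt.Errorf("bad port spec %q (want http:PORT or https:PORT)", spec)
	}
	return Target{Scheme: parts[0], Port: parts[1]}, nil
}

// URLFor builds the URL to probe, leaving the port out when it is the scheme's default.
func URLFor(host string, t Target) string {
	if (t.Scheme == "http" && t.Port == "80") || (t.Scheme == "https" && t.Port == "443") {
		return t.Scheme + "://" + host
	}
	return t.Scheme + "://" + net.JoinHostPort(host, t.Port)
}

// newClient gives up after timeout and does not follow redirects, so a 301 elsewhere still counts.
func newClient(timeout time.Duration) *http.Client {
	tr := &http.Transport{
		DialContext:         (&net.Dialer{Timeout: timeout}).DialContext,
		TLSHandshakeTimeout: timeout,
		// Discovery only: a certificate error is not treated as "not alive" here.
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}
	return &http.Client{Transport: tr, Timeout: timeout,
		CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }}
}

// Probe tries every target on host and returns the URLs that answered, in target order.
func Probe(host string, targets []Target, timeout time.Duration) []string {
	client := newClient(timeout)
	var alive []string
	for _, t := range targets {
		u := URLFor(host, t)
		resp, err := client.Get(u) // any response, even a 4xx/5xx, means the port is live
		if err != nil {
			continue
		}
		resp.Body.Close()
		alive = append(alive, u)
	}
	return alive
}

// multiFlag lets -p be given more than once, as httprobe allows.
type multiFlag []string
func (m *multiFlag) String() string     { return strings.Join(*m, ",") }
func (m *multiFlag) Set(v string) error { *m = append(*m, v); return nil }

func main() {
	// Usage: cat domains.txt | go run probe.go -s -p http:8080 -t 5000
	var extra multiFlag
	skip := flag.Bool("s", false, "skip the default http:80 and https:443 targets")
	timeoutMs := flag.Int("t", 10000, "timeout per request in milliseconds")
	flag.Var(&extra, "p", "additional target as scheme:port (repeatable)")
	flag.Parse()
	var targets []Target
	if !*skip {
		targets = append(targets, DefaultTargets...)
	}
	for _, spec := range extra {
		t, err := ParseTarget(spec)
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		targets = append(targets, t)
	}
	sc := bufio.NewScanner(os.Stdin)
	for sc.Scan() {
		if host := strings.TrimSpace(sc.Text()); host != "" {
			for _, u := range Probe(host, targets, time.Duration(*timeoutMs)*time.Millisecond) {
				fmt.Println(u)
			}
		}
	}
}
```

Pipe it the same way as httprobe, for example assetfinder --subs-only example.com | go run probe.go -s -p http:80. A host counts as alive on any HTTP response, including 4xx and 5xx, and redirects are deliberately not followed so that a port which only answers with a 301 to another host still shows up in the list.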
In this post I will write a bit about assetfinder, which is a quick and awesome tool for finding subdomains. The tool is available on GitHub and was created by Tom Hudson (@tomnomnom on Twitter).
According to the information on GitHub, assetfinder uses the following resources to find subdomains:
2. Download assetfinder by running the following command: go get -u github.com/tomnomnom/assetfinder
3. If you used my guide to install Go you can now find assetfinder at: /root/go-workspace/bin/assetfinder
How to use assetfinder: Navigate to assetfinder and run:
./assetfinder exampledomain.com
If you only want the subdomains you can add --subs-only:
./assetfinder --subs-only exampledomain.com
Save the output to a file: You can also save the output to a file by adding “> filename”:
./assetfinder --subs-only exampledomain.com > domains
The tool is really quick, so it is perfect when you want a fast way to find subdomains for a target company. I really love this tool. <3
Golang (Go) is a programming language that is becoming more and more popular, and I have seen many interesting tools written in Go. Since Go is not installed by default in Kali Linux I thought that publishing a quick-start guide could be a good idea.
Download the latest version for Linux – “gox.xx.x.linux-amd64.tar.gz”
Open your terminal and navigate to your downloads folder:
cd /root/Downloads
Extract the files:
tar -C /usr/local/ -xzf go1.13.6.linux-amd64.tar.gz
Add variables for Go by modifying “~/.bashrc”:
vim ~/.bashrc
Add the following paths to the end of the file:
export GOPATH=/root/go-workspace
export GOROOT=/usr/local/go
export PATH=$PATH:$GOROOT/bin/:$GOPATH/bin
Now we need to reload .bashrc to pick up the updated variables:
source ~/.bashrc
Now we just need to verify that everything is configured correctly, and we can do that by creating a simple ‘hello world’ program in Go:
vim helloworld.go
Add the following code to the file:
package main

import "fmt"

func main() {
	fmt.Printf("Hello world!\n")
}
Then save the file and try to run the program:
go run helloworld.go
If everything was configured correctly you should see something like this:
You are now ready to use Golang on your Kali Linux machine!
Holiday season is coming closer, and I would like to take this opportunity to discuss phishing, since the number of phishing attacks increases a lot during the holiday season. According to Zscaler the number of phishing attacks increased by 400% from October to November this year as Black Friday and Cyber Monday came closer.
Phishing, which is a type of social engineering, is based on exploiting people’s feelings. During shopping holidays like Black Friday and Cyber Monday, but also during Christmas, people are more vulnerable, and phishing campaigns are designed around the holiday. During shopping holidays it is very common to see emails or texts that contain:
Fake Amazon Gift Cards.
Fake login portals to Paypal and other payment sites.
Scams related to other shopping or shipment companies like PostNord or DHL.
During other holidays like Christmas and Easter it’s more common to see greetings with bad URLs included. It can for example be a Merry Christmas email with a link to a malicious site. It is also common with emails where the sender wishes you a merry Christmas and tells you that they have donated money to charity and that you can click on the link to read more. When people get these kinds of emails and like what they read they have already lowered their guard, and it’s much more likely they will click on an unknown malicious link.
It’s crucial to always be vigilant and know how to distinguish phishing emails from legitimate ones, especially since 94% of all malware is delivered via email according to Verizon. I came across a poster from LogRhythm a few years ago with a top-ten list of how to spot and handle a phishing email, and it’s still valid.
I recommend you keep these tips in mind when you get an email and always keep your guard up when it comes to emails.
Have you just created your first Azure VM and are looking for a good, secure way to connect to your new machine without exposing more than necessary to the internet? Maybe you just want to run a few machines and don’t want to spend money on firewalls to configure a VPN to your Azure Virtual Network (VNET)?
In this post I will explain a method that can be used to connect to your machine securely without any cost. After reading this post you will know how to set up an SSH tunnel to your machine so you only need to expose TCP port 22 to the internet. I will also show you how to limit access to that port by configuring a Network Security Group (NSG) in Microsoft Azure to only allow your own IP to connect. You will connect to the VM using PuTTY and either Google Chrome or Mozilla Firefox. We start off by configuring the NSG in Azure.
Configuring the NSG in Azure: The first thing we need to do is allow you to SSH to your machine, and we do that by configuring the NSG. You want to modify the inbound security rule named ‘default-allow-ssh’, and you do that by clicking on ‘Inbound security rules’ in the left menu.
You should now add your public IP to the rule to allow you to connect from your home network. You probably know how to get your public IP, but if you don’t, one simple way is to visit https://ipinfo.io and copy the address from there.
When you have the IP ready, click on the ‘default-allow-ssh’ rule to expand it, then add your IP to ‘Source IP addresses/CIDR ranges’ and press ‘Save’.
The Azure configuration is now done. Let’s move on to the PuTTY configuration.
Configuring PuTTY: If you don’t have PuTTY installed you can download it from the official website and install it. After you have installed the software, the first step is to run PuTTY, add the public IP of your Azure VM and select SSH, port 22.
Then navigate to SSH and check ‘Don’t start a shell or command at all’.
Move on by expanding SSH (+) and go to Tunnels. Add a forwarded port by entering a ‘Source port’; in this example we use port 1080. Select ‘Dynamic’ as the destination type and press ‘Add’. You should now see ‘D1080’ in the list above.
If you don’t want to configure these settings every time you use the tunnel you can save the session. That is done by going back to ‘Session’, entering a name and pressing ‘Save’.
Now the tunnel is ready and we just need to start it. Click on ‘Open’, enter your SSH credentials and press Enter, and the tunnel should be up and running.
Verify that the tunnel works: You will probably want to make sure the tunnel works as expected, and we can verify that by configuring a simple HTTP server on the VM. In this example CentOS 7 was used, but it can be done on most machines.
Step one is to open another PuTTY window and connect to your VM via SSH. Navigate to your home folder (cd /home), create a directory (mkdir testfolder), cd into that folder and create a test file (touch text.txt). Then run the following command to start a Python 2 based HTTP server on port 80 (with Python 3 the equivalent is sudo python3 -m http.server 80):
sudo python -m SimpleHTTPServer 80
Your server will now listen for incoming connections on port 80. But since you don’t allow any connections to port 80 in the NSG you won’t be able to reach port 80 directly. We need to send our HTTP traffic through the SSH tunnel to reach it, and we do that by configuring proxy settings in our web browser. This can be done in most common browsers, and I will show you how to do it in Firefox and Chrome.
Chrome: To configure a proxy for Chrome you right-click on Chrome in the task bar and select ‘Properties’. You then need to add some run parameters.
Today I will continue writing about tools that you can use to generate wordlists. This time we will take a look at crunch.
Background and functionality: crunch is another great tool that can be used to create wordlists. The tool was initially released in 2004 and the author is bofh28 according to tools.kali.org.
You use the tool to generate wordlists based on the charset you specify.
How to get started with crunch: crunch comes pre-installed with Kali; to make sure you have it, open the terminal and run crunch.
If you start off by running the tool with only the required parameters (minimum and maximum length) you get all possible words using the default characters. So if you for example run “crunch 8 8” you get all words that are eight characters long.
You can also specify which characters you want to use for your wordlist.
In the example above you can see that we specified all words between 5 and 6 characters long that use the following characters: abcd123.
-o With the -o parameter you can choose where the output should be saved. Example: crunch 8 8 -o wordlist.txt
-b With the -b parameter you can specify how big the wordlist files may be. In the example below I first created a wordlist of ~2 kB. When I use the -b parameter to define that each file can only be 1 kB, you see that three files were created instead and none of them were bigger than 1 kB.
-i With the -i parameter you can invert the order of the words. If you run crunch 3 3 without the -i parameter you get a file that starts with
aaa
aab
aac
If you use -i you will instead get the following result:
-t The -t parameter is one of my favourites. If you know that a password follows a particular pattern you can use the -t parameter to specify that pattern, which reduces the number of words in your list significantly and makes your wordlist more efficient.
A typical use case is that you have learned that many users at your target company create passwords based on the current season, for example Summer2019!. You can then create a wordlist based on that structure.
You can use the following characters to build your patterns:
@ will insert lower case characters
, will insert upper case characters
% will insert numbers
^ will insert symbols
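To make the -t placeholders concrete, here is an added Go example (not part of crunch) that expands a pattern the way the list above describes: @ , % and ^ each stand for a class of characters and every other character is literal. The symbol set used for ^ is an assumption made for this example and is shorter than crunch's own. Count tells you how many words a pattern produces before you generate anything, which is the quickest way to judge whether a pattern is tight enough to be useful, and the invert flag reproduces the ordering change that -i makes (aaa, baa, caa ... instead of aaa, aab, aac ...).

```go
package main

import (
	"fmt"
	"os"
)

// classes maps each -t placeholder to the characters it stands for. The
// symbol set for ^ is an assumption for this example, not crunch's default set.
var classes = map[rune]string{
	'@': "abcdefghijklmnopqrstuvwxyz",
	',': "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
	'%': "0123456789",
	'^': "!@#$%&*",
}

// slots converts a pattern into, per position, the runes that may appear there:
// the whole class for a placeholder, or just the literal character itself.
func slots(pattern string) [][]rune {
	var s [][]rune
	for _, r := range pattern {
		if c, ok := classes[r]; ok {
			s = append(s, []rune(c))
		} else {
			s = append(s, []rune{r})
		}
	}
	return s
}

// Count returns how many words a pattern expands to: the product of the class sizes.
func Count(pattern string) int {
	n := 1
	for _, s := range slots(pattern) {
		n *= len(s)
	}
	return n
}

// Expand generates every word matching pattern. By default the rightmost
// placeholder changes fastest, giving aaa, aab, aac, ... for "@@@"; with
// invert set the leftmost changes fastest (aaa, baa, caa, ...), which is
// the ordering crunch's -i option produces.
func Expand(pattern string, invert bool) []string {
	s := slots(pattern)
	order := make([]int, len(s)) // positions from outermost to innermost loop
	for i := range order {
		if invert {
			order[i] = len(s) - 1 - i
		} else {
			order[i] = i
		}
	}
	out := make([]string, 0, Count(pattern))
	buf := make([]rune, len(s))
	var rec func(k int)
	rec = func(k int) {
		if k == len(order) {
			out = append(out, string(buf))
			return
		}
		pos := order[k]
		for _, r := range s[pos] {
			buf[pos] = r
			rec(k + 1)
		}
	}
	rec(0)
	return out
}

func main() {
	// Usage: go run patterns.go 'Summer%%%%^'
	// Prints the word count to stderr and the words to stdout, the same idea
	// as: crunch 11 11 -t Summer%%%%^  (crunch needs min/max to equal the pattern length)
	if len(os.Args) < 2 {
		fmt.Fprintln(os.Stderr, "usage: patterns PATTERN")
		os.Exit(2)
	}
	fmt.Fprintf(os.Stderr, "%d words\n", Count(os.Args[1]))
	for _, w := range Expand(os.Args[1], false) {
		fmt.Println(w)
	}
}
```

Running Count on "Summer%%%%^" before generating shows why patterns pay off: with seven symbols it is 70,000 candidates, against 26^11 for an unconstrained eleven-character lowercase list.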
-z You can also use the -z parameter to compress the output into an archive file. You can choose between gzip, bzip2, lzma and 7z. gzip is fastest but the compression is minimal, while 7z is slowest with the best compression.
That was everything for this time. Please contact me if you feel like I missed something or if you want to share any special tips and tricks for Crunch.
This is the first blog post in my series where I will go through all built-in Kali Linux tools. I will write about how the tools work and give you examples of when to use them. This will be an excellent way for me to learn the tools in depth, and hopefully it can come in handy for some of you. I won’t get much enjoyment from writing about them one by one from top to bottom, since that would be boring. The first tool I will write about is from section 05 - Password Attacks, and the tool I have chosen to start with is CeWL.
Background and functionality: CeWL is a tool created by Robin Wood and is used for creating custom word lists based on the text of a target website. It can come in handy if you are doing a pen test, haven’t been successful with your usual word lists and want to create one that is more customized for the target company.
CeWL is built in Ruby, and the main idea is that the program spiders the specified URL according to the configuration and returns a list of words that were found on that site. These custom word lists can later be used when trying to crack passwords with the other available tools. In a later post I will show you how that is done.
How to get started with CeWL: So how do you use CeWL? It’s pretty easy and straightforward, and you get the most information from the manual, which you get by running “man cewl”. I will go through some of the most common options that you can configure, and these are:
-w
-d
-m
--with-numbers
-c
-e
-w Define where the word list should be saved. Example: customwordlist.txt
-d Define the depth the scan should spider. The default value is 2, which means that it will go to all links that are presented on the defined URL and collect words from them as well.
-m Define the minimum length of a word. No words with fewer characters than this will be saved.
So let’s try it and see how it works in practice. For this example I will just use a website that I know includes many words, and which site is better than Wikipedia? I’ve set the parameters to depth = 1 and minimum word length = 10.
It can take some time if you spider through many pages, but with a configuration like mine it is very quick, and in this example I got 1895 useful words.
--with-numbers Accept words that include numbers as well, like the word below: “Riteshkumar1256”.
-c – counts the number of entries. If you add the -c parameter the tool will also count how many times each word was found on the site. You can use that for many purposes; one example is that you can easily find out which words the company likes to mention, and those might be something users use in their passwords.
-e – includes email addresses. You can also save all email addresses found on the website to a file, which is perfect for recon and helps you find mailboxes at the target company. If you also include --email_file you can specify where you want to save the email addresses.
That was everything for this time. Please contact me if you feel like I missed something or if you want to share any special tips and tricks for using CeWL.
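The options above are easier to understand with a small working model of what CeWL does to one page. The Go program below is an added example, not CeWL's code (CeWL is written in Ruby): it takes a constructed HTML page, strips the tags, and implements -m (minimum length), --with-numbers, -c (counting) and -e (e-mail extraction). Spidering linked pages (-d) is left out, and the exact tokenizing rules, such as dropping e-mail addresses before counting words so their parts do not leak into the list, are this example's own rather than CeWL's.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

var (
	tagRe   = regexp.MustCompile(`<[^>]*>`)
	emailRe = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)
	tokenRe = regexp.MustCompile(`[A-Za-z0-9]+`)
	digitRe = regexp.MustCompile(`[0-9]`)
)

// sampleHTML is a constructed page standing in for a target site.
const sampleHTML = `<html><head><title>Example Corp careers</title></head><body>
<h1>Welcome to Example Corp</h1>
<p>Example Corp builds widgets. Contact <a href="mailto:jobs@example.com">jobs@example.com</a> or sales@example.com.</p>
<p>Our mascot is Riteshkumar1256, our motto is "widgets4life" and our year is 2019.</p>
</body></html>`

// Emails returns every distinct address on the page, sorted. It scans the raw
// HTML so that addresses that only appear inside mailto: links are kept too (-e).
func Emails(html string) []string {
	seen := map[string]bool{}
	for _, e := range emailRe.FindAllString(html, -1) {
		seen[e] = true
	}
	out := make([]string, 0, len(seen))
	for e := range seen {
		out = append(out, e)
	}
	sort.Strings(out)
	return out
}

// Words counts the words in the page's visible text, keeping those at least
// minLen characters long (-m). Tokens containing digits are dropped unless
// withNumbers is set (--with-numbers). E-mail addresses are removed first so
// "jobs", "example" and "com" do not show up as words.
func Words(html string, minLen int, withNumbers bool) map[string]int {
	text := tagRe.ReplaceAllString(html, " ")
	text = emailRe.ReplaceAllString(text, " ")
	counts := map[string]int{}
	for _, tok := range tokenRe.FindAllString(text, -1) {
		if len(tok) < minLen {
			continue
		}
		if !withNumbers && digitRe.MatchString(tok) {
			continue
		}
		counts[tok]++
	}
	return counts
}

// Ranked orders words by how often they occurred, most frequent first (-c),
// breaking ties alphabetically so the output is stable.
func Ranked(counts map[string]int) []string {
	words := make([]string, 0, len(counts))
	for w := range counts {
		words = append(words, w)
	}
	sort.Slice(words, func(i, j int) bool {
		if counts[words[i]] != counts[words[j]] {
			return counts[words[i]] > counts[words[j]]
		}
		return words[i] < words[j]
	})
	return words
}

func main() {
	// Equivalent in spirit to: cewl -d 0 -m 5 --with-numbers -c -e <url>
	counts := Words(sampleHTML, 5, true)
	for _, w := range Ranked(counts) {
		fmt.Printf("%s, %d\n", w, counts[w]) // word followed by its count
	}
	fmt.Println("emails:", strings.Join(Emails(sampleHTML), ", "))
}
```

With the sample page, a minimum length of 5 and numbers excluded, the list has eight distinct words with "Example" on top at three occurrences; switching --with-numbers on adds "Riteshkumar1256" and "widgets4life" while "2019" is still dropped for being too short. Both addresses are found even though one of them appears only in the text and the other in a mailto: link as well.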
Last week I attended my first OWASP event, which was held in Gothenburg, Sweden. Before I read about this event I hadn’t heard about SQRL (Secure Quick Reliable Login), but the enthusiastic presentation by the author himself, Steve Gibson, got me hooked. I really like the idea of SQRL as a replacement for usernames and passwords, and hopefully we will see and use this system everywhere in the future.
If you are not familiar with how SQRL works and why it is so good you can now watch the presentation on OWASP GBG’s YouTube channel. It’s better to watch the author talk about it than me trying to explain it, so bring some popcorn and watch it.
This year’s amazing Security Fest has now come to an end. I’ve had two really great days where I learned a lot and got new inspiration and ideas to work with.
Christoffer Jerkeby – Load Balancer with RCE, Hacking F5
My favourite talk from this conference, which I want to write a bit about, was the super interesting talk by Christoffer Jerkeby about remote code execution in F5’s load balancer, BIG-IP. BIG-IP has a feature in the Local Traffic Manager called iRules which can be used to manage network traffic. The language used for defining these iRules is a fork of Tcl 8.4.
This language has a few flaws that are not well known, and they are related to how the language expands variables and options. If the iRules are not written correctly, which in many cases they aren’t because of the lack of knowledge of these flaws, the code will not work as expected, to say the least.
Christoffer provided two demos to show how these flaws can be exploited. It can lead to MITM (man-in-the-middle), the ability to set and remove any HTTP header, interception and injection of user traffic for any session, and termination of HTTPS.
Since the flaws are in how the language was built, it’s not something F5 can fix, and no patch will or can be released that mitigates this. This means that the people who configure these load balancers need to analyze their code in depth. It’s not easy to do, but Christoffer shared some great tools that can be used to help with the clean-up process and find out if your code is vulnerable.
You can find the tools and read more about them on GitHub:
If you want to watch the whole presentation you can watch it below. It will be well worth your time:
Various pictures from the conference:
Security Fest has uploaded all the presentations to their YouTube channel, so if you are interested you can watch all presentations from both days there: