Thursday, May 31, 2012

From LM to NTLM passwords in John the Ripper

so you dump some passwords from a machine and you see it contains LM and NTLM hashes. obviously LM is quicker to crack so you go for that one first and it gives you the uppercase plaintext password:
./john --format=lm /root/hashes

which provides the plaintext uppercase password "KITTENBOOTIES". Great, now we need the real password, the one with upper/lower cases. we do this easily by supplying the "KITTENBOOTIES" password as the wordlist (with mangling) to john again. so do this:
echo KITTENBOOTIES > wordlist1
./john -rules --format=nt /root/hashes --wordlist=wordlist1
This will output the proper password of "kiTTenBooTiES"


Tuesday, May 29, 2012

shut bonjour up

Bonjour makes a lot of annoying noise from a mac when you are trying to do some traffic analysis. you can help that by disabling bonjour's multicasts with:
sudo defaults write /System/Library/LaunchDaemons/ ProgramArguments -array-add "-NoMulticastAdvertisements"

SANs guide to basics of securing datacenters and their location

Friday, May 18, 2012

Make your bash usage/movement faster and more efficient

Sudo doesnt work with "&&" and various other bash keywords

    Lets say I want to run apt update and upgrade one after another. Typically you do this with:

apt-get update && apt-get upgrade

    Unfortunately, oftentimes you need root permissions to do that. So a person will usually simply type:

sudo apt-get update && apt-get upgrade

    And if you hit enter, "apt-get update" will run successfully and "apt-get upgrade" will fail. This is do to the fact that when you hit enter, bash has to interpret the line you just submitted. And according to the rules of bash, your line was interpreted to mean three things. First run "sudo apt-get update" then if that returns an execution code of 0, then continue to "apt-get upgrade".
    What you want to do is send your WHOLE line to sudo for execution. You do this with the "-s" argument of sudo. so that:

sudo -s 'apt-get update && apt-get upgrade'

Of course my short way is usually simply typing "sudo !!" after i mess up the line, it works just fine.

Thursday, May 17, 2012

Learning to love the man

manpages are awesome. some people tend to think there are only manpages for programs, which is completely not true. take for example "man ascii" or "man hier" which display the ascii tables and an explanation of the purpose of each unix directory respectively. You can discover where the manpages on your system are located by executing 'manpath'. This will output a list of directories in a similar format to  "echo $PATH". Look through the directories to find the 7zipped files containing the manpage data.

I've gotten into the habit of opening each one just out of curiosity. Its actually kind of fun if you have nothing to do.

SSH Inception

I must go deeeeper -_-

I have a box on a network that is only accessible via connecting to multiple SSH boxes in succession. the "-t" option in ssh allows me to go straight through all the boxes using one line:

ssh -t ssh user@homeserver -t ssh user@home-desktop

You literally just chain together as many ssh connections as you'd like. They just pass the arguments on and on. If you alias that to something like:

et-phone-home="ssh -t ssh user@homeserver -t ssh user@home-desktop"

then you should be all set.

Thursday, May 10, 2012

Supplying a file to metasploit rhosts

Apparently lots of people dont know you can do this... I will often parse things like FTP hosts into a file and then supply that file as the value of the RHOSTS option in metasploit. This makes it much easier for me to supply a crap ton of hosts without actually typing much of anything.

msfcli auxiliary/scanner/ftp/anonymous RHOSTS=file://root/clients/clientname/nmap/ftphosts E

Apparently it only takes absolute paths unforuntaely, but if your using msfcli instead of msfconsole, why not use bash to your advantage?

msfcli auxiliary/scanner/ftp/anonymous RHOSTS=file://$(pwd)/ftphosts E

That line works great if you're 10 directories deep and are too lazy to type.

I noticed I didn't actually talk about msfconsole, in case it wasn't obvious you do "set rhosts file:/root/blah/ftp.hosts" or whatever your file is and it will take it.

Doesnt work if the module only takes on host though :(

Delete conflicts in known_hosts

Often times i will connect to an ssh server in one network and so some work. Later on, I will move somewhere else and connect to some other network and have to ssh in. Incidentily i'm ssh'ing into two different servers that happen to have the same IP (even though they are two completely different networks). I know whats going on here and i'm doing it all on purpose. Unfortunately ssh still likes to freak out that this IP now magically has a new public key. cool story bro, i already knew.

I got sick of every time this happened to have to go into known_hosts and delete that entry. ssh will always tell you the line number that contains the conflicting key, so all i have to do is delete that line from known_hosts and bam. i'm done.  So i came up with this little function to make my life easier:

ssh-del-line() {

    if [[ -z $1 ]]; then

        echo 'Deletes the specified linenumber from ~/.ssh/known_hosts'

        echo 'Usage: ssh-del-line linenumber'


        sed -i "/$1/d" ~/.ssh/known_hosts

    fi; }

Wednesday, May 9, 2012

A better way to expand hosts in a subnet

Before i mentioned that you could expand the hosts in a subnet by using bash brace expansion. While that works fine, if you have a file with 40 different CIDR subnets in them it can be REALLY annoying. In walks nmap.
Nmap has a scan feature called list scan that will output the IPs to be tested. All you need to do is supply it with a range/file-with-ranges and it will output the IPs, one in a line. The output may be a little ugly so i created a quick function to parse out just the IPs
expandrange() {
    if [[ -z $1 ]]; then
        echo 'Expands the subnets/ranges provided in the first argument to output in the second argument (file)'
        echo 'Usage: expandrange range.cidr.txt range.long.txt'
        nmap -sL -n -iL $1 | grep 'Nmap scan' | cut -d ' ' -f 5 > $2
    fi; }

Tuesday, May 8, 2012

Cisco VPN - Fix for Error 51: Unable to communicate with the VPN subsystem

sudo kextload /System/Library/Extensions/CiscoVPN.kext

CLI Twitter and Oauth

Since twitter no longer allows the "basic" authentication mechanism for posting tweets, it has moved over to a much more secure alternative: OpenAuth

Before it was as easy as creating a cURL line to post the contents to the twitter api. Things have gotten more complicated since then. I could describe everything, but someone else has already done a fine job of the walk-through: