Screenshots and Default Passwords with EyeWitness

EyeWitness

“EyeWitness is designed to take screenshots of websites, RDP services, and open VNC servers, provide some server header info, and identify default credentials if possible.”

https://tools.kali.org/information-gathering/eyewitness

Assumptions:

You’re using Kali Linux

Downloads:

https://github.com/FortyNorthSecurity/EyeWitness

Setup

root@kali:/opt# git clone https://github.com/FortyNorthSecurity/EyeWitness.git
root@kali:/opt# cd EyeWitness/setup
root@kali:/opt/EyeWitness/setup# ./setup.sh

Newer releases of the repository keep the Python version under the Python/ directory (Python/EyeWitness.py and Python/setup/setup.sh) and run under python3, so adjust the paths in the commands below to match the checkout you have.

Using a file with hosts (-f)

root@kali:/PATH/TO/HOSTSFILE# python /opt/EyeWitness/EyeWitness.py -f hosts.txt --web

Using an nmap XML file (-x)

root@kali:/PATH/TO/NMAP/SCANS# python /opt/EyeWitness/EyeWitness.py -x nmapscan.xml --web

If you want EyeWitness to try additional HTTP or HTTPS ports beyond the ones it recognises by default, pass them as comma-separated lists (no spaces) with the following flags:

--add-http-ports 9000,9001 --add-https-ports 9002,9003
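Deciding which ports to add is easier with the scan data in front of you. The helper below is an added example, not part of the original post or of EyeWitness: it lists the open TCP ports in an nmap XML file whose service name does not contain "http", which is the set to look through for web servers nmap did not recognise (the assumption being that ports nmap already labelled http/https are picked up by -x on their own). The nmap XML is constructed for the example; real nmap output writes each port element on one line in the same way.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or from EyeWitness): find open
# TCP ports that nmap did not label as a web service, as candidates for
# --add-http-ports / --add-https-ports.
set -u

# Constructed nmap XML standing in for nmapscan.xml.
sample_nmap_xml() {
cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap">
<host><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="http" method="probed" conf="10"/></port>
<port protocol="tcp" portid="9000"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="cslistener" method="table" conf="3"/></port>
<port protocol="tcp" portid="9002"><state state="filtered" reason="no-response" reason_ttl="0"/><service name="dynamid" method="table" conf="3"/></port>
<port protocol="tcp" portid="9003"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="http-alt" tunnel="ssl" method="probed" conf="10"/></port>
</ports></host>
</nmaprun>
EOF
}

# Print "port service" for every open TCP port whose service name does not
# contain "http". Ports with no <service> element are reported as "unknown".
# $1 = nmap XML file
unlabelled_open_ports() {
  awk '
    /<port protocol="tcp" portid="[0-9]+"><state state="open"/ {
      match($0, /portid="[0-9]+"/)
      port = substr($0, RSTART + 8, RLENGTH - 9)      # strip portid=" and the closing quote
      svc = "unknown"
      if (match($0, /<service name="[^"]*"/))
        svc = substr($0, RSTART + 15, RLENGTH - 16)   # strip <service name=" and the closing quote
      if (svc !~ /http/) print port, svc
    }' "$1" | sort -un
}

# Join the port column into the comma-separated form the EyeWitness flags expect.
ports_csv() { awk '{ print $1 }' | paste -sd, - ; }

main() {
  f=$(mktemp)
  sample_nmap_xml > "$f"
  echo "Open ports nmap did not call a web service:"
  unlabelled_open_ports "$f"
  # Review the list first: 22/ssh is obviously not a web server, 9000 might be.
  echo "Candidate flag: --add-http-ports $(unlabelled_open_ports "$f" | ports_csv)"
  rm -f "$f"
}

[ "${1:-}" = "run" ] && main
```

Run it as `bash script.sh run`; for a real scan, replace the sample function with the path to your nmapscan.xml and prune the list by hand before handing it to EyeWitness.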

Extra!

You can perform an active scan, which searches common locations for login forms and attempts common default credentials against those web applications. Because it actually submits credentials to the targets (and can trip lockout policies or alerting), only use it where the engagement scope allows active testing.

--active-scan

Example Output

Performing a Quick Password Audit on NTDS.dit

Assumptions

You’re using the latest Kali OS.
You can reach the Domain Controller over the network.
You have a Domain Admin account (or one that holds the directory replication rights, since the method used below pulls the hashes through AD replication rather than copying the file).

What is the NTDS.dit?

“The Ntds.dit file is a database that stores Active Directory data, including information about user objects, groups, and group membership. It includes the password hashes for all users in the domain.”

Getting a copy of the NTDS.dit

There are many different tools for getting a copy of the Ntds.dit file and extracting hashes from it, but this post covers only one. Others worth looking at include VSSAdmin (shadow copy, then grab the file and the SYSTEM hive) and NinjaCopy.

Impacket

In this blog, I’ll be using Impacket’s secretsdump.py.

If you’re not using Kali, you can install Impacket on Linux with pip:

pip install pyasn1
pip install impacket

Then to dump the password hashes, you can use the following syntax (on Kali the packaged script is called impacket-secretsdump):

secretsdump.py -just-dc-ntlm <DOMAIN>/<USER>@<DOMAINCONTROLLER> >> ntds.txt

It will ask you for the password for that user, and -just-dc-ntlm limits the dump to the NTLM hashes from the DC (pulled via DRSUAPI replication). The redirect appends the output to ntds.txt; note that secretsdump’s status lines (the ones starting with [*]) land in the same file, so strip them before feeding the file to a cracker, or use the -outputfile option instead of a redirect.

John The Ripper

You can crack the hashes using wordlists:

john --wordlist=/PATH/TO/WORDLIST /PATH/TO/HASHFILE --pot=FILENAME.pot

John may not detect the hash type on its own, so include the format with --format=NT for the NT hashes in secretsdump output. Cracked passwords go to the pot file; list them afterwards with john --show --pot=FILENAME.pot /PATH/TO/HASHFILE.

Wordlists

Here are some good places to get wordlists:

https://hashes.org (LinkedIn Breach, HIBP, etc).

https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm

https://github.com/danielmiessler/SecLists/tree/master/Passwords

Writing A Penetration Test Report

Penetration testing can be fun. You get to PWN all the things. You get to solve puzzles. But when it is all done, it’s time to write the report for the client.

If you’ve never written a penetration test report, this post is for you. For it, I exploited some of the vulnerabilities in Metasploitable 2 and wrote up a sample penetration test report.

The sample report: http://gameofpwnz.com/uploads/documents/Metasploitable_Report.docx

Here are some things to make sure you include:

  • Executive Summary (Keep in mind who your audience is)
  • Scope (This should have been determined during pre-engagement)
  • Methods (What is your penetration methodology or formula?)
  • Risk Rating (A risk rating is important in determining which risks need to be mitigated and which could possibly be accepted)
  • Impact (What happens if an attacker exploits the vulnerability?)
  • Remediation (Exploitation is fun, but we need to help the blue team know what the corrective actions would be to mitigate the issue)

Screenshots and steps to reproduce are great for showing the client how you were able to exploit the vulnerability. It also allows the client to check their fixes when they try to reproduce.

This report template is not the actual report template I use in penetration testing, but it’s something I’m willing to share. Feel free to use it. Also, feel free to leave comments about what else you think should be added or any other recommendations.


Dislocker USB with Bitlocker (LAB)

This lab will take you through using Dislocker to view data on a USB disk image that has Bitlocker encryption.  The password for Bitlocker will be provided.


Real life use: Hard drive with Bitlocker fails to boot.  You need to recover data from it.


Bitlocker USB DD image: https://drive.google.com/a/gameofpwnz.com/file/d/0B3KtykBk15nNamdMSVpYaXRPRlU/view?usp=sharing

MD5 Checksum: 90860ff85a78f1421e6f26f44c10b8ae (verify the download with md5sum before you start, so a corrupt image is not mistaken for a Bitlocker problem)

In Kali, you can attach the image as a loop device with the command below. --partscan makes the kernel expose the partitions inside the image and --show prints the device it picked (for example /dev/loop0), so the Bitlocker volume then appears as /dev/loop0p1 and that is the device to give to dislocker 🙂 :

losetup --partscan --find --show encrypted.001

The Bitlocker Password is password

Use this Procedure: https://gameofpwnz.com/dislocker-recovering-data-from-drive-with-bitlocker-requires-bitlocker-recovery-key-or-password/

The procedure can be altered slightly for this lab.  I used a Kali Linux Virtual Machine instead of a live USB to complete this lab.  In this lab, I use the password rather than the recovery key.  Notice the slight difference in the command when using each.


Lab created by @GameOfPWNZ

Dislocker: Recovering Data from Drive with Bitlocker – Requires Bitlocker Recovery Key or Password

This procedure is for recovering data from a disk drive with Microsoft Bitlocker Full Disk Encryption when the drive no longer boots.

Also, a lab for practicing this procedure will be provided here: https://gameofpwnz.com/dislockerlab/

Required tools


Procedures

  1. Make sure the hard drive with Bitlocker is connected. If you never removed it, then you’re good.
  2. Boot from Kali Linux Live USB or CD/DVD.
  3. Update:
    apt-get update
  4. Install git and dependencies:
    apt-get install git libfuse-dev libmbedtls-dev cmake
  5. Git clone Dislocker (GitHub no longer serves the unauthenticated git:// protocol, so clone over https):
    git clone https://github.com/Aorimn/dislocker.git
  6. Change working directory to the dislocker directory:
    cd dislocker
  7. Run cmake in the Dislocker directory:
    cmake .
  8. Make and make install:
    make
    make install
  9. Find the drive with Bitlocker:
    fdisk -l     (should look like /dev/sda# if SATA/SCSI; dislocker wants the Bitlocker partition itself, e.g. /dev/sda2, not the whole disk)
  10. Create directories tmp and dis:
    mkdir /mnt/tmp
    mkdir /mnt/dis
  11. Run Dislocker. Note the “--” between the options and the mount point; it separates dislocker’s own options from the FUSE mount point.
    1. Using Recovery Key:
      dislocker -v -V /dev/(whichever is the one you found in Step 9) -p<Bitlocker Recovery Key> -- /mnt/tmp
      Hopefully you saved your recovery key in Active Directory or somewhere you know. The recovery key is 48 digits in eight groups of six, 55 characters with the hyphens.
    2. Using Bitlocker Password:
      dislocker -v -V /dev/(whichever is the one you found in Step 9) -u<Bitlocker Password> -- /mnt/tmp
    If you leave the value off -p or -u, dislocker prompts for it instead of keeping it in your shell history.
  12. Check if it worked:
    ls /mnt/tmp     (You should see a dislocker-file. If so, then it worked.)
  13. Mount the volume read-only, so that the recovery itself cannot write to an already damaged file system:
    mount -o loop,ro /mnt/tmp/dislocker-file /mnt/dis
  14. Change working directory to the volume:
    cd /mnt/dis
  15. List out the directory contents:
    ls
  16. Backup files:
    To make this easier, open up the GUI file explorer window (2x). In one, open the USB drive. In the 2nd, open up /mnt/dis. Then copy the files that you need to the USB.
  17. Profit
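The same steps 9 through 13, wrapped as an added example (this is not the post’s own script and not part of dislocker) with the checks worth having before touching a failing drive: the target must be a block device, a recovery key is checked against the recovery password format before it is used (eight groups of six digits, each group divisible by 11 and group/11 below 65536, which is the per-group check BitLocker recovery passwords satisfy, so a typo is caught before dislocker tries it), and dislocker-file must exist before the read-only mount is attempted. The directories /mnt/tmp and /mnt/dis are the ones from step 10; the device and secret are whatever you pass in. Only the key check can run without root and a real volume, so that is the part exercised below.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or from dislocker): wrap steps 9-13
# of the recovery procedure with the checks a practitioner wants.
set -u

# A BitLocker recovery password is 8 groups of 6 digits (55 chars with hyphens).
# Each group is also divisible by 11 and group/11 fits in 16 bits; a typo
# almost always breaks one of these, so reject the key before using it.
valid_recovery_key() {
  printf '%s\n' "$1" | grep -Eq '^[0-9]{6}(-[0-9]{6}){7}$' || return 1
  # awk is used for the arithmetic so groups with leading zeros (000011)
  # are read as decimal rather than octal.
  printf '%s\n' "$1" | awk -F- '{
    for (i = 1; i <= NF; i++) {
      b = $i + 0
      if (b % 11 != 0 || b / 11 > 65535) exit 1
    }
  }'
}

# unlock_bitlocker DEVICE key|pass SECRET
# Needs root, the dislocker binary from steps 5-8, and the partition from step 9.
unlock_bitlocker() {
  dev=$1; method=$2; secret=$3
  tmp=/mnt/tmp; dis=/mnt/dis          # same directories as step 10

  [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 1; }
  if [ "$method" = key ] && ! valid_recovery_key "$secret"; then
    echo "recovery key is malformed; re-check the 48 digits" >&2; return 1
  fi
  mkdir -p "$tmp" "$dis"

  case "$method" in
    key)  dislocker -v -V "$dev" -p"$secret" -- "$tmp" || return 1 ;;
    pass) dislocker -v -V "$dev" -u"$secret" -- "$tmp" || return 1 ;;
    *)    echo "method must be key or pass" >&2; return 1 ;;
  esac

  # Step 12: dislocker only creates dislocker-file when the unlock succeeded.
  [ -f "$tmp/dislocker-file" ] || { echo "no dislocker-file: unlock failed" >&2; return 1; }

  # Step 13: read-only loop mount so the recovery cannot alter the volume.
  mount -o loop,ro "$tmp/dislocker-file" "$dis" || return 1
  ls "$dis"
}

# Usage (as root):
#   unlock_bitlocker /dev/sda2 key 111111-123453-000011-654368-222222-333333-444444-555555
#   unlock_bitlocker /dev/sda2 pass 'password'
```

Passing the secret on the command line puts it in your shell history and in the process list; for a real recovery, prefer leaving the value off so dislocker prompts for it, or clear the history afterwards.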

If you found this tutorial useful, let me know in the comments 🙂 And make sure to check out the lab 🙂

References


http://www.alexandreviot.net/2015/06/10/active-directory-how-to-display-bitlocker-recovery-key/

https://technet.microsoft.com/en-us/library/dd759200(v=ws.11).aspx

Wireless Shack Doc – CD/DVD

Null-Byte Doc

Kali Doc

https://github.com/Aorimn/dislocker

https://linux.die.net/man/1/dislocker

https://askubuntu.com/questions/617950/use-windows-bitlocker-encrypted-drive-on-ubuntu-14-04-lts