Hashcat examples

Rule based attack

Use a wordlist and the best64 rule set to try to crack a WordPress hash, with rockyou.txt as the wordlist.

-m selects the hash type (400 is phpass, the format WordPress uses) and -r the rule file. -a 0 (straight/wordlist mode) is hashcat's default, so it is not given.

hashcat -m 400 wordpress.hash -r rules/best64.rule wordlist/rockyou.txt

wordpress.hash is a text file containing the password hash. You can list several hashes in the file, one per line, and hashcat will work on all of them in one run.

Example contents of file

bob@localhost:~$ cat wordpress.hash 
$P$BeJ2ZWVgSx/rR8ifcTFyjq1ouCCWwu0
bob@localhost:~$

Brute force

Attempt every 8-digit numeric combination for a WPA2 key. -a 3 selects mask mode and each ?d stands for one decimal digit.

hashcat -m 2500 -a 3 capture.hccapx ?d?d?d?d?d?d?d?d

Mode 2500 (with .hccapx input) is deprecated in current hashcat releases in favour of mode 22000, which takes the hash file hcxpcapngtool produces from the capture; the rest of the command is unchanged.

Hashcat built in Charsets

You can swap out the ?d in the mask above for any of the built-in charsets below (note that ?s begins with the space character). Custom charsets can be defined with -1 to -4, for example -1 ?l?d, and used in the mask as ?1 to ?4.

  ? | Charset
 ===+=========
  l | abcdefghijklmnopqrstuvwxyz
  u | ABCDEFGHIJKLMNOPQRSTUVWXYZ
  d | 0123456789
  h | 0123456789abcdef
  H | 0123456789ABCDEF
  s |  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
  a | ?l?u?d?s
  b | 0x00 - 0xff
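The mask mechanics above, as an added example that is not part of the original page: a Python helper that expands a mask into its per-position character sets and multiplies them out, so the cost of a run is known before hashcat starts. Charset contents are hashcat's documented built-ins; custom charsets (-1 to -4) are handled as well, with overlaps counted once. The 100 kH/s rate in the demo output is a placeholder, not a benchmark.

```python
# Added example (not from the page): estimate how many candidates a hashcat
# mask expands to before you launch it, using the built-in charsets listed in
# the table above. Custom charsets (-1 .. -4) are supported too.
import string

# The built-in charsets, spelled out so overlaps in custom charsets are
# counted once (e.g. -1 ?h?d is 16 characters, not 26).
BUILTIN = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "h": string.digits + "abcdef",
    "H": string.digits + "ABCDEF",
    "s": " " + string.punctuation,             # 33 characters, space included
    "b": bytes(range(256)).decode("latin-1"),  # every byte value 0x00-0xff
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]


def expand_charset(spec, custom=None):
    """Expand a charset specification (a -1..-4 argument, or a single mask
    position) into the set of characters it covers. '??' is a literal '?'."""
    custom = custom or {}
    chars = set()
    i = 0
    while i < len(spec):
        ch = spec[i]
        if ch != "?":
            chars.add(ch)
            i += 1
            continue
        if i + 1 >= len(spec):
            raise ValueError("dangling '?' at end of %r" % spec)
        sel = spec[i + 1]
        if sel == "?":
            chars.add("?")
        elif sel in BUILTIN:
            chars.update(BUILTIN[sel])
        elif sel in custom:
            # a custom charset may itself only reference built-ins
            chars.update(expand_charset(custom[sel]))
        else:
            raise ValueError("unknown charset ?%s" % sel)
        i += 2
    return chars


def mask_positions(mask, custom=None):
    """Split a mask into its positions, one character set per position."""
    custom = custom or {}
    positions = []
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            if i + 1 >= len(mask):
                raise ValueError("dangling '?' at end of mask")
            positions.append(expand_charset(mask[i:i + 2], custom))
            i += 2
        else:
            positions.append({mask[i]})   # a literal character
            i += 1
    return positions


def mask_keyspace(mask, custom=None):
    """Number of candidates hashcat will try for `mask`."""
    total = 1
    for pos in mask_positions(mask, custom):
        total *= len(pos)
    return total


def estimate_seconds(keyspace, hashes_per_second):
    """Worst-case run time at a given rate (take the rate from hashcat's -b
    benchmark or from the Speed line of a running job)."""
    return keyspace / hashes_per_second


if __name__ == "__main__":
    # 1e5 H/s below is a placeholder rate, not a measured benchmark
    for m, c in [("?d?d?d?d?d?d?d?d", None), ("?u?l?l?l?d?d", None),
                 ("?1?1?1?1?1?1", {"1": "?l?d"}), ("?a?a?a?a?a?a?a?a", None)]:
        ks = mask_keyspace(m, c)
        print("%-20s %20d candidates, %12.1f h at 100 kH/s"
              % (m, ks, estimate_seconds(ks, 1e5) / 3600))
```

The eight-digit mask from the WPA2 command is only 10^8 candidates, while ?a?a?a?a?a?a?a?a is 95^8; dividing by the rate hashcat reports for the hash type tells you which of the two is realistic before you commit a GPU to it.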

More information
https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2
Rule based attacks are recommended
https://hashcat.net/wiki/doku.php?id=rule_based_attack

Check if Mikrotik is an Open DNS Resolver

https://www.openresolver.com

You can test whether a router is acting as an open DNS resolver by running the following command from a Linux terminal. If dig is not installed, it comes in the dnsutils package on Debian/Ubuntu and in bind-utils on RPM-based distributions (CentOS/Fedora).

Replace 192.168.88.1 with the host you want to test against.

dig +short test.openresolver.com TXT @192.168.88.1

If you receive the following

"open-resolver-detected"

the router is acting as an open resolver: it recursed out to the Internet on your behalf and handed back the TXT record.

If you get

;; connection timed out; no servers could be reached

the router dropped the query, so it cannot be used to resolve DNS from where you are testing. An empty reply (which is what +short prints when the router answers with status REFUSED) also means it is not open.

Example run against a MikroTik router with Allow Remote Requests enabled in its DNS settings, and again after adding a firewall rule on the router that drops DNS requests arriving on the WAN interface.

bob@localhost:~$ dig +short test.openresolver.com TXT @192.168.88.1
"open-resolver-detected"
bob@localhost:~$ 
<<-- Put firewall rule on router -->>
bob@localhost:~$ dig +short test.openresolver.com TXT @192.168.88.1
;; connection timed out; no servers could be reached  
bob@localhost:~$ 

Extra notes

If your firewall rules allow your own IP address to use the router for DNS, the test above will report it as an open resolver even though outsiders are blocked. Ideally you would test from a connection outside the network, or use https://www.openresolver.com, which runs the test from the Internet side.
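The probe above wrapped in a script, as an added example that is not from the page: dig's exit status (0 with a reply, 9 when no server answered) and its +short output are turned into a verdict, and the function refuses private-address targets unless told otherwise, because of the false positive described in the extra notes. The dig invocation adds +time and +tries so a dropped query fails fast; the verdict names and the default target are assumptions for the demo.

```python
# Added example (not from the page): a small wrapper around the dig probe
# above that classifies the result and refuses to test from the LAN side,
# where a firewall rule allowing your own address would produce a false
# "open" verdict. Requires the dig binary; the classifier itself needs nothing.
import ipaddress
import subprocess

PROBE_NAME = "test.openresolver.com"
OPEN_MARKER = "open-resolver-detected"   # TXT value returned through an open resolver


def classify_dig(output, returncode):
    """Turn dig's combined output and exit status into a verdict.

    dig exits 0 when it received a reply and 9 when no server answered.
    With +short a REFUSED (or otherwise empty) answer prints nothing at all.
    """
    if OPEN_MARKER in output:
        return "OPEN"            # the router recursed to the Internet for us
    if returncode == 9 or "no servers could be reached" in output:
        return "NO_REPLY"        # dropped or filtered: no resolver reachable
    if returncode == 0 and not output.strip():
        return "REFUSED"         # answered, but would not recurse for us
    return "UNKNOWN"


def is_lan_target(host):
    """True when `host` is a private (RFC 1918 / ULA) or loopback address,
    i.e. we are almost certainly testing from inside the network."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False             # a hostname: cannot tell, let the caller decide
    return addr.is_private or addr.is_loopback


def check_open_resolver(host, timeout=3, allow_lan=False):
    """Run the probe against `host` and return the verdict string."""
    if is_lan_target(host) and not allow_lan:
        raise ValueError("%s is a LAN address; test from outside or pass allow_lan=True" % host)
    cmd = ["dig", "+short", "+time=%d" % timeout, "+tries=1",
           PROBE_NAME, "TXT", "@" + host]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return classify_dig(proc.stdout + proc.stderr, proc.returncode)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.88.1"   # assumed address
    print(target, check_open_resolver(target, allow_lan=True))
```

On RouterOS the step marked "Put firewall rule on router" in the transcript above corresponds to input-chain rules that drop udp and tcp port 53 arriving on the WAN interface, along the lines of `/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop` plus the same rule with protocol=tcp, where ether1 is assumed to be the WAN-facing interface. If nothing on the LAN relies on the router for DNS, turning Allow Remote Requests off altogether is the simpler fix.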

Crack LUKS volume with Hashcat

Install hashcat

apt install hashcat

Find LUKS Volume

bob@localhost:~/$ dmesg
...
[ 1057.776074] sd 0:0:0:0: [sda] Write Protect is off
[ 1057.776074] sd 0:0:0:0: [sda] Mode Sense: 43 00 00 00
[ 1057.776593] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[ 1057.780234]  sda: sda1
[ 1057.783346] sd 0:0:0:0: [sda] Attached SCSI removable disk
bob@localhost:~/$

From the above we see that the drive we just plugged into the system is “sda”, so our path and partition is “/dev/sda1”.

Run hashcat

The following command runs hashcat directly against “/dev/sda1” (change it if the encrypted partition is different), which is why it needs sudo. -a 3 is mask mode and ?d?d?d?d?d?d?d?d brute-forces every 8-digit numeric passphrase. Refer to the following link to learn more about mask attacks.
https://hashcat.net/wiki/doku.php?id=mask_attack

Note: Instead of pointing hashcat at the device you can dump the header with cryptsetup's luksHeaderBackup (the backup includes the keyslot area hashcat needs) and crack that file offline. Mode 14600 handles LUKS1 only; cryptsetup has created LUKS2 headers by default since version 2.1, and luksDump shows which version a partition uses.

sudo hashcat -a 3 -m 14600 /dev/sda1 ?d?d?d?d?d?d?d?d
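Before pointing hashcat at a partition it pays to read the header and confirm it is LUKS1 with a usable keyslot. The parser below is an added example, not code from the page or from hashcat or cryptsetup: it decodes the LUKS1 binary header (magic, version, cipher, mode, hash, key size and the eight keyslot records) and, for a LUKS2 header, reports only the version and label. The sample headers it builds are constructed for the demo. Run it against a luksHeaderBackup file, or against a device node as root.

```python
# Added example (not from the page): read the LUKS header of a partition or of
# a luksHeaderBackup file and tell whether hashcat mode 14600 (LUKS1) applies.
# The field layout follows the LUKS1 on-disk format; the sample headers built
# below are constructed for the demo, not taken from a real drive.
import struct
import sys

LUKS_MAGIC = b"LUKS\xba\xbe"
LUKS1_PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")  # 208-byte fixed part
LUKS1_SLOT = struct.Struct(">II32sII")                     # 48 bytes, 8 slots follow
SLOT_ENABLED = 0x00AC71F3
SLOT_DISABLED = 0x0000DEAD
HEADER_BYTES = LUKS1_PHDR.size + 8 * LUKS1_SLOT.size       # 592


def _cstr(raw):
    """Decode a NUL-padded fixed-width string field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks_header(data):
    """Parse the first HEADER_BYTES of a LUKS device or header backup."""
    if len(data) < HEADER_BYTES:
        raise ValueError("need at least %d bytes, got %d" % (HEADER_BYTES, len(data)))
    if data[:6] != LUKS_MAGIC:
        raise ValueError("no LUKS magic at offset 0: not a LUKS partition?")
    version = struct.unpack_from(">H", data, 6)[0]
    if version == 2:
        # LUKS2: the binary header is small, the rest is a JSON area after it.
        hdr_size = struct.unpack_from(">Q", data, 8)[0]
        return {"version": 2, "hdr_size": hdr_size, "label": _cstr(data[24:72]),
                "hashcat_mode_14600": False}
    if version != 1:
        raise ValueError("unsupported LUKS version %d" % version)
    (_, _, cipher, mode, hashspec, payload_off, key_bytes,
     _digest, _mk_salt, mk_iters, uuid) = LUKS1_PHDR.unpack_from(data, 0)
    slots = []
    for n in range(8):
        active, iters, _slot_salt, km_off, stripes = LUKS1_SLOT.unpack_from(
            data, LUKS1_PHDR.size + n * LUKS1_SLOT.size)
        if active == SLOT_ENABLED:
            slots.append({"slot": n, "iterations": iters,
                          "key_material_offset": km_off, "stripes": stripes})
    return {
        "version": 1,
        "cipher": _cstr(cipher),
        "cipher_mode": _cstr(mode),
        "hash": _cstr(hashspec),
        "key_bits": key_bytes * 8,
        "payload_offset": payload_off,      # in 512-byte sectors
        "mk_digest_iterations": mk_iters,
        "uuid": _cstr(uuid),
        "active_slots": slots,
        # hashcat 14600 needs a LUKS1 header with at least one usable keyslot
        "hashcat_mode_14600": len(slots) > 0,
    }


def read_header(path):
    """Read the header from a device node (needs root) or a backup file."""
    with open(path, "rb") as fh:
        return parse_luks_header(fh.read(HEADER_BYTES))


def build_sample_luks1_header(active=(0,)):
    """Constructed LUKS1 header for the demo (all values are made up)."""
    phdr = LUKS1_PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                           4096, 64, b"\x11" * 20, b"\x22" * 32, 1000,
                           b"00000000-0000-4000-8000-000000000001")
    slots = b""
    for n in range(8):
        if n in active:
            slots += LUKS1_SLOT.pack(SLOT_ENABLED, 250000, b"\x33" * 32, 8 + n * 504, 4000)
        else:
            slots += LUKS1_SLOT.pack(SLOT_DISABLED, 0, b"\0" * 32, 8 + n * 504, 4000)
    return phdr + slots


def build_sample_luks2_header(label=b"backup"):
    """Constructed LUKS2 binary header (only the fields this parser reads)."""
    hdr = LUKS_MAGIC + struct.pack(">HQQ", 2, 16384, 1) + label.ljust(48, b"\0")
    return hdr.ljust(HEADER_BYTES, b"\0")


if __name__ == "__main__":
    src = sys.argv[1] if len(sys.argv) > 1 else None
    info = read_header(src) if src else parse_luks_header(build_sample_luks1_header())
    for key, value in info.items():
        print("%-22s %s" % (key, value))
```

A "version 2" result means the hashcat command above will not accept the partition as-is; a version 1 result with no active slots means there is no keyslot left to attack, however good the mask.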

Create LUKS Encrypted Thumb Drive

Find the thumb drive with lsblk, dmesg, or sudo fdisk -l. In the following examples we are using /dev/sdc1, replace as needed.

sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/sdc1
sudo cryptsetup luksOpen /dev/sdc1 encrypted_usb
sudo mkfs.ext4 /dev/mapper/encrypted_usb

Now we can mount the drive. We are mounting it to /mnt, change if needed.

sudo mount /dev/mapper/encrypted_usb /mnt

When done, unmount it with umount first and then close the mapping before removing the drive; closing while it is still mounted fails with a "device is busy" error.

sudo cryptsetup luksClose /dev/mapper/encrypted_usb

Command Explanation

sudo cryptsetup --verbose --verify-passphrase luksFormat /dev/sdc1

Set up /dev/sdc1 as a LUKS container and set the passphrase when prompted (--verify-passphrase asks for it twice). This overwrites the start of the partition with the LUKS header and keyslots, so whatever was there before becomes unreachable through the filesystem, but it does not scrub the rest of the partition; if the old contents must be gone for good, overwrite the whole drive first (see the dd section below).

sudo cryptsetup luksOpen /dev/sdc1 encrypted_usb

Open the container: cryptsetup asks for the passphrase, unlocks the master key and exposes the decrypted view of the partition as /dev/mapper/encrypted_usb.

sudo mkfs.ext4 /dev/mapper/encrypted_usb

Create an ext4 filesystem on the mapped device from the previous step; everything written through it is encrypted before it reaches /dev/sdc1.

sudo cryptsetup luksClose /dev/mapper/encrypted_usb

Close the mapping (after unmounting) so the key is dropped from memory and the drive can be removed safely.

Extract encrypted Signal backup

https://github.com/xeals/signal-back
More information at the above link

Installation of precompiled binary for Signal-Back

wget https://github.com/xeals/signal-back/releases/download/v0.1.7-alpha.2/signal-back_linux_amd64
chmod +x signal-back_linux_amd64
./signal-back_linux_amd64

Help info

Usage: signal-back_linux_amd64 COMMAND [OPTION…] BACKUPFILE
   --help, -h     show help
   --version, -v  print the version
 Commands: 
   format   Read and format the backup file
   analyse  Information about the backup file
   extract  Retrieve attachments from the backup
   check    Verify that a backup is readable
   help     Shows a list of commands or help for one command

Extract attachments from backup

Replace ~/Desktop/signal…backup with the path to your Signal backup.

./signal-back_linux_amd64 extract ~/Desktop/signal-2019-09-30-01-43-21.backup

It prompts for the backup passphrase, then pulls the attachments out and puts them in the current directory (use -o to choose another output directory).

Export messages to CSV file

The default output format is XML; CSV lets you open the messages in Excel or any spreadsheet.

./signal-back_linux_amd64 format -f CSV --output signal-output.csv ~/Desktop/signal-2019-09-30-01-43-21.backup

Specify password to use

You can use the -p option to specify the passphrase. The 30-digit backup passphrase can be given with or without the spaces Signal shows between each group of five digits. The -P option reads the passphrase from a file instead, which keeps it out of your shell history and the process list.

./signal-back_linux_amd64 extract -p "48294 55709 09123 94563 74662 12800" ~/Desktop/signal-2019-09-30-01-43-21.backup

Other help options

bob@localhost:~/Downloads/signal-back$ ./signal-back_linux_amd64 help format
Usage: signal-back_linux_amd64 format [OPTION…] BACKUPFILE
Parse and transform the backup file into other formats.
Valid formats include: CSV, XML, RAW.
   --format FORMAT, -f FORMAT  output the backup as FORMAT (default: "xml")
   --message TYPE, -m TYPE     format TYPE messages (default: "sms")
   --output FILE, -o FILE      write decrypted format to FILE
   --password PASS, -p PASS    use PASS as password for backup file
   --pwdfile FILE, -P FILE     read password from FILE
   --verbose, -v               enable verbose logging output
bob@localhost:~/Downloads/signal-back$ ./signal-back_linux_amd64 help extract
Usage: signal-back_linux_amd64 extract [OPTION…] BACKUPFILE
Decrypt files embedded in the backup.
   --outdir DIRECTORY, -o DIRECTORY  output attachments to DIRECTORY
   --password PASS, -p PASS          use PASS as password for backup file
   --pwdfile FILE, -P FILE           read password from FILE
   --verbose, -v                     enable verbose logging output
bob@localhost:~/Downloads/signal-back$

Convert Kismet NetXML capture to CSV

First download the following Python script, which we’ll use to convert the Kismet NetXML file. NetXML is the legacy Kismet log format; recent Kismet releases log to a .kismet SQLite database instead and ship kismetdb_to_wiglecsv and related tools for that.

https://github.com/MichaelCaraccio/NetXML-to-CSV

wget https://raw.githubusercontent.com/MichaelCaraccio/NetXML-to-CSV/master/main.py

You should now be able to run the script with.

python main.py 

Help output for NetXML to CSV

bob@localhost:~$ python main.py  
Usage: main.py <NetXML File> <Output File Name> <Filter> (Filter is optional)
bob@localhost:~$

Usage

python main.py Kismet-file-input.netxml Kismet-csv-output.csv

Example of converting file.

bob@localhost:~$ python main.py Kismet-20191023-12-50-42.netxml Kismet-20191023-12-50-42.csv

You can now import the CSV into Google Earth (Google Earth Pro's CSV import expects a latitude and a longitude column, so networks without a GPS fix will not be placed).
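A converter in the spirit of the script above, added here as an example and not taken from the NetXML-to-CSV repository, so the mapping from Kismet's XML to the columns a mapping tool wants (latitude, longitude) is visible. The element names (wireless-network, SSID/essid, BSSID, channel, gps-info with avg-lat/avg-lon and peak-lat/peak-lon) follow Kismet's legacy NetXML output; the embedded document is constructed for the demo, and if your capture uses different tags adjust the lookups. xml.etree is fine for files you captured yourself; for XML from an untrusted source use defusedxml instead.

```python
# Added example (not from the page): a minimal NetXML-to-CSV converter.
# Element names follow Kismet's legacy NetXML output; SAMPLE_NETXML is a
# constructed document, not a real capture.
import csv
import io
import xml.etree.ElementTree as ET

FIELDS = ["bssid", "essid", "cloaked", "type", "channel", "encryption",
          "first_seen", "last_seen", "lat", "lon"]

SAMPLE_NETXML = b"""<?xml version="1.0" encoding="ISO-8859-1"?>
<detection-run kismet-version="2016.07.R1" start-time="Wed Oct 23 12:50:42 2019">
 <wireless-network number="1" type="infrastructure"
   first-time="Wed Oct 23 12:50:44 2019" last-time="Wed Oct 23 12:58:10 2019">
  <SSID first-time="Wed Oct 23 12:50:44 2019" last-time="Wed Oct 23 12:58:10 2019">
   <type>Beacon</type>
   <encryption>WPA+PSK</encryption>
   <encryption>WPA+AES-CCM</encryption>
   <essid cloaked="false">CoffeeShop</essid>
  </SSID>
  <BSSID>00:11:22:33:44:55</BSSID>
  <channel>6</channel>
  <gps-info>
   <min-lat>48.855000</min-lat><min-lon>2.347000</min-lon>
   <max-lat>48.856000</max-lat><max-lon>2.348000</max-lon>
   <peak-lat>48.855600</peak-lat><peak-lon>2.347700</peak-lon>
   <avg-lat>48.855500</avg-lat><avg-lon>2.347500</avg-lon>
  </gps-info>
 </wireless-network>
 <wireless-network number="2" type="infrastructure"
   first-time="Wed Oct 23 12:51:00 2019" last-time="Wed Oct 23 12:51:30 2019">
  <SSID first-time="Wed Oct 23 12:51:00 2019" last-time="Wed Oct 23 12:51:30 2019">
   <type>Beacon</type>
   <encryption>None</encryption>
   <essid cloaked="true"></essid>
  </SSID>
  <BSSID>66:77:88:99:AA:BB</BSSID>
  <channel>11</channel>
 </wireless-network>
</detection-run>
"""


def netxml_to_rows(xml_bytes):
    """Flatten every <wireless-network> into one dict keyed by FIELDS."""
    root = ET.fromstring(xml_bytes)
    rows = []
    for net in root.iter("wireless-network"):
        ssid = net.find("SSID")
        essid_el = ssid.find("essid") if ssid is not None else None
        gps = net.find("gps-info")
        # prefer the averaged fix, fall back to the strongest-signal fix
        lat = lon = ""
        if gps is not None:
            lat = gps.findtext("avg-lat") or gps.findtext("peak-lat") or ""
            lon = gps.findtext("avg-lon") or gps.findtext("peak-lon") or ""
        # several <encryption> elements per SSID; join them into one cell
        enc = []
        if ssid is not None:
            enc = [e.text for e in ssid.iter("encryption") if e.text]
        rows.append({
            "bssid": net.findtext("BSSID", default=""),
            "essid": (essid_el.text or "") if essid_el is not None else "",
            "cloaked": essid_el.get("cloaked", "false") if essid_el is not None else "",
            "type": net.get("type", ""),
            "channel": net.findtext("channel", default=""),
            "encryption": "|".join(enc),
            "first_seen": net.get("first-time", ""),
            "last_seen": net.get("last-time", ""),
            "lat": lat,
            "lon": lon,
        })
    return rows


def rows_to_csv(rows):
    """Render rows as CSV text (write it to a .csv file for Google Earth)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def convert_file(netxml_path, csv_path, only_with_gps=False):
    """File-to-file conversion; drop networks without a GPS fix when the
    CSV is meant for mapping. Returns the number of rows written."""
    with open(netxml_path, "rb") as fh:
        rows = netxml_to_rows(fh.read())
    if only_with_gps:
        rows = [r for r in rows if r["lat"] and r["lon"]]
    with open(csv_path, "w", newline="") as fh:
        fh.write(rows_to_csv(rows))
    return len(rows)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        print(convert_file(sys.argv[1], sys.argv[2]), "networks written")
    else:
        print(rows_to_csv(netxml_to_rows(SAMPLE_NETXML)))
```

Run it as `python3 netxml2csv.py capture.netxml capture.csv`; pass only_with_gps=True from your own code when the output is destined for a map, since rows with empty coordinates are useless there.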

OpenVas set password for user

After installing OpenVAS you may need to create a user. The following command creates the user admin and prints a randomly generated password for it. On current Greenbone installs the manager binary is gvmd rather than openvasmd and takes the same --create-user option; to set a password of your own choosing afterwards, use the manager's --user and --new-password options together.

openvasmd --create-user admin

Example output.

User created with password 'b4539967-c521-fe41-d255-aeb53e735h9a'.

If needed you can delete a user with the following command (gvmd accepts the same option):

openvasmd --delete-user=USERNAME

Secure Erase Hard Drive using DD

The following commands are dangerous! Proceed with caution!

Change /dev/sdX to your drive and double-check it with lsblk first. Make sure you get the correct drive, or you could wipe your main system.

dd if=/dev/zero of=/dev/sdX bs=1M status=progress

The status=progress part shows how much dd has written, which is helpful to gauge how far along it is.

If you want the drive to end up full of random data rather than zeros (so the wipe is indistinguishable from encrypted content, which matters if the drive will later hold a LUKS volume), change zero to urandom. It is slower; on a modern magnetic drive a single pass of either is enough. Use /dev/urandom rather than /dev/random, which can block or crawl on older kernels. Note that overwriting with dd does not reliably sanitise an SSD, whose spare blocks and wear levelling keep copies dd never reaches; use the drive's own secure-erase command for those.

dd if=/dev/urandom of=/dev/sdX bs=1M status=progress

Side note, these commands should also work in macOS, but its BSD dd wants the block size written as bs=1m (lowercase) and you may need to drop the status=progress option.
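The two checks worth scripting around the dd and luksFormat commands on this page, as an added example that is not from the page: a pre-flight test that refuses a target device that is mounted or carries the root filesystem, and a post-wipe read-back that confirms only zeros remain. The /proc/mounts content is constructed for the demo; with no mounts_text argument preflight() reads the live file. Device names and mount points in the sample are assumptions.

```python
# Added example (not from the page): refuse to overwrite a device that is
# mounted or holds the root filesystem, and verify afterwards that a zero
# wipe actually left only zeros. SAMPLE_MOUNTS is constructed for the demo.
import os
import re
import tempfile

SAMPLE_MOUNTS = """\
/dev/nvme0n1p2 / ext4 rw,relatime 0 0
/dev/nvme0n1p1 /boot/efi vfat rw,relatime 0 0
/dev/sdb1 /media/bob/USB vfat rw,nosuid,nodev 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
"""


def _parts_of(device):
    """Regex matching the device itself or any of its partitions
    (/dev/sdb -> /dev/sdb1, /dev/nvme0n1 -> /dev/nvme0n1p2)."""
    return re.compile(r"^%sp?\d*$" % re.escape(device))


def mounted_under(device, mounts_text):
    """(source, mountpoint) pairs from /proc/mounts that live on `device`."""
    pat = _parts_of(device)
    hits = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and pat.match(fields[0]):
            hits.append((fields[0], fields[1]))
    return hits


def root_device(mounts_text):
    """The block device backing '/', or None if it is not listed."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[1] == "/":
            return fields[0]
    return None


def preflight(device, mounts_text=None):
    """Raise RuntimeError unless `device` is safe to overwrite; else True."""
    if mounts_text is None:
        with open("/proc/mounts") as fh:
            mounts_text = fh.read()
    root = root_device(mounts_text)
    if root and _parts_of(device).match(root):
        raise RuntimeError("%s carries the root filesystem (%s)" % (device, root))
    busy = mounted_under(device, mounts_text)
    if busy:
        raise RuntimeError("%s has mounted filesystems: %s" % (device, busy))
    return True


def verify_wiped(path, chunk_size=1 << 20):
    """Read `path` and return (bytes_read, offset_of_first_nonzero_byte);
    the offset is -1 when every byte is zero."""
    total = 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return total, -1
            if any(chunk):
                first = next(i for i, b in enumerate(chunk) if b)
                return total + len(chunk), total + first
            total += len(chunk)


def make_sample_image(size, poison_at=None):
    """Constructed stand-in for a wiped device: a temp file of zeros with an
    optional leftover non-zero byte. Returns the file path."""
    fd, path = tempfile.mkstemp(prefix="wipe-demo-")
    with os.fdopen(fd, "wb") as fh:
        data = bytearray(size)
        if poison_at is not None:
            data[poison_at] = 0x41
        fh.write(data)
    return path


if __name__ == "__main__":
    import sys
    dev = sys.argv[1] if len(sys.argv) > 1 else "/dev/sdc"   # assumed target
    try:
        preflight(dev, SAMPLE_MOUNTS)
        print(dev, "passes pre-flight against the sample mount table")
    except RuntimeError as err:
        print("refusing:", err)
    img = make_sample_image(3 << 20, poison_at=1500000)
    print(img, verify_wiped(img))
    os.unlink(img)
```

Point verify_wiped() at the real device node (as root) once dd has finished; a non-negative offset means the pass did not complete or the drive is remapping sectors, and either way the erase cannot be trusted.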