Category: Miscellaneous

Posted on

Installing JohnTheRipper

Recently I was working on a boot2root called FourAndSix (walkthrough here), and I needed to brute force the password for an encrypted 7z archive. If you haven’t used it, JohnThe Ripper comes with all kinds of tools to pull hashes from various file types into a format the John can work with, a common example being unshadow. In this case, I found that the version of JTR that comes with kali doesn’t contain a lot of those tools, including the 7z one. There is a jumbo version out there that you can install to get access to an increased variety of tools.

I found a pretty good guide for installing this version of John here (or inserted below), and found it so useful that I wanted to save it for future use in Kali installations. So, with all due credit to webpwnized, I’m going to copy the content of his video here for future use. I encourage you to go ahead and watch the actual video if you want to set up the jumbo version of JTR, sometimes it’s better to watch along rather than read along, and he/she deserves the views for his/her work.

Before we can install our new version of JohnTheRipper, we have some prerequisites to work through. First:



apt install build-essential libssl-dev yasm libgmp-dev libpcap-dev libnss3-dev libkrb5-dev pkg-config libopenmpi-dev openmpi-bin zlib1g-dev libbz2-dev

Next, Rexgen prerequisites



apt install flex cmake bison git

Now Rexgen itself



cd /opt

git clone https://github.com/teeshop/rexgen.git

cd rexgen

./install.sh

ldconfig

Now we can download JohnTheRipper:



cd /opt

git clone https://github.com/magnumripper/JohnTheRipper.git

And install it



cd /opt/JohnTheRipper/src/

./configure --enable-mpi

make -s clean && make -sj4

Not only can this version of JTR do more, it’s a great deal faster than the version bundled with Kali. See the video below to see how to compare the two versions, webpwnized was able to get roughly 4 times faster speeds.

Posted on

gpg

First things first, I have no prior experience with GNU Privacy Guard (GPG). I’ve been aware of it, and familiar with its purpose, but I have never actually used it. Time to change that! In carrying out most of this, I followed a guide here

apt update
apt install gnupg

Create a key pair

gpg --gen-key

Choose (1) RSA and RSA, set a keysize, and determine an expiration
Enter your information, and generate the key

gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `/home/user/.gnupg' created
gpg: new configuration file `/home/user/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/user/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/user/.gnupg/secring.gpg' created
gpg: keyring `/home/user/.gnupg/pubring.gpg' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: User Name
Email address: your_email@address.com
Comment: <comment>
You selected this USER-ID:
"User Name (comment) &lt;your_email@address.com&gt;"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.+++++
......+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.....................+++++
....+++++
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key ████████ marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 4096R/4F2220F6 2017-12-06
Key fingerprint = ████ ████ ████ ████ ████ ████ ████ ████ ████ ████
uid User Name (comment) &lt;your_email@address.com&gt;
sub █████/███████ 2017-12-06

Create revocation certificate

gpg --output ~/revocation.crt --gen-revoke your_email@address.com

Select the reason for the revocation (I chose 0)

gpg --output revocation.crt --gen-revoke your_email@address.com
sec █████/████████ 2017-12-06 User Name (comment) &lt;your_email@address.com&gt;

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 0
Enter an optional description; end it with an empty line:
&gt; revocation certificate for your_email@address.com key
&gt;
Reason for revocation: No reason specified
revocation certificate for your_email@address.com key
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "User Name (comment) &lt;your_email@address.com&gt;"
4096-bit RSA key, ID ████████, created 2017-12-06

gpg: gpg-agent is not available in this session
ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!

With that revocation certificate, you can revoke your GPG key if it should become lost or compromised. For this reason, it’s critically important that you protect it just like your private key, otherwise someone could revoke your key without your knowledge.

chmod 600 ~/revocation.crt

A few commands follow:

    • Importing Other Users’ Public Keys
gpg --import name_of_pub_key_file
gpg --keyserver pgp.mit.edu --search-keys search_parameters
    • Fingerprint public key
gpg --fingerprint your_email@address.com
    • Sign the key, telling the software to trust it
gpg --sign-key email@example.com
    • Sending back the signed key
gpg --output ~/signed.key --export --armor email@example.com
    • They can then import it, adding the signature to their database
gpg --import ~/signed.key
    • To retrieve your public key
gpg --output ~/mygpg.key --armor --export your_email@address.com

Now for the good stuff. In order to encrypt messages, do the following:

gpg --encrypt --sign --armor -r person@email.com name_of_file

If you want to be able to read the message (you made it so theoretically you don’t need to do this) then add a second -r recipient
And in order to decrypt messages, it’s pretty simple:

gpg file_name.asc

There’s no point in having a key if other people don’t have your public key. An easy way to enable that is by submitting it to public key repositories, like below. At the time of writing, pgp.mit.edu seemed to be having some issues, so I instead uploaded to keyserver.ubuntu.com. The nice thing is these keyservers exchange their entries with one another, so it’ll make it to a number of places eventually. A solid list of keyservers can be found here.

gpg --list-keys your_email@address.com
pub 4096R/311B1F84 2013-10-04
uid Test User &lt;test.user@address.com&gt;
sub 4096R/8822A56A 2013-10-04

The 311B1F84 portion is your key’s ID

gpg --send-keys --keyserver pgp.mit.edu key_id

Now in the event that your key gets compromised or lost, you can use the revocation certificate that you created previously like so

gpg import revocation.crt
gpg --key-server pgp.mit.edu --send-keys key_id

List of keyservers: link

Now there’s a whole lot more to GPG than what I’ve written, and the link I posted at the beginning of this post is a good primer on a lot of it. My purpose is to get GPG up and running, and I think that that has been achieved!

As a side note, I’ll also mention keybase.io. Their whole deal seems to be lowering the bar to using GPG and simplifying the process of verifying peoples’ online identities. You can use it to encrypt and decrypt messages from a GUI, and can chat with other users while the encryption process happens in the background. They have also recently added a ‘teams’ functionality which seems to be a response to Slack, except since everyone has GPG keys, everything is encrypted. Check it out, and give me a follow while you’re at it.

Posted on

Securing SSH

SSH is probably the best way to interact with the Raspberry Pi, especially if it is a headless machine. As a way in to your machine, it can also present a security hazard and needs to be properly configured.

nano /etc/ssh/sshd_config

And add / change the following

Port RANDOMPORT
PermitRootLogin no
PubKeyAuthentication yes
AuthorizedKeysFile %h/.ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
IgnoreRhosts yes
MaxAuthTries 3
AllowUsers USERNAME

If necessary, create the directory and file for your authorized keys and ensure that only you can read it.

mkdir ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

You can test your configuration with ssh -t. When ready, restart the SSH daemon with service ssh restart. I suggest allowing password authentication until you are certain that your public key works. I also recommend protecting your key with a password. Sure, a password-less key is still more secure than a simple password, but if anyone else gains access to your key then they can access your machine without issue. A password on your key will help to prevent this and allow you to revoke the lost keys (hopefully) before that password can be cracked. And the failed authentication attempts will be a good indicator that the key may have been compromised.

Generate your keys either in BASH or with PuTTYGen (which is what I used), insert the public key into the authorized_keys file (ensuring to use the proper format), and make sure that it works.

Posted on

Raspberry Pi – Connect to Wi-Fi from BASH

Connecting to Wi-Fi from GUI = Very Easy. From BASH, less so. The following steps should get you connected to Wi-Fi. Followed this guide.

wpa_passphrase “SSID” “PASSWORD” >> /etc/wpa_supplicant/wpa_supplicant.conf
wpa_cli -I wlan0 reconfigure

Not sure if last step is necessary. Shouldn’t be, but I also wasn’t able to connect, even after bringing the interface down and up again. Rebooting immediately connected.

reboot now
Posted on

Raspberry Pi – Portknocking with knockd

56 Raspberry Pi – Portknocking with knockd Security through Obscurity is not Security. That being said, obscuring your SSH port via port knocking can be a great way to protect your SSH service from drive-bys and script kiddies. It is no replacement for a proper service configuration, but when paired with a good config can greatly improve your security. Also, it’s just kind of cool; who doesn’t wish they had a secret passage in their home?

Port knocking, at its core, is pretty simple. The daemon listens for connection attempts, and if attempts are made to the correct ports, in the correct order, in the specified amount of time, then it executes a command. Typically the command is to either add or delete a firewall rule. I followed this guide to get it up and running, but it is deprecated, and therefore there were some issues. All of the solutions are contained herein. First, we need to set up our firewall rules per this guide, ensuring that we don’t lock ourselves out of SSH access until we are certain that everything works.

apt install knockd
touch /var/log/knockd.log
nano /etc/knockd.conf
1
2
3
4
5
6
7
8
9
10
11
[options]
    LogFile = /var/log/knockd.log
    interface = wlan0

[SSH]
    sequence = 7303,40303,33528
    tcpflags = syn
    seq_timeout = 15
    start_command = /sbin/iptables -I INPUT 4 -s %IP% -p tcp --dport 22 -j ACCEPT
    cmd_timeout = 10
    stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

Next edit

nano /etc/default/knockd

and change the following line

START_KNOCKD=1

IMPORTANT! This is where we run into some issues. The Debian version of knockd will not start at boot, no matter what you do. In theory, the above modification to /etc/default/knockd should make this happen, but it doesn’t. After countless Google searches, I found a patch in a Debian bug post. The patch follows:

nano /lib/systemd/system/knockd.service

Append the following:

[Install]
WantedBy=multi-user.target
Alias=knockd.service

Finally, run the following and knockd will start at boot

systemctl enable knockd.service

Start knockd and test it out. If you have any issues, you can run the following to try to debug your problems

knockd -D -v
service knockd start

In order to carry out the port knocking, I chose to write a Python script, since I knew that that would work on both my Linux and Windows machines since they all have Python installed. As long as Scapy is installed then it’s good to go. See the script here.

Posted on

Raspberry Pi – iptables for knockd

54 Raspberry Pi – iptables for knockd I’m sure that there are more secure ways to configure iptables, what follows is a basic configuration to get knockd up and running (the guide to which can be found here rel=”noopener” target=”_blank”). All of the below came from following the linked guide at DigitalOcean.

Our iptables configuration will block most traffic, while still allowing local, established, and port 80 connections. Our first rule will allow local traffic which the machine uses to talk to itself

iptables -A INPUT -i lo -j ACCEPT

You’ll notice that the rule is being applied to the INPUT chain, to the lo or loopback interface (where you find local traffic), and has been configured to ACCEPT rather than DENY the traffic.

Next we want to ensure that all established connections and traffic related to them are allowed. I’m a bit hazy on the specifics of what we’re doing in this rule, so I’ll need to look up the particulars later.

iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

This rule is pretty important, because without it we would lose our active SSH connection (which we are presumably using rather than hooking our pi up to a monitor) when we enter our deny all rule. Next, since we have a web service running, we’ll make a rule to ensure that that is accessible.

iptables -A INPUT -p tcp --dport 80 -j ACCEPT

Pretty straight forward stuff. Now that we know that all traffic we want to allow has been accounted for, we will add our final rule. It’s important to note that as we add each of these rules, they get appended to the bottom of that list. When iptables checks the firewall rules to determine whether or not to allow traffic, it starts at the top of the list and works towards the bottom until it finds a rule that tells it what to do. So if traffic doesn’t match any of the above, iptables will check it against our final rule which will tell it to drop the traffic.

iptables -A INPUT -j DROP

Go ahead and view the rules with the following command

iptables -L --line-numbers
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere
2    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
3    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
4    DROP       all  --  anywhere             anywhere

This is a useful way to look at them because each rule is in a more orderly format, and has a line number attached. If you ever wanted to delete a rule or insert one at a specific point in the list, you would need to know which line number you needed. With this command, you can easily determine that. An alternative is

iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP

Unfortunately, iptables has an annoying tendency to flush your rules on shutdown if you don’t make them persistent. We’ll do this by installing iptables-persistent.

apt install iptables-persistent

At this point, I learned that the service that we need to start is no longer iptables-persistent, but netfilter-persistent. That’s what I get for following a deprecated guide. I don’t know if we could avoid installing iptables-persistent and just install netfilter-persistent, which comes with it, but I’m not going to bother trying to figure it out. It works. So now just start the service and we’re good to go, the rules will remain persistent over power cycles.

service netfilter-persistent start

Save the current rules to persistence:

netfilter-persistence save

With that, we’re ready to move on to setting up knockd.

Posted on

Creating WordPress Shortcodes

As I built this site, I found myself wanting to have more and more control over the content of these posts. As someone who started out building websites with notepad.exe, I’m used to having complete, and more importantly, up front control over content. When I learned that I couldn’t simply add php or js to the body of a post, it made some sense from a security standpoint, but I wanted to be able to add my own dynamic content without reverting to other people’s products by default.
I started with the desire to be able to insert today’s date. The end product is currently utilized in the site’s canary at the bottom of our privacy page. It will probably need to be replaced with a month by month update or something similar to appropriately, and legally function, but it was a good exercise for now.

I used two guides to figure out how to do this, located here and here

The first step was to create a child theme. I currently use WordPress’ Twenty Seventeen theme, but if I wanted to create my own functions without worrying about them being deleted on an update, a child is necessary. First we create a folder for the child theme, containing style.css and functions.php files.

mkdir /var/www/html/wp-content/themes/twentyseventeen-child
touch /var/www/html/wp-content/themes/twentyseventeen-child/style.css
touch /var/www/html/wp-content/themes/twentyseventeen-child/functions.php
chown -R www-data:www-data /var/www/html/wp-content/themes/twentyseventeen-child/

Note that the best practice is to name child themes with their parent’s name and -child appended to it. Next we edit style.css to add the requisite theme header to it:

/*
 Theme Name:    Twenty Seventeen Child
 Theme URI:     http://example.com/twenty-seventeen-child/
 Description:   Twenty Seventeen Child Theme
 Author:        CairnSec
 Author URI:    http://example.com
 Template:      twentyseventeen
 Version:       1.0.0
 License:       GNU General Public License v2 or later
 License URI:   http://www.gnu.org/licenses/gpl-2.0.html
 Tags:          test
 Text Domain:   twenty-seventeen-child
*/

Best practice for importing the parent’s style is now to do so in functions.php:

<?php
add_action( 'wp_enqueue_scripts', 'my_theme_enqueue_styles' );
function my_theme_enqueue_styles() {
        wp_enqueue_style( 'parent-style', get_template_directory_uri() . '/style.css' );
}
?>

If we look at themes on our wordpress site, we should now be able to see our child theme available. Activate it (and unfortunately fix several of the customization settings, not sure if there’s a way to carry those over…). We are now ready to write our shortcode. In functions.php, within our tags, create a function:

<?php
...
function getToday( $atts ) {
        return date(get_option('date_format'));
}
...
?>

This function will return today’s date by pulling ‘date_format’ from $atts, that is, it will use the site’s date format. Kind of neat. Last thing is to define the shortcode itself. We have the function that the shortcode will execute now. To define the shortcode:

<?
...
function getToday( $atts ) {
        return date(get_option('date_format'));
}
add_shortcode( 'today', 'getToday');
...
?>

In add_shortcode(), the first parameter is the shortcode itself. It is what we will type in our post in order to execute getToday(). The second parameter is just the name of the function, we’re tying the function to that name.

Now, we should be able to type [[today]] and get today’s date: [today]

Posted on

Raspberry Pi – Set Up LAMP Stack & WordPress

I recently received a Raspberry Pi 3, and I’m an immediate fan. I’ve had a 2 for a while, but having wireless services built into the board makes things so much easier. Pretty much all of my stuff is still packed, so I was a bit limited in terms of what projects I could use it for, so instead I decided to just mess around with various services and configurations on it. These posts will follow.

A LAMP (Linux, Apache, MySQL, PHP) Stack is a pretty standard solution for running a web service like WordPress. Whatever I use my Pi for, chances are that I’m going to want a pleasant HTML interface. And since I have little experience with WordPress, I decided to start there. To do so, I followed the guide here.

First off, perform the necessary installations. I imagine you could probably install them all at once, on one line, but I did it piece by piece.

apt install apache2
apt install php7.0 libapache2-mod-php7.0
service apache2 restart
apt install mysql-server php7.0-mysql
mysql_secure_installation

Accept defaults ensuring to set a password

service apache2 restart
cd /var/www/html
rm ./*
wget http://wordpress.org/latest.tar.gz
tar xzf latest.tar.gz
mv wordpress/* .
rm -rf wordpress latest.tar.gz
chown -R www-data:www-data /var/www/html

Create wordpress database in mysql

mysql -uroot -p
CREATE DATABASE wordpress;

Create wordpress user in mysql

GRANT ALL PRIVILEGES ON wordpress.* TO 'wordpress'@'localhost' IDENTIFIED BY 'password';

Set up wordpress online

Some final configurations:

a2enmod rewrite
nano /etc/apache2/sites-available/000-default.conf

add after line 1

<Directory “/var/www/html”>
    AllowOverride All
</Directory>
Service apache2 restart