I own most, if not all, of the Hak5 gear because I like to see how each product works and possibly come up with a way to prevent the attack. 

The other day I received an email from them, went to their website, and was reminded of Bash Bunny.  I then wondered what it would take to make a Bash Bunny script to ping scan the network.  Then I wondered what it would take to do that in PowerShell, eliminating the Bunny from the equation.  And that's where this post is headed.

In Linux, I might not necessarily know the exact syntax for what I want to do but I probably have a good idea as to which commands I can use to do it.  I know that from ifconfig, I can get the IP address.  And with various other commands like sed, awk, cut, head, and tail, I can isolate to what I want exactly.

The following one-liner parses ifconfig for the subnet:

Penetration testing, red teaming, hacking, being enthusiastic about information security, or whatever else you want to call it -- to some degree, it's an art form.  A significant portion of this type of work is non-linear and it requires a creative mind to piece together the puzzle.  While the example I'm about to give seems relatively straightforward, there are other aspects of hash cracking that require an artistic imagination and I've seen challenges where I was amazed by the creativity of both the challenger and the participant.  Today, we're keeping it simple but this is a real world situation.

While scanning a host, we uncover the following:

I assume when I say "Brute Force Attack" that we all know what I'm talking about.  Just in case -- let's pretend we have a lock, a pocket full of keys, and we try each key in the lock until we exhaust the collection of keys or we are able to open the lock.  Now let's say the lock is a login, the pocket full of keys, the wordlist, and the act of trying the keys is some sort of application to perform the task.

I'm not sure that helps or hurts so I'll move on to what we're attempting to do in our first example.

I've set up a user on an Ubuntu server and that server has SSH access enabled.  Our victim user is:  bforce and the password is:  123456

The first tool we're going to use is Hydra.

I was talking with a guy the other day and he said something along the lines of -- "Sometimes there are bad things that happen on the Internet."  I replied:  "There are bad things happening on the Internet ALL THE TIME."

Fast forward to today -- I'm working on a project and I need to parse through the Apache access.log file, create a unique list of IP addresses, perform an nslookup on each of the IP addresses, ignore the addresses that do not resolve, and I need to spit out the list of addresses that resolve.

Not that I'm shocked but while writing this up and using cat to show the first part of the log for this screenshot, I see mostly malicious traffic hitting this server:

I have a pay account on Hack the Box and I feel like I should be using it more than I do.  When I'm not complaining about their CTF-style boxes, I do like some of the challenges.  The unfortunate part is that with the Active boxes, I don't normally write them up.  While I do hone my craft at the hacking part, I don't sharpen up my skills for documenting the process.  When I'm posting the write-ups here, I can miss a thing or two but I try not to do that because documentation is as important as the actual process of exploiting the system.  Something to think about if you're solving these problems for more than just your entertainment.

With Nibbles, there wasn't anything really all that new except for two things.  First, I got to work on yet another content management system.  Second, I learned something about hash cracking -- but I'll get to that in a minute.

As a hacker security professional, I'm more of a generalist than a specialist and while I'm ok at web application security, I wouldn't tout my prowess in that area.

A few weeks ago, I took a class specific for web app security because that area is so vast, I felt like I wanted to move further up the line by hiring a professional to teach me some things I don't know.  Two areas that I've spent little time banging around on are Node and Mongo.  Both were discussed in class but briefly.  To continue my education, I've been playing around with vulnerable Node apps on Github.

NodeGoat is a vulnerable application built for the specific purpose of education and while you could go the route of using the Docker image, I would suggest going the manual installation avenue.  At least for me, I find it helpful to see both the front and the back-end.  The installation is not complicated.

© 2020 sevenlayers.com