Category Archives: Tools

There are a lot of products out there, and when I use one I want to remember what I did. This is also to try and share my successes (and failures) with you!

Installing Kali and Metasploitable on VirtualBox

Have you ever wanted to be a 1337 hacker like you see in the movies? Metasploit automates some of the harder tasks related to penetration testing. This blog post is a quick setup guide for two virtual machines that will let you explore how to use Metasploit.

Step 1: Get files needed to create the VMs

Step 2: Setup Kali

Open VirtualBox, click File > Import Appliance. Choose the kali.ova file that you downloaded from the link above. Click Continue to review the VM settings. Hit Import; none of the settings should need changing. The import will take a few minutes to complete depending on your machine.

If the VM fails to start after import, read the details of the failure. If it’s related to USB emulation then change the settings. Open the VM settings by right clicking the VM. Click settings. Find the ports tab and click USB. Change the emulation from 2.0 to 1.1 and everything will be good to go.

The default credentials to log in are u: root / p: toor. Using Metasploit for the first time requires some setup. In a terminal, start the PostgreSQL database by running service postgresql start (note the service name is postgresql). Initialize the database by running msfdb init. Check Metasploit by running msfconsole.

Step 3: Setup Metasploitable2

We will need to create a Linux machine and use the virtual hard drive from the .zip folder that was downloaded earlier. The first step is to unzip the folder and find the Metasploitable.vmdk file.

Next, go to VirtualBox and create a new 64-bit Ubuntu machine. Name it whatever you’ll remember; I used Metasploitable2. Click Continue once everything looks correct.

Change the memory size to at least 512 MB and click Next. Then select “Use existing hard drive” and pick the .vmdk file we found earlier. The last step is to click Create.

Start the box and confirm everything is working as expected. The default credentials are msfadmin/msfadmin. Type ifconfig to see what the box’s IP address is. This will come in handy when trying to scan for the machine from Kali. My machine is at 10.0.2.15.

Step 4: Double check networking

Metasploitable is one of those VMs that are intentionally vulnerable for you to attack. To ensure that no one else attacks your box, make sure it can’t access the internet by confirming in VirtualBox that the network type is set to NAT.

Host-Only would work if we weren’t using another VM to use Metasploit. This is still an option if you want to install Metasploit on your base host and skip the Kali install.

Step 5: Attack

Now play around with Metasploit! Get on Kali, ping the Metasploitable2 machine to make sure it’s in reach. Run msfconsole for a CLI interface or open armitage for a GUI. A lot of walkthroughs are online that can be a good place to start playing with Metasploit.

More info

For more information on how to use Metasploit, check out Offensive Security’s free course. Look for some articles such as the series from null-byte. Read a book about it, buy now from No Starch Press. My motive for posting this is a lightning talk I gave at #misec this month. The IntroToMSF slides are hosted here for those who are interested.

Breaking My Blog with WPscan

One of the tools offered by default in Kali and many other hacking-related distros is WPScan, a black-box WordPress vulnerability scanner. I wanted to learn how to use this tool because it would help with recon on CTF challenges, practice boxes from VulnHub, and even trying to keep my own blog vulnerability free.

Disclaimer

Before I tell you more about the tool and how it can be used, I have to throw out the usual disclaimer. Do not use this tool on any WordPress site you don’t own or have permission to scan. I ran WPScan on my own blog and brought the whole site to its knees. If you did that to a professional blog or your company’s blog then you could have major problems when you get caught.

Setup

If you don’t have a personal WordPress instance to test, then look at getting OWASP’s Broken Web App installed. It has a vulnerable instance of WordPress included that you can scan against and even try to harden. When things break, just reinstall the VM and start over from scratch.

I have a Kali VM installed on most of my computers. By opening a terminal and typing wpscan -h you can learn about all of the options and possibilities for how to scan a WordPress instance. If you want to avoid all the “bells and whistles” then just run wpscan --url <target> --enumerate p to scan and try to find vulnerable plugins.

The scan and the results

WPscan scans the site looking for version numbers and other exposed information that can be compared to a database of vulnerabilities. While running the scan against my site, there was one vulnerability found. There was also a small issue because the WordPress version was public. I was able to research the vulnerability using the links provided from the scan output. While the “fix” isn’t a perfect patch, it’s better than ignoring the vulnerability until the next update is ready. The version was easy enough to hide by deleting the stock readme.html file.

The issue wasn’t gone on the next scan. The scanner is a quick tool to find some vulnerabilities based on version numbers and other information from the site. There are no proofs of concept or attempts to validate whether a vulnerability is a false positive.

Unexpected fun with WPScan

While running the scanner, the --enumerate p option brute-forces the website with requests to gather information about plugins. This crippled my site when over 20 simultaneous database connections made the site unresponsive. This wasn’t solely due to the scanner, but to the fact that I created this blog in college, which means I took the cheap and easy route: Digital Ocean’s one-click solution on the smallest VM made that possible.

The reason I’m not afraid to tell all you hackers about this is because I was able to resolve the issue with some help from friends at #misec. They told me about adding a swapfile that could help boost some power to my little VM. Since then I’ve been able to run WPscan multiple times without a single fatal performance issue.

Edit: A swapfile is NOT recommended for preventing DoS resulting from scans or a spike in traffic. This is a quick fix and a cheap band-aid. If your company uses WordPress or you have a personal blog that’s getting a lot of traffic, upgrade the VM or migrate to a better server that can handle the requirements. This was pointed out to me when I first heard of using a swapfile and again on Twitter after posting this.
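The --enumerate p burst described above has a recognizable footprint in the web server’s access log: one client fetching many different /wp-content/plugins/<name>/ paths within seconds, often right after probing readme.html. This is an added example for spotting that pattern from the defender’s side; it is not code from the original post or from the WPScan project, the log lines are constructed, and the thresholds (5 plugins in 60 seconds) are assumptions to tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable

# Apache/nginx "combined" log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
PLUGIN_RE = re.compile(r"^/wp-content/plugins/([^/?]+)/")
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample access log (not my server's logs). 203.0.113.7 probes six
# plugin directories plus readme.html within ten seconds; 198.51.100.2 is a
# normal visitor whose browser loads assets from two plugins minutes apart.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2016:20:01:00 +0000] "GET /readme.html HTTP/1.1" 200 7113 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2016:20:01:01 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 200 1204 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2016:20:01:02 +0000] "GET /wp-content/plugins/jetpack/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2016:20:01:03 +0000] "GET /wp-content/plugins/contact-form-7/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2016:20:01:05 +0000] "GET /wp-content/plugins/wordfence/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2016:20:01:07 +0000] "GET /wp-content/plugins/yoast-seo/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Feb/2016:20:01:10 +0000] "GET /wp-content/plugins/wp-super-cache/readme.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.2 - - [12/Feb/2016:20:01:04 +0000] "GET /2016/02/breaking-my-blog/ HTTP/1.1" 200 24011 "-" "Mozilla/5.0"
198.51.100.2 - - [12/Feb/2016:20:01:04 +0000] "GET /wp-content/plugins/akismet/_inc/form.js HTTP/1.1" 200 1402 "-" "Mozilla/5.0"
198.51.100.2 - - [12/Feb/2016:20:05:30 +0000] "GET /wp-content/plugins/jetpack/css/jetpack.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def detect_plugin_enumeration(lines: Iterable[str], min_plugins: int = 5,
                              window_seconds: int = 60) -> Dict[str, dict]:
    """Flag client IPs that request at least min_plugins distinct plugin
    directories inside any window_seconds span (the --enumerate p footprint)."""
    probes = defaultdict(list)   # ip -> [(timestamp, plugin slug)]
    readme_hits = set()          # ips that fetched the stock readme.html
    for line in lines:
        m = LOG_RE.match(line)
        if not m:                # skip blank or unparseable lines
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        path = m["path"].split("?", 1)[0]
        if path == "/readme.html":
            readme_hits.add(m["ip"])
        slug = PLUGIN_RE.match(path)
        if slug:
            probes[m["ip"]].append((ts, slug.group(1)))

    window = timedelta(seconds=window_seconds)
    findings = {}
    for ip, events in probes.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):   # sliding window over sorted probes
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({s for _, s in events[start:end + 1]}))
        if best >= min_plugins:
            findings[ip] = {"distinct_plugins": best,
                            "fetched_readme": ip in readme_hits}
    return findings


if __name__ == "__main__":
    print(detect_plugin_enumeration(SAMPLE_LOG.splitlines()))
```

Counting distinct plugin directories rather than raw requests keeps a real visitor with a few plugin assets (the second client) from tripping the check.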


Monitoring Honeypot Output

Last week I posted in Hacking about installing a honeypot to record SSH traffic. Since it was installed, I’ve been working on an easy way to monitor the output. Michel Oosterhof, the creator of Cowrie, has done a lot of development work to create some awesome logging output from the honeypot. There are a lot of different options and you can even store output in a MySQL database. I found instructions for that on a WordPress blog. Feel free to check out the current page at greenjam94.me/honeypot.html

First Attempt

After setting up MySQL, I wrote a page of PHP functions to run about 8 different queries to get back information I thought was relevant. At first, the page was as simple as possible: the same page with all those functions also displayed the front end. It was a late-night, rushed kind of job, but you could see some pretty cool stats. In the first 24 hours of the site, we had over 500 attempts to establish an SSH connection to the honeypot. I linked the PHP page to my website and was happy for the night.

Second Attempt

After looking at the page for a while, I realized it took forever to load and didn’t look that good either. For one thing, the code was horrible. I had so many PHP echo statements containing paragraphs of unformatted HTML. The front-end web page was a clear reflection of that. My goal for my second attempt was to make the web page load fast, even on mobile devices. To accomplish that, I moved all the HTML to an actual HTML file and used JavaScript and AJAX to bounce requests to the old PHP page.

AJAX

It’s not anything new, but the site loads immediately and the info fills in as it arrives. If for some reason the PHP fails, the site doesn’t break; the page simply doesn’t display that part of the content. With the page being better formatted it was easier to make design changes. The site is slightly more responsive and mobile friendly thanks to a better implementation of the Bootstrap framework.

IP Info

The website also uses ipinfo.io to get more information about where an IP address is located. Right now the page only displays country codes, but the idea is to display the IP addresses over a map. Wouldn’t that look really cool? I want to use something like d3, but I haven’t had any experience with it so it may take a while. It’d be nice if it could look like this Cesium example.

VirusTotal

Our honeypot is monitoring traffic and we see results, but we aren’t doing anything with them. Files and uploads are saved so it’s possible to analyze things further. VirusTotal is a website with a public API to review IP addresses and files for viruses and malicious code. One of my future goals is to set up a connection to the API to turn in anything that gets uploaded through the honeypot. The only issue I see is that filenames get changed, and VirusTotal doesn’t like that. The name is changed to a hash of information about the session that uploaded the file.

Future Plans

Better use of ipinfo and VirusTotal is the next step to improve the site. After that I’ll work on improving the site in other ways. Right now, the honeypot is logging through regular log files, JSON, and MySQL. In the five days it’s been running, we’ve had over 1,000 sessions, and logging those in triplicate might get expensive on the hard drive. It’d be more efficient to write the PHP backend to pull from the JSON logs instead of needing the SQL database.
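The stats the PHP page pulls from MySQL (sessions, login attempts, top usernames and passwords, uploaded files with the hash VirusTotal can look up) can be produced straight from Cowrie’s JSON log, which is the direction the Future Plans above point at. The following is an added example, not code from the original post or from the Cowrie project: the log lines are constructed, and the event ids and field names follow Cowrie’s JSON output as I understand it, so treat them as an assumption and compare them against your own cowrie.json.

```python
import json
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample of Cowrie JSON log lines (not real honeypot output).
# The eventid values and field names are assumed to match Cowrie's JSON
# output format; verify them against your own cowrie.json before relying on this.
SAMPLE_LOG = """\
{"eventid": "cowrie.session.connect", "timestamp": "2016-03-01T02:14:07Z", "session": "a1", "src_ip": "203.0.113.5", "src_port": 51234, "dst_port": 2222, "protocol": "ssh"}
{"eventid": "cowrie.login.failed", "timestamp": "2016-03-01T02:14:08Z", "session": "a1", "src_ip": "203.0.113.5", "username": "root", "password": "123456"}
{"eventid": "cowrie.login.failed", "timestamp": "2016-03-01T02:14:09Z", "session": "a1", "src_ip": "203.0.113.5", "username": "root", "password": "toor"}
{"eventid": "cowrie.session.closed", "timestamp": "2016-03-01T02:14:10Z", "session": "a1", "src_ip": "203.0.113.5"}
{"eventid": "cowrie.session.connect", "timestamp": "2016-03-01T02:20:11Z", "session": "b2", "src_ip": "198.51.100.9", "src_port": 40001, "dst_port": 2222, "protocol": "ssh"}
{"eventid": "cowrie.login.success", "timestamp": "2016-03-01T02:20:12Z", "session": "b2", "src_ip": "198.51.100.9", "username": "admin", "password": "admin"}
{"eventid": "cowrie.command.input", "timestamp": "2016-03-01T02:20:15Z", "session": "b2", "src_ip": "198.51.100.9", "input": "uname -a"}
{"eventid": "cowrie.session.file_upload", "timestamp": "2016-03-01T02:20:30Z", "session": "b2", "src_ip": "198.51.100.9", "filename": "x86", "outfile": "dl/ab12cd", "shasum": "ab12cd34ef56ab12cd34ef56ab12cd34ef56ab12cd34ef56ab12cd34ef56ab12"}
{"eventid": "cowrie.session.connect", "timestamp": "2016-03-01T03:01:00Z", "session": "c3", "src_ip": "203.0.113.5", "src_port": 51300, "dst_port": 2222, "protocol": "ssh"}
{"eventid": "cowrie.login.failed", "timestamp": "2016-03-01T03:01:01Z", "session": "c3", "src_ip": "203.0.113.5", "username": "root", "password": "123456"}
not json: a half-written line like this must not crash the report
"""


def parse_events(lines: Iterable[str]) -> List[dict]:
    """One JSON object per line; blank or malformed lines are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def summarize(events: List[dict], top: int = 3) -> Dict[str, object]:
    """The same stats the MySQL-backed page showed, computed from JSON events."""
    connects = [e for e in events if e.get("eventid") == "cowrie.session.connect"]
    failed = [e for e in events if e.get("eventid") == "cowrie.login.failed"]
    success = [e for e in events if e.get("eventid") == "cowrie.login.success"]
    attempts = failed + success
    uploads = [e for e in events
               if e.get("eventid") in ("cowrie.session.file_upload",
                                       "cowrie.session.file_download")]
    return {
        "sessions": len({e["session"] for e in connects}),
        "login_attempts": len(attempts),
        "successful_logins": len(success),
        "unique_src_ips": len({e["src_ip"] for e in events if "src_ip" in e}),
        "top_src_ips": Counter(e["src_ip"] for e in connects).most_common(top),
        "top_usernames": Counter(e["username"] for e in attempts).most_common(top),
        "top_passwords": Counter(e["password"] for e in attempts).most_common(top),
        # Cowrie stores the file under its hash; keep the original name alongside
        # the shasum, which is the value to look up or submit at VirusTotal.
        "uploads": [(e.get("filename") or e.get("url"), e["shasum"]) for e in uploads],
    }


def summarize_log_text(text: str) -> Dict[str, object]:
    return summarize(parse_events(text.splitlines()))


if __name__ == "__main__":
    print(json.dumps(summarize_log_text(SAMPLE_LOG), indent=2))
```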

Cowrie Honeypot Installation

Who likes honey? I know I do. Unfortunately Cowrie isn’t the kind of honeypot you might imagine. Instead of thinking of a source of deliciousness, think of something you will get your hand stuck in. In security terms a honeypot is a system set up to record everything that’s going on. In those terms, Cowrie is an SSH monitor that tracks everything that happens over an SSH connection.

This is a project that I started with @Taco_Pirate. He had a Digital Ocean VM that he wasn’t using and we decided to turn that into a honeypot of some sort. At first we were going to use Kippo, but after reading through some of the wiki we found that Cowrie is just a newer and more updated flavor of Kippo.

So what did we end up doing to get everything set up? Well, first we started with a basic Linux installation on the VM. From there we followed the instructions on Kippo to install any necessary services.

sudo apt-get install build-essential python-dev libmysqlclient-dev python-virtualenv python-pip

It’s probably also a good idea to run apt-get update first. From there we followed the instructions in Cowrie’s INSTALL.md. First we created a user, cloned the GitHub repo, and then copied the configuration. By default the honeypot listens on port 2222, so we set up an iptables NAT rule to redirect any traffic arriving on port 22 to that port. That rule is:

sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-port 2222

For admin reasons we also opened another port for Taco_Pirate and me to connect to. All it takes to start the honeypot is a single command from the directory Cowrie is installed in, “./start.sh”; stopping is as simple as running “./stop.sh”. It was a pretty easy setup, so this post is short compared to my last few, but that’s good. If you’re interested in learning how people or robots (scripts that do malicious things) interact with servers over SSH, or what people use to try and guess accounts or passwords, I would suggest you make a honeypot for yourself.

The author of Cowrie started with Kippo and made some really cool additions; you can read about them all on his website. Some of them that I really like are the SFTP support and improved logging. There are a lot of options in the config file for different uses of the logs. For example, you can add attempts to a MySQL database or send files to VirusTotal in order to see if things are malicious. Integrating with VirusTotal was something I requested from the creator of Cowrie and he set it up really quickly. If you have a similar idea, you can create an issue on GitHub.

Thanks for reading this, if you have any questions about how I implemented Cowrie then please comment below. If you want to view the statistics of the people getting caught then feel free to look here.

Installing BWA (Broken Web App)

OWASP BWA is a safe place to practice some fun stuff and is basically a collection of applications to test everything security related. OWASP has a few projects like WebGoat, Security Shepherd, and more. Broken Web Apps is a collection of these guides and some outdated apps to test your developing skills.

Install All The Things!

In order to set things up, it’s important to have everything you need installed. While you don’t need Kali to execute some web exploits, it is useful because of all the tools at your disposal. You do however need VirtualBox or VMware Player to host the VM. If you haven’t set up a VM before, I suggest you use VirtualBox and the .ova files. The rest of the guide will assume you want to use VirtualBox.

Extract Kali Files

For a Mac, go to the App Store and download The Unarchiver, a free app to extract 7zip files. Windows users can download the 7-Zip program and extract with that. On Gentoo you can use p7zip, a command-line 7zip tool; it’s apparently in the Debian repos too. Extract with 7z x archive_you_want_to_extract.7z from a terminal.

Setting it up (For VirtualBox)

Once everything is installed, run VirtualBox and click File > Import Appliance. Choose the files that you just downloaded from the links above. The default settings that come with the appliance should appear and you can click OK.

BWA Virtual Machine
Once the VM is fully installed, VirtualBox should look like this.

After you see the new virtual machine, you’ll want to make sure you can access it from either your Kali VM or your actual machine. To do this you can set up either a NAT Network or a Host-only Adapter for the VM. I chose Host-only, but either will work as long as you configure it correctly. Go to File > Preferences. On the left sidebar click Network. There you’ll see tabs for NAT Networks and Host-only Networks. Pick one; there will be three buttons on the right, click the one with the + icon. That adds a new network for your VM to use. Hit OK to go back to the main page of the app.

Network Settings
Add a new NAT network or Host-only network to VirtualBox

Go to your VM’s settings by clicking to select it, then hit the big Settings button above it. Go to Network, select the network type you just made, make sure the network name is correct, then hit OK on everything.

VM network settings
Change the network settings for the BWA VM

Start up the BWA

Run the VM! This should go without a hitch: the VM starts up in a new window and displays a lot of lines while booting, but once it’s ready to log in you can use user: root and password: owaspbwa. This is the default user and password for all the administrative accounts across the VM. As you log in, the welcome text should say what the IP address is for the VM. On your actual machine, open a web browser and go to that address by typing the IP address into the address bar, like http://192.XXX.XXX.XXX

To make it easier for future use, you can edit the hosts file on your main computer so that a hostname resolves to the IP address. On Linux or a Mac, open a terminal, run sudo nano /etc/hosts, and add the line 192.XXX.XXX.XXX        owaspbwa.com. That’s a tab between the IP address and the hostname. The hostname can be whatever you want if you don’t like owaspbwa.com. Replace the IP address in the browser with the new hostname. If that doesn’t work, restart the browser and try again.

BWA homepage
This is the first page of the OWASP BWA project

SSH into Kali

I’ve had a couple of posts about Kali on here already. But I still haven’t had a chance to fully get into it myself. I know, it’s tragic, right? Well, for those who know less than I do about it: Kali is a Linux distro from Offensive Security that comes packed with tools and programs that make hacking easy. However, carrying around a computer for work, one for class, one with Windows, and a tablet or two isn’t really an option, unless your bag is designed for 80 lbs. A quick fix for that is to allow remote connections between the computers. My infosec mentor suggested this idea so I could have easy access to the tools available on Kali.

Setting up SSH

I want to set up an SSH port on my Kali box so I can access the tools from anywhere I have an internet connection. Currently I have Kali on an old Windows computer that used to run Vista. I really don’t want to carry that around. However, I always have my MacBook Air for classes, so I can use that and then connect to my other, heavier, computer. Setting up SSH on a Kali box is really easy; I followed one of many tutorials online and it all seems to work when I run ssh user@localhost. I even set up some cool ASCII art to personalize the process of logging in. I had fun with that part.

Continuing Issues

The complicated part is my router from Comcast. For some reason I can’t set up correct port forwarding so outside SSH traffic can get to my laptop. If anyone can help me figure that part out, I’d owe you one! At first I thought it was because I have a router behind a router on my network, but even after fixing that and moving to the outer network I still can’t get port forwarding to work, and it seems that it’s because Comcast doesn’t like having their rental equipment used as a network bridge. I’m not entirely sure if those reports are true, but after struggling for so long with this and not being able to get it working I’m starting to assume it’s true.

Duo Security’s 2FA

I hope you’ve been enjoying my posts. I know that writing these posts has been a good outlet for all I have learned over the last few years. This website is hosted on a VM, but it’s still a server that’s vulnerable to your everyday hacks. For instance, every day someone pings my server, finds the SSH port and attempts to brute-force it. Now while there’s nothing here for them to steal, there’s still 20GB of free internet storage for whatever they want, and the only thing stopping that brute-force attack is that they can’t guess my password.

This is where Two-Factor Authentication (2FA) comes into play. 2FA is where a user presents a password (first factor) and a key (second factor) for authentication. That key is usually a randomized code that is generated by a secure app or a hardware device like a USB key. An attacker can guess that your password is scriptKitty, but they can’t guess a randomly generated key. So to prevent someone from gaining access to my VM I’m setting up 2FA using Duo.

Why Duo? Well honestly they were recommended by my mentor and they also sponsored a2y.asm. So that’s two brownie points for them. But the real reason I went with them is because 2FA is their bread and butter. Duo already has mobile apps, APIs, and tons of documentation that allow anyone (even a college student) to set up high quality 2FA in under an hour. Not to mention that Duo’s mobile app helps prevent social engineering attempts or other 2FA hacks (Yes, people still hack 2FA even though I said you can’t guess the key).

I sleep more soundly at night knowing that no one will be able to brute force my server thanks to Duo. However that’s not the only thing I want to do to my server. I want to run through the other services being used on my server and make sure everything is locked down tight. I also want to customize Duo’s login process. For one thing, when the root account tries to log in there is a message that comes back saying something like “Register here www.api.duo.com/###…” and I don’t like that because I know people are using the root account for brute force. I’d prefer to remove the url from the message entirely. So that only I have access to the api and no one is trying to break the 2FA.

Step 4: Get into the toy chest


If you’ve never played with Bash/the terminal or you don’t know what Linux is, I suggest you read into that first before you get much further into hacking. Most of Kali’s toys are based on the terminal, so in order to run them you will be typing commands like “nmap -A your-ip-address”. This link is Offensive Security’s website, where they have some awesome documentation about what’s available on Kali.


If you want a link to learn about terminal / Linux, try here. I borrowed this link from a web administration class, but the information is what matters!

Step 3: Set Up Your Hacking Environment

Everyone wants to break into their neighbor’s Wi-Fi or steal someone’s password at Starbucks, but depending on national, state, and local law, even packet sniffing could be illegal. So how do we safely practice how to hack before we are ready to find Sony’s back door? We set up an environment for virtual machines on our local computer or server!

For those of you who don’t know what a Virtual Machine is, it’s a “computer” inside your computer. Using programs like VMware or Oracle’s VM VirtualBox (which is free) you can have multiple systems running on your computer depending on your computer’s RAM and processing power. I suggest you download VirtualBox to get started: https://www.virtualbox.org/wiki/Downloads

VirtualBox view of environments

After you have that installed, you need to get the operating systems that’ll make up your VMs. I suggest using Kali for your “hacker” machine and OWASP’s BWA for your “victim” machine. OWASP is an open-source community focused on web application security. You should check out http://www.owasp.org to learn more about them. Be sure to check out their Top 10 vulnerabilities for websites. You can download the files for both VMs at the links below. Special note about the BWA VM: it’s made of VMware files, so there’s no installing like you would with Kali. Be sure to use an existing hard drive and select one of the files from the .zip folder you downloaded.
https://www.kali.org/downloads/
http://www.slideshare.net/michael_coates/lab-setup-28126110

Follow these tutorials to get your systems online!
Installing Kali as a Virtual Machine

Installing OWASP’s BWA as a Virtual Machine

If you’ve never used a linux operating system before, I suggest you learn fast! Check out how to use the bash commands (terminal) and learn some of the tools that Kali has to offer.

Kali environment

Now, your “victim” is specifically made to have vulnerabilities! It’s up to you to find them, or if you want more of a step-by-step then I suggest you google how to get in or check out the BWA project files.


OWASP BWA environment


Confession: While writing this blog I got OWASP BWA working on my Windows machine for the first time. I’m very excited to try it out!