[LINUX] Install SSL certificates on Apache

The steps below are for Debian/Ubuntu (update-ca-certificates and the paths are Debian-specific). The private key goes into /etc/ssl/private, a directory readable only by root; keep the key file itself at mode 600 as well, since anyone who can read it can impersonate the site. The CA certificate goes into the local trust store, from where update-ca-certificates links it into /etc/ssl/certs with a .pem extension. Note that the server certificate itself does not need to be in the trust store: copying it to /usr/local/share/ca-certificates makes the local machine trust it as if it were a CA, which is unnecessary; you can just as well leave it in /etc/ssl/certs and reference the .crt file directly.

# mv myprivatekey.key /etc/ssl/private

# mv mycertificate.crt /usr/local/share/ca-certificates/

# mv CAcert.crt /usr/local/share/ca-certificates/

# update-ca-certificates

# ls -l /etc/ssl/certs/ | grep -i mycert

Then point the SSL virtual host at the three files. SSLCertificateChainFile has been deprecated since Apache 2.4.8 (the intermediate certificates can simply be appended to the file named by SSLCertificateFile), but it is still accepted:

# vim /etc/apache2/sites-enabled/default-ssl.conf
----------------------------------------
[...]
SSLCertificateFile /etc/ssl/certs/mycertificate.pem
SSLCertificateKeyFile /etc/ssl/private/myprivatekey.key
SSLCertificateChainFile /etc/ssl/certs/CAcert.pem
[...]
----------------------------------------

Run apachectl configtest before restarting, so that a typo in the paths does not take the site down, then:

# systemctl restart apache2.service
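The checks worth running before that restart, as an added example that is not part of the original post: it generates a throwaway CA and server certificate with openssl (constructed test data, never for production use) so that it runs stand-alone, then verifies that the private key really belongs to the certificate, that the certificate chains up to the CA file Apache will serve, that the key file is not world-readable, and that the certificate is not about to expire. On a real host skip the generation part and point CA_CRT, SRV_CRT and SRV_KEY at /etc/ssl/certs/CAcert.pem, /etc/ssl/certs/mycertificate.pem and /etc/ssl/private/myprivatekey.key.

```sh
#!/bin/sh
# Added example, not part of the original post: pre-flight checks for the Apache
# TLS files. The CA and certificates below are constructed test data (2048-bit RSA,
# one year validity) so the script is self-contained; on a real host point the
# variables at the files installed in the steps above.
set -u
WORK=$(mktemp -d)
CA_KEY="$WORK/CAcert.key";        CA_CRT="$WORK/CAcert.pem"
SRV_KEY="$WORK/myprivatekey.key"; SRV_CRT="$WORK/mycertificate.pem"
OTHER_KEY="$WORK/other.key";      OTHER_CRT="$WORK/other.pem"   # unrelated CA for negative checks

openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test CA" \
    -keyout "$CA_KEY" -out "$CA_CRT" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$SRV_KEY" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -days 365 -in "$WORK/server.csr" -CA "$CA_CRT" -CAkey "$CA_KEY" \
    -CAcreateserial -out "$SRV_CRT" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Other CA" \
    -keyout "$OTHER_KEY" -out "$OTHER_CRT" 2>/dev/null
chmod 600 "$SRV_KEY"

# 1. Does the private key belong to the certificate? Compare the public keys they carry.
key_matches_cert() {  # $1 = key file, $2 = certificate file
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}
# 2. Does the certificate verify against the CA/chain file Apache will hand out?
chain_verifies() {  # $1 = CA/chain file, $2 = server certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
# 3. Is the key readable by its owner only? Apache reads it as root at startup.
key_perms_ok() {  # $1 = key file
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ] || [ "$mode" = "400" ]
}
# 4. Will the certificate still be valid in N days? (Worth feeding to monitoring too.)
cert_valid_for_days() {  # $1 = certificate file, $2 = days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

report() {  # $1 = label, rest = check command; prints one verdict line, records failures
    label=$1; shift
    if "$@"; then echo "ok    $label"; else echo "FAIL  $label"; FAILED=1; fi
}
preflight() {  # $1 = key, $2 = certificate, $3 = CA/chain file; 0 only if every check passes
    FAILED=0
    report "private key matches certificate"  key_matches_cert "$1" "$2"
    report "certificate chains to CA file"    chain_verifies "$3" "$2"
    report "key file mode is 600 or 400"      key_perms_ok "$1"
    report "certificate valid for 30+ days"   cert_valid_for_days "$2" 30
    return "$FAILED"
}

preflight "$SRV_KEY" "$SRV_CRT" "$CA_CRT"
```

If preflight prints a FAIL line, fix that before touching the Apache configuration: a key/certificate mismatch makes mod_ssl refuse to start, and a wrong chain file makes browsers that lack the intermediate fail the handshake even though the server starts fine.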

[INTEL] Useful tools for cyber and intelligence cases


Below is my personal collection of tools that help with the analysis of cyber and intelligence cases (alphabetical order by category).

Clearly, you won't find some famous tools like Google Maps, Metasploit, Yandex Image Search or Hashcat: they are already included in other public collections.

Last update: April 01, 2022

Chrome and Firefox Extensions

  • Cookie-Editor
    Cookie-Editor lets you efficiently create, edit and delete a cookie for the current tab.
  • Fake Profile Detector
    A Google Chrome extension capable of detecting artificially generated profile pictures.
  • Instant Data Scraper
    Instant Data Scraper extracts data from web pages and exports it as Excel or CSV files.
  • User-Agent Switcher
    Spoof your browser's "user-agent" string with a custom value, so that websites see a different browser and platform than the one you are actually using (note that other fingerprinting signals are unaffected).

Cyber Threat and Darkweb Intelligence

  • Cisco Talos Intelligence
    Talos defends against known and emerging threats, discovers new vulnerabilities in common software, and interdicts threats in the wild before they can further harm the internet at large.
  • Cyber Feeds (by ENISA)
    A list of several feeds about malware, botnets, phishing and spam.
  • Dark.Fail
    The uncensored internet: a collection of darknet sites.
  • Darknetlive
    Massive list of onion service links.
  • DarkTracer
    DarkTracer is designed to monitor and trace malicious activities on the Dark Web and Deep Web.
  • DeepDarkCTI
    Collection of Cyber Threat Intelligence sources from the Deep and Dark Web.
  • Intelligence X
    It searches in places such as the darknet, document sharing platforms, whois data, public data leaks and others.
  • OnionSearch
    Scrape urls on different “.onion” search engines.
  • Onyphe
    Onyphe is a cyber defense search engine for open-source and cyber threat intelligence data collected by crawling various sources available on the Internet or by listening to Internet background noise.
  • Ransomware Groups
    A list of ransomware groups including their official channels.
  • TorBot
    TorBot is an open source intelligence tool developed in python. Its main objective is to collect open data from the deep web.
  • VX Underground
    The largest collection of malware source code, samples, and papers on the internet.

DNS and other Domain tools

  • Crt.sh
    Certificate Search (with history).
  • Dig.pm
    A DNS log platform, mainly used for the log4j vulnerability testing. Previously https://log.xn--9tr.com.
  • DNSDumpster
    A free domain research tool that can discover hosts related to a domain.
  • DNSTwister
    The anti-phishing domain name search engine and DNS monitoring service.
  • FinalRecon
    FinalRecon is an automatic web reconnaissance tool written in python. It provides an overview of the target in a short amount of time while maintaining the accuracy of results.
  • MXToolBox
    All of your MX record, DNS, blacklist and SMTP diagnostics in one integrated tool.
  • Newly Registered Domains (by WhoisDS)
    Daily list of newly registered domains. DomainAlerting is an automated tool capable of alerting when a new domain name is registered and contains your keywords.
  • Subfinder
    Subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources.
  • Sublist3r
    Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT.
  • TorWhois
    TorWhois Onion Search.

Dorks

  • Dorkbot
    Scan Google (or other) search results for vulnerabilities.
  • Google Hacking (by Pentest tools)
    Use advanced search operators (Google Dorks) to find juicy information about target websites.
  • Katana Dork Scanner
    Katana-ds (ds for dork_scanner) is a simple python tool that automates Google Hacking/Dorking and supports Tor.

Encoding, Encryption, Hashing

  • CyberChef
    An all-in-one web app for analyzing and decoding data without having to deal with complex tools or programming languages.
  • Morse Code
    With respect to other Morse coders, this one has several Morse versions, including the Russian one.
  • Punycoder (or IDN converter)
    A tool for Punycode to Text/Unicode.

Hacking News

  • Bleeping Computer
    Accurate and relevant information about the latest cybersecurity threats and technology advances.
  • Malvuln
    Finding and exploiting vulnerable Malware.
  • PacketStorm
    A site providing news about real security issues.

IPs, Hostnames and Services

  • Censys
    Searching and proactively monitoring your digital footprint.
  • Check Host
    Checking availability of hosts, DNS records, IP addresses.
  • GeoPeeker
    A platform to see how a site appears to the rest of the world.
  • MAC Vendors
    Find the vendor / manufacturer of a device by its MAC Address.
  • MyIp.ms
    Hosting info, websites and IPs database.
  • LeakIX
    LeakIX goes around the Internet and finds services to index them.
  • Shodan
    Shodan is a search engine for Internet-connected devices. If a device is directly hooked up to the Internet then Shodan queries it for various publicly-available information.

OSINT collections

Penetration Testing

  • Cotopaxi
    Set of tools for security testing of Internet of Things devices using protocols: AMQP, CoAP, DTLS, HTCPCP, HTTP, HTTP/2, gRPC, KNX, mDNS, MQTT, MQTT-SN, QUIC, RTSP, SSDP.
  • Ddosify
    A high-performance load testing tool, written in Golang.
  • Excel 4 Macro Generator
    A python script that takes x86 and x64 beacon raw shellcode and generates XLM macro.
  • EXCELntDonut
    EXCELntDonut is a XLM (Excel 4.0) macro generator. Start with C# source code (EXE) and end with a XLM (Excel 4.0) macro that will execute your code in memory.
  • Fsociety
    Fsociety is a penetration testing system comprising all the penetration testing tools a hacker needs.
  • Hackingtool
    HackingTool is an all-in-one hacking tool for hackers.
  • Hping3
    Hping3 is a network tool able to send custom TCP/IP packets and to display target replies, like ping does with ICMP replies.
  • Lazy script
    A script automating many procedures about wifi penetration and hacking.
  • Mentalist
    Mentalist is a graphical tool for custom wordlist generation. It utilizes common human paradigms for constructing passwords and can output the full wordlist as well as rules compatible with Hashcat and John the Ripper.
  • Mimikatz
    Extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory.
  • PacketSender
    Packet Sender is an open source utility to allow sending and receiving TCP, UDP, and SSL (encrypted TCP) packets as well as HTTP/HTTPS requests and panel generation.
  • Ping Castle
    Ping Castle is a tool designed to assess quickly the Active Directory security level with a methodology based on risk assessment and a maturity framework.
  • Racketeer
    The goal of this project is to provide a way for teams to simulate and test detection of common ransomware operation, in a controlled manner, against a set of company assets and network endpoints.
  • Reverse Shell Generator
    An online reverse shell generator that lets you set the IP address, port and shell of choice for your favorite reverse shell payloads.
  • Spraykatz
    Spraykatz is a tool able to retrieve credentials on Windows machines and large Active Directory environments.
  • VulnX
    Vulnx is an intelligent bot auto shell injector that detects vulnerabilities in multiple types of CMS.
  • Webshells collection
    A collection of webshells for ASP, ASPX, CFM, JSP, Perl, and PHP servers by BlackArch Team.

People

Programming

  • Grep.app
    It searches code from over a half million public repositories on GitHub.
  • Localtunnel
    Localtunnel allows you to easily share a web service on your local development machine without messing with DNS and firewall settings.
  • HTML tester
    A web page to test HTML code
  • Markdown
    A web page to test the Markdown markup language
  • Regex101
    A very complete regular expressions tester.
  • SearchCode
    Search 75 billion lines of code from 40 million projects.
  • Shellcheck
    Finds bugs in your shell scripts.
  • Text manipulation
    A web page of useful string tools.

Radio and Streaming

Social Engineering

  • Browser in the Browser (BITB) Attack
    Browser templates for Browser In The Browser (BITB) attack.
  • Canary Tokens
    Canary tokens are a free, quick, painless way to help defenders discover they’ve been breached (by having attackers announce themselves.)
  • Evilginx
    Evilginx2 is a man-in-the-middle attack framework used for phishing login credentials along with session cookies, which in turn allows bypassing 2-factor authentication protection.
  • Grabify
    Grabify IP logger will help you find and track the IP address of any person.
  • Gophish
    Gophish is a powerful, open-source phishing framework that makes it easy to test your organization’s exposure to phishing.
  • Trape
    Trape is an OSINT analysis and research tool, which allows people to track and execute intelligent social engineering attacks in real time.

Social Media Analysis

  • Birdhunt
    BirdHunt is a free OSINT tool to find tweets based on a location.
  • Ignorant
    Check if a phone number is used on different sites like snapchat, instagram.
  • Instahunt
    Instahunt is a free OSINT tool to find Instagram posts based on a location.
  • Instaloader
    Instaloader is a tool to download pictures (or videos) along with their captions and other metadata from Instagram.
  • Map of Reddit
    A massive interactive map of subreddits.
  • Nitter
    Nitter allows you to view Twitter content without logging in.
  • Osintgram
    Osintgram is an OSINT tool for Instagram to collect, analyze, and run reconnaissance.
  • Reddit Comment Search
    Search through comments of a particular reddit user.
  • Reddit Search
    Search through both deleted posts and deleted comments on Reddit.
  • Reddit User Analyser
    A tool that helps analyze a Reddit user’s account.
  • Reveddit
    Reveal reddit’s removed content. Search by username, subreddit, link or domain.
  • Sherlock
    Hunt down social media accounts by username across social networks.
  • Tarantula
    OSINT tool to automate LinkedIn searches, scraping profiles to compile relevant information about users and filtering profiles by searching for keywords in them.
  • Tinfoleak
    The most complete open-source tool for Twitter intelligence analysis.

Traffic, Tracking, Geolocation and WWW Analysis

  • Archive Wayback Machine
    A digital library of Internet sites and other cultural artifacts in digital form.
  • Archive Today
    A time capsule for web pages.
  • Flightradar24
    Flightradar24 is a global flight tracking service that provides you with real-time information about thousands of aircraft around the world.
  • Greynoise
    GreyNoise is a cybersecurity platform that collects and analyzes Internet-wide scan and attack traffic.
  • Httpx
    Httpx is a fast and multi-purpose HTTP toolkit that runs multiple probers using the retryablehttp library; it is designed to keep results reliable even with a high thread count.
  • PublicWWW
    Find any alphanumeric snippet, signature or keyword in the web pages HTML, JS and CSS code.
  • Search All Junk
    Search multiple classifieds sites at once. Covers Craigslist, Recycler, Penny Saver, Oodle and Facebook Marketplace.
  • SecretFinder
    SecretFinder is a python script based on LinkFinder, written to discover sensitive data like apikeys, accesstoken, authorizations, jwt in JavaScript files.
  • Unshorten
    Analysing the website for safety and letting you see it before you decide whether to proceed.
  • Urlscan
    A sandbox for the web.
  • Wigle
    Consolidate location and information of wireless networks world-wide to a central database.

[Check Point] Search for AD users in Access Roles

Alice's Adventures in Wonderland

Search for AD users in Access Roles

Are you using the Identity Awareness functionality on your Check Point firewall? It is very convenient, isn't it? Identity Awareness can be used for local traffic and for VPN remote access as well. You can directly map Active Directory users and computers into your Access Roles and build rules per user (or computer) instead of per IP address. Read the official documentation for more information; you may discover a new world!
Now, would you like to search for AD users in your Access Roles? Have you noticed that the only users searchable through the Object Explorer are local users? In other words, you can only search for users created locally in the management database, but you cannot do that for external accounts like AD users! Sigh…

This is a serious shortcoming of SmartConsole: there is no way to find out whether an AD user is already configured in some Access Role. You may end up creating duplicate Access Roles containing the same users, which is very confusing during troubleshooting. Thus, before adding a new Access Role, you should check whether the user you want to map already exists in another one.

The Bianconiglio script

For that reason I wrote a simple Python script that searches for AD users in Access Roles. I named it Bianconiglio, the Italian name of the White Rabbit from Alice's Adventures in Wonderland.

Download the Bianconiglio script

It is very simple to use: the syntax just takes the username and an optional case-insensitive flag:

Search for AD users in Access Roles

So, assuming you want to search for user 012345, the command to run is:

./getADuser.py 012345

The result will look like the following: it shows the Access Role containing the user you are searching for and the other members (users and groups) of the same Access Role.

Search for AD users in Access Roles

The only configuration you need on the Management Server (not on the gateway) is a user with the Read Only All permission profile, authenticated by API key. For instance:

Read only All User

Then copy and paste your Management Server IP address and the generated API key into the Bianconiglio script. Since the key is embedded in the script and grants read access to the whole management database, keep the file readable only by your own user. For instance:

Bianconiglio configuration

If you have found this post useful, please visit the Contribute page

[Check Point] Automated IP Blacklist v2

In my previous post I introduced several methods to create an automated IP blacklist on Check Point firewalls. At that time I was running R80.20, so, for obvious reasons, the best choice was Dynamic Objects.

However, if you read that post again, you will see that I was already mentioning the SecureXL blacklist (solution n. 5). Well, I have upgraded my firewall infrastructure to R80.40, and here I am: I want to share the updated version of the automated IP blacklist script.

SecureXL Blacklist

I totally changed the previous logic. I am not using dynamic objects anymore, since they can cause performance issues on the firewall when loading thousands and thousands of ranges. Instead, fwaccel dos blacklist -L <blacklist_file> is the way to go on R80.40, since it performs very well: it loads thousands of IPs in 1-2 seconds.

See sk112454 for more information. Below some useful commands:

  • Load a list of IPs from file
    fwaccel dos blacklist -L /path/file
  • Flush the blacklist
    fwaccel dos blacklist -F
  • Show the blacklist items
    fwaccel dos blacklist -s

Download the Blacklist script v2

The above script works well when scheduled as a cron job; for instance, my firewall autonomously updates the SecureXL blacklist every hour.

No more DoS or massive scans!


[Threat Intelligence] Sapienza Blacklists

threat intelligence

Attacks, cyber threats and social engineering techniques are evolving rapidly. We live in an age where criminal organizations profit from stolen data and spy on citizens and companies. Cyber security techniques must therefore keep pace, so that companies can better protect their systems and, in doing so, comply with recent regulations on the protection of personal data.

Every day we test innovative and advanced techniques to protect Sapienza's IT systems, trying to anticipate and prevent the latest generation of attacks. Firewalls and Intrusion Prevention Systems are essential for rejecting known attacks, but on their own they are no longer sufficient against massive and advanced attacks.

For that reason, we created blacklists made up of thousands of malicious IPs. They are updated automatically by our continuous analysis of "anomalies" coming from the Internet, and they mostly contain IPs not (yet) flagged by other organizations. Sapienza's blacklists are therefore a useful addition to the lists published as TLP:WHITE, such as FireHOL or Talos.

Sapienza Blacklist

Please contact me if you'd like to use them. You can also feed our blacklists to Check Point gateways with the freely available scripts published in two other posts: script_v1 and script_v2.


[Check Point] Automated IP Blacklist

You Shall Not Pass

Check Point firewalls do not have an easy, ready-to-use "automated IP blacklist" mechanism: SmartConsole simply lacks this kind of feature.

For that reason you need to write some code around Check Point's tools and API to populate a blacklist (or blocklist) with IPs collected from external feeds, so that the gateway drops incoming traffic from malicious sources.

What are the solutions?

Below are the solutions I tested to implement such an automated mechanism.

1. Network Objects

Add new host and network objects into an existing network group object.

  • Pros: easy to implement with mgmt_cli (an example implementation is provided here).
  • Cons: adding and deleting objects is very heavy, since it is a sequence of many individual changes; furthermore, every change has to be published and the policy installed. A well-known issue is the expiration of the Apache session (see my post on CheckMates).

2. The script using samp rules

Use the script provided in sk103154 (samp rules).

  • Pros: ready-to-use script; you may need some changes to suit your environment.
  • Cons: not supported on VSX. Some CheckMates users report that samp rules can be heavy in terms of performance.

3. Custom Intelligence Feeds

Use Intelligence Feeds, as documented in sk132193.

  • Pros: a new approach that enriches the cyber intelligence functionality with IOC feeds.
  • Cons: traffic is blocked by the Anti-Virus and Anti-Bot blades, not by Access Control, so this approach is not optimal for blocking incoming traffic from thousands of IPs. Better to use it only with Anti-Virus feeds (URLs, MD5 hashes and so on) for outgoing traffic.

4. Dynamic Objects

Use Dynamic Objects as implemented by “Open Dynamic Block Lists” (see post on CheckMates).

  • Pros: a dynamic approach with a very fast change process; dynamic objects do not require "publish and install".
  • Cons: the OpenDBL script does not support VSX. In addition, there is no coverage between deleting the old blacklist and creating the updated one: the gap lasts seconds with thousands of IPs and minutes with tens of thousands.

5. SecureXL Blacklist

Use fwaccel dos blacklist to drop packets in SecureXL (see sk112454).

[UPDATE] Please also read this other post if you're running R80.40.

  • Pros: on R80.40 and newer it scales to millions of IP addresses; a scalability hotfix is available for R80.20/R80.30.
  • Cons: networks in CIDR notation are not supported; you need to use rate-limiting policy rules for those instead.

The definitive solution

After several experiments I eventually chose the Dynamic Objects approach (4). However, since the script provided by OpenDBL was not suited to my configuration (a cluster of 3 x 23900 appliances in VSX configuration), I rewrote the code.

Download the script

Improvements

  • Processing of multiple URL feeds in one script file.
  • Support for network strings in CIDR format as well as single IPs.
  • Inputs validated by strict regular expressions.
  • "Diff" mechanism that adds only the new IPs and removes only the obsolete ones (no more coverage gap).
  • Caching mechanism that preserves a feed when its online source is unavailable.

Instructions

  • Create the directory path /scripts/blacklist/ on your Gateway.
  • Copy the bash script into the /scripts/blacklist/ directory.
  • Change the VSID variable to the correct Virtual System ID.
  • Change the CONTEXT variable to the name of your blacklist.
    IMPORTANT: the name must be the same as the Dynamic Object BLDO_ContextName you will create in SmartConsole (see below).
  • Copy your feeds into the URL array elements (e.g. URL[0]="...").
  • Give execution permissions to the bash script: chmod +x blacklist.sh.
  • Run the script manually in VS0 to check that everything works: ./blacklist.sh.
  • Check the logs within /scripts/blacklist/logs/.
  • Add a cron job in VS0 to run the bash script automatically (crontab -e). For instance:
    # Blacklist running every hour at :15 min
    15 * * * * /scripts/blacklist/blacklist.sh
  • Create a Dynamic Object in SmartConsole named BLDO_ContextName and add it to a drop rule. For instance:

    Blacklist Drop Rule

Feeds to subscribe

  • FireHOL is a very good resource with several feeds.
  • At Sapienza Università di Roma we maintain an excellent feed containing thousands of IPs that no other feed has discovered. It is updated every 5 minutes by the correlation performed by our Cyber Threat Intelligence technology, and every IP stays in the list for 48 hours.

    If you are interested in subscribing our feed, please contact me (have a look at Professional Services as well).

    Sapienza Blacklist

Further thoughts

  • A 23900 appliance can handle up to 100,000 IPs with no performance issue; beyond that threshold you may see some performance degradation.
  • The fwaccel solution is a good future candidate if Check Point adds support for networks as well as single IPs.
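The core of the mechanism described in the "Improvements" list, as an added example that is not the blacklist.sh linked above (nor the v2 script): strict validation of every feed line, a cached copy used when a feed is unreachable, and a diff against what the gateway already holds so that only additions and removals are pushed and the coverage gap disappears. It also serves the v2 post above, since the same validated set is written out as the flat file of single IPs that fwaccel dos blacklist -L loads. Assumptions: the feeds are local files here (the real script fetches URL[n] with curl), the "current" gateway content is a constructed file (the real one would be parsed from dynamic_objects -l), and the dynamic_objects -o <object> -r <from> <to> -a|-d syntax is taken from the sk and should be verified on your gateway. With DRY_RUN=1 (the default here) the gateway commands are printed instead of executed.

```sh
#!/bin/sh
# Added example, not the blacklist.sh from the post: validate / cache / diff core,
# run on constructed feed files so it works offline. DRY_RUN=1 prints the gateway
# commands instead of running them; the dynamic_objects syntax is assumed from the sk.
CONTEXT=${CONTEXT:-Feeds}
DRY_RUN=${DRY_RUN:-1}
WORK=$(mktemp -d); CACHE="$WORK/cache"; mkdir -p "$CACHE"

# Constructed test data: feed1 is reachable, feed2 is down but has a cached copy.
cat >"$WORK/feed1.txt" <<'EOF'
# comment lines and trailing comments are ignored
198.51.100.7
203.0.113.0/24
300.1.1.1        # bad octet: rejected
192.0.2.1/33     # bad prefix: rejected
198.51.100.7     # duplicate: collapsed
EOF
printf '192.0.2.9\n192.0.2.10/32\n' >"$CACHE/feed2"
printf '192.0.2.9\n198.51.100.200\n' >"$WORK/current.txt"   # what the gateway holds now

OCTET='(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
ENTRY_RE="^$OCTET(\.$OCTET){3}(/([0-9]|[12][0-9]|3[0-2]))?$"

# Strict input validation: only a dotted-quad IPv4, optionally with /0-/32, passes.
valid_entry() { printf '%s' "$1" | grep -Eq "$ENTRY_RE"; }

# Load one feed. On fetch failure fall back to the cached copy, so a dead feed
# never shrinks the list; print the validated entries, one per line.
load_feed() {  # $1 = feed name, $2 = source (a path here; a URL for curl in production)
    if [ -r "$2" ]; then cp "$2" "$CACHE/$1"
    elif [ -r "$CACHE/$1" ]; then echo "warn: $1 unavailable, using cached copy" >&2
    else echo "warn: $1 unavailable and not cached, skipping" >&2; return 0; fi
    sed 's/#.*//; s/[[:space:]]//g' "$CACHE/$1" | while read -r e; do
        if [ -n "$e" ] && valid_entry "$e"; then echo "$e"; fi
    done
}

# 10.0.0.0/24 -> "10.0.0.0 10.0.0.255": dynamic_objects takes ranges, not CIDRs.
cidr_to_range() {
    ip=${1%/*}; p=${1#*/}; [ "$p" = "$1" ] && p=32
    oIFS=$IFS; IFS=.; set -- $ip; IFS=$oIFS
    n=$(( ($1<<24) | ($2<<16) | ($3<<8) | $4 ))
    mask=$(( p == 0 ? 0 : (0xFFFFFFFF << (32-p)) & 0xFFFFFFFF ))
    lo=$(( n & mask )); hi=$(( lo | (~mask & 0xFFFFFFFF) ))
    printf '%d.%d.%d.%d %d.%d.%d.%d\n' $((lo>>24&255)) $((lo>>16&255)) $((lo>>8&255)) $((lo&255)) \
                                       $((hi>>24&255)) $((hi>>16&255)) $((hi>>8&255)) $((hi&255))
}

gw() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }   # run or print a gateway command

build_wanted() {  # union of all feeds, de-duplicated and sorted for comm
    { load_feed feed1 "$WORK/feed1.txt"; load_feed feed2 "$WORK/does-not-exist"; } | sort -u
}

# Diff instead of flush-and-reload: only additions and removals reach the gateway,
# so there is no window in which the object is empty (the "coverage gap").
run() {
    build_wanted >"$WORK/wanted.txt"
    sort -u "$WORK/current.txt" >"$WORK/cur.txt"
    comm -13 "$WORK/cur.txt" "$WORK/wanted.txt" >"$WORK/add.txt"   # wanted but not present
    comm -23 "$WORK/cur.txt" "$WORK/wanted.txt" >"$WORK/del.txt"   # present but no longer wanted
    while read -r e; do gw dynamic_objects -o "BLDO_$CONTEXT" -r $(cidr_to_range "$e") -a; done <"$WORK/add.txt"
    while read -r e; do gw dynamic_objects -o "BLDO_$CONTEXT" -r $(cidr_to_range "$e") -d; done <"$WORK/del.txt"
    # v2 (R80.40+): the SecureXL blacklist takes single IPs only, so networks are left out.
    grep -Ev '/([0-9]|[12][0-9]|3[01])$' "$WORK/wanted.txt" | sed 's#/32$##' >"$WORK/fwaccel.txt"
    gw fwaccel dos blacklist -L "$WORK/fwaccel.txt"
}
run
```

Two details matter in production: keep the validation regex strict (a feed that one day serves an HTML error page must add nothing, and the leading-zero and out-of-range octets it rejects would otherwise be mis-parsed by the arithmetic), and keep the cache directory on the gateway so that a feed outage during the cron run leaves the previous list in place rather than emptying the object.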


[LINUX] Extract multiple zip files with password

extract multiple zip files with password

Sometimes graphical programs can't help us. For instance, suppose you want to extract many zip files protected by the same password. How do you do that from a desktop environment, or more generally with graphical tools? Simple answer: you can't, at least not in one go. Fortunately, the shell is our friend, so you can use the 7z command to extract them all.

First, install 7z (package p7zip-full on Debian/Ubuntu, p7zip on RHEL/CentOS) using apt or yum, depending on your Linux distribution, then run the following command from the directory containing your password-protected zip files:

~$ for z in *.zip; do 7z x -pPASSWORD -y "$z"; done

Done! Keep in mind that a password given on the command line ends up in your shell history and is visible to other local users in the process list while 7z runs. On a shared machine, omit -p and let 7z prompt for it, or start the command with a space (with HISTCONTROL=ignorespace set) so that it is not recorded.


Pay me or will reveal videos of you watching adult vids

In the last few days you have likely received a mail from an @outlook.com or @hotmail.com account saying "XXXXXXXXX is one of your password" and asking for an amount of Bitcoin (BTC) to avoid revealing videos of you watching adult/sex vids.

Well, that is clearly fake. Your password has probably been taken from a public data breach (e.g., the LinkedIn data breach); no malware and no webcam recording are involved. The criminal's only goal is to scare you into paying the requested amount of money.

Of course, don't send any money to that BTC address. Instead, change the leaked password everywhere you have reused it.

You can verify whether your account appears in a known breach on the following web site: haveibeenpwned.com

Below the text of two such mails.


I know xxxxxxxxxxx is your pass. Lets get directly to point. You may not know me and you're probably thinking why you are getting this email? No person has paid me to investigate about you.

In fact, I setup a malware on the X vids (porno) web-site and you know what, you visited this website to have fun (you know what I mean). While you were watching video clips, your browser started functioning as a RDP with a key logger which provided me with access to your screen as well as web cam. Just after that, my software program collected every one of your contacts from your Messenger, social networks, as well as e-mailaccount. And then I made a double video. First part displays the video you were viewing (you've got a nice taste hehe), and next part displays the recording of your cam, yeah it is you.

There are two different choices. Let us explore these possibilities in details:

Very first choice is to dismiss this e-mail. Then, I will send out your actual video clip to each of your your personal contacts and consider about the disgrace you feel. And consequently should you be in a relationship, precisely how it will eventually affect?

2nd option will be to give me $7000. Lets refer to it as a donation. In this scenario, I will straightaway remove your video recording. You can go on daily life like this never happened and you will not ever hear back again from me.

You'll make the payment through Bitcoin (if you don't know this, search "how to buy bitcoin" in Google search engine).

BTC Address to send to: 115MFNAVvRKTBvBxwZQNVpnhrCeePMmYRt
[CASE-sensitive so copy & paste it]

In case you are curious about going to the cop, surely, this e-mail can not be traced back to me. I have dealt with my actions. I am also not trying to ask you for money very much, I just want to be rewarded. You now have one day in order to pay. I have a special pixel in this e mail, and right now I know that you have read this message. If I do not receive the BitCoins, I will, no doubt send out your video to all of your contacts including relatives, coworkers, and so forth. Having said that, if I receive the payment, I'll destroy the recording right away. If you want to have proof, reply with Yes & I definitely will send your video to your 13 friends. It is a nonnegotiable offer and so please do not waste mine time and yours by replying to this email message.


xxxxxxxxxxx one of your password. Lets get straight to the point. No one has compensated me to check about you. You do not know me and you are probably wondering why you are getting this email?

Let me tell you, I actually setup a malware on the adult vids (sexually graphic) web site and do you know what, you visited this website to experience fun (you know what I mean). When you were viewing video clips, your web browser started out working as a Remote Desktop that has a key logger which provided me with access to your screen as well as cam. after that, my software collected your complete contacts from your Messenger, social networks, as well as e-mail . Next I made a double video. First part displays the video you were viewing (you have a good taste rofl), and 2nd part shows the recording of your cam, yea it is u.

There are two choices. Lets read these options in details:

First alternative is to ignore this e mail. In this scenario, I am going to send your video recording to each one of your contacts and just imagine concerning the embarrassment you will see. Not to forget should you be in a loving relationship, exactly how this will affect?

Second option is to compensate me 3000 USD. We will regard it as a donation. In this instance, I will promptly delete your videotape. You will keep on everyday life like this never took place and you will not ever hear back again from me.

You will make the payment via Bitcoin (if you don't know this, search for "how to buy bitcoin" in Google).

BTC Address: 1E3aD3Z2WVFf3yKiddmLU1hbunRXmGv4tf
[CASE sensitive copy & paste it]

In case you are making plans for going to the law enforcement, very well, this e mail cannot be traced back to me. I have covered my actions. I am also not attempting to ask you for money a lot, I only want to be paid for. I've a specific pixel within this message, and right now I know that you have read this e-mail. You have one day in order to make the payment. If I don't get the BitCoins, I will send out your video recording to all of your contacts including relatives, coworkers, and many others. However, if I receive the payment, I'll erase the recording immidiately. If you want to have evidence, reply with Yes! & I definitely will send out your video to your 14 friends. This is the non-negotiable offer and thus please do not waste mine time and yours by responding to this e mail.

[HACK] Crack IBM Domino LDAP password hashes

hashcat

If you run an IBM Lotus Domino LDAP server, you should know that its password hashes can be cracked easily, at least in the oldest format. There are three versions of the hash algorithm:

  • Version 1: 32 characters long, hexadecimal character set (A-F, 0-9), starts and ends with parentheses
  • Version 2: 22 characters long, extended character set (A-Z upper and lower case, 0-9 plus special characters), starts with (G and ends with )
  • Version 3: 51 characters long, same character set as version 2, starts with (H and ends with )

You can read more about those algorithms at the following link: Understanding IBM Domino password hashes

In this post we will see how to break V1 hashes, which are unsalted and therefore the fastest to attack; hashcat handles them as mode 8600 (Lotus Notes/Domino 5), while the salted V2 and V3 formats are modes 8700 (Domino 6) and 9100 (Domino 8). First of all, download hashcat and look for good dictionaries (weakpass is an awesome resource… ssssh!). Then, before starting the cracking process, read the mask attack documentation to understand the charsets used by hashcat (?l lowercase, ?u uppercase, ?d digits, ?a all printable characters, ?1 a custom charset defined with -1).

Good, now you are ready to start…

# All passwords having any-char and length from 1 to 6
 hashcat -m 8600 --increment --increment-min=1 -a 3 hashes.txt ?a?a?a?a?a?a

# All [a-z0-9] passwords having length from 7 to 8
hashcat -m 8600 --increment --increment-min=7 -1 ?l?d -a 3 hashes.txt ?1?1?1?1?1?1?1?1

# All numeric passwords having length from 9 to 10
hashcat -m 8600 --increment --increment-min=7 -a 3 hashes.txt ?d?d?d?d?d?d?d?d?d?d

# All passwords having 5 lowercase letters and 3 numbers
hashcat -m 8600 -a 3 hashes.txt ?l?l?l?l?l?l?d?d?d

# All passwords having 5 lowercase letters, 1 dot and 2 numbers
hashcat -m 8600 -a 3 hashes.txt ?l?l?l?l?l.?d?d

# All passwords having 1 any-char, 5 lowercase letters, 1 any-char and 1 number
hashcat -m 8600 -a 3 hashes.txt ?a?l?l?l?l?l?a?d

# All passwords having 1 [a-zA-Z] char, 6 lowercase letters and 2 numbers
hashcat -m 8600 -1 ?l?u -a 3 hashes.txt ?1?l?l?l?l?l?l?d?d

# All passwords contained in dictionaries
hashcat -m 8600 -a 0 hashes.txt dictionaries/weakpass_2
hashcat -m 8600 -a 0 hashes.txt dictionaries/HashesOrg

# All passwords combining words in dictionaries and masks
hashcat -m 8600 -1 ?l?u?d -a 6 hashes.txt dictionaries/rockyou.txt ?1?1
hashcat -m 8600 -a 6 hashes.txt dictionaries/rockyou.txt ?d?d?d
hashcat -m 8600 -a 6 hashes.txt dictionaries/hk_hlm_founds.txt ?a

# All passwords combining masks and words in dictionaries
hashcat -m 8600 -1 ?l?u?d -a 7 hashes.txt ?1?1 dictionaries/rockyou.txt
hashcat -m 8600 -a 7 hashes.txt ?d?d?d dictionaries/rockyou.txt
hashcat -m 8600 -a 7 hashes.txt ?a dictionaries/hk_hlm_founds.txt
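
Added example, not part of the original post: a small Python keyspace estimator for the mask attacks above, implementing hashcat's built-in charsets, the -1..-4 custom charsets and --increment, so you can tell in advance how many candidates a given command will try (and, from the defender's side, how little a policy like "eight lowercase letters and digits" actually buys).

```python
import math
import string

# Added example (not from the original post): hashcat's built-in charsets as documented
# for mask attacks; ?a is the union of ?l ?u ?d ?s, so it covers 95 printable characters.
BUILTIN = {
    "l": string.ascii_lowercase,        # 26
    "u": string.ascii_uppercase,        # 26
    "d": string.digits,                 # 10
    "h": string.digits + "abcdef",      # 16
    "H": string.digits + "ABCDEF",      # 16
    "s": " " + string.punctuation,      # 33: space and ASCII punctuation
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]  # 95

def tokenize(spec):
    """Split a mask or charset string into ('cs', name) / ('lit', char) tokens; '??' is a literal '?'."""
    tokens, i = [], 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            nxt = spec[i + 1]
            tokens.append(("lit", "?") if nxt == "?" else ("cs", nxt))
            i += 2
        else:
            tokens.append(("lit", spec[i]))
            i += 1
    return tokens

def expand_charset(spec, custom):
    """Resolve a charset definition such as '?l?d' or 'abc?d' to the set of characters it covers."""
    table, chars = {**BUILTIN, **custom}, set()
    for kind, val in tokenize(spec):
        if kind == "lit":
            chars.add(val)
        elif val in table:
            chars.update(table[val])
        else:
            raise ValueError(f"unknown charset ?{val}")
    return chars

def mask_keyspace(mask, custom_specs=None, increment_min=None):
    """Candidates hashcat generates for MASK (-a 3). custom_specs maps '1'..'4' to the
    -1..-4 definitions; increment_min emulates --increment --increment-min=N."""
    custom = {}
    for name, spec in (custom_specs or {}).items():  # -2 may reference ?1, so resolve in order
        custom[name] = expand_charset(spec, custom)
    sizes = [1 if kind == "lit" else len(expand_charset("?" + val, custom))
             for kind, val in tokenize(mask)]
    lengths = range(increment_min, len(sizes) + 1) if increment_min else [len(sizes)]
    return sum(math.prod(sizes[:n]) for n in lengths)
```

For instance, the first command above (?a x6 with --increment-min=1) enumerates 742,912,017,120 candidates, while the dotted mask ?l?l?l?l?l.?d?d is only 1,188,137,600.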

[LINUX] Recursively change permissions only on files or dirs

Use the command below to recursively change permissions only on files:

~$ find /<path> -type f -exec chmod 644 {} \;

Use the following command to recursively change permissions only on directories:

~$ find /<path> -type d -exec chmod 755 {} \;

where:
/<path> is the path containing the files or directories of interest.
644 grants read/write to the owner and read-only to the group and others.
755 grants read/write/execute to the owner and read/execute to the group and others.

[LINUX] Recursively change permissions on specific file type

Use the following command to recursively change permissions only on a specific file type (e.g., all PHP files in the main path and its sub-directories):

~$ find . -name "*.php" -exec chmod +x {} \;

The command above searches for all PHP files and executes chmod on each of them to add the execute permission (+x).

If you have found this post useful, please visit the Contribute page

[REGEX] Common Regular Expressions

We all know that “regex is the power”! 🙂 So, here are some common regular expressions:

Anything (Lazy):		.*?
Anything (Greedy):		.*
Alphanumeric:			[a-zA-Z0-9]
Alphanumeric (including _):	\w
White Space:			\s
Tab:				\t
Email Address:			[\w\.-]+@[a-zA-Z\d\.-]+
IP Address:			\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
Port Number:			\d{1,5}
MAC Address:			([0-9a-fA-F]{2}\:){5}[0-9a-fA-F]{2}
Protocol:			(tcp|udp|icmp)
Device Time:			\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2}
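
As an added example (not from the original post), the Python below applies the patterns above to two constructed log lines and adds the octet range check that the IP pattern lacks, since \d{1,3} happily accepts 300.1.1.1:

```python
import re

# The patterns from the cheat sheet above, compiled once (the MAC pattern has a
# capturing group, so matches are taken with group(0) rather than findall()).
PATTERNS = {
    "time":  re.compile(r"\w{3}\s\d{2}\s\d{2}:\d{2}:\d{2}"),
    "ip":    re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"),
    "mac":   re.compile(r"([0-9a-fA-F]{2}\:){5}[0-9a-fA-F]{2}"),
    "proto": re.compile(r"(tcp|udp|icmp)"),
    "email": re.compile(r"[\w\.-]+@[a-zA-Z\d\.-]+"),
}

# Constructed sample lines (not real logs) in a syslog-like layout.
LOG = [
    "Mar 01 12:34:56 fw01 kernel: DROP tcp 192.168.1.10 -> 10.0.0.5 port 443 mac 00:1a:2b:3c:4d:5e",
    "Mar 01 12:35:02 mail postfix: reject from alice@example.com ip 300.1.1.1",
]


def extract(line):
    """Return every match of each cheat-sheet pattern found in LINE, keyed by field name."""
    return {name: [m.group(0) for m in pat.finditer(line)] for name, pat in PATTERNS.items()}


def is_valid_ipv4(addr):
    r"""\d{1,3} accepts any 1-3 digits, so reject octets outside 0-255 after matching."""
    return all(0 <= int(octet) <= 255 for octet in addr.split("."))


def valid_ips(line):
    """IPv4 addresses in LINE that pass the octet range check."""
    return [ip for ip in extract(line)["ip"] if is_valid_ipv4(ip)]


if __name__ == "__main__":
    for line in LOG:
        fields = extract(line)
        print(fields["time"], fields["proto"], fields["mac"], fields["email"], valid_ips(line))
```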

[LINUX] Type Special Characters

Below you can find a list of keyboard codes to type the corresponding special characters:

` : AltGr-'
{ : AltGr-7
} : AltGr-0
~ : AltGr-ì
¹ : AltGr-1
² : AltGr-2
³ : AltGr-3
¼ : AltGr-4
½ : AltGr-5
⅛ : AltGr-Shift-4
⅜ : AltGr-Shift-5
⅝ : AltGr-Shift-6
⅞ : AltGr-Shift-7
¬ : AltGr-6
“ : AltGr-v
” : AltGr-b
« : AltGr-z
» : AltGr-x
€ : AltGr-e
@ : AltGr-q
← : AltGr-y
→ : AltGr-i
↓ : AltGr-u
< : AltGr-Shift-z
> : AltGr-Shift-x
© : AltGr-Shift-c
® : AltGr-Shift-r
™ : AltGr-Shift-8
× : AltGr-Shift-,
÷ : AltGr-Shift--

[LINUX] Backup your data

Below are some solutions to back up your data on Linux systems. All backup and restore procedures should be executed with the source file system in read-only mode (e.g., booting a live distro).

Logical backup using find and cpio of the entire file system

~# find / -path '/media' -prune -o -path '/tmp' -prune -o -path '/lost+found' -prune -o -print | cpio -dumpv /media/<backup_dir>

The above command finds and copies (preserving original permissions and owners) all directories and files under /. The following paths are excluded from the backup: /media, /tmp and /lost+found.

Physical backup using dd

~# dd if=/dev/sdXY of=/media/<backup_dir>/<backup_file>.dmp conv=noerror,sync

where X is the letter identifying the disk and Y is the digit identifying the partition. Omit the partition number if you want to back up the entire disk (i.e., MBR, partition table and all partitions).

If your partition has some errors, you can work directly on the dump file to fix them before restoring your data. For instance, assuming a partition with the old ext3 file system, run the following command to fix the errors automatically:

~# fsck.ext3 -p /media/<backup_dir>/<backup_file>.dmp

If the above command fails, you can try to repair the file system manually by running the command with the -f parameter:

~# fsck.ext3 -f /media/<backup_dir>/<backup_file>.dmp

After all fixes, you can mount the dump file to investigate if everything is OK:

~# mount -o loop,ro -t ext3 /media/<backup_dir>/<backup_file>.dmp /media/<mount_point>

Finally, you can restore all data in a new partition (or disk in case of an entire backup):

~# dd if=/media/<backup_dir>/<backup_file>.dmp of=/dev/sdXY

Hack: you can display the backup/restore progress running the following command:

~# killall -USR1 dd

or

~# ps -ef | grep -i dd
~# kill -USR1 <pid>

Some alternatives to dd
1) sdd: a custom version of dd. You can check the progress of the operation by running the command with the -time parameter and then pressing CTRL-/ or CTRL-4 (SIGQUIT).
2) ddrescue: another data recovery tool. Besides copying data from one block device or file to another, it also tries to rescue data in case of read errors.

~# ddrescue -v -r3 /dev/sdXY /media/<backup_dir>/<backup_file>.dmp

where -r3 tells it to retry bad sectors at most 3 times.

[LINUX] Audit rules to monitor user activity

Monitoring changes in a single directory (one level only)

-a always,exit -F path=</path_dir> -F perm=w -k dir-to-watch

where </path_dir> is the directory you’d like to monitor.

Recursively monitoring directory changes

-a always,exit -F dir=</path_dir> -F perm=w -k dirs-to-watch

where </path_dir> is the path you’d like to recursively monitor.

Monitoring commands executed by specific users (syscall rules)

-a always,exit -F path=</path/command> -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged_users
-a always,exit -F path=</path/command> -F perm=x -F gid=333 -k normal_users

where </path/command> is the command path you’d like to monitor.

Monitoring commands executed by all users (FS rules)

-w </path/command> -p x

where </path/command> is the command path you’d like to monitor.

Excluding specific audit types, e.g. CWD and PATH

-a always,exclude -F msgtype=CWD
-a always,exclude -F msgtype=PATH
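
As an added example (not part of the original post), the Python below parses constructed audit.log records carrying the keys used in the rules above and summarises them by rule key and login uid (auid), which survives su/sudo and so attributes root actions to the real user; it also shows why the syscall rules exclude auid 4294967295, the "unset" value of processes without a login session.

```python
import re
from collections import Counter

AUID_UNSET = 4294967295  # (uint32)-1: process has no login session, hence the auid!= filter above

# Constructed sample records (not from a real system) in auditd's audit.log format:
# a user editing a file in the watched directory, the same user running a privileged
# command through sudo (uid=0 but auid still 1000), a daemon with no login uid writing
# in the watched directory, and a CWD record of the kind the exclude rules drop.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1648800000.101:201): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=900 pid=901 auid=1000 uid=1000 gid=1000 euid=1000 comm="vim" exe="/usr/bin/vim" key="dir-to-watch"
type=SYSCALL msg=audit(1648800000.102:202): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=900 pid=902 auid=1000 uid=0 gid=0 euid=0 comm="passwd" exe="/usr/bin/passwd" key="privileged_users"
type=SYSCALL msg=audit(1648800000.103:203): arch=c000003e syscall=257 success=yes exit=4 items=2 ppid=1 pid=903 auid=4294967295 uid=0 gid=0 euid=0 comm="rsyslogd" exe="/usr/sbin/rsyslogd" key="dir-to-watch"
type=CWD msg=audit(1648800000.101:201): cwd="/home/alice"
"""

TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')  # field=value, value optionally double-quoted


def parse_record(line):
    """Split one audit record into a field -> value dict (surrounding quotes removed)."""
    return {k: v.strip('"') for k, v in TOKEN.findall(line)}


def auid_label(value):
    """Login uid for reports; the sentinel means 'no login session' (daemons, boot-time jobs)."""
    return "unset" if int(value) == AUID_UNSET else int(value)


def summarize(log_text):
    """Count SYSCALL records per (rule key, login uid); other record types are ignored."""
    counts = Counter()
    for rec in map(parse_record, log_text.splitlines()):
        if rec.get("type") == "SYSCALL" and "key" in rec:
            counts[(rec["key"], auid_label(rec["auid"]))] += 1
    return counts


def executions(log_text, key):
    """(login uid, exe) for execve records (syscall 59 on x86_64) tagged with KEY."""
    return [(auid_label(r["auid"]), r["exe"])
            for r in map(parse_record, log_text.splitlines())
            if r.get("type") == "SYSCALL" and r.get("key") == key and r.get("syscall") == "59"]


if __name__ == "__main__":
    for (key, auid), n in summarize(SAMPLE_LOG).items():
        print(f"{key:18} auid={auid!s:6} events={n}")
    print(executions(SAMPLE_LOG, "privileged_users"))
```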

[LINUX] Add new APT repository

Adding a new APT repository to a Debian-based distro can be done by running the following two commands:

~$ wget -O - <url_key> | sudo apt-key add -
~$ sudo wget -O /etc/apt/sources.list.d/<source>.list <url_source_list>

where:
<url_key> is the URL of the key
<source> is the name of the source
<url_source_list> is the URL of the remote source list file

The first command downloads the corresponding APT key, while the second one adds the repository into a new source list file.

Now you can update APT executing the usual command:

~$ sudo apt-get update

[APACHE] Enable files and directory listing

Sometimes it’s useful to enable file and directory listing (or indexing) to allow users to view and download all the files within a directory.

To enable this feature just add or change the corresponding portion of the Apache configuration. The configuration file is usually /etc/apache2/apache2.conf or /etc/httpd/httpd.conf.

<Directory /files>
	Options Indexes FollowSymLinks MultiViews
	AllowOverride None
	Require all granted
</Directory>

The outcome is shown below:

Directory Listing
