FTP Logs Used to Determine Attack Vector

Logs can be very useful because they are a record of what was done by whom. They are especially useful when you need to find out more on how a website has been compromised. Since our job at Sucuri is to clean website malware, we don’t have any access to logs, or what we can see is very limited.
However, to help make the internet a safer place, we like to extend ourselves and conduct some forensics to investigate how some accounts are compromised.
Continue reading FTP Logs Used to Determine Attack Vector at Sucuri Blog.

Link: https://blog.sucuri.net/2019/06/ftp-logs-used-to-determine-attack-vector.html

Zydra – File Password Recovery Tool And Linux Shadow File Cracker

Zydra is a file password recovery tool and Linux shadow file cracker. It uses the dictionary search or brute force method for cracking passwords.

Supported Files
- RAR files
- Legacy ZIP files
- PDF files
- Linux shadow files (Zydra can find all the users' passwords in the Linux shadow file one after the other)

Prerequisites
To run the app, the minimal requirements are:
- Python 3.3 or higher
- Debian-based Linux distro, preferably Kali Linux 2
- qpdf and unrar packages
Installing these packages on Kali is as easy as running the following commands in a terminal:
$ sudo apt-get update
$ sudo apt-get install qpdf unrar
Some Python modules used in this program need to be installed manually, such as zipfile, rarfile, crypt, pyfiglet, py-term (for the term module) and so on. You can use pip3 to install them, for example:
$ pip3 install py-term
Notice: RAR, ZIP and PDF files must have an extension; shadow files do not need an extension.

Disclaimer
This tool is only for testing and academic purposes. Do not use it for illegal purposes!

Features
- Cracking file passwords using two methods: 1. dictionary method 2. brute force method
- In the brute force method, you can specify the min length and max length of the passwords.
- In the brute force method, you can specify the type of characters that may be used in the password.
- There is a percent progress bar showing how much of the process has been performed.
- Error handling.
- One of the most important features of Zydra is the multiprocessing feature that speeds up the program. For example, if you have 8 CPU cores, Zydra will use all of them for processing at the same time.

Installation
Download Zydra by cloning the Git repository:
$ git clone https://github.com/hamedA2/Zydra.git

Usage
To get a list of all options and learn how to use this app, enter the following command:
$ python3 Zydra.py -h

Examples
1. Dictionary search to find the password for a zip file. In this example I use the rockyou.txt dictionary:
$ python3 Zydra.py -f file.zip -d rockyou.txt
2. Brute force search to find the password for the users in the shadow file. The minimum length of the password is 4 and the maximum length is 4, and we try to find passwords that are composed of numbers and symbols:
$ python3 Zydra.py -f shadow -b digits,symbols -m 4 -x 4

Author
Hamed Hosseini
A special thanks to Hamed Izadi.

Link: http://feedproxy.google.com/~r/PentestTools/~3/6ATnAnKScCs/zydra-file-password-recovery-tool-and.html

WordPress Hacks: 5 Ways to Protect WordPress from Hacking

WordPress is one of the most popular content management systems (CMS) out there. That’s why it is vital to prevent WordPress hacking.
Statistically, over 33% of websites currently run on WordPress.
This post is not a “one size fits all” overview, as there are many other ways to protect WordPress from hacking. Here at Sucuri, we certainly advocate researching and expanding core security values.
Here are some tips on protecting your site against WordPress hacks.
Continue reading WordPress Hacks: 5 Ways to Protect WordPress from Hacking at Sucuri Blog.

Link: https://blog.sucuri.net/2019/05/wordpress-hacks-5-ways-to-protect-wordpress-from-hacking.html

Security Assumptions – Don’t Make an ASS of U and ME

Have you ever stopped to ask yourself if the things you are defending against are really your biggest security problems? I am going to challenge you to think about things a little differently, as I have been myself recently. Prepare yourself, as this may challenge some of your core security beliefs, things we have been taking as gospel since the early days of securing networks. We all know our time is precious and limited, so it is more important than ever to use what time we have wisely. That is exactly why I think we need to look deep into our beliefs and be willing to challenge ourselves on a profound, uncomfortable level. So, let’s make an attempt to be completely and utterly honest with ourselves about our security assumptions.
Do you require users to have long, complex passwords and expect them not to write them down? Do you use firewalls to cover up unpatched software, block access to vulnerable or unused services or to make up for poor configuration? What about Full Disk Encryption? Do you deploy that on every machine in your organization?
The post Security Assumptions – Don’t Make an ASS of U and ME appeared first on The Ethical Hacker Network.

Link: https://www.ethicalhacker.net/columns/kron/security-assumptions/

JWT Tool – A Toolkit For Testing, Tweaking And Cracking JSON Web Tokens

jwt_tool.py is a toolkit for validating, forging and cracking JWTs (JSON Web Tokens).

Its functionality includes:
- Checking the validity of a token
- Testing for the RS/HS256 public key mismatch vulnerability
- Testing for the alg=None signature-bypass vulnerability
- Testing the validity of a secret/key/key file
- Identifying weak keys via a high-speed dictionary attack
- Forging new token header and payload values and creating a new signature with the key or via another attack method

Audience
This tool is written for pentesters who need to check the strength of the tokens in use and their susceptibility to known attacks. It may also be useful for developers who are using JWTs in projects but would like to test for stability and for known vulnerabilities when using forged tokens.

Requirements
This tool is written natively in Python 2.x using the common libraries.
Customised wordlists are recommended for the dictionary attack option. As a speed reference, an Intel i5 laptop can test ~1,000,000 passwords per second on HMAC-SHA256 signing. YMMV.

Installation
Installation is just a case of downloading the jwt_tool.py file (or git cloning the repo). (chmod the file too if you want to add it to your $PATH and call it from anywhere.)

Usage
$ python jwt_tool.py <JWT> (filename)
The first argument should be the JWT itself, followed by a filename/filepath (for cracking the token, or for use as a key file). For example:
$ python jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.aqNCvShlNT9jBFTPBpHDbt2gBB1MyHiisSDdp8SQvgw /usr/share/wordlists/rockyou.txt
The toolkit will validate the token and list the header and payload values. It will then provide a menu of your available options.
Note: signing the token is currently supported using the HS256, HS384 and HS512 algorithms.
Input is in either standard or url-safe JWT format, and the resulting tokens are output in both formats for your ease of use.

Further Reading
- A great intro to JWTs: https://jwt.io/introduction/
- A lot of the inspiration for this tool comes from the vulnerabilities discovered by Tim McLean. Check out his blog on JWT weaknesses here: https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
- My introduction to using this toolkit, and a bit of the history behind it, can be found on my blog: https://www.ticarpi.com/introducing-jwt-tool/
- A whole bunch of exercises (7 at time of writing) for testing JWT vulnerabilities are provided by Pentesterlab. I'd highly recommend a PRO subscription if you are interested in Web App Pentesting.
  - JWT (alg=None vulnerability) exercise
  - JWT_II (RS/HS256 public key mismatch vulnerability) exercise
  - JWT_III (key-id header field non-sanitisation vulnerability) exercise
  and just head on over to https://pentesterlab.com/exercises to search for the others!
PLEASE NOTE: This toolkit will solve all of the Pentesterlab JWT exercises in a few seconds when used correctly; however, I'd strongly encourage you to work through these exercises yourself, working out the structure and the weaknesses. After all, it's all about learning...

Tips
Regex for finding JWTs in Burp Search (make sure 'Case sensitive' and 'Regex' options are ticked):
[= ]ey[A-Za-z0-9_-]*\.[A-Za-z0-9._-]*  (url-safe JWT version)
[= ]ey[A-Za-z0-9_\/+-]*\.[A-Za-z0-9._\/+-]*  (all JWT versions, higher possibility of false positives)
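The alg=None and RS/HS256 mismatch checks above both exploit verifiers that trust the algorithm named in the token header. The following is an added example, not part of jwt_tool or the original post, of the defensive side: a minimal HS256/384/512 issuer and a verifier that pins the expected algorithm server-side so those tokens fail closed. The secret, helper names and payloads are assumptions of the example; the header and payload segments match the sample token quoted above.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret (not from the original page).
SECRET = b"example-demo-secret"
# The only algorithms this service signs with; "none" and RS256 are absent,
# so a header naming them is rejected before any signature check runs.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs(header: dict, payload: dict, key: bytes) -> str:
    """Issue a token; header["alg"] must be one of HMAC_ALGS."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(key, signing_input.encode(), HMAC_ALGS[header["alg"]]).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs(token: str, key: bytes, expected_alg: str = "HS256") -> Optional[dict]:
    """Return the payload only if the signature verifies under the algorithm
    the verifier expects. The algorithm is pinned here rather than read from
    the header, so alg=none and header-driven algorithm switching fail closed."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        sig = b64url_decode(s_b64)
    except ValueError:  # wrong segment count, bad base64, bad JSON/UTF-8
        return None
    if not isinstance(header, dict) or header.get("alg") != expected_alg:
        return None
    if expected_alg not in HMAC_ALGS:
        return None
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), HMAC_ALGS[expected_alg]).digest()
    # Constant-time compare; an empty or wrong-length signature also fails.
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        return json.loads(b64url_decode(p_b64))
    except ValueError:
        return None
```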

Link: http://www.kitploit.com/2019/05/jwt-tool-toolkit-for-testing-tweaking.html

Kerbrute – A Tool To Perform Kerberos Pre-Auth Bruteforcing

A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication.
Grab the latest binaries from the releases page to get started.

Background
This tool grew out of some bash scripts I wrote a few years ago to perform bruteforcing using the Heimdal Kerberos client from Linux. I wanted something that didn't require privileges to install a Kerberos client, and when I found the amazing pure Go implementation of Kerberos, gokrb5, I decided to finally learn Go and write this.
Bruteforcing Windows passwords with Kerberos is much faster than any other approach I know of, and potentially stealthier, since pre-authentication failures do not trigger that "traditional" An account failed to log on event 4625. With Kerberos, you can validate a username or test a login by only sending one UDP frame to the KDC (Domain Controller).
For more background and information, check out my Troopers 2019 talk, Fun with LDAP and Kerberos (link TBD).

Usage
Kerbrute has three main commands:
- bruteuser: Bruteforce a single user's password from a wordlist
- passwordspray: Test a single password against a list of users
- userenum: Enumerate valid domain usernames via Kerberos
A domain (-d) or a domain controller (--dc) must be specified. If a Domain Controller is not given, the KDC will be looked up via DNS.
By default, Kerbrute is multithreaded and uses 10 threads. This can be changed with the -t option.
Output is logged to stdout, but a log file can be specified with -o.
By default, failures are not logged, but that can be changed with -v.
Lastly, Kerbrute has a --safe option. When this option is enabled, if an account comes back as locked out, it will abort all threads to stop locking out any other accounts.
The help command can be used for more information:

$ ./kerbrute

Version: v1.0.0 (43f9ca1) - 03/06/19 - Ronnie Flathers @ropnop

This tool is designed to assist in quickly bruteforcing valid Active Directory accounts through Kerberos Pre-Authentication.
It is designed to be used on an internal Windows domain with access to one of the Domain Controllers.
Warning: failed Kerberos Pre-Auth counts as a failed login and WILL lock out accounts

Usage:
  kerbrute [command]

Available Commands:
  bruteuser      Bruteforce a single user's password from a wordlist
  help           Help about any command
  passwordspray  Test a single password against a list of users
  userenum       Enumerate valid domain usernames via Kerberos
  version        Display version info and quit

Flags:
      --dc string       The location of the Domain Controller (KDC) to target. If blank, will lookup via DNS
  -d, --domain string   The full domain to use (e.g. contoso.com)
  -h, --help            help for kerbrute
  -o, --output string   File to write logs to. Optional.
      --safe            Safe mode. Will abort if any user comes back as locked out. Default: FALSE
  -t, --threads int     Threads to use (default 10)
  -v, --verbose         Log failures and errors

Use "kerbrute [command] --help" for more information about a command.

User Enumeration
To enumerate usernames, Kerbrute sends TGT requests with no pre-authentication. If the KDC responds with a PRINCIPAL UNKNOWN error, the username does not exist. However, if the KDC prompts for pre-authentication, we know the username exists and we move on. This does not cause any login failures, so it will not lock out any accounts. This generates a Windows event ID 4768 if Kerberos logging is enabled.

root@kali:~# ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt

Version: dev (43f9ca1) - 03/06/19 - Ronnie Flathers @ropnop

2019/03/06 21:28:04 > Using KDC(s):
2019/03/06 21:28:04 > pdc01.lab.ropnop.com:88
2019/03/06 21:28:04 > [+] VALID USERNAME: amata@lab.ropnop.com
2019/03/06 21:28:04 > [+] VALID USERNAME: thoffman@lab.ropnop.com
2019/03/06 21:28:04 > Done! Tested 1001 usernames (2 valid) in 0.425 seconds

Password Spray
With passwordspray, Kerbrute will perform a horizontal brute force attack against a list of domain users. This is useful for testing one or two common passwords when you have a large list of users. WARNING: this will increment the failed login count and lock out accounts. This will generate both event IDs 4768 (A Kerberos authentication ticket (TGT) was requested) and 4771 (Kerberos pre-authentication failed).

root@kali:~# ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123

Version: dev (43f9ca1) - 03/06/19 - Ronnie Flathers @ropnop

2019/03/06 21:37:29 > Using KDC(s):
2019/03/06 21:37:29 > pdc01.lab.ropnop.com:88
2019/03/06 21:37:35 > [+] VALID LOGIN: callen@lab.ropnop.com:Password123
2019/03/06 21:37:37 > [+] VALID LOGIN: eshort@lab.ropnop.com:Password123
2019/03/06 21:37:37 > Done! Tested 2755 logins (2 successes) in 7.674 seconds

Brute User
This is a traditional bruteforce attack against a username. Only run this if you are sure there is no lockout policy! This will generate both event IDs 4768 (A Kerberos authentication ticket (TGT) was requested) and 4771 (Kerberos pre-authentication failed).

root@kali:~# ./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com passwords.lst thoffman

Version: dev (43f9ca1) - 03/06/19 - Ronnie Flathers @ropnop

2019/03/06 21:38:24 > Using KDC(s):
2019/03/06 21:38:24 > pdc01.lab.ropnop.com:88
2019/03/06 21:38:27 > [+] VALID LOGIN: thoffman@lab.ropnop.com:Summer2017
2019/03/06 21:38:27 > Done! Tested 1001 logins (1 successes) in 2.711 seconds

Installing
You can download pre-compiled binaries for Linux, Windows and Mac from the releases page. If you want to live on the edge, you can also install with Go:
$ go get github.com/ropnop/kerbrute
With the repository cloned, you can also use the Makefile to compile for common architectures:

$ make help
help: Show this help.
windows: Make Windows x86 and x64 Binaries
linux: Make Linux x86 and x64 Binaries
mac: Make Darwin (Mac) x86 and x64 Binaries
clean: Delete any binaries
all: Make Windows, Linux and Mac x86/x64 Binaries

$ make all
Done.
Building for windows amd64..
Building for windows 386..
Done.
Building for linux amd64...
Building for linux 386...
Done.
Building for mac amd64...
Building for mac 386...
Done.

$ ls dist/
kerbrute_darwin_386    kerbrute_linux_386    kerbrute_windows_386.exe
kerbrute_darwin_amd64  kerbrute_linux_amd64  kerbrute_windows_amd64.exe

Credits
Huge shoutout to jcmturner for his pure Go implementation of KRB5: https://github.com/jcmturner/gokrb5 . An amazing project and very well documented. Couldn't have done any of this without that project.

Link: http://feedproxy.google.com/~r/PentestTools/~3/IAxyISi4bAc/kerbrute-tool-to-perform-kerberos-pre.html

Reset Email Account Passwords After a Website Malware Infection

It’s not uncommon for bad actors to use compromised websites to send large amounts of email spam. This can cause major headaches for website owners — spam can lead to the blacklisting of a web host’s mail server IPs, or the domain name itself may be placed on blacklists like Spamhaus DBL.
Reset Email Passwords After a Website Hack
Blacklisting is problematic. It has serious consequences for a website’s reputation, may impact sales and revenue, and it can be a tedious process to remove a domain from a blacklist authority.
Continue reading Reset Email Account Passwords After a Website Malware Infection at Sucuri Blog.

Link: https://blog.sucuri.net/2019/04/reset-email-account-passwords-after-a-website-malware-infection.html

pwnedOrNot v1.1.7 – OSINT Tool To Find Passwords For Compromised Email Addresses

pwnedOrNot uses the haveibeenpwned v2 API to test email accounts and tries to find the password in Pastebin dumps.

Features
haveibeenpwned offers a lot of information about the compromised email; some useful information is displayed by this script:
- Name of Breach
- Domain Name
- Date of Breach
- Fabrication status
- Verification status
- Retirement status
- Spam status
With all this information, pwnedOrNot can easily find passwords for compromised emails if the dump is accessible and it contains the password.

Tested on
- Kali Linux 18.2
- Ubuntu 18.04
- Kali Nethunter
- Termux

Installation
Ubuntu / Kali Linux / Nethunter / Termux:
chmod 777 install.sh
./install.sh

Usage
python3 pwnedornot.py -h
usage: pwnedornot.py [-h] [-e EMAIL] [-f FILE] [-d DOMAIN] [-n] [-l] [-c CHECK]

optional arguments:
  -h, --help            show this help message and exit
  -e EMAIL, --email EMAIL
                        Email Address You Want to Test
  -f FILE, --file FILE  Load a File with Multiple Email Addresses
  -d DOMAIN, --domain DOMAIN
                        Filter Results by Domain Name
  -n, --nodumps         Only Check Breach Info and Skip Password Dumps
  -l, --list            Get List of all pwned Domains
  -c CHECK, --check CHECK
                        Check if your Domain is pwned

# Examples
# Check Single Email
python3 pwnedornot.py -e <email>
# OR
python3 pwnedornot.py --email <email>

# Check Multiple Emails from File
python3 pwnedornot.py -f <file name>
# OR
python3 pwnedornot.py --file <file name>

# Filter Result for a Domain Name [Ex : adobe.com]
python3 pwnedornot.py -e <email> -d <domain name>
# OR
python3 pwnedornot.py -f <file name> --domain <domain name>

# Get only Breach Info, Skip Password Dumps
python3 pwnedornot.py -e <email> -n
# OR
python3 pwnedornot.py -f <file name> --nodumps

# Get List of all Breached Domains
python3 pwnedornot.py -l
# OR
python3 pwnedornot.py --list

# Check if a Domain is Pwned
python3 pwnedornot.py -c <domain name>
# OR
python3 pwnedornot.py --check <domain name>

Link: http://feedproxy.google.com/~r/PentestTools/~3/zMsIKFBaGtY/pwnedornot-v117-osint-tool-to-find.html