Compile Medusa with SMBv2 Support – Kali Linux

I’ve been doing this for way too long and I’m getting old. I’m comfortable with specific tools I’ve used for 15 years. I like using Medusa, created by jmk-foofus. What if your client has their shit together and has finally removed SMBv1? Originally I went and found a Windows XP system to run my password guessing attack against, but that system isn’t in scope anymore. I have also used other tools written in PowerShell that can do a password spray, but I like how quick Medusa is. It is also one of the few tools which can tell me if a password is valid but the account will need to change that password. So the commands below will get Medusa compiled with SMBv2 support in Kali Linux.

Step 1 – Install all dependencies

sudo apt install autoconf automake docbook-xsl doxygen findutils libkrb5-dev libtool libxml2 libxslt1.1 libunistring-dev m4 libssl-dev pkg-config libwbclient-dev gettext

Step 2 – Download the source code for Medusa and the additional dependencies

cd ~/
mkdir source
cd ~/source
git clone https://github.com/simo5/gssntlmssp.git
git clone https://github.com/sahlberg/libsmb2.git
git clone --branch add-libsmb2-support https://github.com/jmk-foofus/medusa.git

Step 3 – Compile and install the downloaded software

cd ~/source/gssntlmssp
autoreconf -f -i
./configure
make
sudo make install

cd ~/source/libsmb2
autoreconf -f -i
./configure
make
sudo make install

cd ~/source/medusa
autoreconf -f -i
./configure
make
sudo make install

References
Medusa – https://github.com/jmk-foofus/medusa
libsmb2 (authored by Ronnie Sahlberg) – https://github.com/sahlberg/libsmb2
gssntlmssp – https://github.com/simo5/gssntlmssp.git

Reset to Defaults – Cisco Router

Reset Cisco 1720 Router to Factory Defaults

Part of building the Cisco lab is setting up the cheap router I bought on eBay. I want to start the configuration from scratch, so we will reset the device to factory defaults without knowing the “enable” password. The link listed below is a good start on what needs to be done. We will get “enable” access and erase the startup-config.

http://www.jedge.com/wordpress/2018/05/cisco-router-password-recovery-console-access/

ESCAM QF100 – UART

Please see the original post on IP Camera Security before reading the rest of this post.

Based on comment #1 by Carlo, UART exists on his Hi3518 Wi-Fi cameras. He also mentions the default password of “zg2014” for both of his cameras. A Google search for that password reveals other Hi3518 cameras, including the Mustcam H809P, which has detailed images posted on a forum. This camera board is very different from the ESCAM QF100, but examining the traces from the SoC to the documented TX/RX on the Mustcam shows a potential UART on the QF100. I was off by a couple of pins in my attempt in the original post.

Obtaining Domain Controller Password Hashes

I have referred to the following bookmarked URL in the past as a reminder on how to easily obtain the NTDS.dit and SYSTEM registry hive for analysis.
Obtaining NTDS.Dit Using In-Built Windows Commands
https://www.cyberis.co.uk/2014/02/obtaining-ntdsdit-using-in-built.html
I revisit this URL and document additional ways to obtain NTDS.dit and the Windows registry files, as well as how to extract the password hashes. Additional methods of obtaining the password hashes from the Domain Controller will also be listed.

PCI-DSS Requirement 8.2.3 Makes you Less Secure

This is a quick blog post on my thoughts regarding PCI-DSS password requirement 8.2.3 and how I think it creates an environment where all non-CDE data is left exposed via weak password requirements. I still see organizations that do not understand password strength vs. password length, and PCI-DSS 8.2.3 requires neither! I like to back up my posts with some data and statistics, so feel free to use this information to let your auditors know that compliance does not equal secure. I show how quickly hashcat will run through a seven (7) character alphanumeric password for the most common password hashes.

Have fun at Goodwill part 2 – Finding Networking Equipment for Fun and Profit

As I’ve written about previously, a great place to pick up outdated, and potentially vulnerable, wireless routers is your local Goodwill. Depending on the store, those shelves can be packed with devices for only a couple of bucks. While you are there you can just Google the model number followed by “exploit”, “openwrt”, or “dd-wrt” to see if you have a device worth playing with. Today I got a Netgear WGT624v2, which dates back to POTUS 43’s first term. I will detail a different adventure than my previous post. When cracking open this device I was greeted with two pre-populated headers! We will use the JTAGulator and Dangerous Prototypes BusBlaster v4 to get access via UART and JTAG.

IP Camera Security

In reviewing my browser bookmarks I see this blog, https://reversatronics.blogspot.com/, is still active. I’m examining the blog entry at https://reversatronics.blogspot.com/2013/10/sunluxy-dvr-backdoor.html to learn and document my own adventures in embedded device security.

The author (Billy) has a Sunluxy CCTV DVR. The company website no longer exists, but the device is basically a JuanDVR. You can still find these devices if you search on eBay or Alibaba. The author’s link for the company no longer works, but the company can be found at www.juancctv.com. No photos were posted in the blog. Based on the author identifying 5V TTL and references found in the blog comments, the unit referenced would be similar to the stock image from DX.com.