Information Systems Auditing

A collection of links, documents, and thoughts of a State IS auditor.

Archive for November, 2009

John the Ripper w/ Jumbo Patch (Updated for 1.7.5)

Password cracking Windows hashes on Linux using John the Ripper (JtR). If you prefer the Linux operating system, JtR is the password cracking utility to use. By default, JtR does not support the hashes that we are interested in cracking. Applying the jumbo patch to JtR adds the functionality to crack NTLM and MS-Cache passwords; see below for installation and patching instructions. NOTE: This install was done on Ubuntu 10.4 but should work on any Linux system since we are compiling from source.

$ ./john --format=mscash --rules --wordlist=<PASSWORD_LIST> <CACHE_HASH_FILE>
$ ./john --format=nt --rules --wordlist=<PASSWORD_LIST> <NTLM_HASH_FILE>

For additional information you can read the JtR documentation and wiki from Openwall.

OpenSSL is needed. It can be installed through your package manager or may already be installed. Remember to install the development package (libssl-dev or libssl-devel). Instructions for downloading and compiling it from source are included below.


$ wget http://www.openssl.org/source/openssl-1.0.0a.tar.gz
$ tar zxvf openssl-1.0.0a.tar.gz
$ cd openssl-1.0.0a
$ ./config --openssldir=/usr/local
$ make
$ sudo make install
$ wget http://www.openwall.com/john/g/john-1.7.5.tar.gz
$ tar zxvf john-1.7.5.tar.gz
$ cd john-1.7.5/
$ wget http://www.openwall.com/john/contrib/john-1.7.5-jumbo-3.diff.gz
$ gzip -d john-1.7.5-jumbo-3.diff.gz
$ patch -p1 < john-1.7.5-jumbo-3.diff
$ cd src/
$ make linux-x86-sse2

John will be found in the run directory.

Written by admin

November 16th, 2009 at 7:57 am

Using Perl to Parse Nmap XML

As an auditor I liked to quickly analyze my Nmap scan results by parsing the XML output produced and loading it into my favorite spreadsheet application.
From there I could sort by host, port, service, or operating system for analysis. The parsed results are a lot easier to add to reports and workpapers. Just remember to keep the original Nmap results.
I’ve developed a LAMP framework to parse and load Nmap results into a database for reporting and analysis. However, if you are just looking to quickly parse the results of individual scans, I’ve got a Perl script for you!
First, a quick blurb on installing Perl and the Nmap-Parser module.

Windows

Download ActivePerl from the Active State website: https://www.activestate.com/activeperl/downloads/
Once ActivePerl is installed you will need to install the Nmap Parser written by Anthony Persaud.
From the Command Prompt enter the following command:

C:\>ppm install nmap-parser
Downloading Nmap-Parser-1.19...done
Downloading XML-Twig-3.32...done
Unpacking Nmap-Parser-1.19...done
Unpacking XML-Twig-3.32...done
Generating HTML for Nmap-Parser-1.19...done
Generating HTML for XML-Twig-3.32...done
Updating files in site area...done
21 files installed

Linux

For Ubuntu/Debian you can install the package.
# apt-get install libnmap-parser-perl

On any Linux distro you can install the module via CPAN.
# perl -MCPAN -e 'install Nmap::Parser'

Copy the following Perl code and save it as nmap_parse.pl.


use strict;
use warnings;
use Nmap::Parser;

# The Nmap XML file (produced with nmap -oX) is the first argument
my $infile = $ARGV[0] or die "Usage: $0 <nmap_xml_file>\n";

my $np = Nmap::Parser->new;
$np->parsefile($infile);

# Scan information
print "Scan Information:\n";
my $si = $np->get_session();
print
'Number of services scanned: '.$si->numservices()."\n",
'Start Time: '.$si->start_str()."\n",
'Finish Time: '.$si->time_str()."\n",
'Scan Arguments: '.$si->scan_args()."\n";

# One CSV line per open TCP port on each host
print "Host Name,Ip Address,MAC Address,OS Name,OS Family,OS Generation,OS Accuracy,Port,Service Name,Service Product,Service Version,Service Confidence\n";
for my $host ($np->all_hosts()) {
  my $os = $host->os_sig;   # OS detection results for this host
  for my $port ($host->tcp_ports()) {
    my $service = $host->tcp_service($port);
    # Values Nmap did not report come back undefined; print them as empty fields
    print join(',', map { defined $_ ? $_ : '' } (
      $host->hostname(), $host->ipv4_addr(), $host->mac_addr(),
      $os->name, $os->family, $os->osgen(), $os->name_accuracy(),
      $port, $service->name, $service->product, $service->version,
      $service->confidence())), "\n";
  }
}

Save the above code and run it from the command line as follows:

C:\>nmap_parse.pl nmap_scan_output.xml >> results.csv
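
The script above writes strings reported by the scanned hosts straight into comma-separated lines, so a product or version string containing a comma shifts the columns, and one beginning with = is evaluated as a formula when results.csv is opened in a spreadsheet. The following is an added example, not part of the original post, of a quoting helper for those values; csv_field and csv_row are hypothetical names and the sample rows are constructed.

```perl
#!/usr/bin/perl
# Added example: CSV-safe output for values taken from Nmap results.
use strict;
use warnings;

# Quote one value for CSV and neutralise spreadsheet formulas.
# csv_field is a hypothetical helper name, not part of Nmap::Parser.
sub csv_field {
    my ($value) = @_;
    $value = '' unless defined $value;   # unknown data becomes an empty field
    $value =~ s/[\r\n]+/ /g;             # keep each record on one line
    # A leading = + - @ or tab makes a spreadsheet evaluate the cell;
    # prefix an apostrophe so the value is displayed as text instead.
    $value = "'" . $value if $value =~ /^[=+\-\@\t]/;
    $value =~ s/"/""/g;                  # RFC 4180: double embedded quotes
    return qq{"$value"};
}

# Build one CSV line from a list of raw values.
sub csv_row {
    return join(',', map { csv_field($_) } @_) . "\n";
}

# Constructed sample rows: host, IP, port, service, product, version.
my @rows = (
    [ 'web01.example.test', '192.0.2.10', 443, 'https', 'Apache httpd, mod_ssl', '2.2.14' ],
    [ undef,                '192.0.2.11', 21,  'ftp',   '=1+1',                  'say "hi"' ],
);

print csv_row('Host Name', 'Ip Address', 'Port', 'Service Name',
              'Service Product', 'Service Version');
print csv_row(@$_) for @rows;
```

In nmap_parse.pl the same helper would take the place of the comma concatenation in the per-port print, with the header line passed through csv_row as well.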

Additional Information

ppm – Perl Package Manager, version 4

http://docs.activestate.com/activeperl/5.10/bin/ppm.html

ActiveState CPAN PPM Repository

http://ppm4.activestate.com/

Nmap Parser

http://search.cpan.org/dist/Nmap-Parser/Parser.pm

Written by admin

November 6th, 2009 at 12:28 pm
