Thursday, January 30, 2014

How to install node.js on Ubuntu 13.10

In Ubuntu, nodejs !== node.

Ubuntu has nodejs and some packet radio thing called node. Tools like gruntjs expect the nodejs binary to be named 'node', but guess which one is /usr/sbin/node and which is /usr/bin/nodejs? Worse yet, typing node or grunt just silently fails if you have the wrong node installed. Sad faces...

So, if you want nodejs and for things like gruntjs to work... here's what you do:

Monday, January 20, 2014

How do I add Burp Suite to the Ubuntu Unity Launcher?

Portswigger recommends launching from the terminal for good reasons, one of them being that you can configure the JVM's memory allocation. But sometimes having a terminal hanging around while Burp is running can be annoying, and in those cases starting Burp Suite from the launcher is pretty convenient. Just replace the BURP_VER and BURP_PATH variables below with the appropriate values, and copy/paste.


Wednesday, September 21, 2011

Cracking OS X Hashes with oclHashcat

Either my Google skills are weaksauce or there are no good references regarding cracking OS X's password hashes using Hashcat. This isn't a tutorial on how to install oclHashcat or best crack user passwords, but a simple how-to so you can use it to start cracking right away.

Before you start, some assumptions: you will obtain the hashes on an OS X (v10.4 - 10.6) computer, but do the cracking on a Linux workstation with a fully working oclHashcat v0.26 or later. Earlier versions don't support hex salts or hex character sets.

So, let's get started... OS X versions from 10.4 - 10.6 store password hashes in /var/db/shadow/hash in files named after each user's GUID that look similar to this: 0B32C1A9-1352-4A13-BBA0-79EB0BA317E3. They have accompanying .state files, but we're not interested in those for the purposes of cracking.

We're going to try and crack all hashes, but to look up specific users and their GUIDs, check out this blog post, or just use the following commands:

10.4
$ niutil -readprop . /users/<username> generateduid

10.5 - 10.6
$ dscl localhost -read /Search/Users/<username> | grep GeneratedUID | cut -c15-

These hash files store various hashes including LM and NTLM, but we will concentrate on OS X's native hashing algorithm which is a salted SHA-1. You can use this simple one-liner to extract just the SHA-1 hashes and write them to a file:
$ sudo su -
# cut -c169-216 /var/db/shadow/hash/* > /tmp/my_hashes.txt

Within this file, you should see something similar to this:
C225222894237AEAFA66F93EEA5F98BEFE3095B9F8C1C1D1
4FC6D37E2C37C9CA23DCBA109D752D4BD108B7EC97272C31
2B068A2EA4990F16027642282EEA9996745EF1A01E6B6DB0

The first 8 characters in each line are the hex representation of the salt, and the remaining 40 are the actual SHA-1 hash. For example, in the first line the salt is C2252228 and the hash is 94237AEAFA66F93EEA5F98BEFE3095B9F8C1C1D1.

For the purposes of oclHashcat, we'll have to convert these lines to a hash:salt style format. We can do that with another one-liner:
# sed -i.orig 's/^\(........\)\(.*\)/\2:\1/g' /tmp/my_hashes.txt

After which, you should end up with something like this:
94237AEAFA66F93EEA5F98BEFE3095B9F8C1C1D1:C2252228
2C37C9CA23DCBA109D752D4BD108B7EC97272C31:4FC6D37E
A4990F16027642282EEA9996745EF1A01E6B6DB0:2B068A2E
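The same field extraction and hash:salt conversion as the cut and sed one-liners above, as an added Python example that is not from the original post. It validates each line (so stray output from the .state files that the shell glob also matches is skipped) and adds a check you want before spending GPU time: confirming that a test account whose password you know verifies against its extracted line, since these OS X versions store SHA-1 over the 4 raw salt bytes followed by the password bytes. The salt C2252228 is from the post; the password and file body in the comments are constructed.

```python
import hashlib
import hmac
import re

# Offsets of the salted SHA-1 field inside a /var/db/shadow/hash/<GUID> file,
# taken from the post's `cut -c169-216` (1-based, inclusive): 48 hex chars.
FIELD_START, FIELD_END = 168, 216
LINE_RE = re.compile(r"^[0-9A-Fa-f]{48}$")


def extract_field(shadow_hex):
    """Pull the 48-char salt+hash field out of a raw shadow hash file body;
    returns None if the file is too short or the field is not hex."""
    field = shadow_hex.strip()[FIELD_START:FIELD_END]
    return field.upper() if LINE_RE.match(field) else None


def split_salt_hash(line):
    """8 hex salt chars + 40 hex SHA-1 chars -> (salt_hex, hash_hex)."""
    line = line.strip().upper()
    if not LINE_RE.match(line):
        raise ValueError(f"not a 48-hex-char salted SHA-1 line: {line!r}")
    return line[:8], line[8:]


def to_hashcat_line(line):
    """Same transformation as the post's sed one-liner: hash:salt."""
    salt, digest = split_salt_hash(line)
    return f"{digest}:{salt}"


def convert_file_lines(lines):
    """Convert every valid line; silently drop anything that is not a
    48-hex-char field (e.g. lines cut out of the .state files)."""
    return [to_hashcat_line(l) for l in lines if LINE_RE.match(l.strip())]


def salted_sha1(salt_hex, password):
    """SHA-1(raw 4-byte salt || password), upper-case hex."""
    data = bytes.fromhex(salt_hex) + password.encode("utf-8")
    return hashlib.sha1(data).hexdigest().upper()


def verify(line, password):
    """Check a known (e.g. test-account) password against one extracted line,
    using a constant-time comparison."""
    salt, digest = split_salt_hash(line)
    return hmac.compare_digest(salted_sha1(salt, password), digest)
```

If verify() fails for an account whose password you know, the offsets or the salt/hash split are wrong for that system and the hashcat job would run against garbage.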

Now, we're ready to feed this file to oclHashcat (or cudaHashcat for NVIDIA users). For the purposes of this tutorial, we're just going to do a mindless brute-force and assume the password is 8 characters with at least 1 upper, 1 lower, 1 number, and 1 special character. Note that the mask below tries every 8-character combination drawn from those four classes, so it covers that assumption without enforcing it.

So, here we go...
$ ./oclHashcat64.bin -m102 --hex-salt --hex-charset /tmp/my_hashes.txt -o/tmp/cracked_hashes.txt -1?l?u?d?s ?1?1?1?1 ?1?1?1?1

For more information on oclHashcat usage, check out the Hashcat manual and for better ways to crack passwords, check out d3ad0ne's blog here.