Posts

Posted on

Another successful meeting on the books.

Only a couple members could make tonight’s meeting, but it was a positive meeting anyway. I was working on my Vic-20 recovery when Kevin arrived, and we pretty quickly ended up in a conversation about Zeek. He needs to master it for work, and I need to master it just because. I found a lab from FAU that might be helpful. Here’s the link:

http://ce.sc.edu/cyberinfra/docs/workshop/Zeek_Lab_Series.pdf

We did a bit of research on network taps, and settled on Great Scott Gadgets’ Lan Tap Pro (or, if you’re cheap and handy like me, the Throwing Star Lan Tap Kit). both are passive LAN taps, and will pipe all traffic that passes through them into your Zeek, Snort or other IDS box.

We’re looking forward into the new year and planning some exciting talks and presentations. Maybe we’ll talk about Zeek in February if we’re ready, and Dan wants to talk about social engineering research tools, possibly in March.

Next meeting is Monday February 24. I hope you can make it.

Posted on

Site move

Today I migrated the DC540 website to an overseas VPS. Somehow an overseas VPS, with just 2GB of RAM, responds faster by multitudes than shared hosting at Hostgator. I guess Hostgator has reached maximum oversubscription. Please let me know how YOU experience the website, and let me know if I missed any bugs. Took me longer than I should have to get the events plugin working, for stupid configuration reasons that I am too proud to admit.

DC540 January Meetup

Let’s try this again —

Several regulars can’t make January 27.
I can’t make January 20, conflicting meeting.

How do any stragglers feel about January 21 (Tuesday)?

Thoughts?

Posted on

TIL about john the ripper and trigraph frequencies.

I have an assignment to crack an Office password for a document. I have tried using john and hashcat with several large wordlists, and had no luck, so I decided to go all-in and just leave a Kali instance running john in incremental (brute force) mode for “as long as it takes.” It’s been two days so far.

I have it running within ‘screen’ so that I can occasionally login to the system remotely to check progress without risk of losing it. I was excited at one point yesterday seeing that it was in the middle of checking seven-character passwords, but then I checked back later and it was checking six-character passwords. This morning, five. I wanted to understand — I assumed (without doing a deep dive on the mechanics) that it would just go literally incrementally. aaaaa, aaaab, aaaac, etc. That was an incorrect assumption.

John’s incremental mode actually operates on “trigraph frequencies.” While I understand the concept of trigraph frequencies (certain sets of three characters occur more frequently than others, and this can help with decryption efforts, I have my doubts as to whether this helps in cracking passwords. Passwords aren’t always natural speech, after all.

Anyhow, it’s been running for two days now, and I’ll post about it again when it’s done just to give an idea of whether it’s successful, and if so, how long it took vs the complexity of the password.

If anyone else wants to try using similar or other methods, let me know, and I’ll send you the hash (generated by office2john). No, I can’t send you the actual document. That would be unethical.

January DC540 Meeting

Currently penciled in for January 21 (third Tuesday) since several members are unavailable during the fourth week. If you prefer another date, indicate on website or Twitter via comments.

Options include:
Original 4th Monday (27th)
3rd Monday (20th, MLK day)
some evening in between.

Posted on

Holy Crap, It’s 2020!

Several people indicated being unavailable on the fourth Monday in January. Options: 4th Monday anyway, 3rd Monday (MLK day), some other day. I’ll pencil in 4th Monday anyway until we achieve consensus.

Posted on

It’s been a few days now, so…

I can safely say that I believe this show will be recognized, when the rest of the world catches up and watches it, as right up there with Breaking Bad as some of the best television ever written.

Someone on Reddit posted this, and I’m really glad I didn’t have a mouthful of coffee when I saw it. Laugh with me, fellow devotees!

Posted on

Apache, filebeat and Graylog – Oh My

I’ve been getting notices from one of my more popular WordPress sites of an increasing number of attempts to login lately. Compared to my other sites, this one feels like it’s being targeted for some reason. Normally I don’t pay a whole lot of attention to Apache logs unless I’m troubleshooting something, but I felt like ignoring this would be a missed opportunity.

The site is hosted on a shared site out in the wild. I don’t have full access to the server, but the vendor is kind enough to deposit apache logs into a known location on a regular basis.

So I spun up a Graylog instance at home, setup an automated rsync to suck down the logs, and then used filebeat with a logstash output to pipe them into Graylog for me. At some point I might set up a real SIEM (maybe SIEMonster’s community edition?) to do a bit of threat intel for me, but for now it’s a good pull this morning to have the logs for 20-30 websites sucked into my Graylog VM as a starter.

It’s a two-pot coffee day today.

The exercise ended up pulling in about 3 million log lines, and now I can easily visualize a history of what these ass-monkeys did on my hosting server.

FOLLOWUP: Yeah, turns out they were attracted to the WordPress by the unsecured Wiki hiding underneath. On 11/6, I upgraded mediawiki, and apparently missed turning off registrations. Since then, I’ve had 55,000 new users on the Wiki, and over 60,000 page edits (new pages, spam vandalism, etc). It was relatively easy to clean up after, but they were really having their way with that site.

I suspect the brute-forcing is going on especially hard today because they think nobody’s watching on a holiday weekend. BITCH I’M ALWAYS WATCHING.