Wednesday, September 9, 2015

How to set up a honeypot in the cloud. Part 1.2: Using PuTTY with EC2

In part one I talked about how to set up your EC2 instance. Now I will teach you how to log on to your instance. If you followed my instructions in part one, you have installed the PuTTY suite. PuTTY takes a different kind of key, so you will have to use puttygen (it comes with PuTTY) to convert your instance key into something that PuTTY can recognize. Here are the steps:
  • Fire up puttygen.
  • Click on the Load button or use the File menu.
  • You will have to select the option to show all files.
  • Select the *.pem key file you got from the instance.
  • You will see a popup. Push OK.
  • Push Save private key. And you are done.

Now open PuTTY (or ExtraPuTTY) and your AWS console. If you followed the tutorial and chose an Ubuntu instance, your username is ubuntu. Enter it in the Host Name field of PuTTY in this format: ubuntu@yourec2host. Of course you will replace the second half with the IP address of your instance, which you will find by going to the EC2 tab and clicking on the instance. All the info will be in the bottom pane.

Now this is important: in PuTTY, on the right side, expand the SSH list item and then click on the Auth tab. Now click Browse and select the *.ppk key file you just generated. The only way into an Amazon instance is with public/private key encryption, so it should be pretty secure as long as you don't release or lose your public key. You can retrieve it, but that is for another post (note to self).

OK, now go ahead and mess with the Appearance tab if you like to have your shell display in a certain way. There are not many settings though; I would love to have a color selector. But anyway, back to hacking.

To connect, simply push the Open button at the bottom of the application. This will pop up a command window and authenticate with your username, which is ubuntu, and for your password it will use the private key that you supplied. This is a very secure way of connecting to a server; I recommend it if you use SSH to log into any box you own (you do have a box with Linux on it?). Someday I will get around to writing how to do that. Well, I think I will end here and call this Part 1.2.

How to set up a honeypot in the cloud. Part 1: Setup

In this series of articles I will be showing you how to set up your own honeypot on an Amazon EC2 instance. I have experimented and read a lot about how malware works, but nothing beats seeing it in action and trapping malware that's in the wild.

Well, the first thing that you have to do is get an AWS account. Simply go to http://aws.amazon.com and sign up. Unfortunately you have to input a credit card, but they offer a free tier, so go ahead and put it in and make sure you select free tier options. In this article I will be using nothing but free tier services, so you can set up a honeypot in the cloud that runs 24/7 for free!

OK, I will show you how to set up your instance. First you will need a few things, starting with the AWS account. You can modify my process for use in a virtual machine or a main rig, but I recommend AWS.

Go ahead and get putty, the url is:


OK, let's set up your instance; it's very simple. First you want to select your region, because malware is different and more rampant in different regions. You can select this in the upper right corner of the AWS site. The selections are:
  • US East (North Virginia)
  • US West (Oregon)
  • EU (Ireland)
  • EU (Frankfurt)
  • Asia Pacific (Singapore)
  • Asia Pacific (Tokyo)
  • Asia Pacific (Sydney)
  • South America (Sao Paulo)

OK, now that you have picked your location, let's set up your instance. Choose the EC2 tab in AWS, and choose Launch Instance. Click on the Community AMIs tab. Search for Ubuntu ubuntu-trusty-14.04-amd64-server-20150325 (ami-d05e75b8). If this distro is not available in your region, just search for Ubuntu 14.04 with a root store of "EBS".

We want the most updated distro we can find. We are going to be messing with hackers, and you never know who might be pissed that you got ahold of their malware. (Fair warning.)

Make sure you set the instance type to micro; it will say Free Tier Eligible under it.
Continue until you reach the prompt to create a key pair, and choose a name for your instance, for example honeypot. No one will see this but you. OK, now download that key and save it for later in this tutorial. This is the only way to connect to your instance, so don't lose it!

Now to create the security group: make sure you create a new one and choose all traffic, with source 0.0.0.0. This will open you up to the world, but that is what we want, right? OK, push Continue and then Launch. Give your new instance time to start up, and there we go!

In the next installment I will show how to log in to your new instance and set up Kippo!


Thursday, September 3, 2015

September's Two Hacking Challenges (Postponed for a few days)

I am sorry to everyone that started the hacking challenge. I had some personal issues that interfered with me setting up the test servers.

I will get them up and running and repost the challenges. Stay tuned. If you haven't already, follow my blog for up-to-the-minute updates.

I plan to update this blog at least once a week with some good Linux information and tutorials!

Friday, October 17, 2014

Cracking WordPress Password MD5 Hashes with hash-identifier and hashcat on Kali Linux


In my daily search for knowledge I come across all types of challenges. Today I am going to teach you how to crack a WordPress MD5 hash.

The secret is knowing the right tool to use for the job. Let's go.

Tools:
1. Hashcat            ==> Hash Cracker
2. Rockyou.txt      ==> Or any wordlist you like
3. Hash-Identifier  ==> This shows what type of hash you have (never know)

First we need to dump the hash from the WordPress install somehow. I will leave this up to my readers to find their own hash to crack :) (I hope you all can get to this stage. If you are not at this level yet, follow me and read. I will be putting up several new posts covering SQLi and WP hacking, promise.)

Here is my dump. I managed to get the wp-config.php file, which contains the database password and username. From here I will use their phpMyAdmin to snatch the hash!! Let's go.

Dig through the database until you find the wp_users database entry. Open that and find the password hash you want to crack. Here is mine:

$P$BZnLsG/hc/xHbB9WIaiVR07lGAV0fa1

Now we need to make sure that the hash that we have dumped is a WordPress MD5. There are several hash types out there, and hashcat can crack most of them!


Just type hash-identifier into the terminal for this to pop up, then simply paste your hash there and it will check it. This confirms it is indeed a WordPress MD5. Now the fun...

OK, now write the hash to a txt file. Simplest way:

echo $P$BZnLsG/hc/xHbB9WIaiVR07lGAV0fa1 > md5.txt

Wrong. After running a cat on MD5.txt to check if it wrote, I found that echo takes anything with a $ in front of it as a variable. So the echo does not work in this case. A simple editor such as leafpad, nano, vim, or kate will work perfectly. Anyway, save this file with just the hash in it.
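
The quoting problem described above, as an added example (not code from the original post): the shell expands $P and $BZnLsG in an unquoted argument before echo runs, while single quotes keep the hash literal. The function names are hypothetical, and the check assumes the portable phpass layout behind the $P$ prefix.

```shell
#!/bin/sh
# Added example: shell quoting and a format check for a phpass ("$P$") hash.
# The hash is the one from the post; all function names are hypothetical.

HASH='$P$BZnLsG/hc/xHbB9WIaiVR07lGAV0fa1'   # single quotes: no expansion
ITOA64='./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

# What the unquoted echo really writes: the shell replaces the unset
# variables $P and $BZnLsG with nothing before echo ever runs.
mangled() {
    ( unset P BZnLsG; echo $P$BZnLsG/hc/xHbB9WIaiVR07lGAV0fa1 )
}

# Write the hash literally; printf '%s' also avoids echo's escape handling.
save_hash() {
    printf '%s\n' "$1" > "$2"
}

# Succeed only for a portable phpass string: "$P$", one cost character,
# 8 salt characters and 22 digest characters (34 in total).
is_phpass() {
    [ "${#1}" -eq 34 ] || return 1
    case "$1" in
        '$P$'*) ;;
        *) return 1 ;;
    esac
    body=$(printf '%s' "$1" | cut -c4-)
    case "$body" in
        *[!./0-9A-Za-z]*) return 1 ;;
    esac
    return 0
}

# The 4th character encodes the cost: its index in ITOA64 is log2 of the
# number of MD5 iterations phpass applies.
phpass_iterations() {
    c=$(printf '%s' "$1" | cut -c4)
    prefix=${ITOA64%%"$c"*}
    echo $((1 << ${#prefix}))
}

f=$(mktemp)
save_hash "$HASH" "$f"
echo "unquoted echo wrote: $(mangled)"
echo "quoted file holds:   $(cat "$f")"
is_phpass "$(cat "$f")" && echo "phpass, $(phpass_iterations "$HASH") MD5 iterations"
rm -f "$f"
```

Running the format check on the saved file before handing it to any other tool catches a truncated line like the one the unquoted echo produces.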

Now to attempt to crack it. I have no idea if my wordlist is up to the task, but I am using rockyou, which is a great list. Let's see:

Here are the options we will run on hashcat:

 hashcat -m 400 /root/Desktop/hashMD5.txt /usr/share/wordlists/rockyou.txt

Options:
 -m                                = --hash-type=NUM (the hash type)
 400                               = MD5(Wordpress)
 MD5.txt                           = path to the hash file
 /usr/share/wordlists/rockyou.txt  = path to wordlist


That is all there is to it. Unfortunately, my password was not in the list so, blah, in this case I would find more dictionaries from the link that says rockyou.txt and try more. This is the only way I know of to crack WordPress MD5. Good luck and thank you for reading! As always, stay safe.

-Meo