RV Project Part 3

Sorry for the extended break, I got super busy with work etc., so here’s part 3: installing the solar after we got the roof back together. The OG house batteries were worthless for what I wanted to do, and additionally the bay they were in wouldn’t fit newer LiFePO4 batteries.

Ended up going with Renogy products because they have decent enough equipment and they had a good sale going on at the time; I think it cost roughly $4500 for all the equipment, wiring, tools, etc.

4x200watts of solar for 800watts total
2x200AH batteries for 400 AH total
3000 watt inverter/charger
60 amp solar charger
The RV also has a built-in 1000W generator that runs off the gas tank, and a propane tank for heating, hot water, and the fridge. Coupled with a 30 gallon water tank and Starlink & T-Mobile MiFi for internet, I can stay off grid for a bit without needing to use hookups. So far in the few years I’ve had this, I made it to Florida/Florida Keys and back to Connecticut 3 times, Tennessee and back, and CT to Mt. Detroit/Rushmore/Yellowstone/Vegas/Area51/Grand Canyon and back on Rt 66 for 3 weeks. No major issues so far, for less than $10k for the whole project from start to finish.

Kali 11 yrs

Looking back at last year’s post https://www.kali.org/blog/10-years/ going over the history of the Kali pentesting distro, I noticed that they still had the screenshots with the desktop background image (check the bottom right) I made when I was part of the original IRC group on irc.unixgods.net, which started from muts’ (Mati Aharoni) old website, whitehat.co.il. I originally found muts through an article he wrote, “My meanest hack”, in early 2004. It started out with Whoppix, based off the Knoppix live CD, then Whax, based off the Slax live CD. Though I didn’t take the OSCP test until 2015, it’s crazy to think that 20+ years later I’m still playing around on the distro for work and for fun (hackthebox), and finally making money full time from a hobby that I love.

Cracking Zynga

Working on a personal project collecting breach DBs, I came across the Zynga dump. On September 12th, 2019, Zynga publicly acknowledged that the data breach had happened. The company developed games including Farmville, Zynga Poker, Words With Friends, Mafia Wars, Café World, and Empires & Allies, etc. The breach contains 206,267,210 records including duplicates and 150,363,954 records without duplicates.
The following information was leaked:

Continue reading

Cracking WiFi – phone number wordlist

I used to see a lot of networks set up where either the tech or the end user chose the person’s or business’s phone number as the password. So I usually try to test these first when trying to crack a WiFi password.

I was looking into more efficient ways to crack the password if you were working in a virtual machine and didn’t have access to a GPU cracking rig to utilize hashcat.

Continue reading

Kon-Boot

Kon-Boot password tool

Kon-Boot is an awesome tool that I’ve used extensively with tech jobs that I’ve had in the past (it’s been around since 2009), for clients that couldn’t remember their password :/ or an employee that was fired, etc. Most recently I’ve used it on Red Team pentest engagements when I’ve had physical access to a box and needed quick and stealthy access. It allows accessing a target computer (Windows/Mac OS X) without knowing the user’s password.

Kon-Boot does not need to remove or modify the user’s password, and all changes are reverted back to the previous state after a system restart, unlike other tools that just remove/modify the password. It is currently the only solution that I know of that can bypass Windows 10 online passwords.

Continue reading

ESXi 6.7 Password recovery / reset

Recently I had done some training where we set up ESXi 6.7 on an Intel NUC. It’s been over a month since I’ve touched it. Apparently during the training my coworker had set a root password for the install, which was supposedly written down, but it was either typed wrong in the notes or fat-fingered while setting it. Unfortunately, you can no longer boot into single user mode or the Service Console to reset the password, and VMware suggests you reinstall ESXi to reset the password. I didn’t want to risk trying that method because I wasn’t sure if it would affect the currently installed VMs, and I didn’t have a copy of ESXi with me to do so. Instead I used a bootable Kali USB to mount the ESXi drive and reset the root password to a blank password by editing the shadow file.

Continue reading

skiptracer

My new open source Python OSINT framework, skiptracer, was released @ HushCon East on June 1st. Initial attack vectors for recon usually involve utilizing pay-for-data APIs (Recon-NG) or paying to utilize transforms (Maltego) to get data mining results. skiptracer instead uses some basic Python web scraping of PII paywall sites to compile passive information on a target. The modules allow queries for phone/email/screen names/real names/addresses/IP/hostname/breach credentials, etc. It will help you collect relevant information about a target to help expand your attack surface. Everyone should be encouraged to submit new ideas/modules. You can get the code here: https://github.com/xillwillx/skiptracer. Feel free to submit new modules or code fixes.

Office DDEAUTO attacks

SensePost posted 10 days ago about a vulnerability which can trigger command execution, without the use of macros, when someone opens a specially crafted Office document. Although a little bit of social engineering needs to come into play for the victim to click ‘yes’ on the first 2 of 3 message boxes, most end users are easily tricked. They found that by abusing the parameters of the DDEAUTO field they could use PowerShell to download malicious payloads remotely. DDE is a legacy Inter-Process Communication (IPC) mechanism dating back to 1987 which establishes a dynamic data exchange (DDE) link with a document created in another Microsoft Windows-based program (when new information becomes available in the linked document, the DDE field inserts it when you update the field). SensePost discovered that instead of specifying an application like Excel, an attacker can specify arbitrary parameters of another application as the first parameter, and quoted arguments as the second parameter (which cannot exceed 255 bytes).

Continue reading
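As an added defender-side example (not code from the original post or from SensePost), here is a small Python script that unpacks a .docx and reports any field code that invokes DDE or DDEAUTO, reassembling field codes that Word splits across several runs. The two documents it scans are constructed inline with placeholder arguments rather than a real command line.

```python
import io
import re
import zipfile

# Word stores a field code either as <w:instrText> runs between fldChar
# begin/separate markers or as a single <w:fldSimple w:instr="..."> element.
FIELD_SPAN_RE = re.compile(r'w:fldCharType="begin".*?w:fldCharType="(?:separate|end)"', re.DOTALL)
INSTR_TEXT_RE = re.compile(r'<w:instrText[^>]*>(.*?)</w:instrText>', re.DOTALL)
FLD_SIMPLE_RE = re.compile(r'<w:fldSimple[^>]*\sw:instr="([^"]*)"')
DDE_RE = re.compile(r'\b(?:DDEAUTO|DDE)\b', re.IGNORECASE)

def find_dde_fields(docx_bytes: bytes) -> list:
    """Return every field code in the .docx that invokes DDE or DDEAUTO."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        # Check every XML part (body, headers, footers, footnotes), not just the body.
        for name in zf.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            # Reassemble codes that Word splits across several instrText runs.
            codes = ["".join(INSTR_TEXT_RE.findall(span)) for span in FIELD_SPAN_RE.findall(xml)]
            codes += FLD_SIMPLE_RE.findall(xml)
            hits += [code.strip() for code in codes if DDE_RE.search(code)]
    return hits

def build_sample_docx(body_xml: str) -> bytes:
    """Wrap body_xml in a minimal .docx package (constructed test fixture)."""
    doc = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
           f'<w:body>{body_xml}</w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()

# Constructed sample: a DDEAUTO field split across two instrText runs (placeholder
# arguments, not a real command line) beside a harmless DATE field; and a clean body.
DDE_BODY = (
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDEAUTO </w:instrText></w:r>'
    '<w:r><w:instrText>"placeholder-app" "placeholder-args"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>linked text</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
    '<w:p><w:fldSimple w:instr=" DATE "><w:r><w:t>1 Jan</w:t></w:r></w:fldSimple></w:p>'
)
CLEAN_BODY = '<w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>'

if __name__ == "__main__":
    print(find_dde_fields(build_sample_docx(DDE_BODY)))  # the DDEAUTO field; clean body gives []
```

Point it at a real document with `find_dde_fields(open(path, "rb").read())`; any non-empty result is worth a closer look before the file is opened in Word.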

Equihax


In July, CVE-2017-9805 was reserved for the Apache Struts RCE vulnerability in the REST plugin. Apache Struts versions 2.5 through 2.5.12 that use the REST plugin are vulnerable to this attack. It had an initial disclosure on 7/17/2017, and a patch was released on 9/5/2017, with Apache updating Struts to version 2.5.13. The flaw exists in the Struts REST plugin’s use of the XStream handler to handle XML payloads. If exploited correctly, it allows a remote unauthenticated attacker to run malicious code on the application server, to either take over the machine or launch further attacks from it. The problem occurs in XStreamHandler’s toObject() method, which does not impose any restrictions on the incoming value when using XStream deserialization into an object. lgtm has an in-depth article, along with a press release from the Apache Foundation. lgtm, the company that discovered CVE-2017-9805, warned that at least 65 percent of Fortune 100 companies use Struts, and they could all be exposed to remote attacks due to this vulnerability.

Continue reading

CVE-2017-0213 – Windows COM EoP

Wrote another blog post for Milton Security about the details of a vulnerability that James Forshaw of Google Project Zero found in January, which exploits a bug in the Windows COM Aggregate Marshaler. An attacker can use this bug to elevate privileges on Windows machines.

Microsoft had 90 days to patch, which they did with last month’s security updates. The post includes proof-of-concept code for 32 and 64 bit versions of Windows from Win7-10 and Server 2k8-2k16.
https://www.miltonsecurity.com/company/blog/cve-2017-0213-windows-com-privilege-escalation-vulnerability