root@bt:~# cd /pentest/passwords/john
root@bt:/pentest/passwords/john# ./unshadow /etc/passwd /etc/shadow > ~/passwords.txt
root@bt:/pentest/passwords/john# cat ~/passwords.txt
root:$6$jcs.3tzd$aIZHimcDCgr6rhXaaHKYtogVYgrTak8I/EwpUSKrf8cbSczJ3E7TBqqPJN2Xb.8UgKbKyuaqb78bJ8lTWVEP7/:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
root@bt:/pentest/passwords/john# john --single ~/passwords.txt
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Loaded 1 password hash (sha512crypt [32/32])
toor (root)
guesses: 1 time: 0:00:00:00 DONE (Fri Jan 4 10:12:42 2013) c/s: 35.00 trying: toor
Use the "--show" option to display all of the cracked passwords reliably
root@bt:/pentest/passwords/john# john --show ~/passwords.txt
root:toor:0:0:root:/root:/bin/bash
# Two aggressive nmap runs (-A: OS/version detection plus default scripts,
# -Pn: skip host discovery, -v: verbose) against one private-range lab host,
# with the port space split into two ranges. Note that port 1024 sits in
# both ranges and is therefore probed twice, exactly as in the original.
target=192.168.56.103
for ports in 1-1024 1024-10000; do
  nmap -A -Pn -v "-p${ports}" "${target}"
done
# Reset our signal handler
signal.signal(signal.SIGINT, signal.SIG_DFL)
target_bssid = raw_input('Enter a BSSID to perform an deauth attack (q to quit): ')
while target_bssid not in networks:
if target_bssid == 'q' : sys.exit(0)
raw_input('BSSID not detected... Please enter another (q to quit): ')
# Get our interface to the correct channel
print 'Changing ' + args.interface + ' to channel ' + str(networks[target_bssid][1])
os.system("iwconfig %s channel %d" % (args.interface, networks[target_bssid][1]))
# Now we have a bssid that we have detected, let's get the client MAC
level4@io:~$ /levels/level04
sh-4.1$ cat /home/level5/.pass
Zx5VdzACNMY9lQ
#The MIT License (MIT)
# Copyright (c) 2012 Jordan Wright <jordan-wright.github.io>
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
jordan-wright / check_hosts.py
Last active February 16, 2019 15:38
Fabric Botnet C&C Blog Post
def check_hosts():
    ''' Checks each host to see if it's running

    Runs "uptime" on every host in env.hosts via execute() and records the
    outcome in the module-level running_hosts dict: the command result when
    it succeeded, the string "Host Down" otherwise.
    '''
    results = execute(run_command, "uptime", hosts=env.hosts)
    for host, result in results.iteritems():
        if result.succeeded:
            running_hosts[host] = result
        else:
            running_hosts[host] = "Host Down"
jordan-wright / consensus.txt
Last active May 18, 2017 19:00
Tor Consensus
<snip>
r IviazAsdNL AASW0qAJEUE0tk2UHR7BHiLUzno tILb+kHI/szC4u467eg/Z4G8UEo 2013-09-11 23:00:49 213.127.162.10 3074 0
s Exit Named Running Valid
v Tor 0.2.4.17-rc
w Bandwidth=5
p accept 80,443
r metroholografix ACEhJSRnU4ydobwjeJl+ZGKYFPY 9fsNMx/fO+VW3tn43n9f+KWy5Hc 2013-09-11 17:10:09 46.4.253.194 9001 9030
s Fast Guard Named Running Stable V2Dir Valid
v Tor 0.2.3.25
w Bandwidth=515
jordan-wright / original_email.html
Last active December 26, 2015 17:49
Files for Linkedin Intro Phishing Blog Post
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css">
/*BEGIN RAPPORTIVE*/
body {
padding:0;
margin:0
jordan-wright / ForeignKeyTest.go
Last active August 29, 2015 14:00
Test of Gorm's Foreign Key Functionality
package main
import (
"database/sql"
"fmt"
"time"
"github.com/jinzhu/gorm"
_ "github.com/mattn/go-sqlite3"
)