Bruteforcing my own Bitwarden vault


Lately I lost the masterkey to my Bitwarden vault. As Bitwarden does not provide a way out of that rabbit hole, losing my masterkey would mean losing all of my data within the vault. Something around 300 entries.

Luckily I had access to the vault on one of my computers, as the vault had not been locked there, and on my mobile, which uses Face ID to unlock my vault. But without my masterkey I was unable to export the entries, so my only choices were:

  1. lose everything
  2. transcribe all entries manually
  3. patch the Bitwarden Firefox extension so I could bypass the masterkey in order to export the vault

It goes without saying that option #1 is totally unacceptable. Option #2 was nice to have as a backup plan and option #3 was nice to know and something probably worthwhile to follow through someday.

But, as the title suggests, there is another option: bruteforcing. My masterkey actually is a passphrase comprised of a number of words. I was pretty sure about which words most likely have been lost. I also had a list of candidates. Basically I assumed that I have no more than two words which could have been wrong. So I searched my system for the wordlist used by Bitwarden to generate passphrases and started to assemble a wordlist with likely candidates for bruteforcing. My final wordlist has 187735 candidates. I was also able to extract my keyHash from data.json, and with a little help from a friend I also found how Bitwarden was generating the keyHash saved on disk, which basically is:

    pepper  = pbkdf2(sha256, pass = masterkey, salt = email,     rounds = 100000)
    keyHash = pbkdf2(sha256, pass = pepper,    salt = masterkey, rounds = 1)

Googling for a Bitwarden-specific bruteforcer was unsuccessful, so the plan grew on me to write my own. As I still had access to the vault I was under no pressure, at least not on the time front. Some hours later bw_brute.py had been conjured and tests with a list of one thousand entries finished in 9s on my 8 core, 16 threads Ryzen CPU which left me …
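The two-step derivation above as runnable Python, added here as an illustration and not the author's bw_brute.py: it derives keyHash for each candidate, compares it with a target, and measures what the 100000 rounds cost per guess. The e-mail address, passphrases and helper names (`key_hash`, `find_passphrase`, `seconds_per_guess`) are constructed, and the comparison is on raw bytes because the post does not say how keyHash is encoded in data.json.

```python
import hashlib
import hmac
import time

ROUNDS = 100_000  # PBKDF2 iteration count quoted in the post


def key_hash(masterkey: str, email: str, rounds: int = ROUNDS) -> bytes:
    """Derive keyHash with the two PBKDF2 steps from the post."""
    password = masterkey.encode("utf-8")
    # pepper = pbkdf2(sha256, pass=masterkey, salt=email, rounds=100000)
    pepper = hashlib.pbkdf2_hmac("sha256", password, email.encode("utf-8"), rounds)
    # keyHash = pbkdf2(sha256, pass=pepper, salt=masterkey, rounds=1)
    return hashlib.pbkdf2_hmac("sha256", pepper, password, 1)


def find_passphrase(candidates, email, target, rounds=ROUNDS):
    """Return the first candidate whose keyHash matches target, else None."""
    for candidate in candidates:
        if hmac.compare_digest(key_hash(candidate, email, rounds), target):
            return candidate
    return None


def seconds_per_guess(email: str, samples: int = 3) -> float:
    """Measure the single-core cost of one guess on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        key_hash(f"probe-{i}", email)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    # Constructed sample data, not taken from the post.
    email = "user@example.com"
    target = key_hash("correct-horse-battery-staple", email)
    wordlist = ["correct-horse-battery-stable", "correct-horse-battery-staple"]
    print("match:", find_passphrase(wordlist, email, target))
    cost = seconds_per_guess(email)
    print(f"{cost * 1000:.1f} ms per guess, about {187735 * cost / 60:.0f} "
          "minutes on one core for the post's 187735 candidates")
```

Almost all of the per-guess time is the first PBKDF2 call; the single-round second step is negligible, so the iteration count alone sets how expensive each candidate is.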

Windows Powershell for purple teams


This is my Powershell Cheat Sheet for purple teams. Starting point for this blog is the excellent Attacking and defending Active Directory course by Nikhil Mittal and my first machines over at HackTheBox. Feel free to get inspired. This list is also a moving target and will most likely grow with time and experience.

Generic Powershell Stuff

  • Where does a Command come from?

    PS C:\> Get-Command Get-Command
    
  • Silence errors

    $nh_oea = $ErrorActionPreference ; $ErrorActionPreference = "SilentlyContinue"
    
  • Restore errors

    $ErrorActionPreference = $nh_oea
    
  • Import AD-Modules

    Import-Module .\Microsoft.ActiveDirectory.Management.dll
    Import-Module .\ActiveDirectory\ActiveDirectory.psd1
    

Recon / Enumeration

  • Get all admin groups of all domains in the forest (AD Modules)

    $nh_doms = (Get-ADForest).domains ; foreach ($nh_dom in $nh_doms) { "`n[*] " + $nh_dom ; (Get-ADGroup -Filter { Name -like "*admin*" } -Server $nh_dom).name | foreach { "[-] " + $_ } } ; "`n"
    
  • Enumerate Users (AD Modules)

    (Get-ADUser -Filter { Enabled -eq $true }).name
    
  • Enumerate Computers (AD Modules)

    (Get-ADComputer -Filter *).name
    
  • Get Domain Admins for all domains in the forest (AD Modules)

    $nh_doms = (Get-ADForest).domains ; foreach ($nh_dom in $nh_doms) { "`n[*] " + $nh_dom ; Get-ADGroupMember -Identity "Domain Admins" -Server $nh_dom | foreach { "[-] " + ($_).Name + " (" + ($_).ObjectClass + ")" } } ; "`n"
    
  • Get Enterprise Admins for all domains in the forest (AD Modules)

    $nh_doms = (Get-ADForest).domains ; foreach ($nh_dom in $nh_doms) { "`n[*] " + $nh_dom ; Get-ADGroupMember -Identity "Enterprise Admins" -Server $nh_dom | foreach { "[-] " + ($_).Name + " (" + ($_).ObjectClass + ")" } } ; "`n"
    
  • Find sensitive shares (PowerView)

    Invoke-ShareFinder -ExcludePrint -ExcludeStandard -ExcludeIPC
    
  • Get all OU in Domain (AD modules)

    Get-ADOrganizationalUnit -Filter * | …

VHL Certified! \o/


Finally certified. Too bad I haven’t found the time to tackle the Advanced+ certification but there are enough machines left in the lab and I am pretty sure that I will revisit the lab for the Advanced+ certification, too.

I had a lot of fun in the lab and the guys were quick to respond whenever problems or questions arose (mind you: not to the individual machines).

I can warmheartedly recommend them. Can’t say too much about the courseware though, as I didn’t have to rely on it. But the few things I saw seemed to be ok.

Virtual Hacking Labs Certificate of Completion

Virtual Hacking Lab


I will use this post to publish my progress while working on virtual hacking lab. It does not have the same reputation as OSCP but I do enjoy the lab and am very pleased with the lab material and dashboard. Also support is quick and nice if you need it (not for clues, of course!). The lab is also regularly expanded. All of this for a fraction of the price tag called for OSCP.

Without any further ado here are the machines I have rooted so far:

Basic:
  • steven
  • android
  • mantis
  • james
  • anthony
  • john
  • as45
  • breeze
  • cms01
Advanced:
  • lucky
  • techblog
  • backupadmin
  • web01-dev
  • web01-prd
  • helpdesk
  • pbx
  • vps1723
  • dolphin
  • natural
  • nas (2020-03-17)