ブログはじめました。日本語だと不便です。機能も少ないです。 なのでそのうち他のサービスを探します。ここはとりあえず実験的に。

金曜日, 5月 22, 2020

Networking | Switching And Routing | Tutorial 3 | 2018


Welcome to my 3rd new tutorial of networking (Routing and Switching). In this blog you will able to watch an interesting video about basic device navigation such as changing device (router or switch) name, configuration of login password, configuring a device information, router IP addresses and many more.

What is router?

Router is a network layer device which is the 3rd layer in the OSI model which is used to communicate different networks. It is an intelligent device fixed at the boundary of network that connects to other networks and responsible for end to end delivery of the packet that requires an IP address which is known as the logical address which is the basic identity of the device just like our identity card number or roll number and so on, for the identification of source and destination devices. Router is the gateway of the network having two interfaces such as inbound and the outbound interface through which the traffic comes in from different networks and comes out traffic to the different networks.

What is an IP address?

Internet protocol (IP) address is a numeric label given to each and every device in the network for the identification of the device just like our roll numbers in collages, universities which identity each and every student uniquely everywhere. So same concept here, it is a logical address which is used whenever the device want to communicate outside the network that means to another network.

What is Switch?

Switch is basically layer 2 device, which is used to connect two or more than two devices with each other in the same network. It is an intelligent device which doesn't allow the broadcast. It requires Media access control (MAC) address to communicate within the network. Now let's move to the video for further.




As a reference here are the two device options I used in the video and the needed cable: 

Hardware Used: 

Get OBD2 Cable:
https://amzn.to/2QSmtyL

Get CANtact:
https://amzn.to/2xCqhMt

Get USB2CAN:
https://shop.8devices.com/usb2can


Creating Network Interfaces: 

As a reference here are the commands from the video for creating a CAN network interface: 

USB2Can Setup: 
The following command will bring up your can interface and you should see the device light color change: 
sudo ip link set can0 up type can bitrate 125000

Contact Setup: 
Set your jumpers on 3,5 and 7 as seen in the picture in the video
Sudo slcand -o -s6 /dev/ttyACM can0 <— whatever device you see in your DMESG output
Ifconfig can0 up

Summary: 

That should get you started connecting to physical cars and hacking around. I was also doing a bit of python coding over these interfaces to perform actions and sniff traffic. I might post that if anyone is interested. Mostly I have been hacking around on blockchain stuff and creating full course content recently so keep a look out for that in the future. 

Related articles

木曜日, 5月 21, 2020

BurpSuite Introduction & Installation



What is BurpSuite?
Burp Suite is a Java based Web Penetration Testing framework. It has become an industry standard suite of tools used by information security professionals. Burp Suite helps you identify vulnerabilities and verify attack vectors that are affecting web applications. Because of its popularity and breadth as well as depth of features, we have created this useful page as a collection of Burp Suite knowledge and information.

In its simplest form, Burp Suite can be classified as an Interception Proxy. While browsing their target application, a penetration tester can configure their internet browser to route traffic through the Burp Suite proxy server. Burp Suite then acts as a (sort of) Man In The Middle by capturing and analyzing each request to and from the target web application so that they can be analyzed.











Everyone has their favorite security tools, but when it comes to mobile and web applications I've always found myself looking BurpSuite . It always seems to have everything I need and for folks just getting started with web application testing it can be a challenge putting all of the pieces together. I'm just going to go through the installation to paint a good picture of how to get it up quickly.

BurpSuite is freely available with everything you need to get started and when you're ready to cut the leash, the professional version has some handy tools that can make the whole process a little bit easier. I'll also go through how to install FoxyProxy which makes it much easier to change your proxy setup, but we'll get into that a little later.

Requirements and assumptions:

Mozilla Firefox 3.1 or Later Knowledge of Firefox Add-ons and installation The Java Runtime Environment installed

Download BurpSuite from http://portswigger.net/burp/download.htmland make a note of where you save it.

on for Firefox from   https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/


If this is your first time running the JAR file, it may take a minute or two to load, so be patient and wait.


Video for setup and installation.




You need to install compatible version of java , So that you can run BurpSuite.

Continue reading


  1. Curso Hacker
  2. Growth Hacking Examples
  3. Como Hacer Hacker
  4. Google Hacking Search
  5. Curso De Hacking Gratis
  6. Como Ser Hacker

TorghostNG: Make All Your Internet Traffic Anonymized With Tor Network

About TorghostNG
   TorghostNG is a tool that make all your internet traffic anonymized with Tor network. TorghostNG is rewritten from TorGhost with Python 3.

   TorghostNG was tested on:
  • Kali Linux 2020a
  • Manjaro
  • ...

What's new in TorghostNG 1.2

Before you use TorghostNG
  • For the goodness of Tor network, BitTorrent traffic will be blocked by iptables. Although you can bypass it with some tweaks with your torrent client 😥 It's difficult to completely block all torrent traffic.
  • For security reason, TorghostNG is gonna disable IPv6 to prevent IPv6 leaks (it happened to me lmao).

Screenshots of Torghost (Version 1.0)
   Connecting to Tor exitnode in a specific country: torghostng -id COUNTRY ID

   Changing MAC address: torghostng -m INTERFACE

   Checking IP address: torghostng -c

   Disconnecting from Tor: torghostng -x

   Uninstalling TorghostNG: python3 install.py

Installing TorghostNG
   TorghostNG installer currently supports:
  • GNU/Linux distros that based on Arch Linux
  • GNU/Linux distros that based on Debian/Ubuntu
  • GNU/Linux distros that based on Fedora, CentOS, RHEL, openSUSE
  • Solus OS
  • Void Linux
  • Anh the elder guy: Slackware
  • (Too much package managers for one day :v)

   To install TorghostNG, open your Terminal and enter these commands:
   But with Slackware, you use sudo python3 torghostng.py to run TorghostNG :v

Help
    You can combine multiple choices at the same time, such as:
  • torghostng -s -m INTERFACE: Changing MAC address before connecting
  • torghostng -c -m INTERFACE: Checking IP address and changing MAC address
  • torghostng -s -x: Connecting to Tor anh then stop :v
  • ...
   If you have any questions, you can watch this tutorial videos 🙂
   I hope you will love it 😃

How to update TorghostNG
   Open Terminal and type sudo torghostng -u with sudo to update TorghostNG, but it will download new TorghostNG to /root, because you're running it as root. If you don't like that, you can type git pull -f and sudo python3 install.py.

Notes before you use Tor
   Tor can't help you completely anonymous, just almost:
   It's recommended that you should use NoScript before before surfing the web with Tor. NoScript shall block JavaScript/Java/Flash scripts on websites to make sure they won't reveal your real identify.

And please
  • Don't spam or perform DoS attacks with Tor. It's not effective, you will only make Tor get hated and waste Tor's money.
  • Don't torrent over Tor. If you want to keep anonymous while torrenting, use a no-logs VPN please.
   Bittorrent over Tor isn't a good idea
   Not anonymous: attack reveals BitTorrent users on Tor network

Changes log
   Version 1.2
  • Fixed update_commands and others in torghostng.py
  • Changed a few things in theme.py
  • Changed a few things in install.py
  • Now you can change Tor circuit with -r
   Version 1.1
  • Check your IPv6
  • Change all "TOR" to "Tor"
  • Block BitTorrent traffic
  • Auto disable IPv6 before connecting to Tor

Contact to the coder

To-do lists:
  • Block torrent, for you - Tor network (Done 😃)
  • Connect to IPv6 relays (maybe?)
  • GUI version
  • Fix bug, improve TorghostNG (always)

And finally: You can help me by telling me if you find any bugs or issues. Thank you for using my tool 😊

Related articles

  1. Growth Hacking Sean Ellis
  2. Seguridad Y Hacking
  3. Hacking Etico Certificacion
  4. Hacking Etico
  5. Hacking Ethical
  6. Servicio Hacker
  7. Definicion De Hacker
  8. Hacking Quotes
  9. Paginas De Hackers
  10. Hacking With Swift

水曜日, 5月 20, 2020

OVER $60 MILLION WORTH OF BITCOINS HACKED FROM NICEHASH EXCHANGE

Over $60 Million Worth of Bitcoins Hacked from NiceHash Exchange. Bitcoin mining platform and exchange NiceHash has been hacked, leaving investors short of close to $68 million in BTC.
As the price of Bitcoin continues to rocket, surging past the $14,500 mark at the time of writing, cyberattackers have once again begun hunting for a fresh target to cash in on in this lucrative industry.
Banks and financial institutions have long cautioned that the volatility of Bitcoin and other cryptocurrency makes it a risky investment, but for successful attackers, the industry potentially provides a quick method to get rich — much to the frustration of investors.
Unfortunately, it seems that one such criminal has gone down this path, compromising NiceHash servers and clearing the company out.
In a press release posted on Reddit, on Wednesday, NiceHash said that all operations will stop for the next 24 hours after their "payment system was compromised and the contents of the NiceHash Bitcoin wallet have been stolen."
NiceHash said it was working to "verify" the precise amount of BTC stolen, but according to a wallet which allegedly belongs to the attacker — traceable through the blockchain — 4,736.42 BTC was stolen, which at current pricing equates to $67,867,781.
"Clearly, this is a matter of deep concern and we are working hard to rectify the matter in the coming days," NiceHash says. "In addition to undertaking our own investigation, the incident has been reported to the relevant authorities and law enforcement and we are co-operating with them as a matter of urgency."
"We are fully committed to restoring the NiceHash service with the highest security measures at the earliest opportunity," the trading platform added.
The company has also asked users to change their online passwords as a precaution. NiceHash says the "full scope" of the incident is unknown.
"We are truly sorry for any inconvenience that this may have caused and are committing every resource towards solving this issue as soon as possible," the company added.
Inconvenience is an understatement — especially as so much was left in a single wallet — but the moment those coins shift, we may know more about the fate of the stolen investor funds.

Related posts


C++ Std::Condition_Variable Null Pointer Derreference


This story is about a bug generated by g++ and clang compilers (at least)
The condition_variables is a feature on the standard library of c++ (libstdc++), when its compiled statically a weird asm code is generated.


Any example on the link below will crash if its compiled statically:
 https://en.cppreference.com/w/cpp/thread/condition_variable



In this case the condition_variable.wait() crashed, but this happens with other methods, a simple way to trigger it:




If this program is compiled dynamically the crash doesn't occur:

Looking the dissasembly there is a surprise created by the compiler:


Compilers:
    g++  9.2.1+20200130-2
    clang++ v9

Both compilers are generating the "call 0x00"

If we check this call in a dynamic compiled:




The implementation of condition_variable in github:
https://github.com/gcc-mirror/gcc/blob/b7c9bd36eaacac42631b882dc67a6f0db94de21c/libstdc%2B%2B-v3/include/std/condition_variable


The compilers can't copile well this code in static,  and same happens on  other condition_variable methods.
I would say the _lock is being assembled improperly in static, is not exacly a null pointer derreference but the effects are the same, executing code at address 0x00 which on linux is a crash on most of cases.

More info

火曜日, 5月 19, 2020

CrackMapExec: Una Navaja Suiza Para El Pentesting (2 De 2)

Vamos a continuar la segunda parte de este artículo, viendo alguna cosa más que podemos realizar en un Ethical Hacking de un sistema Windows utilizando CrackMapExec. En esta parte vamos a ver cómo podemos hacer un Credential Dumping, o lo que es lo mismo, el volcado de usuarios, hashes y contraseñas, cómo podemos utilizar WMI para la ejecución remota de comandos y cuáles son los módulos que podemos utilizar en la herramienta.

Figura 11: CrackMapExec: Una navaja suiza para el pentesting (2 de 2)


Como ya hemos dicho, CME es una navaja suiza para el pentesting con muchas posibilidades, y por supuesto se complementa con las utilidades que podemos utilizar en un entorno de post-explotación dentro de un Pentesting con PowerShell, o de las cosas que podemos hacer como Metasploit. Es decir una herramienta más en nuestra mochila de pentesters.
Credential Dumping

Cuando uno tiene privilegios en la post-explotación siempre necesitará obtener credenciales para poder volver a las máquinas comprometidas o poder moverme lateralmente a otras máquinas.  CME proporciona diferentes parámetros, incluso diferente técnicas, para llevar a cabo el volcado de credenciales. En la siguiente imagen vamos a ver cómo hacer un volcado de credenciales de la SAM, de LSA y de NTDS. Con este último, se pueden utilizar diferentes técnicas, se recomienda leer la documentación de la herramienta, ya que con detalles como estos, gana muchos puntos. 

Figura 12: Pidiendo el volcado de la SAM


Pero, volvemos al movimiento lateral. Antes hemos utilizado credenciales en plano que, por supuesto, se pueden logran en un Ethical Hacking, pero lo suyo es ver en acción el uso de, por ejemplo, hashes NTLM. Si hay un libro que explica en detalle todos los sistemas de autenticación que están disponibles en Windows y cómo gestiona su seguridad el sistema es el libro de Máxima Seguridad en Windows Gold Edition de nuestro compañero Sergio de los Santos que os recomiendo sin duda.


Si tenemos un hash NTLM se puede hacer uso de éste con el parámetro -H. Se puede probar de manera rápida el comando crackmapexec -u [usuario] -H [hash NTLM] y ver que la autenticación funciona. 

Figura 14: Comprobando que el hash funciona  

Para ver que la autenticación con hash funciona y que podemos ejecutar acciones, módulos y comandos remotos se añade el parámetro --users, como hicimos anteriormente, para ver que el resultado es el mismo. Es decir, funciona.

Hacemos uso de WMI y la ejecución de comandos remotos

Con el parámetro -x podemos hacer invocaciones de comandos, con diferentes técnicas, una de ellas sería a través de WMI. El servicio Windows Management Instrumentation o WMI provee de un lenguaje de instrumentación del sistema operativo que, como os podéis imaginar, es muy utilizado en la fase de post-explotación, ya que permite realizar un gran número de acciones en este momento del pentesting

Por ejemplo, vamos a utilizar el parámetro --wmi seguido de la consulta WMI entrecomillada, tal y como se puede observar en la imagen. El resultado es similar al del uso del parámetro --users. 
 
Figura 15: Probando WMI

Es importante probar el uso del parámetro -x y el comando que se quiere ejecutar, ya que es fácil ejecutar comandos de terminal a través de este protocolo. Esto puede acabar provocando que algo más potente se ejecute lateralmente, por ejemplo… ¿Un Meterpreter? ¿Una iBombShell? ¿Un Empire?

Módulos en CrackMapExec

Para listar los módulos, como se comentó anteriormente, se puede hacer uso del parámetro -L, indicando previamente el protocolo que queremos utilizar. Como se puede ver en la imagen, CME tiene una gran cantidad de módulos de diferente índole: enumeración, volcado de credenciales, ejecución de código, recogida de configuración, etcétera. 

Figura 16: Listado de módulos en CME

 
Como una pequeña prueba se ha ejecutado el módulo de User Account Control. Este módulo lo que devuelve es la configuración del UAC en el sistema.

Figura 17: Accediendo a info de UAC

Otras opciones interesantes son: 

- Módulo de Mimikatz. Opción -M mimikatz.
  
- Mimikatz y el parámetro -o con el que se indica COMMAND='[Comando Mimikatz]'. Es decir, se ejecuta el comando Mimikatz que queramos. Por ejemplo:
 
crackmapexec smb [IP] -u administrator -H [hash ntlm] -M Mimikatz -o 'sekurlsa:logonPasswords'.
 
Esto ejecutaría Mimikatz y éste intentaría volcar todas las credenciales de lsass.exe.  
 
- El módulo de Web_Delivery está presenta también para invocar un Meterpreter a través de Powershell, directamente a memoria. Aquí es posible que, previamente hubiera que hacer bypass AMSI. Pero con PowerShell decides tú el límite.

Figura 18: Libro de Pentesting con PowerShell 2ª Edición

 
- El módulo de wdigest también es interesante, ya que permite habilitar el proveedor de autenticación wdigest a través de la manipulación de una clave de registro. La instrucción sería: crackmapexec smb [IP] -u administrador -H [hash ntlm] -M wdigest -o ACTION=enable.

Sin duda, una interesante herramienta que aporta bastante opciones en un pentesting. Otra herramienta que debemos meter en la mochila del pentester y con muchas opciones para tener éxito en nuestro trabajo.
 
Saludos,

*****************************************************************************
*****************************************************************************

Autor: Pablo González Pérez (@pablogonzalezpe), escritor de los libros "Metasploit para Pentesters", "Hacking con Metasploit: Advanced Pentesting" "Hacking Windows", "Ethical Hacking", "Got Root",  "Pentesting con Powershell" y de "Empire: Hacking Avanzado en el Red Team", Microsoft MVP en Seguridad y Security Researcher en el equipo de "Ideas Locas" de la unidad CDCO de Telefónica.  Para consultas puedes usar el Buzón Público para contactar con Pablo González

Figura 19: Contactar con Pablo González

Related links
  1. Curso Hacking Etico Gratis
  2. Geekprank Hacking
  3. Fake Hacking
  4. Programa De Hacking
  5. Hacking Team
  6. Hacking Articles
  7. Certificacion Ethical Hacking
  8. Hacker Profesional
  9. Hacking Etico Curso Gratis
  10. Definicion De Hacker

BASICS OF METASPLOIT – BASIC COMMANDS OF METASPLOIT

Metasploit is an advanced hacking tool that comes itself with a complete lack of advanced penetration testing tools. Penetration testers and hackers are taking so much advantage of this tool. It's a complete hack pack for a hacker that he can play almost any attack with it. Here I am going to discuss the basics of Metasploit. I am not covering attacks in this article, as I am just making sure to share the basics of Metasploit and basic commands of Metasploit. So, we can get back to cover attacks of Metasploit in the next articles.

BASICS OF METASPLOIT

The Metasploit framework has three types of working environments.
  1. msfconsole
  2. msfcli interface
  3. msfweb interface
However, the most preferred and used is the 'msfconsole'. It's a very efficient command-line interface that has its own set of commands and system's working environment.
First of all, it's most important to know and understand all the useful commands of Metasploit that are going to be used.

BASIC COMMANDS OF METASPLOIT

Metasploit have a huge number of command that we can use in different type of attacks, but I am just going to share the most used and useful commands here that a beginner can easily understand and follow 'em.
  • help (It will give the basic commands you need to launch an exploit.
  • search (Finds out the keywords in the selected attack method).
  • show exploits (Shows list of an available exploit in the selected option).
  • show payloads (It lists all the payloads available).
  • show options (It helps you to know all the options if you might have forgotten one).
  • info (This is used to get information about any exploit or payload).
  • use (It tells Metasploit to use the exploit with the specified name).
  • set RHOST (Sets the address of specified remote host).
  • set RPORT (Sets up a port that connects to on the remote host).
  • set PAYLOAD (It sets the payload that gives you a shell when a service is exploited).
  • set LPORT (Sets the port number that the payload will open on the server when an exploit is exploited).
  • exploit  (It actually exploits the service).
  • rexploit (Reloads your exploit code and then executes the exploit without restarting the console).
These are the most used Metasploit commands which come in handy in most of the situations during any sort of attack. You must give all the commands a try and understand 'em how it works and then move to the next part of designing an attack.
Related articles

Wireless Scenarios Part 1: EAP-Radius JTR Hashcat, SSID MAC Issues And More

Intro: 
I have been on a number of wireless engagements again lately and much like the wireless blog i wrote over a year ago i am trying various combinations of techniques and tools in conjunction to gain access to networks. I will show a range of tools and techniques mostly as a reminder to myself. The format will be scenario based on what i have been seeing while testing.  Some of these tools include JTR/Hashcat with specialized rulesets, mdk3 for SSID/MAC bruteforcing, evil access points for bypassing guest networks, DNS redirection/tunneling as well as radius-wpe attacks etc... This will be a 2 part blog, first blog being more Pre-Auth attacks and the second blog being more client attacks.



Finding Hidden SSID's and Limited user network attacks:
Recently i have been on a lot of tests where administrators think its a wonderful idea to hide their SSID's. Administrators feel that if they hide their SSID's they are magically secure. While Cloaked SSID's may pose a slight problem it's not a security feature. Especially when hiding WEP encrypted networks. One issue that keeps coming up is hidden networks with NO clients thus no probe request/response traffic available to passively capture an SSID. Without clients you can't de-authenticate and force reconnections requests with SSID's. To top that off administrators are also running another trivial security feature known as MAC filtering. While MAC filtering is also easy to bypass, again there are no clients on the network so we must come up with strategies to figure out both the SSID's and the possible client MAC addresses. Lets start by addressing the SSID issue.
SSID's can generally be seen in the Beacon traffic. However, if MAC cloaking or hidden SSID's are enabled on your access point they are stripped from the beacon traffic. Striping the beacons of SSID's is usually not a problem if there are clients looking to join the network. As the SSID's must be sent in probe traffic to successfully inquire about joining the network, and SSID's are than easily obtained. Thus why tools like kismet can passively discover the correct SSID given a bit of time and a few clients probing for the hidden network. But, what happens if there is no client traffic?
So the actual scenario i was presented with recently was a Cloaked SSID on a limited use network running WEP, which had a MAC filtered client device. This device would attach to the network once a day for a limited amount of time. So the first piece of the puzzle would be figuring out the SSID for later use then tackling the rest of the problem.

We start with a nice little tool called MDK3 which can be used to send out mass SSID requests in either dictionary style or bruteforce in order to determine an SSID. Lets start with the simple syntax then get into some more fine tuned strategies for determining SSID's based on the mind of the sysadmin.

There are 2 modes i have been using, one is dictionary mode and the other bruteforce mode, i would always start with dictionary because its faster. If a dictionary gives no resultes then move to bruteforce techniques. Also have your Airodump-ng/Kismet running during the attack and if the SSID is found it should apear in there as well as your MDK3 results window. You can get your target BSSID value from airodump along with useful information sometimes regarding length of a hidden SSID value which can be used in fine tuning bruteforcing. MDK3 will automatically pick the correct length and then begin bruteforcing based on that length value:

Below is an example of SSID Length Output: 
CH 6 ][ Elapsed: 8 s ][ 2012-03-01 21:08
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:24:A5:6F:2E:D5 -59 5 0 0 5 54 WEP WEP length: 12
00:1A:A1:05:E8:20 -61 2 0 0 3 48 . WEP WEP length: 1
00:24:A5:6F:37:9F -64 2 0 0 5 54 WEP WEP length: 12

You will notice example output above says that one SSID is of length 12 and another is of length 1, these are the SSID perceived length values based on values in the packet capture. Not always accurate because these values are just Null place holder values and not always set accurately. Essentially one SSID packet above has a one null value while the other packet has 12 null values as placeholders. If a length of 1 is present you may have to start at 1 and go through the whole range of brute forcing. If the length is known then you can start and end at 12 in this case shortening the full bruteforce time considerably.

Attack Modes and Info:
Dictionary Mode:
./mdk3 [Interface] p -c 1 -t [BSSID] -f [dictionary] -s 100

Bruteforce mode:
./mdk3 [Interface] p -c 1 -t [BSSID] -b u -s 100

Above Switch mappings are defined as the following:
b = bruteforce also can add a character set b [charset]
s = packet speed
c = channel
f = ssid dictionary file

I first tried a regular dictionary attack of common words:
ficti0n:# mdk3 mon0 p -c 1 -t 00:01:55:B1:A3:A5 -f english.txt
channel set to: 1
SSID Wordlist Mode activated!
Waiting for beacon frame from target...
Sniffer thread started
Found SSID length 1, usually a placeholder, no information about real SSIDs length available.
Trying SSID:
Packets sent: 1 - Speed: 1 packets/sec
Got response from 03:F0:9F:17:08:32, SSID: "Secure_Access"
Last try was: (null)
Trying SSID: beauty
Packets sent: 167 - Speed: 166 packets/sec
Got response from 03:F0:9F:17:08:33, SSID: "Guest_Access"
Last try was: (null)
Trying SSID: bianca
Trying SSID: winnie
Trying SSID: isabella
Trying SSID: sierra
Trying SSID: 00000000
Trying SSID: dancer1
Packets sent: 32507 - Speed: 376 packets/sec
Got response from 00:3B:10:47:33:32, SSID: "wow"

I began with a dictionary against a network address i got from my initial airodump-ng. On my first MDK3 run i found one new access point named "wow" but i didnt find the target AP's SSID. If you look at the above MDK3 output there are 2 other networks with similar formats which may reflect our target networks format. Below you will see a similar format.
  • Guest_Access
  • Secure_Access
Creating a Custom dictionary based on observations:
If the target company has a repeating SSID format we can create our own dictionary file. According to the above output the format is [Word]_Access, we can take advantage of this by creating a new list with python using the company format. Break open your python editor and create a quick script to parse the english dictionary in the proper format for our attack by uppercasing every dictionary word and appending the word "Access".

#--------------------------------------------------------------
#!/usr/bin/python

dictionary = open("rockyou-75.txt", "r")
SSID_List = open("SSID_List.txt", "a")


for word in dictionary:
word = str.capitalize(word) + "Access"
SSID_List.write(word)


SSID_List.close()
dictionary.close()

#----------------------------------------------------------------

I then ran MDK3 again with my modified list. When this was done I then was able to get a response from MDK3 and determine the SSID of the target network, shown below.

Got response from 00:01:55:B1:A3:A5, SSID: "Secret_Access"


Luckily i didn't have to resort to a true bruteforce attack although the format is shown above for completeness. 



MDK3 MAC address Bruteforce:
The next issue is that of determining a valid MAC address on a network without any known clients, this can also be done with MDK3 and bruteforce mode.  I would suggest looking at other client MAC addresses on the guest or corporate networks as a starting point. Then use those vendor startpoints as your bruteforce values. So if for example you know a bit about the company based on other network MAC values you can use this knowledge in your brute forcing with the -f switch. Below is a basic command ouput for bruteforcing MAC address filters.


ficti0n:# mdk3 mon0 f -t

Trying MAC 00:00:22:00:00:00 with 100.0000 ms timeout at 0 MACs per second and 0 retries
Trying MAC 00:00:22:00:00:00 with 100.0000 ms timeout at 0 MACs per second and 1 retries
Packets sent: 2 - Speed: 1 packets/sec

Found a valid MAC adress: 00:00:22:00:00:00
Have a nice day! :)

Mdk3 -fullhelp output:
--------------------------------------------------------------

MAC filter bruteforce mode
This test uses a list of known client MAC Adresses and tries to
authenticate them to the given AP while dynamically changing
its response timeout for best performance. It currently works only
on APs who deny an open authentication request properly
-t
Target BSSID
-m
Set the MAC adress range to use (3 bytes, i.e. 00:12:34)
Without -m, the internal database will be used
-f
Set the MAC adress to begin bruteforcing with
(Note: You can't use -f and -m at the same time)
---------------------------------------------------------------------

I wasn't aware of the above technique at the time of testing but i did give it a try on a local Access Point and found a useable mac address under contrived scenarios. So this was worth noting as I found almost zero mention of it when searching around. Also note that some access points do not properly handle the authentication scenarios in which case the above technique will not work correctly. Usually the user sends an auth request and then the AP sends an auth response denoting success or failure along with an error code, but MAC filering is not part of the normal standard so results will vary regarding error codes. This is AP functionality independent. When it does work it gives you a little smily face and says it found a useable MAC address [SHOWN ABOVE] . Unfortunately in my penetration test I was stuck waiting for a client to come online to get a useable MAC address. Below are a few ideas for the rest of the scenario.


Depending on the location and use of the limited connectivity device there are a few options available for retrieving the WEP key. Networks with hidden SSID's have clients who are always probing for hidden networks whether onsite or remote. You could attack a client directly via a Cafe Latte attack. A Caffe Latte attack woud attack a client with a fake access point and gratuitas ARP requests to discover the WEP key of "Secret_Access" by flooding the client with ARP requests it responds to, generating enough traffic to derive the WEP key. This technique is useful now that you know the SSID, especially if the device is being used at the local coffee shop. I will take a look at this attack in the next blog when focusing on client based attacks.

Caffe Latte was not a good option for me because the device appears online for a short period of time and might not be available either offsite at a coffee shop or even locally long enough to generate enough traffic to crack the network. In this test I however didn't have enough time to see client actually get online but had I see the client get online I would have noted his MAC address and then configured a chop chop or fragmentation attack against the network whether the client was available or not all i would really need is one data packet. I will not illustrate this whole technique as it is fully covered in the following link Cracking WEP with no Clients.


Cracking Radius /PEAP/TTLS Hashes: (Post EAP Attack)
This is about attacking hashes from WPE Radius attacks, but just as a reference before we start here is a quick radius attack setup guide without going into to much detail.


Steps to Setup WPE attack
  1. Install the following freeradius server and WPE patch. http://blog.opensecurityresearch.com/2011/09/freeradius-wpe-updated.html
  2. Start your WPE server by typing 'radiusd'
  3. Tail your log file so you can see incoming credentials 'tail -f /usr/local/var/log/radius/freeradius-server-wpe.log
  4. Setup an access point with similar settings as to what you are seeing in airodump or wireshark essentially this will be a WPA Enterprise with AES and a default secret of 'test' which is set in the WPE installed package by default so it can talk between the AP and the radius server. You will also need to run an ifconfig on your radius server box so you know what address to point the AP too.
  5. Optionally you can use hostAP instead of a physical enterprise AP setup.

Use one of your local computers to connect to the FreeRadius wireless network and type in a fake username/password to grab an example hash. If you dont see your hash output in the logfile then double check all your ip addresses and insure your server is running. In a real attack you would wait for clients to attach to your Access point and the credentials will be forwarded to your FreeRadius-WPE server. Once this is done the fun begins and also where we will start in our attack scenario.

Formatting hashes:
Your hashes can come in a few formats, they might come back as PAP responses in which case they will be plain text passwords. Plaintext PAP can sometimes be a result of mobile devices sending paswords. Otherwise your attack will result in MSChap password challenge/response hashes. Once you receive your MSChap hashes they have to be formated in a specific way in order to crack them. Here is an example hash and the proper format to use before trying to crack the hashes.

Example Hash:
mschap: Mon Feb 05 19:35:59 2012
username: test
challenge: b3:f8:48:e9:db:02:22:83
response: 15:36:d7:e9:da:43:1f:5f:d2:4b:51:53:87:89:63:b7:12:26:7c:a8:f7:ea:9c:26

Formated for john:(username::::response:challenge)
test::::1536d7e9da431f5fd24b5153878963b712267ca8f7ea9c26:b3f848e9db022283

Tool to automate this: (Tool Link)
One of my friends wrote a python script that will take your freeradius-server-wpe.log as input and format out all of the hashes one per line.. The script output can be fed directly into John The Ripper(JTR).

JTR Cracking and Custom Rulesets:
One way to crack these hashes is to use JTR with a bunch of dictionary attacks and if that fails procede from there with custom korelogic rulesets. Check out preceding link for more info on password cracking techniques which can be employed in addition to this blog. Below I will reiterate a few points on setting up JTR with custom rulesets from the Defcon challenge in 2010 based on the previous link and then how to parse them out and use them.

The first thing to note is that the format of the hashes you get from WPE will generally be considered NETNTLM within JTR so we will have to specify that as well as the wordlists we would like to use to start.

Dictionary attacking first:
First go into your JTR directory and try to crack with some dictionaries of your choosing:
ficti0n:# cd Desktop/Tools\ /john/run
ficti0n:# ./john --wordlist=wordlists/wpa.txt --format=NETNTLM JohnFormat.txt

Loaded 1 password hash (NTLMv1 C/R MD4 DES [netntlm])
test             (test)
guesses: 1  time: 0:00:00:00 100.00% (ETA: Tue Mar 20 19:29:31 2012)  c/s: 692441  trying: test

Custom Rules: korelogic rulesets (Link)
If the cracking fails on all of your wordlists then try installing custom rulesets with the following sequence of commands meant do download and then append the rules to the current john file. The following command can also be found at the above Korelogic link.
ficti0n:# wget http://contest-2010.korelogic.com/rules.txt
ficti0n:# cat rules.txt >> john.conf


Once this is done you can directly specify any rule in the file similar to the following:
ficti0n:# ./john --wordlist=wordlists/english.txt --format=NETNTLM --rules:KoreLogicRulesAppendNum_AddSpecialEverywhere johnFormat.txt


Or if you are time independent just let them all rip and go on vacation and check the results when you get back LOL
ficti0n:# for ruleset in `grep KoreLogicRules john.conf | cut -d: -f 2 | cut -d\] -f 1`; do ./john --wordlist=wordlists/english.txt --format=NETNTLM --rules:${ruleset} JohnFormat.txt; done


Hashcat rulesets and building pasword files:
Another way to build complex password files is to use tools like HashCat with supplied password rules and pipe it out to STDOut, either into a file or the STDIn of other cracking programs like John the Ripper. There is a rules folder in HashCat which has a number of rules provided by default.


Available Hashcat Rules:
ficti0n:# ls
best64.rule      generated.rule   passwordspro.rule  T0XlC.rule     toggles3.rule
combinator.rule  leetspeak.rule   perfect.rule       toggles1.rule  toggles4.rule
d3ad0ne.rule     oscommerce.rule  specific.rule      toggles2.rule  toggles5.rule

Creating Passwords with Hashcat and a dictionary:
ficti0n:# ./hashcat-cli32.bin -r rules/passwordspro.rule ../wordlists/cain.txt --stdout

You can also pipe passwords directly into JTR from hashcat output but its really slow so I suggest you make a world list then load it up with --wordlist, but the example is shown below.

Piping Hashcat password rules into JTR: (really slow)
ficti0n:# ./hashcat-cli32.bin -r rules/passwordspro.rule ../wordlists/rockyou-75.txt --stdout |/pentest/passwords/john/john --format=NETNTLM JohnFormat.txt --stdin


I hope someone finds my above notes useful, I am going to write up some client side attack stuff as well and post it up here... Let me know if you have any questions or need more clarification on anything covered in the blogs. 

Related articles

  1. Rom Hacking Pokemon
  2. Body Hacking
  3. Hacking Music
  4. Libro Hacking Etico
  5. Diferencia Entre Hacker Y Cracker
  6. Capture The Flag Hacking
  7. Hacking Videos
  8. Hacking With Swift
  9. Machine Learning Hacking