Nytro
Administrators
  • Posts: 18748
  • Days Won: 719

Everything posted by Nytro

  1. What could be posted in that category? The field is too "small" in relation to IT security.
  2. [h=1]Security Summer School[/h]
     From „Voodoo“ to „You Do“ via hex and fun. Proudly brought to you by ACS, Ixia and Hexcellents.

     [h=2]Period[/h]
     23rd of June - 10th of August 2014

     [h=2]Links[/h]
     Wiki, Facebook page, Google Plus page, E-mail contact address

     [h=2]Summary[/h]
     The first edition of a new Security Summer School focused on Practical Software Exploitation will take place between June 23rd and August 10th 2014, at the Faculty of Automatic Control and Computers, University POLITEHNICA of Bucharest. Students will go through an in-depth tour of what it means to discover, successfully exploit and patch a software vulnerability, and will develop the necessary skills and insights needed to embark on such an endeavor. Activities will take place during two intensive training sessions per week, as well as two Capture the Flag (CTF) contests that will be held mid-term and at the end of the summer school. The final CTF contest will be the highlight of the summer school: students will be able to showcase the skills they have learned and be awarded prizes offered by Ixia.

     [h=2]Application[/h]
     We welcome students to apply via Stagii pe Bune. Choose „Security Summer School“ under the „Summer Schools“ heading, for the company „Facultatea de Automatica si Calculatoare, UPB“. Apart from filling out your CV, we want to see your h4x0r sk111z by solving a set of three challenges. Please download the challenge tasks, go through the README and then submit your solution on this Google form; you may edit your submission if you forget something during the first try. The deadline for submitting your answers is Sunday, May 25th. After May 25th we will organize a set of interviews to decide who will take part in the Security Summer School.

     [h=3]Requirements[/h]
     We expect good programming skills and a fair knowledge of the C programming language. Python and shell scripting skills are welcome. More than anything we expect a proactive attitude, a love for challenges and „tinkering“ and an interest in security and hacking.

     [h=2]Location & Schedule[/h]
     The Security Summer School will take place in the Faculty of Automatic Control and Computers, University POLITEHNICA of Bucharest, room EG106 (Ixia lab), first floor, EG wing. Activities will take place twice a week: Monday, 4pm-8pm; Thursday, 9am-1pm. Each session will be highly practical: a presentation of a set of basic concepts on slides, followed by hands-on activities (tutorials and tasks). The 9th-10th of August weekend is reserved for the final CTF contest and the awards ceremony.

     [h=2]Syllabus[/h]
     Introduction into the World of Security
       • 23rd of June: crash course CTF, OS (pmap, strace, ltrace, file descriptors, lsof, ldd), Linux dynamic analysis
       • 26th of June: assembly intro: registers, mnemonics, the stack, gdb (step instruction/read-only)
     Binary Formats
       • 30th of June: writing assembly, executable code analysis (IDA)
       • 3rd of July: from ELF to a process, PLT, PIC; gdb / IDA
     Vulnerability Assessment
       • 7th of July: overwrite data in GDB, overflows of all kinds: function pointers, vtable, local variables, format string, use after free
       • 10th of July: CTF Demo (4 challenge tasks)
     Vulnerability Discovery
       • 14th of July: stateless fuzzing (on files), fuzzer + gdb
       • 17th of July: stateful fuzzing (on protocol)
     Weaponizing the vulnerability
       • 21st of July: shellcode + stack, NUL terminator, call trampoline
       • 24th of July: DEP, ASLR
     Weaponizing the vulnerability II
       • 28th of July: information leak, canary value, format strings
       • 31st of July: ROP, remote + socket reuse
     Preventing vulnerabilities in your own code + Windows
       • 4th of August: secure programming techniques (sanitizing, system())
       • 7th of August: Windows: shellcode exploit on Windows (Immunity, WinDbg)

     [h=2]Team[/h]
     Adrian Șendroiu, Dan Gioga, Dragoș Comăneci, Radu Caragea, Răzvan Crainea, Răzvan Deaconescu, Silviu Popescu, Tudor Azoiței

     [h=3]Supporting members[/h]
     Irina Preșa, Lucian Cojocar, Vlad Dumitrescu

     In case of any inquiries please send us an e-mail.

     Source: Security Summer School [Wiki-ul Departamentului de Calculatoare]
  3. Ukraine, I couldn't care less about. But anything up to the Rep. of Moldova or Romania is another matter.
  4. We should be civilized enough that a war doesn't start, especially since with today's nuclear weapons it doesn't take much for a few countries to "disappear". I am somewhat worried, for Romania and the Republic of Moldova, about the Russians, because they are capable of many things.
  5. https://www.youtube.com/watch?feature=player_embedded&v=NJmi_QCbYGU + http://site.oasteafiara.net/2012/01/ce-ar-fi-daca-ati-recunoaste-ca.html
  6. Without making any reference to the Russian-Ukrainian conflict, I think Romania too is getting close to a conflict with Russia. Slowly, slowly. Rogozin: Romania has closed its airspace to my plane. The Romanian authorities are not commenting on the report (adevarul.ro). We are in NATO, the US should come to our defence, but I'm really curious whether they will. If they "attack" the Republic of Moldova, we should consider a conflict. Although Ukraine and the Republic of Moldova are "half" Russian (well, not quite), I think our relationship with Russia won't exactly be a friendly one. I'd be curious, if we have members from the Republic of Moldova who live there, for them to tell us what the situation is.
  7. Save the discussions somewhere too. Is nobody from HY talking? PS: It would probably have been more interesting on TeamSpeak.
  8. [h=1]An Experiment In Performing Remote Calls on x64[/h]
     Posted on May 4, 2014 by admin

     Recently I was trying to do something more than just executing code in the context of a remote process: I wanted to call a function remotely, including supplying arguments, and have the program continue execution afterwards. What I will present in this post is what I have quickly come up with to achieve the task. There certainly are edge cases (discussed at the end) where the code will run into issues, but the general logic of it is:
     • Suspend all threads in the target process. This is achieved in the code with a call to the NtSuspendProcess native API.
     • Allocate space in the process that will contain the x64 assembly code which will set up the parameters and stack to perform the call.
     • Save all registers that will be used in performing the call. The example code does not save flags, but a full implementation will want to do that as well.
     • Write in the parameters following the Windows x64 ABI (first four parameters in RCX, RDX, R8, and R9 respectively, with the rest on the stack). The caller will have to know and supply the stack offset to the other parameters.
     • Set up the trampoline to perform the call.
     • Resume the process via NtResumeProcess and let the call happen.
     • Save the result of the call and continue execution.

     Article: An Experiment In Performing Remote Calls on x64 | RCE Endeavors
  9. A small anthology of wretched patriotism, Andrei Pleșu. I have published the texts below on other occasions as well. I feel the need to remind readers of them, at a moment when the trumpets of a rudimentary, fiddler-style, grumpy patriotism have rekindled tempers. Patriotism has come to be an indigestible mixture of tearful words and cave-dweller scowls. For its champions, the fatherland must not be "helped" except with flattery and flexing of biceps. The idea that you can love it desperately, saddened by the ills that disfigure it (and which, more than once, come from ourselves), is too subtle for the parade barkers, convinced that fawning servilely in the lap of the dear little country is the best way to serve it, when in fact it is a rather dishonourable kind of spoiled-child behaviour. In general, the professionals of jingoistic rhetoric are, rather, people without identity, incapable of truly constructive deeds and, precisely for that reason, eager to save themselves by identifying with prouder ancestors. Gigi taken by himself is nothing. But Gigi as a "descendant" of Stephen the Great, or as a cousin of Brâncuși, begins to believe that he exists… Read more: adev.ro/n53au0
  10. [h=1]Reverse DOM XSS[/h]
      by Pedro Laguna on May 4, 2014

      I recently came up with an idea about how to exploit a DOM XSS vulnerability that might be worth sharing here, so others can use this trick, adapt it and defeat some poor filters with a little JavaScript and some creativity.

      During an engagement I found a piece of code similar to this one:

      <a href="#" onclick="goToWebsite(this, 'url', '/ShowInfo.php?id=[INJECTION]&category=CARS');">

      The code behind goToWebsite was something like this:

      function goToWebsite(e, param, base) {
          window.location = base + param + "=" + actionURL.value;
      }

      It's a very clear example of DOM XSS where we can control the flow of the page using the window.location element. But why wasn't it a reflected XSS? Well, they had some filters in place. Double quotes ( '"' ), brackets ( '<' and '>' ) and even the semicolon ( ';' ) were filtered, so we couldn't escape from the injection point and had to dig deeper into the goToWebsite function to find our way into executing arbitrary JavaScript. Luckily for us we were still allowed to use some characters that were necessary for this trick, like parentheses ( '(' and ')' ), quotes ( ''' ) and dots ( '.' ).

      For a DOM XSS attack we need to modify the address where window.location is going to navigate and make it go to the javascript: URL handler. But in this case we couldn't write it directly, as the injection is happening in the middle of a string which contains a reference to a relative URL: "/ShowInfo.php?id="

      How do we overcome this problem? Well, we cannot escape from the function call, but as we can insert quotes and parentheses we can modify the string that is received by the goToWebsite function like this:

      <a href="#" onclick="goToWebsite(this, 'url', '/ShowInfo.php?id='.split('').reverse().join('').concat('&category=CARS');">

      These functions (split, reverse and join) will reverse the string '/ShowInfo.php?id=' to be '=di?php.ofnIwohS/'. And we are using concat to make the code valid; as it's at the end of the result string we don't care about modifying it.

      So now we need to insert our payload, the classic alert(1):

      <a href="#" onclick="goToWebsite(this, 'url', '/ShowInfo.php?id=//)1(trela:tpircsavaj'.split('').reverse().join('').concat('&category=CARS');">

      Now, if we execute that code, the resulting string will be:

      javascript:alert(1)//=di?php.ofnIwohS/&category=CARS

      Perfe… wait! What's this? The code is not being executed! We have managed to insert our JavaScript payload at the beginning of the string passed to window.location, but the code is not being executed. A closer look at the generated code on the page revealed the mystery:

      %2f%2f)1(trela%3Atpircsavaj'.split('').reverse().join('').concat('

      Key characters such as the slash ( '/' ) and the colon ( ':' ) were encoded, so our code wasn't able to execute. Time to think about how to bypass the encoding of these characters.

      JavaScript has the ability to replace a character inside a string like replace('old', 'new'), so I thought I could use String.fromCharCode to bypass the character limitations and make my code execute, replacing '/' and ':' with two other characters that are not URL-encoded, like '~' and '+', but there was a problem: the comma character was also URL-encoded, so I couldn't use the replace function.

      Time for the second trick! Apparently, in JavaScript, you can split a string by a character and then use another character to join the strings together, like this:

      'abc-def'.split('-').join('!')

      After being executed this will render abc!def. The best part? We are not using any forbidden characters! Just again our old friends quotes and parentheses.

      If we put everything together we have something like this in order to exploit this DOM XSS bug:

      ~~)1(trela+tpircsavaj'.split('').reverse().join('').split('~').join(String.fromCharCode(47)).split('+').join(String.fromCharCode(58))).concat('

      That way I was able to execute JavaScript code in this particular scenario without using any forbidden character. I am pretty sure you will not find yourself in this exact situation in the future, but hopefully you can use these two little tricks someday!

      Source: Reverse DOM XSS | Pentura Labs's Blog
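The post's lesson for the defender is that filtering characters at the injection point did nothing for the sink: goToWebsite concatenated whatever it received into window.location, so once the reversed string evaluated to a javascript: URL the navigation executed it. The following is an added example, not code from the Pentura post or from the application it describes: it models that sink next to a hardened version that parses the candidate target, allows only http(s) on the page's own origin, and adds the user-supplied parameter through the URL API so it is encoded. PAGE_ORIGIN, the function names and the sample bases are constructed; RESOLVED_PAYLOAD is the string the post shows reaching window.location.

```javascript
// Added example (not from the original post): the goToWebsite sink as the
// post describes it, next to a hardened replacement. All names are hypothetical.
const PAGE_ORIGIN = "https://shop.example";   // constructed origin for the URL parser

// Vulnerable sink: whatever string reaches `base` becomes the navigation
// target, so a value that resolves to a javascript: URL is executed.
function vulnerableTarget(base, param, value) {
  return base + param + "=" + value;
}

// Hardened sink: parse the candidate, accept only http(s) on this origin,
// then attach the user-supplied parameter via URLSearchParams (encoded).
function safeTarget(base, param, value) {
  let url;
  try {
    url = new URL(base, PAGE_ORIGIN);
  } catch (err) {
    return null;                                   // unparsable: do not navigate
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return null;                                   // javascript:, data:, vbscript: ...
  }
  if (url.origin !== PAGE_ORIGIN) {
    return null;                                   // protocol-relative //other.host/...
  }
  url.searchParams.set(param, value);              // value cannot change scheme or path
  return url.pathname + url.search;                // same-origin, relative target only
}

// What the post's payload evaluates to once split/reverse/join have run
// (taken from the post). The original filter blocked only double quotes,
// angle brackets, semicolons and, later, slash, colon and comma; it never
// looked at the scheme of the final string.
const RESOLVED_PAYLOAD = "javascript:alert(1)//=di?php.ofnIwohS/&category=CARS";
const NORMAL_BASE = "/ShowInfo.php?id=42&category=CARS";   // constructed benign base

console.log(vulnerableTarget(RESOLVED_PAYLOAD, "url", "x")); // javascript:alert(1)//=di?php.ofnIwohS/&category=CARSurl=x
console.log(safeTarget(RESOLVED_PAYLOAD, "url", "x"));       // null
console.log(safeTarget("//evil.example/x", "url", "x"));     // null
console.log(safeTarget(NORMAL_BASE, "url", "x"));            // /ShowInfo.php?id=42&category=CARS&url=x
```

The scheme and origin checks are what close the bug; the character filter is irrelevant to them, which is why the post's reversal and split/join tricks have nothing left to bypass. In a real page the base should also not come from attacker-influenced markup at all, but validating at the sink is the check that holds regardless of how the string was built.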
  11. New Flash Player 0-day (CVE-2014-0515) used in watering-hole attacks
      Vyacheslav Zakorzhevsky, Kaspersky Lab Expert

      In mid-April we detected two new SWF exploits. After some detailed analysis it was clear they didn't use any of the vulnerabilities that we already knew about. We sent the exploits off to Adobe and a few days later got confirmation that they did indeed use a 0-day vulnerability that was later labeled as CVE-2014-0515. The vulnerability is located in the Pixel Bender component, designed for video and image processing.

      We received a sample of the first exploit on April 14, while a sample of the second came on April 16. The first exploit was initially recorded by KSN on April 9, when it was detected by a generic heuristic signature. There were numerous subsequent detections on April 14 and 16. In other words, we succeeded in detecting a previously unknown threat using heuristics.

      According to KSN data, these exploits were stored as movie.swf and include.swf at an infected site. The only difference between the two pieces of malware is their shellcodes. It should be noted that the second exploit (include.swf) wasn't detected using the same heuristic signature as the first, because it contained a unique shellcode.

      Each exploit comes as an unpacked flash video file. The ActionScript code inside was neither obfuscated nor encrypted. As is usually the case with this kind of exploit, the first stage is a heap spray - preparing the dynamic memory for exploitation of the vulnerability. The exploits are also designed to check the OS version. If Windows 8 is detected, a slightly modified byte-code of the Pixel Bender component is used.

      [Figure: a fragment of the vulnerable Pixel Bender code (the data in the red box is changed according to system version)]
      [Figure: fragment of the decompiled exploit code]

      Next comes the actual exploitation of the vulnerability, namely modification of one of the indices in the table of methods/virtual functions. Interestingly, both exploits have two shellcodes. The first is similar in both applications; it is quite short and prepares the memory for the successful functioning of the second shellcode.

      [Figure: a fragment of the first shellcode debugged in WinDBG]

      Firstly, the current memory is marked as read, write and execute with the API function VirtualProtect, and then additional memory is allocated using VirtualAlloc. The second shellcode is copied to this memory and control is transferred to it. The initialization of API functions and the transfer of control to the second shellcode appear in red boxes in the screenshot above.

      The exploits' second shellcodes differ significantly. The exploit that we detected first has a standard shellcode (movie.swf). It performs a search of system libraries in the memory, and then downloads and runs the payload. Unfortunately, the link turned out to be inactive at the time of our research.

      [Figure: fragment of the movie.swf exploit's second shellcode responsible for the download and launch of the payload]

      In the other exploit - include.swf - the second shellcode was unusual. It receives the base DLL address for flash10p.ocx, searches it for specific fragments and interacts with ciscompeaddin5x0 - Cisco MeetingPlace Express Add-In version 5x0. This add-in is used by web-conference participants to view documents and images from the presenter's screen. It should be noted that the exploit will not work if the required versions of Adobe Flash Player ActiveX and Cisco MPE are not present on the system.

      [Figure: fragment of the include.swf exploit's second shellcode]

      It appears that part of the information for the exploit include.swf is passed on from outside. According to KSN data, the referer to include.swf points to another SWF file: stream.swf. At the same time, the referer of the first exploit - movie.swf - points to index.php located in the same folder as the exploit (see below). We couldn't establish the exact payload of the exploit include.swf due to a lack of data relayed from the landing page and/or other exploits. We are sure that all these tricks were used in order to carry out malicious activity against a very specific group of users without attracting the attention of security solutions. We believe that the Cisco add-in mentioned above may be used to download/implement the payload as well as to spy directly on the infected computer.

      Both the exploits detected by us spread from a site at jpic.gov.sy. The site was launched back in 2011 by the Syrian Ministry of Justice and was designed as an online form for citizens to complain about law and order violations. We believe the attack was designed to target Syrian dissidents complaining about the government. The site was hacked in September 2013, something the alleged hacker announced on his twitter account. The link to these exploits is as follows: http://jpic.gov.sy/css/images/_css/***********. When we entered the site, the installed malware payloads were already missing from the "_css" folder. We presume the criminals created a folder whose name doesn't look out of place on an administration resource, and where they loaded the exploits. The victims were probably redirected to the exploits using a frame or a script located at the site.

      To date, April 28, the number of detections by our products has exceeded 30. They were detected on the computers of seven unique users, all of them in Syria, which is not surprising considering the nature of the site. Interestingly, all the attacked users entered the website using various versions of Mozilla Firefox.

      It's likely that the attack was carefully planned and that professionals of a pretty high caliber were behind it. The use of professionally written 0-day exploits that were used to infect a single resource testifies to this. Moreover, while the first exploit is pretty standard and can infect practically any unprotected computer, the second exploit (include.swf) only functions properly on computers where Adobe Flash Player 10 ActiveX and Cisco MeetingPlace Express Add-In are installed. The Flash Player Pixel Bender component, which Adobe no longer supports, was used as the attack vector. The authors were counting on the developers not finding a vulnerability in that component and that the exploit would remain active for longer. All this suggests that the attackers were not targeting users en masse.

      We detect such exploits by AEP technology as PDM:Exploit.Win32.Generic and by heuristics as HEUR:Exploit.SWF.CVE-2014-0515.gen.

      Source: https://www.securelist.com/en/blog/8212/New_Flash_Player_0_day_CVE_2014_0515_used_in_watering_hole_attacks
  12. [h=3]Windows Heap Overflow Exploitation[/h]
      Hi, in this article I will be talking about exploiting a custom heap: a big chunk of memory allocated by the usermode application, using VirtualAlloc for example. The application will then work on managing 'heap' block allocations and frees (in the allocated chunk) in a custom way, with complete ignorance of Windows's heap manager. This method gives the software much more control over its custom heap, but it can result in security flaws if the manager doesn't do its job properly; we'll see that in detail later.

      To see an implementation of a custom heap manager in C/C++ please refer to my previous blog post: Reverse Engineering 0x4 Fun: Creating and using your own 'heap' manager
      Heap Manager source code: [C++] Custom Heap Manager - Pastebin.com

      The vulnerability that we'll exploit together today is a 'heap' overflow vulnerability that's occurring in a custom heap built by the application. The vulnerable software is ZipItFast 3.0, and we'll be exploiting it today and gaining code execution under Windows 7. ASLR, DEP and SafeSEH aren't enabled by default in the application, which makes it even more reliable for us. Even so, there are still some painful surprises waiting for us... Let's just start.

      The Exploit:

      I've actually got the POC from exploit-db, you can check it right here: http://www.exploit-db.com/exploits/17512/
      Oh, and there's also a full exploit here: http://www.exploit-db.com/exploits/19776/

      Unfortunately, you won't learn much from the full exploitation since it will work only on Windows XP SP1. Why? Simply because it's using a technique that consists of overwriting the vectored exception handler node that exists at a static address under Windows XP SP1. Briefly, all you have to do is find a pointer to your shellcode (buffer) in the stack. Then take the stack address which points to your pointer, subtract 0x8 from that address and then perform the overwrite. When an exception is raised, the vectored exception handlers will be dispatched before any handler from the SEH chain, and your shellcode will be called using a CALL DWORD PTR DS:[ESI + 0x8] (ESI = stack pointer to the pointer to your buffer - 0x8). You can google the _VECTORED_EXCEPTION_NODE and check its elements.

      And why wouldn't this work under later versions of Windows? Simply because Microsoft became aware of the use of this technique, and now EncodePointer is used to encode the pointer to the handler whenever a new handler is created by the application, and then DecodePointer is called to decode the pointer before the handler is invoked.

      Okay, let's start building our exploit now from scratch. The POC creates a ZIP file with the largest possible file name; let's try it.

      N.B.: If you want to do some tests, execute the software from the command line as follows:
      Cmd :> C:\blabla\ZipItFast\ZipItFast.exe C:\blabla\exploit.zip
      Then click on the Test button in the program.

      Let's try executing the POC now: an access violation happens at 0x00401C76 trying to access an invalid pointer (0x41414141 in our case). Let's see the registers:

      Basically the FreeList used in this software is a circular doubly linked list similar to Windows's. The circular doubly linked list head is in the .bss section at address 0x00560478, and its flink and blink pointers are pointing to the head (self pointers) when the custom heap manager is initialized by the software. I also didn't check the full implementation of the FreeList and the free/allocate operations in this software to see if they're similar to Windows's (bitmap, block coalescing, etc.). It's crucial also to know that in our case the block is being unlinked from the FreeList because the manager had a 'request' to allocate a new block, and it was chosen as the best block for the allocation.

      Let's get back to analysing the crash:
      - First I would like to mention that we'll be calling the pointer to the Freelist Entry struct "entry".

      Registers state at 0x00401C76:
      EAX = entry->Flink
      EDX = entry->Blink
      [EAX] = entry->Flink->Flink
      [EAX+4] = entry->Flink->Blink (Next Block's Previous block)
      [EDX] = entry->Blink->Flink
      [EDX+4] = entry->Blink->Blink (Previous Block's Next block)

      Logically speaking: Next Block's Previous Block and Previous Block's Next Block are nothing but the current block. So the 2 instructions that do the block unlinking from the FreeList just:
      - Set the previous freelist entry's flink to the block entry's flink.
      - Set the next freelist entry's blink to the block entry's blink.

      By doing so, the block doesn't belong to the freelist anymore and the function simply returns after that. So it'll be easy to guess what's happening here: the software allocates a static 'heap' block to store the name of the file, and it would have been best to allocate the block based on the filename length from the ZIP header (this could be a fix for the bug, but heap overflows might be found elsewhere; I'll propose a better method to fix, but not fully, this bug later in this article).

      Now, we know that we're writing past our heap block and thus overwriting the custom metadata of the next heap block (flink and blink pointers). So we'll need to find a reliable way to exploit this bug, as the 2 unlinking instructions are the only ones available to us and we control both EAX and EDX. (If it's not possible in another case you can see if there are other close instructions that might help.) You can think of overwriting the return address or the pointer to the structured exception handler, as we have a stack that won't be rebased after reboot. This might be a working solution in another case where your buffer is stored in a static memory location. But under Windows 7 it's not the case: VirtualAlloc allocates a chunk of memory with a different base in each program run. In addition, even if the address was static, the location of the freed block that we overwrite varies. So in both cases we'll need to find a pointer to our buffer.

      The best place to look is the stack. Remember that the software is trying to unlink (allocate) the block that follows the block where we've written the name, so likely all near pointers in the stack (current and previous stack frame) are pointing to the newly allocated block (pointer to metadata). That's what we don't want, because the flink and blink pointers that we might set might not be valid opcodes and might cause exceptions, so all we need to do is try to find a pointer to the first character of the name and then figure out how to use this pointer to gain code execution; this pointer might be in previous stack frames.

      And here is a pointer pointing to the beginning of our buffer, 3 stack frames away:

      Remember that 0x01FB2464 will certainly be something else when restarting the program, but the pointer 0x0018F554 is always static, even when restarting the machine. So when I was at this stage, I started thinking and thinking about a way that would help me redirect execution to my shellcode, which is for sure at the address pointed to by 0x0018F554, using only what's available to me:
      - Controlled registers: EAX and EDX.
      - Stack pointer to a dynamic buffer pointer.
      - 2 unlinking instructions.
      - No stack rebase.

      Exploiting the vulnerability and gaining code execution:

      And then I thought, why wouldn't I corrupt the SEH chain and create a fake frame? Because when trying to corrupt an SEH chain there are 3 things that you must know:
      - SafeSEH and SEHOP are absent.
      - Have a pointer to an existing SEH frame.
      - Have a pointer to a pointer to the shellcode.

      The pointer to the shellcode will be treated as the handler, and the value pointed to by ((ptr to ptr to shellcode) - 0x4) will be treated as the pointer to the next SEH frame. Let's illustrate the act of corrupting the chain (with a silly illustration, sorry):

      Let me explain: we need to achieve our goal by using these 2 instructions, right?
      MOV [EDX], EAX
      MOV [EAX+4], EDX

      We'll need 2 pointers and we control 2 registers, but which pointer to give to which register? This must not be a random choice, because you might overwrite the pointer to the shellcode if you chose EAX as a pointer to your fake SEH frame. So we'll need to do the reverse, but with the precaution of not overwriting anything critical. In addition, we actually don't care about the value of "next SEH frame" of our fake frame. So our main goal is to overwrite the "next SEH frame" pointer of an existing frame; to do so we need to have a pointer to our fake frame in one of the 2 registers. As [EAX+4] will overwrite the pointer to the buffer if used as a pointer to the fake SEH frame, we will use EDX instead. We must also not overwrite the original handler pointer, because it will be executed first to try to handle the exception; if it fails, then our fake handler (shellcode) will be invoked.

      So:
      EDX = &(pointer to shellcode) - 0x4 = Pointer to Fake "Next SEH frame" element. EDX must reside in the next frame field of the original frame, which is [EAX+4].
      And EAX = SEH Frame - 0x4.

      Original Frame after overwrite:
      Pointer to next SEH: Fake Frame
      Exception Handler: Valid Handler

      Fake Frame:
      Pointer to next SEH: (Original Frame) - 0x4 (we just don't care about this one)
      Exception Handler: Pointer to shellcode

      The SEH frame I chose is at 0x0018F4B4. So: EAX = 0x0018F4B4 - 0x4 = 0x0018F4B0 and EDX = 0x0018F554 - 0x4 = 0x0018F550.

      When the overwrite is done the function will return normally to its caller, and all we have to do now is wait for an exception to occur. An exception will occur after a dozen instructions, as the metadata is badly corrupted. The original handler will be executed, but it will fail to handle the access violation, and then our fake handler will be called, which is the shellcode.

      Making the exploit work:

      Now all we need to do is calculate the length between the 1st character of the name and the flink and blink pointers, and then insert our pointers in the POC.

      Inserting the shellcode: the space between the starting address of the buffer and the overwritten heap metadata is not so large, so it's best to put an unconditional jump at the start of our buffer to jump past the overwritten flink and blink pointers and then put the shellcode just after the pointers. As we can calculate the length, this won't cause any problem.

      Final exploit here: [Perl] ZipItFast Heap Overflow - Pastebin.com

      I chose a bind shellcode, which opens a connection on (0.0.0.0:4444). Let's try opening the ZIP file using ZipItFast and then check "netstat -an | find "4444"": Bingo!

      A fix for this vulnerability?

      The method I stated before, which consists of allocating the block based on the filename length from the ZIP headers, can only be valid to fix the vulnerability in this case, but what if the attackers were also able to cause an overflow elsewhere in the software? The best way to fix the bug is this: when a block is about to be allocated and it's about to be unlinked from the Freelist, the first thing that must be done is checking the validity of the doubly linked list. To do so, safe unlinking must be performed, which was introduced in later versions of Windows. Safe unlinking is done the following way:

      if (entry->flink->blink != entry || entry->blink->flink != entry) {
          // Fail: Freelist corrupted, exit process
      } else {
          // Unlink, then return the block to the caller
      }

      Let's see how safe unlinking is implemented under Windows 7. The function that we'll look at is RtlAllocateHeap, exported by ntdll.

      Even if this method looks secure, there is some research published online that describes weaknesses of this technique and how it can be bypassed. I also made sure to implement this technique in my custom heap manager (line 86), link above.

      I hope that you've enjoyed reading this paper. See you again soon, Souhail Hammou.

      Source: Reverse Engineering 0x4 Fun: Windows Heap Overflow Exploitation
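The two unlinking instructions the post analyses, and the safe-unlinking check it proposes as the fix, can be run side by side without a debugger. The following is an added example, not the post's code nor ZipItFast's: memory is modelled as an array of words so that a FreeList entry at address a keeps its flink at a and its blink at a + 1, mirroring [EAX] and [EAX+4] above. The heap layout (head at 100, blocks at 200, 300 and 400), the two "stack" words standing in for the SEH-frame fields the post targets, and all function names are constructed for the demonstration; the overflow is simulated by overwriting block 300's flink and blink directly.

```javascript
// Added example (not from the original post or ZipItFast): a word-addressed
// memory model of the custom FreeList, the unchecked unlink at the crash
// site, and the safe-unlinking check. All addresses and names are constructed.

// Build a circular doubly-linked FreeList: head->flink/blink start as self
// pointers, and each block is appended at the tail.
function makeHeap(headAddr, blockAddrs) {
  const mem = new Array(1024).fill(0);
  mem[headAddr] = headAddr;        // head->flink = head
  mem[headAddr + 1] = headAddr;    // head->blink = head
  for (const e of blockAddrs) {
    const last = mem[headAddr + 1];
    mem[e] = headAddr;             // e->flink = head
    mem[e + 1] = last;             // e->blink = last
    mem[last] = e;                 // last->flink = e
    mem[headAddr + 1] = e;         // head->blink = e
  }
  return mem;
}

// The two instructions at 0x00401C76, with EAX = entry->flink and
// EDX = entry->blink:   MOV [EDX],EAX ; MOV [EAX+4],EDX
function unsafeUnlink(mem, entry) {
  const eax = mem[entry];
  const edx = mem[entry + 1];
  mem[edx] = eax;                  // blink->flink = flink
  mem[eax + 1] = edx;              // flink->blink = blink
}

// Safe unlinking: both neighbours must still point back at the entry;
// otherwise the list is corrupted and the allocation is refused.
function safeUnlink(mem, entry) {
  const flink = mem[entry];
  const blink = mem[entry + 1];
  if (mem[flink + 1] !== entry || mem[blink] !== entry) {
    return false;                  // caller should abort the process here
  }
  mem[blink] = flink;
  mem[flink + 1] = blink;
  return true;
}

// Walk the list from the head and return the block addresses on it.
function listEntries(mem, headAddr) {
  const out = [];
  for (let cur = mem[headAddr]; cur !== headAddr; cur = mem[cur]) out.push(cur);
  return out;
}

const HEAD = 100;
const BLOCKS = [200, 300, 400];
// Two words standing in for the stack fields the post overwrites (an SEH
// frame and the slot next to the shellcode pointer); sentinels show writes.
const TARGET_A = 500;
const TARGET_B = 600;

// The file-name overflow from block 200 runs into block 300's metadata and
// replaces its flink/blink with chosen addresses (simulated directly).
function corruptedHeap() {
  const mem = makeHeap(HEAD, BLOCKS);
  mem[TARGET_A + 1] = 0xbeef;      // constructed sentinel
  mem[TARGET_B] = 0xdead;          // constructed sentinel
  mem[300] = TARGET_A;             // overwritten flink (becomes EAX)
  mem[300 + 1] = TARGET_B;         // overwritten blink (becomes EDX)
  return mem;
}

// Without the check, the unlink performs two writes at the chosen addresses.
function uncheckedResult() {
  const mem = corruptedHeap();
  unsafeUnlink(mem, 300);
  return { atTargetB: mem[TARGET_B], atTargetAPlus4: mem[TARGET_A + 1] };
}

// With the check, the corrupted entry is refused and both targets keep their
// sentinels, while the same operation on an intact heap still succeeds.
function checkedResult() {
  const corrupted = corruptedHeap();
  const accepted = safeUnlink(corrupted, 300);
  const intact = makeHeap(HEAD, BLOCKS);
  const intactAccepted = safeUnlink(intact, 300);
  return {
    accepted,
    atTargetB: corrupted[TARGET_B],
    atTargetAPlus4: corrupted[TARGET_A + 1],
    intactAccepted,
    remaining: listEntries(intact, HEAD),
  };
}

console.log(uncheckedResult());  // { atTargetB: 500, atTargetAPlus4: 600 }
console.log(checkedResult());    // { accepted: false, atTargetB: 57005, atTargetAPlus4: 48879, intactAccepted: true, remaining: [ 200, 400 ] }
```

The unchecked run reproduces the primitive the post relies on: the word at EDX receives EAX and the word at EAX + 4 receives EDX, both chosen by whoever controls the overflowed metadata. The checked run shows why the fix works even when the overflow happens somewhere else in the program: the two neighbours named by the corrupted pointers do not point back to the entry, so the allocator refuses before any write happens, and the post's note about published bypasses is the reason this check should be paired with bounds-correct allocation rather than replace it.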
  13. [h=1]Let's Write Some X86-64[/h]
      This is a beautiful quote, one that I think truly captures the relationship between higher level languages and the Instruction Set Architecture (ISA)'s machine code, though this is from the angle of controlling the machine with its implementation-specific quirks, which can detract from what you're actually trying to do. This blog is meant for those who don't know x86-64 assembly, but maybe know a little C, and are curious about code generation. Or maybe if you've ever tried to hand-write x86-64 assembly and got stuck trying to understand the tooling or seemingly random segfaults from what appears to be valid instructions.
      Article: https://nickdesaulniers.github.io/blog/2014/04/18/lets-write-some-x86-64/
  14. [h=2]Volafox Mac OS X Memory Analysis Toolkit[/h]
      May 4th, 2014, Mourad Ben Lakhoua

      Volafox is an open source toolkit that you can use for Mac OS X and BSD forensics. The tool is Python based and allows investigating security incidents and finding information about malware and any malicious program on the system. A security analyst can obtain the following information using this tool:
      • Mac kernel version, CPU and memory specification
      • Mounted filesystems
      • Kernel Extensions listing
      • Process listing
      • Task listing (finding process hiding)
      • Syscall table (hooking detection)
      • Mach trap table (hooking detection)
      • Network socket listing (hash table)
      • Open files listing by process
      • Show boot information
      • EFI System Table, EFI Runtime Services
      • Print a hostname

      You can download the tool at the following link: https://code.google.com/p/volafox/
      Source: Volafox Mac OS X Memory Analysis Toolkit | SecTechno
  15. [h=2]LiME – Linux Memory Extractor[/h]January 19th, 2014 Mourad Ben Lakhoua Mobile platform security tools are increasing and we have more open source tools that allow to conduct forensic analyses on phone devices. if you want to investigate Android operating system you can use LiME. LiME (formerly DMD) allows to investigate file system from memory or over network, this can be used to have a full memory capture to see if there are abnormal process or services that have been used in a previous attack. Working on the system during the analyses is not recommended as this may modify file system so LiME minimizes the interaction between user and kernel space processes during acquisition, which allows it to produce memory dumps that are more forensically sound than those of other tools designed for Linux memory acquisition. To have the memory over TCP tunnel we need to first make the device listen on specified port which we connect from our host. when the host connect to the socket it will automatically start to get the RAM image to the host for analysis. On the host computer, we connect to this port with netcat and redirect output to a file. You can download the tool on the following link: lime-forensics - LiME - Linux Memory Extractor - Google Project Hosting Sursa: LiME – Linux Memory Extractor | SecTechno
  16. [h=2]DSploit Android Toolkit for Security Testing[/h]April 20th, 2014 Mourad Ben Lakhoua dSploit is a very comfortable tool that you can install on Android to run a pentest or network security assessment. The toolkit allows fingerprinting the remote operating systems and identifying different hosts, scans the network for system vulnerabilities and performing MITM to sniff sensitive information such as user’s password. The features included in dSploit are: WiFi Scanning & Common Router Key Cracking Deep Inspection Vulnerability Search Multi Protocol Login Cracker Packet Forging with Wake On Lan Support HTTPS/SSL Support ( SSL Stripping + HTTPS -> Redirection ) MITM Real-time Network Stats MITM Multi Protocol Password Sniffing MITM HTTP/HTTPS Session Hijacking MITM HTTP/HTTPS Hijacked Session File Persistence MITM HTTP/HTTPS Real-time Manipulation MITM module screenshot from dSploit (click to enlarge) The toolkit will help security officer or penetration tester to demonstrate how it is possible to exploit vulnerabilities and take control on targeted systems. The team have officially announced that they have a new nightly builds that you can download over this link: http://update.dsploit.net/nightly
  17. [h=2]Watcher Web passive vulnerability scanner[/h]September 29th, 2013 Mourad Ben Lakhoua Web applications are one of the most targeted systems as they are directly exposed to the internet. There is no web server without serious vulnerabilities; it is enough that you open exploit DB, where you will find how simple it is to exploit vulnerable CMS or web applications. Hackers are often searching for and finding those bugs where incorrect code may leak some very sensitive information; in the end developers are people and they often make some incautious mistakes. Developers are mostly looking to have more functionality to increase usability, and as you add that functionality you need to add more code, which may lead to more vulnerabilities. That's why you need to conduct penetration testing on a periodic basis to detect those bugs. During a pentest you can try Watcher. Watcher is an open source tool that can be a good addition to your penetration testing toolkit. It will passively scan the web applications, searching for some serious vulnerabilities in the user input fields. First you start by installing Fiddler, a proxy framework to integrate Watcher. Next you just open in the browser the website you need to verify, where you can find important information by severity (high, medium or low), an online reference for the security issue and how to fix the bug; you can also export the results to an HTML or XML report. Screenshot for Watcher (click to enlarge). Watcher is developed using C# and contains more than 30 checks to perform the vulnerability assessment against your target. This will be part of your evaluation project and it is extremely fast at finding the security issues. You can download the latest release on the following link: Watcher: Web security testing tool and passive vulnerability scanner - Home Sursa: Watcher Web passive vulnerability scanner | SecTechno
  18. [h=2]Weevely 1.1 – PHP Webshell[/h]June 16th, 2013 Mourad Ben Lakhoua Weevely is a PHP webshell that provides an SSH-like connection to manage a website remotely. It can be used as a backdoor system for a PoC during a pentest or as a web shell to manage legitimate web accounts. The shell consists of more than 30 modules to automate both administrative and post-operational tasks, including: Execute commands and browse the remote filesystem, even with PHP security restrictions; Audit common server misconfigurations; Run an SQL console pivoting on the target machine; Proxy your HTTP traffic through the target; Mount the target filesystem to a local mount point; Simple file transfer from and to the target; Spawn reverse and direct TCP shells; Bruteforce SQL accounts through the target system; Run port scans from the target machine. First of all the penetration tester needs to generate the PHP backdoor file with the connection password. Next, upload the weevely.php file generated by the tool to the webserver; Weevely will automatically detect the best way to execute the commands on the targeted system. Weevely communications are hidden in HTTP Cookies and obfuscated to bypass NIDS signature detection. If you are using Backtrack you can find the tool already integrated under /pentest/web/backdoors/. It is also possible to find it on BackBox. To download and use Weevely make sure to follow this link. Sursa: Weevely 1.1 – PHP Webshell | SecTechno
  19. [h=2]HookME 0.2 – API Spying Tool[/h]April 28th, 2013 Mourad Ben Lakhoua Hooking API calls on an operating system allows intercepting useful information. A new release of HookMe has been issued to add more stability to the application, a way to choose which API functions to hook and some fixes to the program. HookMe provides a nice graphical user interface allowing you to change the packet content in real time, dropping or forwarding the packet. It also has a Python plugin system to extend the HookMe functionality. HookME application interface (click to enlarge). The tool can be used perfectly in penetration testing for analyzing and modifying network protocols, creating some type of malware or backdoor PoC embedded into network protocols, hooking the API calls for sending and receiving network data (even SSL clear data), or investigating any rootkit that is hooking API calls. You can download the latest version of HookMe over this link: https://code.google.com/p/hookme/ Sursa: HookME 0.2 – API Spying Tool | SecTechno
  20. [h=2]Fino Android Security Assessment Tool[/h]February 2nd, 2014 Mourad Ben Lakhoua Security assessment tools have several ways for conducting the technical analyses. Fino is another program that you can use to run dynamic analyses for Android based application. The tool allows injecting services in the application for controlling and monitoring the change. The android application we want to verify will be running in emulator that is called gadget or what we call usually a sandbox and dynamically verify all changes on the system. Next it is possible to run python scripts to get or modify the services. You may get all target activities by running “activities =app.find(‘android.app.Activity’)“ the idea of monitoring services with the injection can make you monitor the application from inside and you will have details about the android application with more accurate results. Fino design in the slide deck the full pdf file over here: http://events.ccc.de/congress/2012/Fahrplan/attachments/2237_SmallFootprintInspectionAndroid-slides.pdf You can download Fino on the following link: https://github.com/sysdream/fino Sursa: Fino Android Security Assessment Tool | SecTechno
  21. [h=2]Fuzzware 1.5- Fuzzing Tool[/h]March 2nd, 2014 Mourad Ben Lakhoua Fuzzing is a process that is used during a penetration testing to find out if the application is vulnerable, the process come by sending incorrect data to the targeted application in order to cause a failure or an error situation that security analyst will use as a PoC in their report. Fuzzware is a generic fuzzing framework that can be considered for such operation. Fuzzware UI (click to enlarge) Fuzzware allows to make testcases as required: fuzz a file format such as XML file. fuzz network protocol or a network service by sending a predefined network packets. fuzz an interface that you need to test including web services. you can define a custom input that is coming from a code. You can download Fuzzware 1.5 over this link: download Sursa: Fuzzware 1.5- Fuzzing Tool | SecTechno
  22. https://rstforums.com/proiecte/LikePwnerChromeExtension.crx
  23. Cracking MD5, phpBB, MySQL and SHA1 passwords Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat, cudaHashcat, oclHashcat on Kali Linux Hashcat or cudaHashcat is the self-proclaimed world’s fastest CPU-based password recovery tool. Versions are available for Linux, OSX, and Windows and can come in CPU-based or GPU-based variants. Hashcat or cudaHashcat currently supports a large range of hashing algorithms, including: Microsoft LM Hashes, MD4, MD5, SHA-family, Unix Crypt formats, MySQL, Cisco PIX, and many others. Contents Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat, cudaHashcat, oclHashcat on Kali Linux My Setup NVIDIA Users: AMD Users: [*]Getting hashes: [*]Cracking hashed MD5 passwords MD5 cracking using hashcat and cudahashcat [*]Cracking hashed MD5 – phpBB passwords MD5 – phpBB cracking using hashcat and cudahashcat [*]Cracking hashed MySQL passwords MySQL hashed password cracking using hashcat and cudahashcat [*]Cracking hashed SHA1 passwords SHA1 password cracking using hashcat and cudahashcat [*]Location of Cracked passwords [*]Creating HASH’es using Kali [*]Conclusion [*]Google+ Hashcat or cudaHashcat comes in two main variants: Hashcat – A CPU-based password recovery tool oclHashcat or cudaHashcat – A GPU-accelerated tool Many of the algorithms supported by Hashcat or cudaHashcat can be cracked in a shorter time by using the well-documented GPU-acceleration leveraged in oclHashcat or cudaHashcat (such as MD5, SHA1, and others). However, not all algorithms can be accelerated by leveraging GPUs. Hashcat or cudaHashcat is available for Linux, OSX and Windows. oclHashcat or cudaHashcat is only available for Linux and Windows due to improper implementations in OpenCL on OSX. My Setup My setup is simple. I have a NVIDIA GTX 210 Graphics card in my machine running Kali Linux 1.0.6 and will use rockyou dictionary for this whole exercise. 
In this post, I will show How to crack few of the most common hashes MD5 MD5 – phpBB MySQL and SHA1 I will use 2 commands for every hash, hashcat and then cudahashcat. Because I am using a NVIDIA GPU, I get to use cudaHashcat. If you’re using AMD GPU, then I guess you’ll be using oclHashcat. Correct me if I am wrong here! Before you enable GPU Cracking, I’ve spent last few months writing guides on how to enable those features in Kali Linux. NVIDIA Users: Install proprietary NVIDIA driver on Kali Linux – NVIDIA Accelerated Linux Graphics Driver Install NVIDIA driver kernel Module CUDA and Pyrit on Kali Linux – CUDA, Pyrit and Cpyrit-cuda AMD Users: Install AMD ATI proprietary fglrx driver in Kali Linux 1.0.6 Install AMD APP SDK in Kali Linux Install Pyrit in Kali Linux Install CAL++ in Kali Linux AMD is currently much faster in terms of GPU cracking, but then again it really depends on your card. You can generate more hashes or collect them and attempt to crack them. Becuase I am using a dictionary, (it’s just 135MB), I am limited to selection number of passwords. The bigger your dictionary is, the more you’ll have success cracking an unknown hash. There are other ways to cracking them without using Dictionary (such as RainBow Tables etc.). I will try to cover and explain as much I can. Advanced users, I’m sure you already know these, so I would appreciate constructive comments. As always, read the manual and help file before you ask for help. Most of the things are covered in manuals and wiki available in www.hashcat.net. A big thanks goes to the Hashcat or cudaHashcat Dev team, they are the ones who created and maintained this so well. Cudos!. Getting hashes: First of all, we need to get our hashes. You can download hash generator applications, but there’s online sites that will allow you to create them. I will use InsidePro who kindly created a page that allows you create hashes on the fly and it’s publicly available. 
Visit them and feel free to browse their website to understand more about hashes. The password I am using is simple: abc123 All you need to do is enter this in password field of this page Hash Generator and click on generate. Cracking hashed MD5 passwords From the site, I copied the md5 hashed password and put it into a file. vi md5-1.txt cat md5-1.txt MD5 cracking using hashcat and cudahashcat Now it’s simple, I just typed in the following command and it took few seconds. hashcat -m 0 -a 0 /root/md5-1.txt /root/rockyou.txt Similarly, I can use cudahashcat. cudahashcat -m 0 -a 0 /root/md5-1.txt /root/rockyou.txt Cracking hashed MD5 – phpBB passwords From the site, copy the phpBB hashed password and put it into a file. vi md5phpbb-1.txt cat md5phpbb-1.txt What I didn’t explain in previous section, is that how do you know who mode to use or which attack code. You can type in hashcat --help or cudahashcat --help and read through it. Because I will stick with attack mode 0 (Straight Attack Mode), I just need to adjust the value for -m where you specify which type of hash is that. hashcat --help | grep php So it’s 400 MD5 – phpBB cracking using hashcat and cudahashcat Let’s adjust our command and run it. hashcat -m 400 -a 0 /root/md5phpbb-1.txt /root/rockyou.txt and cudahashcat cudahashcat -m 400 -a 0 /root/md5phpbb-1.txt /root/rockyou.txt Cracking hashed MySQL passwords Similar step, we get the file from the website and stick that into a file. vi mysql-1.txt cat mysql-1.txt NOTE: *6691484EA6B50DDDE1926A220DA01FA9E575C18A <– this was the hash from the website, remove * from this one before you save this hash. First of all let’s find out the mode we need to use for MYSQL password hashes. 
hashcat --help | grep My

Ah, I'm not sure which one to use here …

MySQL hashed password cracking using hashcat and cudahashcat

I'll try 200 and see how that goes …

hashcat -m 200 -a 0 /root/mysql-1.txt /root/rockyou.txt

Nope, not good. Let's try 300 this time…

hashcat -m 300 -a 0 /root/mysql-1.txt /root/rockyou.txt

and cudahashcat

cudahashcat -m 300 -a 0 /root/mysql-1.txt /root/rockyou.txt

Cracking hashed SHA1 passwords

Similar step, we get the hash from the website and stick that into a file.

vi sha1-1.txt
cat sha1-1.txt

Let's find out the mode we need to use for SHA1 password hashes.

hashcat --help | grep SHA1

SHA1 password cracking using hashcat and cudahashcat

We already know what to do next…

hashcat -m 100 -a 0 /root/sha1-1.txt /root/rockyou.txt

and cudahashcat

cudahashcat -m 100 -a 0 /root/sha1-1.txt /root/rockyou.txt

Location of Cracked passwords

Hashcat or cudaHashcat saves all recovered passwords in a file. It will be in the same directory you've run Hashcat or cudaHashcat or oclHashcat from. In my case, I've run all commands from my home directory, which is the /root directory.

cat hashcat.pot

Creating HASH'es using Kali

As always, great feedback from zimmaro, Thanks. See his comment below (I've removed IP and email details for obvious reasons). Dude got some massive screen!!! 1920×1080 16:9 HD 1080p!!!

zimmaro_the_g0at <email truncated> <ip address truncated>, submitted on 2014/03/30 at 2:43 am: "all always (our-friend): excellent explanation and thank you for sharing your knowledge / experiences. PS: if I may, some basic hashes can be generated directly with our KALI" (screenshot: ImagesTime.com-hash.PNG)

Conclusion

This guide is here to show you how you can crack passwords using simple attack mode. You might ask why I showed the same command over and over again! Well, by the end of this guide, you will never forget the basics. There's of course advanced usage, but you need to have strong basics. 
I would suggest to read Wiki and Manuals from www.hashcat.net to get a better understanding of rule based attacks because that’s the biggest strength of Hashcat. The guys in Hashcat forums are very knowledgeable and know what they are doing. If you need to know anything, you MUST read manuals before you go and ask something. Usually RTFM is the first response … so yeah, tread lightly. Thanks for reading. Feel free to share this article. Sursa: Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linux | blackMORE Ops
  24. Cracking WPA WPA2 with Hashcat on Kali Linux (BruteForce MASK based attack on Wifi passwords) This entry was posted in Cracking How to Kali Linux Linux and tagged Cracking Hashcat How to Wifi on March 27, 2014 by blackMORE Ops. Cracking WPA WPA2 with Hashcat oclHashcat or cudaHashcat on Kali Linux (BruteForce MASK based attack on Wifi passwords) cudaHashcat or oclHashcat or Hashcat on Kali Linux got built-in capabilities to attack and decrypt or crack WPA WPA2 handshake .cap files. Only constraint is, you need to convert a .cap file to a .hccap file format. This is rather easy. Contents Cracking WPA WPA2 with Hashcat oclHashcat or cudaHashcat on Kali Linux (BruteForce MASK based attack on Wifi passwords) My Setup NVIDIA Users: AMD Users: [*]Why use Hashcat to crack WPA/WPA2 handshake file? Built-in charsets Numbered passwords Letter passwords – All uppercase Letter passwords – All lowercase Passwords – Lowercase letters and numbers Passwords – Uppercase letters and numbers Passwords – Mixed matched with uppercase, lowercase, number and special characters. Passwords – when you know a few characters [*]Capture handshake with WiFite [*]Cleanup your cap file using wpaclean [*]Convert .cap file to .hccap format [*]Cracking WPA/WPA2 handshake with Hashcat [*]Dictionary attack [*]Brute-Force Attack Sample: Sample .hcmask file [*]Location of Cracked passwords [*]Conclusion [*]Google+ My Setup I have a NVIDIA GTX 210 Graphics card in my machine running Kali Linux 1.0.6 and will use rockyou dictionary for most of the exercise. In this post, I will show How to crack WPA/WPA2 handshake file (.cap files) with cudaHashcat or oclHashcat or Hashcat on Kali Linux. I will use cudahashcat command because I am using a NVIDIA GPU. If you’re using AMD GPU, then I guess you’ll be using oclHashcat. Let me know if this assumptions is incorrect. To enable GPU Cracking, you need to install either CUDA for NVIDIA or AMDAPPSDK for AMD graphics cards. 
I've covered those in my previous posts.

NVIDIA Users: Install proprietary NVIDIA driver on Kali Linux – NVIDIA Accelerated Linux Graphics Driver; Install NVIDIA driver kernel Module CUDA and Pyrit on Kali Linux – CUDA, Pyrit and Cpyrit-cuda

AMD Users: Install AMD ATI proprietary fglrx driver in Kali Linux 1.0.6; Install AMD APP SDK in Kali Linux; Install Pyrit in Kali Linux; Install CAL++ in Kali Linux

Why use Hashcat to crack WPA/WPA2 handshake file?

Pyrit is the fastest when it comes to cracking WPA/WPA2 handshake files. So why are we using Hashcat to crack WPA/WPA2 handshake files? Because we can? Because Hashcat allows us to use customized attacks with predefined rules and Masks. Now this doesn't explain much, and reading the HASHCAT Wiki will take forever to explain how to do it. I'll just give some examples to clear it up. Hashcat allows you to use the following built-in charsets to attack a WPA/WPA2 handshake file.

Built-in charsets
?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?s = !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
?a = ?l?u?d?s

Numbered passwords

So let's say your password is 12345678. You can use a custom MASK like ?d?d?d?d?d?d?d?d. What it means is that you're trying to break an 8 digit number password like 12345678 or 23456789 or 01567891... You get the idea.

Letter passwords – All uppercase

If your password is all letters in CAPS such as ABCFEFGH or LKHJHIOP or ZBTGYHQS etc., then you can use the following MASK: ?u?u?u?u?u?u?u?u. It will crack all 8 letter passwords in CAPS.

Letter passwords – All lowercase

If your password is all letters in lowercase such as abcdefgh or dfghpoiu or bnmiopty etc., then you can use the following MASK: ?l?l?l?l?l?l?l?l. It will crack all 8 letter passwords in lowercase. I hope you now know where I am getting at.

Passwords – Lowercase letters and numbers

If you know your password is similar to this: a1b2c3d4 or p9o8i7u6 or n4j2k5l6 …etc. 
then you can use the following MASK: ?l?d?l?d?l?d?l?d Passwords – Uppercase letters and numbers If you know your password is similar to this: A1B2C3D4 or P9O8I7U6 or N4J2K5L6 …etc. then you can use the following MASK: ?u?d?u?d?u?d?u?d Passwords – Mixed matched with uppercase, lowercase, number and special characters. If you password is all random, then you can just use a MASK like the following: ?a?a?a?a?a?a?a?a Note: ?a represents anything …. I hope you’re getting the idea. If you are absolutely not sure, you can just use any of the predefined MASKs file and leave it running. But yeah, come back to check in a million years for a really long password …. Using a dictionary attack might have more success in that scenario. Passwords – when you know a few characters If you somehow know the few characters in the password, this will make things a lot faster. For every known letter, you save immense amount of computing time. MASK’s allows you to combine this. Let’s say your 8 character password starts with abc, doesn’t contain any special characters. Then you can create a MASK rule file to contain the following: abc?l?l?l?l?l abc?u?u?u?u?u abc?d?d?d?d?d abc?l?u??d??d?l abc?d?d?l?u?l There will be 125 combinations in this case. But it will surely break it in time. This is the true power of using cudaHashcat or oclHashcat or Hashcat on Kali Linux to break WPA/WPA2 passwords. You can even up your system if you know how a person combines a password. Some people always uses UPPERCASE as the first character in their passwords, few lowercase letters and finishes with numbers. Example: Abcde123 Your mask will be: ?u?l?l?l?l?d?d?d This will make cracking significantly faster. Social engineering is the key here. That’s enough with MASK’s. Now let’s capture some WPA/WPA2 handshake files. Following WiFite section was taken from a previous guide Cracking Wifi WPA/WPA2 passwords using pyrit cowpatty in Kali Linux which was one of the best guides about cracking Wifi passwords out there. 
Capture handshake with WiFite Why WiFite instead of other guides that uses Aircrack-ng? Because we don’t have to type in commands.. Type in the following command in your Kali Linux terminal: wifite –wpa You could also type in wifite wpa2 If you want to see everything, (wep, wpa or wpa2, just type the following command. It doesn’t make any differences except few more minutes wifite Once you type in following is what you’ll see. So, we can see bunch of Access Points (AP in short). Always try to go for the ones with CLIENTS because it’s just much faster. You can choose all or pick by numbers. See screenshot below Awesome, we’ve got few with clients attached. I will pick 1 and 2 cause they have the best signal strength. Try picking the ones with good signal strength. If you pick one with poor signal, you might be waiting a LONG time before you capture anything .. if anything at all. So I’ve picked 1 and 2. Press Enter to let WiFite do it’s magic. Once you press ENTER, following is what you will see. I got impatient as the number 1 choice wasn’t doing anything for a LONG time. So I pressed CTRL+C to quit out of it. This is actually a great feature of WIfite. It now asks me, What do you want to do? [c]ontinue attacking targets [e]xit completely. I can type in c to continue or e to exit. This is the feature I was talking about. I typed c to continue. What it does, it skips choice 1 and starts attacking choice 2. This is a great feature cause not all routers or AP’s or targets will respond to an attack the similar way. You could of course wait and eventually get a respond, but if you’re just after ANY AP’s, it just saves time. And voila, took it only few seconds to capture a handshake. This AP had lots of clients and I managed to capture a handshake. This handshake was saved in /root/hs/BigPond_58-98-35-E9-2B-8D.cap file. Once the capture is complete and there’s no more AP’s to attack, Wifite will just quit and you get your prompt back. 
Now that we have a capture file with handshake on it, we can do a few things. Cleanup your cap file using wpaclean Next step will be converting the .cap file to a format cudaHashcat or oclHashcat or Hashcat on Kali Linux will understand. Here’s how to do it: To convert your .cap files manually in Kali Linux, use the following command wpaclean <out.cap> <in.cap> Please note that the wpaclean options are the wrong way round. <out.cap> <in.cap> instead of <in.cap> <out.cap> which may cause some confusion. In my case, the command is as follows: wpaclean hs/out.cap hs/BigPond_58-98-35-E9-2B-8D.cap Convert .cap file to .hccap format We need to convert this file to a format cudaHashcat or oclHashcat or Hashcat on Kali Linux can understand. To convert it to .hccap format with “aircrack-ng” we need to use the -J option aircrack-ng <out.cap> -J <out.hccap> Note the -J is a capitol J not lower case j. In my case, the command is as follows: aircrack-ng hs/out.cap -J hs/out Cracking WPA/WPA2 handshake with Hashcat cudaHashcat or oclHashcat or Hashcat on Kali Linux is very flexible, so I’ll cover two most common and basic scenarios: Dictionary attack Mask attack Dictionary attack Grab some Wordlists, like Rockyou. Read this guide Cracking Wifi WPA/WPA2 passwords using pyrit cowpatty in Kali Linux for detailed instructions on how to get this dictionary file and sorting/cleaning etc. First we need to find out which mode to use for WPA/WPA2 handshake file. I’ve covered this in great length in Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linux guide. Here’s a short rundown: cudahashcat --help | grep WPA So it’s 2500. Now use the following command to start the cracking process: cudahashcat -m 2500 /root/hs/out.hccap /root/rockyou.txt Bingo, I used a common password for this Wireless AP. Took me few seconds to crack it. Depending on your dictionary size, it might take a while. 
You should remember, if you’re going to use Dictionary attack, Pyrit would be much much much faster than cudaHashcat or oclHashcat or Hashcat. Why we are showing this here? Cause we can. Another guide explains how this whole Dictionary attack works. I am not going to explain the same thing twice here. Read Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linux for dictionary related attacks in full length. Brute-Force Attack Now this is the main part of this guide. Using Brute Force MASK attack. To crack WPA WPA2 handshake file using cudaHashcat or oclHashcat or Hashcat, use the following command: Sample: cudahashcat -m 2500 -a 3 capture.hccap ?d?d?d?d?d?d?d?d Where -m = 2500 means we are attacking a WPA/WPA2 handshake file. -a = 3 means we are using Brute Force Attack mode (this is compatible with MASK attack). capture.hccap = This is your converted .cap file. We generated it using wpaclean and aircrack-ng. ?d?d?d?d?d?d?d?d = This is your MASK where d = digit. That means this password is all in numbers. i.e. 7896435 or 12345678 etc. I’ve created a special MASK file to make things faster. You should create your own MASK file in similar way I explained earlier. I’ve saved my file in the following directory as blackmoreops-1.hcmask. /usr/share/oclhashcat/masks/blackmoreops-1.hcmask Do the following to see all available default MASK files provided by cudaHashcat or oclHashcat or Hashcat: ls /usr/share/oclhashcat/masks/ In my case, the command is as follows: cudahashcat -m 2500 -a 3 /root/hs/out.hccap /usr/share/oclhashcat/masks/blackmoreops-1.hcmask Sample .hcmask file You can check the content of a sample .hcmask file using the following command: tail -10 /usr/share/oclhashcat/masks/8char-1l-1u-1d-1s-compliant.hcmask Edit this file to match your requirement, run Hashcat or cudaHashcat and let it rip. Location of Cracked passwords Hashcat or cudaHashcat saves all recovered passwords in a file. 
It will be in the same directory you’ve ran Hashcat or cudaHashcat or oclHashcat. In my case, I’ve ran all command from my home directory which is /root directory. cat hashcat.pot Conclusion This guide explains a lot. But you should read read Wiki and Manuals from www.hashcat.net to get a better understanding of MASK and Rule based attacks because that’s the biggest strength of Hashcat. Thanks for reading. Feel free to share this article. Sursa: Cracking WPA WPA2 with Hashcat on Kali Linux (BruteForce MASK based attack on Wifi passwords) | blackMORE Ops
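As an added example (not from the blackMORE Ops guide or from hashcat itself) for the MASK section of the post above: a small C keyspace calculator for hashcat-style masks. It is the arithmetic a defender runs when judging a password policy: given the built-in charset sizes (?l and ?u 26, ?d 10, ?s 33, ?a 95), how many candidates a mask covers and how long exhausting it takes at a given guess rate. The function names and the guess-rate figure are assumptions; the five "abc" masks are constructed after the post's list, with the two garbled entries written as single placeholders.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes of the hashcat built-in charsets listed in the post.
 * ?s is the 33 printable ASCII punctuation characters, space included. */
static uint64_t charset_size(char c) {
    switch (c) {
    case 'l': return 26;
    case 'u': return 26;
    case 'd': return 10;
    case 's': return 33;
    case 'a': return 95;
    case '?': return 1;   /* "??" is an escaped literal question mark */
    default:  return 0;   /* unknown placeholder: malformed mask */
    }
}

/* Keyspace of one mask: product of the charset sizes; a literal character
 * contributes a factor of 1. Returns 0 for a malformed mask ("?" followed
 * by an unknown or missing charset letter) or on uint64 overflow. */
uint64_t mask_keyspace(const char *mask) {
    uint64_t total = 1;
    for (const char *p = mask; *p; p++) {
        if (*p != '?') continue;            /* literal character */
        uint64_t n = charset_size(p[1]);
        if (n == 0) return 0;
        if (total > UINT64_MAX / n) return 0;
        total *= n;
        p++;                                /* skip the charset letter */
    }
    return total;
}

/* Worst-case seconds to exhaust the mask at a given guess rate; -1 on a bad
 * mask or rate. (Hashcat reports its own rate per device when running.) */
double mask_seconds_at_rate(const char *mask, double guesses_per_second) {
    uint64_t ks = mask_keyspace(mask);
    if (ks == 0 || guesses_per_second <= 0) return -1.0;
    return (double)ks / guesses_per_second;
}

/* Keyspace of a whole .hcmask file given as one mask per entry: the sum of
 * the individual keyspaces. Returns 0 if any entry is malformed or on overflow. */
uint64_t mask_list_keyspace(const char *const *masks, size_t count) {
    uint64_t sum = 0;
    for (size_t i = 0; i < count; i++) {
        uint64_t ks = mask_keyspace(masks[i]);
        if (ks == 0 || sum > UINT64_MAX - ks) return 0;
        sum += ks;
    }
    return sum;
}

/* Constructed mask list mirroring the post's "starts with abc, no specials"
 * file (the two entries with doubled placeholders normalised). */
uint64_t demo_abc_masks_keyspace(void) {
    static const char *const masks[] = {
        "abc?l?l?l?l?l", "abc?u?u?u?u?u", "abc?d?d?d?d?d",
        "abc?l?u?d?d?l", "abc?d?d?l?u?l",
    };
    return mask_list_keyspace(masks, sizeof masks / sizeof masks[0]);
}

int main(void) {
    const char *examples[] = { "?d?d?d?d?d?d?d?d", "?u?l?l?l?l?d?d?d", "?a?a?a?a?a?a?a?a" };
    const double rate = 1e5; /* assumed 100k guesses/s, a modest WPA2 rate */
    for (size_t i = 0; i < 3; i++)
        printf("%-18s keyspace %llu  (%.1f s at %.0f/s)\n", examples[i],
               (unsigned long long)mask_keyspace(examples[i]),
               mask_seconds_at_rate(examples[i], rate), rate);
    printf("abc mask file keyspace: %llu\n",
           (unsigned long long)demo_abc_masks_keyspace());
    return 0;
}
```

The numbers make the post's advice concrete: an all-digit 8 character mask is 10^8 candidates, a fully mixed ?a mask of the same length is 95^8, seven orders of magnitude more, which is why a policy that only prescribes length without charset diversity buys little time, and why a mask that fixes known leading characters shrinks the search so dramatically.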