
Archive for the ‘Information Security’ Category

WARCARRIER for Android Version 1.1

Saturday, March 1st, 2014

Almost complete. WARCARRIER for Android Tablets.



This is the main screen at startup, including the menu options.

Click on “catchMeNG!” in the settings bar at the top right and you can input a string to troll for. This includes Bluetooth devices, BSSIDs, ESSIDs, etc.

You can also choose “Plot Waypoint” to plot a new way point onto the Google Map:

If you long-press on any field (as the “Help” dialog shows from the Settings menu), you can find more information on the specific data that is presented.

And as of 1.1 Beta, you can plot and scan for Bluetooth devices:

This will make my life so much easier as I only have to write this Java code to run on one specific hardware type. Anything that goes wrong is the SDK’s fault, or the manufacturer’s for not using standard or compliant hardware (e.g. for radios).

Time to catch up on some R&R
~Douglas

WARCARRIER 802.11 Probe Request Scanner for Android

Monday, February 24th, 2014

The Application

I just finished up coding a simple 802.11 scanning application for Android that uses Probe Requests to ask for all AP info in the vicinity. A station sends a probe request frame when it needs to obtain information from another station. It’s considered an “active” scan since it’s sending a request – using RFMON on your radio is passive and only sniffing. What’s cool about this type of scan is that it is easier to scan for networks when already associated to a service set. In passive scanning, with software like Airodump-ng, you get this same data from the APs, just in 0x08 subtype Beacon Frames. I also added some CatchMeNG! functionality for searching for devices.

This is the main screen you see above. It is a simple TableLayout (actually two since one is programmatically destroyed upon returning scan results.) within a RelativeLayout user interface. When you start the application, it checks to see if WiFi is enabled and if so it will scan the area using Probe Requests. This is very similar to how the old NetStumbler application worked. The EditText field you see is for CatchMeNG! in which you can troll for any specific string you wish: BSSID, ESSID, channel, WEP, etc.

In this image above I am initializing CatchMeNG! which turns the label green once the “Enable” button is pressed. I had a hard time with the EditText stealing the focus of the app when the onCreate(); method was initially called, but was able to stop that programmatically.


In the screenshot above you can see that the label has turned green for CatchMeNG!, indicating that it is on. I did this simply by creating a TextView object with the Integer ID of the actual Resources ID, e.g. “R.id.label”.


In the above screenshot you can see what is shown when the object is found. I gave more details so that the RSSI can maybe be used as an indicator for signal strength. Just like in older versions of CatchMeNG!, a sound is also played to get the user’s attention. Scanning is not automatic: it takes place when you hit the Refresh AP List menu item in the application’s menu at the top right.

TODO

Add automatic scanning.
Add case insensitivity.
Create a new section in Programming for Android and cover in depth details on how this project was created.

~Douglas

PHP and JSON Arrays of Password Data

Tuesday, January 21st, 2014

With all of the leaked databases which seem to flood the internet on a daily basis, one can only wonder why we don’t have more sites like leakdb. Recently I have been writing some applications that require parsing JSON. JSON (JavaScript Object Notation) is commonly used as the structured output of a web service. My research proved fruitless the more complex the design of this output. Luckily, I was able to easily come up with an analogy that may save a few folks some time during development and testing of multidimensional arrays within JSON output. It’s easy: it’s just a big associative array just like in any other language!

So let’s go through a simple example in which one of the results itself is an array.

Let’s use Leakdb’s API for JSON output from their database. Leakdb allows us to pass a hash or plain text to it, and it will differentiate between the two and return anything found. If we go to the main page and search for something like “securepassword”, it will return a list of results that can be obtained in JSON format by going to: http://api.leakdb.abusix.com/?j=securepassword The output is pure JSON:

{
  "found": "true",
  "hashes": [
    {
      "gost": "6f85785dc94752933c72e4ad6ff779781ea793546e9cb5...",
      "md4": "11128c94a904b8cac8518a98307866a1",
      "md5": "b0439fae31f8cbba6294af86234d5a28",
      "mysql4_mysql5": "*214c2faf32f109ae748170bfabddfb9b0588...",
      "ntlm": "132a0e327625a4a32c14b5a08912b9f0",
      "plaintext": "securepassword",
      "ripemd160": "08815cd9c4dbbd5e85362f06669ddbe0b64c8446",
      "sha1": "ea0c04513c32717f3a09ff7b1fa882c4d8424b2a",
      "sha224": "5736e684eb72c3d419f1d91c7f2c885a29e056789bd6...",
      "sha256": "e0e6097a6f8af07daf5fc7244336ba37133713a8fc73...",
      "sha384": "5c2e9d4d732687dd790aad47ad6285bdd647f4820de8...",
      "sha512": "54c8e9ed836eb9622f6694876dabd83e44c6f7ce11cb...",
      "whirlpool": "1af2629aa6809f7a480111ebc5bcd43bf11fa4b9e..."
    }
  ],
  "info": "https://leakdb.abusix.com - reverse hash search and calculator",
  "msg": "",
  "query": "securepassword",
  "time": "0.279",
  "type": "plaintext"
}

By “pure” I simply mean that what you see is what you get. Try hitting CTRL+U and checking it for yourself. Now let’s use PHP to get this output from the leakdb API. PHP has a few functions that we will use: file_get_contents(); and json_decode(); You don’t actually have to look at those links, they are just there for reference. I don’t usually refer folks to the actual developer’s documentation. The reason for this is that the user’s experience is so dynamic and organic that there is actually a higher chance you will find more useful information on “example” or “tutorial” websites than in the convoluted and bloated examples by the language’s owner (here’s looking at you, Adobe). Anyways, the first function, as you may have guessed, is what I use to get the JSON response from the leakdb API server. The second is what I use to “decode” the output. Let’s take a look at those two in PHP using our example.

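$url = "http://api.leakdb.abusix.com/?j=" . urlencode($_GET['h']); // encode the user-supplied value for the query string
$rest_json = file_get_contents($url); // raw JSON response body
$res = json_decode($rest_json, true); // true => decode objects as associative arrays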

In the first line I simply get the password from the URL HTTP GET parameter “h”, as in http://myserver.com/hash/index.php?h=securepassword. Then I create the REST JSON object in the second line, then parse it in the third. Simple! If we dump this output to the screen with var_dump(); we can see the JSON returned from the Leakdb web service. We can easily see that one of the elements, “hashes”, is an associative array. The results were returned as an associative array because of the “true” we add into the json_decode(); function.

So instead of looping through each value to find what we want (which, seemingly, is what every other tutorial seems to be about), we can access it directly with simple programming multidimensional array notation. Say we want the NTLM hash only, of the plain text that we send to Leakdb:

echo $res['hashes'][0]['ntlm']; // keys are case-sensitive and the API returns them in lowercase

Will do the trick! The first layer is the hashes array, which contains one element labeled “0”. This element contains 13 associative arrays, each of which has two elements: the hash type and the hash itself, including the plain text version for reverse look ups! I have highlighted and bullet-pointed out the list items in the image above. When dealing with JSON, it’s easy to remember that simple object nodes are denoted in {} and array object nodes are within []. Now with a little CSS TLC, we can easily style the returned output to embed in our websites.

Snippet:

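if ($res['found'] == 'true') { # hash was found; escape request and API values before echoing them into HTML
  $e = function ($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); };
  echo "<div class='content'><h3>".$e($_GET['h'])." (".$e($res['type']).")</h3><table>";
  echo "<tr><td class='tdTitle'>text:</td><td class='tdVal'>".$e($res['hashes'][0]['plaintext'])."</td></tr>";
  echo "</table></div>";
}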
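The same lookup with the failure cases handled, as an added example that is not the author's code or leakdb's: it rejects bodies that are not JSON or report no match, normalises the hash-type key, encodes the query, and escapes output. The helper names parse_leakdb, hash_of and leakdb_url are hypothetical, and the sample response is an abbreviated copy of the output shown earlier.

```php
<?php
// Added example: defensive handling of a leakdb-style JSON response.
// Helper names (parse_leakdb, hash_of, leakdb_url) are hypothetical.

// Abbreviated copy of the sample response shown above, embedded so this runs offline.
$sample = '{"found":"true","hashes":[{"md5":"b0439fae31f8cbba6294af86234d5a28",'
        . '"ntlm":"132a0e327625a4a32c14b5a08912b9f0","plaintext":"securepassword"}],'
        . '"query":"securepassword","type":"plaintext"}';

// Decode the body and return the first hash record, or null when the
// response is not valid JSON, reports no match, or lacks the expected shape.
function parse_leakdb(string $body): ?array {
    $res = json_decode($body, true);
    if (!is_array($res) || ($res['found'] ?? '') !== 'true') {
        return null;
    }
    $first = $res['hashes'][0] ?? null;
    return is_array($first) ? $first : null;
}

// Look up one hash type. Array keys are case-sensitive, so normalise the
// requested type to the lowercase names the API uses ("ntlm", not "NTLM").
function hash_of(array $record, string $type): ?string {
    $value = $record[strtolower($type)] ?? null;
    return is_string($value) ? $value : null;
}

// Build the request URL; urlencode() keeps "&", "#" or spaces in the
// user-supplied value from altering the query string.
function leakdb_url(string $query): string {
    return 'http://api.leakdb.abusix.com/?j=' . urlencode($query);
}

$record = parse_leakdb($sample);
echo leakdb_url('pass word&x=1'), "\n";
echo hash_of($record, 'NTLM'), "\n";

// Escape anything that came from the request or the API before it goes into HTML.
echo htmlspecialchars('<b>' . $record['plaintext'] . '</b>', ENT_QUOTES, 'UTF-8'), "\n";

// Malformed and not-found bodies both come back as null instead of raising notices.
var_dump(parse_leakdb('not json'), parse_leakdb('{"found":"false","hashes":[]}'));
```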

We can even use it in our Android applications with getJSONArray(); but I will save that for another long-winded staircase tutorial :)

~Douglas

Catching Pink Dolphins with Libpcap via 802.11

Monday, September 9th, 2013

Having trouble understanding libpcap with 802.11? Having a hard time finding documentation that makes you really grasp the concept of packet sniffing programmatically with 802.11?

libpcap is the library most commonly used for packet sniffing and generation. Most of the best network hacking tools use it, and the documentation is few and far between for a newbie. I’ve actually wanted to write this for a long long time. I just finished creating a lot of C Programming tutorials and if you followed through with them, you will have no problem at all with this tutorial – so let’s put these two together.

802.11 protocol analyzers like Airodump-ng make use of libpcap. When designing WARCARRIER, I ended up making my own version of Airodump-NG so as not to have any dependencies. I tried using scapy and lorcon with Python and even Net::PCAP with Perl, but they were just wrappers for the real thing which didn’t offer the type of control that I needed. I needed to use libpcap and C. It sounds rather daunting, because it is heavily filled with computer science, and many major aspects of networking, 802.11, C, libraries, and more need to be known, but I will cover all of these bases with you step by step and even display packets in Wireshark so you can see exactly what we are doing.

I realize the code isn’t optimal, but it’s a quick start. I’ll dig into it later and make the WARCARRIER portion a lot smoother. You can click on the image above to go directly to the document. If you find any errors or need any help, feel free to email me at the address in the masthead at the top of this weblog.

~Douglas

ALFA RTL8187 and Dragorn’s 802.11 Protocol Analyzer with Android 4.3 Jellybean

Saturday, September 7th, 2013

For _gh0st in #lunatics — Works great and was easy to set up. No root required. This would be perfect to use when doing an on-site pentest.

~Douglas