
Archive for the ‘Howto’ Category

WARCARRIER 802.11 Probe Request Scanner for Android

Monday, February 24th, 2014

The Application

I just finished up coding a simple 802.11 scanning application for Android that uses Probe Requests to ask for all AP info in the vicinity. A station sends a probe request frame when it needs to obtain information from another station, and access points answer with probe responses. It's considered an "active" scan since the radio transmits a request; sniffing in RFMON (monitor) mode is passive and only listens. What's cool about this type of scan is that it is easier to scan for networks when already associated to a service set. In passive scanning, with software like Airodump-ng, you get the same data from the APs, just carried in Beacon frames (management frame subtype 0x08). I also added some CatchMeNG! functionality for searching for devices.

This is the main screen you see above. It is a simple TableLayout (actually two, since one is programmatically destroyed when scan results come back) within a RelativeLayout user interface. When you start the application, it checks whether WiFi is enabled and, if so, scans the area using Probe Requests. This is very similar to how the old NetStumbler application worked. The EditText field you see is for CatchMeNG!, in which you can troll for any specific string you wish: BSSID, ESSID, channel, WEP, etc.

In the image above I am initializing CatchMeNG!, which turns the label green once the "Enable" button is pressed. I had a hard time with the EditText stealing the focus of the app when the onCreate() method was initially called, but was able to stop that programmatically.


In the screenshot above you can see that the label has turned green for CatchMeNG!, indicating that it is on. I did this simply by creating a TextView object from the integer resource ID, e.g. R.id.label.


In the above screenshot you can see what is shown when the object is found. I included more details so that the RSSI can be used as an indicator of signal strength. Just like in older versions of CatchMeNG!, a sound is also played to get the user's attention. Scanning takes place by hitting the Refresh AP List menu item in the application's menu in the top right, not automatically.

TODO

Add automatic scanning.
Add case insensitivity.
Create a new section in Programming for Android and cover in depth details on how this project was created.

~Douglas

PHP and JSON Arrays of Password Data

Tuesday, January 21st, 2014

With all of the leaked databases which seem to flood the internet on a daily basis, one can only wonder why we don't have more sites like leakdb. Recently I have been writing some applications which require parsing JSON. JSON (JavaScript Object Notation) is commonly used as the structured output of a web service. My research proved fruitless the more complex the design of this output became. Luckily, I was able to come up with an analogy which may save a few folks some time during development and testing of multidimensional arrays within JSON output. It's easy: it's just a big associative array, like in any other language!

So let’s go through a simple example in which one of the results itself is an array.

Let's use Leakdb's API for JSON output from their database. Leakdb lets us pass either a hash or plain text; it tells the two apart and returns anything found. If we go to the main page and search for something like "securepassword", it returns a list of results that can also be obtained in JSON format by going to: http://api.leakdb.abusix.com/?j=securepassword The output is pure JSON:

{
  "found": "true",
  "hashes": [
    {
      "gost": "6f85785dc94752933c72e4ad6ff779781ea793546e9cb5...",
      "md4": "11128c94a904b8cac8518a98307866a1",
      "md5": "b0439fae31f8cbba6294af86234d5a28",
      "mysql4_mysql5": "*214c2faf32f109ae748170bfabddfb9b0588...",
      "ntlm": "132a0e327625a4a32c14b5a08912b9f0",
      "plaintext": "securepassword",
      "ripemd160": "08815cd9c4dbbd5e85362f06669ddbe0b64c8446",
      "sha1": "ea0c04513c32717f3a09ff7b1fa882c4d8424b2a",
      "sha224": "5736e684eb72c3d419f1d91c7f2c885a29e056789bd6...",
      "sha256": "e0e6097a6f8af07daf5fc7244336ba37133713a8fc73...",
      "sha384": "5c2e9d4d732687dd790aad47ad6285bdd647f4820de8...",
      "sha512": "54c8e9ed836eb9622f6694876dabd83e44c6f7ce11cb...",
      "whirlpool": "1af2629aa6809f7a480111ebc5bcd43bf11fa4b9e..."
    }
  ],
  "info": "https://leakdb.abusix.com - reverse hash search and calculator",
  "msg": "",
  "query": "securepassword",
  "time": "0.279",
  "type": "plaintext"
}

By "pure" I simply mean that what you see is what you get. Try hitting CTRL+U (view source) and checking for yourself. Now let's use PHP to get this output from the leakdb API. PHP has two functions we will use: file_get_contents() and json_decode(). You don't actually have to look at those links; they are just there for reference. I don't usually refer folks to the actual developer's documentation, because the user's experience is so dynamic and organic that you have a higher chance of finding useful information on "example" or "tutorial" websites than in the convoluted and bloated examples by the language's owner (here's looking at you, Adobe). Anyway, the first function, as you may have guessed, is what I use to get the JSON response from the leakdb API server. The second is what I use to "decode" the output. Let's take a look at those two in PHP using our example.

$url = "http://api.leakdb.abusix.com/?j=" . urlencode($_GET['h']); // encode the value so a crafted "h" can't add extra parameters to the request
$rest_json = file_get_contents($url);
$res = json_decode($rest_json, true); // true: decode into associative arrays instead of stdClass objects
if ($res === null) { die("leakdb returned no usable JSON"); }

In the first line I simply take the password from the HTTP GET parameter "h", as in http://myserver.com/hash/index.php?h=securepassword, and build the request URL from it. The second line fetches the raw JSON response as a string, and the third parses it. Simple! If we dump the result with var_dump() we can see the structure the Leakdb web service returned. We can easily see that one of the elements, "hashes", is a list whose single entry is an associative array. We get PHP arrays rather than stdClass objects because of the true we pass as the second argument to json_decode().

So instead of looping through every value to find what we want (which, seemingly, is what every other tutorial is about), we can reach it directly with ordinary multidimensional array notation. Say we want only the NTLM hash of the plain text we sent to Leakdb:

echo $res['hashes'][0]['ntlm']; // PHP array keys are case-sensitive, so use the lowercase key exactly as leakdb returns it

That will do the trick! The first layer is the hashes array, which contains one element at index 0. That element is itself an associative array of 13 key/value pairs: the hash type as the key and the hash itself as the value, with the plaintext included for reverse look-ups. I have highlighted and bullet-pointed the list items in the image above. When dealing with JSON, it's easy to remember that objects are written in {} and arrays in []. Now with a little CSS TLC, we can style the returned output to embed in our websites.

Snippet:

if ($res['found'] == 'true') { # hash was found (leakdb returns "true" as a string, not a boolean)
  $h = htmlspecialchars($_GET['h'], ENT_QUOTES, 'UTF-8'); // escape user input before echoing it into HTML, or this page is trivially XSS-able
  echo "<div class='content'><h3>" . $h . " (" . htmlspecialchars($res['type'], ENT_QUOTES, 'UTF-8') . ")</h3><table>";
  echo "<tr><td class='tdTitle'>text:</td><td class='tdVal'>" . htmlspecialchars($res['hashes'][0]['plaintext'], ENT_QUOTES, 'UTF-8') . "</td></tr>";
  echo "</table></div>";
}

We can even use it in our Android applications with getJSONArray(); but I will save that for another long-winded staircase tutorial :)

~Douglas

Catching Pink Dolphins with Libpcap via 802.11

Monday, September 9th, 2013

Having trouble understanding libpcap with 802.11? Having a hard time finding documentation that makes you really grasp the concept of packet sniffing programmatically with 802.11?

libpcap is the library most commonly used for packet capture (and, through pcap_inject(), injection). Most of the best network hacking tools use it, and the documentation is sparse for a newbie. I've actually wanted to write this for a long, long time. I just finished creating a lot of C Programming tutorials, and if you followed through with them you will have no problem at all with this one, so let's put the two together.

802.11 protocol analyzers like Airodump-ng make use of libpcap. When designing WARCARRIER, I ended up writing my own version of Airodump-ng so as not to have any dependencies. I tried using scapy and lorcon with Python and even Net::PCAP with Perl, but they were just wrappers for the real thing which didn't offer the type of control I needed. I needed to use libpcap and C. It sounds rather daunting, because it is heavily filled with computer science, and many major aspects of 802.11 networking, C, libraries and more need to be known, but I will cover all of these bases with you step by step and even display packets in Wireshark so you can see exactly what we are doing.

I realize the code isn't optimal, but it's a quick start. I'll dig into it later and make the WARCARRIER portion a lot smoother. You can click on the image above to go directly to the document. If you find any errors or need any help, feel free to email me at the address in the masthead at the top of this weblog.

~Douglas
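The following is an added example, not the WARCARRIER source and not taken from the linked document: a dissector for the frames the two 802.11 posts above talk about (Beacons, subtype 0x08, plus Probe Requests and Probe Responses), written as the function you would call from a pcap_loop() callback on a DLT_IEEE802_11_RADIO capture. It assumes the standard radiotap header layout and the 24-byte 802.11 management header. libpcap itself is deliberately not linked so the block compiles stand-alone, and the input is a constructed frame, not a real capture.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* What Airodump-ng style tools show per AP, pulled from one management frame. */
struct ap_info {
    uint8_t  subtype;          /* 4 = probe request, 5 = probe response, 8 = beacon */
    uint8_t  bssid[6];         /* addr3 of the management header */
    char     ssid[33];         /* SSID element, NUL-terminated (max 32 octets) */
    int      beacon_interval;  /* in TU (1024 us); -1 for probe requests */
    int      privacy;          /* capability bit 4: 1 = WEP/WPA, 0 = open; -1 for probe requests */
    int      channel;          /* DS Parameter Set element; 0 if absent */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse a radiotap-encapsulated (DLT_IEEE802_11_RADIO) management frame.
 * Returns 0 on success, -1 if the frame is truncated or not a beacon/probe frame. */
int parse_mgmt_frame(const uint8_t *buf, size_t len, struct ap_info *out)
{
    memset(out, 0, sizeof *out);
    /* radiotap header: u8 version (0), u8 pad, le16 total length, le32 present bitmap, fields... */
    if (len < 4 || buf[0] != 0) return -1;
    size_t rt_len = le16(buf + 2);
    if (rt_len < 8 || rt_len > len) return -1;

    const uint8_t *f = buf + rt_len;           /* start of the 802.11 MAC header */
    size_t flen = len - rt_len;
    if (flen < 24) return -1;

    uint8_t type = (f[0] >> 2) & 0x3;          /* frame control bits 2-3: 0 = management */
    uint8_t subtype = (f[0] >> 4) & 0xf;       /* frame control bits 4-7 */
    if (type != 0 || (subtype != 4 && subtype != 5 && subtype != 8)) return -1;
    out->subtype = subtype;
    memcpy(out->bssid, f + 16, 6);             /* addr3 */

    const uint8_t *p = f + 24;
    size_t rem = flen - 24;
    if (subtype == 4) {                        /* probe request: body is only information elements */
        out->beacon_interval = -1;
        out->privacy = -1;
    } else {                                   /* beacon / probe response: timestamp(8) interval(2) capability(2) */
        if (rem < 12) return -1;
        out->beacon_interval = le16(p + 8);
        out->privacy = (le16(p + 10) & 0x0010) ? 1 : 0;
        p += 12; rem -= 12;
    }
    /* Information elements: u8 id, u8 length, payload. Bail out on a truncated element
     * instead of reading past the buffer, the classic bug in home-grown 802.11 sniffers. */
    while (rem >= 2) {
        uint8_t id = p[0], elen = p[1];
        if ((size_t)elen + 2 > rem) return -1;
        const uint8_t *ep = p + 2;
        if (id == 0 && elen <= 32) {           /* SSID */
            memcpy(out->ssid, ep, elen);
            out->ssid[elen] = '\0';
        } else if (id == 3 && elen == 1) {     /* DS Parameter Set: current channel */
            out->channel = ep[0];
        }
        p += 2 + elen; rem -= 2 + elen;
    }
    return 0;
}

/* Constructed sample (not a real capture): 8-byte radiotap header, then a beacon from
 * BSSID 00:11:22:33:44:55 for SSID "TestWifi" on channel 6 with the privacy bit set. */
static const uint8_t sample_beacon[] = {
    0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,     /* radiotap v0, length 8, no present fields */
    0x80, 0x00, 0x00, 0x00,                             /* FC: type 0 subtype 8 (beacon); duration */
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,                 /* addr1: broadcast */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,                 /* addr2: source */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,                 /* addr3: BSSID */
    0x10, 0x00,                                         /* sequence control */
    0, 0, 0, 0, 0, 0, 0, 0,                             /* timestamp */
    0x64, 0x00,                                         /* beacon interval: 100 TU */
    0x11, 0x04,                                         /* capability 0x0411: ESS | privacy | short slot */
    0x00, 0x08, 'T', 'e', 's', 't', 'W', 'i', 'f', 'i',  /* SSID element */
    0x01, 0x01, 0x82,                                   /* supported rates: 1 Mbit (basic) */
    0x03, 0x01, 0x06,                                   /* DS parameter set: channel 6 */
};

/* Parse the constructed sample; returns NULL on failure. */
const struct ap_info *parse_sample(void)
{
    static struct ap_info ap;
    return parse_mgmt_frame(sample_beacon, sizeof sample_beacon, &ap) == 0 ? &ap : NULL;
}

/* Same frame with its last byte missing: the DS element is truncated and must be rejected. */
int parse_truncated_sample(void)
{
    struct ap_info ap;
    return parse_mgmt_frame(sample_beacon, sizeof sample_beacon - 1, &ap);
}

int main(void)
{
    const struct ap_info *ap = parse_sample();
    if (!ap) { puts("parse failed"); return 1; }
    printf("%02x:%02x:%02x:%02x:%02x:%02x  ch %d  %s  %s\n",
           ap->bssid[0], ap->bssid[1], ap->bssid[2], ap->bssid[3], ap->bssid[4], ap->bssid[5],
           ap->channel, ap->privacy ? "WEP/WPA" : "OPN", ap->ssid);
    return 0;
}
```

To run it against a live card, put the interface in monitor mode, open it with pcap_open_live(), confirm pcap_datalink() returns DLT_IEEE802_11_RADIO, and call parse_mgmt_frame() on each packet handed to your pcap_loop() callback. Two things are left out on purpose: if the radiotap flags field says an FCS is present, strip the trailing 4 bytes before parsing (otherwise they are misread as an element), and the SSID is copied raw, so escape it before printing it to a terminal or a web page, because anyone can beacon whatever bytes they like.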

ALFA RTL8187 and Dragorn’s 802.11 Protocol Analyzer with Android 4.3 Jellybean

Saturday, September 7th, 2013

For _gh0st in #lunatics — Works great and was easy to set up. No root required. This would be perfect to use when doing an on-site pentest.

~Douglas

C Programming Tutorial 9

Friday, July 26th, 2013

Comments

C comments are notes in the source code that the compiler ignores, so only the developer(s) or anyone with access to the source can see them; they never make it into the compiled binary. They are generally used for maintaining code, debugging, and making it easier to expand your code. It's always good practice to use as many comments as possible when dealing with huge applications. Let's take a look at how we can add comments to our source code, though we have come across one way already: the // comment.

// Comment

Above we can see someone with a slightly obsessive habit of commenting small applications in C. The compiler simply ignores everything from the double slashes to the end of the line. That's it. This is a pretty hefty application for what we are used to, but if you have followed along this far you should understand it well enough to know what it does. I just over-commented for a nice screenshot :)
Now there's one more type of comment I'd like to touch on, and that's the multi-line comment /* */

/* Comment */

The compiler also allows a comment to span multiple lines. Once it sees a starting /* anywhere in our code, it ignores everything until it hits the closing */. Note that these comments do not nest: the first */ ends the comment, even if another /* appeared inside it, so commenting out a block that already contains a /* */ comment will not do what you expect.

And that is how we make a multi-line comment in C. If you were kind of hazy on the meaning of the application from the first example, I completely explain it in this example in a multi-line comment. This concludes this small tutorial on C comments.
