
Archive for July, 2011

MAC Address Spoofing (the easy way)

Tuesday, July 19th, 2011

(For defensive reasons of course! =P)

Ever wonder what your “MAC address” really is? It stands for “Media Access Control address”. It’s hard-coded into your network interface card (NIC) – and is what’s used to identify your hardware on a network.

Why would you want to spoof this?

  1. Say [hypothetically] you do something naughty (anything from looking at porn to hacking on company computers) and you want the IT guy to “look the other way” on the issue, you can make it look like someone else, or have just plain unregistered mumbo-jumbo.
  2. Maybe you’ve bought a new computer and your modem/router is registered to only work with one specific MAC address – this being your old computer.
  3. Oftentimes airports, coffee shops, hotels, etc. are set to block out all traffic connecting to the network – except for one website (you guessed it!) – the website to pay for more access to actually access other websites! Encrypt your connection, monitor mode to sniff out the right MAC to use, and the SIRF TEH INTERWEBZ FO FWEE!!!
  4. Also, another good point – when your ISP complains and sends the feds to your door for those 100s of movies and 1,000s of songs you’ve downloaded via torrents (hopefully your hard drive is encrypted so they can’t just go in and examine its contents willy-nilly) – your NIC’s MAC address won’t match the one they’re looking for.

(more…)

Cracking Passwd Hashes with Perl

Sunday, July 17th, 2011

I usually post about how the LulzSec releases are good for penetration testers because when the “victim” is storing their customers’ passwords in plain text, it gives us a better foothold for password cracking. The most common word lists I can find online for offline brute force attacks are just words. Sure, we can use Perl to change case, randomize case changes, append numbers, etc. But when you have access to passwords that thousands of people have chosen, and thought secure, the lists are “organic.” Now, if we tell most people they need to change their passwords because our servers were compromised, what do they do? Change case, append numbers, etc. :)

The recent release of 90k Marines, Army, AF user names and passwords was amazing to say the least. Unfortunately, for some I guess, the passwords were encoded in the DB. After doing a little research I read on @CrackMeIfYouCan’s Twitter page that they were UPPERCASE + Base64 + SHA1. So I decided to put this to the test with Perl.

Perl is slow, because it’s interpreted as opposed to being compiled into machine language. Now, after using Perl for many years, I realized there are a bunch of ways we can speed it up. For instance, using hashes instead of lists or arrays. In fact, I once read something that Larry Wall wrote about his Perl language that stated something like – if you are not using or thinking in hashes while coding in Perl, you aren’t thinking in Perl.

Another great way to speed things up is to not re-code the wheel. Use compiled C applications for text parsing via system calls when possible. Rather than open a file with:

open(FLE, "<", "file.txt") or die "file.txt: $!";

then read that into an array and close it, “slurp” the contents of the file into the array with a system call to cat:

@array = `cat file.txt`;

Use egrep rather than going through the array line by line or grepping the array with Perl itself. Small things like this can greatly improve your performance when doing heavy Perl coding.

So, I decided to give the Anonymous 90k hash file a whirl to see if I could get a few passwords, and it was successful. First, I slurped the lines of the Marines.txt file into an array after using sed and egrep to get rid of all the html bullshit and turned it into a CSV file. Then I did the same with my word list, which I compiled directly from @CrackMeIfYouCan’s website. He offers some great word lists. I used sort and made one big unique file out of a few, which came out to about 60MB. I even coded a Perl application to append some numbers and run through 000000 – 999999 <-- which greatly increased the file size, but is faster than running through that in Perl itself.

Next, with my word list array, I created a hash table of the structure: word => hash, and once completed I used the Perl module "Digest::SHA1 sha1_base64" to encode every line for the value. One thing I should note is that the Perl module didn't "pad" the encoded words in the word list. I actually had to make sure the hashes' length was divisible by 4, and if not, append a "=" to it.

sub pad { # add padding for Base64:
    my $enc = $_[0];
    if (length($enc) % 4 == 0) {
        return $enc; # okay string.
    } else {
        $enc .= '=';
        return pad($enc); # call itself, cos we aren't done (and pass its result back up).
    }
}

After making this function, it can be called like so:

my $padded = pad("string"); # keep the return value; pad() doesn't change its argument

Then, I undefined the word list array to free up some memory. Finally, I ran a foreach loop through the Marines array and asked my word list hash if the Marine's passwd hash was in there like so:

sub crk { # look a hash up in the word-list hash (keyed encoded-hash => word):
    my ($pwhash, $email) = @_; # the Marine's encoded passwd hash and their e-mail
    if (exists $hash{$pwhash}) { # if it exists in the hash you win! :-)
        # FINISH HIM !!
        print $hash{$pwhash} . " is the password for " . $email . "\n";
        print FLE $hash{$pwhash} . " == " . $email . "\n"; # FLE: results file opened earlier
        $win++; # count the hit before returning (placed after "return", it never ran)
        return;
    }
}

With this, there's no need for a "POT" because the hash is so fast, all we do is ask it if the key "Marine's hashed passwd" equals the value "Word list hashed value" :) It seems to have worked, since it returned results like "airborne," "semperfi," and "warpig." What I don't understand is that why weren't these passwords validated before being accepted by the server? Something as easy as a regular expression like so:

[A-Za-z][0-9][A-Za-z]

would have easily warded off people's bad attempts at choosing good, strong passwords. Was this list created in the '90s?
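The scheme and lookup the post describes, reproduced in Python as an added example (not the author's Perl), with a salted, slow hash beside it to show why one precomputed table stops working; the word list and "leaked" hash below are constructed.

```python
import base64
import hashlib
import os


def leak_hash(password: str) -> str:
    """The scheme the post describes: UPPERCASE the password, SHA-1 it,
    Base64-encode the digest (padded with '=', which Digest::SHA1 omits)."""
    digest = hashlib.sha1(password.upper().encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def pad_b64(enc: str) -> str:
    """Same job as the post's pad(): append '=' until the length is a multiple of 4."""
    return enc + "=" * (-len(enc) % 4)


def build_table(words):
    """Lookup table keyed encoded-hash -> word: one SHA-1 per word, built once."""
    return {leak_hash(w): w for w in words}


def lookup(table, stored_hash):
    """O(1) average dictionary hit; nothing is re-hashed per account."""
    return table.get(stored_hash)


def salted_slow_hash(password: str, salt: bytes) -> str:
    """Contrast: a per-user salt plus a slow KDF (PBKDF2 here) means no single
    table serves every account, and each guess costs 200k iterations."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return base64.b64encode(salt + dk).decode("ascii")


if __name__ == "__main__":
    table = build_table(["airborne", "semperfi", "warpig"])
    # Constructed "leaked" hash for a user who chose "SemperFi": because the
    # scheme uppercases first, the table needs no case variants at all.
    print(lookup(table, leak_hash("SemperFi")))  # semperfi
    # Two users with the same password get different salted hashes.
    a = salted_slow_hash("semperfi", os.urandom(16))
    b = salted_slow_hash("semperfi", os.urandom(16))
    print(a != b)  # True
```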

Anyways, skids stuff. Easy, fun, and I just luff programming. <3

~Douglas

“Wi-Fi–Hacking Neighbor From Hell” Wired Article

Thursday, July 14th, 2011

[Source of Article]
[Actual Sentencing Memo]

From “Hell” ??

I just couldn’t help myself to talk about this article. This is awful.

Ardolf downloaded Wi-Fi hacking software and spent two weeks cracking the Kostolnik’s WEP encryption.

Seriously? 2 weeks? What did he use, Wireshark and Aircrack-ng only? KisMAC? LOL!

A forensics computer investigator working for Kostolnik’s law firm examined the packet logs, and found the e-mail sessions sending the threats. In the data surrounding the threatening traffic, they found traffic containing Ardolf’s name and Comcast account.

Yeah, so, what lesson(s) do we learn here?

  • Don’t have your browser profile open your email page when you are leeching WiFi.
  • Remove any software that will “phone home” including email clients.
  • Spoof your MAC address.
  • When you can, get access to the AP and disable logging for the duration of your (spoofed) sessions.

…reams of evidence…hacking manuals with titles such as Cracking WEP Using Backtrack: A Beginner’s Guide; Tutorial: Simple WEP Crack Aircracking and Cracking WEP with BackTrack 3 — Step-by-Step instructions.

“Aircracking” <-- LOL!!! Anyways, that's not evidence. At all. In fact, it is completely normal for any computer security enthusiast to have such items. Plus the assface at Wired got it wrong. Those articles were found by his supervisor at work after he was fired. This is from the real sentencing memo:

When he was terminated, a supervisor cleaned out his work space and found 25 printed pages containing articles relating to hacking into WEP-encrypted wireless routers.

Just because he had these spoonfeeding print-outs doesn’t mean he committed any crime. I mean, c’mon, the guy was a technician FFS. I am in no way sticking up for his actions, I just think it’s silly that we are so close-minded sometimes. The other stuff, like the stolen mail stashed under his bed and the handwritten notes about his plans for revenge, yeah, that’s just plain stupid and either planted by feds and police who know nothing about infosec and needed more momentum to get over the hump of the hill we call the Patriot Act, or hard evidence. A few thumb drives were reportedly found in his room full of useless information. The information was about his hacks and harassments. Who does this? Why would you keep logs or records of any of it EVEN if you did? This guy is insane.

One of the manuals had Ardolf’s handwriting on it and another had the unique identifying ID for the Kostolniks’ router typed into it

What? What is that? The BSSID? That’s not illegal information either. In fact, that’s sent out in beacon frames about 10 times per second. Sniffing beacons and other mgmt/ctrl frames is not illegal. Google could have avoided the whole lawsuit / Microsoft bash for sniffing wifi data if their programmers had brains and ignored/dropped the data packets. No joke. There’s another lesson for us:

  • Encrypt your traffic

he sent that family a postal-mail message consisting of a one-page, color print-out of the family’s “TurboTax” return with personally identifying information, in addition to several skull images

The “skulls” part made me lulz a little bit, I’m sorry.

With Kostolnik’s permission, they installed a packet sniffer on his network to try and get to the bottom of the incidents.

Ahh, hacking the hacker. This is great, you know why? Because it can be implemented transparently. Want to give it a test? Grab an old Linux computer and put two NICs in it. Make the IPs all zeros: 0.0.0.0 using ifconfig. Then use brctl and bridge the two connections. Plug your modem (in their case Qwest, according to the official sentencing memo) into one NIC and the wifi router into the other. Start Wireshark, Snort or whatever, and begin monitoring your network. Because the bridge interfaces carry no real IP address of their own, they won’t even show up in an ARP scan with Ettercap-ng!
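What a forensic pass over such a tap's logs looks like (the correlation the investigator did: find the session carrying the threat, then the nearby traffic from the same client that names its owner), as an added Python example, not code from the post; the log format, MACs, addresses and names are all constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of what a transparent bridge tap might log; every MAC,
# address (RFC 5737 test ranges) and name here is made up.
CAPTURE = """\
2011-07-14T21:03:11 src=00:11:22:33:44:55 dst=192.0.2.10 proto=http info="GET /mail/inbox user=homeowner"
2011-07-14T21:05:40 src=de:ad:be:ef:00:01 dst=198.51.100.9 proto=http info="POST /login account=intruder@isp.example"
2011-07-14T21:06:02 src=de:ad:be:ef:00:01 dst=198.51.100.25 proto=smtp info="MAIL FROM: threat body: you will pay"
2011-07-14T21:07:15 src=de:ad:be:ef:00:01 dst=198.51.100.9 proto=http info="GET /profile name=intruder"
2011-07-14T23:40:00 src=de:ad:be:ef:00:01 dst=203.0.113.2 proto=http info="GET /news"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>[0-9a-f:]{17}) dst=(?P<dst>\S+) '
    r'proto=(?P<proto>\w+) info="(?P<info>[^"]*)"$')


def parse(capture: str) -> list:
    """Turn log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            records.append(rec)
    return records


def correlate(records: list, flag_pattern: str, window_minutes: int = 30):
    """Find the client MAC behind traffic matching flag_pattern and return that
    MAC plus its other records within the window: the surrounding traffic that
    may carry identifying details (logins, names), as the investigator found."""
    flag = re.compile(flag_pattern, re.IGNORECASE)
    hits = [r for r in records if flag.search(r["info"])]
    if not hits:
        return None, []
    mac = hits[0]["src"]
    window = timedelta(minutes=window_minutes)
    context = [r for r in records
               if r["src"] == mac and r not in hits
               and min(abs(r["ts"] - h["ts"]) for h in hits) <= window]
    return mac, context


if __name__ == "__main__":
    mac, ctx = correlate(parse(CAPTURE), r"threat")
    print(mac)
    for r in ctx:
        print(r["ts"], r["proto"], r["info"])
```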

Alas, the actual sentencing memo states things like:

the Kostolniks woke the next morning to find that the tires on the vehicles had been slashed. The perpetrator was never identified.

So, it wasn’t him? Or it was?

Ardolf was also able to access all of the Kostolniks’ computers that were connected to the router.

He remotely exploited the systems, or were they so careless that they were sharing their C:\ drives with RW access? Proof? The files on his machine? If they were shared, they were shared. Gaining access to the network is still illegal.

…accessed a Yahoo.com email account he had created in Matt Kostolnik’s name and, posing as Matt Kostolnik, sent three separate emails to his coworkers.

So, the machines weren’t pwned? If they were, he would have no problem gaining their identity and would not have to “pose.” Also, since when is this illegal? Does Yahoo! make you agree to a ToS saying “THIS EMAIL NICKNAME BETTER BE YOUR REAL NAME, ELSE { DIE(); }” ? He didn’t have to send them from their WiFi router to get them traced back to him, but it’s a surefire way to speed the process up. If he can sniff packets, he can see the MAC address of the laptops used. Spoof yours to theirs and use a coffee shop, with a baseball hat on and a fake mustache. LOL!

The vandalism, however, was never witnessed or definitively connected back to Ardolf.

Again, this shouldn’t be in the memo if it wasn’t proved to be him. If it fits his MO, then what if he paid someone else to do it?

Also, was there any more evidence found in his home that fit the “pedophile” MO? Imagine if he really DIDN’T do what the kid's parents said he did? The only thing I see is the two images used in the harassment.

Conclusion

I think about wireless security a lot, I guess. Radios have fascinated me since I was a child. There are a lot of changes being made to not only network and computer security, but now radio and radio network security too. For instance, the fact that ISPs are trying to “formalize the concept that you are not permitted to run open Wi-Fi.” Can this really be done? Locking down wifi means more than just not using WEP. You NEED WPA2. You NEED to be very careful as to where you are typing the WPA2 passphrase. You NEED a MAC filter. You NEED a VERY strong password. And still, you won’t be able to lock it down. Will 802.11ac change this? I tried in this paper here, which I submitted to engineers at Cisco. They said it was completely possible and worth pursuing, but either didn’t want to fork over the time/effort, or they stole the idea. Who knows?

Dear Wired, how is this man “from Hell?” If this family really did see their son in danger of a pedobear, they would have secured their lives, cared more about security or moved. They neglected this? Isn’t this a relativity issue and you are spewing propaganda? Yeah. You should look at (both|all) sets of idiots in this case. Yours never, ~Douglas.

Where is WiFi security going to go now? I’d like to be there. :)

~Douglas.