
PHP and JSON Arrays of Password Data

January 21st, 2014 • Howto, Information Security, Programming, Web Security • No Comments »

With all of the leaked databases that seem to flood the internet on a daily basis, one can only wonder why we don't have more sites like leakdb. Recently I have been writing some applications that require parsing JSON. JSON (JavaScript Object Notation) is commonly used as the structured output of a web service. My searching proved fruitless the more complex the design of this output became. Luckily, I came up with an analogy that may save a few folks some time when developing and testing against multidimensional arrays in JSON output. It's easy: once decoded, it's just a big associative array, like in any other language!

So let’s go through a simple example in which one of the results itself is an array.

Let's use Leakdb's API for JSON output from their database. Leakdb allows us to pass either a hash or plain text to it; it will differentiate between the two and return anything found. If we go to the main page and search for something like "securepassword", it will return a list of results that can be obtained in JSON format by going to: http://api.leakdb.abusix.com/?j=securepassword The output is pure JSON:

{
  "found": "true",
  "hashes": [
    {
      "gost": "6f85785dc94752933c72e4ad6ff779781ea793546e9cb5...",
      "md4": "11128c94a904b8cac8518a98307866a1",
      "md5": "b0439fae31f8cbba6294af86234d5a28",
      "mysql4_mysql5": "*214c2faf32f109ae748170bfabddfb9b0588...",
      "ntlm": "132a0e327625a4a32c14b5a08912b9f0",
      "plaintext": "securepassword",
      "ripemd160": "08815cd9c4dbbd5e85362f06669ddbe0b64c8446",
      "sha1": "ea0c04513c32717f3a09ff7b1fa882c4d8424b2a",
      "sha224": "5736e684eb72c3d419f1d91c7f2c885a29e056789bd6...",
      "sha256": "e0e6097a6f8af07daf5fc7244336ba37133713a8fc73...",
      "sha384": "5c2e9d4d732687dd790aad47ad6285bdd647f4820de8...",
      "sha512": "54c8e9ed836eb9622f6694876dabd83e44c6f7ce11cb...",
      "whirlpool": "1af2629aa6809f7a480111ebc5bcd43bf11fa4b9e..."
    }
  ],
  "info": "https://leakdb.abusix.com - reverse hash search and calculator",
  "msg": "",
  "query": "securepassword",
  "time": "0.279",
  "type": "plaintext"
}

By "pure" I simply mean that what you see is what you get. Try hitting CTRL+U and checking the page source for yourself. Now let's use PHP to get this output from the leakdb API. PHP has two functions that we will use: file_get_contents() and json_decode(). You don't actually have to look at those links; they are just there for reference. I don't usually refer folks to the actual developer's documentation. The reason for this is that the user's experience is so dynamic and organic that you actually have a higher chance of finding useful information on "example" or "tutorial" websites than in the convoluted and bloated examples by the language's owner (here's looking at you, Adobe). Anyway, the first function, as you may have guessed, is what I use to get the JSON response from the leakdb API server. The second is what I use to decode the output. Let's take a look at those two in PHP using our example.

$url = "http://api.leakdb.abusix.com/?j=" . urlencode($_GET['h']); # urlencode so '&', '#' or a space in the input cannot alter the request
$rest_json = file_get_contents($url);  # raw JSON text from the API
$res = json_decode($rest_json, true);  # true => nested associative arrays instead of stdClass objects
if ($res === null) { die("Invalid JSON: " . json_last_error_msg()); }

In the first line I simply take the password (or hash) from the HTTP GET parameter "h", as in http://myserver.com/hash/index.php?h=securepassword, and append it to the API URL; urlencode() keeps characters such as "&" or a space in the user's input from changing the request. The second line fetches the raw JSON text from the REST endpoint, and the third decodes it (the check after it stops the script if the API returns something that is not JSON). Simple! If we dump $res to the screen with var_dump() we can see the structure returned by the Leakdb web service. We can easily see that one of the elements, "hashes", is itself an array. The results came back as nested associative arrays, rather than stdClass objects, because of the "true" we pass as the second argument to json_decode().

So instead of looping through each value to find what we want (which, seemingly, is what every other tutorial is about), we can access it directly with ordinary multidimensional array notation. Say we want only the NTLM hash of the plain text that we sent to Leakdb:

echo $res['hashes'][0]['ntlm'];

will do the trick! Note that PHP array keys are case-sensitive and the API returns its keys in lowercase, so it is 'ntlm', not 'NTLM'. The first layer is the hashes array, which contains a single element at index 0. That element is one associative array of 13 key/value pairs: the hash type as the key and the hash itself as the value, including the plain text for reverse lookups. I have highlighted and bullet-pointed the list items in the image above. When dealing with JSON, it's easy to remember that objects (decoded to associative arrays) are denoted by {} and arrays by []. Now with a little CSS TLC, we can easily style the returned output to embed in our websites.

Snippet:

if ($res['found'] == 'true') { # hash was found (the API returns the string "true", not a boolean)
  $h = htmlspecialchars($_GET['h'], ENT_QUOTES, 'UTF-8'); # escape user input before echoing it into HTML, otherwise ?h=<script>... is reflected XSS
  echo "<div class='content'><h3>".$h." (".htmlspecialchars($res['type']).")</h3><table>";
  echo "<tr><td class='tdTitle'>text:</td><td class='tdVal'>".htmlspecialchars($res['hashes'][0]['plaintext'], ENT_QUOTES, 'UTF-8')."</td></tr>"; # the plaintext came from a leaked DB, so escape it too
  echo "</table></div>";
}
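As an added example (not code from the original post), here is a self-contained script that decodes the response shown above and pulls hashes out by key, with the checks the snippet above leaves out. The JSON is embedded as a string constructed from the sample above (trimmed to a few of the hash fields), so it runs offline with no request to leakdb; the function names parseLeakdb(), getHash() and renderRows() are my own, and the script assumes PHP 7.1 or later for the type hints and the ?? operator.

```php
<?php
// Added example, not from the original post: parse a leakdb-style JSON
// response offline and access individual hashes by key.
// $response is constructed from the sample response above (hashes trimmed),
// so no network request is made. Swap in file_get_contents($url) to go live.
$response = <<<'JSON'
{
  "found": "true",
  "hashes": [
    {
      "md5": "b0439fae31f8cbba6294af86234d5a28",
      "ntlm": "132a0e327625a4a32c14b5a08912b9f0",
      "plaintext": "securepassword",
      "sha1": "ea0c04513c32717f3a09ff7b1fa882c4d8424b2a"
    }
  ],
  "info": "https://leakdb.abusix.com - reverse hash search and calculator",
  "msg": "",
  "query": "securepassword",
  "time": "0.279",
  "type": "plaintext"
}
JSON;

/**
 * Decode the API response into nested associative arrays.
 * Returns null (and logs why) on malformed JSON or an unexpected shape,
 * instead of letting later array accesses blow up with warnings.
 */
function parseLeakdb(string $json): ?array
{
    $res = json_decode($json, true); // true => arrays, not stdClass objects
    if (!is_array($res) || json_last_error() !== JSON_ERROR_NONE) {
        error_log('leakdb: invalid JSON: ' . json_last_error_msg());
        return null;
    }
    // The API encodes booleans as the strings "true"/"false", so compare strings.
    if (($res['found'] ?? 'false') !== 'true' || empty($res['hashes'][0])) {
        return null; // nothing found, or the "hashes" array is missing/empty
    }
    return $res;
}

/** Fetch one hash type directly by key, without looping over the result set. */
function getHash(array $res, string $algo): ?string
{
    // Keys are lowercase in the response ("ntlm", not "NTLM"), so normalise the lookup.
    return $res['hashes'][0][strtolower($algo)] ?? null;
}

/** Render every hash type/value pair as escaped HTML table rows. */
function renderRows(array $res): string
{
    $out = '';
    foreach ($res['hashes'][0] as $algo => $value) {
        // Escape both sides: the plaintext came from a leaked DB and may contain markup.
        $out .= '<tr><td>' . htmlspecialchars($algo, ENT_QUOTES, 'UTF-8') . '</td><td>'
              . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . "</td></tr>\n";
    }
    return $out;
}

$res = parseLeakdb($response);
if ($res === null) {
    echo "no result\n";
} else {
    echo 'query: ', $res['query'], ' (', $res['type'], ")\n";
    echo 'ntlm : ', getHash($res, 'NTLM'), "\n";
    echo 'sha1 : ', getHash($res, 'sha1'), "\n";
    echo renderRows($res);
}
```

Run it with `php leakdb.php`; to query the real service, replace the $response string with the file_get_contents() call from the post and keep the urlencode() on the user's input.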

We can even use it in our Android applications with getJSONArray(), but I will save that for another long-winded staircase tutorial :)

~Douglas

Harness Unused WiFi Signals for Power with Metamaterials

November 12th, 2013 • 802.11, In the Media, In the News, Mathematics, WiFi Hacking • No Comments »

I recently saw this article (http://tinyurl.com/ssrwifi) from a comment iBall made on FaceBook.

First, this isn't that new. It's been worked on for about a decade now and was hypothesized back in 1968. And yeah, from 1968 to about 1999 most of the work was "theoretical." What I am talking about is a material designed to "catch" electro[magnetism].

In physics there is something called the "index of refraction", which describes how much electro[magnetic] energy changes velocity when it enters a new material. A simple example of refraction is light entering glass or water. Have you ever seen a long rigid pole go into water and thought that it looked bent?

This refraction is the cause of that bend. Light bends as it enters a denser material, and the same is true of other forms of electromagnetism, including WiFi. Draw the normal (a line perpendicular to the surface) at the point where the light enters, and send light in at an angle from air into glass: with ordinary refraction the beam bends toward the normal but stays on the opposite side of it from the incoming beam. If instead the beam crossed over to the same side of the normal as the incoming beam, the material is said to have a negative index of refraction, since the refracted beam lands on the negative side of our point of reference.

A lot more diffraction/refraction/reflection physics goes on behind the scenes, but for generalization purposes, let's use these simple examples. Now, for negative refraction to occur, the permittivity and permeability BOTH need to be negative. This is unusual and doesn't occur naturally in nature. Some metals have negative permittivity at lower frequencies (longer wavelengths, below their plasma frequency), but to achieve negative permeability the "meta" material needs to be aligned and designed to do so. A material in which only one of the two is negative will not allow WiFi's electro[magnetism] to propagate through it.

Let’s not confuse refraction with reflection:

Refraction happens at the surface where the wave enters the material. But remember the article I wrote addressing the leakage of WiFi, and how analyzing incoming signals that seemingly trespass into one's own property should NOT be labeled a "crime" (technically it is a shared ISM/free band anyway)? Well, the metallized "Mylar" material I was speaking of actually has an extremely low transmittance level due to its ability to reflect radiation. In fact, if we look at a curve of wavelength versus transmittance for metallized Mylar, we see that as we approach the shorter wavelengths of WiFi (2.4-5 GHz) the transmittance percentage drops to essentially zero. This means that almost all of the radiation is reflected and nothing passes through. Refraction is a different concept and depends on the density and molecular structure of the material the light goes into. Permeability and permittivity are different from refraction and are why I have outlined the word "magnetism" in "electromagnetism" in this article: they deal with how the electric and magnetic fields affect the material's internal molecular alignment. Lining a room with metallized Mylar, or emergency blankets, is a cheap way to keep radiation in and/or out using reflection!

Now, to make a material whose response to an external magnetic field (in our case, the magnetic component of a WiFi signal) opposes that field, we need to make the permeability negative. This is done in the construction of the meta-material: the meta-material is a set, or aligned grid, of SRRs, or "split ring resonators."

These resonators are just copper split rings that, when driven by an electromagnetic wave, develop an internal looping current, which in turn generates its own magnetic field opposing the field of the WiFi signal. These "rings" are not complete rings; they are non-continuous, with a small section removed. This small gap is not visible in the article's image because the SRRs are braced in foam, but it is there. The gap acts as a capacitor, which lets the SRR resonate at wavelengths much larger than the ring itself. If the ring were closed, it would only respond to a narrow band of frequencies.

The rest of the small circuit is just a DC voltage doubler, which uses the bias of the diodes to steer each half (negative and positive) of the AC wave into one of the twin capacitors. This is an extremely simple concept and design. The paper is mostly about how they optimize the captured current from the current loops in the SRRs when RF at around 900 MHz is received. WiFi has been used at 900 MHz, and will be used there more openly with the new 802.11 amendment "ah". The authors are able to harvest 7.4 VDC at 104 mA at the load. Now, if you're thinking, "great! I could use one of these, I have a WiFi router!" you may be missing the whole picture. This is low power we are talking about here, even if we were to accumulate a large charge into, say, a battery. It would cost less to charge that battery directly from the wall outlet. Let's take a look at why.

Your router most likely came equipped with a dipole antenna and is, by default, spraying signal at a higher transmit (TX) power than your application needs. The whole time the little capacitors in the authors' circuit are filling up with energy from the signal, your router is most likely drawing 5-12 VDC at 0.250-3 A! If we reduce the amount of low-value traffic our router is spraying, such as beacons (usually sent every 100 ms), lower the TX power, and use a proper antenna for devices that are wireless but stationary or nearly so, we save more energy, obviously. Also, RF doesn't necessarily mean 802.11 packets. It can be any radiation at 900 MHz or even below (longer wavelengths) thanks to the simple yet efficient design of the SRRs. Now, if you thought, "wow! I can harness the power from all RF at 900 MHz", that makes more sense!

Now, let's scare ourselves. Imagine a low-powered trolling drone, equipped with a switched GPS radio, that searches for a BSSID or the MAC of a phone or station, and is itself powered by leaked RF. :) Next article up: a few WiFi device patents that I can't afford!

~Douglas

Catching Pink Dolphins with Libpcap via 802.11

September 9th, 2013 • 802.11, Howto, Information Security, Publications, Systems Administration, Warcarrier Application, WiFi Hacking • No Comments »

Having trouble understanding libpcap with 802.11? Having a hard time finding documentation that makes you really grasp the concept of packet sniffing programmatically with 802.11?

libpcap is the library most commonly used for packet sniffing and generation. Most of the best network hacking tools use it, and the documentation is few and far between for a newbie. I've actually wanted to write this for a long, long time. I just finished creating a lot of C programming tutorials, and if you followed through with them you will have no problem at all with this tutorial, so let's put the two together.

802.11 protocol analyzers like Airodump-ng make use of libpcap. When designing WARCARRIER, I ended up making my own version of Airodump-ng so as not to have any dependencies. I tried using scapy and lorcon with Python and even Net::Pcap with Perl, but they were just wrappers for the real thing which didn't offer the type of control that I needed. I needed to use libpcap and C. It sounds rather daunting, because it is heavily filled with computer science, and many major aspects of 802.11 networking, C, libraries, and more need to be known, but I will cover all of these bases with you step by step and even display packets in Wireshark so you can see exactly what we are doing.

I realize the code isn't optimal, but it's a quick start. I'll dig into it later and make the WARCARRIER portion a lot smoother. You can click on the image above to go directly to the document. If you find any errors or need any help, feel free to email me at the address in the masthead at the top of this weblog.

~Douglas

ALFA RTL8187 and Dragorn’s 802.11 Protocol Analyzer with Android 4.3 Jellybean

September 7th, 2013 • 802.11, Android, Howto, Information Security, WiFi Hacking • No Comments »

For _gh0st in #lunatics — Works great and was easy to set up. No root required. This would be perfect to use when doing an on-site pentest.

~Douglas

Thank you Rapid7!

September 5th, 2013 • Information Security, Recognition • No Comments »

When I got home yesterday, I had a nice package waiting for me!

Not only did I get three free shirts, but I also got a flashlight with batteries, a beer cozy, a pen, a bunch of cool clear Metasploit logo stickers, a Rapid7 tote bag, a passive iPhone speaker, and a very kind note from the rep who handled my shirt design. Wow, just wow, and thank you guys so much! I'd love to see pictures from the 2013 Black Hat conference!

So I decided to search Google for some random images and found a few people wearing them. One’s even on the wall with my name on it at the conference!

I think they got the names mixed up here, I’m in the middle.

Above is Tod Beardsley, an engineer for Metasploit with Rapid7.

Here’s one with DualCore in it below!

Awesome! I hope I get to go one year!

~Douglas