Tuesday, August 31, 2010

Ntfsclone, Backup/Restore ntfs partitions

So i did a fresh install of xp and installed a couple apps and wanted to make an appropriate backup image using linux. Being the Backtrack user that i am, the popular choice of backup/imaging known to me at the time were the programs dd or partimage. For my purposes, dd would'nt be a valid choice as it will back up used space as well as unused space, so i was left with partimage.

Partimage is a great program, but support for ntfs file systems were experimental. However, i proceeded to try it out and all went fine, the backup was succesful. However, i didn't want to risk trying a restore and lose everything on that partition (as docs said the support for ntfs was experimental). I then turned to google to find a reasonable alterative.

A few minutes after, i learned of ntfsclone (and its already installed on backtrack 4 as well). Ntfsclone will do as the name says, clone ntfs drives. You can clone to an image file, disk or stdout (useful for piping to programs like split, gzip, bzip etc) . It had the major feature i was looking for that was also present in partimage; the ability to backup only the used blocks of data on the partition and not the entire partition itself. Actually, it backs up the used space on the partition and fills the rest of the image with zero's which makes for easy compression.

Usage is quite simple

To make clone of partition 1 on device sda
# ntfsclone --save-image -o /mnt/usb/disk.img /dev/sda1

To restore image
# ntfsclone --restore-image -O /dev/sda1 /mnt/usb/disk.img //note we are using the capital O in the options to overite the destination /dev/sda1 if existing

Because of the file size limit (4G) on fat32 formatted disks, if you are cloning any drive bigger than four gigs and wanted to copy the saved image to a fat 32 disk, you will therefore run into issues. To overcome this, the following commands can be utilized.

# ntfsclone --save-image -o - /dev/sda1 | split -d -b 1000m - XPSP2.img_ // the '-' will cause ntfsclone to output to standard out. The split utility will split the data every 1000 megabytes (1 gig) from its standard in '-' and output to files with the prefix XPSP2.img_ and because of the '-d' option, numbers will be appended to the individual files. Example: XPSP2.img_01, XPSP2.img_02, XPSP2.img_03.

Just something important to note, taking from the article here:

If you want to copy, move or restore a system or boot
partition to another computer, or to a different disk or partition (e.g.
hda1→hda2, hda1→hdb1 or to different disk sector offset) then you will need to
take extra care.

Usually, Windows will not be able to boot, unless you
copy, move or restore NTFS to the same partition which starts at the same sector
on the same type of disk having the same BIOS legacy cylinder setting as the
original partition and disk had.

The ntfsclone utility guarantees to
make an exact copy of NTFS but it will never deal with booting issues. This is
by design: ntfsclone is a filesystem, not system utility. Its aim is only to
clone NTFS, not to clone Windows. Therefore ntfsclone can be used as a very fast
and absolutely reliable building block for Windows cloning, but itself it's not

Resources/Good Reading:

Friday, August 27, 2010

Advanced tcpdump Kung-Fu

So i was messing with tcpdump again and needed a quick refresher on filters. I went back to one of my blog posts and some other resources i found on google and quickly got up to speed. I wanted to take things a little it further however and looked to get creative.

I started out by filtering icmp packets. I wanted to only see ping request packets coming to me. So i created the filter as follows:

# tcpdump -ni eth0 'icmp and (icmp[0] = 0x08)'

I then only wanted to extract the ip address of the host sending those icmp requests

# tcpdump -lni eth0 'icmp and (icmp[0] = 0x08)' cut -d " " -f 3 //Note that the '-l' option must be included to make stdout line buffered

With this information, i imagined taking things a lil further. What i then wanted to do was to block any machine that was sending icmp echo requests. I then remembered that honeyport script that was in a recent pauldotcom segment (I also blogged about it recently as well. Its really kool).

So the script went like this:

while [ 1 ];
do IP=`tcpdump -c 1 -lni eth0 'icmp and (icmp[0] = 0x08)' cut -d " " -f 3`;
echo -e "\n${IP} is pinging you.";
echo -e "Blocking IP: ${IP}";
iptables -A INPUT -p tcp -s${IP} -j DROP;
iptables -A INPUT -p icmp --icmp-type 8 -s ${IP} -j DROP && echo -e "Blocked...\n";

Then give the script file executable rights then let her rip.

The next small project i did was filtering out traffic coming from the server, but only the data that has the tcp flags PUSH or ACK set. I was using the edna music server for demonstration purposes and it defaults to port 8080.

So in one terminal i had my tcpdump sniffer set up like this:

# tcpdump -w dump.pcap -s0 -ni eth0 'tcp adn src port 8080 and ((tcp[13] = 0x18) or (tcp[13] = 0x10))'

So the idea behind this is that when a client connects, request a song and streams it, i can be the man in the middle just pulling the data that is sent back to the client in a stealthy manner. When you're finished with your sniffing session you can combine some command line tools to retrieve your data

# tcpflow -C -r dump.pcap strings grep "Content-Type" cut -d " " -f 2 sort //this gives you a list of the content types that were sent to the client. Note that -C prevents tcpflow from outputting the different streams into files, instead just displays the data on standard out.

# tcpflow -C -r dump.pcap more -d // after you issue this command you can hit the h key to get helpfull commands. The "/" is a common option used when you want to do regex searches through the data

Just another kool thing you can do on the fly to see the URLs that are being requested

# tcpdump -lni eth0 'dst port 53'cut -d " " -f 8

If you wanted the ip addresses of the clients as well, you can have another tcpdump window running simultaniously along with the above (Have then running side by side, line by line so interpretation is more efficient)

# tcpdump -lni eth0 'dst port 53' cut -d " " -f 3

Wednesday, August 18, 2010

WPA rainbow tables with cowpatty and aircrack-ng suite

No introduction necessary. If you do not know what a rainbow table is then you will just have to use google or read some of my previous posts.

[using cowpatty suite]
# ./ genpmk -f wordlist.lst -d hash_tables.lst -s "linksys" //Generates a salted rainbow table using the wordlist file and the ssid name "linksys"

# ./cowpatty -d hash_tables.lst -s "linksys" -r wpa.pcap //command to crack the WPA key using the rainbowtable and the pcap file

[using aircrack-ng suite]
# airolib-ng table.db --import essid ssids.lst // creates a new database and imports the ssids to be used as salts
# airolib-ng table.db --import passwd wordlist.lst //imports the wordlist/passwords into the database
# airolib-ng table.db --batch //performs all the necessary processing of the essid and password combination
# airolib-ng table.db --verify //verifies the integrity of the ssid/password pairs

# aircrack-ng -r table.db wpa.pcap //command to crack the WPA key using the rainbowtable and the pcap file

Monday, August 16, 2010

Cracking challenge and response lm/ntlm hashes

The Challenge and response hashes that i'll be cracking occur over protocols such as SMB/CIFS on Windows systems. When a user tries to access a remote share, he must first try to authenticate with that remote system. The client says "hello, i would like to communicate with you"; the server responds with a challenge which composes of random data; the client then takes this challenge and uses it to encode its user's lm/ntlm hash then sends the results back to the server; The server then uses the same random challenge and the response sent back by the client to derive the lm/ntlm hash of the user then compares this to its SAM database to see if this user is a valid user on the server.

The server portion of such a system can be modified to respond with a static challenge instead of issuing a random challenge for every client request. By doing so, cracking via rainbow tables becomes favorable and wordlist/bruteforce attacks become viable as well. Because of the use of random challenges per client request to the server, cracking became very difficult as the challenge had to be known and then be incorperated into the cracking program. Having a static challenge thus solves this difficulty.

More information can be found on google and here

Metasploit can be used to capture these hashes and John the ripper can be used to crack them

# msfconsole
msf> use auxilliary/server/capture/smb
msf auxilliary(smb)> run

# ./john --format=netlm --wordlist=passwords.lst halmlmhashes.txt

The challenge and response hashes must be saved in the following format to be suitable for cracking using john:


Reesources/Good Reading:

Monday, August 9, 2010

Honeyport script

I was listening to a pauldotcom podcast (see www.pauldotcom.com), episode 204 and they had a very interesting tech segment called Honeyports on linux (see episode 203 as well for honeyports on windows). The basic idea behind this is the block a potential malicious person via his ip address from accessing your system. This can also work in some situations where an attacker is performing a TCP scan of your machine that actually goes through the entire 3 way TCP handshake and by doing so, trigger our Honeyport script and automatically add a firewall rule to restrict that IP address from further establishing any TCP communication to our machine.

The script is also very simple and elegant.

while [ 1 ] ;
echo "started" ;
do IP=`nc -v -l -p 2222 2>&1 1> /dev/null | grep from | cut -d[ -f 3 | cut -d] -f 1`;
iptables -A INPUT -p tcp -s ${IP} -j DROP ;

Good Stuff from John Strand and the pauldotcom crew for comming up with something so simple, yet so elegant and usefull.

Resources/Good Reading:

Sunday, August 8, 2010

Using Ophcrack from da command line

First off, you need some rainbow tables (Get the ophcrack tables to avoid compatibility issues) from http://ophcrack.sourceforge.net/tables.php.

You can also get the ophcrack program from that site as well.
I will be using BT4 which already has the ophcrack preinstalled.

unzip the rainbowtables into a folder.
Note: This here assumes you have your password hashes in the proper format as well. Programs such as pwdump6 and fgdump are good ones that produce compatible output for use with ophcrack.

# ophcrack -g -d path_to_rainbow_tables_dir/ -t path_to_rainbow_tables_dir/ -n 4 -f hashes.txt

'-d' - Path to rainbow tables
'-g' - do no run the GUI interface
'-t' - specify which table to use. Just putting the dir path to the table works for me
'-n' - number of threads to use
'-f' - path to hashes file obtained from programs like fgdump or pwdump

Of course you can always use the GUI by just typing 'ophcrack' from the command line.

Friday, August 6, 2010


Have those hashes and wanna crack em faster than any other open source password cracker out there? You would definitely want to take this tool for a spin. This tool is very comparable to John the ripper with a number of supported hashing algorithms and word mangling rules that you can throw at it. For more info, check out the authors website at http://hashcat.net.

You can generate your own hashes to crack: # echo -n "password" | openssl md5 > hash.txt

To crack SHA1 hashes using a wordlist:
# ./hashcat-cli.bin -a 0 -m 100 hashes.txt wordlist.lst //crack sha1 hashes in hashes.txt

To perform a bruteforce attack for the MD5 hash:
# ./hashcat-cli-bin -a 3 -m 0 --bf-pw-max=4 hash.txt //bruteforce the md5 hashes in hash.txt with a password length max of 4

# ./hashcat-cli.bin -h //for more help and options

Resources / Good Reading: