Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: Penetration Test

Cracking HALFLM

I was recently reading through Chris Gates’ post on capturing and cracking HALFLM hashes with Metasploit and thought I’d give it a quick run through. (I won’t be rehashing what Chris already covered here, so I suggest you pop over to his blog for a quick coverage of HALFLM and the rainbowtable cracking method).

Until I read the post I’d been using the SMB_relay attack to load up a meterpreter shell onto the remote target, but seeing as Microsoft have finally decided this is a bug worth patching, it’s time to move on to other attack vectors. SMB_relay will still be a good attack vector for some attacks, but the patch against reflective relays means it’s not going to always be available.

All was going well with the walkthrough, I’d captured the hash from the target machine and had the HALFLM tables downloaded (halflmchall _alphanumeric #1-7_x_2400_ 1122334455667788). So after running rcracki_mt_0.5.exe *.rti -h <First16Chars> I was depressed to see that the first half wasn’t found (the tables are only alphanumeric after all). Not a problem I thought, and went back to Chris’ walkthrough to see the next step. That’s where it all went wrong. If you can’t find the first part of the hash, then the rest of the walkthrough isn’t going to help.

I had a little hunt around the big WWW and like any good Googler I found some hints on what other tools could do a brute force or password guessing attack against the HALFLM format. I picked CAIN and set about trying to manually tell it what the username, LM hash and challenge were, without much luck. Cain can sometimes be stubborn on the input formats and you can’t manually tell it what should go where.

I went back to the Metasploit smb capture module and had a closer look at the set options to see what I could do. Here I found the option to output the captured hashes straight into a format readable by Cain & Abel (set PWFILE cain_hashdump.txt) instead of to the screen in a generic format.

After performing the SMB capture again, the file cain_hashdump.txt was created, allowing me to directly import it into CAIN (along with the challenge this time).

For those that may have already captured the HALFLM hash and need to import this into CAIN, the format of the dump output from Metasploit is as follows .:

USERNAME:DOMAIN:1122334455667788:LMHASH:NTHASH


The 1122334455667788 in the middle tells Cain what challenge was used by the Metasploit module. In this case Metasploit is hard coded to use \x11\x22\x33\x44\x55\x66\x77\x88 as the challenge string.
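The dump format described above, as an added example (not code from the original post, Metasploit or Cain): a validator that checks each line of a capture file from an authorized test before it is imported, and pulls out the 16-character first block that the post passes to rcracki as <First16Chars>. It assumes the LM and NT fields are hex-encoded 24-byte NTLMv1 responses; the function names and sample lines are constructed for illustration.

```python
import re
from collections import namedtuple

STATIC_CHALLENGE = "1122334455667788"  # challenge the post says the module hard-codes
Capture = namedtuple("Capture", "username domain challenge lm_response nt_response")

def half_lm(capture):
    # First 8 bytes (16 hex chars) of the LM response: the <First16Chars> value.
    return capture.lm_response[:16]

def _hex(value, nchars, name):
    if not re.fullmatch(r"[0-9a-fA-F]{%d}" % nchars, value):
        raise ValueError(f"{name}: expected {nchars} hex characters")
    return value.lower()

def parse_line(line):
    # Split from the right so a ':' inside the username cannot shift the fields.
    parts = line.strip().rsplit(":", 4)
    if len(parts) != 5:
        raise ValueError("expected USERNAME:DOMAIN:CHALLENGE:LMHASH:NTHASH")
    user, domain, chal, lm, nt = parts
    # Assumption: both responses are 24 bytes (48 hex chars), as in NTLMv1.
    return Capture(user, domain, _hex(chal, 16, "challenge"),
                   _hex(lm, 48, "LMHASH"), _hex(nt, 48, "NTHASH"))

def parse_dump(text):
    # Returns (valid captures, [(line number, error message)]) for a whole file.
    good, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            good.append(parse_line(line))
        except ValueError as exc:
            bad.append((n, str(exc)))
    return good, bad

# Constructed sample input (not real captures): line 2 has a truncated LM field.
_LM = "A1B2C3D4E5F60718" + "0f" * 16
SAMPLE = (f"alice:CORP:{STATIC_CHALLENGE}:{_LM}:{'ab' * 24}\n"
          f"bob:CORP:{STATIC_CHALLENGE}:deadbeef:{'ab' * 24}\n")

if __name__ == "__main__":
    good, bad = parse_dump(SAMPLE)
    print([(c.username, half_lm(c), c.challenge == STATIC_CHALLENGE) for c in good])
    print(bad)
```

A line whose challenge field differs from STATIC_CHALLENGE was not produced with the hard-coded challenge, so tables built for 1122334455667788 do not apply to it.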

Hope you find this useful, and remember to check out the Carnal0wnage blog for the RainbowTable method, as well as lots of other Metasploit hints, tips and examples.

DECT Interception


I’ve been playing about with the com-on-air and tools from dedected for a few weeks now. Results are mixed, as those who’ve sat through the few demos I’ve run can certainly attest to. Things are still in the early phases for the dedected tools and as much as I love what’s already there, it’s not really ready for the mainstream yet. Don’t get me wrong, what’s been done is already amazing work, but for the penetration testers amongst you wanting to grab a com-on-air card from ebay and start running tests, things aren’t always going to be 100%. Still, it makes managers sit up and pay attention if demonstrated correctly.

As an example of the issues, I’ve built the drivers and tools from source on 3 or 4 systems now (Fedora, Debian, and Backtrack 3 and 4). Compiling resulted in mixed results (some compile errors) and random capture failures (just capturing static as if the course was encrypted). You’ll also probably get a few kernel panics before you learn to respect the driver and not expect hotswap support just yet. After one too many hit and miss captures from the compiled versions, I opted to go for the Chaox-ng boot USB which includes everything (yes I do mean everything) built in. I find that this USB boot option just adds to the effect when it comes to demos. You turn up with a PCMCIA card and a 1 GB USB stick. That and any laptop will do the job.


The Chaox-ng distro includes the drivers and tools compiled to perfection (no capture issues here). The latest version also includes the SVN version of Wireshark (with DECT PCAP support). Kismet newcore is compiled in with the DECT plugin if you want to play about with this as well. About the only thing missing is the Metasploit auxiliary modules, but that always was just a Proof of Concept and not very functional. Personally I stick to using the ‘dect_cli’ tool (alongside pcapstein, pcap2chan and Wireshark). For those that are interested I’ve uploaded a few packet captures for you to take a look at.

Plantronics CS60 Captures (Encrypted B-Channel)

Siemens GIGASET (Unencrypted B-Channel)

  • German Test Call (pcap) — HERE
  • German Test Call (g721, wav) — HERE

The Plantronics PCAPs are interesting to look at and see how the communications between the base unit and headset are handled. At this point I’ve not looked too much into the encryption implemented. From a couple of test calls the Plantronics appears to initiate the call and then encrypt a fraction of a second after the call begins. I’m leaning towards a standard implementation of DSC (DECT Standard Cipher) instead of a proprietary Plantronics implementation. Pity, as I was hoping for something in the pairing process that would signal a handshake and key creation process. I’ll leave the encryption work to people much smarter than me however. I just like to play with the new toys 😉

DSAA (DECT Standard Authentication Algorithm) has already been reversed (see details here and the paper on the subject here). So next up will be the DSC hopefully. We’ll have to see how much longer the “Security through obscurity” of DECT works. I hope, for their sake, that they’ve implemented defence-in-depth 😉

Volatility as a penetration testing tool

What is Volatility? Volatility is a Python based memory forensics framework designed for analyzing and extracting data from Windows XP Service Pack 2 systems. I’ve played a little with Volatility in the past, but due to my overall lack of forensics work, I’ve not had a chance to really use most of the features. However after hearing about the latest plug-ins from Moyix I wanted to take a look myself. If you’ve not already had a chance to listen to the latest Pauldotcom episode, then you’re really missing out on a treat. In the technical segment they talk you through using MDD to image a system after exploitation (using Metasploit’s Meterpreter as an upload/download tool for MDD and the memory dump), and then using Moyix’s Volatility plug-ins to extract hash information directly from the SAM. I’ve run through the process (detailed on the ForensicZone blog in some detail) using one of NIST’s demo images and the results are good. It’s not always going to work, as a number of the NIST images give an error. From some quick research this is because the information no longer existed in RAM when the image was done. This could be due to a number of reasons.

Although there are easier ways to extract hashdumps when using Metasploit’s Meterpreter, the process is an interesting use of Volatility’s forensic tools for penetration testing. I’ll be sure to try this out on my next engagement.

Pauldotcom Episode 142 Show Notes –> http://pauldotcom.com/wiki/index.php/Episode142

The Volatility Framework –> https://www.volatilesystems.com/default/volatility

NIST Memory Samples –> http://www.cfreds.nist.gov/mem/memory-images.rar

Building the ultimate pen-test reference library

I’ve been working to build up a good quality reference library of Security books for about 2 years now. Ever since I left my job as a Server Administrator to begin learning about security. Some books have been a bit of a letdown (like the Hacking VoIP exposed book) and others have been a great addition to the collection (like XSS Attacks, or the web Application Hackers Handbook). Moving this small home reference library between home and work has started to become a real problem though. You never have the right book in the right place at the right time. It’s Murphy’s law. So, I’ve begun the quest to set up a comprehensive reference library at work for all those special occasions when you just have to know that obscure Python syntax.

With this in mind I’ve started the list of desired titles. Obviously there’s no way I can add every possible title to this list, and some good books are just not suitable for a reference library. With that said, I hope this is at least a good start .:

  • Applied Cryptography
  • Web-Application Hackers Handbook
  • Database Hackers Handbook / Oracle Hackers Handbook
  • XSS Attacks
  • NMAP Network Scanning
  • Learning Python (3rd Edition)
  • A Book on C (for those Code Review moments)
  • TCP/IP Illustrated (vol.1-3)

To add to these titles, a subscription to the Safari online bookshelf seems like a good idea. Being able to directly search books for specific parameters, configuration options and commands is a great thing. If this is beyond budget, then limited use of Google Books would be a possible solution.

There are some good titles that I’ve not listed here, mostly because once they’ve been read I don’t see them as a source of reference that I’ll use on a regular basis.

This list is far from complete, so if you have suggestions then feel free to post a comment. Without discussion, things will never move forward.