Security

Ophcrack or Oph-crap?

I did some simple tests tonight using the “free” rainbow tables that come with Ophcrack. I was expecting at least one of my passwords to be cracked but neither were. I think there were a couple reasons for this

  1. The password on my XP machine is 15 characters – Ophcrack only goes up to 14 with the free tables for XP
  2. The password on my Windows 7 machine is not in the dictionary – Ophcrack only uses a “based on dictionary” hybrid table with the free tables for Vista+

The good thing here is that for the “trivial” user, they won’t be able to get my passwords since the non-free tables go for $99 a piece or they’ll need to obtain other tables online.

So is it Ophcrack crap? No, probably not, that would be a little harsh since I bet the free tables would crack a huge majority of the general public’s passwords.

Sniffing Traffic on Your Home Router or Hub

I’ve always knew it was possible to sniff traffic on your home network but every time I tried, I always ended up sniffing ‘management type packets’ (e.g. arp requests, syns, acks, etc). I’d never really seen any useful information come across the wire so I pretty much wrote off the idea of sniffing.

Recently I had done a little deeper dive related to some work I’m doing in class and discovered some of the things I’d done wrong in the past. So here’s a short post on sniffing traffic on your home network. Take a minute to understand the concepts and be responsible with your sniffing activities.

Wired Hub

If your home network is using a hub (it’s likely not), it’s going to be extremely easy to sniff traffic. With a hub, all traffic is broadcast to everyone on the connected to the hub and each Ethernet card decides whether or not to ignore or process the packet. Turning on a sniffer like Wireshark will allow you to see all packets that go through your Ethernet card.

Wireless Router – No Encryption

Open wireless networks are just like a hub to some extent. All traffic is basically “shouted out” across the network and anyone can intercept the traffic by telling their card to accept all transmissions. If your home network is using an unencrypted wireless connection (which I highly don’t recommend), simply start up Wireshark and start sniffing — you don’t even need to connect to your network.

Wired Router

Your home network is very likely using a wired or wireless router (next). Wired routers are different than hubs; they are switched and do not broadcast packets to everyone. They utilize MAC addresses at Layer 2 to send traffic to a specific host. This makes sniffing traffic just slightly more complicated.

All computers communicating over a router, need to keep a mapping of IP addresses to MAC (or hardware) addresses. To do this, they use a protocol called Address Resolution Protocol (ARP). ARP is like DNS but between IP addresses and hardware addresses. Due to the inherent lack of security in we can trick all computers (or hosts) on a network into sending their packets through our device so we can intercept them with our sniffer. This is a classic Man in the Middle Attack. The trick is to “poison” all ARP caches residing on host computers to resolve the IP address of the router to the hardware address of your computer.

Wireless Router Weak Encryption (WEP)

If you use WEP on your home network (which I hope you don’t), you can perform the same Man in the Middle Attack using ARP poisoning utilizing the nature of WEP’s encryption (RC4 – stream cipher) to decrypt packets on the fly.

Wireless Router Strong Encryption (WPA, WPA2)

Encrypted wireless routers are vulnerable to ARP poisoning due to what many refer to as “Hole 196”. For our purposes, you can consider a wireless router with strong encryption just like a wired router. I won’t go into the details of Hole 196; check out the link for more details.

So now that I’ve detailed all the possibilities you could be using for your home network, lets talk about how to use the tools to sniff traffic if your using a router of any sort.

1. Poison Your Network

Ettercap is a phenomenal tool for ARP poisoning. Alternatively, you can use ArpSpoof but you’ll need to set up kernel forwarding on your own, Ettercap on the other hand, handles this for you so this is why I chose it.

Open up a terminal and type this to get ARP poisoning going on your network:

nobody@nobody:~$ sudo ettercap -T -q -M ARP -i en1 // //

Here’s an explanation of the command:

-T is textmode, this is basically the non-interactive mode
-q is for quiet
-M is the Man in the Middle Attack - ARP in this case
-i is the interface - en1 in this case. Replace with your own (e.g. wlan0, eth0, etc)
// // means to poison all hosts on the network. It's possible to target single hosts if needed.

Optionally, if you’re using WEP you can add this parameter

-W key_length:string_or_passphrase:wep_key

If you’re using a Mac, you might be interested in my post on getting Wireshark to work on Mac OS X.

Online WPA Crackers

Almost everything, in some sense or another, is vulnerable to brute force. It’s just a matter of how long it takes for something to be brute forced that tends to it’s security. I found it pretty interesting that there are now online WPA crackers that will mount dictionary attacks against captured WPA authentication handshakes:

http://wpa.darkircop.org/

and even one that you pay for that claims to offer 400 CPU’s and a 135 million word dictionary list tailored to WPA passwords

https://www.wpacracker.com/

Just goes to say that in due time, no matter how impossible it seems, dictionary attacks will likely be feasible in sooner time than one would think;all the more reason to use an entirely random WPA password.

Change MAC Address on Mac OS X

Changing your MAC address can be useful in main situations. If you’re reading this page, you’re already likely aware of why it’s useful so let me get straight to the details.

Disassociate from an Access Point (AP) without turning off AirPort

nobody@nobody:~$ sudo ln -s /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /usr/sbin/airport
nobody@nobody:~$ sudo airport -z

Change the MAC address

nobody@nobody:~$ sudo ifconfig en1 ether 00:11:22:33:44:55

Enjoy!

Sniff Open Wireless Traffic with Mac OS X

Sniffing open wireless traffic can be pretty interesting and entertaining. It’s amazing to see what gets transferred across a network. Just make sure you’re doing it legally.

Sniffing on Mac OS X is very similar to sniffing on any other operating system with a few small caveats.

1. Install MacPorts

This is the best package manager IMHO for OS X. You’ll need to install Apple XCode Developer tools prior to installing MacPorts. The install page details all that information here http://www.macports.org/install.php. It’s all very simple double click and install DMG
packages.

2. Install Wireshark

Open a Terminal:

nobody@nobody:~$ sudo port install wireshark

If you just start Wireshark at this point, no interfaces will show up. Your user needs to own /dev/bpf in order to use the interfaces.

3. Create a Startup Script

Create this small script in /usr/bin/wireshark_start

#!/bin/sh
osascript -e "do shell script "chown $USER /dev/bpf*" with administrator privileges";
wireshark &

Give it full execute permissions

nobody@nobody:/usr/bin$ sudo chmod +x wireshark_start
4. Configure Wireshark & Start Sniffing

Start Wireshark

nobody@nobody:~$ wireshark_start

Once Wireshark is open, choose Capture->Options, choose Interface ‘en1′, ensure ‘capture packets in monitor mode’ is enabled, click Start!

You should now be capturing packets. You’re pretty much ‘drinking from a fire hose’ so you need to make sure you utilize Wireshark’s Filter section. e.g. to filter http traffic, type in ‘http’ in the filter box and hit apply.

The Current State of Wireless Security

This post is a small survey of existing Wi-Fi security protocols pertaining to home and small offices as of Oct. 25th, 2010

WEP – Wired Equivalent Privacy – WEAK

Anyone with the slightest knowledge of wireless security protocols knows that WEP is very insecure. A very inexperienced individual can get the tools and watch a tutorial on how to crack a WEP key in a few hours. WEP seriously has so many problems from a cryptographic point of view.

  • The master key is used within the encryption instead of deriving a key from the master key.
  • Keys can be derived from datagrams.
  • The hashing algorithm it uses for integrity is weak (CRC32)

Do not secure your network with WEP. WEP will be completely out of production by 2014.

WPA – Wi-Fi Protected Access – MODERATE-STRONG

WPA was the interm solution to WEP’s serious weaknesses while WPA2 was developed. One of the important points of WPA is that it derives encryption keys from the master key instead of utilizing the master key in the encryption.

WPA has held it’s ground for some time but it still vulnerable to brute-forcing weak passwords by capturing an authentication handshake.Weaknesses in WPA implementations have been discovered as early as 2008 and are continuing to be discovered into early 2010.

The current vulnerabilities exist in the Temporal Key Integrity Protocol (TKIP) (the enhanced protocol to address WEP vulnerabilities). They allow an attacker to inject a small amount of valid encrypted packets of their choice. When the original vulnerability was discovered, Quality of Service (QoS) needed to be enabled on the access point in order to successfully take advantage of the vulnerabilities. Specifically, having QoS enabled,
allowed one to bypass WPAs replay protection. However, as of early 2010, the QoS requirement for the attack is not required. Because this vulnerability doesn’t expose the key, people are not as concerned about it and it hasn’t warranted much concern. Although the attacks aren’t much of a concerned, I’d suggest if you’re going to use WPA, use WPA-AES, NOT WPA-TKIP. TKIP was officially deprecated from the 802.11 spec as of early 2009. The take home message of WPA as quoted from the Wi-Fi alliance:

Q: Is WPA still secure?
Yes, WPA remains secure. WPA is the major upgrade to Wi-Fi security, applicable to
enterprise and home users. WPA was independently verified to address all of WEP’s
known weaknesses. WPA2 is not being released to address any flaws in WPA.

WPA2 – Wi-Fi Protected Access 2 – STRONG

WPA2 was the final spec that the Wi-Fi Alliance had been working on when WEP vulnerabilities were discovered. Instead of utilizing TKIP for encryption, WPA2 utilizes AES. WPA2 is very similar to WPA-AES with a few minor differences that are negligible to security protection.

Like WPA, WPA2 passwords can also be brute-forced, thus strong and random passwords should be used. Other weaknesses in WPA2 do exist but they can generally be avoid by implementing basic security practices. Due to the deprecation of TKIP and the inherently stronger AES encryption, WPA2 is the recommended wireless security protocol. 

Cracking WEP with the Intel 3945abg

Since I’ve been reading a lot about security in networking, I figured I’d give the well known WEP cracking a try.

Common Misconceptions With Wep Cracking
  1. You need a special card to crack WEP keys.
    • This is not true, with some caveats. Any card that can be switched to “monitor mode” can be used to crack WEP keys. The vast majority of cards can do this or someone has written a custom driver (e.g. Airport Extreme Cards on Macs) to enable it. HOWEVER, and this is a big however; if you want to crack WEP without waiting for days or even weeks, you need a card to supports “packet injection.” This list is much smaller but growing as the hardcore driver writers write custom drivers for them.
  2. Nobody is going to crack my WEP key
    • Not only is this entirely untrue, I personally promise you it will happen. There are now websites hooked into the Google Maps API which map out SSID’s and their encryption level, typically on major roads – http://wigle.net/
Intel 3945abg Wireless Card

This is the card that I have on my Dell Inspiron 640m and is a very popular card for laptops. Natively, this card does not support injection but around 2007 a package called ipwraw was developed by Tolas Feup and has since had 3 versions up to 2008 – http://www.aircrack-ng.org/doku.php?id=ipw3945. I use Backtrack and as of version 4.0 this card is fully supported with no custom configuration, simply load up Backtrack and start capturing and injecting!

Cracking

With Backtrack loaded (ensure you’re in an graphical environment, if not type ‘startx’), do the following:

Turn on monitoring mode on the Intel card. You should then have a mon0 interface.

airmon-ng start wlan0

Now, search for your WEP Access Point (AP) by scanning SSIDs. This uses a technique called channel hoping to rapidly switch through all wireless channels to capture broadcasting packets:

airodump-ng mon0

Once you located your WEP AP, type ‘-c’ to terminate airodump-ng and copy the BSSID of your WEP AP and make note of the channel. We’re now going to turn it back on but have it only capture this specific BSSID. Leave this terminal open when you’re done.

airodump-ng --bssid BSSID -c CHANNEL -w OUTPUT_FILE mon0

Now we need to associate with the AP. Open a new terminal and type

aireplay-ng -1 0 -a BSSID mon0

If you received authentication successful from the previous command, you can move on. We’re now going to do an ARP replay attack against the AP so that we can get it to generate enough Initial Vectors (IV) (I plan to discuss the details of WEP weaknesses in a later post) that it will reuse one and from there we can obtain the WEP key

aireplay-ng -3 -b BSSID -h 00:11:22:33:44:55 mon0

This command may take a minute or so. What it’s doing is capturing packets and looking for an ARP packet. Sometimes it can take a while to find an ARP packet if there is little activity on the AP. Once it finds an ARP packet, you’ll see it repeatedly send ARP packets — this really is the key to the speed of the attack. Without this, we’d have to wait for quite some time to get enough IVs to do the crack.

Now you’ll need to monitor the airodump-ng terminal. Once the ARP packets are being replayed you should see the count in the Data column grow at a fast rate. You need to wait until this number is very large (depending on the key size of the AP). Try with 50k and then 100k and so on. Once you’ve captured enough data you can stop the aireplay-ng sending ARP requests and run the following (replace with OUTPUT_FILE from above):

aircrack-ng OUTPUT_FILE-01.cap

If successful you’ll get a KEY FOUND! with the cracked WEP key. Enjoy, have fun, and don’t do anything illegal please!

Simple HTTP Server Detector

The preamble to this post is that you can do this in a few lines with CURL, telnet, wget etc. I’m also sure someone has already written one of these but coming from a Java background, it was useful for me (and may be to others) to write a simple application that uses sockets in C.

very Simple HTTP Server Detector 1.0

(I was laughing when I wrote that title)

nobody@nobody:~/$ ./detect
Usage: ./detect < domainname >

Output looks like this

nobody@nobody:~/$ ./detect www.microsoft.com
Server: Microsoft-IIS/7.5

nobody@nobody:~/$ ./detect www.thexploit.com
Server: Apache

nobody@nobody:~/$ ./detect www.google.com
Server: gws

nobody@nobody:~/$ ./detect www.facebook.com
Server: unknown

nobody@nobody:~/$ ./detect www.reddit.com
Server: AkamaiGHost

nobody@nobody:~/$ ./detect www.twitter.com
Server: hi <=== LOL!!

If you’re new to C, see if you can come up with an implementation on your own and then check out the reference below (heavily commented for understanding):

/*
 * Simple HTTP Server Detector
 *
 * Copyleft 2010.
 * All rights have been wronged.
 *
 *  Created on: Oct 5, 2010
 *      Author: xploit
 */
#include <stdio.h> /* Printf, perror, etc */
#include <stdlib.h> /* exit */
#include <sys/socket.h> /* sockets */
#include <netinet/in.h>
#include <netdb.h> /* Host lookup */
#include <string.h> /* bzero */

/* HTTP port */
#define WEB_PORT 80
/* Receive buffer size */
#define RECV_BUF 1024
/* Server buffer size */
#define SRVR_BUF 256

void fatal(char *error);

int main(int argc, char **argv) {

	int socket_fd, i;
	struct sockaddr_in remote_addr;
	struct hostent *remote_host;
	char recv_buf[RECV_BUF], srvr[SRVR_BUF];

	if (argc < 2) {
		printf("Usage: %s <domainname>n", argv[0]);
		exit(1);
	}

	/* Create a socket */
	if ((socket_fd = socket(PF_INET, SOCK_STREAM, 0)) == -1) {
		fatal("Failed to create socketn");
	}

	/* Resolve the domain name */
	if ((remote_host = gethostbyname(argv[1])) == NULL) {
		fatal("Failed to resolve domain namen");
	}

	/* Set address and port of remote host */
	memcpy(&(remote_addr.sin_addr), remote_host->h_addr_list[0],
			remote_host->h_length);
	remote_addr.sin_family = AF_INET;
	remote_addr.sin_port = htons(WEB_PORT);

	/* Zero out the rest of the struct */
	memset(&(remote_addr.sin_zero), 0, 8);

	/* Connect to the domain */
	if ((connect(socket_fd, (struct sockaddr *) &remote_addr,
			sizeof(struct sockaddr))) == -1) {
		fatal("Unable to connect to domainn");
	}

	/* Send a HTTP head req */
	if ((send(socket_fd, "HEAD / HTTP/1.0rnrn", 19, 0)) == -1) {
		fatal("Error sending HEAD requestn");
	}

	/* Receive the response */
	if ((recv(socket_fd, &recv_buf, 1024, 0)) == -1) {
		fatal("Error reading HEAD responsen");
	}

	/* Find the server substring */
	char *srvr_ptr = strstr(recv_buf, "Server:");

	/* Fail if it wasn't found */
	if (srvr_ptr == NULL) {
		fatal("Server: unknownn");
	}

	/* Read server line*/
	i = 0;
	while (srvr_ptr[i] != 'n' && i < SRVR_BUF) {
		srvr[i] = srvr_ptr[i];
		i++;
	}
	/* Terminate String */
	srvr[i] = '\0';

	/* Clear string */
	srvr_ptr = NULL;

	/* Print the results */
	printf("%sn", srvr);

	/* Stop both reception and transmission */
	shutdown(socket_fd, 2);

	return 0;
}

// Prints an error and exits
void fatal(char *error) {
	printf(error);
	exit(1);
}

One Time Password Protocol Using Your Email

Do you ever have a login that needs to be secure but you don’t want to create and remember a new random and cryptic password? I do all the time, especially for things that I don’t log in to frequently but still need to be secure. Remembering tons of 12+ random password, even with key store is a pain.

So I created a one time password protocol that I use all the time with popular sites like Twitter

The Protocol
  1. On computer @ site to login, click the “Forgot Password” link – enter the email you registered with the site
  2. Generate a random 12+ (100+ if you wanted!) alphanumeric/special char password using a random password generator (they’re all over online)
  3. Highlight and copy the password (CTRL-C/CMD-C)
  4. Log in to the email address, click the “Reset Your Password” link in the email you received from the site.
  5. Paste and submit the new password @ the reset screen
  6. Return to site login, enter username, paste password
  7. Copy something random back into the clipboard — like a space
  8. Forget
Go to Top