Back to reality!

A few days ago I came back from HAR2009, an amazing event. In terms of communication it was great: a 10 Gb/s Internet connection, a telephony system (DECT and analog lines) provided by Eventphone, and also a GSM network! Yes, GSM!

I advise you to listen to the GSM presentations, which are very interesting.

It was also the time for me to meet a lot of good people, like my favorite Maltese hacker...

I would like to thank Max, Sudoman, Jarlin and swo0p for all the fun during these days ;-)

Sn0rkY is alive!

It has been a while since I posted anything and I apologize to everybody. I have been busy working on new ventures and getting slides ready for some upcoming talks like ITUnderground. I plan to drop some interesting posts in the near future, so stay connected ;-)

Hack.lu 08 is over

As in past years, it has been a very nice conference with very good talks. I'm very busy at the moment so I can't review each talk, but I promise I will do it in a few weeks.

You can find my tools and my presentation here.

Recover files on an ext3 file system

Last week I had a bad surprise! The USB drive holding my rainbow tables crashed :( I ran "fsck" on it, and all the files were moved into the "lost+found" directory and lost their names!!! So I spent some time trying to recover the files. A previous adventure in forensic analysis had taught me a tool called ext3grep. It is a very powerful tool for ext3 file systems (one thing I must say about it: if you need to analyze an image or a file bigger than 2 GB you must run it on a 64-bit system).

So, first step: search for blocks containing the string "md5_loweralpha", the beginning of the lost file names.

# ext3grep /dev/sdc1 --search md5_loweralpha
Running ext3grep version 0.9.0
Number of groups: 7453
Minimum / maximum journal block: 1551 / 4155397
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1221831068 = Fri Sep 19 15:31:08 2008
Number of descriptors in journal: 563; min / max sequence numbers: 75 / 275
Blocks containing "md5_loweralpha-numeric-sym": 57541122 70502665 73269762 73269763 73269764 73269765

Next step: list the contents of each block identified above (block 73269764 here, which turns out to be an unallocated directory block):

# ext3grep /dev/sdc1 --ls --block 73269764
Running ext3grep version 0.9.0
Number of groups: 7453
Minimum / maximum journal block: 1551 / 4155397
Loading journal descriptors... sorting... done
The oldest inode block that is still in the journal, appears to be from 1221831068 = Fri Sep 19 15:31:08 2008
Number of descriptors in journal: 563; min / max sequence numbers: 75 / 288
Group: 2236

Block 73269764 is a directory. The block is Unallocated

.-- File type in dir_entry (r=regular file, d=directory, l=symlink)
|          .-- D: Deleted ; R: Reallocated
Indx Next |  Inode   | Deletion time   Mode    File name
==========+==========+-data-from-inode+-------+=========
  0    1  r49086466                    rrw-r-  md5_loweralpha-numeric-symbol32-space#1-7_7_9000x40000000_#13.rt
  1    2  r49086475                    rrw-r-  md5_loweralpha-numeric-symbol32-space#1-7_7_9000x40000000_#22.rt
  2    3  r35258408                    rrw-rr  md5_loweralpha-numeric-symbol32-space#1-7_6_9000x40000000_#07.rt
  3    4  r49086487                    rrw-rr  md5_loweralpha-numeric-symbol32-space#1-7_2_9000x40000000_#23.rt
  4    5  r49086491                    rrw-r-  md5_loweralpha-numeric-symbol32-space#1-7_0_9000x40000000_#02.rt

Now I have all the information I need: the inode numbers and the file names. fsck names each orphan in lost+found "#<inode number>", so every entry of the listing maps directly to a file to copy back under its original name:

# mount /dev/sdc1 /mnt
# cp /mnt/lost+found/#49086466 MD5/md5_loweralpha-numeric-symbol32-space#1-7_7_9000x40000000_#13.rt
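Copying each file by hand gets old quickly when a directory block lists dozens of tables. The helper below is an added example written for this page (not part of the post and not part of ext3grep): it reads a saved `--ls --block` listing and prints one `cp` command per regular file, mapping the `r<inode>` column onto `lost+found/#<inode>`. The listing embedded in it is a constructed sample in the same column layout as the output above, not real recovered data; file names containing spaces are not handled.

```shell
#!/bin/sh
# Added helper for this page (not part of the post or of ext3grep): turn a
# saved "ext3grep <dev> --ls --block <N>" listing into the cp commands used
# above, one per regular file. fsck names orphans "lost+found/#<inode>", and
# the listing gives inode -> original name, so the rename is mechanical.
#
# SAMPLE_LISTING is a constructed sample in the same column layout as the
# post's output; it is not real recovered data.
SAMPLE_LISTING='Indx Next |  Inode   | Deletion time   Mode        File name
==========+==========+-data-from-inode+-----------+=========
  0    1  r49086466                    rrw-r--r--  md5_loweralpha-numeric-symbol32-space#1-7_7_9000x40000000_#13.rt
  1    2  r49086475                    rrw-r--r--  md5_loweralpha-numeric-symbol32-space#1-7_7_9000x40000000_#22.rt
  2    3  d49086001                    drwxr-xr-x  rainbow_subdir
  3    4  l49086002                    lrwxrwxrwx  latest.rt'

# recover_cmds LISTING LOSTFOUND_DIR DEST_DIR
# Prints "cp -n LOSTFOUND_DIR/#<inode> DEST_DIR/<name>" for every row whose
# inode column reads r<number> (a regular file). Directories (d) and
# symlinks (l) are skipped; file names containing spaces are not handled.
# Nothing is copied: review the output, then pipe it to sh.
recover_cmds() {
    printf '%s\n' "$1" | awk -v lf="$2" -v dst="$3" '
        $1 ~ /^[0-9]+$/ && $3 ~ /^r[0-9]+$/ {
            inode = substr($3, 2)
            printf "cp -n %s/#%s %s/%s\n", lf, inode, dst, $NF
        }'
}

# count_recoverable LISTING -> how many files the listing lets us restore
count_recoverable() {
    recover_cmds "$1" /mnt/lost+found MD5 | wc -l | tr -d ' '
}

recover_cmds "$SAMPLE_LISTING" /mnt/lost+found MD5
```

Run it against the real listing with `ext3grep /dev/sdc1 --ls --block 73269764 > listing.txt` and `recover_cmds "$(cat listing.txt)" /mnt/lost+found MD5`, check the commands, then pipe them to `sh`. `cp -n` refuses to overwrite, so a second directory block that lists the same inode cannot clobber a file already restored.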

I encourage you to read this page for more info on ext3grep.

Hack.lu 08

I will present some techniques to break out of the Citrix context at the HACK.LU conference.

Last year I ran a workshop on VoIP assessment and also talked about "Cisco Unified IP Phone Remote Eavesdropping". You can find my presentation here.

Video of Cisco mobility abuse:
http://www.insomnihack.net/blog/video/flvplayer.swf?file=Cisco_mobility_abuse.flv

Video of Cisco URI abuse:
http://www.insomnihack.net/blog/video/flvplayer.swf?file=Cisco_URI_abuse.flv

Video of Cisco URI for wiretapping:
http://www.insomnihack.net/blog/video/flvplayer.swf?file=Cisco_URI_wiretapping.flv

See you there!

Rainbow Crack with French characters

The HSC web site provides a patch to generate rainbow tables with French (accented) characters. A quick test against a tiny table:

lm_fr#1-7_0_100x100_test_fr.rt:
1600 bytes read, disk access time: 0.00 s
verifying the file...
searching for 1 hashes...
plaintext of e40a7944dbde6dae is <80>
cryptanalysis time: 0.00 s

result
---
test hex:e7

It's working well, so let's go!! You can find my charset here.

In the following you will find the status of my rainbow tables:

LM:
lm_alpha_num (Done) 611M
loweralpha-num_symbol14-space_1-7 (Done) 18G
all_without_space_1-7 (Done) 120G
lm_fr_all (0%)

NTLM:
loweralpha-numeric-symbol32-space_1-7 (Done) 120G
loweralpha-numeric_1-8 (Done)
loweralpha_1-9 (Done) 1.1G
mixalpha-num_symbol32-space_1-6 (Done) 16G

MSCash:
Administrator_mixalpha_num_symb14_1-7 (40%)
Administrator_ALL_1-6 (Done) 9G
Administrateur_ALL_1-6 (Done) 9G
Administrator_num_1-11 (Done) 4,2G
Administrator_loweralpha_num_1-8 (Done)
admin_ALL_1-6 (30%)
test_mixalpha_num_symbol14_1-6 (Done) 3G

MD2:
loweralpha_1-8 (Done) 489M

MD5:
numeric_only_1-11 (Done) 2G
loweralpha_1-9 (Done) 21G
loweralpha-num_1-8 (Done) 50G
loweralpha-num-symbol32-space_1-7 (45%) 50G
mixalpha-num_symbol32-space_1-6 (Done) 4G

SHA1:
loweralpha-num-symbol32-space_1-7 (03%) 50G
mixalpha-num-symbol32-space_1-6 (Done) 16G
mixalpha-num_1-7 (Done) 50G

CiscoPix:
mixalpha-numeric-symbol32-space_1-6 (Done) 16G

NetScreen:
user_admin_loweralpha-num-sym14_1-7 (Done) 13G
user_root_loweralpha-num-sym14_1-7 (Done) 13G
user_netscreen_loweralpha-num-sym14_1-7 (Done) 13G

Oracle:
user_oracle_alpha-num_1-7 (Done) 7,6G
user_dba_alpha_1-8 (Done) 1,5G
user_sys_alpha_num_1-7 (Done) 7,6G
user_system_alpha_num_1-7 (Done) 7,6G
user_sys_alpha_1-8 (Done) 1,5G

listener_oracle_alpha-num_1-7 (Done) 7,6G

WPA_PSK:
Cowpatty WPA PSK table (Done) 33G

FireWire Attack

Adam Boileau has released a tool, Winlockpwn, that abuses FireWire (its DMA access to physical memory) on Windows. With this tool an attacker gets read/write access to the whole memory. I tried to use it on my French-localised Windows system but the exploit did not work, so with my colleagues we tried to understand how the exploit actually works.

Several attacks are available; we chose the "WinXP SP2 msv1_0.dll technique" (the winlockpwn code for it was shown in a screenshot).

That function patches msv1_0.dll in memory so that any password is accepted.

To use winlockpwn against a French box you must change the memory range values it scans for the pattern.

Video: http://www.insomnihack.net/blog/video/flvplayer.swf?file=Firewire_hacking.flv

Privilege escalation with windbg and a serial port

Some days ago my colleague came back to an article named "Owned by a serial Port" by Nicolas Ruff. So I tried to perform this attack, and I'll let you see the details in this video:

http://www.insomnihack.net/blog/video/flvplayer.swf?file=Serial_debug_elevation_priv.flv

SSTIC 08

I attended the French security conference SSTIC. Like in previous years, this conference was really interesting. I will not write feedback on each presentation because I am too lazy to do that, but you can find some on the blogs of sid or rogue (in French).

It's really too bad that French law forbids the distribution of security tools, because a lot of them were presented and seem to be good, but could not be made public.

But SSTIC is also this:

Windows Wireless Registry Extraction

Recently I needed to assess a wireless PDA. Registry access had been obtained on the PDA, so I tried to extract sensitive information from it. I remembered a tool (from the Aircrack suite) which can extract WEP keys / WPA PMKs on Windows XP. It's named wzcook.

Then, after extracting the wireless configuration from the registry, just create a wpa-psk.conf for wpa_supplicant like this:

network={
    ssid="my_essid"
    #psk="pre-shared key in clear text"
    psk=5c9597f3c824590(wzcook value)7ea71a89d9d39d08e
}

Note that an unquoted psk= is the 64-hex-digit PMK itself, not the passphrase: what wzcook dumps is enough to join the network, and the passphrase never needs to be recovered.

Now I'm trying to compile "wzcook" for Windows CE / Windows Mobile, and maybe it could work there too.

PH-Neutral 0x7d8

I came back from PH-Neutral, run by Phenoelit, where I could meet really interesting people. I would like to thank everyone I could talk with, and of course "big up" to DJ Vela and Mumpi for the ping-pong DJ set ;-)

Oracle Anti-Hacker training

Last week I was able to follow the Oracle Anti-Hacker training by Alexander Kornbrust.

It was very interesting and frightening!! Interesting, because the training covers a large part of Oracle, and frightening, because Oracle is very complex and there are lots of interactions between Oracle and applications and between Oracle and the host system. Application procedures come with their own SQL injections and allow an intruder (or a malicious employee) to obtain DBA privileges. Once DBA rights are obtained it's often possible to run system commands and own the box.

I particularly enjoyed understanding how the listener password is built... The trainer explained that the listener password uses the username "arbitrary". So I launched the generation of these rainbow tables on my cluster ;-)

Thanks Alexander for your training :-D

Big Brother watching you?

During an ElseNot update, I received an interesting pop-up from TechNet!!

I don't know how this information is used, but I dislike this kind of thing.

Netscreen Rainbow tables

On the ESEC blog I found the hash function of NetScreen passwords. So my colleague Sylvain (not me, of course ;-) ) and I decided to write a RainbowCrack patch to generate tables. A quick test against a tiny table:

$ ./rcrack netscreen_test#1-3_0_10x100_snk.rt -h 6e4a2f364d4e727a49314b4c6371444f5573504b4e434e744a424c326c6e
netscreen_test#1-3_0_10x100_snk.rt:
1600 bytes read, disk access time: 0.00 s
verifying the file...
searching for 1 hash...
plaintext of 6e4a2f364d4e727a49314b4c6371444f5573504b4e434e744a424c326c6e is abc
cryptanalysis time: 0.00 s

statistics
---
plaintext found: 1 of 1 (100.00%)
total disk access time: 0.00 s
total cryptanalysis time: 0.00 s
total chain walk step: 15
total false alarm: 72
total chain walk step due to false alarm: 401

result
---
6e4a2f364d4e727a49314b4c6371444f5573504b4e434e744a424c326c6e abc hex:616263

It's working well, so I started generating tables on my cluster. In the following you will find the status of my rainbow tables.

LM:
lm_alpha_num (Done) 611M
loweralpha-num_symbol14-space_1-7 (Done) 18G
all_without_space_1-7 (Done) 120G

NTLM:
loweralpha-numeric-symbol32-space_1-7 (Done) 120G
loweralpha-numeric_1-8 (Done)
loweralpha_1-9 (Done) 1.1G
mixalpha-num_symbol32-space_1-6 (Done) 16G

MSCash:
Administrator_mixalpha_num_symb14_1-7 (15%) 1T
Administrator_ALL_1-6 (Done) 9G
Administrateur_ALL_1-6 (Done) 9G
Administrator_num_1-11 (Done) 4,2G
Administrator_loweralpha_num_1-8 (Done)
admin_ALL_1-6 (10%)
test_mixalpha_num_symbol14_1-6 (Done) 3G

MD2:
loweralpha_1-8 (Done) 489M

MD5:
numeric_only_1-11 (Done) 2G
loweralpha_1-9 (Done) 21G
loweralpha-num_1-8 (Done) 50G
loweralpha-num-symbol32-space_1-7 (45%) 50G
mixalpha-num_symbol32-space_1-6 (Done) 4G

SHA1:
loweralpha-num-symbol32-space_1-7 (03%) 50G
mixalpha-num-symbol32-space_1-6 (Done) 16G
mixalpha-num_1-7 (Done) 50G

CiscoPix:
mixalpha-numeric-symbol32-space_1-6 (Done) 16G

NetScreen:
user_netscreen_mixalpha-num-symb32-space_1-6 (1%)

Oracle:
user_oracle_alpha-num_1-7 (Done) 7,6G
user_dba_alpha_1-8 (Done) 1,5G
user_sys_alpha_num_1-7 (Done) 7,6G
user_system_alpha_num_1-7 (Done) 7,6G
user_sys_alpha_1-8 (Done) 1,5G

WPA_PSK:
Cowpatty WPA PSK table (Done) 33G

If somebody reads these lines and has another rainbow patch (MS Office, for example), send me an e-mail!

Wireless Attack tools

  • About WEP

A new tool to crack WEP keys was published a few days ago.
It's named aircrack-ptw. This tool recovers a 104-bit WEP key with fewer than 100,000 captured packets, against about 600,000 for aircrack-ng.

I tried it today and it seems to work well...

This is aircrack-ptw 1.0.0
For more informations see http://www.cdc.informatik.tu-darmstadt.de/aircrack-ptw/
allocating a new table
bssid = 00:0C:41:BB:50:BB keyindex=0 stats for bssid 00:0C:41:BB:50:BB keyindex=0 packets=31822
Found key with len 13: B5 11 E0 51 F0 F5 E2 CA DD 33 07 1B 39

  • About WPA-PSK

To supplement this post, I will talk about WPA-PSK attacks. At the Shmoo conference in 2006 a WPA-PSK attack with rainbow tables was presented... I know it's not new!!!

For WPA-PSK it's impossible to create a lookup table for all possible keys: because the key derivation is seeded with the SSID (and its length), we would have to compute all possible passphrases against all possible SSIDs, and the storage required for that is well beyond what anyone can provide or even compute.

So you must generate rainbow tables for a specific SSID, just like the Oracle tables above are generated for a specific user account.

Information is provided on this site, and WPA-PSK rainbow tables can be downloaded by torrent.

Cain also supports this attack.
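The following is an added example written for this page (illustration code, not the author's tool, not RainbowCrack and not the Church of WiFi tables): a miniature rainbow table over WPA-PSK Pairwise Master Keys. It shows the chain/reduction structure behind every table listed on this page, where the "false alarm" figures in the rcrack statistics come from, and, because the PMK is PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), why a table built for one SSID recovers nothing for the same passphrase on another SSID. The same salt-bound structure is what makes the MSCash, Oracle and NetScreen tables above per-username. The charset, passphrase length, chain length, chain count and the SSIDs "linksys" and "default" are toy values chosen so it runs in a few seconds.

```python
"""Miniature rainbow table over WPA-PSK Pairwise Master Keys.

Added illustration for this page (not the author's tool, not RainbowCrack,
not the Church of WiFi tables). PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32),
so the SSID is a salt: a table is only valid for the SSID it was built with.
Toy parameters: 8 lowercase letters, 16 chains of 24 steps, arbitrary SSIDs.
"""
import hashlib

CHARSET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 8                  # WPA passphrases are 8..63 chars; 8 keeps the demo small
KEYSPACE = len(CHARSET) ** PW_LEN
CHAIN_LEN = 24              # t: hash/reduce steps per chain
CHAIN_COUNT = 16            # m: chains in the table
SEED_STRIDE = 7919          # spreads start points over the keyspace (arbitrary prime)


def pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2 PMK as defined by 802.11i: PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def index_to_passphrase(idx: int) -> str:
    """Bijection from [0, KEYSPACE) onto the passphrase space."""
    chars = []
    for _ in range(PW_LEN):
        idx, r = divmod(idx, len(CHARSET))
        chars.append(CHARSET[r])
    return "".join(chars)


def reduce_to_passphrase(h: bytes, column: int) -> str:
    """Column-dependent reduction R_column: 32-byte PMK -> passphrase.
    A different reduction per column is what makes this a rainbow table
    (rather than a Hellman table): two chains colliding in different
    columns do not merge."""
    idx = (int.from_bytes(h[:8], "big") + column) % KEYSPACE
    return index_to_passphrase(idx)


def chain_start(i: int) -> str:
    return index_to_passphrase((1 + i * SEED_STRIDE) % KEYSPACE)


def build_table(ssid: str) -> dict:
    """Return {end_point: [start_points]}. Only start/end pairs are stored;
    the intermediate passphrases are recomputed on lookup (the time/memory
    trade-off). Chains that share an end point are all kept."""
    table = {}
    for i in range(CHAIN_COUNT):
        pw = chain_start(i)
        for col in range(CHAIN_LEN):
            pw = reduce_to_passphrase(pmk(pw, ssid), col)
        table.setdefault(pw, []).append(chain_start(i))
    return table


def lookup(table: dict, target: bytes, ssid: str):
    """Return the passphrase whose PMK is `target` if the table covers it, else None."""
    for col0 in range(CHAIN_LEN - 1, -1, -1):
        # Hypothesis: target was produced in column col0. Finish that chain.
        pw = reduce_to_passphrase(target, col0)
        for col in range(col0 + 1, CHAIN_LEN):
            pw = reduce_to_passphrase(pmk(pw, ssid), col)
        for start in table.get(pw, []):
            # Replay the candidate chain from its start and confirm the hit.
            # An end-point match that yields no hit is a "false alarm", the
            # figure rcrack reports in its statistics above.
            cand = start
            for col in range(CHAIN_LEN):
                h = pmk(cand, ssid)
                if h == target:
                    return cand
                cand = reduce_to_passphrase(h, col)
    return None


def demo():
    """Build a table for one SSID, crack a PMK it covers, and show that the
    same passphrase's PMK under another SSID is not found with that table."""
    ssid = "linksys"
    table = build_table(ssid)
    # A passphrase known to be in the table: 5 steps into chain 3.
    pw = chain_start(3)
    for col in range(5):
        pw = reduce_to_passphrase(pmk(pw, ssid), col)
    hit = lookup(table, pmk(pw, ssid), ssid)
    miss = lookup(table, pmk(pw, "default"), ssid)   # same passphrase, other SSID
    return pw, hit, miss


if __name__ == "__main__":
    pw, hit, miss = demo()
    print("passphrase:", pw, "| found for linksys:", hit, "| found via default-SSID PMK:", miss)
```

A real table trades the toy values for a keyspace covered by millions of chains of several thousand steps, but the lookup cost stays the same shape: about t²/2 hash computations per SSID-specific table, which is why the 4096-round PBKDF2 makes WPA-PSK tables so much slower to build than the LM or MD5 ones listed above.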

References:

aircrack-ptw: http://www.cdc.informatik.tu-darmstadt.de/aircrack-ptw/
WPA-PSK rainbow tables: http://www.renderlab.net/projects/WPA-tables/

More information in French on Sid's blog: les-clous-sont-la-mais-vous-aviez-oublie-la-couronne