Thursday, May 31, 2012

Cain and Abel: Password Cracking

Cain and Abel is a password recovery and cracking tool for Windows operating systems that supports dictionary, brute-force and cryptanalysis attacks.

Step 1: Open Cain and Abel and click on "Cracker". The left column lists the different cracking techniques. Select the cracker you are interested in, here "LM & NTLM Hashes".

Step 2: After selecting "LM & NTLM Hashes", the + sign becomes highlighted. Click on it to list the different users present on this machine.

Step 3: Select the user whose password you want to know/crack. Different password cracking techniques are available, such as dictionary attacks, brute-force password guessing, cryptanalysis attacks, etc. Once you have selected the type of cracking, choose "LM Hashes" or "NTLM Hashes".

Step 4: The screenshot below shows cracking in progress.

Step 5: Screenshot showing the cracked password. The password is split into two blocks of 7 characters each, and an 8-byte LM hash is computed for each block. "IAMGREA" is the part of the password that produced the first block of the hash; "T" is the part that produced the second block.

Step 6: Screenshot of the final cracked result. Enjoy !!!
Username: praveen
Password: iamgreat
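To make the two-block structure from Step 5 concrete, here is an added example (not part of the original post, and not Cain and Abel's code) that performs the LM pre-processing (uppercase, pad to 14 bytes, split into two 7-byte blocks, expand each block into a DES key) and then audits a constructed pwdump-style listing for accounts whose stored LM hash reveals a password of 7 characters or fewer. The DES step itself is left out; it needs a DES library. The usernames, RIDs and hash values in the sample are constructed placeholders.

```python
# LM hash: password is upper-cased, padded with NULs to 14 bytes, split into two
# 7-byte blocks, and each block is used as a DES key to encrypt the constant
# "KGS!@#$%". Both 8-byte results are concatenated into the 16-byte LM hash.
# Because each half is independent, a block of all NULs always yields the same
# well-known 8-byte value, which an audit can spot without cracking anything.
EMPTY_LM_HALF = "AAD3B435B51404EE"   # DES_KGS(7 NUL bytes), i.e. an empty block


def lm_halves(password):
    """Return the two 7-byte blocks that LM derives DES keys from."""
    padded = password.upper().encode("latin-1")[:14].ljust(14, b"\x00")
    return padded[:7], padded[7:]


def des_key_from_7(block):
    """Expand a 7-byte block to an 8-byte DES key (7 key bits + odd parity per byte)."""
    bits = int.from_bytes(block, "big")            # 56 key bits
    key = bytearray()
    for i in range(8):
        seven = (bits >> (49 - 7 * i)) & 0x7F       # next 7 bits, MSB first
        byte = seven << 1
        if bin(seven).count("1") % 2 == 0:          # set LSB so byte parity is odd
            byte |= 1
        key.append(byte)
    return bytes(key)


def audit_pwdump(lines):
    """Classify each 'user:rid:LM:NT:::' line by what its LM hash gives away."""
    findings = []
    for line in lines:
        parts = line.strip().split(":")
        if len(parts) < 4 or len(parts[2]) != 32:
            continue
        user, lm = parts[0], parts[2].upper()
        if lm == EMPTY_LM_HALF * 2:
            findings.append((user, "no LM hash stored (empty password or LM storage disabled)"))
        elif lm[16:] == EMPTY_LM_HALF:
            findings.append((user, "LM hash stored; password is 7 characters or fewer"))
        else:
            findings.append((user, "LM hash stored; password is 8-14 characters"))
    return findings


# Constructed sample listing; the first-half hex values are placeholders, not real hashes.
SAMPLE_PWDUMP = """\
alice:1001:AAD3B435B51404EEAAD3B435B51404EE:NTHASHPLACEHOLDER:::
praveen:1002:0123456789ABCDEFAAD3B435B51404EE:NTHASHPLACEHOLDER:::
bob:1003:0123456789ABCDEFFEDCBA9876543210:NTHASHPLACEHOLDER:::
"""
```

Any account the audit reports as "LM hash stored" is one where the 14-byte limit, upper-casing and independent halves apply, which is why LM storage should be disabled on the machine rather than relying on longer passwords.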

Enjoy Cracking Passwords!
Strictly for educational purposes!!! Have Fun ;-)

The method described above is offline password cracking. Passwords can also be cracked online, but the chance of being detected by perimeter security devices (IDS, IPS, web gateways, etc.) is much higher.

Read the article below, which explains how to build Snort, an open source IDS/IPS.

For a sample Snort rule/signature structure

Wednesday, May 9, 2012

Installing Snort as an IPS, building from source

Install the libraries below from source in the given order by running "configure", "make" and "make install".
At the time of writing this article, the tar/zip files above were the latest available.

By default most of the packages install under /usr/local, so we force them to install in /usr. For example, if you install libpcap-1.2.1 by just running ./configure and then check the running version, it may still show libpcap-0.9.4. To avoid this issue, build with the following arguments:
./configure --enable-ipv6 --prefix=/usr

--enable-ipv6              enables sniffing of IPv6 packets

When the DAQ (Data Acquisition) module is successfully configured we get the output below.
DAQ output after ./configure --enable-ipv6 --prefix=/etc

Build AFPacket DAQ module.. : yes
Build Dump DAQ module........ : yes
Build IPFW DAQ module......... : yes
Build IPQ DAQ module............ : no
Build NFQ DAQ module........... : yes
Build PCAP DAQ module......... : yes

IPQ is obsolete, so it was not installed.

Snort configuration command:
./configure --libdir=/usr/lib --includedir=/usr/include --enable-ipv6 --enable-gre --enable-targetbased --enable-ipfw --enable-dynamicplugin --enable-decoder-preprocessor-rules --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-zlib

For developing preprocessor plugins you can add

Additionally you might need dpx-1.4.tar.gz.

Errors seen while starting Snort:
For the "snort_dynamicrules not found" error, create /usr/local/lib/snort_dynamicrules and copy the .so files there.
For the errors about missing white_listing.rules and black_listing.rules files, create those files and comment out the reputation preprocessor in snort.conf.

#/home/praveen/snort- -V
,,_ -*> Snort! <*-
o" )~ Version IPv6 GRE (Build 121)
'''' By Martin Roesch & The Snort Team:
Copyright (C) 1998-2012 Sourcefire, Inc., et al.
Using libpcap version 1.2.1
Using PCRE version: 8.30 2012-02-04
Using ZLIB version: 1.2.3

Starting Snort with the -Q option will make it run as an IPS (inline mode).

You can refer to a similar article at

For Snort preprocessors, refer to the link below

For sending Snort alerts to a syslog server

For a detailed description of the various concepts, refer to the Snort Users Manual.

Thursday, May 3, 2012

Mac OS X Infector and Research Resources/Links

These are the links/resources collected by my friend Sandeep for his research purposes and shared with me. Most of it is worth reading. I hope this helps someone somewhere gain some knowledge!

HTE -- File manipulator

Mach-O filetype and infection methods

Same idea, different author

Method Swizzling (on OS X you can remap the mapping from a method name to its implementation at runtime)

Class Posing!

OS-X Tools:
otool -- Object File Displaying Tool

gdb -- GNU Debugger (part of GCC)

gas -- host spoofing manager

libtool -- Create Libraries

file -- File Typer

ktrace -- Kernel Trace Logging for a process (system calls, name translations, signal processing, I/O)

dtrace -- Debugger/Tracer in 10.5+

kdump -- Kernel Dump Reader

class-dump -- Examines Objective-C runtime data in Mach-O files

Summary of other useful tools:

Other interesting links are most welcome. I will update the post if any are shared.