Thursday, May 31, 2012

Cain and Abel: Password Cracking

Cain and Abel is a password recovery and cracking tool for Windows operating systems that supports dictionary, brute-force and cryptanalysis attacks.

Step 1: Open Cain and Abel and click on "Cracker". The left column lists the different cracking techniques. Select the cracker you are interested in; here, "LM & NTLM Hashes".


Step 2: After selecting "LM & NTLM Hashes", the + sign becomes highlighted. Click on it to list the different users present on this machine.




Step 3: Select the user whose password you want to know/crack. Different password cracking techniques are available, such as dictionary attacks, brute-force password guessing and cryptanalysis attacks. Once you have selected the type of cracking, go for "LM Hashes" or "NTLM Hashes".


Step 4: The screenshot below shows cracking in progress.


Step 5: Screenshot showing the cracked password. The password is divided into two blocks of 7 characters each, and an 8-byte LM hash is calculated on each block. "T" is the character of the password covered by the second block of the hash; "IAMGREA" are the characters of the password covered by the first block of the hash.


Step 6: Final screenshot of the cracked password. Enjoy !!!
Username: praveen
Password: iamgreat
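
To make the two-block structure concrete, here is an added example (not code from the original post or from Cain and Abel) that computes an LM hash the way the post describes: the password is upper-cased, cut into two 7-character halves, and each half is used as a DES key to encrypt a fixed string, giving the two 8-byte blocks. The constant plaintext "KGS!@#$%" and the 7-to-8-byte key expansion are the documented LM scheme; the function names and the sample passwords are this example's own, and it assumes ASCII passwords. Running it on "iamgreat" shows why the cracker recovers "IAMGREA" and "T" independently: the second block is identical to the first block of the one-letter password "t", and there is no salt.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// lmMagic is the fixed plaintext that LM encrypts under each half-key.
// It is a documented constant of the LM scheme, not a secret.
var lmMagic = []byte("KGS!@#$%")

// lmSplit applies the LM preprocessing the post describes: the password is
// upper-cased, truncated to 14 bytes, NUL-padded and cut into two 7-byte
// halves. For "iamgreat" this yields "IAMGREA" and "T" followed by six NULs.
// (Real LM uses the OEM code page; this example assumes ASCII input.)
func lmSplit(password string) ([7]byte, [7]byte) {
	var buf [14]byte
	copy(buf[:], strings.ToUpper(password)) // copy truncates at 14 bytes
	var a, b [7]byte
	copy(a[:], buf[:7])
	copy(b[:], buf[7:])
	return a, b
}

// desKeyFromHalf spreads 7 bytes (56 bits) across 8 bytes so that each byte
// carries 7 key bits plus a parity bit in the low position; DES ignores the
// parity bit, so it is simply left as zero.
func desKeyFromHalf(half [7]byte) []byte {
	key := []byte{
		half[0] >> 1,
		((half[0] & 0x01) << 6) | (half[1] >> 2),
		((half[1] & 0x03) << 5) | (half[2] >> 3),
		((half[2] & 0x07) << 4) | (half[3] >> 4),
		((half[3] & 0x0F) << 3) | (half[4] >> 5),
		((half[4] & 0x1F) << 2) | (half[5] >> 6),
		((half[5] & 0x3F) << 1) | (half[6] >> 7),
		half[6] & 0x7F,
	}
	for i := range key {
		key[i] <<= 1
	}
	return key
}

// lmHalfHash encrypts the constant plaintext under one half-key, giving the
// 8-byte block the post refers to.
func lmHalfHash(half [7]byte) []byte {
	block, err := des.NewCipher(desKeyFromHalf(half))
	if err != nil {
		panic(err) // cannot happen: the key is always exactly 8 bytes
	}
	out := make([]byte, 8)
	block.Encrypt(out, lmMagic)
	return out
}

// LMHash returns the 16-byte LM hash as upper-case hex: the first-half block
// followed by the second-half block. Because there is no salt, equal halves in
// different passwords always produce equal 8-byte blocks, and a password of
// 7 or fewer characters always has the well-known empty-half block second.
func LMHash(password string) string {
	a, b := lmSplit(password)
	return strings.ToUpper(hex.EncodeToString(append(lmHalfHash(a), lmHalfHash(b)...)))
}

func main() {
	// Sample passwords constructed for the demonstration.
	for _, pw := range []string{"", "t", "iamgreat", "IAMGREAT"} {
		h := LMHash(pw)
		fmt.Printf("%-11q -> %s | %s\n", pw, h[:16], h[16:])
	}
}
```

The practical takeaway for a defender is that each half can be attacked separately from a small, case-insensitive keyspace, and any password of 7 or fewer characters exposes the constant empty-half block (AAD3B435B51404EE) in its second position. The corresponding Windows mitigation is the "Network security: Do not store LAN Manager hash value on next password change" policy (NoLMHash), enabled by default from Windows Vista / Server 2008 onwards, combined with passwords longer than 14 characters, which cannot be stored as LM hashes at all.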


Enjoy Cracking Passwords !
Strictly for educational purposes!!! Have Fun ;-)

The method described above is offline password cracking. You can also crack passwords online, against the live service, but the chances of getting caught by perimeter security devices (IDS, IPS, web gateways etc.) are much higher.

The article below explains how to build an open source IDS/IPS, Snort, from source.
http://darshanams.blogspot.in/2012/05/installing-snort-from-source-as-ips.html

For a sample Snort rule/signature structure:
http://darshanams.blogspot.in/2012/07/bittorrent-useragents-and-detection.html

Wednesday, May 9, 2012

Installing SNORT as IPS, building from Source

Install the libraries below from source, in the given order, by running "configure", "make" and "make install" for each:
    pcre-8.30.zip
    libdnet-1.12.tgz
    libnetfilter_queue-1.0.1.tar
    libnfnetlink-1.0.0.tar
    libpcap-1.2.1.tar.gz
    daq-0.6.2.tar.gz
    snort-2.9.2.2.tar.gz
    snortrules-snapshot-2922.tar.gz
At the time of writing, the tar/zip files above were the latest available.

By default most of these packages install under /usr/local, so we force them to install under /usr. For example, if you install libpcap-1.2.1 by just running ./configure and then check the version in use, it may still show libpcap-0.9.4, because the distribution's older copy under /usr is found before the new one under /usr/local. To overcome this, we build with the arguments below:
./configure --enable-ipv6 --prefix=/usr

--enable-ipv6 enables sniffing of IPv6 packets.

When the DAQ (Data Acquisition) module is successfully configured, we get the output below.
DAQ output after ./configure --enable-ipv6 --prefix=/etc:

Build AFPacket DAQ module.. : yes
Build Dump DAQ module...... : yes
Build IPFW DAQ module...... : yes
Build IPQ DAQ module....... : no
Build NFQ DAQ module....... : yes
Build PCAP DAQ module...... : yes

IPQ is obsolete, so it was not installed.


Snort configuration command:
./configure --libdir=/usr/lib --includedir=/usr/include --enable-ipv6 --enable-gre --enable-targetbased --enable-ipfw --enable-dynamicplugin --enable-decoder-preprocessor-rules --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-zlib

For developing preprocessor plugins you can add:
--enable-debug
--enable-debug-msgs

Additionally you might need dpx-1.4.tar.gz.

Errors seen while starting Snort:
For the "snort_dynamicrules not found" error, create /usr/local/lib/snort_dynamicrules and copy the .so files there.
For the errors about missing white_listing.rules and black_listing.rules files, create those files and comment out the reputation preprocessor in snort.conf.

#/home/praveen/snort-2.9.2.2#snort -V
,,_ -*> Snort! <*-
o" )~ Version 2.9.2.2 IPv6 GRE (Build 121)
'''' By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
Copyright (C) 1998-2012 Sourcefire, Inc., et al.
Using libpcap version 1.2.1
Using PCRE version: 8.30 2012-02-04
Using ZLIB version: 1.2.3
#/home/praveen/snort-2.9.2.2#

Starting Snort with the -Q option makes it run inline as an IPS.


A similar article can be found at:
http://techminded.net/blog/using-snort-as-service-ips.html

For Snort preprocessors, refer to:
http://darshanams.blogspot.in/2010/06/snort-preprocessors-and-alerts.html

For sending Snort alerts to a syslog server:
http://darshanams.blogspot.in/2011/05/snort-logging-alerts-to-syslog-server.html

For a detailed description of the various concepts, refer to the Snort Users Manual:
http://www.snort.org/assets/140/snort_manual_2_8_6.pdf

Thursday, May 3, 2012

Mac OS X Infector and Research Resources/Links

These are links/resources collected by one of my friends, Sandeep, for his research and shared with me. Most of them are worth the read. Hope this helps someone somewhere gain some knowledge !!!


HTE -- File manipulator
http://hte.sourceforge.net/

Mach-O filetype and infection methods
http://felinemenace.org/~nemo/slides/mach-o_infection.ppt

Same idea, different author
http://vx.netlux.org/lib/vrg01.html

Method Swizzling (on OS X you can remap, at runtime, the mapping from a method name to the code that implements it)
http://www.cocoadev.com/index.pl?MethodSwizzling

Class Posing!
http://www.cocoadev.com/index.pl?ClassPosing
http://www.stepwise.com/Articles/Technical/PosersAndCategories/index.html

OS-X Tools:
otool -- Object File Displaying Tool
http://developer.apple.com/mac/library/documentation/Darwin/Reference/ManPages/man1/otool.1.html

gdb -- GNU Debugger (part of GCC)
http://developer.apple.com/tools/gcc_overview.html

gas -- host spoofing manager
http://www.apple.com/downloads/macosx/development_tools/gasmask.html

libtool -- Create Libraries
http://developer.apple.com/mac/library/documentation/Darwin/Reference/ManPages/man1/libtool.1.html

file -- File Typer
http://linux.die.net/man/1/file

ktrace -- Kernel trace logging for a process (system calls, name translations, signal processing, I/O)

dtrace -- Debugger/Tracer in 10.5+
http://www.mactech.com/articles/mactech/Vol.23/23.11/ExploringLeopardwithDTrace/index.html

http://www.macosxhints.com/article.php?story=20071031121823710

kdump -- Kernel Dump Reader

class-dump -- Examines Objective-C runtime data in Mach-O files.
http://codethecode.com/projects/class-dump/

Summary of other useful tools:
http://osxbook.com/book/bonus/ancient/whatismacosx/tools.html


Other interesting links are most welcome; I can update the post with any that are worth adding.