Archive for the 'Hacking' Category
This post is the reason I posted my previous blog entry on installing the Metasploit framework on my Apple MacBook. Chris sent me a link to this movie showing someone exploiting a vulnerability in Microsoft Windows. The .ANI Header Stack Overflow vulnerability allows a remote attacker to send a malicious e-mail to an unsuspecting user with an unpatched Windows machine and gain remote shell access.
After Metasploit was installed on my MacBook, I followed the steps in the movie as they were shown and it worked like a champ. The recipient of the e-mail has to be viewing the e-mail in HTML. I was only able to exploit this vulnerability when using the Microsoft Outlook or Microsoft Outlook Express e-mail clients when the client was set up to view messages in HTML. Either way, I gained access to one of my own machines using this exploit and it showed me just how easy it would be for someone with malicious intent to really wreak havoc on a novice or unsuspecting user.
I am impressed by the whole concept behind the Metasploit framework for exploiting known vulnerabilities and delivering payloads with basically the push of a button. The interface and command logic are easy to understand, for this exploit anyway, and I look forward to learning more about the framework, the exploits, and the payloads in the near future.
Until next time…
I have known about the Metasploit framework for quite some time but have never really known how to use it or taken the time to learn. Recently, Chris inspired me to try it by showing me a movie explaining how to exploit a vulnerability in Microsoft Windows related to the .ANI Header Stack Overflow Vulnerability (more on this in my next post).
Before I could begin working with this nifty little exploit in Metasploit I had to get the framework installed on my MacBook. Metasploit is a suite of Ruby scripts and will run on virtually any Unix-based operating system and Windows (with some minor tweaking). I checked MacPorts for Metasploit and it was available as a port install, but the latest version in the ports tree was 2.7. I needed at least version 3.0, and later determined I needed a development version, version 3.1, from the trunk to get the exploit I was after.
The first thing I did was upgrade my Subversion client on Mac OS X. I got the universal binary from here, and installing and upgrading my Subversion was pretty painless. It installed like most other Mac applications from a package.
Lately, Chris and I have been rekindling our love of wireless technologies. We’ve been doing some wardriving and have also been messing around with WEP and WPA cracking again (See the notice at the bottom of this page). Chris has been able to successfully crack his WEP keys before using the tools available in the Aircrack Suite on Linux, Debian to be more specific. Now, me on the other hand, I’ve never been able to crack my WEP key.
My first attempts were flawed because I was never able to successfully patch the drivers for my ORiNOCO Classic Gold PCMCIA card under Fedora Core Linux. I needed to patch my drivers so I could put my card into monitor mode for use with Kismet or the Aircrack Suite.
Once I came back to the *NIX (Unix/Linux) world and reentered the game with FreeBSD, my Orinoco Classic Gold card was fully supported. I could put the card into monitor mode and whatnot, but for some reason I could never get it working with Kismet. I then moved to a Linksys WPC55AG ver. 1.1 PC Card, which uses an Atheros chipset and therefore was supported with the ath driver under FreeBSD. Now Kismet was happy, but guess what?! The full set of tools included in the Aircrack Suite wasn’t completely ported to FreeBSD… Tough break!
Here it is, 2007, and I’m sporting a 13″ Apple MacBook. The best commercially supported Unix on the market, in my opinion. I’ve blogged about it before and I’ll reiterate it here again that KisMAC is an extremely nice application for keeping your eye on wireless activities. Well, I recently found out that it’s also an extremely powerful tool for attempting to crack WEP keys and that it also supports my newly acquired D-Link DWL-122 wireless USB stick for performing such tasks.
I have made two attempts to crack my AP’s WEP key and both have failed miserably. I’m not sure what is happening, but once I have gathered almost 30k packets and am injecting weak IV packets back into the mix, the application kind of locks up. It doesn’t lock up completely, as it is still capturing data and injecting packets, but every option in the drop-down menus of the application becomes disabled/grayed out. It makes it kind of hard to do anything else with the application since your hands are tied and you can’t even save your data, attempt a crack of some sort, or even exit the application properly.
So, I have ordered another KisMAC-supported USB wireless NIC. I purchased 4 Ashton Digital WRUB 2011i NICs (I couldn’t pass up the price they were being sold at on eBay, and they’re supported on Linux as well as Macintosh). I only bought two items off of eBay, but there are two NICs in each box. Hopefully, this one is better supported in KisMAC, as I read some documentation about some issues with the DWL-122… after I bought it, of course.
Hopefully, once these new NICs arrive I will finally be able to crack my WEP key for the first time. I look forward to the day when I am able to do this on a platform of my choice and I don’t have to break down and run Debian like Chris just to be cool and crack my WEP key! Of course, there’s always virtual machines… Maybe I could run Debian in Parallels on my MacBook and crack WEP that way… It’d still be done “from a Mac”, right?!
Until next time…
Notice: No, we’re not trying to crack our WEP keys so we can learn to do something malicious to anyone else’s network. We’re merely interested in the technologies involved in cracking such keys and the fact that the “security” vendors are selling us is so easily penetrable. It’s research, ladies and gentlemen. That’s it!
I have been working at our DR site most of the week preparing hardware and configs for a DR test we are performing this weekend. As I was sitting here in frustration this afternoon waiting for a server to boot up, I decided to browse through the bash.org quotes and see what was going on. When I stumbled upon quote #742386 I started laughing out loud. On a day like today, when things are extremely stressful, this really brightened my spirits. Below is the quote:
<HaX.1337> U're all lame as hell here!!!!! I can hack u all in no time! just tell me your ip and u're dead!
<Maler.home> try mine
<Maler.home> 127.0.0.1
*** Signoff: HaX.1337 (Connection reset by peer)
<Damz|dispute> wow. never thought such a retard nick can get his hands on something actually working xD
I think this is hilarious because this “super 1337 hacker”, better known as a “script kiddie”, found a script that would supposedly bring a remote host down somehow. How?! It really doesn’t matter. The funny thing is that he really wasn’t that smart. When he asked for an IP address from the others in the room, “Maler.home” gave him 127.0.0.1. This is the address that every operating system (that I’ve seen anyway… there may be exceptions) assigns to itself, also known as the local loopback address. When the script kiddie ran his nifty hacktool against 127.0.0.1, guess what?! He owned himself, crashed his machine, and was disconnected from the IRC channel. That is too good! I just thought I would share!
On another note, if you haven’t checked out bash.org, I suggest you take a look at the site and the many different IRC quotes on there. Most of them are extremely hilarious!
Until next time…
