Compiling wepattack on backtrack4


I encountered various errors when compiling wepattack. This download does not come with a makefile that is compatible with the ubuntu distro that backtrack uses. First of all make sure that the wlan directory that you get when untarring the .tar.gz archive has execute permissions set to it.

$ cd WepAttack-0.1.3/src
$ chmod +x wlan

Once this is done “permission denied” errors should go.

/Desktop/WepAttack-0.1.3/src$ make
gcc -fno-for-scope -c -D__LINUX_WLAN__ -D__I386__ -o wepattack.o wepattack.c
cc1: warning: command line option "-fno-for-scope" is valid for C++/ObjC++ but not for C
wepattack.c: In function ‘loop_packets’:
wepattack.c:141: warning: incompatible implicit declaration of built-in function ‘strlen’
wepattack.c:146: warning: incompatible implicit declaration of built-in function ‘strlen’
wepattack.c:151: warning: incompatible implicit declaration of built-in function ‘strlen’
wepattack.c:156: warning: incompatible implicit declaration of built-in function ‘strlen’
wepattack.c: In function ‘clean_up’:
wepattack.c:184: warning: format ‘%d’ expects type ‘int’, but argument 3 has type ‘long int’
wepattack.c: In function ‘main’:
wepattack.c:309: warning: format ‘%d’ expects type ‘int’, but argument 2 has type ‘long int’
gcc -fno-for-scope -c -D__LINUX_WLAN__ -D__I386__ -o rc4.o rc4.c
cc1: warning: command line option "-fno-for-scope" is valid for C++/ObjC++ but not for C
gcc -fno-for-scope -c -D__LINUX_WLAN__ -D__I386__ -o wepfilter.o wepfilter.c
cc1: warning: command line option "-fno-for-scope" is valid for C++/ObjC++ but not for C
gcc -fno-for-scope -c -D__LINUX_WLAN__ -D__I386__ -o log.o log.c
cc1: warning: command line option "-fno-for-scope" is valid for C++/ObjC++ but not for C
gcc -fno-for-scope -c -D__LINUX_WLAN__ -D__I386__ -o modes.o modes.c
cc1: warning: command line option "-fno-for-scope" is valid for C++/ObjC++ but not for C
modes.c:25:30: error: wlan/wlan_compat.h: Permission denied
modes.c:26:28: error: wlan/p80211hdr.h: Permission denied
modes.c: In function ‘generate_rc4_key’:
modes.c:51: warning: incompatible implicit declaration of built-in function ‘memcpy’
modes.c: In function ‘process_rc4_key’:
modes.c:68: warning: incompatible implicit declaration of built-in function ‘memcpy’
modes.c: In function ‘mode_keygen’:
modes.c:125: warning: incompatible implicit declaration of built-in function ‘memcpy’
modes.c:127: warning: incompatible implicit declaration of built-in function ‘strcpy’
modes.c: In function ‘mode_wep’:
modes.c:145: warning: incompatible implicit declaration of built-in function ‘memcpy’
make: *** [modes.o] Error 1

The following patch file will take care of most errors and you should be able to get Wepattack compiled properly:

diff -aur WepAttack-0.1.3/src/Makefile WepAttack-patched/src/Makefile
--- WepAttack-0.1.3/src/Makefile 2002-10-23 09:11:36.000000000 -0400
+++ WepAttack-patched/src/Makefile 2010-09-26 04:54:20.000000000 -0400
@@ -6,23 +6,23 @@
-CFLAGS=-fno-for-scope -c -D__LINUX_WLAN__ -D__I386__
+CFLAGS= -c -D__LINUX_WLAN__ -D__I386__
# Libraries to link against
-LIBS= -lpcap -lz -lcrypto
+LIBS= -lpcap -lz -lcrypto
# Install path for wepattack

wepattack: wepattack.o rc4.o wepfilter.o log.o modes.o misc.o verify.o keygen.o
- $(LD) $(LDFLAGS) -o $@ wepattack.o rc4.o wepfilter.o log.o\
- modes.o misc.o verify.o keygen.o $(LIBS)
+ $(LD) $(LDFLAGS) $(INCLUDEDIR) -o $@ wepattack.o rc4.o wepfilter.o log.o modes.o misc.o verify.o keygen.o $(LIBS)

wepattack.o: wepattack.c wepattack.h
$(CC) $(CFLAGS) -o $@ wepattack.c
@@ -46,7 +46,7 @@
$(CC) $(CFLAGS) -o $@ keygen.c

modes.o: modes.c modes.h
- $(CC) $(CFLAGS) -o $@ modes.c
+ $(CC) $(CFLAGS) $(INCLUDEDIR) -o $@ modes.c

misc.o: misc.c misc.h
$(CC) $(CFLAGS) -o $@ misc.c
diff -aur WepAttack-0.1.3/src/modes.c WepAttack-patched/src/modes.c
--- WepAttack-0.1.3/src/modes.c 2002-10-24 09:15:19.000000000 -0400
+++ WepAttack-patched/src/modes.c 2010-09-26 04:55:22.000000000 -0400
@@ -29,6 +29,7 @@
#include "wepattack.h"
#include "wepfilter.h"
#include "verify.h"
+#include "string.h"

static rc4_key gen_key;
static unsigned char decrypted_stream[2400];
Only in WepAttack-patched/src: wepattack
diff -aur WepAttack-0.1.3/src/wepattack.c WepAttack-patched/src/wepattack.c
--- WepAttack-0.1.3/src/wepattack.c 2002-10-24 09:14:29.000000000 -0400
+++ WepAttack-patched/src/wepattack.c 2010-09-26 04:41:18.000000000 -0400
@@ -36,7 +36,7 @@
#include "config.h"
#include "modes.h"
#include "misc.h"

wlan_packet_list* current_packet;

@@ -181,7 +181,7 @@

// calculate elapsed time
duration = difftime_us(&t_val_start, &t_val_end);
- printf("\ntime: %f sec\twords: %d\n\n", duration, word_count);
+ printf("\ntime: %f sec\twords: %ld\n\n", duration, word_count);

// write ucracked packets to logfile
@@ -306,7 +306,7 @@

// print out each 10'000 key
if ((word_count % 10000) == 0)
- printf("key no. %d: %s\n", word_count, key);
+ printf("key no. %ld: %s\n", word_count, key);

// main loop to process key in modes on every packet

Copy the above patch in to a file called wepattack.patch. Copy wepattack.patch into the WepAttack-0.1.3 directory and patch it as follows:

$ patch -p1 <wepattack.patch
$ cd src
sudo make install

You should be able to get wepattack installed!


Converting Java Key Store into X.509 certificates


Web services security has been very much talked about in the recent times. Especially, with the Service Oriented Architecture (SOA) gaining increasing importance. One of the interesting ways to protect these web services encapsulated in SOAP (Simple Object Access Protocol) is using digital client-side authentication certificates. Programmers typically use Java Key Store (.JKS) files to establish connectivity to these applications. However, if we want to create a custom client using some scripting it creates an issue as we tend to use languages such as perl, bash, etc. to create connectivity. So I ran into this excellent tool called KeyTool IUI. This tool helps you import the Java Key Store (Tools -> Keystore Manager -> JKS Keystore) and export it in the PKCS#12, X.509 PEM, and DER formats. You can further use OpenSSL to change the formats as you please or separate out the components of the certificates.
You could even take these certificates in X.509 or PFX formats and convert into JCEKS, JKS formats! Pretty cool huh? 🙂 Nice software!


DefCon CTF Quals GrabBag 300 Writeup


The question was:
Question: This is semi-real. 🙁
Password: 5fd78efc6620f6

When you would connect using netcat you would see a 9 numbers and a user PIN. This would repeat thrice and then you would have to choose the right pin for the fourth pair 6×6 matrix of numbers. My first reaction was either the PINS were constant or they were following a pattern. So I wrote up this quick python script to solve this puzzle which helped me understand the problem also.

import socket, re, threading, time
lookupdict = []

def process_array_pin(fs,s):
	i = 6
	temp = ''
	pin = ''
	while i > 0:
		line = fs.readline()
		#print line
		#re.match(".{11}(.).{12}(.).{12}(.)", line).group(1)
		test = re.split(' ',line)
		#print test[1],' ',test[3],' ',test[5],' ',test[7],' ',test[9],' ',test[11]
		i = i - 1
			temp += test[1]+test[3]+test[5]+test[7]+test[9]+test[11]
		except IndexError:
			#i = 15
			#while i > 0:
			#	print fs.readline()
			#	i = i - 1
			#i = 15
			#while i > 0:
			#	print fs.readline()
			#	i = i - 1
	line = fs.readline()
		pin = re.match("..........User entered: (.*)", line).group(1)
	#pin = fs.readline()
	#print 'Line: '+line
	#print 'Pin is : '+pin
	strpin = re.sub(' ','',pin)
	#strpin = re.split(' ',pin)
	#lookupdict[temp] = strpin
	print 'Pin for : ' + temp+' is '+strpin+'\n'
	return temp,strpin
def play():
	global fs, s
	s = socket.create_connection(('', 10435))
	fs = s.makefile()
	print fs.readline()
	print fs.readline()
	print fs.readline()
	answer = []
	numTimes = 0
	while numTimes < 5:
		j = 3
		while j > 0:
			test = process_array_pin(fs,s)
			j = j - 1
			if j > 0:
				numlines = 3
				while numlines > 0:
					numlines = numlines - 1
		pindigits = list(lookupdict[1])
		#print pindigits
		pinpos = 0
		for num in pindigits:
			i = 0
			start = 0
			end = len(lookupdict[0])
			while i < lookupdict[0].count(num):
				indofinterest = lookupdict[0].find(num,start,end)
				#print 'index of interest '+str(indofinterest)
				if lookupdict[2][indofinterest] == lookupdict[3][pinpos]:
					if lookupdict[4][indofinterest] == lookupdict[5][pinpos]:
				i = i + 1
				start = indofinterest+1
			pinpos = pinpos + 1
		#print answer
		# Get question
		i = 6
		temp1 = ""
		while i > 0:
			line = fs.readline()
			#print line
			#re.match(".{11}(.).{12}(.).{12}(.)", line).group(1)
			test = re.split(' ',line)
			#print test[1],' ',test[3],' ',test[5],' ',test[7],' ',test[9],' ',test[11]
			temp1 += test[1]+test[3]+test[5]+test[7]+test[9]+test[11]
			i = i - 1
		print "Question : " +temp1+'\n'
		answerstr = ''
		count = 0
		for i in answer:
			answerstr += temp1[i]
			#print temp1[i],
			count = count + 1
			if count < 4:
				answerstr += ' '
				answerstr += '\n'
		print "Answer : "+answerstr
		output = fs.readline()
		#output = fs.readline()
		print output
		if output.find('Sun') > -1:
			output = fs.readline()
			a = 10
			while a > 0:
				print fs.readline()
				a = a - 1
			#output = fs.readline()
			#print 'Inside else\n'
			#if output.find('NOVA') > -1:
			#	print 'NOVAFOUND!!!!!\n'
			print 'Sent last\n'
			a = 100
			while a > 0:
				print fs.readline()
				a = a - 1
			#print fs.readline()
		del answer[:]
		del lookupdict[:]
		del pindigits[:]
		numTimes += 1
#for i in range(2000):

The above file reads the numbers, filters out the formatting that adds color to the digits and picks out the indices that would be chosen as the key.

So to solve this, each pattern of digits had fixed matrix positions that would be chosen as the pin. Once you successfully solve the puzzle four time you are presented with an ATM screen as follows:

 ***NOVABANK ATM menu***

 Balance: $9238740982570237012935.32

 1) withdraw
 2) deposit
 3) transfer
 4) exit


The real part is the balance i.e., 9238740982570237012935.32 is the answer. It took me various attempts to solve this one because the answer was for some reason not being accepted by the scoreboard until my teammate submitted it at which time it worked.

This was a really cool problem. Thanks DDTEK.


Setting up a Windows 7 Kernel Development Environment


If you are writing some Ring0 (or privileged mode code), say something like device drivers in Windows you’d probably be better served with a separate development machine and a deployment machine. This helps you to write poor code and still not lose hair because your development machine blue screens! 🙂

My setup was using a Windows 8.1 development machine and a Hyper-V based Windows 7 machine for debugging. You will need to execute different tasks on the “guest” (Hyper-V based Windows 7 virtual machine) and some other tasks on the development machine.  I followed many of the things from the MSDN blog post here

On your guest machine you would want to setup a named pipe and setup debug settings. To do that this is what you need to do:

Setup a virtual com port in the Hyper-V Settings (File -> Settings) , this port will be used to communicate from the host machine to the guest to communicate the Kernel debugging commands.


Now make sure that your target guest machine is configured to “listen” those commands.  Inside the guest VM, start a command shell (cmd.exe -> Run as Administrator).



Configure the bcdedit commands so that the machine can now be debugged.  Right after the 2nd command, reboot your Virtual Machine.



With the VM now configured to listen the debug commands via the COM1 port, and the debug mode on in the bootup settings, now start the WinDbg x64 on the host (using “Run as administrator”; you need administrative privileges for communication via Serial port).  In your kernel debugger on the host or the development machine (I’m assuming that these are both on the same physical hardware here).  Click on File -> Kernel Debug and you should see the following screen in the WinDbg window:


Hit Ctrl+Break or Debug -> Break and you will see something like this:


Just remember that when you break in the debugger, your guest in Hyper-V should become “unresponsive”.  The only thing is that it is not really unresponsive, its just being debugged.  Just to make sure, that you have the symbols package that is quite useful for debugging run the following command:

!process 0 0

If you see something like the following screen show up:


The following error means that the symbols are not defined.  Symbols help the debugger give more information about the commands that you are going to execute in the debugger.

NT symbols are incorrect, please fix symbols

To fix this, use the following commands:

kd> .sympath SRV*c:\symcache*http://msdl.microsoft.com/download/symbols
kd> .symfix
kd> .symfix c:\symcache
kd> !sym noisy
kd> .reload /o

Then again try the command: !process 0 0 and see if you get a good response.  A good response looks like the following:


With this you should be good to go! Happy debugging and writing cool Ring0 code.




Brand New Day


It’s a brand new day with no novelty! Back to the lab today trying to now get access to the packet data to calculate the hash values. I suspect that inside netfilter’s sk_buff structure there’s an unsigned char* data field. This probably is exactly what I need to get the hash values. There’s this awesome link which has great information about sk_buff structure. The unsigned int len; has the size of the complete input data including the headers. I guess if this len value == size of the actual data for the IP header (which could be TCP header / UDP header / ICMP header) then if we are using chunks of this data to find hashes then the following algorithm could be used:

no_of_chunks = len / BYTE_SIZE_FOR_SIGN;

addendum = len % BYTE_SIZE_FOR_SIGN;

for (int i = 0; i < no_of_chunks; i++)
(i+1)*BYTE_SIZE_FOR_SIGN - 1 ,0));
no_of_chunks*BYTE_SIZE_FOR_SIGN+addendum, 0)

This are my initial thoughts let’s see how it works out!

Rajat’s Homepage


Nmap and DNS resolution Timeouts


I think Nmap is by far the best portscanner around if you want to do some serious port-scanning. Nmap performs a DNS resolution by default. This is good for obtaining the fully qualified domain names (FQDN), however, in some cases when you are scanning huge networks spanning several class Bs, it can have a significant effect on the duration of the scan.
Although using the -n parameter can completely stop nmap from performing any resolutions, but sometimes there’s that fine granularity that you need, i.e., you want to perform name resolutions but not if it exceeds a certain amount of time. I have to say that I wouldn’t have even craved for such an idiosyncratic feature, had it not been for nmap. Fyodor has been awesome enough to provide fine-grained control over port-scanning to your heart’s content.
So I opened up the nmap code, trying to figure out if I could fine tune that feature myself and I was not at all surprised that there were several comments in the code that would give you the impression that the authors of nmap have been considering this feature.
At this time it seems that the timeouts for the DNS servers are being read out of an arrayname:
static int read_timeouts[][] in nmap_dns.cc.
The way the code works is, this array has retransmission timeouts. Each row of this array represents what retransmission timeouts that nmap will follow depending on the number of DNS servers provided.

In nmap 4.76, therefore, if you specify one DNS server (or only one entry exists in /etc/resolv.conf) nmap will wait 4000ms, then another 4000ms followed by 5000ms before giving up. But if you do specify two DNS servers, then for the first DNS server the timeouts are 2500ms followed by 4000ms and then the same is tried for the 2nd entry in the DNS servers. Therefore, it seems that nmap will wait 13 seconds at max before giving up on the DNS resolution of a host. Imagine scanning a class B and having to wait 13 seconds for each of the hosts to resolve. It would be a significant overhead.

Of course, one can find other things to do if the IP address space is not DHCP, e.g., starting a separate list scan (-sL) and a portscan (with -n) simultaneously so that the DNS resolution timeouts do not result in a major impact as far as the portscanning itself is concerned.
There could be pros and cons to this as well which I may have failed to consider. But at this time it seems that it might be the most judicious approach.


Using awk with bash variables


I wanted to use variables in a bash script’s for loop inside awk’s print statement.
Here’s an easy way to do it – enclose the bash variable within "’"

Here’s a sample scripts to take a list of IPs and do a DNS lookup and generate a CSV:

for ip in `cat ips.txt`
host $ip|grep -v NXDOMAIN|sed 's/\.$//g'|awk '{print "'"$ip"'"","$NF}'