I encountered various errors when compiling wepattack. This download does not come with a makefile that is compatible with the ubuntu distro that backtrack uses. First of all make sure that the wlan directory that you get when untarring the .tar.gz archive has execute permissions set to it.

$ cd WepAttack-0.1.3/src
$ chmod +x wlan

Once this is done “permission denied” errors should go.

/Desktop/WepAttack-0.1.3/src$ make
gcc -fno-for-scope -c -D__LINUX_WLAN__ -D__I386__ -o wepattack.o wepattack.c
cc1: warning: command line option "-fno-for-scope" is valid for C++/ObjC++ but not for C
wepattack.c: In function ‘loop_packets’:
wepattack.c:141: warning: incompatible implicit declaration of built-in function ‘strlen’
wepattack.c:146: warning: incompatible implicit declaration of built-in function ‘strlen’
wepattack.c:151: warning: incompatible implicit declaration of built-in function ‘strlen’
wepattack.c:156: warning: incompatible implicit declaration of built-in function ‘strlen’
wepattack.c: In function ‘clean_up’:
wepattack.c:184: warning: format ‘%d’ expects type ‘int’, but argument 3 has type ‘long int’
wepattack.c: In function ‘main’:
wepattack.c:309: warning: format ‘%d’ expects type ‘int’, but argument 2 has type ‘long int’
gcc -fno-for-scope -c -D__LINUX_WLAN__ -D__I386__ -o rc4.o rc4.c
cc1: warning: command line option "-fno-for-scope" is valid for C++/ObjC++ but not for C
gcc -fno-for-scope -c -D__LINUX_WLAN__ -D__I386__ -o wepfilter.o wepfilter.c
cc1: warning: command line option "-fno-for-scope" is valid for C++/ObjC++ but not for C
gcc -fno-for-scope -c -D__LINUX_WLAN__ -D__I386__ -o log.o log.c
cc1: warning: command line option "-fno-for-scope" is valid for C++/ObjC++ but not for C
gcc -fno-for-scope -c -D__LINUX_WLAN__ -D__I386__ -o modes.o modes.c
cc1: warning: command line option "-fno-for-scope" is valid for C++/ObjC++ but not for C
modes.c:25:30: error: wlan/wlan_compat.h: Permission denied
modes.c:26:28: error: wlan/p80211hdr.h: Permission denied
modes.c: In function ‘generate_rc4_key’:
modes.c:51: warning: incompatible implicit declaration of built-in function ‘memcpy’
modes.c: In function ‘process_rc4_key’:
modes.c:68: warning: incompatible implicit declaration of built-in function ‘memcpy’
modes.c: In function ‘mode_keygen’:
modes.c:125: warning: incompatible implicit declaration of built-in function ‘memcpy’
modes.c:127: warning: incompatible implicit declaration of built-in function ‘strcpy’
modes.c: In function ‘mode_wep’:
modes.c:145: warning: incompatible implicit declaration of built-in function ‘memcpy’
make: *** [modes.o] Error 1

The following patch file will take care of most errors and you should be able to get Wepattack compiled properly:

diff -aur WepAttack-0.1.3/src/Makefile WepAttack-patched/src/Makefile
--- WepAttack-0.1.3/src/Makefile 2002-10-23 09:11:36.000000000 -0400
+++ WepAttack-patched/src/Makefile 2010-09-26 04:54:20.000000000 -0400
@@ -6,23 +6,23 @@
LD=gcc
#
# CFLAGS
-CFLAGS=-fno-for-scope -c -D__LINUX_WLAN__ -D__I386__
+CFLAGS= -c -D__LINUX_WLAN__ -D__I386__
#
#
# LDFLAGS
-#LDFLAGS=
+LDFLAGS=-L../run
#
#
# Libraries to link against
-LIBS= -lpcap -lz -lcrypto
+LIBS= -lpcap -lz -lcrypto
#
#
# Install path for wepattack
INSTDIR=/usr/bin

// main loop to process key in modes on every packet

Copy the above patch in to a file called wepattack.patch. Copy wepattack.patch into the WepAttack-0.1.3 directory and patch it as follows:

$ patch -p1 <wepattack.patch
$ cd src
make
sudo make install

You should be able to get wepattack installed!

Over this weekend I decided to download the Android source tree on my computer (Backtrack 4 R2). The BT4R2 is no longer supported by the Offsec/Backtrack guys (mutt, purehate, etc.).
To start off with I tried to follow the instructions listed here.
The first error I got was with Git, I was using a version earlier than 1.5.4. So I downloaded git version 1.7.4, compiled it and installed it. Then I got the error:
fatal: unable to find remote handler for 'https'
Too bad, I tried recompiling and what not, and I did have openssl…so what was the problem?
The problem was not having libcurl-devel library. So I downloaded the library and launched configure, make clean, make and make install to reinstall git. Now the error was gone.

On the step where I am supposed to execute the following:
$ repo init -u https://android.googlesource.com/platform/manifest
I got the following error:

Exception in thread Thread-1:
Traceback (most recent call last):
File "/usr/lib/python2.5/threading.py", line 486, in __bootstrap_inner
self.run()
File "/usr/lib/python2.5/threading.py", line 446, in run
self.__target(*self.__args, **self.__kwargs)
File "/home/user/bin/.repo/repo/subcmds/sync.py", line 182, in _FetchHelper
success = project.Sync_NetworkHalf(quiet=opt.quiet)
File "/home/user/bin/.repo/repo/project.py", line 926, in Sync_NetworkHalf
if alt_dir is None and self._ApplyCloneBundle(initial=is_new, quiet=quiet):
File "/home/user/bin/.repo/repo/project.py", line 1444, in _ApplyCloneBundle
exist_dst = self._FetchBundle(bundle_url, bundle_tmp, bundle_dst, quiet)
File "/home/user/bin/.repo/repo/project.py", line 1514, in _FetchBundle
size = r.headers['content-length']
File "/usr/lib/python2.5/rfc822.py", line 384, in __getitem__
return self.dict[name.lower()]
KeyError: 'content-length'
Exception in thread Thread-3:
Traceback (most recent call last):
File "/usr/lib/python2.5/threading.py", line 486, in __bootstrap_inner
self.run()
File "/usr/lib/python2.5/threading.py", line 446, in run
self.__target(*self.__args, **self.__kwargs)
File "/home/user/bin/.repo/repo/subcmds/sync.py", line 182, in _FetchHelper
success = project.Sync_NetworkHalf(quiet=opt.quiet)
File "/home/user/bin/.repo/repo/project.py", line 926, in Sync_NetworkHalf
if alt_dir is None and self._ApplyCloneBundle(initial=is_new, quiet=quiet):
File "/home/user/bin/.repo/repo/project.py", line 1444, in _ApplyCloneBundle
exist_dst = self._FetchBundle(bundle_url, bundle_tmp, bundle_dst, quiet)
File "/home/user/bin/.repo/repo/project.py", line 1514, in _FetchBundle
size = r.headers['content-length']
File "/usr/lib/python2.5/rfc822.py", line 384, in __getitem__
return self.dict[name.lower()]
KeyError: 'content-length'
Exception in thread Thread-4:
Traceback (most recent call last):
File "/usr/lib/python2.5/threading.py", line 486, in __bootstrap_inner
self.run()
File "/usr/lib/python2.5/threading.py", line 446, in run
self.__target(*self.__args, **self.__kwargs)
File "/home/user/bin/.repo/repo/subcmds/sync.py", line 182, in _FetchHelper
success = project.Sync_NetworkHalf(quiet=opt.quiet)
File "/home/user/bin/.repo/repo/project.py", line 926, in Sync_NetworkHalf
if alt_dir is None and self._ApplyCloneBundle(initial=is_new, quiet=quiet):
File "/home/user/bin/.repo/repo/project.py", line 1444, in _ApplyCloneBundle
exist_dst = self._FetchBundle(bundle_url, bundle_tmp, bundle_dst, quiet)
File "/home/user/bin/.repo/repo/project.py", line 1514, in _FetchBundle
size = r.headers['content-length']
File "/usr/lib/python2.5/rfc822.py", line 384, in __getitem__
return self.dict[name.lower()]
KeyError: 'content-length'
Exception in thread Thread-2:
Traceback (most recent call last):
File "/usr/lib/python2.5/threading.py", line 486, in __bootstrap_inner
self.run()
File "/usr/lib/python2.5/threading.py", line 446, in run
self.__target(*self.__args, **self.__kwargs)
File "/home/user/bin/.repo/repo/subcmds/sync.py", line 182, in _FetchHelper
success = project.Sync_NetworkHalf(quiet=opt.quiet)
File "/home/user/bin/.repo/repo/project.py", line 926, in Sync_NetworkHalf
if alt_dir is None and self._ApplyCloneBundle(initial=is_new, quiet=quiet):
File "/home/user/bin/.repo/repo/project.py", line 1444, in _ApplyCloneBundle
exist_dst = self._FetchBundle(bundle_url, bundle_tmp, bundle_dst, quiet)
File "/home/user/bin/.repo/repo/project.py", line 1514, in _FetchBundle
size = r.headers['content-length']
File "/usr/lib/python2.5/rfc822.py", line 384, in __getitem__
return self.dict[name.lower()]
KeyError: 'content-length'
Exception in thread Thread-5:
Traceback (most recent call last):
File "/usr/lib/python2.5/threading.py", line 486, in __bootstrap_inner
self.run()
File "/usr/lib/python2.5/threading.py", line 446, in run
self.__target(*self.__args, **self.__kwargs)
File "/home/user/bin/.repo/repo/subcmds/sync.py", line 182, in _FetchHelper
success = project.Sync_NetworkHalf(quiet=opt.quiet)
File "/home/user/bin/.repo/repo/project.py", line 926, in Sync_NetworkHalf
if alt_dir is None and self._ApplyCloneBundle(initial=is_new, quiet=quiet):
File "/home/user/bin/.repo/repo/project.py", line 1444, in _ApplyCloneBundle
exist_dst = self._FetchBundle(bundle_url, bundle_tmp, bundle_dst, quiet)
File "/home/user/bin/.repo/repo/project.py", line 1514, in _FetchBundle
size = r.headers['content-length']
File "/usr/lib/python2.5/rfc822.py", line 384, in __getitem__
return self.dict[name.lower()]
KeyError: 'content-length'
error: Exited sync due to fetch errors


Seems like this error is caused because the content-length http header is not sent by the repository. If you upgrade to Python 2.7.x you can resolve this error.
Now if you are compiling Python from source, it doesn’t come by default with SSL support. So to add SSL support you should edit the Python-2.7/Modules/Setup file and uncomment four lines:
_socket socketmodule.c
# Socket module helper for SSL support; you must comment out the other
# socket line above, and possibly edit the SSL variable:
SSL=/usr
_ssl _ssl.c \
-DUSE_SSL -I$(SSL)/include -I$(SSL)/include/openssl \
-L$(SSL)/lib -lssl -lcrypto
Of course, then you can do the standard steps to compile and install python:
$ ./configure
$ make
$ sudo make install

repo sync would work very well thereafter.

I’ve been struggling to find the best working version of John so that it can crack MS Cache outputs from Cachedump (of course, this functionality is now included in fgdump). Running fgdump gives two files host.pwdump and hostname.cachedump. I’ve found 127.0.0.1.pwdump and 127.0.0.1.cachedump files upon using fgdump without any parameters.
So now you have the Cached credentials but then comes the big problem of cracking those. So there’s the jumbo patch for john-1.7.2.
Following commands need to be executed to get this patch going:

$ tar zxvf john-1.7.2.tar.gz
$ cd john-1.7.2/
$ wget http://www.openwall.com/john/contrib/john-1.7.2-all-9.diff.gz
$ gzip -d john-1.7.2-all-9.diff.gz
$ patch -p1 <john-1.7.2-all-9.diff
$ cd src/
$ make linux-x86-sse2

You get some warnings upon compilations but the executable works very well.

Go ahead and get cracking:
$ cd run/
$ ./john –format=mscash

I like using dcfldd for creating the raw images, because it shows a nice status…it’s interesting to see progress.

dcfldd if=/dev/sda of=/mnt/sdb1/filename.dd hash=md5 md5log=hashfile.md5 conv=noerror,sync bs=4096

It’s the ‘bs’ (stands for bytesize) that makes the difference (…always does doesn’t it ;-).

Autopsy – The forensics browser always uses the ~/.autopsy as the base directory for storing the files from the cases. The following command is helpful in changing the directory in which the cases should be stored:

./autopsy -d /mountpoint/dirname

The exiftool is a cool application that can read meta-information to determine the different types of files.

On the recently concluded PlaidCTF (which was an awesome competition) by PPP there was a problem.  Here it goes:

Question: We managed to get the source code for an encryption service running at 54.234.224.216:4433.

I have listed the python source provided below:

#!/usr/bin/python
import os
import struct
import SocketServer
import zlib
from Crypto.Cipher import AES
from Crypto.Util import Counter

# Not the real keys!
ENCRYPT_KEY = '0000000000000000000000000000000000000000000000000000000000000000'.decode('hex')
# Determine this key.
# Character set: lowercase letters and underscore
PROBLEM_KEY = 'XXXXXXXXXXXXXXXXXXXX'

def encrypt(data, ctr):
    aes = AES.new(ENCRYPT_KEY, AES.MODE_CTR, counter=ctr)
    return aes.encrypt(zlib.compress(data))

class ProblemHandler(SocketServer.StreamRequestHandler):
    def handle(self):
        nonce = os.urandom(8)
        self.wfile.write(nonce)
        ctr = Counter.new(64, prefix=nonce)
        while True:
            data = self.rfile.read(4)
            if not data:
                break

            try:
                length = struct.unpack('I', data)[0]
                if length > (1<<20):
                    break
                data = self.rfile.read(length)
                data += PROBLEM_KEY
                ciphertext = encrypt(data, ctr)
                self.wfile.write(struct.pack('I', len(ciphertext)))
                self.wfile.write(ciphertext)
            except:
                break

class ReusableTCPServer(SocketServer.ForkingMixIn, SocketServer.TCPServer):
    allow_reuse_address = True

if __name__ == '__main__':
    HOST = '0.0.0.0'
    PORT = 4433
    SocketServer.TCPServer.allow_reuse_address = True
    server = ReusableTCPServer((HOST, PORT), ProblemHandler)
    server.serve_forever()

The key on this challenge is to see that the stream encryption is being done on the compressed input. In the source provided, if the user input is similar to the secret value in the PROBLEM_DATA variable then the zlib.compress() function would show a reduced length ciphertext. This is somewhat (and I use the term loosely) similar to the CRIME vulnerability. The AES Counter mode RFC has the implementation details of the cipher. So I wrote the following script.

import socket
import sys
from itertools import *
import struct
def display(msg,numbytes):
	#print >>sys.stderr, 'received "%s"' % msg
	#print >>sys.stderr, 'bytes "%d"' % numbytes
	print >>sys.stderr, 'bytes %d ' % numbytes + msg.encode('hex')
# Create a TCP/IP socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Connect the socket to the port where the server is listening
server_address = ('54.234.224.216', 4433)
print >>sys.stderr, 'connecting to %s port %s' % server_address
sock.connect(server_address)
#mesage len = 20 lowercase and underscore letters
try:
	amount_received = 0
	nonce = sock.recv(8)
	amount_received += len(nonce)
	# Send data
	#strng = 'crime_some'
	#minciphlen = 1000
	#strng = 'crimes_pays'
	#strng = 'so_'
	#strng = 'crime_some_times_pays'
	#strng = 'somet_'
	strng = 'cr'
	minchar = ''
	ciphlen = 1000
	sampleset = 'hijklmnopqrstuvwxyz_abdefgc'
	#while True:
	strng = strng + minchar	
	minciphlen = ciphlen
	minchar = ''
	for s in map("".join,permutations(sampleset,1)):
		#message = nonce +  (strng + s)*10  #'\x00'*11 + s
		message = strng + s
		datalen = struct.pack('I',len(message))  # datalen = '\xe4\x00\x00\x00'
		sock.sendall(datalen)
		#print >>sys.stderr, 'sending '+ message
		sock.sendall(message)
		#print >>sys.stderr, 'message sent'
		amount_received = 0
		# Look for the response
		data = sock.recv(4)
		amount_received += len(data)
		ciphlen = struct.unpack('I', data)[0]
		#print >>sys.stderr, message + ' ' 
		amount_received = 0
		if ciphlen <= minciphlen:
			minciphlen = ciphlen
			minchar = s
			print str(ciphlen) + ' It is ' + strng + minchar
		data = sock.recv(ciphlen)
		#display(data,ciphlen)		
finally:
    print >>sys.stderr, 'closing socket'
    sock.close()

When you connect to the service it provides you the nonce, so I prepended the nonce to the plaintext. The above script shows the plaintext and the length of the cipher text. To start off with this, you start with a string of length 1, and see which is the smallest length response, that gives your first character. Then in the

strng

variable above, you add that character and run again, and the lowest length ciphertext tells you the next character and so on. I noticed that sometimes the output had a few characters with the lowest length. So I tried each of them and ended up with the following flag:

crime_sometimes_pays 

Cisco ASDM is quirky in the sense that if the right Java version is not found it will just puke with errors that make no sense. This is what my java log looks like:
Application Logging Started at Fri Aug 01 11:01:11 EDT 2010
---------------------------------------------
Local Launcher Version = 1.5.41
Local Launcher Version Display = 1.5(41)
Cannot read profile file C:\Documents and Settings\abcdef\.asdm\data\deviceinfo.conf.
OK button clicked
Trying for ASDM Version file; url = https://www.example.com/admin/
Server Version = 6.2(1)
Server Launcher Version = 1.5.41, size = 476672 bytes
Launcher version checking is successful.
invoking SGZ Loader..
Cache location = C:/Documents and Settings/abcdef/.asdm/cache
Exception in thread "SGZ Loader: launchSgzApplet" java.lang.NoSuchFieldError: b
at dac.setLevel(dac.java:65)
at dac.(dac.java:44)
at gd.(gd.java:78)
at f5.a(f5.java:117)
at com.cisco.dmcommon.util.DMCommonEnv.(DMCommonEnv.java:38)
at com.cisco.pdm.PDMApplet.updateProgress(PDMApplet.java:300)
at com.cisco.pdm.PDMApplet.init(PDMApplet.java:63)
at com.cisco.nm.dice.loader.r.run(DashoA19*..:409)
It happens because the ASDM launcher is not capable of running on newer JVMs. Since I had older JVMs, I went into Control Panel -> Java. Click on the Java tab, followed by clicking the “view” button. This will show you the current JVM being used. If you have older JVMs click on Find (you will have to select the folder where you suspect older JVMs to be…which in my case was c:\Program Files). If you don’t find an older JVM then just install an older version and it will work.

Jay Kelath and I will be presenting at ClubHack 2008. Our topic is “Snake in the Eagle’s Shadow: Blind SQL Injection” and it is about using Blind SQL Injection on Oracle, MSSQL (and possibly MySQL) to get content of remote databases and also using out of band mechanisms on Oracle database and blind sql injection to pilfer database information.
I’ve also written up a tool that I’ll be presenting with Jay to show how to exploit blind SQL injection to remotely download files. The technique I’m presenting is different from the time delay techniques as have been presented in the past using the waitfor delay statements. Traditionally, using the waitfor delay statement one can download database contents as was shown using tools such as Absinthe, SQLBrute, Blind SQL Brute Forcer. I just try to automate the “virtual” file downloading using BULK insert on MSSQL Server and download files. To do this you do not need any firewall allowances. The technique I use is if you can “infer” every byte of a file then you don’t need to download the file using a TCP connection, you can re-create the file yourself (you already know every byte of the file). The only limitation being that the data rates are pretty slow using this technique. However, since you do not rely on time delays it’s still faster than time delay techniques.