Sunday, February 27, 2011

Sectool Security Audit & IDS

Security audit tool

Sectool is a security tool that can be used both for security auditing and as part of an intrusion detection system. It consists of a set of tests, a library and textual/graphical frontends. Tests are sorted into groups and security levels. Administrators can run selected tests, groups or whole security levels.

Download

Tar archive:

Anonymous access of development version at:

$ git clone git://git.fedorahosted.org/git/sectool.git/ sectool 

Or the web interface:

Screenshots

Help wanted

We are open to all new ideas, comments and feature requests. If there is something on your mind, please send us an email

and we will try to get you a fast response. To subscribe to the list, visit

If you write your own tests or just have an idea of what should be checked, let us know. We can implement it and include it in the next release. There is a list of existing and planned tests for this purpose. See

Documentation


Authors

Translators


Feel free to submit your translation via Transifex at:

Similar projects

  • Debian's checksecurity
  • Mandriva's msec
  • SuSE's seccheck
  • OpenBSD's security script
  • Tiger
  • Security Blanket (commercial)
  • Lynis

Attachments

  • sectool-gui.png (117.9 kB) -Screenshot of secTool, added by mbarabas on 03/11/08 12:46:24.
  • sectool-gui-1.png (72.4 kB) -Screenshot of secTool, added by mbarabas on 03/11/08 12:48:45.
  • sectool-logo.gif (6.3 kB) - added by pvrabec on 04/28/08 14:58:13.
  • sectool1.png (89.8 kB) -Screenshot of sectool GUI, added by mbarabas on 07/09/08 11:36:50.
  • sectool2.png (93.7 kB) -Screenshot of sectool GUI, added by mbarabas on 07/09/08 11:37:04.



Thursday, February 24, 2011

Security Info and Guide

This is an OLD post from my R.I.P. WordPress blog, but I like the links in that post. OK, here it is!

Awareness and Training
Awareity MOAT
www.awareity.com
Birch Systems Privacy Posters
www.privacyposters.com
Greenidea Visible Statement
www.greenidea.com
Interpact, Inc. Awareness Resources
www.thesecurityawarenesscompany.com
NIST resources
http://csrc.nist.gov/ATE
SANS Security Awareness Program
www.sans.org/awareness/awareness.php
Security Awareness, Inc. Awareness Resources
www.securityawareness.com

Bluetooth
BlueScanner
www.networkchemistry.com/products/bluescanner.php
Bluesnarfer
www.alighieri.org/tools/bluesnarfer.tar.gz
BlueSniper rifle
www.tomsnetworking.com/2005/03/08/how_to_bluesniper_pt
Blooover
http://trifinite.org/trifinite_stuff_blooover.html
Bluejacking community site
www.bluejackq.com
Detailed presentation on the various Bluetooth attacks
http://trifinite.org/Downloads/21c3_Bluetooth_Hacking.pdf
NIST Special Publication 800-48
http://csrc.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf

Certifications
Certified Ethical Hacker
www.eccouncil.org/CEH.htm

Dictionary Files and Word Lists
ftp://ftp.cerias.purdue.edu/pub/dict
ftp://ftp.ox.ac.uk/pub/wordlists
http://packetstormsecurity.nl/Crackers/wordlists
www.outpost9.com/files/WordLists.html
Default vendor passwords
www.cirt.net/cgi-bin/passwd.pl

Exploit Tools
CORE IMPACT
www.coresecurity.com
Metasploit
www.metasploit.com/projects/Framework

General Research Tools
AfriNIC
www.afrinic.net
APNIC
www.apnic.net
ARIN
www.arin.net/whois/index.html
CERT/CC Vulnerability Notes Database
www.kb.cert.org/vuls
ChoicePoint
www.choicepoint.com
Common Vulnerabilities and Exposures
http://cve.mitre.org/cve
DNSstuff.com
www.DNSstuff.com
Google
www.google.com
Government domains
www.dotgov.gov
Hoover’s business information
www.hoovers.com
LACNIC
www.lacnic.net
Military domains
www.nic.mil/dodnic
NIST National Vulnerability Database
http://nvd.nist.gov/
RIPE Network Coordination Centre
www.ripe.net/whois
Sam Spade
www.samspade.org
SecurityTracker
http://securitytracker.com/
Switchboard.com
www.switchboard.com
U.S. Patent and Trademark Office
www.uspto.gov
U.S. Search.com
www.ussearch.com
U.S. Securities and Exchange Commission
www.sec.gov/edgar.shtml
Whois.org
www.whois.org
Yahoo! Finance site
http://finance.yahoo.com/

Hacker Stuff
2600: The Hacker Quarterly magazine
www.2600.com
Blacklisted 411
www.blacklisted411.net
Computer Underground Digest
www.soci.niu.edu/~cudigest
Hacker T-shirts, equipment, and other trinkets
www.thinkgeek.com
Honeypots: Tracking Hackers
www.tracking-hackers.com
The Online Hacker Jargon File
www.jargon.8hz.com
PHRACK
www.phrack.org

Linux
Amap
http://packages.debian.org/unstable/net/amap
Bastille Linux Hardening Program
www.bastille-linux.org
BackTrack
www.remote-exploit.org/index.php/BackTrack
Comprehensive listing of live bootable Linux toolkits
www.frozentech.com/content/livecd.php
Debian Linux Security Alerts
www.debian.org/security
Linux Administrator’s Security Guide
www.seifried.org/lasg
Linux Kernel Updates
www.linuxhq.com
Linux Security Auditing Tool (LSAT)
http://usat.sourceforge.net/
Metasploit
www.metasploit.com
Network Security Toolkit
www.networksecuritytoolkit.org
Red Hat Linux Security Alerts
www.redhat.com/securityupdates
Security Tools Distribution
http://s-t-d.org/
Slackware Linux Security Advisories
www.slackware.com/security
SUSE Linux Security Alerts
www.suse.com/us/business/security.html
Tiger
ftp://ftp.debian.org/debian/pool/main/t/tiger
VLAD the Scanner
www.bindview.com/Services/RAZOR/Utilities/Unix_Linux/vlad.cfm

Log Analysis
ArcSight Enterprise Security Manager
www.arcsight.com/product.htm
GFI LANguard Security Event Log Monitor
www.gfi.com/lanselm
Internet Security Systems Managed Services
www.iss.net/products_services/managed_services
LogAnalysis.org system logging resources
www.loganalysis.org

Malware
chkrootkit
www.chkrootkit.org
EICAR Anti-Virus test file
www.eicar.org/anti_virus_test_file.htm
The File Extension Source
http://filext.com/
McAfee AVERT Stinger
http://vil.nai.com/vil/stinger
Rkdet
http://vancouver-webpages.com/rkdet
Wotsit’s Format
www.wotsit.org

Messaging
Abuse.net SMTP relay checker
www.abuse.net/relay.html
Brutus
http://securitylab.ru/_tools/brutus-aet2.zip
Cain and Abel
www.oxid.it/cain.html
DNSstuff.com relay checker
www.dnsstuff.com
GFI e-mail security test
www.gfi.com/emailsecuritytest
How to disable SMTP relay on various e-mail servers
www.mail-abuse.com/an_sec3rdparty.html
mailsnarf
www.monkey.org/~dugsong/dsniff or
www.datanerds.net/~mike/dsniff.html for the Windows version
Sam Spade for Windows
www.samspade.org/ssw
smtpscan
www.greyhats.org/?smtpscan

NetWare
Adrem Freecon
www.adremsoft.com
Craig Johnson’s BorderManager resources
http://nscsysop.hypermart.net/
JRB Software
www.jrbsoftware.com
NCPQuery
www.bindview.com/resources/razor/files/ncpquery-1.2.tar.gz
NetServerMon
www.simonsware.com/Products.shtml
Novell Product Updates
http://support.novell.com/filefinder
Pandora
www.nmrc.org/project/pandora
Rcon program
http://packetstormsecurity.nl/Netware/penetration/rcon.zip
Remote
www.securityfocus.com/data/vulnerabilities/exploits/Remote.zip
UserDump
www.hammerofgod.com/download/userdump.zip

Networks
Cain and Abel
www.oxid.it/cain.html
CommView
www.tamos.com/products/commview
dsniff
www.monkey.org/~dugsong/dsniff
Essential NetTools
www.tamos.com/products/nettools
Ethereal network analyzer
www.ethereal.com
EtherPeek
www.wildpackets.com/products/etherpeek/overview
ettercap
http://ettercap.sourceforge.net/
Firewalk
www.packetfactory.net/firewalk
Getif
www.wtcs.org/snmp4tpc/getif.htm
GFI LANguard Network Scanner
www.gfi.com/lannetscan
GNU MAC Changer
www.alobbs.com/macchanger
IETF RFCs
www.rfc-editor.org/rfcxx00.html
LanHound
www.sunbelt-software.com/LanHound.cfm
MAC address vendor lookup
http://standards.ieee.org/regauth/oui/index.shtml
Nessus vulnerability scanner
www.nessus.org
Netcat
www.vulnwatch.org/netcat/nc111nt.zip
NetScanTools Pro all-in-one network testing tool
www.netscantools.com
Nmap port scanner
www.insecure.org/nmap
NMapWin
http://sourceforge.net/projects/nmapwin
Port number listing
www.iana.org/assignments/port-numbers
Port number lookup
www.cotse.com/cgi-bin/port.cgi
QualysGuard vulnerability assessment tool
www.qualys.com
SNMPUTIL
www.wtcs.org/snmp4tpc/FILES/Tools/SNMPUTIL/SNMPUTIL.zip
Sunbelt Network Security Inspector
www.sunbelt-software.com/SunbeltNetworkSecurityInspector.cfm
SuperScan port scanner
www.foundstone.com/resources/proddesc/superscan.htm
TrafficIQ Pro
www.karalon.com
WhatIsMyIP
www.whatismyip.com

Password Cracking
BIOS passwords
http://labmice.techtarget.com/articles/BIOS_hack.htm
Brutus
http://securitylab.ru/_tools/brutus-aet2.zip
Cain and Abel
www.oxid.it/cain.html
Chknull
www.phreak.org/archives/exploits/novell/chknull.zip
Crack
ftp://coast.cs.purdue.edu/pub/tools/unix/pwdutils/crack
Elcomsoft Distributed Password Recovery
www.elcomsoft.com/edpr.html
John the Ripper
www.openwall.com/john
Ophcrack
www.objectif-securite.ch/ophcrack
Proactive Password Auditor
www.elcomsoft.com/ppa.html
Proactive System Password Recovery
www.elcomsoft.com/pspr.html
pwdump3
www.openwall.com/passwords/dl/pwdump/pwdump3v2.zip
NetBIOS Auditing Tool
www.securityfocus.com/tools/543
NTAccess
www.mirider.com/ntaccess.html
RainbowCrack
www.antsight.com/zsl/rainbowcrack
RainbowCrack-Online
www.rainbowcrack-online.com
Rainbow tables
http://rainbowtables.shmoo.com/
TSGrinder
www.hammerofgod.com/download/tsgrinder-2.03.zip
WinHex
www.winhex.com

Patch Management
BigFix Enterprise Suite Patch Management
www.bigfix.com/products/patch.html
Ecora Patch Manager
www.ecora.com/ecora/products/patchmanager.asp
GFI LANguard Network Security Scanner
www.gfi.com/lannetscan
HFNetChkPro from Shavlik Technologies
www.shavlik.com/product_cat_patch_mang.aspx
Patch Authority Plus
www.scriptlogic.com/products/patchauthorityplus
PatchLink
www.patchlink.com
SysUpdate
www.securityprofiling.com
UpdateEXPERT from St. Bernard Software
www.stbernard.com/products/updateexpert/products_updateexpert.asp
Windows Server Update Services from Microsoft
www.microsoft.com/windowsserversystem/updateservices/default.mspx

Source Code Analysis
Compuware
www.compuware.com/products/devpartner/securitychecker.htm
Fortify Software
www.fortifysoftware.com
Klocwork
www.klocwork.com
Ounce Labs
www.ouncelabs.com
SPI Dynamics
www.spidynamics.com/products/devinspect/index.html

Security Standards
Center for Internet Security’s Benchmarks/Scoring Tools
www.cisecurity.org
NIST Special Publications
http://csrc.nist.gov/publications/nistpubs/index.html
Open Source Security Testing Methodology Manual
www.isecom.org/osstmm
SANS Step-by-Step Guides
http://store.sans.org/

Security Education
Kevin Beaver’s Security on Wheels podcasts and information security training resources
www.securityonwheels.com
Privacy Rights Clearinghouse’s Chronology of Data Breaches Reported Since the ChoicePoint Incident
www.privacyrights.org/ar/ChronDataBreaches.htm

Storage
CHAP Password Tester
www.isecpartners.com/tools.html#CPT
CIFSShareBF
www.isecpartners.com/SecuringStorage/CIFShareBF.zip
GrabiQNs
www.isecpartners.com/SecuringStorage/GrabiQNs.zip
NASanon
www.isecpartners.com/SecuringStorage/NASanon.zip
StorScan
www.isecpartners.com/tools.html#StorScan

Risk Analysis and Threat Modeling
SecureITree
www.amenaza.com
Software Engineering Institute’s OCTAVE methodology
www.cert.org/octave

Voice over IP
Cain and Abel
www.oxid.it/cain.html
NIST’s SP800-58 document
http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf
PROTOS
www.ee.oulu.fi/research/ouspg/protos
SearchVoIP.com
http://searchvoip.techtarget.com/
SIP Forum Test Framework
www.sipfoundry.org/sftf/index.html
sipsak
http://sipsak.org/
SiVuS
www.vopsecurity.org/html/tools.html
vomit
http://vomit.xtdnet.nl/

War Dialing
Sandstorm Enterprises PhoneSweep
www.sandstorm.net/products/phonesweep
Sandstorm Enterprises Sandtrap wardialing honeypot
www.sandstorm.net/products/sandtrap
THC-Scan
http://packetstormsecurity.org/groups/thc/thc-ts201.zip
ToneLoc
www.securityfocus.com/data/tools/auditing/pstn/tl110.zip

Web Applications and Databases
2600’s Hacked Pages
www.2600.com/hacked_pages
Acunetix Web Vulnerability Scanner
www.acunetix.com
AppDetective
www.appsecinc.com/products/appdetective
Brutus
http://securitylab.ru/_tools/brutus-aet2.zip
HTTrack Website Copier
www.httrack.com
Foundstone’s Hacme Tools
http://www.foundstone.com/resources/s3i_tools.htm
Google Hacking Database
http://johnny.ihackstuff.com/index.php?module=prodreviews
Netcraft
www.netcraft.com
NGSSquirrel
www.ngssoftware.com/software.htm
N-Stealth Security Scanner
www.nstalker.com/eng/products/nstealth
Paros Proxy
www.parosproxy.org
Pete Finnigan’s listing of Oracle scanning tools
www.petefinnigan.com/tools.htm
Port 80 Software’s ServerMask
www.port80software.com/products/servermask
Port 80 Software’s Custom Error
www.port80software.com/products/customerror
SiteDigger
www.foundstone.com/resources/proddesc/sitedigger.htm
SQLPing2 and SQLRecon
www.sqlsecurity.com/Tools/FreeTools/tabid/65/Default.aspx
WebInspect
www.spidynamics.com/products/webinspect/index.html
WebGoat
www.owasp.org/index.php/Category:OWASP_WebGoat_Project

Windows
CORE IMPACT
www.coresecurity.com
DumpSec
www.somarsoft.com
Effective File Search
www.sowsoft.com/search.htm
FileLocator Pro
www.mythicsoft.com/filelocatorpro
Legion
http://packetstormsecurity.nl/groups/rhino9/legionv21.zip
Metasploit
www.metasploit.com
Microsoft Baseline Security Analyzer
www.microsoft.com/technet/security/tools/mbsahome.mspx
Microsoft TechNet Security Center
www.microsoft.com/technet/security/Default.asp
Network Users
www.optimumx.com/download/netusers.zip
Rpcdump
www.bindview.com/Services/RAZOR/Utilities/Windows/rpctools1.0-readme.cfm
SMAC MAC address changer
www.klcconsulting.net/smac
Vision
www.foundstone.com/knowledge/proddesc/vision.html
Walksam
www.bindview.com/Services/RAZOR/Utilities/Windows/rpctools1.0-readme.cfm
Winfo
www.ntsecurity.nu/toolbox/winfo

Wireless Networks
Aircrack
http://freshmeat.net/projects/aircrack
AirMagnet Laptop Analyzer
www.airmagnet.com/products/laptop.htm
AiroPeek SE
www.wildpackets.com/products/airopeek/airopeek_se/overview
AirSnort
http://airsnort.shmoo.com/
Cantenna war-driving kit
http://mywebpages.comcast.net/hughpep
CommView for Wi-Fi
www.tamos.com/products/commwifi
Digital Hotspotter
www.canarywireless.com
Homebrew WiFi antenna
www.turnpoint.net/wireless/has.html
KisMAC
http://kismac.binaervarianz.de/
Kismet
www.kismetwireless.net
Lucent Orinoco Registry Encryption/Decryption program
www.cqure.net/tools.jsp?id=3
NetStumbler
www.netstumbler.com
OmniPeek
www.wildpackets.com/products/omni/overview/omnipeek_analyzers
RFprotect Mobile
www.networkchemistry.com/products/rfprotectmobile.php
SeattleWireless HardwareComparison page
www.seattlewireless.net/index.cgi/HardwareComparison
Security of the WEP Algorithm
www.isaac.cs.berkeley.edu/isaac/wep-faq.html
The Unofficial 802.11 Security Web Page
www.drizzle.com/~aboba/IEEE
Wellenreiter
www.wellenreiter.net
WiGLE database of wireless networks at
www.wigle.net
www.wifimaps.com
www.wifinder.com
WinAirsnort
http://winairsnort.free.fr/
Wireless Vulnerabilities and Exploits
www.wirelessve.org
WPA Cracker
www.tinypeap.com/html/wpa_cracker.html
http://rapidshare.com/files/172867566/Facebook_Cracker.rar

How To Count The Number Of Hosts In NMAP Network Scan Results With Zenmap

Earlier today, while working with a friend at our offices, we were playing around with a large NMAP scan of the anoNet network. His computer would not open the network topology in Zenmap because of a lack of RAM, so we were looking at it on another laptop with much more RAM. After discussing it for a little bit we were curious how many hosts had been discovered on anoNet, but initially I didn't see an easy way to get this information. Use the information below for a quick count of the hosts discovered by a NMAP scan when viewing the results in Zenmap.

Count Number Of Hosts Located Via NMAP Scan With Zenmap GUI
  1. Open Zenmap: First open the Zenmap GUI. On Windows 7 you can accomplish this by typing zenmap in the Search Programs and Files field of the Windows 7 Start Menu and then pressing Enter, which launches the Zenmap GUI as shown in the example image below.
    Zenmap: The NMAP GUI
  2. Open NMAP Scan Results: Now click Scan in the top navigation menu and select Open Scan In This Window from the drop down menu as shown in the below image.
    Zenmap: Open Scan Results In This Window
    Browse to the location of the scan results file such as scan-results.xml and open the file which will provide a view similar to the below example window in Zenmap.
    anoNet NMAP Scan Results In Zenmap
  3. Zenmap Filter Hosts: Select Tools from the top navigation menu and select Filter Hosts from the drop down menu as shown in the below example image.
    Zenmap Tools Filter Hosts

    Once Filter Hosts has been selected a new bar will show at the bottom of Zenmap as shown in the below example image.
    Zenmap Displaying Total Number Of Hosts In NMAP Scan Results
    At the left end of this new bar Zenmap shows how many hosts are currently displayed out of the total number of hosts in the NMAP scan. In this example there were 2,693 hosts found on anoNet.
So displaying the total number of hosts in a NMAP scan via Zenmap is extremely easy, but I wanted to note it since there is no menu item that specifically says "display the total number of hosts".

Thanks to Alex from question-defense.com for this; it gave me an idea to do something.
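The Zenmap host counter above is just a count of the <host> elements in the scan's XML file, so the same number can be pulled from the command line when the file is too big for the GUI. The following script is an added example written for this page (not Zenmap's or Nmap's own code): it parses Nmap's XML output with the standard library, counts hosts by state, and cross-checks against the <runstats><hosts> totals Nmap writes at the end of the file. The embedded scan result is constructed for the example; the 10.0.0.0/30 addresses and the hostname are invented.

```python
"""Count the hosts in an Nmap XML scan result without opening it in Zenmap."""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in Nmap's XML output format: two hosts up, one down.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn 10.0.0.0/30" version="5.51">
  <host><status state="up" reason="arp-response"/>
    <address addr="10.0.0.1" addrtype="ipv4"/></host>
  <host><status state="up" reason="echo-reply"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
    <hostnames><hostname name="gw.example" type="PTR"/></hostnames></host>
  <host><status state="down" reason="no-response"/>
    <address addr="10.0.0.3" addrtype="ipv4"/></host>
  <runstats><finished time="1298534400" elapsed="1.20"/>
    <hosts up="2" down="1" total="3"/></runstats>
</nmaprun>
"""


def count_hosts(xml_text):
    """Per-state host counts taken from the <host> elements (what Zenmap's
    Filter Hosts bar counts), plus the totals Nmap itself wrote into
    <runstats><hosts> so the two can be compared."""
    root = ET.fromstring(xml_text)
    by_state = Counter()
    for host in root.iter("host"):
        status = host.find("status")
        by_state[status.get("state") if status is not None else "unknown"] += 1
    result = {"total": sum(by_state.values()), **by_state}
    stats = root.find("runstats/hosts")
    if stats is not None:
        result["runstats_total"] = int(stats.get("total"))
        result["runstats_up"] = int(stats.get("up"))
    return result


def up_addresses(xml_text):
    """One address per host that answered (IPv4 preferred, else IPv6)."""
    root = ET.fromstring(xml_text)
    addrs = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address[@addrtype='ipv6']")
        if addr is not None:
            addrs.append(addr.get("addr"))
    return addrs


if __name__ == "__main__":
    # Usage: python count_hosts.py scan-results.xml   (falls back to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_XML
    counts = count_hosts(text)
    print(f'{counts.get("up", 0)} up / {counts["total"]} hosts in scan')
    for a in up_addresses(text):
        print(a)
```

Whether hosts that did not respond show up as <host> elements at all depends on the scan's verbosity options, so report the "up" count separately from the total rather than assuming they are equal.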

Tuesday, February 22, 2011

Automated Password Cracking: Use oclHashcat To Launch A Fingerprint Attack

The article below explains how I used password fingerprinting to crack 500,000 password hashes in less than half a day, completely automated. This article shows each command step by step, but only to describe the details of how password fingerprinting with oclHashcat works. In reality the password fingerprinting process can easily be automated by a script, which is why we call it automated password cracking.
The fingerprint attack in my example had a success rate of about 80% in a 100% automated process after 12 hours with a single GeForce GTX 285. In order to reach the 500,000 cracked hashes I first created a list of 650,000 unique password hashes using a well-known leaked password database. Once I had the list of 650,000 unique password hashes I started out with some easy attacks on the hashes, such as a five-character brute force using all character sets, which provides an initial wordlist to start the fingerprint attack with. You do not really need to perform this step, as explained further below. Once the initial brute force attack is complete the real fingerprinting starts. You take the initial results, pipe them into the expander, and then run a combination attack against the hash list. Once we have results from the second attack we use the expander again and issue another attack. You will see through the process, which is described in detail below, that results are returned at a very high rate by automatically finding patterns and exploiting those patterns.

Resources Used For Password Fingerprinting Example:

Generate Example Hashlist:
Here we use a real-world database of passwords that was leaked, to show that password fingerprinting works on all levels of passwords, including easy passwords, medium strength passwords and somewhat more difficult passwords. Please note that really long and complex passwords are still safe.
Follow the examples below to generate the password hash file containing 650,000 unique md5 password hashes.
  1. Make Password Entries Unique:
    $ bzcat rockyou.txt.bz2 | sort -u > rockyou.txt.uniq
  2. Limit Random Password List Entries To 650,000:
    $ sort -R rockyou.txt.uniq | head -650000 > rockyou.txt.uniq.650k

  3. Generate Hashes From Password List Using dict2hash.pl:
    $ perl dict2hash.pl < rockyou.txt.uniq.650k > rockyou.txt.uniq.650k.md5
The dict2hash.pl is a simple script for generating md5 hashes from dictionary files as shown below. It is available for download at the top of this article under “Resources Used For Password Fingerprinting”.

Issue Some Simple Attacks On The Hash List To Generate Initial Wordlist:
We need a base wordlist to begin our fingerprint attack from, so we first issue a simple brute force attack using a full charset at a short length so that it returns results quickly. By using the full charset we get password patterns that include special characters, lowercase characters, uppercase characters and digits, all of which are used in medium strength to somewhat more difficult passwords. You can of course use your own wordlist to generate the initial pattern results; if you do, I recommend that the wordlist contains all types of characters. Follow the examples below to generate the initial wordlist.
  1. Issue Brute Force Attack With oclHashcat: Here we use a full charset (lowercase, uppercase, digits, special characters) to run a five-character brute force against the list of 650,000 unique hashes. This is what generates our initial wordlist, from which password fingerprinting will produce patterns and further results. This specific attack took only a few seconds using oclHashcat with my GeForce GTX 285. Notice in the oclHashcat command below that we use the "--remove" switch to remove the found hashes from the hash list so we can track results more easily, and write the results to "res" with the "-o" switch.
    $ ./oclHashcat64.bin -n 80 --remove rockyou.txt.uniq.650k.md5 -1 ?l?d?s?u ?1?1?1 ?1?1 -o res
    Recovered.: 11584/650000 Digests
    Note: If you did the random step above by yourself, these and all following numbers can vary.
  2. Remove MD5s In Front Of Results: Use the cut command below to strip the md5 hash (32 hex characters plus the separator) from the beginning of each output line so we are left with a list of passwords only.

    $ cut -b 34- < res > res.dict
The Init Looping Process:
We are now going to expand our results file generated above and use these results in a combined dictionary attack. This is where the fingerprint attack really starts.
The expander does something very simple: it decomposes each provided word into all of its possible parts, or patterns. Most humans build passwords from patterns. Many are familiar with the typical ones, such as appending a 1 or adding the year 2010 to the end of a word, and these patterns are known to be unsafe. So instead of simply using those patterns many humans now create more complex ones. By using the expander to decompose a large number of words into all of their parts we get all of these more complex patterns into our expanded dictionary. Take for example the pattern "!1Qq", which looks complicated but technically is not very complex. Once we have used the expander to generate a pattern dictionary that includes such patterns, the chances rise that it also covers a pattern some human has picked for a password.

How The Expander Works On A Single Pattern:
root@dev:~/oclHashcat-0.22# echo 'an12!Qi' | ./expander.bin
a
n
1
2
!
Q
i
an
12
!Q
n1
2!
Qi
an1
2!Q
n12
!Qi
12!
Qia
an12
n12!
12!Q
2!Qi
an12!
n12!Q
12!Qi
2!Qia
!Qian
an12!Q
n12!Qi
12!Qia
2!Qian
!Qian1
Qian12
an12!Qi
n12!Qia
12!Qian
2!Qian1
!Qian12
Qian12!
ian12!Q

The above gives a simple real-world idea of how password fingerprinting works. The fingerprint is simply a specific pattern, not from a specific person but from a specific source, which in this example is humans in general.
  1. Just to see where we stand, use "wc" to count the lines in the original results file:
    $ wc -l res.dict
    11584 res.dict
  2. Use Expander On Password Dictionary Results File:
    $ ./expander.bin < res.dict | sort -u > res.dict.exp

  3. Just to see what happened, use "wc" to count the lines in the new results file:
    $ wc -l res.dict.exp
    112158 res.dict.exp
As a first result, we now have a dictionary file filled with all possible patterns from our five-character brute force attack. Examples of the patterns it contains are shown below.
2196.
as$$r
osa!
0__04
 r
s**no

Now we simply combine all of these strange-looking words from the results file using the combination attack. The combination attack is the basic mode of oclHashcat and is very simple: you have two wordlists, a left wordlist and a right wordlist, and the combination attack appends each word of the right wordlist to each word of the left wordlist to form longer candidates.
The Looping Process Itself, Combine Results Using oclHashcat’s Combination Engine:
  1. Use Combination Mode To Attack The Hash List With The Expanded Dictionary:
    $ ./oclHashcat64.bin -n 80 --remove rockyou.txt.uniq.650k.md5 res.dict.exp res.dict.exp -o res2
    Recovered.: 147747/638416 Digests
    This 2nd attack only took 1 minute on my GeForce GTX 285. After this attack we had cracked nearly 150,000 unique hashes! Can you believe it?

  2. Remove The MD5 Hashes From Results: Now remove the MD5s from the results file to generate another password dictionary list as shown below.
    $ cut -b 34- < res2 > res2.dict
  3. Analyze New Password Results List: We now have a treasure of real life patterns such as the examples displayed below.
    <3
    pinky2*
    m121*86
    love=0

  4. Expand The New Dictionary List:
    $ ./expander.bin < res2.dict | sort -u > res2.dict.exp
  5. Repeat From Beginning Of The Looping Process: You can also step out of the looping process here, use some of the tips and tricks from the "Password Fingerprinting Tips & Tricks" section below, and then go back to the actual looping process. I repeated these steps for two more iterations while I sat back and watched it continue to crack more and more complex passwords, completely automated. In less than two hours I had already found 420,000 passwords from the initial list of 650,000 hashes, including the complex examples below.

    300202.eb
    23081990*
    11pixie11!
    123abc123..
    !@1357642
    *baby1981
    1107*im
    il0ve<3
    1sexy-baby
    I didn't need a single wordlist to accomplish these results; however, I could have used a wordlist as described in the "Password Fingerprinting Tips & Tricks" section below.
Password Fingerprinting Attack Tips & Tricks:

  1. Fingerprinting Attack Is Made For GPUs: You can also use the CPU version of Hashcat to run a fingerprint attack, but it has specifically been designed to run on GPUs using oclHashcat. The fingerprint attack is similar to hybrid attacks or rule attacks, but it is definitely superior to them. Hybrid attacks must search a larger keyspace to find the same results, so a hybrid attack takes much longer than a fingerprint attack. Rule-based attacks cannot be applied efficiently enough on GPUs because that engine was written for CPUs. Rule-based attacks can also be annoying because of the lengthy process of writing the actual rules used in the attack.
  2. Fingerprint Attacks Can Be Automated: You do not need to do anything by hand, and your wordlists are never exhausted because they grow while the attack is running. You will have zero holes in your attack even if you do not know how to use GPU power efficiently. You can stop the loop at any time if no new passwords are found and then add some words from your own wordlists. You can simply build a script that executes the steps from the Looping Process above.
  3. Use Your Own Wordlists: If you have wordlists containing names, wiki dumps, good small dictionaries like the one from milworm, or anything else, you can change up your patterns a lot by using such data. At some point you can step out of the loop to use your own wordlist on the right or left side of a combination attack. Use the pattern file on the opposite side of the combination attack and then step back into the loop, which greatly improves the attack's effectiveness.
  4. Careful To Not Use Huge Wordlists With The Expander: Be careful not to use wordlists or dictionaries that are too large, such as wikipedia-wordlist-sraveau-20090325.txt, with the expander. These types of wordlists are great by themselves, but you will fail if you attempt to use them with the expander. Such huge wordlists are only useful in combination with a pattern file.
  5. Sharpen Your Patterns: Your pattern file will contain lots of patterns that consist only of lowercase characters. These are typically words that are already in our dictionary wordlists, so we do not want them in the pattern file. You can filter such words using another simple program called req.bin, which is also part of hashcat-utils. req.bin only outputs the dictionary entries you provide that match a given number. The number parameter defines a character class that must be present in each word; in our case we only want words that contain at least one uppercase letter, at least one digit or at least one special character. This requires three separate steps, shown in the examples below.
    1 = lower, 2 = upper, 4 = digit, 8 = symbol
    $ ./req.bin 2 < res2.dict.exp >> pattern.dict.exp
    $ ./req.bin 4 < res2.dict.exp >> pattern.dict.exp
    $ ./req.bin 8 < res2.dict.exp >> pattern.dict.exp

  6. Build Your Own Pattern Dictionary: You can reuse your pattern file multiple times, or add patterns from small but efficient dictionaries such as milworm, frt or opencrack_plains. It is possible that at the beginning of the fingerprint attack our initial wordlist does not contain all possible characters, which means we would never find passwords containing the missing characters. Please note that while this article is about automated cracking of many hashes, it is entirely possible to use the pattern files generated in this process to crack single high-quality hashes in the future. It makes sense to save the dictionary files you have generated and use them in attacks against single hashes.
  7. Limit Length Of The Patterns: Since patterns only make sense in combination mode they should have a maximum length. oclHashcat supports password lengths up to 15 characters, so a good length for the patterns is seven characters. In a combination attack two such pattern files reach password lengths of 14. The maximum length can be increased by modifying the LEN_MAX variable in expander.c, but be careful, because this creates huge result files!

Thanks to atom from question-defense.com for this guide, you are the man!!!
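To make the three building blocks of the loop above concrete (the expander from the "How The Expander Works" section, the combination attack from "The Looping Process Itself", and req.bin from tip 5), here is an added, self-contained Python model of the whole fingerprint loop. It is example code written for this page, not the hashcat-utils or oclHashcat source: expand() generates every cyclic substring up to LEN_MAX (the same wrap-around the 'an12!Qi' output shows, but emitted exhaustively rather than in expander.bin's exact order), req() assumes the numeric argument is a bitmask of classes that must all be present (for the single-bit values used above this is the same as "contains at least one"), and the combination attack is a plain left x right product hashed with MD5 on the CPU. The five target passwords and the four seed words standing in for res.dict are constructed for the example; the fifth target contains a '!' that no seed provides, to show the limit described in tip 6.

```python
"""Password fingerprint loop: expand -> combine -> crack -> re-expand."""
import hashlib
import itertools

LEN_MAX = 7  # same pattern length cap as LEN_MAX in expander.c

# Character classes as used by req.bin on the page.
LOWER, UPPER, DIGIT, SYMBOL = 1, 2, 4, 8


def expand(word, len_max=LEN_MAX):
    """All cyclic substrings of `word` of length 1..len_max, wrapping around
    the end of the word (e.g. 'ian12!Q' from 'an12!Qi')."""
    n = len(word)
    out = set()
    for length in range(1, min(len_max, n) + 1):
        for start in range(n):
            out.add("".join(word[(start + i) % n] for i in range(length)))
    return out


def char_classes(word):
    """Bitmask of the character classes present in `word`."""
    mask = 0
    for c in word:
        if c.islower():
            mask |= LOWER
        elif c.isupper():
            mask |= UPPER
        elif c.isdigit():
            mask |= DIGIT
        else:
            mask |= SYMBOL
    return mask


def req(words, required):
    """Keep only words containing every class in `required` (assumed req.bin
    semantics; identical to 'at least one of' for a single-bit mask)."""
    return [w for w in words if char_classes(w) & required == required]


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def combination_attack(hashes, left, right):
    """left x right combination attack; returns {hash: plaintext} for hits."""
    found = {}
    for a, b in itertools.product(left, right):
        candidate = a + b
        h = md5_hex(candidate)
        if h in hashes:
            found[h] = candidate
    return found


def fingerprint_attack(hashes, seeds, max_rounds=5):
    """Loop: expand the last round's plaintexts into patterns, run a
    pattern x pattern combination attack, feed the new hits back in.
    Stops when a round cracks nothing (the point at which you would step
    out and add your own wordlist, per the tips above)."""
    remaining = set(hashes)          # --remove: drop cracked hashes
    cracked, history, words = {}, [], list(seeds)
    for _ in range(max_rounds):
        patterns = sorted(set().union(*(expand(w) for w in words)))
        found = combination_attack(remaining, patterns, patterns)
        history.append(len(found))
        if not found:
            break
        cracked.update(found)
        remaining -= found.keys()
        words = list(found.values())  # res2.dict for the next iteration
    return cracked, remaining, history


# Constructed input: hashes of five made-up passwords and four seed words
# standing in for the brute-force output res.dict. 'love123!' can never be
# found because no seed contributes a '!' (tip 6).
SAMPLE_PASSWORDS = ["love123", "pinky2*", "2*love", "123pinky2*", "love123!"]
SAMPLE_HASHES = {md5_hex(p) for p in SAMPLE_PASSWORDS}
SEED_WORDS = ["love", "123", "pinky", "2*"]

if __name__ == "__main__":
    cracked, remaining, history = fingerprint_attack(SAMPLE_HASHES, SEED_WORDS)
    print("cracked per round:", history)
    for h, p in cracked.items():
        print(h, p)
    print("still uncracked:", len(remaining))
    print("uppercase-bearing patterns:", req(sorted(expand("an12!Qi")), UPPER)[:5])
```

The second round cracks '123pinky2*' only because '123' and 'pinky2*' both become patterns after the first round's hits are expanded, which is the feedback effect the article relies on; the '!' password stays uncracked no matter how many rounds run, so the seed set's character coverage bounds what the loop can ever reach.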

Creating Wireless Recon Maps with Google Earth, Kismet, GPSD and Backtrack

Part of any wireless assessment is getting a visual view of your client's setup. I am always looking for new ways to do this, but the best way I have found is a tool called GISKismet, written by a guy I know named Jabra. I was getting ready for work this week and decided to write a quick article on how to do this. All the tools are open source and available on the BackTrack 4 CD, except Google Earth, which you must install.

The first thing to do is start our gps device:

root@bt:~# gpsd -N -n -D 3 /dev/ttyUSB0


NOTE: The -N option makes gpsd run in the foreground and -D sets the debug level. This allows us to make sure the GPS actually gets a fix from the satellites.
gpsd2
Once we get our gps going we will want to get Kismet started:

1. Select it from the menu
gpsd2
2. Start the server

kismet2
3. Start the client
kismet3
4. Select yes to define a source wifi device for the packet capture
kismet4
5. Enter the name of your interface, in my case it is wlan0

NOTE: Kismet puts your interface into monitor mode for you, so there is no need to do it manually.
kismet5
6. Close the server window and then you will be presented with the client interface of Kismet
kismet7

You will need to make sure the GPS data is working; you can check this in the Kismet client interface right under the list of access points. I normally capture for a good amount of time to get the most accurate GPS data possible.
Kismet saves 5 different types of files by default; the one we are interested in is the .netxml file:
netxml
Once we have made sure our file was properly created we can select GISKismet from the BackTrack menu:
giskismet
GISKismet creates a database file using SQLite so that data from multiple captures can be added. The following command inserts the data from the .netxml file into the database:
root@bt:~# giskismet -x Kismet-20110221-08-56-26-1.netxml
giskismet1

Once we do that we can query our database at any time and output the results to a KML file, which is what Google Earth accepts:

root@bt:~# giskismet -q "select * from wireless" -o giskismet_demo.kml
Now let's open Google Earth from the BackTrack menu (a how-to can be found here):

googleearth
Next go to File > Open and select the .kml file we just created:

googleearth11
Once Google Earth parses your data you will be taken to an aerial view of the area of your capture, which maps out the access points around it and color codes them based on encryption:

googleearth2
You can also click on each AP in the map and get more info about the access point, like ESSID, BSSID and a few other things. Well, that's it; I hope this helps someone make their wireless reporting a little easier.

Thanks to my guru pureh@te from question-defense.com for this guide.
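The two giskismet commands above do one job: read the access points and their GPS fixes out of Kismet's .netxml file and emit KML placemarks colored by encryption. As an added example for this page (not GISKismet's own code), the script below performs that same transformation directly with the Python standard library, which is handy when you want to see what ends up in the KML or to post-process a capture without the SQLite step. The embedded .netxml is a constructed sample that follows the layout of Kismet's newcore netxml output (wireless-network, SSID/encryption/essid, BSSID, channel, gps-info); the BSSIDs, ESSIDs and coordinates are invented, and the third network deliberately has no gps-info block to show how APs without a fix are handled. The OPEN/WEP/WPA color scheme is this example's choice, not necessarily GISKismet's.

```python
"""Kismet .netxml -> KML with one placemark per AP, styled by encryption."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample approximating Kismet newcore .netxml (three networks,
# the last one cloaked and without a GPS fix).
SAMPLE_NETXML = """<?xml version="1.0"?>
<detection-run kismet-version="2011.03.R2" start-time="Mon Feb 21 08:56:26 2011">
  <wireless-network number="1" type="infrastructure">
    <SSID><type>Beacon</type><encryption>WPA+PSK</encryption>
      <encryption>WPA+AES-CCM</encryption><essid cloaked="false">CorpNet</essid></SSID>
    <BSSID>00:11:22:33:44:55</BSSID><channel>6</channel>
    <gps-info><peak-lat>40.7484</peak-lat><peak-lon>-73.9857</peak-lon>
      <avg-lat>40.7484</avg-lat><avg-lon>-73.9857</avg-lon></gps-info>
  </wireless-network>
  <wireless-network number="2" type="infrastructure">
    <SSID><type>Beacon</type><encryption>WEP</encryption>
      <essid cloaked="false">Printer</essid></SSID>
    <BSSID>00:11:22:33:44:66</BSSID><channel>11</channel>
    <gps-info><peak-lat>40.7489</peak-lat><peak-lon>-73.9860</peak-lon>
      <avg-lat>40.7489</avg-lat><avg-lon>-73.9860</avg-lon></gps-info>
  </wireless-network>
  <wireless-network number="3" type="infrastructure">
    <SSID><type>Beacon</type><encryption>None</encryption>
      <essid cloaked="true"></essid></SSID>
    <BSSID>00:11:22:33:44:77</BSSID><channel>1</channel>
  </wireless-network>
</detection-run>
"""

# KML colors are aabbggrr: red for open, yellow for WEP, green for WPA.
KML_COLOR = {"OPEN": "ff0000ff", "WEP": "ff00ffff", "WPA": "ff00ff00"}


def classify(encryptions):
    """Collapse Kismet's per-SSID encryption strings into OPEN / WEP / WPA."""
    joined = " ".join(encryptions).upper()
    if "WPA" in joined:
        return "WPA"
    if "WEP" in joined:
        return "WEP"
    return "OPEN"


def parse_netxml(text):
    """One dict per wireless-network: essid, bssid, channel, security, lat, lon."""
    nets = []
    for wn in ET.fromstring(text).iter("wireless-network"):
        ssid = wn.find("SSID")
        encs = [e.text or "" for e in ssid.iter("encryption")] if ssid is not None else []
        essid_el = ssid.find("essid") if ssid is not None else None
        essid = (essid_el.text or "") if essid_el is not None else ""
        if essid_el is not None and essid_el.get("cloaked") == "true" and not essid:
            essid = "<cloaked>"
        gps = wn.find("gps-info")
        lat = float(gps.findtext("avg-lat")) if gps is not None else None
        lon = float(gps.findtext("avg-lon")) if gps is not None else None
        nets.append({"essid": essid, "bssid": wn.findtext("BSSID"),
                     "channel": wn.findtext("channel"),
                     "security": classify(encs), "lat": lat, "lon": lon})
    return nets


def to_kml(nets):
    """Build a KML document; APs without a GPS fix are skipped, not plotted at 0,0."""
    lines = ['<?xml version="1.0" encoding="UTF-8"?>',
             '<kml xmlns="http://www.opengis.net/kml/2.2"><Document>']
    for sec, color in KML_COLOR.items():
        lines.append(f'<Style id="{sec}"><IconStyle><color>{color}</color></IconStyle></Style>')
    for n in nets:
        if n["lat"] is None or n["lon"] is None:
            continue
        desc = escape(f'BSSID {n["bssid"]} channel {n["channel"]} {n["security"]}')
        lines.append(f'<Placemark><name>{escape(n["essid"])}</name>'
                     f'<description>{desc}</description>'
                     f'<styleUrl>#{n["security"]}</styleUrl>'
                     f'<Point><coordinates>{n["lon"]},{n["lat"]},0</coordinates></Point>'
                     f'</Placemark>')
    lines.append("</Document></kml>")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python netxml2kml.py > demo.kml   (then File > Open in Google Earth)
    print(to_kml(parse_netxml(SAMPLE_NETXML)))
```

Because Kismet records several position fields per network, the example plots the averaged fix (avg-lat/avg-lon); swap in peak-lat/peak-lon if you prefer the strongest-signal location, which is usually closer to the AP.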