admin
CMIYC 2020

If you don't know what this is....move along.

To get started I ran the rockyou.txt list with my AllRules.rule just to crack a few and see what we are dealing with. This was the first:

$5$4rm$XO0sNLIHhyJYLzKvGIXBTiK5F9LQI0G9iaWiFSlUv96:Dallas214

Then there was an Oakland one and a Phoenix one that were similar; a quick Google search identified that the 3 digits on the end are area codes! Looks like we have a list of cities and area codes!

Hash.Type........: sha256crypt $5$, SHA256 (Unix), a.k.a. "-m 7400"

Grabbed some lists of cities and area codes from here:

https://simplemaps.com/data/us-cities - just downloaded
http://jordonmeyer.com/text-list-of-us-cities/ - used cewl and copy/paste (cewl would lose city names with spaces in them)
https://www.50states.com/areacodes/ - didn't really use yet
https://www.lincmad.com/cities.html - used cewl and copy/paste
https://www.nationalnanpa.com/reports/reports_cocodes_assign.html - used cewl and copy/paste
https://www.bennetyee.org/ucsd-pages/area.html - cewl and copy/paste
https://github.com/ravisorg/Area-Code-Geolocation-Database - just downloaded the csv file then formatted it for use

Helpful notes: had to uppercase the first letter of words; could use the hashcat "E" rule, which does that, but wanted to pre-process the […]
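As an added example (not the contest's material or the post author's code), here is the pre-processing step the notes above describe: turn a city/area-code table into a City+AreaCode wordlist, title-casing names the way hashcat's "E" rule would and generating the joined forms of multi-word cities that cewl loses. The CSV rows are constructed for illustration; the real data comes from the lists linked above. The only pattern assumed is the one observed in the post (Dallas214), and the multi-word spelling variants are my assumption, not something the post established.

```python
"""Build City+AreaCode candidates for the CMIYC sha256crypt ($5$, hashcat -m 7400) hashes.

Added example, not the contest's or the post author's code. The city/area-code
rows below are constructed for illustration (the real data comes from the lists
linked in the post, e.g. the ravisorg CSV); the only pattern assumed is the one
the post observed: a title-cased city name immediately followed by its 3-digit
area code, like Dallas214.
"""
import csv
import io
import re

# Constructed sample rows; a city can appear once per area code.
SAMPLE_CSV = """city,area_code
Dallas,214
Dallas,972
Oakland,510
Phoenix,602
san antonio,210
St. Louis,314
Nowhere,notacode
"""


def title_case(name: str) -> str:
    """Same effect as hashcat's 'E' rule: lowercase the line, then uppercase the
    first letter of every space-separated word ('san antonio' -> 'San Antonio')."""
    return " ".join(w[:1].upper() + w[1:].lower() for w in name.split())


def city_variants(city: str):
    """Spellings people type for a multi-word city (assumed variants). cewl drops
    names with spaces, so the joined forms are generated here instead of scraped."""
    cleaned = re.sub(r"[^A-Za-z0-9 ]", "", city)   # 'St. Louis' -> 'St Louis'
    titled = title_case(cleaned)
    yield titled.replace(" ", "")                   # 'StLouis'
    if " " in titled:
        yield titled                                # 'St Louis' (space kept)
        yield titled.replace(" ", "").capitalize()  # 'Stlouis'


def build_candidates(csv_text: str) -> list:
    """One line per City+AreaCode, deduplicated and sorted for hashcat."""
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        code = row["area_code"].strip()
        if not re.fullmatch(r"\d{3}", code):        # skip junk rows; NANP area codes are 3 digits
            continue
        for name in city_variants(row["city"].strip()):
            seen.add(f"{name}{code}")
    return sorted(seen)


def write_wordlist(path: str, csv_text: str) -> int:
    """Write the candidate list to disk; returns the number of lines written."""
    words = build_candidates(csv_text)
    with open(path, "w") as fh:
        fh.write("\n".join(words) + "\n")
    return len(words)


if __name__ == "__main__":
    n = write_wordlist("cities_areacodes.txt", SAMPLE_CSV)
    print(f"{n} candidates written; crack with:")
    print("hashcat -m 7400 -a 0 hashes.txt cities_areacodes.txt")
```

Swap SAMPLE_CSV for the real table (any CSV with city and area_code columns) and the same script feeds hashcat straight attack mode; if you would rather let hashcat do the casing, drop title_case and add -r with a one-line rule file containing E.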

admin
Ping a mac address

Those familiar with the *nix world know of the application arping....however....you may not be familiar with the fact that there are 2 different versions of this program. One version will essentially return the MAC address of the IP address you give it. To me there are so many other ways to get this information that it makes that a less-than-ideal tool.....you can look at your ARP table, do an nmap scan, take a packet capture; lots of tools do this. The other version, and the one I prefer, will actually ping the MAC address. I use it when I am on the same broadcast domain and just want to ping a MAC address to make sure it is also on the same broadcast domain, or when there is an issue with DHCP or config. For some reason I run into this need a lot....anyway, I use the arping by Thomas Habets: https://github.com/ThomasHabets/arping

admin
A good firm Handshake

So...I have been radio silent....mostly because of work. But I have been in search of a lot of WPA handshakes. You can get the picture of the process from previous posts. I will provide more details, and probably a good write-up at some point. Hopefully it won't be stolen and used as someone else's work like one of my previous research projects......Cut-throat industry I guess...LOL. Anyway, as of right now I have 407 handshakes processed with my first pass on them, and about 135 of those are cracked. I have been using basically only specific wordlists that you can just get online; again, you will see a lot of those in previous posts....recap in the write-up I am sure. Observations.....well, people are bad with WPA passwords; part of the reason why is they actually share them with other people, at least more often than they would their email […]

admin
Truck Raspberry Pi Kali - for using besside-ng

Story: I wanted a mobile besside-ng instance running in my truck. Why? Because I can! First I image Kali for Raspberry Pi to an SD card. I am not going full headless on this install, so be aware of that, although I might be able to now that I think of it.....Hold my zipfizz! (I don't drink beer or soda)

dd if=kali-linux-2019.3-rpi.img of=/dev/sdc status=progress bs=1M

(Double-check with lsblk or dmesg that /dev/sdc really is the SD card before running dd; it will happily overwrite whatever disk you point it at.)

I am going to run two wifi devices on this Kali, which gets interesting with power...so I hope you already have that figured out. In my example I am running an older Raspberry Pi with two lower-power USB wifi devices, but I am using a special USB cable that supplements the power to the devices; make sure you don't just plug both ends into the Raspberry Pi......

Now mount the SD card:

mount /dev/sdc2 /mnt/

Now we want to copy a […]

admin
Build a Pwnagotchi...or two

Still looking at wifi cracking, updating myself on stuff and finding that much of what I taught back in 2015 is still relevant, especially when we tie in the password audit fundamentals.... Anyway, in the process of things me and some friends found pwnagotchi. These are fun, almost toys, that help people understand a little bit about the wifi networks all around us, and capturing handshakes. I have found that the 2.4 GHz wifi on the Pi Zero is perfect, and with the screen and a 3D-printed case you are in pwnagotchi heaven. Here is my config:

main:
  name: 'pwnagotchi'
  whitelist:
    - 'mynet1'
    - 'mynet2'
  plugins:
    grid:
      enabled: false
      report: false
      exclude:
        - 'mynet1'
        - 'mynet2'
    auto-update:
      enabled: true
    AircrackOnly:
      enabled: true
    memtemp:
      enabled: true
ui:
  display:
    enabled: true
    type: 'waveshare_2'

I like to use the AircrackOnly plugin so I get more of the handshakes I have a solid method to crack, […]

admin
UPDATE - Netgear default WPA password..and others

So, I did my work on building those Netgear wordlists and cracking rules...and then I fine-tuned my google-fu and found "another way", actually a better way really..... Here are a few good links, but the essence is that all these wifi router vendors have a specific process to generate default WPA passwords for their devices, and some smart people have figured them out. Netgear seems to follow a process: if your default SSID is NETGEARXX, where XX is a number, then the common password layout is adjective + noun + 1- to 3-digit number. Here are the links to check out:

https://hashcat.net/forum/printthread.php?tid=6170
https://github.com/wpatoolkit/Adj-Noun-Wordlist-Generator
https://github.com/3mrgnc3/RouterKeySpaceWordlists
https://xiaopan.co/forums/threads/netgearxx-wordlist.6571/

admin
SIOCSIFFLAGS: Operation not possible due to RF-kill

Easy enough fix. Keep in mind I usually am running Kali Linux, but this applies to many other distros and will get you probably 90% of the way there on the rest.

# rfkill list all
0: hci0: Bluetooth
	Soft blocked: yes
	Hard blocked: no
1: phy0: Wireless LAN
	Soft blocked: yes
	Hard blocked: no
2: phy1: Wireless LAN
	Soft blocked: yes
	Hard blocked: no

Now do this to actually turn the block off:

rfkill unblock wifi
rfkill unblock all

Now you can list it again to make sure; you may need to reboot as well:

# rfkill list all
0: hci0: Bluetooth
	Soft blocked: no
	Hard blocked: no
1: phy0: Wireless LAN
	Soft blocked: no
	Hard blocked: no
2: phy1: Wireless LAN
	Soft blocked: no
	Hard blocked: no

One caveat: rfkill unblock only clears soft blocks. If the listing shows "Hard blocked: yes", the radio is disabled by a physical switch, a function key, or firmware/BIOS, and you have to flip that rather than anything in software.

admin
Observation - netgear default wifi

I was having a discussion with a friend of mine about the Netgear default password for wifi, you know, the one they put on a sticker on the bottom....or top....of a Netgear router. More than just Netgear are doing this, but that was the one we were particularly discussing. Anyway, we discovered, or I guess it could be just a theory right now because we don't have enough information yet, that the password consists of two words and a 3-digit number. More specifically it appears to be made of two 6- or 7-character words, with the number. So...I thought to myself....what would it look like to build a wordlist using all the 6-character English dictionary words, combine them, then use a hashcat rule to append every combination of 3-digit number on the end? So that is what I made. I looked around on […]
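The two Netgear posts above describe the same attack shape from two angles: this one wants two 6- or 7-letter words with a hashcat rule that appends every 3-digit combination, and the UPDATE post refines the words to adjective + noun followed by a 1- to 3-digit number. As an added example (not the post author's code, and not any of the linked generators), here is one script that serves both: it filters word lists to the observed length range, writes the word+word base list, and writes the hashcat rule file that appends the digits, so the base list stays small and hashcat does the digit expansion on the GPU. The adjective and noun lists are constructed placeholders; the length bounds and digit range are parameters you set from your own observations.

```python
"""Netgear-style default WPA candidates: word + word + digits.

Added example, not the post author's code or any of the linked generators.
Word lists here are short constructed placeholders; in practice feed it a
dictionary (or an adjective list and a noun list). Assumed layouts, from the
two Netgear posts: two 6- or 7-letter words followed by 3 digits, or
adjective + noun followed by a 1- to 3-digit number. The digits are left to
hashcat via a generated rule file so the base list stays small.
"""
import itertools
import re

WORD_RE = re.compile(r"^[a-z]+$")


def eligible_words(words, min_len=6, max_len=7):
    """Lowercase alphabetic words in the observed length range, deduplicated, order kept."""
    kept = []
    for w in words:
        w = w.strip().lower()
        if WORD_RE.match(w) and min_len <= len(w) <= max_len and w not in kept:
            kept.append(w)
    return kept


def word_pairs(first, second):
    """Base wordlist: every first+second concatenation (adjective+noun, or word+word)."""
    return [a + b for a, b in itertools.product(first, second) if a != b]


def digit_append_rules(min_digits=1, max_digits=3):
    """hashcat rules that append a digit string: '$1$2$3' appends '123'.
    1..3 digits gives 10 + 100 + 1000 = 1110 rules."""
    rules = []
    for n in range(min_digits, max_digits + 1):
        for digits in itertools.product("0123456789", repeat=n):
            rules.append("".join("$" + d for d in digits))
    return rules


def write_attack_files(base_path, rule_path, first, second, min_digits=1, max_digits=3):
    """Write the base wordlist and the rule file; returns (base lines, rule lines)."""
    base = word_pairs(eligible_words(first), eligible_words(second))
    rules = digit_append_rules(min_digits, max_digits)
    with open(base_path, "w") as fh:
        fh.write("\n".join(base) + "\n")
    with open(rule_path, "w") as fh:
        fh.write("\n".join(rules) + "\n")
    return len(base), len(rules)


if __name__ == "__main__":
    adjectives = ["little", "silent", "bright", "purple", "cat"]   # constructed sample
    nouns = ["river", "window", "garden", "castle", "sky"]        # constructed sample
    n_base, n_rules = write_attack_files("netgear_base.txt", "append_digits.rule",
                                         adjectives, nouns)
    print(f"{n_base} base words x {n_rules} rules = {n_base * n_rules} candidates")
    # Against an hccapx from the capture post:
    print("hashcat -m 2500 -a 0 capture.hccapx netgear_base.txt -r append_digits.rule")
```

For the pure "every two 6-letter words" theory, pass the same dictionary as both first and second and widen or narrow min_len/max_len; the rule file is the same either way. Keep an eye on the keyspace: a 3,000-word list squared is 9 million base words, times 1,110 rules, which is what makes letting hashcat do the digit expansion (rather than writing them into the file) worth it.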

admin
aircrack - get dem handshakes

So, I updated a 2-year-old Kali laptop to do some handshake capturing, so here are a few notes:

service NetworkManager stop
ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 up
airodump-ng wlan0 --output-format pcap -w ch7-wlan0 -c 7

Here we are using wlan0 (it must be in monitor mode), we are setting the output format to pcap, naming the file ch7-wlan0, and capturing on channel 7. Now we run until we see we have captured some handshakes, then break out. Let's say we want to crack them in hashcat: we need to convert them to hccapx files, so we use the hashcat-utils tools, something like this:

root@kali:~# ./hashcat-utils-1.8/bin/cap2hccapx.bin ch7-wlan0-01.cap ch7-wlan0-01.hccapx

Now we can use the ch7-wlan0-01.hccapx file in hashcat to do some cracking, like this:

root@kali:~# hashcat -a 0 -m 2500 ch7-wlan0-01.hccapx /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

One caveat for newer hashcat releases: -m 2500 and the hccapx format are deprecated there in favour of -m 22000, which takes the hash lines hcxpcapngtool (from hcxtools) produces from the same pcap. The capture steps above do not change.
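As an added example (not the post author's code and not hashcat's), here is the computation hashcat performs for every candidate when it cracks that hccapx, in plain Python: PBKDF2-HMAC-SHA1 over the SSID to get the PMK (the 4096 iterations are why WPA is slow to crack), PRF-512 to expand it to the PTK, and an HMAC-SHA1-128 check of the EAPOL MIC from message 2 of the 4-way handshake. The handshake (MACs, nonces, EAPOL frame) is constructed inside the script so it runs offline and is not a real capture; the only external value is the PMK test vector from IEEE 802.11i-2004 Annex H.4.1.

```python
"""What 'hashcat -m 2500' actually does with a captured WPA2 4-way handshake.

Added example (not the post author's code or hashcat's): derive the PMK with
PBKDF2-HMAC-SHA1, expand it to the PTK, and check the EAPOL MIC against a
candidate passphrase. The handshake below (MACs, nonces, EAPOL frame) is
constructed here so the script runs offline; only the PMK test vector comes
from IEEE 802.11i-2004 Annex H.4.1.
"""
import hashlib
import hmac

MIC_OFFSET = 81  # EAPOL header (4) + key descriptor fields preceding the 16-byte Key MIC


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce) -> bytes:
    """IEEE 802.11 PRF-512 with the 'Pairwise key expansion' label; KCK is bytes 0..15."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):  # 4 x 20 bytes of SHA1 output, truncated to 64
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 (key descriptor version 2): HMAC-SHA1-128 over the frame with the MIC zeroed."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack(handshake: dict, candidates):
    """Return the first passphrase whose derived MIC matches the captured one, else None."""
    for pw in candidates:
        pmk = pmk_from_passphrase(pw, handshake["ssid"])
        ptk = ptk_from_pmk(pmk, handshake["ap_mac"], handshake["sta_mac"],
                           handshake["anonce"], handshake["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], handshake["eapol"]), handshake["mic"]):
            return pw
    return None


def constructed_handshake(passphrase="dragonfly7", ssid="ch7-testnet") -> dict:
    """Build a self-consistent fake message-2 capture for the demo (constructed data)."""
    ap_mac = bytes.fromhex("001122334455")
    sta_mac = bytes.fromhex("66778899aabb")
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    frame = bytearray(MIC_OFFSET + 16 + 2)     # descriptor ending in Key MIC + Key Data Length
    frame[0:4] = b"\x02\x03\x00\x5f"            # EAPOL v2, type Key, body length 95
    frame[4] = 2                                # RSN key descriptor type
    frame[5:7] = b"\x01\x0a"                    # key info: MIC set, pairwise, version 2 (HMAC-SHA1-128)
    frame[17:49] = snonce
    hs = dict(ssid=ssid, ap_mac=ap_mac, sta_mac=sta_mac, anonce=anonce, snonce=snonce)
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid),
                       ap_mac, sta_mac, anonce, snonce)[:16]
    mic = eapol_mic(kck, bytes(frame))
    frame[MIC_OFFSET:MIC_OFFSET + 16] = mic
    hs["eapol"], hs["mic"] = bytes(frame), mic
    return hs


if __name__ == "__main__":
    hs = constructed_handshake()
    print("recovered:", crack(hs, ["password", "letmein", "dragonfly7"]))
```

The hccapx (and the newer -m 22000 line) is just these fields serialised: SSID, both MACs, both nonces, and the message-2 EAPOL frame with its MIC. Everything else is the candidate loop, which is why a single GPU doing tens of thousands of PBKDF2 computations per second is still "slow" compared with unsalted fast hashes.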

admin
Password cracking challenges - thinking another way

I was playing with the Saintcon 2019 password cracking challenges and I was overthinking this particular challenge.....Luckily someone else shared their ideas, which really helped me: https://www.openwall.com/lists/john-users/2019/10/29/1

Basically the one I am referring to is a password challenge that was paying respects to Ken Thompson and his recently cracked vintage password that was based on a chess move. Given the following hash, just by looking at it and comparing it to other hashes you can see it is bcrypt:

$2b$10$YGtiAZYewmJE0Yh7O9E4AO49nQA2s4lhwDvWE./IOTyTQ.sgkGbuC

with the examples of the password being:

2. Nf3 Nc6
39. Qxh5 Bf6

I originally was building some Python code using a common chess Python library to generate all the possible moves...however there are lots of flaws in this thinking because there are a LOT of possible moves, and the code was giving me a headache as it continued to grow...and grow... Luckily the pattern was pointed out...from here:

https://en.wikipedia.org/wiki/Deep_Blue_versus_Kasparov,_1997,_Game_6

One or two numbers followed […]
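As an added example (not the post author's code), here is the "thinking another way" approach in code: instead of enumerating legal chess moves, take the movetext of the game the challenge points at and emit one candidate per move pair in exactly the shape of the two sample passwords ("2. Nf3 Nc6"). The movetext in the script is a constructed snippet, not the actual Deep Blue game; drop the real PGN in its place. It handles the usual PGN noise (comments, "2..." black-only move numbers, annotation glyphs, the result marker) so the output lines are clean, and the resulting file goes straight into hashcat's bcrypt mode (-m 3200).

```python
"""Chess-move candidates for the Saintcon 2019 'Ken Thompson' bcrypt ($2b$) challenge.

Added example, not the post author's code. It turns PGN-style movetext into
candidates shaped like the post's examples ('2. Nf3 Nc6', '39. Qxh5 Bf6'):
move number, period, space, White's move, space, Black's move. SAMPLE_PGN is a
constructed snippet, not the actual Deep Blue game; feed the real PGN in.
"""
import re

# Constructed sample movetext with the usual PGN noise (comment, black-only
# move number after it, annotation glyphs, result marker).
SAMPLE_PGN = "1. e4 c5 2. Nf3 {sharp} 2... Nc6 3. d4!? cxd4 4. Nxd4 Nf6 5. Nc3 1-0"

NOISE_RE = re.compile(r"\{[^}]*\}|\([^)]*\)|\$\d+|1-0|0-1|1/2-1/2|\*")
TOKEN_RE = re.compile(r"\d+\.{1,3}|\S+")   # '12.' / '12...' / a SAN move, even when glued: '12.Qxh5'
NUMBER_RE = re.compile(r"(\d+)(\.{1,3})")


def moves_by_number(movetext: str) -> dict:
    """{move number: [white, black]} from movetext; '2...' marks a black-only number."""
    moves, number, side = {}, None, 0
    for tok in TOKEN_RE.findall(NOISE_RE.sub(" ", movetext)):
        m = NUMBER_RE.fullmatch(tok)
        if m:
            number = int(m.group(1))
            side = 1 if len(m.group(2)) == 3 else 0   # '...' means Black moves next
            continue
        if number is None:                            # stray token before any move number
            continue
        moves.setdefault(number, [None, None])[side] = tok.rstrip("!?")
        side = 1                                      # after White's move comes Black's
    return moves


def candidates_from_pgn(movetext: str) -> list:
    """'N. white black' per move pair (white-only if the game ends on White's move)."""
    out = []
    for n, (white, black) in sorted(moves_by_number(movetext).items()):
        if white is None:
            continue
        out.append(f"{n}. {white} {black}" if black else f"{n}. {white}")
    return out


if __name__ == "__main__":
    with open("chess_candidates.txt", "w") as fh:
        fh.write("\n".join(candidates_from_pgn(SAMPLE_PGN)) + "\n")
    print("hashcat -m 3200 -a 0 hash.txt chess_candidates.txt")   # 3200 = bcrypt
```

A full game produces well under a hundred candidates, which is the whole point against bcrypt at cost 10: the hash is deliberately slow, so the win comes from a tiny, well-chosen wordlist rather than from throughput. If the pattern turns out to allow other spacings or notations, generate those as extra lines from the same parsed moves rather than going back to enumerating the move tree.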