Odo Beauty Care Limited
Welcome to our first Odo Head Spa Salon located at
9F Pennington Com Bldg., 17 Pennington
Street, Causeway Bay
(Near to Regal Hotel, Hong Kong and above 7-11)
香港铜锣湾边寧顿亍 17号
边寧顿商业大厅厦电梯 9字
鄰近香港富豪酒店,7-11 樓上
TEL: 9010-1586 English and Japanese only (英/日语)
Email: info@odo.com.hk
BY APPOINTMENT ONLY
完全予約制
敬请电約
We are living in the era of fourth industrial revolution(4IR), where Artificial intelligence has a significant role to play. This 4IR technology embedded within societies and even into the human body. From Computer enthusiasts to common people, everyone should be aware and learn this breakthrough technology.
We think about gigantic Robots from Transformers when we hear about Artificial Intelligence(AI) which is a fiction in the past but a fact today, capable of transforming the whole tech world. The field of AI consists of more than Robots such as personal assistants, self-driving cars, apprenticeship learning, behavior cloning and so on. To learn about this advanced technology, thanks to the online learning resources which offers great content to get started with artificial intelligence.
Here are the 5 free e-learning courses on Artificial Intelligence
1. UC Berkeley CS188 Intro to AI
Get started with UC Berkeley AI course, this course is absolutely for beginners who are unaware of Artificial intelligence. It doesn't need any prior computer knowledge to know about AI. UC Berkeley allows anyone to learn this course for free. This course is systematically presented and consists of the following:
Course Schedule
Complete sets of Lecture Slides and Videos
Interface for Electronic Homework Assignments
Section Handouts
Specs for the Pacman Projects
Source files and PDFs of past Berkeley CS188 exams
Form to apply for edX hosted autograders for homework and projects (and more)
Contact information
Aside from this, you can also browse the following courses as well from UC Berkeley that are part of AI course:
Machine Learning: CS189, Stat154
Intro to Data Science: CS194-16
Probability: EE126, Stat134
Optimization: EE127
Cognitive Modeling: CogSci131
Machine Learning Theory: CS281A, CS281B
Vision: CS280
Robotics: CS287
Natural Language Processing: CS288
2. Artificial Intelligence: Principles and Techniques
This course is offered by Stanford with great content that includes topics, videos, assignments, projects, and exams. The whole course mainly focuses on the complex real-world problems and try to find similarity between web search, speech recognition, face recognition, machine translation, autonomous driving, and automatic scheduling. Here you will learn the foundational principles of AI and implement some the AI systems. The goal of this course is to help you tackle the real-world situations with the help of AI tools. So, it is the best for the beginner to get started with AI.
3. Learn with GOOGLE AI
Who will dislike the course from Google? absolutely no one. This company is one of the early adopters of AI has a lot to offer to learners. Learn with Google AI is an education platform for people at all experience levels, it is free to access and browse content. The education resources provided by Google is from the machine learning experts of the company. These resources are the collections of lessons, tutorials, and Hands-on exercises that help you start learning, building, and problem-solving.
4. MIT 6.S094: Deep Learning for Self-Driving Cars
This course gives the practical overview of Deep Learning and AI. It is the course for beginners, also for the people who are getting started with Machine Learning. The course also offers a lot of benefits to the experienced and advanced researchers in the field deep learning. This MIT's course takes people into the journey of Deep Learning with the applied theme of building Self-Driving cars. However, the course also offers slides and videos to engage the learners.
5. Fundamentals of Deep Learning for Computer Vision
This course is offered by Nvidia and Nvidia Deep learning Institute. Computer Vision is one of the disciplines of AI that acquire, analyze, process, and understand images. The course is completely free and everyone who is enthusiast about AI can access and learn the course. It is a hands-on course that able to provide basics of deep learning and deployment of neural networks. With this. you will also learn the following:
Identify the ingredients required to start a Deep Learning project.
Train a deep neural network to correctly classify images it has never seen before.
Deploy deep neural networks into applications.
Identify techniques for improving the performance of deep learning applications.
Assess the types of problems that are candidates for deep learning.
Are you tired of reading endless news stories about ethical hacking and not really knowing what that means? Let's change that!
This Post is for the people that:
Have No Experience With Cybersecurity (Ethical Hacking)
Have Limited Experience.
Those That Just Can't Get A Break
OK, let's dive into the post and suggest some ways that you can get ahead in Cybersecurity.
I receive many messages on how to become a hacker. "I'm a beginner in hacking, how should I start?" or "I want to be able to hack my friend's Facebook account" are some of the more frequent queries. Hacking is a skill. And you must remember that if you want to learn hacking solely for the fun of hacking into your friend's Facebook account or email, things will not work out for you. You should decide to learn hacking because of your fascination for technology and your desire to be an expert in computer systems. Its time to change the color of your hat 😀
I've had my good share of Hats. Black, white or sometimes a blackish shade of grey. The darker it gets, the more fun you have.
If you have no experience don't worry. We ALL had to start somewhere, and we ALL needed help to get where we are today. No one is an island and no one is born with all the necessary skills. Period.OK, so you have zero experience and limited skills…my advice in this instance is that you teach yourself some absolute fundamentals.
Let's get this party started.
What is hacking?
Hacking is identifying weakness and vulnerabilities of some system and gaining access with it.
Hacker gets unauthorized access by targeting system while ethical hacker have an official permission in a lawful and legitimate manner to assess the security posture of a target system(s)
There's some types of hackers, a bit of "terminology". White hat — ethical hacker. Black hat — classical hacker, get unauthorized access. Grey hat — person who gets unauthorized access but reveals the weaknesses to the company. Script kiddie — person with no technical skills just used pre-made tools. Hacktivist — person who hacks for some idea and leaves some messages. For example strike against copyright.
YardStick One Unleashed, Automating RF Attacks In Python - An RFCat Primer
I decided to dive into our current device a bit more before moving on to a new device, and really ramp up the skillsets with RFCat and the Yardstick.So for this blog you will need our previous Target and a Yardstick One. We will be hacking everyting using only the Yardstick and Python.
So last time we scanned for signals with GQRX and a Software Defined Radio device. We took the demodulated wave forms in Audacity and discerned what the binary representation of our wave forms were by decoding them manually. We then transferred those into a hex format that our yardstick understood.However there is a way to do everything with our Yardstick. It will require a bit more understanding of the RFCat library, and a bit of python.
This blog will be your RFCAT primer and coding tutorial, but don't be scared with the word "Programming" I will be using simple code, nothing complicated.So if your a programmer, tune out any coding explanation and understand RFCat, if your not a coder, then use this as a jumping point to start making some quick python scripts for hacking.
Video Series PlayList Associated with this blog:
The first thing we did in our last blog after looking up the frequency was to open up GQRX and check if we can see our devices signals. As it turns out you can actually do this in python with RFCat. Which is really convenient if you left your Software Defined Radio dongle at home but happen to have access to a Yardstick.
RFCat as a Spectrum Analyzer:
In order to use RFCat as a spectrum analyzer we need to make sure we have RFcat installed and a few prerequisites such as python and PySide modules.I actually did this inside of an Ubuntu VMware because Pyside was giving me issues on OSX and I didn't feel like trying to fix it. So If you spin up an ubuntu vm you can do the following to get things up and running..
Install Spectrum Analyzer PreReqs:
sudo pip install PySide
sudo apt-get install ipython
Plug in your adapter and type in the following:
rfcat -r
d.specan(315000000)
You will then see the below output of RFCat Specan running in the 315 MHz range.
Click our doorbell, or trip the motion sensor and you will see a frequency spike as shown in the second picture.
This is similar to what you saw in GQRX but all with your Yardstick and the Python RFCat library.
So everything seems to be working and we can see our devices transmitting on the 315MHz frequency.Unfortunately we have no record button on Spescan. This leaves us to dive a little deeper into RFCat. We will see what RFCat can do for us in the recording and sniffing capacity.
Sniffing RF Data With The YardStick and Python:
In RFCat there is a simple listening command in our interactive session which will give us an idea of what is being transmitted and in what type of data format we are recieving. When using GQRX we received a WAV file, but what does RFCat give us?One thing I have realized over the years is programming is all about dealing with data in various formats and figuring out how to parse and use it in various implementations. So the first thing we have to figure out is what kind of data we are dealing with.
Lets hop back into RFCat and set a few parameters so the yardstick knows to listen on 315MHz and to use ASK modulation.The settings below should all be familiar from our last blog with an exception of "lowball" which configures the radio to use the lowest level of filtering. We basically want to see everything but may experience some noise by not filtering it out.. For example before you hit your doorbell button you may see random FF FF FF FF data outputted to the screen.
Below is the cmdline input needed and some example output. After all of our settings are in place we can use RF.listen() to start listening for everything in the 315000000 frequency range and have it output to the screen.
After you set it up, you can press the button on your doorbell and you will receive the following output. We have lots of zeros and what might be some hex output.
Destroy ficti0n$rfcat -r
>>> d.setFreq(315000000)
>>> d.setMdmModulation(MOD_ASK_OOK)
>>> d.setMdmDRate(4800)
>>> d.setMaxPower()
>>> d.lowball()
>>> d.RFlisten()
Entering RFlisten mode...packets arriving will be displayed on the screen
If you hit "ENTER" in your terminal you will stop receiving packets and drop back into a python interactive terminal. If we take a look at the repeating pattern in the above output, it looks like some random patterns and then a repeating pattern of, 84e708421084e738.If we convert that to binary we can compare with what we decoded WAV from our previous blog.
Since we are already in a python terminal you can type the following to see the binary representation:
Lets break that up into 8 bit bytes and compare it to our previous blogs binary, hmm its lot different then what we originally decoded the signal to be:
If we take the above capture data and format it correctly for RFcat with the replay code from the last blog. When we send it over, it does indeed ring the doorbell, thats interesting. A completely different value in both hex and in binary and still we get a doorbell to ring. So the variance we talked about last time extends a bit more. Below is the code with the new hex from the capture data:
I will also take a minute to note something before we continue. I had a little trouble at first when using a telescopic antenna in RFcat and the YardStick.So I will list those issues below as notes for you to play with if you run into random looking captures when pressing your doorbell button.
When using a telescopic antenna closed I had almost repeating output with some random bits flipped
When extending the antenna it went crazy output with random noise
I then used a small rubber ducky antenna and got the repeating output shown above.
What we have done so far:
So above, we managed to figure out the following all in RFCat
Verify the frequency with RFCat
How can I listen for it and capture a transmission with RFCat
How can I send this transmission with RFCat
We have basically eliminated the immediate need for the graphical tools that we were using in the last blog. Not to say that they are not useful. They absolutely are, and we should use them often and know how to work with all kinds of formats and understand everything.. However, if we are living in a reality that all we have is a Yardstick and no other tools. We are not helpless and we can still kick some serious RF butt.
Now we are going to take this a bit further so we can learn some more about RFCat, Python and mistakesI made when trying to automate this stuff. I found some interesting quirks I had to work through and I would like to save others some time who are also in the learning process as I am.
Using RFrecv() for Listening:
Ok first thing I learned is that RFListen() is not all that useful when it comes to automating this stuff. I tried to set its output to a variable but that did not seem to work.. So instead we will be working with another feature that lets us listen and that is RFrecv().If we fire up our RFCat in the terminal again we can give that a try:
Destroy:~ ficti0n$ rfcat -r
>>> d.setFreq(315000000)
>>> d.setMdmModulation(MOD_ASK_OOK)
>>> d.setMdmDRate(4800)
>>> d.setMaxPower()
>>> d.lowball()
>>> d.RFrecv()
Traceback (most recent call last):
File "", line 1, in
File "/Library/Python/2.7/site-packages/rflib/chipcon_nic.py", line 1376, in RFrecv
data = self.recv(APP_NIC, NIC_RECV, timeout)
File "/Library/Python/2.7/site-packages/rflib/chipcon_usb.py", line 664, in recv
raise(ChipconUsbTimeoutException())
ChipconUsbTimeoutException: Timeout waiting for USB response.
OK thats not cool we are getting a weird error if we don't get a signal right away regarding ChipconUsbTimeoutException.
No problem since we are in a python terminal we can just capture this exception and pass it, then continue with sniffing.This is done with a Try/Except block.
try:
... d.RFrecv()
... except ChipconUsbTimeoutException:
... pass
...
That looks a little better, I am no longer receiving errors, but lets put this in a loop so we are continuously listening with RFrecv() and press our doorbell so we can capture our doorbell signal.Below is the output of a random signal that came in followed by our doorbell.. but its all kinds of crazy looking and a bit hard to read:
try:
... d.RFrecv()
... except ChipconUsbTimeoutException:
... pass
...
while True:
... try:
... d.RFrecv()
... except ChipconUsbTimeoutException:
... pass
Lets try to fix the output a little and make it more readable by encoding it before we view it. Open up your text editor and use the following code.What we are doing here is simply setting up our listener as we did before and then setting it to a variable we can use.
Line 12: Setting our RFrecv() output to the variable y and z. The y variable is the output that we want
Line 13: We will wrap the y variable with an encode function to encode it with a HEX encoding.
Line 14: After that we just print it out.
When we run this script from the command line we will get a much nicer output shown below, much like we did with the RFlisten function above. The big difference being that our data is now set to the variable "capture"on line 13 and we can do what we want with that data. For example we can directly replay that data rather then manually performing the actions.
Parsing and replaying data:
This actually took me a bit of time to figure out, so we need to do a few things to get this to work:
We need to parse out the data from the surrounding 0s
We need to convert it to a format we can send (tricker then it sounds)
We need to add padding and send that data over (We know how to do this already)
Parsing Data:
So with this I first tried all kinds of regular expressions, but for some reason the inverse of more then 3 zeros in a row does not seem to work. I am no regex master but that seemed like it should be working. I then tried a few creative solutions reducing repeating zeros down to pairs that I could split on with string functions. This actually worked well but then my buddy showed me this which was more efficient:
re.split ('0000*', capture)
All this is doing is using the regex library to parse on a set of 4 or more zerosand return whats left in a list of useable hex data for sending.So lets add that into our code and give it a try to see what we get back. I made the following code changes:
Line 2: Import the Regex library
Line 11: We defined the capture variable so we can access it outside of the Try Block and the loop
Line 21: We created a payloads variable and created a list from the capture file of non 0000 blocks
Line 22: We print out our list of useable payloads which can been seen in the below output
Data Format Woes:
So we have data in a list we can pull from, thats awesome but I ran into a few issues. I first tried to parse this data into the \x format we normally used when sending our attack payloads manually, but that actually does not work. Reason being that if I use a code snippet like the following to convert this data into the right format everything looks ok and something like this \x84\xe7\x08\x42\x10\x84\xe7.But it won't actually work when I send it with RFCat. For some reason when you paste in your own hex its in a different format then if you programmatically create hex like below. You don't really need to understand the code below, just know it takes our payload and creates the hex in a visual format to what we used in the last blog:
DON'T USE THIS.. IT WONT WORK!!!
for payload in payloads:
formatted = ""
if (len(payload) > 6) and (len(payload) % 2 == 0):
print "Currently being formatted: " + payload
iterator = iter(payload)
for i in iterator:
formatted += ('\\x'+i + next(iterator))
else:
continue
Formatted Hex Vs Manually Pasted Hex
So lets compare the outputs of our manually created Hex String versus what we get when we format with the above code
Below is the output of the following:
Your encoded capture
Your parsed payloads in a nice list
Your payload being processed into hex.
But this is where things go wrong, you then have :
Your nicely formatted Hex created by your code above (Yay for us)
Then you have your manually pasted in hex from your original attack payloads as unprintable characters(What?)
You can clearly see there is a major difference between when we manually paste in our hex like we did in the last blog and when we create it from our capture file.This led to another sleepless night of researching whats going on. I did a bunch of troubleshooting until I found some code on the RFcat site and saw it using the BitString library and something called BitArray.The examples for this library were using binary data instead of hex and then converting it.
BitString BitArray Formating FTW:
If you remember above we created binary input with some python, so lets use that code in our current program template and then feed it into byteArray and see what happens. We can install bitstring with the following:
Install Bitstring:
sudo pip install bitstring
Our New code using BitString:
Line 2: I imported bitstring
Line 25: I added a for loop to go through our payload list one by one
Line 27: I convert our current payload to binary
Line 28: I take that binary and I feed it into bitstring to fix the formatting issues
Lines 29-30:Print out our binary and our new data that match our manually pasted data format, shown below
With these conversions the data above looks like its correct to attack our target devices. I know this seems like a lot of steps, but honestly this is only 50 lines of code in all to automate our replay attacks in a simple way.It is also very easy if you know what your doing and don't spend all of your time figuring it out like I did. You just need to understand how to work with the types of data each component understands.
With this latest code update we are ready to send our code with a simple modification to our RFxmit line from the last blog. We will now change RXxmit to take our formatted variable and then append our padding:
Below is our full code to automate this attack, with a few changeups, but not many.. Really all I did was add some conditional statements to limit our data to longer payloads that are divisible by 2 since our hex takes 2 string characters for example \x41 is the string character 4 and 1.I originally did this for the iterator code which required the proper amount of characters but decided to leave it since it makes sense anyway.I also set it so that if there is a capture it breaks out of the loop. This way we are not continuously attacking every transmission we see. Instead for our testing we can hit our doorbell, replay all the values before our script finishes and exits.
Note: I sent similar code to a friend and had him run it against a black box real world target. He had permission to attack this target via the owner of a facility and it worked flawlessly. So although a doorbell is a trivial target. This same research applies to garages, gates, and any other signal not using protection mechanism such as rolling code, multiple frequencies at once etc.
Also note that when you run this, almost all of the payloads in your list will ring the doorbell which is why I put a timing variable before the sending command. This way your doorbell isn't overburdened. I already broke a few of these devices during testing LOL.
I have since modified this code to be more effective, and have additional features and more niceties, I will release that code when its ready.. For now enjoy the below code and hit me up with any questions or comments.
I hope this blog is helpful in demystifying RFCat in order to successfully perform/automate attacks with only Python and your Yardstick One. This is essentially a few nights of my research posted here for everyone to learn from. Because it was a pain to find useful information, and I would like to save other people a lot of sleepless nights. I am by no means the master of RF or RFCat, there is tons more to learn. Up next I will get back on track with a real world attack against a device and creating our own keyfobs to replay our attacks in the future.
Mentor classes are special, 10 week-format SANS classroom sessions that give the students time to absorb and master the same material with the guidance of a trained security professional.
Students receive all the same course materials used at SANS conferences and study at a more leisurely pace, so students will have:
Hardcopy set of SANS course books
Mentor Program study materials
Weekly Mentor led sessions
Prior to the weekly Mentor-led classroom sessions, students study SANS course material at their own pace. Each week, students meet with other professionals in their hometown area and the SANS mentor, who leads topical discussions pointing out the most salient features of the weekly material studied, provides hands-on demonstrations, and answer questions. The Mentor's goal is to help student's grasp the more difficult material, master the exercises, demonstrate the tools and prepare for GIAC certification.
On SANS SEC575, we will learn about mobile device infrastructures, policies and management, we will see the security models of the different platforms, like the data storage and file system architecture. We will also see how to unlock, root and jailbreak mobile devices in order to prepare them for data extraction and further testing. In the second half of the course, we will learn how to perform static and dynamic mobile application analysis, the usage of automated application analysis tools and how to manipulate application behavior. Last but not least, we will see how to perform mobile penetration testing that includes fingerprinting mobile devices, wireless network probing and scanning, attacking wireless infrastructures, using network manipulation attacks and attacks against mobile applications and back-end applications.
Intro: I have been on a number of wireless engagements again lately and much like the wireless blog i wrote over a year ago i am trying various combinations of techniques and tools in conjunction to gain access to networks. I will show a range of tools and techniques mostly as a reminder to myself. The format will be scenario based on what i have been seeing while testing. Some of these tools include JTR/Hashcat with specialized rulesets, mdk3 for SSID/MAC bruteforcing, evil access points for bypassing guest networks, DNS redirection/tunneling as well as radius-wpe attacks etc... This will be a 2 part blog, first blog being more Pre-Auth attacks and the second blog being more client attacks.
Finding Hidden SSID's and Limited user network attacks: Recently i have been on a lot of tests where administrators think its a wonderful idea to hide their SSID's. Administrators feel that if they hide their SSID's they are magically secure. While Cloaked SSID's may pose a slight problem it's not a security feature. Especially when hiding WEP encrypted networks. One issue that keeps coming up is hidden networks with NO clients thus no probe request/response traffic available to passively capture an SSID. Without clients you can't de-authenticate and force reconnections requests with SSID's. To top that off administrators are also running another trivial security feature known as MAC filtering. While MAC filtering is also easy to bypass, again there are no clients on the network so we must come up with strategies to figure out both the SSID's and the possible client MAC addresses. Lets start by addressing the SSID issue. SSID's can generally be seen in the Beacon traffic. However, if MAC cloaking or hidden SSID's are enabled on your access point they are stripped from the beacon traffic. Striping the beacons of SSID's is usually not a problem if there are clients looking to join the network. As the SSID's must be sent in probe traffic to successfully inquire about joining the network, and SSID's are than easily obtained. Thus why tools like kismet can passively discover the correct SSID given a bit of time and a few clients probing for the hidden network. But, what happens if there is no client traffic? So the actual scenario i was presented with recently was a Cloaked SSID on a limited use network running WEP, which had a MAC filtered client device. This device would attach to the network once a day for a limited amount of time. So the first piece of the puzzle would be figuring out the SSID for later use then tackling the rest of the problem.
We start with a nice little tool called MDK3 which can be used to send out mass SSID requests in either dictionary style or bruteforce in order to determine an SSID. Lets start with the simple syntax then get into some more fine tuned strategies for determining SSID's based on the mind of the sysadmin.
There are 2 modes i have been using, one is dictionary mode and the other bruteforce mode, i would always start with dictionary because its faster. If a dictionary gives no resultes then move to bruteforce techniques. Also have your Airodump-ng/Kismet running during the attack and if the SSID is found it should apear in there as well as your MDK3 results window. You can get your target BSSID value from airodump along with useful information sometimes regarding length of a hidden SSID value which can be used in fine tuning bruteforcing. MDK3 will automatically pick the correct length and then begin bruteforcing based on that length value:
Below is an example of SSID Length Output: CH 6 ][ Elapsed: 8 s ][ 2012-03-01 21:08 BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
You will notice example output above says that one SSID is of length 12 and another is of length 1, these are the SSID perceived length values based on values in the packet capture. Not always accurate because these values are just Null place holder values and not always set accurately. Essentially one SSID packet above has a one null value while the other packet has 12 null values as placeholders. If a length of 1 is present you may have to start at 1 and go through the whole range of brute forcing. If the length is known then you can start and end at 12 in this case shortening the full bruteforce time considerably.
Attack Modes and Info: Dictionary Mode: ./mdk3 [Interface] p -c 1 -t [BSSID] -f [dictionary] -s 100
Bruteforce mode: ./mdk3 [Interface] p -c 1 -t [BSSID] -b u -s 100
Above Switch mappings are defined as the following: b = bruteforce also can add a character set b [charset] s = packet speed c = channel f = ssid dictionary file
I first tried a regular dictionary attack of common words: ficti0n:# mdk3 mon0 p -c 1 -t 00:01:55:B1:A3:A5 -f english.txt channel set to: 1 SSID Wordlist Mode activated! Waiting for beacon frame from target... Sniffer thread started Found SSID length 1, usually a placeholder, no information about real SSIDs length available. Trying SSID: Packets sent: 1 - Speed: 1 packets/sec Got response from 03:F0:9F:17:08:32, SSID: "Secure_Access" Last try was: (null) Trying SSID: beauty Packets sent: 167 - Speed: 166 packets/sec Got response from 03:F0:9F:17:08:33, SSID: "Guest_Access" Last try was: (null) Trying SSID: bianca Trying SSID: winnie Trying SSID: isabella Trying SSID: sierra Trying SSID: 00000000 Trying SSID: dancer1 Packets sent: 32507 - Speed: 376 packets/sec Got response from 00:3B:10:47:33:32, SSID: "wow"
I began with a dictionary against a network address i got from my initial airodump-ng. On my first MDK3 run i found one new access point named "wow" but i didnt find the target AP's SSID. If you look at the above MDK3 output there are 2 other networks with similar formats which may reflect our target networks format. Below you will see a similar format.
Guest_Access
Secure_Access
Creating a Custom dictionary based on observations: If the target company has a repeating SSID format we can create our own dictionary file. According to the above output the format is [Word]_Access, we can take advantage of this by creating a new list with python using the company format. Break open your python editor and create a quick script to parse the english dictionary in the proper format for our attack by uppercasing every dictionary word and appending the word "Access".
I then ran MDK3 again with my modified list. When this was done I then was able to get a response from MDK3 and determine the SSID of the target network, shown below.
Got response from 00:01:55:B1:A3:A5, SSID: "Secret_Access"
Luckily i didn't have to resort to a true bruteforce attack although the format is shown above for completeness.
MDK3 MAC address Bruteforce: The next issue is that of determining a valid MAC address on a network without any known clients, this can also be done with MDK3 and bruteforce mode. I would suggest looking at other client MAC addresses on the guest or corporate networks as a starting point. Then use those vendor startpoints as your bruteforce values. So if for example you know a bit about the company based on other network MAC values you can use this knowledge in your brute forcing with the -f switch. Below is a basic command ouput for bruteforcing MAC address filters.
ficti0n:# mdk3 mon0 f -t
Trying MAC 00:00:22:00:00:00 with 100.0000 ms timeout at 0 MACs per second and 0 retries
Trying MAC 00:00:22:00:00:00 with 100.0000 ms timeout at 0 MACs per second and 1 retries
Packets sent: 2 - Speed: 1 packets/sec
Found a valid MAC adress: 00:00:22:00:00:00
Have a nice day! :)
Mdk3 -fullhelp output: -------------------------------------------------------------- MAC filter bruteforce mode This test uses a list of known client MAC Adresses and tries to authenticate them to the given AP while dynamically changing its response timeout for best performance. It currently works only on APs who deny an open authentication request properly -t Target BSSID -m Set the MAC adress range to use (3 bytes, i.e. 00:12:34) Without -m, the internal database will be used -f Set the MAC adress to begin bruteforcing with (Note: You can't use -f and -m at the same time)
I wasn't aware of the above technique at the time of testing but i did give it a try on a local Access Point and found a useable mac address under contrived scenarios. So this was worth noting as I found almost zero mention of it when searching around. Also note that some access points do not properly handle the authentication scenarios in which case the above technique will not work correctly. Usually the user sends an auth request and then the AP sends an auth response denoting success or failure along with an error code, but MAC filering is not part of the normal standard so results will vary regarding error codes. This is AP functionality independent. When it does work it gives you a little smily face and says it found a useable MAC address [SHOWN ABOVE] . Unfortunately in my penetration test I was stuck waiting for a client to come online to get a useable MAC address. Below are a few ideas for the rest of the scenario.
Depending on the location and use of the limited connectivity device there are a few options available for retrieving the WEP key. Networks with hidden SSID's have clients who are always probing for hidden networks whether onsite or remote. You could attack a client directly via a Cafe Latte attack. A Caffe Latte attack woud attack a client with a fake access point and gratuitas ARP requests to discover the WEP key of "Secret_Access" by flooding the client with ARP requests it responds to, generating enough traffic to derive the WEP key. This technique is useful now that you know the SSID, especially if the device is being used at the local coffee shop. I will take a look at this attack in the next blog when focusing on client based attacks.
Caffe Latte was not a good option for me because the device appears online for a short period of time and might not be available either offsite at a coffee shop or even locally long enough to generate enough traffic to crack the network. In this test I however didn't have enough time to see client actually get online but had I see the client get online I would have noted his MAC address and then configured a chop chop or fragmentation attack against the network whether the client was available or not all i would really need is one data packet. I will not illustrate this whole technique as it is fully covered in the following link Cracking WEP with no Clients.
Cracking Radius /PEAP/TTLS Hashes: (Post EAP Attack) This is about attacking hashes from WPE Radius attacks, but just as a reference before we start here is a quick radius attack setup guide without going into to much detail.
Tail your log file so you can see incoming credentials 'tail -f /usr/local/var/log/radius/freeradius-server-wpe.log
Setup an access point with similar settings as to what you are seeing in airodump or wireshark essentially this will be a WPA Enterprise with AES and a default secret of 'test' which is set in the WPE installed package by default so it can talk between the AP and the radius server. You will also need to run an ifconfig on your radius server box so you know what address to point the AP too.
Optionally you can use hostAP instead of a physical enterprise AP setup.
Use one of your local computers to connect to the FreeRadius wireless network and type in a fake username/password to grab an example hash. If you dont see your hash output in the logfile then double check all your ip addresses and insure your server is running. In a real attack you would wait for clients to attach to your Access point and the credentials will be forwarded to your FreeRadius-WPE server. Once this is done the fun begins and also where we will start in our attack scenario.
Formatting hashes: Your hashes can come in a few formats, they might come back as PAP responses in which case they will be plain text passwords. Plaintext PAP can sometimes be a result of mobile devices sending paswords. Otherwise your attack will result in MSChap password challenge/response hashes. Once you receive your MSChap hashes they have to be formated in a specific way in order to crack them. Here is an example hash and the proper format to use before trying to crack the hashes.
Example Hash: mschap: Mon Feb 05 19:35:59 2012 username: test challenge: b3:f8:48:e9:db:02:22:83 response: 15:36:d7:e9:da:43:1f:5f:d2:4b:51:53:87:89:63:b7:12:26:7c:a8:f7:ea:9c:26 Formated for john:(username::::response:challenge) test::::1536d7e9da431f5fd24b5153878963b712267ca8f7ea9c26:b3f848e9db022283
Tool to automate this: (Tool Link) One of my friends wrote a python script that will take your freeradius-server-wpe.log as input and format out all of the hashes one per line.. The script output can be fed directly into John The Ripper(JTR).
JTR Cracking and Custom Rulesets: One way to crack these hashes is to use JTR with a bunch of dictionary attacks and if that fails procede from there with custom korelogic rulesets. Check out preceding link for more info on password cracking techniques which can be employed in addition to this blog. Below I will reiterate a few points on setting up JTR with custom rulesets from the Defcon challenge in 2010 based on the previous link and then how to parse them out and use them.
The first thing to note is that the format of the hashes you get from WPE will generally be considered NETNTLM within JTR so we will have to specify that as well as the wordlists we would like to use to start.
Dictionary attacking first: First go into your JTR directory and try to crack with some dictionaries of your choosing: ficti0n:# cd Desktop/Tools\ /john/run ficti0n:# ./john --wordlist=wordlists/wpa.txt --format=NETNTLM JohnFormat.txt
Loaded 1 password hash (NTLMv1 C/R MD4 DES [netntlm]) test (test) guesses: 1 time: 0:00:00:00 100.00% (ETA: Tue Mar 20 19:29:31 2012) c/s: 692441 trying: test
Custom Rules:korelogic rulesets (Link) If the cracking fails on all of your wordlists then try installing custom rulesets with the following sequence of commands meant do download and then append the rules to the current john file. The following command can also be found at the above Korelogic link. ficti0n:# wget http://contest-2010.korelogic.com/rules.txt ficti0n:# cat rules.txt >> john.conf
Once this is done you can directly specify any rule in the file similar to the following: ficti0n:# ./john --wordlist=wordlists/english.txt --format=NETNTLM --rules:KoreLogicRulesAppendNum_AddSpecialEverywhere johnFormat.txt
Or if you are time independent just let them all rip and go on vacation and check the results when you get back LOL ficti0n:# for ruleset in `grep KoreLogicRules john.conf | cut -d: -f 2 | cut -d\] -f 1`; do ./john --wordlist=wordlists/english.txt --format=NETNTLM --rules:${ruleset} JohnFormat.txt; done
Hashcat rulesets and building pasword files: Another way to build complex password files is to use tools like HashCat with supplied password rules and pipe it out to STDOut, either into a file or the STDIn of other cracking programs like John the Ripper. There is a rules folder in HashCat which has a number of rules provided by default.
Available Hashcat Rules: ficti0n:# ls best64.rule generated.rule passwordspro.rule T0XlC.rule toggles3.rule combinator.rule leetspeak.rule perfect.rule toggles1.rule toggles4.rule d3ad0ne.rule oscommerce.rule specific.rule toggles2.rule toggles5.rule
Creating Passwords with Hashcat and a dictionary: ficti0n:# ./hashcat-cli32.bin -r rules/passwordspro.rule ../wordlists/cain.txt --stdout
You can also pipe passwords directly into JTR from hashcat output but its really slow so I suggest you make a world list then load it up with --wordlist, but the example is shown below.
I hope someone finds my above notes useful, I am going to write up some client side attack stuff as well and post it up here... Let me know if you have any questions or need more clarification on anything covered in the blogs.
Odo Beauty Care Limited
Welcome to our first Odo Head Spa Salon located at
9F Pennington Com Bldg., 17 Pennington
Street, Causeway Bay
(Near to Regal Hotel, Hong Kong and above 7-11)
香港铜锣湾边寧顿亍 17号边
寧顿商业大厅厦电梯 9字
鄰近香港富豪酒店,7-11 樓上
TEL: 9010-1586 English and Japanese only (英/日语)
Email: info@odo.com.hk
BY APPOINTMENT ONLY
完全予約制
敬请电約
