admin

Apr 232015
 


Bypass 802.1x Port Security w/ Openwrt
Background
During an internal and wireless penetration I was unprepared for the port security in the environment. I had to travel internationally and the Statement of Work and Rules of Engagement did not detail the extent of the internal testing and what was to be tested. Penetration Testers know what it is like to conduct a “Penetration Test” when sales staff and client management setup the engagement. Needless to say I was upset at the delay only due to the time it would take to configure a device to bypass the port security when I only had a week onsite to conduct the testing. Luckily I had brought along my PCEngines Alix 62f (used previously in my Custom Power Pwn). I had brought it for the wireless testing as it was configured for wireless client attacks. Using the work done by Alva Lease ‘Skip’ Duckwall IV and presented at DEFCON 19 in 2011. I reconfigured the Alix to show the client how easy it is to bypass port security. Well I never want to encounter a similar situation again but I also don’t want to carry yet another device with me when traveling. Having the device be as small as possible while service multiple purposes would be ideal. That is why I’m using the GL-iNet with the Openwrt operating system for this project.

Version 2 of this tutorial builds off of version 1 but additional work is done to help you build an image that will allow you to bypass 802.1x port security without any post install customization (as shown in this previous post). Also some network recon tools are included as well.
Continue reading »

 Posted by at 10:27 am
Feb 112015
 

In 2013 I presented at the Rhode Island Bsides about the work I did with the TP-Link wr703n creating a “Super” Minipwner (real ingenious name). Below is the abstract for my talk.

The TP-Link WR703N is a low cost wireless access point that has replaced the venerable Linksys WRT54G as the most popular device to crack open and tinker with. Many project tutorials have sprung up on how to hack this device from a hardware and software perspective. One such project is the “minipwner” coined by Kevin Bong with his site www.minipwner.com. This talk builds off of that concept by trying to upgrade and implement as many features as possible while still keeping the original case. Why the original case? Because I said so. We double the RAM and flash storage, add a usb hub, usb sdcard reader storage, usb to Ethernet port, serial port over usb, and finally we have integration with the Teensy so you can run keyboard commands remotely over WiFi. I call this device the very original name of super-minipwner.

Super Minipwner

The TP-Link wr703n is a fun device to tinker with but I want to step it up a notch and use a device that already had two network ports. I always pined after the wr720n (the Chinese model) and even got my hands on one to play with. However, the RAM and Flash were the same as the wr703n and I didn’t want to ruin the device upgrading it. 4mb of flash storage and 32mb of RAM just isn’t going to cut it. Also the devices are harder to find and more expensive…and nobody is selling services on Ebay to upgrade the wr720n like the wr703n. Though if you asked him I bet he would. The router is also larger in size due to AC outlet plug.

Then the Openwrt forums started discussing the GL-iNet. I was hooked the moment I saw it. They took the wr703n and added everything a hacker could want. Two network ports, easy access to GPIO and Serial pins, 64mb of RAM, 16mb of flash, internal power header, and a connector for an external antenna. This all in the same dimensions of the wr703n. The new penetration testing device created using the GL-iNet will be documented in several parts.

Part 1 – Building Openwrt for the GL-iNet

Part 2 – Using Openwrt to Bypass 802.1x Port Security

Part 3 – Remote HID Attacks with a Teensy 2.0 – The Build
Part 3.1 – Remote HID Attacks with a Teensy 3.1 – The Build

Part 4 – Remote HID Attacks with a Teensy – Testing Your Build / Getting Started

Part 5 – Remote HID Attacks with a Teensy – Peensy Code

Jul 072014
 

The TP-Link WR703N Expander is an open source hardware extension to the TP-Link WR703N. It was created by Kean Electronics (http://www.kean.com.au/) and can be purchased from Seeed Studio (http://www.seeedstudio.com/).  I won’t go into the details of what the Expander includes and what you can do with it.  This article details how I created my own enclosure for the Expander since I don’t have a 3D printer and I didn’t want to purchase the enclosure from one of the 3D printer fabrication sites.

Continue reading »

Feb 052014
 

Install the latest John the Ripper 1.7.9 with the Jumbo 7 patch. Before downloading John you will need to install the CUDA development files. See this blog article for instructions on how to install the latest Nvida drivers for Ubuntu 13.10 and latest CUDA development files.
Continue reading »

Jan 212014
 

You can probably get by with leaving off that last part of the title and still succeed with this attack.  Today we will be making a Password Pwn Stew.  Add a little Ettercap (link), with a dash of Metasploit (link), a smidgen of password cracking with Rcrack (link) and Rainbowtables (link), and if required a pinch of Hashcat (link) to taste.  You will have yourself some tasty pwnage.

Note, your mileage may vary with this stew.  I’m not Martha Stewart.  Also the stew analogy ends here :-)
Continue reading »

Jan 022014
 

When you obtain a NetLM password hash with the known challenge of 1122334455667788 you are able to utilize the HALFLMCHALL rainbowtable to identify the first seven (7) characters of the password. The second half is left to identify. Tutorials exist (including my site, as well as here and here) on how to capture the NetLM hash using Metasploit. Metasploit comes with a Ruby script in the tools folder that will bruteforce the remaining characters of the password when you provide the complete NetLM hash and the first seven (7) characters of the recovered password. However, for passwords that are 11+ characters it is time prohibitive to bruteforce the remaining characters as show below.
Continue reading »

Jan 012014
 

Download the Rcracki_mt Linux binary from http://sourceforge.net/projects/rcracki/files/rcracki_mt/rcracki_mt_0.7.0/

$ sudo apt-get install p7zip links
$ cd ~/tools
~/tools$ links http://sourceforge.net/projects/rcracki/files/rcracki_mt/rcracki_mt_0.7.0/rcracki_mt_0.7.0_linux_x86_64.7z/download
~/tools$ p7zip -d rcracki_mt_0.7.0_linux_x86_64.7z
~/tools$ cd rcracki_mt_0.7.0_linux_x86_64/

Download the HALFLMCHALL Rainbowtables from https://www.freerainbowtables.com/tables/

$ mkdir -p RainbowTables/halflmchall
$ cd RainbowTables/halflmchall
~/RainbowTables/halflmchall$ wget http://freerainbowtables.mirror.garr.it/mirrors/freerainbowtables/halflmchall/halflmchall_alpha-numeric%231-7_0/halflmchall_alpha-numeric%231-7_0_2400x57648865_1122334455667788_distrrtgen%5bp%5d%5bi%5d_0.rti
~/RainbowTables/halflmchall$ wget http://freerainbowtables.mirror.garr.it/mirrors/freerainbowtables/halflmchall/halflmchall_alpha-numeric%231-7_0/halflmchall_alpha-numeric%231-7_0_2400x57648865_1122334455667788_distrrtgen%5bp%5d%5bi%5d_0.rti.index
~/RainbowTables/halflmchall$ wget http://freerainbowtables.mirror.garr.it/mirrors/freerainbowtables/halflmchall/halflmchall_alpha-numeric%231-7_1/halflmchall_alpha-numeric%231-7_1_2400x56281894_1122334455667788_distrrtgen%5bp%5d%5bi%5d_0.rti
~/RainbowTables/halflmchall$ wget http://freerainbowtables.mirror.garr.it/mirrors/freerainbowtables/halflmchall/halflmchall_alpha-numeric%231-7_1/halflmchall_alpha-numeric%231-7_1_2400x56281894_1122334455667788_distrrtgen%5bp%5d%5bi%5d_0.rti.index
~/RainbowTables/halflmchall$ wget http://freerainbowtables.mirror.garr.it/mirrors/freerainbowtables/halflmchall/halflmchall_alpha-numeric%231-7_2/halflmchall_alpha-numeric%231-7_2_2400x58928524_1122334455667788_distrrtgen%5bp%5d%5bi%5d_0.rti
~/RainbowTables/halflmchall$ wget http://freerainbowtables.mirror.garr.it/mirrors/freerainbowtables/halflmchall/halflmchall_alpha-numeric%231-7_2/halflmchall_alpha-numeric%231-7_2_2400x58928524_1122334455667788_distrrtgen%5bp%5d%5bi%5d_0.rti.index
~/RainbowTables/halflmchall$ wget http://freerainbowtables.mirror.garr.it/mirrors/freerainbowtables/halflmchall/halflmchall_alpha-numeric%231-7_3/halflmchall_alpha-numeric%231-7_3_2400x58924114_1122334455667788_distrrtgen%5bp%5d%5bi%5d_0.rti
~/RainbowTables/halflmchall$ wget http://freerainbowtables.mirror.garr.it/mirrors/freerainbowtables/halflmchall/halflmchall_alpha-numeric%231-7_3/halflmchall_alpha-numeric%231-7_3_2400x58924114_1122334455667788_distrrtgen%5bp%5d%5bi%5d_0.rti.index