Information Systems Auditing

TP-Link WR703N Custom Pwn Plug

admin — Mon, 19 Nov 2012 19:44:50 +0000

I was wandering the aisles of Fry’s Electronics and spotted a display of Westinghouse Outlet Valet’s for under $10. The second I saw this I knew I my TP-Link wr703n was destined to be stuffed into it. I also picked up an Inland USB Hub because I know it has the smallest foot print of any hub I’ve seen. I’ve actually been able to place it under the wr703n board in the original housing. I also picked up a Kingston 16GB micro SD card which comes with a small footprint USB reader. Couple that with a Samsung OEM wall charger I had and we got the makings of a computer hiding in plain sight.

I created a Coppermine Photo Gallery album with some pictures I took of the device as it was being made.

Westinghouse Outlet Valet

Inland USB Hub

TP-Link WR703N

Inside of Outlet Valet

When you open up the Westinghouse Outlet Valet you see that there is plenty of room to fit the WR703N once we replace the 120v AC to 5v DC converter with the much smaller Samsung OEM wall charger. Here are some additional images of the internals of the outlet valet plus size comparisons between the power converters.

Image 1

Image 2

Image 3

To open up the Samsung OEM converter I carefully removed the font panel (usb port side) using a guitar pick (from a cell phone repair kit) and a small flat head screw driver. The front is held in place by clips (no glue). To get the circuit out I tapped on the prongs. The prongs aren’t even soldered to the circuit but rest on the board as it is packed into the small enclosure.

Remove Connectors

The USB ports and RJ45 port are removed from the WR703N circuit board using a solder sucker and desoldering braid/wick. As highlighted with the image on the right I even drilled out two points keeping the RJ45 in place.

WARNING: Be super careful removing the micro-usb that powers the board as to not remove the pads that you want to solder. These two key pads are GND and PWR which are the two outside pins. I removed it as I had trouble soldering the wires with the port in the way. So you may consider this step optional.

Board Underside

Solder Points

After the connectors are removed I attach the USB hub by soldering the wires to the underside of the board. See which color wire goes to which point in the image to the right in the above paragraph. I solder a ribbon cable to the pins that communicate with the RJ45 jack. Only thing you have to remember with the RJ45 is the ribbon lines up with the pins but that is pretty simple. (NOTE: I had to desolder two pins on the connector because it was upside down )

The image to the left shows the solder points for serial port communication. The socket I chose to use for serial communication is a 3.5mm jack. This is great for adding the serial connector to the original WR703N case. I got the idea from this site. I picked up the parts from the local Radioshack. One item I did to mount the 3.3mm jack to the original WR703N case (and subsequently the Outlet Valet) was drill the hole with a 3/8 inch spade bit. I used the bit to obviously drill the hole for the 3.5mm jack to fit but at the same time I shaved away some of the plastic around the hole to create a recessed area where the nut on the socket can hold it in place without using glue. This is so I can remove the whole mess of solder, glue, and wires from the case when I need to make modifications. I placed the port at the topof the Outlet Valet.Here is an image of the socket and jack and which wire gets soldered where.

Modifying USB Hub

The main modification needed to be completed for the USB hub is the removal of the case and the rubber around with wires and USB ports. The image details what changes are made. The original solder points on the hub circuit board are not modified though you may want to touch them up or add more glue. Looking at the shoddy work I’m surprised the hub functions properly. Three of the USB ends are stripped of all rubber and the wires cut. One port has most of the casing left on the wires to keep it neat. Click on the image to the left see where each port is soldered. The circuit board is hot glued to the bottom of the wr703n board.

Here is what it looks like completed.

Final Product

Mobile Devices and Airbase-ng Attacks

admin — Thu, 11 Oct 2012 00:32:19 +0000

I don’t feel that this issue gets enough coverage so I am adding my voice to the mix in the hopes that someday the makers of our popular mobile operating systems will FIX THE ISSUE! What I’m going to discuss is a wireless association vulnerability that was first discovered by Max Moser (site here and his full disclosure) way back in 2004 for Windows XP. Using airbase-ng (part of the Aircrack-ng suite of tools) this same attack works against the latest versions of iOS5 and iOS6 (iPhone and iPad), Blackberry OS, and Android. Apple’s iOS, from AT&T Wireless, even comes with a helpful default profile so you can attack a device right out of the box (see Tweet by HD Moore). The only mobile OS that does not have this issue is Windows 8 on the new Nokia phones. I don’t know a soul that has one of these phones so I hung out in an AT&T Wireless store to conduct my testing. Those Microsoft devices will not associate with any Airbase-ng APs that mimic APs from the device’s probe packets. Some individuals have tried to tell the world about this issue. A great Youtube video was created by Jeffery Wilkins demonstrating this issue. Vincent Costagliola at patctech.com wrote this article mentioning the same issue.

My testing has shown that an iPhone will connect to airbase-ng even if it is already connected to a WPA encrypted access point. Just as described by Max Moser in 2004.

My Custom Power Pwn

admin — Sat, 04 Aug 2012 16:52:08 +0000

See the Security Bsides Atlanta talk (when it gets posted) at http://www.securitybsides.com/w/page/58266249/BSidesATL-2012. Powerpoint slides can be found here.

The people over at PwnieExpress are coming out with a neat device called the Power Pwn. This device follows up on the Pwn Plug and the PwnPhone (Nokia N900). With my experience as a penetration tester and junior hardware hacker I’ve been working on my own “pwn” hardware. I have a Nokia N810 as well as an Alix 6f2 (PCEngines.ch). I purchased an APC BE650R Battery Backup Power Strip off of Ebay and gutted the inside to fit the Alix board. I integrated the Alix connectors for the serial, ethernet, and external antenna connectors with the existing APC coax, rj45, and rj50 ports. The setup has an internal Xpal portable netbook charger that can run the Alix board for over 4 hours. However, the main power to the board is integrated with the APC power strip. Plugging in the APC will run power to the Xpal battery which in turn powers the Alix. Four of the eight plugs on the APC are also functional. I created a simple DB9 to RJ45 adapter for the serial connection so I can properly configure the device before use. Since the Xpal battery powers it for 4 hours I have plenty of time to get it configured and to its final pwnage destination. I didn’t take any photos of the gutting of the APC but it involved a lot of dremel, plastic nipper, and xacto knife work. I do have photos of everything fitting together. The only missing item is the internal RP-SMA to female F pigtails. But as you can see in the photos you can fit some rubber duck antennas inside the APC with no problems. Also, the best part about the Alix 6f2 is that you can add a mini-pci express GSM card for out of band cellular access to the device. You don’t see the card installed on the Alix in the pictures. I currently have the card in a Mini PCI-E WWAN to USB Adapter for testing.

The software I run on the PCEngines Alix is Debian-for-Alix where I contributed to the wiki with instructions on how to install all the tools.

Below are some images with arrows pointing to key features of my device.

Updated Images / Additional Work

Maemo – Diablo – PHP5 – mime-support error

admin — Thu, 12 Jul 2012 13:49:26 +0000

I receive this error when trying to install PHP on my Nokia n810 device. php5-cli: Depends: mime-support but it is not installable. This is with a fresh flash and I only add the Diable Extras-Devel from repository.maemo.org so I have access to the PHP packages. I have no idea what is going on but I’m creating this post in case anybody else comes across a damn mime-support issue.

My hildon-application-manager.list is as follows:

deb http://catalogue.tableteer.nokia.com/certified/ diablo user
deb http://catalogue.tableteer.nokia.com/non-certified/ diablo user
deb http://catalogue.tableteer.nokia.com/updates/diablo-2/ ./
deb http://repository.maemo.org/extras/ diablo free non-free
deb http://repository.maemo.org/extras-devel/ diablo free non-free

Here is the full error when I try to install PHP from the command-line.

Nokia-N810-43-7:~# apt-get install php5-cli
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.

Since you only requested a single operation it is extremely likely that
the package is simply not installable and a bug report against
that package should be filed.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
  php5-cli: Depends: mime-support but it is not installable
E: Broken packages

Then I try this…

Nokia-N810-43-7:~# apt-get install mime-support
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package mime-support is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
E: Package mime-support has no installation candidate

To solve this issue I manually downloaded the mime-support deb package from repository.maemo.org/pool/.

Nokia-N810-43-7:~# wget http://repository.maemo.org/pool/diablo/free/m/mime-supp ort/mime-support_3.28-1_all.deb
--09:40:41--  http://repository.maemo.org/pool/diablo/free/m/mime-support/mime-s upport_3.28-1_all.deb
           => `mime-support_3.28-1_all.deb'
Resolving repository.maemo.org... 23.66.230.19, 23.66.230.24
Connecting to repository.maemo.org|23.66.230.19|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 28,804 (28K) [application/x-debian-package]

100%[====================================>] 28,804        95.23K/s

09:40:41 (95.00 KB/s) - `mime-support_3.28-1_all.deb' saved [28804/28804]

Nokia-N810-43-7:~# dpkg -i mime-support_3.28-1_all.deb
Selecting previously deselected package mime-support.
(Reading database ... 16605 files and directories currently installed.)
Unpacking mime-support (from mime-support_3.28-1_all.deb) ...
Setting up mime-support (3.28-1) ...
Nokia-N810-43-7:~# apt-get install php5-cli
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libmagic1 libpcre3 php5-common
Suggested packages:
  file php-pear
The following NEW packages will be installed:
  libmagic1 libpcre3 php5-cli php5-common
0 upgraded, 4 newly installed, 0 to remove and 5 not upgraded.
Need to get 3097kB of archives.
After unpacking 7594kB of additional disk space will be used.
Do you want to continue [Y/n]? y
WARNING: The following packages cannot be authenticated!
  libpcre3 libmagic1 php5-common php5-cli
Install these packages without verification [y/N]? y
Get:1 http://repository.maemo.org diablo/free libpcre3 6.7-1osso1 [164kB]
Get:2 http://repository.maemo.org diablo/free libmagic1 4.12-1osso [232kB]
Get:3 http://repository.maemo.org diablo/free php5-common 5.2.6-3maemo4 [219kB]
Get:4 http://repository.maemo.org diablo/free php5-cli 5.2.6-3maemo4 [2481kB]
Fetched 3097kB in 9s (325kB/s)
Selecting previously deselected package libpcre3.
(Reading database ... 16631 files and directories currently installed.)
Unpacking libpcre3 (from .../libpcre3_6.7-1osso1_armel.deb) ...
Selecting previously deselected package libmagic1.
Unpacking libmagic1 (from .../libmagic1_4.12-1osso_armel.deb) ...
Selecting previously deselected package php5-common.
Unpacking php5-common (from .../php5-common_5.2.6-3maemo4_armel.deb) ...
Selecting previously deselected package php5-cli.
Unpacking php5-cli (from .../php5-cli_5.2.6-3maemo4_armel.deb) ...
Setting up libpcre3 (6.7-1osso1) ...
Setting up libmagic1 (4.12-1osso) ...
Setting up php5-common (5.2.6-3maemo4) ...
Setting up php5-cli (5.2.6-3maemo4) ...

All I want to do is parse some damn XML files. I gave up on getting Perl to work and I don’t know any Python. PHP from the command-line with SimpleXML just works.

John the Ripper w/ Jumbo Patch – now with GPU support

admin — Fri, 06 Jul 2012 02:50:20 +0000

JtR 1.7.9 with Jumbo 6 now offers GPU support for computationally intensive (slow-hash) password encryptions like WPA-PSK. This POST will detail compiling JtR with OpenCL support. I have an really old ATI Radeon HD card but it works with OpenCL so here goes. This compile works for Ubuntu LTS 12.04 and 10.04. You should read the doc file README.opencl for notes for more info on how to compile JtR with OpenCL support.

For additional information you can read the JtR documentation and wiki from Openwall.

OpenSSL is needed. This can be installed through your package manager or may already be installed. Remember to install the development package (libssl-dev or libssl-devel). I like the latest and greated so instructions on download and compile are included below.

Download and install the latest OpenSSL

$ wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz
$ tar zxf openssl-1.0.1c.tar.gz
$ cd openssl-1.0.1c
$ ./config --openssldir=/usr/local
$ make
$ sudo make install

Identify your Graphics Card

$ sudo lshw -C video

Download the AMD/ATI drivers (http://support.amd.com/us/gpudownload/Pages/index.aspx)
NOTE: you may have to uninstall the old driver or use the –force option.

$ wget http://www2.ati.com/drivers/linux/amd-driver-installer-12-4-x86.x86_64.run
$ sudo sh amd-driver-installer-12-4-x86.x86_64.run

I selected option 1. Install Driver 8.961 on X.Org 6.9 or later

Download the AMD SDK for OpenCL (http://developer.amd.com/sdks/AMDAPPSDK/downloads/Pages/default.aspx)

$ wget http://developer.amd.com/Downloads/AMD-APP-SDK-v2.7-lnx32.tgz
$ tar zxf AMD-APP-SDK-v2.7-lnx32.tgz
$ sudo ./Install-AMD-APP.sh

32-bit Operating System Found…
Starting Installation of AMD APP….
SDK package name is :AMD-APP-SDK-v2.7-RC-lnx32.tgz
Current directory path is : /home/edge/source
Untar command executed succesfully, The SDK package available
Untar command executed succesfully, The ICD package available
Copying files to /opt/AMDAPP/ …
SDK files copied successfully at /opt/AMDAPP/
AMD Catalyst OpenCL Runtime is available hence skiping OpenCL CPU Runtime Installation Installation
ln: creating symbolic link `/usr/lib/libOpenCL.so’: File exists
Updating Environment vairables…
32-bit path is :/opt/AMDAPP/lib/x86
Environment vairables updated successfully
/sbin/ldconfig.real: Can’t stat /lib/i486-linux-gnu: No such file or directory
/sbin/ldconfig.real: Can’t stat /lib64: No such file or directory
AMD APP installation Completed
>> Reboot required to reflect the changes
>> Please ignore the ldconfig errors, Expected behaviour
>> Please refer the ‘AMDAPPlog file’ in the same directory
>> Refer the README.txt in the same directory for more info

Now with the prerequisites for compiling JtR with OpenCL support.

$ wget http://www.openwall.com/john/g/john-1.7.9-jumbo-6.tar.gz
$ tar zxf john-1.7.9-jumbo-6.tar.gz
$ cd john-1.7.9-jumbo-6/src
$ make linux-x86-opencl (if you manually obtained the header files)
$ make -I/opt/AMDAPP/include/CL linux-x86-opencl

JtR comes with some Perl scripts. You will need the following packages for the scripts to work.

$ sudo apt-get install libnet-ldap-perl libcrypt-des-perl
For some reason libdigest-sha1-perl doesn't get identified by the sha-test.pl script.
$ wget http://search.cpan.org/CPAN/authors/id/U/UW/UWEH/SHA-1.2.tar.gz
$ tar zxf SHA-1.2.tar.gz
$ cd SHA-1.2
$ perl Makefile.PL
Checking if your kit is complete...
Looks good
Writing Makefile for SHA
Warning: overwriting endian.h
Do you want to use the original SHA or the new standard SHA-1?
Enter 0 for the original or 1 for the new standard. [1]
$ make
$ sudo make install

WRT54GL is Not Dead

admin — Mon, 23 Apr 2012 16:27:01 +0000

Well the WRT54GL is not dead for me. Due to it’s popularity this venerable wireless router has been documented across the Internet on how to software and hardware hack it. Tinkering with this devices is a great way to learn about embedded Linux, cross-compilation, soldering, and serial communication. I continue to search for new ways to play with this router (I plan on adding some USB ports once my 12v/5v power supply arrives!). The reason I’m documenting my experiences is because I haven’t seen many tutorials where the device has a GPS module. I’ve seen some documentation on connecting a GPS device (Garmin) to a serial port. Mine goes the extra step and includes a module in the router for a nice compact wardriving box. I’m even able to set the date and time on the device after a GPS lock is obtained. So I’m going to put together a tutorial on the GPS module and the version of Openwrt, Kismet, and GPSd I used to allow this device to be a self contained wardriving box.

Compiling Wireless Tools for Nokia N810

admin — Mon, 23 Apr 2012 00:51:11 +0000

This tutorial will help you configure the Scratchbox environment to compile the latest svn of aircrack-ng, latest stable kismet, and reaver 1.4 for the Nokia n810. A lot of love is getting sent to the N900 but the n8x0 series of devices are still great for wireless testing. With this tutorial you will be not only to compile the software but create Debian packages for easy installation on your Nokia device. Of important note were the errors I encountered while compiling aircrack-ng. The error had not been documented on the Internet. Trust me I Googled my heart out. Everyones solution was update the linux kernel headers. Well in this case that wasn’t possible. I’m not a Linux programmer but I figured out how to edit the header file to make the changed needed to get Aircrack-ng to compile.

Install and Configure Scratchbox for Diablo

Visit http://maemovmware.garage.maemo.org/2nd_edition/ and download the Maemo SDK Virtual Image. It will bring you http://tablets-dev.nokia.com/maemo-dev-env-downloads.php to download the virtual image. As of this tutorial the image for Desktop Ubuntu Lucid Lynx is still supported by Ubuntu. It is an Long Term Service release that will be good until 2013.

Download : Maemo_Ubuntu_Lucid_Desktop_SDK_Virtual_Image_Final.7z

Extract the image from the compressed 7z archive and boot it with your preferred Virtual Emulator (VMWare, VirtualBox, etc). How to use Virtual Image software is beyond the scope of this document. I used Virtualbox (http://www.virtualbox.org/manual/ch01.html) and make some references to it throughout the tutorial.

First thing you should do after you boot your image is update the software and install the Virtual Emulator software/drivers. Username and password are maemo/maemo. For example, I use VirtualBox and I will install the Guest Additions. Note, install the latest guest additions and not what comes with the SDK image.

To update the OS open a terminal session and preform these two commands.

$sudo apt-get update
$sudo apt-get upgrade

In the maemo user home directory Desktop folder are the scripts and programs to install and configure the cross-compilation platform for Maemo 4 OS2008 Diablo. The SDK comes preconfigured with Maemo 5 Fremantle OS environment. That environment is for the Nokia N900 Internet phone.

(NOTE: I prefer to SSH into the image from my Windows 7 host computer using Putty. This makes it easier to copy and paste commands in this tutorial)


$cd ~/Desktop/DiabloSDKInstall
$sudo ./maemo-scratchbox-install_4.1.2.sh -s /opt/scratchbox
$./maemo-sdk-install_4.1.2.sh -d -s /opt/scratchbox

.
.
.
.
.
This offer is valid for a period of three (3) years.

The exact license terms of GPL, LGPL and said certain other licenses, as well
as the required copyright and other notices, permissions and acknowledgements
are reproduced in and delivered to you as part of the referred source code.

--------------------------------------------------------------------------------

Press Enter to accept (Crtl+C to cancel).

The process downloads and installs a lot of files.  When it is finished you will see

Installation was successful!
----------------------------

IMPORTANT! Please read this.

You now have the maemo 4.1.2 diablo installed on your computer.
You can now start your maemo SDK session with /opt/scratchbox/login and
then select your target with 'sb-conf select DIABLO_ARMEL' for the
armel target or 'sb-conf select DIABLO_X86' for the i386 target.

If you have any problems with targets' package databases, you can try
running 'fakeroot apt-get -f install' on your scratchbox target.
This command will try to fix any problems with the package database.

Happy hacking!

Install the Maemo SDK Nokia Binaries.


$./maemo-sdk-nokia-binaries_4.1.2.sh

.
.
.
Do you accept all the terms of the preceding License Agreement?
Please reply with 'I accept' if you do.
> I accept
Thank you.

Extracting files...

Nokia binaries repository has now been extracted to a directory under
your scratchbox home path. Add the following line to maemo 4.1.2 diablo
scratchbox targets' /etc/apt/sources.list files to make the repository
visible to Debian apt tools:

deb file:/home/maemo/maemo-sdk-nokia-binaries_4.1.2 diablo explicit

Run 'apt-get update' inside scratchbox to read package index files.

NOTE:  This line goes in the sources.list file when you are logged into scratchbox

$sudo apt-get install vim
$sudo /opt/scratchbox/sbin/sbox_adduser maemo yes
The user `maemo' is already a member of `sbox'.
Scratchbox user account for user maemo added
$sudo /opt/scratchbox/sbin/sbox_ctl start
$ /opt/scratchbox/login
Welcome to Scratchbox, the cross-compilation toolkit!

Use 'sb-menu' to change your compilation target.
See /scratchbox/doc/ for documentation.

[sbox-DIABLO_ARMEL: ~] >vim /etc/apt/sources.list
Add the new repository to the APT sources.list
[sbox-DIABLO_ARMEL: ~] >apt-get update
[sbox-DIABLO_ARMEL: ~] >mkdir source
[sbox-DIABLO_ARMEL: ~/source] >exit
$sudo apt-get install subversion libapr1 libaprutil1 libsvn1 vim

Compile and Package Aircrack-ng

These steps will download the latest version of Aircrack-ng and modify the Maemo Linux header files so the software will compile.


$cd /opt/scratchbox/users/maemo/home/maemo/source
$svn co  http://trac.aircrack-ng.org/svn/trunk/ aircrack-ng-4.20.2012.svn
$ /opt/scratchbox/login
[sbox-DIABLO_ARMEL: ~] >cd source/aircrack-ng-4.20.2012.svn
[sbox-DIABLO_ARMEL: ~/source/aircrack-ng-4.20.2012.svn] >make

Click here for compile output including the error messages

The compilation first breaks when trying to compile aireplay-ng. The beginning of the error is this:
gcc -g -W -Wall -O3 -D_FILE_OFFSET_BITS=64 -D_REVISION=-1 -Iinclude -c -o aireplay-ng.o aireplay-ng.c In file included from /usr/include/linux/cpumask.h:86, from /usr/include/linux/interrupt.h:10, from /usr/include/linux/rtc.h:14, from aireplay-ng.c:39: /usr/include/linux/bitmap.h: In function `bitmap_zero':
After some research, okay, A LOT of research (Googling), it appears that #include should not be in rtc.h. I’ve found references to a kernel bug on the Internet. I am specifically creating this tutorial because this error alone wasted a lot of my time and I want to help someone else down the road.


[sbox-DIABLO_ARMEL: ~/source/aircrack-ng-4.20.2012.svn] >vim /usr/include/linux/rtc.h

Line 14 goes from this #include to this /*#include */
Save the file and try to compile again.


[sbox-DIABLO_ARMEL: ~/source/aircrack-ng-4.20.2012.svn] >make

SUCCESS!!! Okay, so you know it compiles. Best thing to do is make a Debian package so we are going to “start over” compiling aircrack-ng


[sbox-DIABLO_ARMEL: ~/source/aircrack-ng-4.20.2012.svn] >make clean

NOTE: If you like to have your aircrack-ng binaries in /usr/(s)bin instead of /usr/local/(s)bin then modify the common.mak file. Line 73, set prefix to /usr (or whatever you prefer).


[sbox-DIABLO_ARMEL: ~/source/aircrack-ng-4.20.2012.svn] >cd ..
[sbox-DIABLO_ARMEL: ~/source] >tar czvf aircrack-ng-4.20.2012.svn.tar.gz aircrack-ng-4.20.2012.svn/
[sbox-DIABLO_ARMEL: ~/source] >cd aircrack-ng-4.20.2012.svn
[sbox-DIABLO_ARMEL: ~/source/aircrack-ng-4.20.2012.svn] > dh_make -c gpl -e HIDDEN EMAIL -m -f ../aircrack-ng-4.20.2012.svn.tar.gz
Maintainer name : unknown
Email-Address   : HIDDEN EMAIL
Date            : Fri, 20 Apr 2012 11:22:26 -0400
Package Name    : aircrack-ng
Version         : 4.20.2012.svn
License         : gpl
Type of Package : Multi-Binary
Hit  to confirm:
Done. Please edit the files in the debian/ subdirectory now. You should also
check that the aircrack-ng Makefiles install into $DESTDIR and not in / .

You can modify the debian/control file to include more details about the utility and who you are (maintainer).
You can also modify it so the share files are not created to reduce the amount of space that is taken up on your device.

Add the following line below install-arch: (line 77) just above dh_install -s (line 87)
rm -Rf $(CURDIR)/debian/aircrack-ng/usr/share


[sbox-DIABLO_ARMEL: ~/source/aircrack-ng-4.20.2012.svn] >dpkg-buildpackage -rfakeroot -us -uc –B

You now have an Aircrack-ng Debian package!

Compile and Package Kismet

Note: The Maemo 4 kernel is too old for mac80211 or nl80211, even if you have libnl installed. That is why the latest svn of Kismet will not work. 2011-03-R2 will probably be the latest version of Kismet that will work on the n810.


[sbox-DIABLO_ARMEL: ~] > cd source
[sbox-DIABLO_ARMEL: ~/source] > wget http://www.kismetwireless.net/code/kismet-2011-03-R2.tar.gz
[sbox-DIABLO_ARMEL: ~/source] > tar zxvf kismet-2011-03-R2.tar.gz
[sbox-DIABLO_ARMEL: ~/source] > cd kismet-2011-03-R2
[sbox-DIABLO_ARMEL: ~/source/kismet-2011-03-R2] > dh_make -c gpl -e HIDDEN EMAIL -m -f ../kismet-2011-03-R2.tar.gz
[sbox-DIABLO_ARMEL: ~/source/kismet-2011-03-R2] >vim debian/rules

edit the configure options so that the config files will be in /etc/kismet and the binary will be in /bin (see below).
./configure --host=$(DEB_HOST_GNU_TYPE) --build=$(DEB_BUILD_GNU_TYPE) --prefix=/usr --sysconfdir=/etc/kismet --bindir=/bin --mandir=\$${prefix}/share/man --infodir=\$${prefix}/share/info --with-suidgroup=users CFLAGS="$(CFLAGS)" LDFLAGS="-Wl,-z,defs"
Also add the following lines below install-arch: (line 86) just above dh_install -s (line 96)
rm -Rf $(CURDIR)/debian/kismet/usr/share/man dh_install debian/manuf etc/ dh_install conf/kismet.conf etc/kismet dh_install conf/kismet_drone.conf etc/kismet


[sbox-DIABLO_ARMEL: ~/source/kismet-2011-03-R2] >vim debian/dirs

Add the directories etc and etc/kismet to the file


[sbox-DIABLO_ARMEL: ~/source/kismet-2011-03-R2] >vim conf/kismet.conf.in

Uncomment logprefix and set it to the following (line 13)
logprefix=/media/mmc1
add the ncsource line that works with the n810 (below line 31)
ncsource=wlan0:type=nokia810,fcs=true,validatefcs=true


[sbox-DIABLO_ARMEL: ~/source/kismet-2011-03-R2] > wget –cd -N -P debian http://anonsvn.wireshark.org/wireshark/trunk/manuf
[sbox-DIABLO_ARMEL: ~/source/kismet-2011-03-R2] > dpkg-buildpackage -rfakeroot -us -uc -B

After everything is done you will bind the deb packages in the source folder

Parse Kismet NETXML for Aireplay-ng

admin — Thu, 05 Apr 2012 18:49:33 +0000

This post deals with gathering the information you need to use aircrack-ng to capture a WPA/WPA2 handshake for offline bruteforce attacks. When running aireplay-ng to send out de-authentication packets you need the MAC address of the Access Point and a Client that is associated with it. The way I would collect the information is run Kismet. With the older version of Kismet I would monitor the client (panel view) and select (copy/paste) the access point and client MAC. With the new version of Kismet you cannot select a MAC address. So I wrote myself a quick Perl script to parse the Kismet NETXML file to create output with the MAC addresses of AP and associated client pairs.


#!/usr/bin/perl
use XML::Simple;

$xs = XML::Simple->new( KeyAttr=>[] );
$data = $xs->XMLin($ARGV[0]);

for $wn (@{$data->{'wireless-network'}}){
  $channel = $wn->{'channel'};
  $bssid = $wn->{'BSSID'};
  
  if(ref($wn->{'SSID'}->{'encryption'}) eq 'ARRAY' && $wn->{'type'} eq 'infrastructure')
  {
    if(ref($wn->{'wireless-client'}) eq 'ARRAY'){
      for $wc (@{$wn->{'wireless-client'}}){
        if($wc->{'type'} eq 'tods'){
          print $bssid . " " . $wc->{'client-mac'} . "\n"
        }
      }  
    }
  }
}

I then use the file that was created in a simple Bash script to use aireplay-ng to knock all the clients offline. Of course you have airodump-ng listening for the WPA/WPA2 handshakes.


#!/bin/bash
set -x
AIREPLAY=/usr/local/sbin/aireplay-ng
WIFACE=$1
FILE=$2

while read bssid clientmac
do
    echo $x
    $AIREPLAY -0 1 -a $bssid -c $clientmac --ignore-negative-one $WIFACE
done < $FILE

Compiling Nmap for Android

admin — Wed, 29 Feb 2012 13:34:36 +0000

Compile Nmap for Android

This tutorial will show you how to compile the latest version of Nmap for your Android device starting with a standard Ubuntu install. I will offer instructions on how to obtain two versions of compiler that I’ve had success compiling software for Android. I will show the Android NDK and the free Lite ARM compiler from Mentor (formally Code Sorcery). Hopefully you can take this instruction to try and compile other tools for Android.

The build environment and instructions come from an auditor with strong technical skills but somebody who is not a programmer or developer so hopefully my view point can help other individuals who are also not developers. I’ve built cross-compile environments for Openwrt, Nokia Maemo, Familiar Linux (iPaq) in the past but always from piecing together instructions from multiple Google queries and forum searches. I’m creating this document so it will be helpful for somebody’s future Google search.

After the Ubuntu installation here are ALL the steps you can/should take to compile Nmap for Android. I like vim as my command-line editor. You can use which ever editor you prefer.

Here is a quick rundown of what is done. Everything (almost) is done from a terminal window.

I update all Ubuntu software and install all files and tools to compile software on Ubuntu
I download the software required to compile for Android
Setup the environment to compile for Android
I create a source folder in the home directory for downloading and compiling the software.
Download the software, patch, configure, and compile.
Install Android SDK Platform Tools to copy files to your phone
Copy files to the phone and set PATH environment variable.


$sudo -s
#apt-get update
#apt-get upgrade
#apt-get install vim build-essential
#cd /usr/local
#wget https://sourcery.mentor.com/sgpp/lite/arm/portal/package9728/public/arm-none-linux-gnueabi/arm-2011.09-70-arm-none-linux-gnueabi-i686-pc-linux-gnu.tar.bz2
#tar jxf arm-2011.09-70-arm-none-linux-gnueabi-i686-pc-linux-gnu.tar.bz2
#rm arm-2011.09-70-arm-none-linux-gnueabi-i686-pc-linux-gnu.tar.bz2
#exit
$

Ubuntu is now current with the tools required to compile for Android. Now to create a simple shell script to setup the environment variables for cross compiling.


$mkdir ~/source
$cd ~/source
$vim setenv.sh

Include the following information in setenv.sh. This script will set the environment to allow you to use the Android / ARM compiler instead of the native compiler.

#!/bin/bash
export ac_cv_linux_vers=2
export CC=/usr/local/arm-2011.09/bin/arm-none-linux-gnueabi-gcc
export GCC=/usr/local/arm-2011.09/bin/arm-none-linux-gnueabi-gcc
export CXX=/usr/local/arm-2011.09/bin/arm-none-linux-gnueabi-g++
export CPP=/usr/local/arm-2011.09/bin/arm-none-linux-gnueabi-cpp
export LD=/usr/local/arm-2011.09/bin/arm-none-linux-gnueabi-ld
export AR=/usr/local/arm-2011.09/bin/arm-none-linux-gnueabi-ar
export AS=/usr/local/arm-2011.09/bin/arm-none-linux-gnueabi-as
export NM=/usr/local/arm-2011.09/bin/arm-none-linux-gnueabi-nm
export RANLIB=/usr/local/arm-2011.09/arm-none-linux-gnueabi/bin/ranlib
export CC1=/usr/local/arm-2011.09/libexec/gcc/arm-none-linux-gnueabi/4.6.1/cc1
export PATH=/usr/local/arm-2011.09/bin:/usr/local/arm-2011.09/:/usr/local/arm-2011.09/lib:/usr/local/arm-2011.09/libexec/gcc/arm-none-linux-gnueabi/4.6.1:$PATH
export LDFLAGS=”-static”
export CFLAGS=”-Os -s”

$source setenv.sh
$wget http://nmap.org/dist/nmap-5.61TEST4.tar.bz2
$tar jxf nmap-5.61TEST4.tar.bz2
$cd nmap-5.61TEST4

At this point you can configure and compile just Nmap. This will be without LUA library support (–without-liblua) which will disable all of the NSE scripts that have been created for Nmap as well as the additional command line tools ncat, ndiff, and nping.


$ ./configure --host=arm-linux-androideabi --without-zenmap --without-liblua --without-nping --without-ndiff --without-ncat --with-libpcap=internal --with-pcap=linux --enable-static --prefix=/data/opt

If you want to include these scripts and tools you will have to modify the Nmap source code. If you try to compile with LUA support you will get this error.

strict-aliasing -DLUA_USE_POSIX -DLUA_USE_DLOPEN -c -o llex.o llex.c
llex.c: In function ‘trydecpoint’:
llex.c:181: error: ‘struct lconv’ has no member named ‘decimal_point’
make[1]: *** [llex.o] Error 1
make[1]: Leaving directory `/home/edge/source/nmap-5.51/liblua’
make: *** [lua_build] Error 2

If you try to compile without LUA but want nping you get this error.

In file included from ArgParser.cc:94:
nping.h:116:26: error: sysexits.h: No such file or directory
make[3]: *** [ArgParser.o] Error 1
make[3]: Leaving directory `/home/edge/source/nmap-5.51/nping’
make[2]: *** [all] Error 2
make[2]: Leaving directory `/home/edge/source/nmap-5.51/nping’
make[1]: *** [build-nping] Error 2
make[1]: Leaving directory `/home/edge/source/nmap-5.51′
make: *** [all] Error 2

Vlatko Kosturjak comes to the rescue with his patch that allows you to compile with LUA and nping. I’m hosting the patch from my site just in case it is removed from the forums where he posted it.


$cd ~/source/ nmap-5.61TEST4
$mkdir android
$wget http://www.jedge.com/code/nmap.android.patches.diff -O android/ nmap.android.patches.diff
$patch -N -p1 < android/nmap.android.patches.diff
$ ./configure --host=arm-linux-androideabi --without-zenmap --with-liblua=included --with-libpcap=internal --with-pcap=linux --enable-static --prefix=/data/opt
$make
$sudo make install

One my phone I created the directory opt in the data directory where I install all of my tools (/data/opt). That is why you see –prefix set to /data/opt. You can set it to whatever directory you want but remember I use this directory throughout my instructions. When you “install” nmap on your Linux host system it will be placed in /data/opt/bin and /data/opt/share. I mirror these same directories on my Android phone.

I believe you can run nmap on a phone that has not been rooted by sticking the files in /data/data//bin but I will not be discussing how to accomplish that or what pitfalls exist. My phone is already rooted and yours should be too if you want to be successful with this tutorial. Rooting your phone is outside the scope of this tutorial.
Install Android SDK and pushing files to the phone

One of the best ways to get files copied to your Android phone is to use the command ‘adb’ which is part of the platform-tools of the Android SDK. Below are the steps to obtain the SDK and use ‘adb’ to push the compiled nmap files to your phone.


$sudo –s
#apt-get install openjdk-7-jdk
#cd /usr/local
# wget http://dl.google.com/android/android-sdk_r16-linux.tgz
#tar android-sdk_r16-linux.tgz

This next step is the only part where you need a GUI. Running /usr/local/android-sdk-linux/tools/android will open up a window where you need to select Android SDK Platform Tools, deselect Android 4.0.x, and click Install 1 package… (See Screenshot below).


#android-sdk-linux/tools/android &

Android SDK Manager


#export PATH=/usr/local/android-sdk-linux/platform-tools:$PATH
#adb devices

Output examples
List of devices attached ???????????? offline
Unplug your phone and plug it back in. You should see the following output.
List of devices attached 364247A74CE500FD device


#adb remount
#adb shell mkdir /data/opt
#adb chmod 755 /data/opt
#adb push /data/opt /data/opt

This will push the bin and share directories created on Ubuntu that were installed when you ran ‘make install’ from the Nmap directory. They will be pushed to the corresponding directory on the phone.
Running Nmap on your phone

I use BTEP (Better Terminal Emulator Pro) as my terminal of choice on my Android phone. The home directory is located in /data/data/com.magicandroidapps.bettertermpro/home
I also use Root Explorer to traverse the file structure and open up files for editing.

All applications I compile for Android I place in my /data/opt directory and I modify .profile of BTEP to include the executable directory in my PATH (/data/opt/bin). I also include /data/opt/lib in LD_LIBRARY_PATH.

Use Root Explorer and traverse to the home directory of BTEP

Long press .profile to bring up this menu and choose Open With

Open with Text Editor

Edit .profile PATH and LD_LIBRARY_PATH

Hit your phones menu but and Save and Exit

To have your changes take effect you can close and reopen BTEP or run #source .profile from the command line.

You can now run Nmap from your Android phone. A program you successfully cross compiled yourself. These steps can be modified to compile other software for your phone. Your mileage will vary with other software. Especially since Android uses a stripped down libc called Bionic which will prevent software from compiling or running correctly.

Special Thanks to Vlatko Kosturjak http://k0st.wordpress.com/ who got nmap to compile with liblua support as well as nping to compile.

https://secwiki.org/w/Nmap/Android
http://seclists.org/nmap-dev/2012/q1/135
http://seclists.org/nmap-dev/2010/q2/1021
http://k0st.wordpress.com/2012/01/12/nmap-5-61test4-on-android/

(download PDF)

Linux Penetration Testing Laptop Setup v4 (Ubuntu 11.4 Natty Narwhal)

admin — Tue, 20 Sep 2011 03:46:30 +0000

I’m now providing an updated Linux Penetration Testing Laptop Setup document to help install popular and useful vulnerability assessment tools for the Linux operating system. You can go and obtain Backtrack but I feel that you will have more understanding of the tools and Linux in general if you install the tools yourself. You will also have the most current version available. See Configuration Tutorials for the latest document.