Saturday 31 May 2014

Setting up Freeradius Server on Kali Linux

Hi,

FreeRADIUS is a daemon for Unix and Unix-like operating systems that lets you set up a RADIUS protocol server, which can be used for authentication and accounting of various types of network access. To use the server you also need a correctly configured client to talk to it, such as a terminal server, an Ethernet switch, a wireless access point, or a PC with appropriate software that emulates one.

For more information, visit: http://wiki.freeradius.org/guide/faq

Installing the FreeRADIUS server was easy using:
apt-get install freeradius*

FreeRADIUS server version information:

Open /etc/freeradius/radiusd.conf and edit the parameters mentioned below to specify the IP address in two locations:

Specify the clients' IP range (192.168.4.0/24 in my case) with secret = password, which the access point will use to authenticate with the RADIUS server.

Now we need to add credentials for our clients in the users file, as mentioned below:
(In my case I have created a user named eXpl0i13r, which client laptops will use to authenticate with the RADIUS server.)

Set the EAP type to PEAP in /etc/freeradius/eap.conf as mentioned below:

Now it is time to start our RADIUS server with the command: freeradius -X

The RADIUS server started successfully on the ports mentioned below:

Configure the access point to connect to the RADIUS server:

Access points connected to our RADIUS server:

Configuring PEAP on the client machine:

Configure the advanced settings as mentioned below:

The client will ask for the credentials configured in the users file.

The user eXpl0i13r connected to our RADIUS server, and we can see the details about the connection:

That's it. You are now connected to the access point!
I hope this helps with setting up a RADIUS server.

Regards,
eXpl0i13r
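
Added example (not part of the original post): the client step above uses secret = password for the whole 192.168.4.0/24 range, and that shared secret is what protects RADIUS traffic between the access point and the server. The Python check below audits clients.conf content for guessable or short secrets and for one secret shared across a range; the sample file contents, the word list and the 16-character threshold are assumptions, and it expects the "client <address> { ... }" block layout.

```python
import ipaddress
import re

# Constructed sample in clients.conf syntax; the first block mirrors the post's values.
SAMPLE_CLIENTS_CONF = """
client 192.168.4.0/24 {
    secret = password          # value used in the post
    shortname = lab-aps
}
client 192.168.4.10 {
    secret = "q7T!vR2m#Lx9ZpW4dKe8Hs3B"
    shortname = ap-floor1
}
client localhost {
    ipaddr = 127.0.0.1
    secret = testing123        # default shipped with FreeRADIUS
}
"""

WEAK_SECRETS = {"password", "testing123", "secret", "radius", "admin"}  # assumed list
MIN_SECRET_LEN = 16  # assumed policy threshold, not a FreeRADIUS setting
CLIENT_BLOCK = re.compile(r"^\s*client\s+(\S+)\s*\{(.*?)^\s*\}", re.M | re.S)
# A value is a quoted string (may contain '#') or a bare token ending at a comment.
KEY_VALUE = re.compile(r'^[ \t]*(\w+)[ \t]*=[ \t]*(?:"([^"]*)"|([^\s#]+))', re.M)

def parse_clients(text):
    """Return [(client_name, {option: value})] for every client block."""
    return [(name, {k: q or b for k, q, b in KEY_VALUE.findall(body)})
            for name, body in CLIENT_BLOCK.findall(text)]

def audit_clients(text):
    """Flag guessable or short shared secrets and secrets shared by a whole range."""
    findings = []
    for name, opts in parse_clients(text):
        secret = opts.get("secret", "")
        if secret.lower() in WEAK_SECRETS:
            findings.append((name, "guessable secret"))
        elif len(secret) < MIN_SECRET_LEN:
            findings.append((name, "short secret"))
        try:
            net = ipaddress.ip_network(opts.get("ipaddr", name), strict=False)
        except ValueError:
            continue  # client named by hostname only; no range to measure
        if net.num_addresses > 1:
            findings.append((name, "secret shared by %d addresses" % net.num_addresses))
    return findings

if __name__ == "__main__":
    for client, issue in audit_clients(SAMPLE_CLIENTS_CONF):
        print(client, "->", issue)
```

A per-access-point client entry with its own long random secret, like the second block in the sample, produces no findings.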




Wireless Enterprise Authentication


Hi,

As I worked on a few wireless penetration testing assignments recently, I thought I would post some information related to enterprise authentication.
As we are all aware, WEP is broken beyond repair, and WPA/WPA2 handshakes can be brute-forced!

But most organizations implement WPA/WPA2 Enterprise authentication, which includes domain authentication, so ideally the wireless client will authenticate to the AP using domain credentials!

To capture authentication handshakes for enterprise networks and brute-force them, we need FreeRADIUS-WPE (Wireless Pwnage Edition).

Basic structure of a wireless enterprise network (using a RADIUS server):

[Image: Tutorial - Geier E - 1051 - Figure 1.png]

So an attacker can bring a physical access point that is connected to a FreeRADIUS server hosted in the attacker's virtual machine, as mentioned below:

The attacker broadcasts an SSID with a name similar to the official SSID of the access point.
When a client connects to the attacker's rogue AP, it will send authentication challenges, which the attacker can brute-force offline to recover passwords.

This is just the theory of how an attacker can work towards breaking enterprise-level authentication.
In the next post I will cover the setup and configuration of a FreeRADIUS server, and slowly move towards hacking enterprise authentication.

Regards,
eXpl0i13r
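
Added example (not part of the original post): the rogue access point described above only obtains a usable challenge/response if the client completes PEAP with a RADIUS server it has not verified. Assuming Linux clients configured through wpa_supplicant.conf, this Python check flags WPA-EAP network blocks that set no CA certificate or no server name match; the SSIDs, paths and names in the sample are constructed.

```python
import re

# Constructed wpa_supplicant.conf content: unpinned PEAP, pinned PEAP, and a PSK network.
SAMPLE_SUPPLICANT_CONF = '''
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
}
network={
    ssid="CorpWiFi-Pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="Guest"
    key_mgmt=WPA-PSK
    psk="constructed passphrase"
}
'''

NETWORK_BLOCK = re.compile(r"^\s*network\s*=\s*\{(.*?)^\s*\}", re.M | re.S)
OPTION = re.compile(r'^[ \t]*(\w+)[ \t]*=[ \t]*"?([^"\n]*)"?', re.M)
CA_OPTIONS = ("ca_cert", "ca_path")
NAME_OPTIONS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

def parse_networks(text):
    """Return one {option: value} dict per network={...} block."""
    return [dict(OPTION.findall(body)) for body in NETWORK_BLOCK.findall(text)]

def audit_supplicant(text):
    """Flag 802.1X profiles that would accept an unverified RADIUS server."""
    findings = []
    for net in parse_networks(text):
        if "WPA-EAP" not in net.get("key_mgmt", "").split():
            continue  # PSK or open network: no EAP server to verify
        if not any(opt in net for opt in CA_OPTIONS):
            findings.append((net.get("ssid"), "server certificate not verified"))
        if not any(opt in net for opt in NAME_OPTIONS):
            findings.append((net.get("ssid"), "server name not checked"))
    return findings

if __name__ == "__main__":
    for ssid, issue in audit_supplicant(SAMPLE_SUPPLICANT_CONF):
        print(ssid, "->", issue)
```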

Tuesday 13 May 2014

HP Data Protector Remote command execution Space Limitation

HP Data Protector versions before A.06.20 are affected by multiple vulnerabilities, including remote command execution, which is very critical.

There are two different Metasploit modules:

Windows --> auxiliary/admin/hp/hp_data_protector_cmd
Linux   --> exploit/linux/misc/hp_data_protector_cmd_exec

As I wanted to run this exploit in a Windows environment, there was a challenge: I was able to execute any specific file, but was not able to pass arguments to it.

Little Challenges :
1. Specifying Executable Path
2. Execute commands with parameters


Correct way to specify the path for the executable file:

So by using \\ we can specify the exact executable path.
But hang on! What if I want to pass the "net user" command as a parameter to cmd.exe?
That would look something like:

set CMD "Windows\\System32\\cmd.exe net user"

I tried many other combinations to overcome it and none of them worked. Because of this issue, we could only execute the basic set of EXEs available on the system and nothing else!

Google! Google! and Google! I found that the above exploit has a limitation with spaces.
After some digging, I came across the links mentioned below.

http://blog.opensecurityresearch.com/2012/08/manually-exploiting-hp-data-protector.html
http://seclists.org/bugtraq/2013/Aug/60    (Python Exploit for HP Data Protector)

The Python script mentioned on the blog was created specifically to bypass the space limitation; with it you can execute commands with parameters.

Example:

exploit.py 192.168.1.1 5555 'dir c:\'
exploit.py 192.168.1.1 5555 'ipconfig /all'
exploit.py 192.168.1.1 5555 'net user userbackdoor pwdbackdoor /ADD'


Thought to mention this here for future reference.
Hope this is helpful!...

Regards,
eXpl0i13r

Sunday 11 May 2014

While working on some assignments, I wanted to copy data from my friend's TrueCrypt volume, which was encrypted with a password, and he forgot the password! That's how my journey towards TrueCrypt hacking started!

TrueCrypt is an open source program to create and mount virtual encrypted disks on Windows Vista/XP/2000, Linux and OS X, and it also offers whole-disk encryption on Windows. It provides two levels of plausible deniability (hidden volumes / no signatures to distinguish a volume from random data), on-the-fly encryption, and supports AES, Serpent and Twofish. As of version 6.0, TrueCrypt also supports hidden operating systems, under Windows only.

The favorite attack is dictionary-based / brute force, for which there are multiple tools available for Linux as well as Windows.

Tools :
  1. TrueCrack  (Most Reliable Tool)
  2. Unprotect.info
  3. TCHead
  4. TCBrute 2
  5. Passware Password Recovery Kit Forensic (Commercial)
  6. Hashcat/CudaHashcat

There are also attacks that extract TrueCrypt master keys from a memory dump.


TrueCrack

TrueCrack in action with a dictionary attack:

Unprotect.info

Pure brute-force attack with digits:

TCHead

TCHead in action with a dictionary attack:

TCBrute 2

I specified a dictionary and a TrueCrypt encrypted file, but for some reason TCBrute seems unreliable, as I was unable to crack the password although it was present in the dictionary. Visitors can cross-check and comment.

Password not cracked, although it was present in the mentioned dictionary file:

Passware Password Recovery Kit Forensic (Commercial)

First of all, this is a commercial tool, and it can perform various known attacks against a TrueCrypt encrypted volume.

Brute force with digits:

Password cracked:

Mount a TrueCrypt volume using the command line:

Command-line options for TrueCrypt:

Mount a TrueCrypt encrypted volume using the command:

/l = Drive Letter

TrueCrypt Reference Links

http://www.tateu.net/software/
http://www.autohotkey.com/board/topic/86586-tcbrute-2-truecrypt-bruteforce-password-recovery/
http://dl.securityvision.ch/TCBrute/
http://security.stackexchange.com/questions/30605/brute-forcing-password-to-a-truecrypt-encrypted-file-with-partial-knowledge
http://truecryptblooz.blogspot.in/2011/09/one-day-i-forgot-my-truecrypt-password.html
https://code.google.com/p/truecrack/
http://www.hacker10.com/other-computing/brute-force-a-truecrypt-volume-with-truecrack/
http://16s.us/software/TCHead/TCHead-0.5/
http://jeffball55.blogspot.in/2011/07/dictionary-attacking-truecrypt.html
http://unprotect.info/
http://mweissbacher.com/blog/tag/truecrypt/
http://www.truecrypt.org/docs/command-line-usage


Hope you enjoyed, I will post more interesting Information soon!

Regards,
eXpl0i13r