Tuesday, 4 August 2015

Batch Script - Windows Privilege Escalation

While working on Windows privilege escalation, we need to gather as much system information as we can, so I thought to club all the important Windows commands into a batch file which generates the system information all at once; later we can analyse this to identify potential privilege escalation entry points.


Hope this helps!


Sunday, 14 June 2015

Rooting the Samsung Note 10.1 N8000 and Installing Kali Linux on an Android Tab

Finally I rooted my Samsung Galaxy Note 10.1 N8000!!

Here are the simple steps and handy links:


1. Install Samsung Kies from: Samsung Kies
2. Download ODIN and the necessary files for rooting from:


3. Start ODIN
4. Restart the TAB and press Volume Down + Power Button
5. While in download mode, connect the TAB to the laptop through USB.
6. Click on PDA and select the root file: "CF-Auto-Root-p4noterf-p4noterfx-gtn8000.tar.md5"
7. Click on the Start button and restart the TAB
8. That's it, the Note 8000 is now rooted!

My aim was to install Kali Linux on N8000 Tab.


1. Download Kali Linux for ARM: here
2. Copy the file wherever convenient; I copied it to /sdcard/kali.img.gz
3. It is important to decompress it and copy the file to the tab; if you have not done so, then:
    a. Install "ConnectBot" - for connecting to your tablet over SSH
    b. Install the "busybox" apk on the rooted Android tablet - we need its "gunzip" command
    c. "gunzip kali.img.gz" - decompresses the Kali image
4. I tried installing "Kali.img" using "Complete Linux Installer", but unfortunately this tool crashes when we import the Kali.img file.
5. Install "Linux Deploy" on the rooted Android device
6. Install "androidVNC" on the rooted device
7. Install "Terminal Emulator" on the rooted device

Configure Installation Path = Kali.img path

Once you start the instance, SSH will start

After connecting to the Kali instance using TightVNC

Brand new Kali instance on the N8000 - Samsung Note 10.1

It was fun installing and using a Kali instance on the N8000.
Hope this will be helpful.


Saturday, 11 April 2015

WPA2 Enterprise Credential Capture using a FreeRADIUS Server

In the previous article we configured a fake RADIUS server on Kali Linux, which will be used to capture the domain credentials of endpoints connected to WPA2 MGT [WPA2 Enterprise Wi-Fi access points].

Steps:

1. The attacker sets up a FreeRADIUS server on Kali Linux.
2. Enumerate the clients connected to the WPA2 Enterprise Wi-Fi access point:

3. De-authenticate a client connected to the WPA2 Enterprise Wi-Fi

4. The client connects to the nearest WPA2 Enterprise access point [the attacker's fake access point]

5. Credentials are captured while the client authenticates to the access point using domain credentials

6. The captured credentials are brute-forced with a custom-made dictionary using the asleap tool.

Game over!... Now you can authenticate to the WPA2 Enterprise access point using these credentials.
If MAC address authentication is enabled, it is very easy to spoof the MAC using the "macchanger" tool.

macchanger --mac MACADDRESS wlan0

Hope this is helpful.


Tuesday, 13 January 2015

Nullcon CTF 2015 Write-up - Length Extension Attack [Web 400]


It was fun playing the Nullcon CTF 2015 challenges, and I learnt a lot of things over the 2 days!
One of the challenges consisted of an interesting crypto attack known as the "Length Extension Attack".

Referring to this diagram from Wikipedia: http://en.wikipedia.org/wiki/Message_authentication_code


1. The sender has a "Hash", i.e. the MAC, and the message, which will be sent to the server.
2. The receiver receives the MAC and the message.
3. The receiver passes Message + Secret Key to the algorithm = MAC.
4. The receiver compares the newly generated MAC with the MAC received from the sender; if they match, the message is authentic.

Nullcon pass at 10999 Rs

If you observe the source code, it has the information we need - Hash + Message + Length of the secret key (19)

Pass the above information to the HashPump tool, which performs the Length Extension Attack to generate a new hash that lets us buy the product for 0 Rs. by appending |0

Message Format = Nullcon2015|Corporate|10999, i.e. the price

URL-encode the newly generated message from HashPump and remove the unnecessary characters "5cx" (the URL-encoded "\x" prefix of the escape sequences HashPump prints, so that "%5cx80" becomes "%80")

Tamper Data will show the original message & hash

Replace the original message and hash with the updated hash and the URL-encoded message

Forward the HTTP request and that's it!.. You bought a Nullcon pass for 0 Rs.
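To show why the challenge's MAC could be extended and what the server should have done instead, here is an added example (my own code, not the challenge's): the vulnerable MD5(secret || message) construction beside an HMAC verifier with a constant-time compare and a strict parser of the event|tier|price format. The secret value, the field names and the verifier functions are assumptions; the write-up only tells us the secret was 19 bytes long and the price was the last field. The block does not perform the extension itself (that was HashPump's job above); it builds the message an extended tag actually authenticates, which is the original message followed by MD5's own padding and the appended "|0", and shows which verifier accepts it.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed placeholder secret; the write-up only says the real one was 19 bytes.
SECRET = b"X" * 19


def naive_mac(secret: bytes, message: bytes) -> str:
    """Vulnerable: MD5(secret || message). The tag is MD5's final internal state,
    so anyone holding the tag and len(secret) can keep hashing past the padding."""
    return hashlib.md5(secret + message).hexdigest()


def hmac_tag(secret: bytes, message: bytes) -> str:
    """Hardened: HMAC mixes the key into an outer hash, so the tag is not a
    resumable state and cannot be extended."""
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def md5_padding(total_len: int) -> bytes:
    """The padding MD5 appends to total_len bytes of input: 0x80, zero bytes up
    to 56 mod 64, then the input length in bits as a 64-bit little-endian value."""
    zeros = (55 - total_len) % 64
    return b"\x80" + b"\x00" * zeros + struct.pack("<Q", total_len * 8)


def extended_message(original: bytes, secret_len: int, suffix: bytes) -> bytes:
    """The message an extended tag authenticates: original, then the padding MD5
    added for (secret || original), then the attacker's suffix (here "|0")."""
    return original + md5_padding(secret_len + len(original)) + suffix


def lenient_price(message: bytes) -> int:
    """Vulnerable parser: takes whatever follows the last '|', padding and all."""
    return int(message.rsplit(b"|", 1)[1])


def verify_naive(message: bytes, tag: str) -> Optional[int]:
    """Vulnerable verifier: extendable MAC, timing-leaky '==', lenient parse.
    Returns the price it would charge, or None if the tag does not match."""
    if naive_mac(SECRET, message) == tag:
        return lenient_price(message)
    return None


def strict_price(message: bytes) -> int:
    """Hardened parser: printable ASCII only (rejects the 0x80/0x00 padding bytes),
    exactly three non-empty fields, and a non-negative integer price."""
    if not message or any(b < 0x20 or b > 0x7E for b in message):
        raise ValueError("non-printable byte in message")
    fields = message.split(b"|")
    if len(fields) != 3 or not all(fields):
        raise ValueError("expected exactly event|tier|price")
    if not fields[2].isdigit():
        raise ValueError("price must be a non-negative integer")
    return int(fields[2])


def verify_hardened(message: bytes, tag: str) -> Optional[int]:
    """Hardened verifier: HMAC, constant-time compare, then strict parsing, so a
    malformed message is refused even when its tag is valid."""
    if not hmac.compare_digest(hmac_tag(SECRET, message), tag):
        return None
    try:
        return strict_price(message)
    except ValueError:
        return None


if __name__ == "__main__":
    original = b"Nullcon2015|Corporate|10999"
    forged = extended_message(original, len(SECRET), b"|0")
    # In the real attack the tag for `forged` is derived from the original tag
    # alone; the demo computes it with the secret only to show what gets accepted.
    print("naive verifier charges:", verify_naive(forged, naive_mac(SECRET, forged)))
    print("hardened verifier charges:", verify_hardened(forged, hmac_tag(SECRET, forged)))
```

Both verifiers return the price they would charge, or None when they refuse the request, so the contrast is visible in one line each: the naive verifier reads 0 from the extended message, while the hardened one refuses it even with a correct HMAC because the padding bytes fail the parser. HMAC alone closes the extension; the strict parser is the belt-and-braces check that also stops any other way of smuggling an extra field.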

This was an interesting challenge and I thought to post it here on the blog, although the CTF write-up is being published on the official Nullcon site.

It was fun playing this CTF... and I wish to learn more things going ahead!