Freerainbowtables.com: Rcracki_mt and HALFLMCHALL

Download the Rcracki_mt Linux binary from http://sourceforge.net/projects/rcracki/files/rcracki_mt/rcracki_mt_0.7.0/

$ sudo apt-get install p7zip links
$ cd ~/tools
~/tools$ links http://sourceforge.net/projects/rcracki/files/rcracki_mt/rcracki_mt_0.7.0/rcracki_mt_0.7.0_linux_x86_64.7z/download
~/tools$ p7zip -d rcracki_mt_0.7.0_linux_x86_64.7z
~/tools$ cd rcracki_mt_0.7.0_linux_x86_64/

Download the HALFLMCHALL rainbow tables from https://www.freerainbowtables.com/tables/

$ mkdir -p RainbowTables/halflmchall
$ cd RainbowTables/halflmchall
~/RainbowTables/halflmchall$ wget http://freerainbowtables.mirror.garr.it/mirrors/freerainbowtables/halflmchall/halflmchall_alpha-numeric%231-7_0/halflmchall_alpha-numeric%231-7_0_2400x57648865_1122334455667788_distrrtgen%5bp%5d%5bi%5d_0.rti
~/RainbowTables/halflmchall$ wget http://freerainbowtables.mirror.garr.it/mirrors/freerainbowtables/halflmchall/halflmchall_alpha-numeric%231-7_0/halflmchall_alpha-numeric%231-7_0_2400x57648865_1122334455667788_distrrtgen%5bp%5d%5bi%5d_0.rti.index
~/RainbowTables/halflmchall$ wget http://freerainbowtables.mirror.garr.it/mirrors/freerainbowtables/halflmchall/halflmchall_alpha-numeric%231-7_1/halflmchall_alpha-numeric%231-7_1_2400x56281894_1122334455667788_distrrtgen%5bp%5d%5bi%5d_0.rti
~/RainbowTables/halflmchall$ wget http://freerainbowtables.mirror.garr.it/mirrors/freerainbowtables/halflmchall/halflmchall_alpha-numeric%231-7_1/halflmchall_alpha-numeric%231-7_1_2400x56281894_1122334455667788_distrrtgen%5bp%5d%5bi%5d_0.rti.index
~/RainbowTables/halflmchall$ wget http://freerainbowtables.mirror.garr.it/mirrors/freerainbowtables/halflmchall/halflmchall_alpha-numeric%231-7_2/halflmchall_alpha-numeric%231-7_2_2400x58928524_1122334455667788_distrrtgen%5bp%5d%5bi%5d_0.rti
~/RainbowTables/halflmchall$ wget http://freerainbowtables.mirror.garr.it/mirrors/freerainbowtables/halflmchall/halflmchall_alpha-numeric%231-7_2/halflmchall_alpha-numeric%231-7_2_2400x58928524_1122334455667788_distrrtgen%5bp%5d%5bi%5d_0.rti.index
~/RainbowTables/halflmchall$ wget http://freerainbowtables.mirror.garr.it/mirrors/freerainbowtables/halflmchall/halflmchall_alpha-numeric%231-7_3/halflmchall_alpha-numeric%231-7_3_2400x58924114_1122334455667788_distrrtgen%5bp%5d%5bi%5d_0.rti
~/RainbowTables/halflmchall$ wget http://freerainbowtables.mirror.garr.it/mirrors/freerainbowtables/halflmchall/halflmchall_alpha-numeric%231-7_3/halflmchall_alpha-numeric%231-7_3_2400x58924114_1122334455667788_distrrtgen%5bp%5d%5bi%5d_0.rti.index
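Before pointing rcracki_mt at the directory it is worth checking that the download is complete and coherent: every .rti needs its .rti.index, all parts must have been generated for the same fixed challenge (the 1122334455667788 in the file names), and they must share one hash type, charset and length range. The script below is an added example, not part of the original post or of the rcracki_mt project. The file-name layout it decodes (hash, charset#min-max, table index, chain length x chain count, challenge, generator, part) is my reading of the freerainbowtables naming convention, and the alpha-numeric charset size of 36 (A-Z plus 0-9) is an assumption taken from rcrack's charset definitions; the file list is constructed from the wget commands above.

```python
"""Parse freerainbowtables HALFLMCHALL table file names and sanity-check a table set."""
import os
import re
from urllib.parse import unquote

# Constructed sample: the eight files fetched by the wget commands above, with the
# percent-encoded '#', '[' and ']' decoded the way they land on disk.
TABLE_FILES = [
    "halflmchall_alpha-numeric#1-7_0_2400x57648865_1122334455667788_distrrtgen[p][i]_0.rti",
    "halflmchall_alpha-numeric#1-7_0_2400x57648865_1122334455667788_distrrtgen[p][i]_0.rti.index",
    "halflmchall_alpha-numeric#1-7_1_2400x56281894_1122334455667788_distrrtgen[p][i]_0.rti",
    "halflmchall_alpha-numeric#1-7_1_2400x56281894_1122334455667788_distrrtgen[p][i]_0.rti.index",
    "halflmchall_alpha-numeric#1-7_2_2400x58928524_1122334455667788_distrrtgen[p][i]_0.rti",
    "halflmchall_alpha-numeric#1-7_2_2400x58928524_1122334455667788_distrrtgen[p][i]_0.rti.index",
    "halflmchall_alpha-numeric#1-7_3_2400x58924114_1122334455667788_distrrtgen[p][i]_0.rti",
    "halflmchall_alpha-numeric#1-7_3_2400x58924114_1122334455667788_distrrtgen[p][i]_0.rti.index",
]

# Assumed naming convention (my reading of the freerainbowtables/rcracki layout):
# <hash>_<charset>#<min>-<max>_<tableidx>_<chainlen>x<chains>_<challenge>_<generator>_<part>.rti[.index]
NAME_RE = re.compile(
    r"^(?P<hash>[a-z0-9]+)_"
    r"(?P<charset>[^#]+)#(?P<minlen>\d+)-(?P<maxlen>\d+)_"
    r"(?P<table>\d+)_"
    r"(?P<chainlen>\d+)x(?P<chains>\d+)_"
    r"(?P<challenge>[0-9a-f]+)_"
    r"(?P<generator>[^_]+)_"
    r"(?P<part>\d+)\.rti(?P<index>\.index)?$"
)

# Assumption: rcrack's alpha-numeric charset is A-Z plus 0-9, i.e. 36 symbols.
CHARSET_SIZES = {"alpha-numeric": 36}


def parse_table_name(path):
    """Decode one table file name (percent-encoded or not) into its parameters."""
    name = unquote(os.path.basename(path))
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised table file name: {name}")
    d = m.groupdict()
    return {
        "hash": d["hash"], "charset": d["charset"],
        "min_len": int(d["minlen"]), "max_len": int(d["maxlen"]),
        "table": int(d["table"]), "chain_len": int(d["chainlen"]),
        "chains": int(d["chains"]), "challenge": d["challenge"],
        "generator": d["generator"], "part": int(d["part"]),
        "is_index": d["index"] is not None,
    }


def keyspace(charset, min_len, max_len):
    """Number of plaintexts the table claims to cover: sum of n^k over the length range."""
    n = CHARSET_SIZES[charset]
    return sum(n ** k for k in range(min_len, max_len + 1))


def check_table_set(paths, expected_challenge="1122334455667788"):
    """Return a list of problems: unpaired .rti/.index files, wrong challenge, mixed settings."""
    problems = []
    data, indexes = set(), set()
    entries = [parse_table_name(p) for p in paths]
    for e in entries:
        key = (e["table"], e["part"])
        (indexes if e["is_index"] else data).add(key)
        if e["challenge"] != expected_challenge:
            problems.append(f"table {key}: challenge {e['challenge']} != {expected_challenge}")
    for key in sorted(data - indexes):
        problems.append(f"table {key}: .rti has no .rti.index")
    for key in sorted(indexes - data):
        problems.append(f"table {key}: .rti.index has no .rti")
    if len({(e["hash"], e["charset"], e["min_len"], e["max_len"]) for e in entries}) > 1:
        problems.append("files mix different hash/charset/length settings")
    return problems


def summarize(paths):
    """Count the data tables, total their chains and compute the keyspace they target."""
    entries = [e for e in (parse_table_name(p) for p in paths) if not e["is_index"]]
    first = entries[0]
    return {
        "tables": len(entries),
        "total_chains": sum(e["chains"] for e in entries),
        "keyspace": keyspace(first["charset"], first["min_len"], first["max_len"]),
    }


if __name__ == "__main__":
    print(summarize(TABLE_FILES))
    print(check_table_set(TABLE_FILES) or "table set looks complete")
```

Run it against a real directory with `check_table_set(os.listdir("."))` from inside ~/RainbowTables/halflmchall; a missing .rti.index shows up as a problem line instead of as a confusing rcracki_mt failure later.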

Update to ProjectRF – version 12.11.2013

So Tenable has made a bunch of changes and additions to the XML (.nessus) file and I’ve tried my best to incorporate them into the project. First off they did something awesome which is alphabetize the XML elements. So I’ve done that as well in the Nessus parse and report scripts. It makes it so much easier to manage. So with new elements comes new table columns. If using this code base you should know that you need to clear all data from the DB.

I made the exploit table even less crappy and included the new XML elements around core, canvas, and d2 elliot frameworks. I added “Show more/Show less” options for the vulnerability site indexes (CVE, BID, etc). I noticed that listing them all out can create one long report and who really needs to have the links for all 30 CVEs around java anyway 🙂

I include any JS and CSS in the HTML instead of linking to a file. I know…goes against all HTML teachings. But this makes one neat file/report when you save the HTML as a file in any browser. No more stupid folder with all the “files”.

I’ve also made some changes to the Executive report. You now have an option to report on Nessus Plugin or CVE total. Look for BID, OSVDB, etc in the near future.

Code here. (http://www.jedge.com/docs/projectRF.12.11.2013.zip)

Oh, and lastly…the Nessus Vuln Matrix is broken as I need to update the code to reflect all the changes.  It mostly centers around the CVSS field breaking out into four elements.
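To make the two points above concrete, namely the alphabetized ReportItem children with the CVSS data split into separate elements and the per-plugin versus per-CVE executive totals, here is an added Python example; it is not ProjectRF code and not from Tenable. The .nessus document is constructed with placeholder hosts and CVE ids, and the element names it uses (cve, bid, cvss_base_score, cvss_temporal_score, cvss_vector, cvss_temporal_vector, exploit_available, exploit_framework_core/canvas/metasploit/d2_elliot) are what I expect a v2 export to contain; treat them as assumptions to check against a real file.

```python
"""Parse a (constructed) .nessus v2 export and build executive totals by plugin or by CVE."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the shape of a NessusClientData_v2 export. ReportItem children
# are in alphabetical order; hosts and CVE ids are placeholders, not real findings.
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="constructed-scan">
  <ReportHost name="192.0.2.10">
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
               pluginID="100001" pluginName="Constructed SMB finding" pluginFamily="Windows">
    <bid>900001</bid>
    <cve>CVE-0000-0001</cve>
    <cve>CVE-0000-0002</cve>
    <cvss_base_score>10.0</cvss_base_score>
    <cvss_temporal_score>8.3</cvss_temporal_score>
    <cvss_temporal_vector>CVSS2#E:POC/RL:OF/RC:C</cvss_temporal_vector>
    <cvss_vector>CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C</cvss_vector>
    <description>Constructed description.</description>
    <exploit_available>true</exploit_available>
    <exploit_framework_canvas>true</exploit_framework_canvas>
    <exploit_framework_core>true</exploit_framework_core>
    <exploit_framework_d2_elliot>false</exploit_framework_d2_elliot>
    <exploit_framework_metasploit>true</exploit_framework_metasploit>
    <solution>Apply the vendor patch.</solution>
    <synopsis>Constructed synopsis.</synopsis>
   </ReportItem>
   <ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
               pluginID="100002" pluginName="Constructed TLS finding" pluginFamily="General">
    <cve>CVE-0000-0002</cve>
    <cvss_base_score>5.0</cvss_base_score>
    <cvss_vector>CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N</cvss_vector>
    <exploit_available>false</exploit_available>
    <solution>Reconfigure TLS.</solution>
   </ReportItem>
  </ReportHost>
  <ReportHost name="192.0.2.11">
   <ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
               pluginID="100002" pluginName="Constructed TLS finding" pluginFamily="General">
    <cve>CVE-0000-0002</cve>
    <cvss_base_score>5.0</cvss_base_score>
    <cvss_vector>CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N</cvss_vector>
    <exploit_available>false</exploit_available>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
# The four separate CVSS elements (assumed names) that replaced the single CVSS field.
CVSS_FIELDS = ("cvss_base_score", "cvss_temporal_score", "cvss_vector", "cvss_temporal_vector")
FRAMEWORK_FIELDS = ("exploit_framework_core", "exploit_framework_canvas",
                    "exploit_framework_metasploit", "exploit_framework_d2_elliot")


def parse_nessus(xml_text):
    """Flatten every ReportItem into a dict; missing optional elements become None/empty."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            f = {
                "host": host.get("name"),
                "port": int(item.get("port")),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
                "severity": int(item.get("severity")),
                "cves": [c.text.strip() for c in item.findall("cve")],
                "bids": [b.text.strip() for b in item.findall("bid")],
                "exploit_available": item.findtext("exploit_available") == "true",
                "frameworks": [n.replace("exploit_framework_", "")
                               for n in FRAMEWORK_FIELDS if item.findtext(n) == "true"],
            }
            for field in CVSS_FIELDS:
                text = item.findtext(field)
                f[field] = float(text) if field.endswith("score") and text else text
            findings.append(f)
    return findings


def executive_totals(findings, by="plugin"):
    """Count distinct plugins (or distinct CVEs) per severity, keeping the highest severity
    seen for each key, so one CVE on twenty hosts counts once rather than twenty times."""
    seen = {}
    for f in findings:
        keys = [f["plugin_id"]] if by == "plugin" else f["cves"]
        for k in keys:
            seen[k] = max(seen.get(k, 0), f["severity"])
    return dict(Counter(SEVERITY_NAMES[s] for s in seen.values()))


if __name__ == "__main__":
    found = parse_nessus(SAMPLE_NESSUS)
    print("by plugin:", executive_totals(found, by="plugin"))
    print("by CVE:   ", executive_totals(found, by="cve"))
```

The sample shows why the two totals differ: CVE-0000-0002 is shared by a critical and a medium plugin, so the by-CVE view rolls it up at the highest severity, while the by-plugin view keeps the medium plugin as its own medium line.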

ISACA Atlanta Chapter – GEEK WEEK 2013


The 6th annual Atlanta Chapter of ISACA GEEK WEEK conference was held the week of August 19 – 23, 2013. GEEK WEEK is a track-oriented, full-week conference focused on training, networking, and roundtable sessions on IT governance, audit, and security.

I conducted the presentation Compliance Based Penetration Testing: You’re Doing it Wrong. You can find the presentation slides here. For links and information on the other presentations you can go here.

Security Bsides Rhode Island 2013

From the site:

“Each BSides is a community-driven framework for building events for and by information security community members.  The goal is to expand the spectrum of conversation beyond the traditional confines of space and time.  It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening. “

Presenter: James Edge – Mainstream Security
Title: Show and Tell: Super MiniPwner
Abstract: The TP-Link WR703N is a low cost wireless access point that has replaced the venerable Linksys WRT54G as the most popular device to crack open and tinker with.  Many project tutorials have sprung up on how to hack this device from a hardware and software perspective.  One such project is the “minipwner”  coined by Kevin Bong with his site www.minipwner.com.  This talk builds off of that concept by trying to upgrade and implement as many features as possible while still keeping the original case.  Why the original case?  Because I said so.  We double the RAM and flash storage, add a usb hub, usb sdcard reader storage, usb to Ethernet port, serial port over usb, and finally we have integration with the Teensy so you can run keyboard commands remotely over WiFi.  I call this device the very original name of super-minipwner.

Slides from the presentation are here.

Conference videos, courtesy of Adrian “Irongeek” Crenshaw (www.irongeek.com), are here.

Direct link to my talk here.

TP-Link WR703N Serial Port Pads

The TP_IN and TP_OUT connections on the TP-LINK WR703N are pretty touchy. One wrong tug on the soldered wire and the pad will rip off. Just a guess but I think they are held on by silly putty. So what do you do when you rip the pads off? I know the device is sub $25 but who wants to wait another month for a new one? Never fear as you can move down the line to C55 and C57. In my opinion this is actually an easier place to connect the wires.

So…what if you just love tinkering with the device and you accidentally rip the pad on C55 off?

TP-Link WR703N Custom Pwn Plug

I was wandering the aisles of Fry’s Electronics and spotted a display of Westinghouse Outlet Valets for under $10. The second I saw this I knew my TP-Link wr703n was destined to be stuffed into it. I also picked up an Inland USB Hub because I know it has the smallest footprint of any hub I’ve seen. I’ve actually been able to place it under the wr703n board in the original housing. I also picked up a Kingston 16GB micro SD card which comes with a small footprint USB reader. Couple that with a Samsung OEM wall charger I had and we got the makings of a computer hiding in plain sight.

I created a Coppermine Photo Gallery album with some pictures I took of the device as it was being made.


Bsides Atlanta 2012

From the site:

“Each BSides is a community-driven framework for building events for and by information security community members.  The goal is to expand the spectrum of conversation beyond the traditional confines of space and time.  It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening. “

Presenter: James Edge – No Affiliation
Title: Show and Tell: Custom Power Pwn
Abstract:  The people over at Pwnie Express are coming out with a neat device called the Power Pwn. This device follows up on the Pwn Plug and the PwnPhone. With my experience as a penetration tester and junior hardware hacker I’ve been working on my own “pwn” hardware. I combined the PCEngines Alix 6f2, an APC BE650R Battery Backup Power Strip, and a battery Power Pack for a Custom Power Pwn. I integrated the Alix connectors for the serial, ethernet, and external antenna connectors with the existing APC coax, rj45, and rj50 ports. This talk is a show and tell on what I did and how anyone who is a fan of hardware hacking can do this themselves.

Slides from the presentation are here.

Conference videos were never posted on the Bsides site but I managed to obtain the video for my talk.

Direct link to my talk here.


Mobile Devices and Airbase-ng Attacks

I don’t feel that this issue gets enough coverage so I am adding my voice to the mix in the hopes that someday the makers of our popular mobile operating systems will FIX THE ISSUE!  What I’m going to discuss is a wireless association vulnerability that was first discovered by Max Moser (site here and his full disclosure) way back in 2004 for Windows XP.  Using airbase-ng (part of the Aircrack-ng suite of tools) this same attack works against the latest versions of iOS5 and iOS6 (iPhone and iPad), Blackberry OS, and Android.  Apple’s iOS, from AT&T Wireless, even comes with a helpful default profile so you can attack a device right out of the box (see Tweet by HD Moore).  The only mobile OS that does not have this issue is Windows 8 on the new Nokia phones.  I don’t know a soul that has one of these phones so I hung out in an AT&T Wireless store to conduct my testing.  Those Microsoft devices will not associate with any Airbase-ng APs that mimic APs from the device’s probe packets.  Some individuals have tried to tell the world about this issue.  A great Youtube video was created by Jeffery Wilkins demonstrating this issue.  Vincent Costagliola at patctech.com wrote this article mentioning the same issue.

My testing has shown that an iPhone will connect to airbase-ng even if it is already connected to a WPA encrypted access point.  Just as described by Max Moser in 2004.

My Custom Power Pwn

See the Security Bsides Atlanta talk (when it gets posted) at http://www.securitybsides.com/w/page/58266249/BSidesATL-2012.  Powerpoint slides can be found here.

The people over at PwnieExpress are coming out with a neat device called the Power Pwn. This device follows up on the Pwn Plug and the PwnPhone (Nokia N900). With my experience as a penetration tester and junior hardware hacker I’ve been working on my own “pwn” hardware. I have a Nokia N810 as well as an Alix 6f2 (PCEngines.ch). I purchased an APC BE650R Battery Backup Power Strip off of Ebay and gutted the inside to fit the Alix board. I integrated the Alix connectors for the serial, ethernet, and external antenna connectors with the existing APC coax, rj45, and rj50 ports.

The setup has an internal Xpal portable netbook charger that can run the Alix board for over 4 hours. However, the main power to the board is integrated with the APC power strip. Plugging in the APC will run power to the Xpal battery which in turn powers the Alix. Four of the eight plugs on the APC are also functional. I created a simple DB9 to RJ45 adapter for the serial connection so I can properly configure the device before use. Since the Xpal battery powers it for 4 hours I have plenty of time to get it configured and to its final pwnage destination.

I didn’t take any photos of the gutting of the APC but it involved a lot of dremel, plastic nipper, and xacto knife work. I do have photos of everything fitting together. The only missing item is the internal RP-SMA to female F pigtails. But as you can see in the photos you can fit some rubber duck antennas inside the APC with no problems. Also, the best part about the Alix 6f2 is that you can add a mini-pci express GSM card for out of band cellular access to the device. You don’t see the card installed on the Alix in the pictures. I currently have the card in a Mini PCI-E WWAN to USB Adapter for testing.

The software I run on the PCEngines Alix is Debian-for-Alix where I contributed to the wiki with instructions on how to install all the tools.