2012-08-05

The Wall of Sheep by Irongeek

I was searching a data dump from this year's DC20 Wall of Sheep and came across Irongeek's script.  The date stamp on his post was 2006, kinda old, but I just have to find the time to test it out.  I've also included the actual code at the bottom of this post.  There are links for a Slax iso at the bottom, but I'm not sure if it works, plus you might need a password by emailing Irongeek. 
 

Irongeek's Wall of Social Science Majors
(inspired by the Wall of Shame/Wall of Sheep)
        You all have seen the Wall of Shame/Wall of Sheep that they run at various hacker cons right? I know DefCON had one every year, and I saw something similar at PhreakNIC. Well, this is my version, the Wall of Social Science Majors. What the wall does is display the passwords of users at the con that are using insecure protocols. They set up a box on the gateway that sniffs for plaintext passwords (Telnet, HTTP Basic Authentication, FTP, POP3 etc. ) and displays them. Well, I could not find any code to do this on the web, so I made my own. You feed this PHP script with the output from Ettercap ("ettercap -Tq -d -m ettertest.log") and it seems to work pretty well, read the comments in the code for details on how to set it up. If you have any suggestions/changes/code fixes please email me. Feel free to use it on your con if you like.
Read the code and change the commenting to enable some of these features:
  • Display X characters of the password instead of the whole thing.
  • Change the automatic refresh rate.
  • Choose where the script finds the Ettercap log created with the -m option.

Download from:
Ver 1.2 (rename the txt file to shame.php)
Ver 1.0
Or you can get this 200MB+
Slax based live CD with Ver 1.2 of the Wall
(Having this up killed my bandwidth/connections limit with Dreamhost, email me for the password)
The CD has all of the basic tools needed to get the password wall up and running: Apache, Ettercap, PHP, Etc. However, you will have to edit the run scripts to fit your needs, your card may not be supported, and I'm not doing tech support if you have a problem with this Live CD. :)
Norad also set up a Rapidshare for the ISO:
http://rapidshare.com/files/25510785/igwall.0.1.part1.rar.html
http://rapidshare.com/files/25521883/igwall.0.1.part2.rar.html
http://rapidshare.com/files/25523205/igwall.0.1.part3.rar.html 
Here's the PHP script. (Rename it to shame.php)

<?php
/*
 Irongeek's Wall Of Shame Code ver. 1.2
Irongeek -at- irongeek.com
http://www.irongeek.com
Contributors: 
 Julien Goodwin <jgoodwin#studio442.com.au>

Just a fugly script I wrote to take a logfile from Ettercap and display 
passwords to a webpage.

Ettercap supports:
TELNET, FTP,  POP,  RLOGIN,  SSH1,  ICQ,  SMB,
       MySQL,  HTTP,  NNTP, X11, NAPSTER, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC,
       LDAP, NFS, SNMP, HALF LIFE, QUAKE 3, MSN, YMSG (other protocols  coming
       soon...)
 Some help from:
 http://www.php.net/
 http://www.theukwebdesigncompany.com/articles/article.php?article=165

Consider this code GPLed, but it would be sweet of you to link back to 
Irongeek.com if you use it.
 */

//// Configuration settings
// Refresh time (in seconds), set to 0 to disable
$refresh = 30;

/*Point the line below to the log file you are creating with:
         "ettercap -Tq -D  -m ettertest.log".
 if you get an error like:
 BUG at [ec_ui.c:ui_register:339]
 ops->input == NULL
 then try just "ettercap -Tq  -m ettertest.log" without the daemon option..
 Also, you could ARP poison the gateway if you like with a command like:
 ettercap -Tq  -m /tmp/ettercap.log -M arp /gateway-IP/ //.
*/
// Logfile generated by ettercap
$logfile = '/tmp/ettercap.log';

// Show duplicate entries?
$showdupes = false;

/*Set the below to just show the first X characters of the password, "all" to
show all, or none to show all *'s */
//$showxchar = 3;
$showxchar = 'all';
//$showxchar = 'none';

// Show service names (instead of port numbers)
$showservnames = true;

// Do a reverse DNS query of target (WARNING! use only with a good local DNS cache)
$resolvetarget = false;

?>
<HTML>
<HEAD>
<?php if ($refresh > 0) { ?>
 <META HTTP-EQUIV="Refresh" Content = "<?= $refresh ?>; URL=shame.php">
<?php } ?>
 <TITLE>Irongeek's Wall Of Shame</TITLE>
<style type="text/css">
<!-- 
 BODY {
  background-color: #FFFFFF;
 }

 .SNMP {
  color: #009900;
 }

 .HTTP {
  color: #330099;
 }

 .TELNET {
  color: #CC33CC;
 }

 .POP {
  color: #8888FF;
 }

 .FTP {
  color: #004400;
 }

 .VNC {
  color: #007080;
 }

 .SMB {
  color: #F07080;
 }

 .IRC {
  color: #FF3333;
 }

 .YMSG {
  color: #BBBB00;
 }

-->
</style>
</HEAD>
<BODY>
<?php

// Return the text of $somestring between $ss1 and $ss2 ('' or false for $ss2
// means "up to the end of the line"). Returns '' when nothing matches instead
// of tripping an undefined-index notice on $matches[1].
function between($somestring, $ss1, $ss2){
 if ($ss2 === false) {
  $ss2 = '';
 }

 $pattern = '/' . preg_quote($ss1, '/') . '\s*(.*)\s*' . preg_quote($ss2, '/') . '/';
 if (preg_match($pattern, $somestring, $matches)) {
  return trim($matches[1]);
 }
 return '';
}

// Mask a password according to $showxchar: 'all' shows it as-is, 'none' turns
// every character into '*', and an integer shows that many leading characters
// padded with '*' to a fixed width of 10.
function padpw($somestring) {
 global $showxchar;

 if ($showxchar === 'all') {
  return $somestring;
 } else if ($showxchar === 'none') {
  return str_repeat('*', strlen($somestring));
 } else {
  return str_pad(substr($somestring, 0, (int) $showxchar), 10, '*');
 }
}

function PrintCapItem($proto, $target, $user, $password, $info = false) {
 global $showservnames;
 global $resolvetarget;

// Split "host:port" - NOTE, we assume TCP here when looking up the service name
$server = explode(':', $target);
$host = $server[0];
$port = isset($server[1]) ? (int) $server[1] : 0;
$service = getservbyport($port, 'tcp'); // quick (and cached) operation, so we do it anyway
if (($service === false) || ($showservnames === false)) {
 $service = $port;
} else {
 $service .= ' <small>(' . $port . ')</small>';
}

if ($resolvetarget) {
 // gethostbyaddr() hands back the address unchanged (or false) when there is no PTR record
 $name = gethostbyaddr($server[0]);
 if (($name !== false) && ($name !== $server[0])) {
  $host = htmlentities($name) . ' <small>(' . $server[0] . ')</small>';
 }
}

?> <TR CLASS="<?= $proto ?>">
  <TD><B><?= $proto ?></B></TD>
  <TD><?= $host ?></TD>
  <TD><?= $service ?></TD>
  <TD><?= $user ?></TD>
  <TD><?= $password ?></TD>
 </TR>
<?php if ($info !== false) { ?>
 <TR CLASS="<?= $proto ?>">
  <TD></TD>
  <TD COLSPAN="4"><small><I>More Info:</I> <?= $info ?></small></TD>
 </TR>
<?php }
}

// Turn bare http(s) URLs in the INFO field into clickable links
function linkify($text) {
 return preg_replace('/(https?:\/\/[a-zA-Z0-9\-\?\&\.\/\=\;]*)/','<a href="\1">\1</a>',$text);
}

$contents = is_readable($logfile) ? file($logfile) : false;
if ($contents === false) {
 echo 'Ettercap logfile could not be opened.';
 die();
}

// Newest entries first. array_unique() keeps the first occurrence it sees, so
// reversing before de-duplicating keeps the most recent copy of a repeated line;
// move the array_reverse() below the if to keep the oldest copy instead.
$contents = array_reverse($contents);
if (!$showdupes) {
 $contents = array_unique($contents);
}

// Lines the parser could not place, shown when the page is called with ?debug
$trash = '';

?>
<h1 align="center">Irongeek's<BR>
Wall Of Shame</h1>

<p>Using protocols that pass your credentials insecurely at a hacker con? Shame on you! Keep away from protocols like authenticated FTP, POP3, TELNET and Basic HTTP non-anonymous without SSL/TLS when you can. Try encrypted tunnels like SSH or a VPN to get through possibly hostile networks when you have to use such insecure protocols. Have a nice day.</p>
<P align="right">Your buddy,<BR>
Irongeek</P>
<hr>

<TABLE BORDER="1" ALIGN="CENTER">
<thead>
<TR>
 <TH>Protocol</TH>
 <TH colspan="2">Target</TH>
 <TH>User</TH>
 <TH>Password</TH>
</TR>
</thead>
<?php
foreach ($contents as $line ) {
 $line   = htmlentities($line);
 $proto  = trim(substr($line, 0, strpos($line, ':')));
 $target = between($line, ' : ', ' -&gt;');
 switch ($proto) {
  case 'SNMP':
   $user     = 'N/A';
   $password = padpw(between($line, '-&gt; COMMUNITY:', 'INFO:'));
   $info     = between($line, 'INFO:', false);
   PrintCapItem($proto, $target,$user,$password, $info);
   break;

  case 'HTTP':
   $user     = between($line, 'USER:', 'PASS:');
   $password = padpw(between($line, 'PASS: ', '  INFO:'));
   $info     = linkify(between($line, 'INFO:', false));
   PrintCapItem($proto, $target,$user,$password, $info );
   break;

  case 'TELNET':
   $user     = between($line, 'USER:', 'PASS:');
   $password = padpw(between($line, 'PASS:', false));
   PrintCapItem($proto, $target, $user, $password);
   break;

  case 'POP':
   $user     = between($line, 'USER:', 'PASS:');
   $password = padpw(between($line, 'PASS:', false));
   PrintCapItem($proto, $target, $user, $password);
   break;  

  case 'FTP':
   $user     = between($line, 'USER:', 'PASS:');
   $password = padpw(between($line, 'PASS:', false));
   PrintCapItem($proto, $target, $user, $password);
   break; 

  case 'VNC':
   $user     = 'Challenge: ' . between($line, '-&gt; Challenge:', ' Response:');
   $password = 'Response: ' . between($line, ' Response:', false);
   PrintCapItem($proto, $target, $user, $password);
   break;

  case 'SMB':
   $user     = between($line, 'USER:', 'HASH:');
   $password = between($line, 'HASH:', false);
   PrintCapItem($proto, $target, $user, $password);
   break;

  case 'IRC':
   $user     = between($line, 'USER:', 'PASS:');
   $password = padpw(between($line, 'PASS:', 'INFO:'));
   $info     = between($line, 'INFO:', false);
   PrintCapItem($proto, $target,$user,$password, $info );
   break;

  case 'YMSG':
   $user     = between($line,'USER:', 'HASH:');
   $password = padpw(between($line, 'HASH: ', '  - '));
   $info     = between($line, '  - ', false);
   PrintCapItem($proto, $target, $user, $password, $info );
   break;

  case 'DHCP':
   break; // Just add any other protocols to hide to this list

  default:
   // Unknown protocol: if the line still looks like "PROTO : host:port -> USER: x  PASS: y", show it anyway
   if (strpos($line, ' : ') !== false && strpos($line, 'PASS') !== false){
    $target    = between($line, ' : ', ' -&gt; USER:');
    $user      = between($line, 'USER: ', '  PASS:');
    $password  = padpw(between($line, 'PASS:', false));
    PrintCapItem($proto, $target, $user, $password);
   }else{
    $trash .= '<TR><TD>' . $proto . '</TD><TD COLSPAN="4">' . $line . '</TD></TR>';
   }
   break;
 }
}
//Call the PHP script with a ?debug on the end to see the trash lines.
if (isset($_GET['debug'])) {
?>
<tfoot>
 <tr><th colspan="5">Debug messages</th></tr>
<?= $trash ?>
</tfoot>
<?php
}
?>
</TABLE>
<HR>
<CENTER>Source code for this &quot;Wall of Shame&quot; script can be found at 
<A HREF="http://www.irongeek.com/">http://www.irongeek.com/</A></CENTER>
</BODY>
</HTML>

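The protocols the wall catches leak credentials because the client sends them as readable bytes, and anyone with a tap on the gateway can read them. The Python below is an added example, not Irongeek's code and not part of Ettercap: it shows the extraction step a sniffer performs before a log line like the ones the PHP script parses ever exists. It pulls USER/PASS pairs out of FTP (RFC 959) and POP3 (RFC 1939) client traffic, decodes the HTTP Basic Authorization header (base64 of user:password, encoding rather than encryption), and masks the result the way the wall's "show X characters" option does. The payloads are constructed byte strings, not real captures; the port-to-protocol mapping (21, 110, 80/8080) is the same heuristic a sniffer uses and is an assumption of the example.

```python
"""Plaintext-credential extraction, the mechanism behind a Wall of Sheep.

Added example, not Irongeek's code and not part of Ettercap. Operates on
reassembled client->server TCP payloads (here: constructed byte strings).
"""
import base64
import re
from typing import List, Optional, Tuple

Cred = Tuple[str, str, str]  # (protocol, user, password)

# "Authorization: Basic <base64>" on its own header line (headers are case-insensitive)
_HTTP_BASIC = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I | re.M)
# FTP and POP3 both authenticate with a USER line followed by a PASS line
_CMD = re.compile(rb"^(USER|PASS)\s+(.*?)\r?$", re.I | re.M)


def extract_http_basic(payload: bytes) -> List[Cred]:
    """Decode every Basic header in the payload; skip malformed ones instead of crashing."""
    creds: List[Cred] = []
    for token in _HTTP_BASIC.findall(payload):
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8", "replace")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64: a broken client or a decoy, either way nothing to show
        if ":" not in decoded:
            continue  # RFC 7617 requires user:password; without the colon there is no pair
        user, password = decoded.split(":", 1)
        creds.append(("HTTP", user, password))
    return creds


def extract_user_pass(payload: bytes, proto: str) -> List[Cred]:
    """Pair each PASS with the most recent USER; a PASS with no USER is dropped."""
    creds: List[Cred] = []
    user: Optional[str] = None
    for cmd, arg in _CMD.findall(payload):
        value = arg.decode("utf-8", "replace").strip()
        if cmd.upper() == b"USER":
            user = value
        elif cmd.upper() == b"PASS" and user is not None:
            creds.append((proto, user, value))
            user = None  # a re-login needs a fresh USER line
    return creds


def mask(password: str, show: int) -> str:
    """Show the first `show` characters and star the rest (show=0 means stars only)."""
    if show < 0:
        raise ValueError("show must be >= 0")
    return password[:show] + "*" * max(len(password) - show, 0)


def extract(payload: bytes, dst_port: int) -> List[Cred]:
    """Dispatch on the server port (assumption: standard ports, as a sniffer would guess)."""
    if dst_port == 21:
        return extract_user_pass(payload, "FTP")
    if dst_port == 110:
        return extract_user_pass(payload, "POP")
    if dst_port in (80, 8080):
        return extract_http_basic(payload)
    return []


# Constructed sample client->server payloads (not real captures).
SAMPLES = [
    (21, b"USER alice\r\nPASS hunter2\r\nSYST\r\n"),
    (110, b"USER bob@example.test\r\nPASS correct horse\r\nSTAT\r\n"),
    (80, b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
         b"Authorization: Basic " + base64.b64encode(b"carol:S3cret!") + b"\r\n\r\n"),
    (80, b"GET / HTTP/1.1\r\nAuthorization: Basic not*base64\r\n\r\n"),  # malformed, skipped
]


def wall(samples=SAMPLES, show: int = 3) -> List[Cred]:
    """Rows of (protocol, user, masked password), the same columns the wall displays."""
    rows: List[Cred] = []
    for port, payload in samples:
        for proto, user, password in extract(payload, port):
            rows.append((proto, user, mask(password, show)))
    return rows


if __name__ == "__main__":
    for row in wall():
        print("%-5s %-20s %s" % row)
```

Telnet is missing on purpose: its login is a character-at-a-time echo exchange with no USER/PASS framing, which is why sniffers reconstruct it from the full session rather than from individual commands. SMB, VNC and Yahoo Messenger, which the PHP script also handles, send challenge/response or hashed material instead of the password, so for those the wall shows the hash and leaves cracking to the viewer.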


2012-07-31

DEFCON 20: Network Forensics Puzzle Contest

Decryption keys and answers for the DEFCON 20 Network Forensics Puzzle Contest are listed below.  The website indicated that they would provide a full write-up of the solution.

If you're wondering where the questions are, they were on CDs handed out during the con when you registered to play.  You just have to go to the DC Contest Area and look for their desk.  The moderators will give you a piece of paper where you write your team name and a phone number where they can text you the decryption keys.  They will also give you a cell number where you can text your answers.  For every correct answer you text them, they text you back the decryption key for the next round, and so on.

I guess if you can read packets, write code, analyze and listen to talks at the same time during the con, then you have a good chance of having a productive Defcon weekend. 



Decryption Keys
Contest Container: W3lc0m3toNFPC2012@defcon
Round2: Aw3s0m3s4uc3@
Round3: DFC=w00t!
Round4: 4r3g3ttingh4rd
Round5: tHiswi11b3fun#
Round6: Th3R4c3is0n$

Answers to DEFCON 2012 Contest Questions
Round 1 Answer: 99901
Round 2 Answer: Golden Alley
Round 3 Answer: ICdarkwater
Round 4 Answer: 15684-b5.12
Round 5 Answer: 2300
Round 6 Answer: Dogfort

2012-07-30

DEFCON 20: Swag and Con Stash

I was able to acquire the items I planned to get this year.  The only item I missed out on was the RFID reader because the vendor ran out.  I got 2 badges and all 3 lanyards.  You'll need all 3 lanyards (green, red, yellow) to solve the puzzles.  I also got the Defcon backpack and pocket books.  I was also able to get my copy of Metasploit signed by Dave.  Other acquisitions worth mentioning: Reaver Pro and the Wifi Pineapple Elite.  My badge was able to pair with a number of other badges, minus the Artist and the Uber.  I remember pairing with an Artist on Saturday night, but obviously it did not dock properly.  As far as the Uber was concerned, I did try to find any of the contest winners Sunday afternoon after the Closing Ceremonies, but it seemed like every one of them was rushing to the airport or to the next party in Rio.  Either way, my badge still reported my rank as "Hustler".


DEFCON 20: Badges

Here are the Defcon 20 badges (pics borrowed from the Parallax website).  Parallax had the awesome job of making them this year, and they did an amazing job.  You can read all about it on their website.



Each badge is issued according to the type of attendee you are.  I personally think that, other than the Uber (black), the Goons (red) and the Press (blue/yellow) had the best badges.  They have an infrared sensor that can dock with other badges.  According to 1o57, docking with all the badge types reveals an easter egg.  To check what you have so far, you'll have to plug your badge into the Parallax Serial Terminal at 57,600 bps to see who you have encountered.  You can see my badge results below.  I thought I was able to pair with an Artist but it obviously did not dock.  The Uber (contest winner) badge holders were pretty hard to locate since those are not given out until the end of the con.  Most of them just rush to the airport...



The Human badges also come in multiple variations; I'm not sure how many there were.  According to DT, they made 16,500 badges this year.  The rough estimate for attendees was about 15,000, so they had extra Human badges after the con.  He has announced that they will be selling the badges for $40 each.  

The Defcon 20 badge and Always panty liners..

I was searching the hotel room for some kind of material that could at least protect the DEFCON 20 badges and survive the trip home in my backpack without breaking in half. I came across the perfect size in length and protection.... my lovely wife's Always panty liner box...
The fit is perfect and offers complete protection!

2012-07-28

Defcon 20th Anniversary Hacker Jeopardy Challenge Coin

Defcon 20 Hacker Jeopardy Challenge Coin Limited Edition #21
This coin was not available at the swag booth.  It could be acquired only at the Hacker Jeopardy contest during the Friday night elimination and the Saturday night finals.  Winn was giving it away to individuals from the audience for answering hard Hacker Jeopardy questions.  Other than that, the only other way to get it was to donate to the EFF.  I do not know exactly how many were made or given away, but it would have been awesome if I had got #20 for Defcon's 20th Anniversary.  BTW, it doubles as a bottle opener.






Hak5 Challenge Coin
 I also got the Hak5 challenge coin courtesy of Snubs.  It has little stamps of pineapples (wifi pineapple) on it.  I thought it was a pretty cool coin also, but I don't think I can win any free drinks with it.   But it's still pretty cool.

Defcon 20 gear.

I did not finish prepping my gear this year. Plus, the hotel we are staying in does not have free wifi. Thank God for high-gain wifi antennas; I'm now leeching wifi from the hotel next door.
So here's the gear for this year:
MacBook Pro: Lion plus Virtual Box running a variety of Linux, Backtrack and yes, ehem Windows 8 preview.
Gateway NetBook: aka my Defcon laptop - triple booting Ubuntu, Backtrack 5 and Windows 7.
1 iPhone
1 Android
I also brought my wifi Pineapple for fun...
Variety of cables and power cords
No, I didn't bring a soldering iron this year. Being unprepared this year... I think I might have to rebuild the netbook after the Con.

Defcon 20: Hackers and Feds.

It was unimaginable a few years ago to ever think we would actually align with the Feds. Gen. Alexander on stage at DEFCON 20! Commander of the US Cyber Command and Director of the National Security Agency.... boom! major street cred!

Update: The General's talk was voted worst talk during the Defcon Recognition Awards.  DT had to inform him that he won the worst talk award.

2012-07-27

The Defcon 20 Rotunda Clues









For the 2nd year at Defcon, clues were left on the rotunda floors by 1o57.  I didn't spend any time figuring them out this year for a number of reasons, basically technical ones.  I was not able to connect to the Defcon Secure Wifi, so my resources were an issue. In any case, I hope the pictures help with your personal entertainment and learning.  There were more clues tweeted by 1o57 from his Twitter account, so the bread crumbs are all over the place.  You just have to put it all together.

2012-03-16

Apache Web Server Recon Info

The Apache Directory Structure

The Apache software is typically distributed into the following subdirectories:
cgi-bin This is where many, if not all, of the interactive programs that you write will reside. These will be programs written in Perl, Java, or other programming languages.
conf This directory contains your configuration files.
htdocs This directory contains your actual hypertext documents and typically has many subdirectories. It is known as the DocumentRoot.
icons This directory contains the icons (small images) that Apache uses when displaying directory listings.
images This directory contains the image files (GIF or JPG) that you use on your web site.
logs This directory contains your log files, the access_log and error_log files.
sbin This directory contains the server executables, such as httpd itself.
The Apache Configuration Files
    access.conf The security configuration file. Contains instructions about which users should be able to access what information.
    httpd.conf The server configuration file. Typically contains directives that affect how the server runs, such as the user and group IDs it should use when running, the location of other files, etc.
    srm.conf The resource configuration file. Contains directives that define where documents are found, how to map addresses to filenames, etc.
    mime.types A configuration file that relates filename extensions to file types.
Note that the three-file split is the Apache 1.x layout: since 1.3.4 the directives from access.conf and srm.conf are consolidated into httpd.conf, and Apache 2.x installs ship only httpd.conf (plus whatever files it pulls in with Include), so on a current target expect one main file rather than three. The directory names above are also only the defaults of a source build; packaged builds relocate them (for example /etc/apache2 on Debian and Ubuntu, /etc/httpd on Red Hat).
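Recon against this layout comes down to asking the server for the paths it aliases by default and reading what comes back. The Python below is an added example, not from the original page: it probes for the /icons/ and /cgi-bin/ aliases that Apache's stock httpd.conf sets up, the apache_pb.gif feather icon that ships in the icons directory, the Server header, and the <address>Apache/... Server at ... Port ...</address> footer Apache appends to its error pages when ServerSignature is On. The HTTP fetcher is injected, so the example runs here against two constructed response sets; plug in a real client (urllib, requests) only against a host you are authorised to test. The hostnames, version strings and bodies in the fakes are made up.

```python
"""Apache fingerprinting from default paths. Added example, not from the original page."""
import re
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str], str]   # (status, headers, body)
Fetcher = Callable[[str], Response]          # GET path -> Response

# Footer Apache emits on its error pages when ServerSignature is On
_SIGNATURE = re.compile(r"<address>(Apache[^<]*?) Server at ", re.I)
# Title mod_autoindex puts on a directory listing
_LISTING = re.compile(r"<title>Index of (/[^<]*)</title>", re.I)


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def probe(fetch: Fetcher) -> List[str]:
    """Return findings that point at Apache; an empty list means nothing Apache-like was seen."""
    findings: List[str] = []

    _, headers, _ = fetch("/")
    server = _header(headers, "Server")
    if server.lower().startswith("apache"):
        findings.append("Server header: " + server)

    # A path that cannot exist yields the stock 404 page, footer included
    _, _, body = fetch("/this-path-should-not-exist-4a2f")
    match = _SIGNATURE.search(body)
    if match:
        findings.append("ServerSignature leaks version: " + match.group(1))

    # Default aliases: 200 + "Index of" = listing enabled; 403 = something is there but
    # forbidden (weak evidence, a generic deny-all looks the same); 404 = alias absent
    for path in ("/icons/", "/cgi-bin/"):
        status, _, body = fetch(path)
        if status == 200 and _LISTING.search(body):
            findings.append("directory listing enabled on " + path)
        elif status == 403:
            findings.append(path + " is forbidden rather than missing (weak indicator)")

    # The feather logo lives in icons/ in a stock install; serving it confirms the alias
    status, headers, _ = fetch("/icons/apache_pb.gif")
    if status == 200 and _header(headers, "Content-Type").startswith("image/"):
        findings.append("/icons/apache_pb.gif served: default icons/ alias present")

    return findings


# --- constructed responses, not real captures --------------------------------

def fake_apache(path: str) -> Response:
    """Imitates a stock Apache 2.4 with full ServerTokens and ServerSignature On."""
    hdr = {"Server": "Apache/2.4.41 (Ubuntu)"}
    if path == "/":
        return 200, hdr, "<html><body>welcome</body></html>"
    if path == "/icons/":
        return 200, hdr, "<html><head><title>Index of /icons</title></head></html>"
    if path == "/cgi-bin/":
        return 403, hdr, "<html><h1>Forbidden</h1></html>"
    if path == "/icons/apache_pb.gif":
        return 200, {"Server": hdr["Server"], "Content-Type": "image/gif"}, "GIF89a..."
    return 404, hdr, ("<html><h1>Not Found</h1><hr>"
                      "<address>Apache/2.4.41 (Ubuntu) Server at intranet.example Port 80</address>"
                      "</html>")


def fake_other(path: str) -> Response:
    """Imitates a server that is not Apache: no aliases, no signature, nothing to report."""
    return 404, {"Server": "nginx"}, "<html><h1>Not Found</h1></html>"


if __name__ == "__main__":
    for finding in probe(fake_apache):
        print(finding)
    print("other:", probe(fake_other))
```

The defensive reading of the same list is the hardening checklist: ServerTokens Prod and ServerSignature Off remove the version strings, dropping the /icons/ alias and Options -Indexes remove the listing, and none of that changes how the server actually behaves for legitimate clients.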
      

2012-03-13

!pastebin :: ftp-passwords

. /$$ /$$ /$$$$$$
.| $$ | $$ /$$__ $$
.| $$ /$$ /$$| $$ /$$$$$$$$| $$ \__/ /$$$$$$ /$$$$$$$
.| $$ | $$ | $$| $$|____ /$$/| $$$$$$ /$$__ $$ /$$_____/
.| $$ | $$ | $$| $$ /$$$$/ \____ $$| $$$$$$$$| $$
.| $$ | $$ | $$| $$ /$$__/ /$$ \ $$| $$_____/| $$
.| $$$$$$$$| $$$$$$/| $$ /$$$$$$$$| $$$$$$/| $$$$$$$| $$$$$$.$
.|________/ \______/ |__/|________/ \______/ \_______/ \_______/

//Laughing at your security since !
//fuck sabu
//lulzsecreborn(Xeus)

www.global-telecom.co.uk
Global Telecom FTP Accounts


FTP Host Username Password
global-telecom.co.uk globaltelecom CaT8maX
start.global-telecom.co.uk start hU4bNaa
uploads.global-telecom.co.uk uploads globaluser
telecomglobal.co.uk telecomglobal A4rDFcv
globaltelecomuk.com globaltelecomuk Fi5LocS
globalcallsaver.co.uk globalcallsaver 31QwunL
global-wholesale-telecom.com globalwholesale AwE32lk
globaltelecombroadband.com globalbb EQ2vgHl
globaltelecomvoip.com globalvoip Re2Avzc
entrepreneursinspired.com einspired QasG98p
inglesfamily.co.uk ingles Yqrv3Xl
globaltelecomeurope.eu globalte AfTar61
globaltelecom999.com globalta 9ukf2Xq
globaltelecomeurope.es globaltes Rarv9Lu
hosting5.123-reg.co.uk philpingles-1516144 n6q5FMju
uk0844number.co.uk uk0844number daewoo
uk03numbers.co.uk uk03numbers daewoo
uk0300numbers.co.uk uk0300numbers daewoo
uk0303numbers.co.uk uk0303numbers daewoo
uk0330numbers.co.uk uk0330numbers daewoo
uk0333numbers.co.uk uk0333numbers daewoo
uk0845numbers.co.uk uk0845numbers daewoo
uk0800numbers.co.uk uk0800numbers daewoo
uk03xxnumbers.co.uk uk03xxnumbers daewoo
dads-inspired.com dadsglobal daewoo
03ukwidenumbers.com globalwide daewoo

2012-02-13

Mac fun with the Terminal application

Add "Quit Finder" on the Finder menu

This will display pure wallpaper on the desktop.  Gone is the annoying (IMHO) Finder that is always running from the time you power up your awesome MacBook Pro; Finder will act like any other application.  Oh, BTW, to shut down or log off, press Control + Eject to bring up the choices.
defaults write com.apple.finder QuitMenuItem -bool YES
To kill the Finder:  killall Finder
  • Control-Eject: opens the Shutdown dialog. From here you can choose to shut down, restart, or put your Mac to sleep.
  • Command-Option-Eject: hold these keys down for a few seconds to put your Mac to sleep without a confirmation dialog.
  • Command-Option-Control-Eject: this fistful of keys gracefully shuts down your Mac while giving you the option to save any open documents.
  • Power button: if your Mac's power button is in easy reach, press it once to open the Shutdown dialog.
Disable Dashboard

If you don't want or like the Dashboard running, you can disable it. Change YES to NO to enable it again.

defaults write com.apple.dashboard mcx-disabled -boolean YES
killall Dock
How to show all Invisible/System Files on your MacBook Pro.
Remember when you used to click "show hidden files" on Windows? Well, this is the equivalent.  Microsoft and Apple just want to protect the system files from being messed with by "users" who have no business messing with them.  Well, if you are reading my blog, you're not a "user" and wouldn't mind crashing your Mac or PC a few times for academic purposes.

defaults write com.apple.finder AppleShowAllFiles true
The change takes effect once Finder is relaunched (the killall Finder command above does that).  To bring it back to normal, replace "true" with "false" and relaunch Finder again.
Make your Computer Talk
say (any words here)
Make a Banner with any Words

Click and drag the Terminal window to make it bigger to see this trick. Type in banner and it will ask you for some words (keep it short).
Private Terminal Chat Room

Type in emacs and hit Enter, then press Esc followed by the x key. Type in the word "doctor" and hit Enter. (This is Emacs's built-in ELIZA-style psychotherapist, so the "chat" is with the editor itself.)
Invert screen
Another function that not many Mac users know is "Invert screen". Just press Ctrl-Option-Cmd-8 on your keyboard and watch your Mac invert its colours.
 
Ultimately here's more - http://www.danrodney.com/mac/index.html