Friday, February 24, 2012

Course Review - Offensive Security Wireless Attacks (WiFu)

The Background

After passing the OSCP, I enrolled for the Offensive Security Wireless Attacks (aka WiFu) course. This course is talking about how to attack a wireless rotuer no matter it is set to WEP, WPA or WPA2.

The Hardware

You are required to have at least one wireless device to act as victim (laptop with wireless card or smartphone, such as Android or iPhone) and a computer which is installed with BackTrack 5 R1 as an attacker. The attacker machine is recommended to have a USB adaptor (the USB adaptors that recommended on the official site). If you do not have wireless device as victim, you may consider to buy a wireless USB dongle for your desktop.

Furthermore, you are also required to have a wireless router or access point that equipped with WEP and WPA/WPA2 features (the models are recommeded on the official site).

Beware that not all the wireless dongles or wireless cards can be injected and in monitor mode. In addition, some wireless routers behaved unexpectedly when doing the attacks. For example, my dd-wrt flashed TP-LINK TL-WR1043ND do not perform some of the attacks, such as Korek Chopchop attack. However, not all access points can perform Korek Chopchop attack indeed. Therefore, the suggested hardwares in the official website are recommended to buy.

At the time of this writing, Netgear WNR1000v2h2 N150 can be bought in Hong Kong and it is not so expensive. However, I am not sure if this model is the one stated in the official site. You should not upgrade the firmware but you should downgrade it to v1.0.1.1 as the other version of firmwares do not provide WEP function. The older firmware can be downloaded from the Netgear official site.

My hardwares for the lab are as the following. Hope they can give you some idea :
(1) Access Point - TP-LINK TL-WR1043ND (flashed with dd-wrt v24-sp2 18024) (can be injected)
(2) Access Point - Netgear WNR1000v2h2 N150 (firmware v1.0.1.1)
(3) Victim - Google Nexus One (Android 2.3.6)
(4) Victim - TP-LINK TL-WN321G (54Mbps, Ver 4.1) (can be injected and in monitor mode)
(5) Victim - TP-LINK TL-WN821N (300Mbps, Ver 3.1) (can be injected and in monitor mode)
(6) Attacker - Cloned ALFA Networks AWUS036H USB 500mW (Realtek RTL8187L)

The Course

This course, version 3.0, is designed for beginners. It teaches you the wireless concept and its weakness. The most mentioned tool is Aircrack-NG Suite but it also mentioned others, such as tool that using GPUs for the brute forcing and other advanced tools. However, it does not cover the WPA/WPA2-Enterprise attack.

Offensive Security does not provide any lab for your access. You are required to set up your lab for practice. The hardwares that mentioned above are required for setting up your own lab.

The Challenge

The four hours challenge requires you to SSH to a BackTrack box in order to complete the objectives. After the challenge, you are required to submit your report within 24 hours.

Finally, the exam was over. Within 3 business days, I received an email which informed me that I passed the challenge. If you passed the challenge, you will be an Offensive Security Wireless Professional (OSWP). I am an OSWP now!

The Conclusion

In conclusion, this course will teach you all the basic wireless cracking.

Sunday, February 12, 2012

Automatic Backdoor Generator for Windows System

Astr0baby developed an automatic tools to generate a backdoor for Windows system.

Later, modified his work to make it workable on Back|Track 5. So, I made the modified source code available at here.

Then, I slightly modified's work and make a video at here for reference.

The evasion of anti-virus of the captioned generated file is not too good as some of the users posted the generated file to the free anti-virus scanners on the web and/or local anti-virus programs to confirm if it can be detected or not. The problem is that the free scanners on the web will submit the code to their companies for further analysis. So, their detection rate will be higher, just a kind of honeypot. Therefore, if you want to test the generated file locally, please make sure the box cannot surf the internet as the result will be submitted to the anti-virus company after the scan.

I found generation of backdoor automatically is quite interesting. I completely rewrite the code and it can embedded to an executable file. The code can do some simple input data validation too. The current version is 0.2 at the time of this writing. I made a video for the demo. However, the code will not be available at the moment as I am still consider to release the source code or not.

PDFs and image files can also be embedded backdoor to them in the similar way. Therefore, do not download any programs, PDFs and image files from any untrusted sources. Especially, any cracked softwares and free licensed ebooks are to be alerted. This does not only affected Windows system, Linux or Mac OS can be infected too.

That's all! See you.

Sunday, February 05, 2012

HOWTO : FreeNAS 8.0.3 RELEASE p1 USB device boot bug fix

The Problem

When I upgraded my FreeNAS to the latest version FreeNAS 8.0.3 RELEASE p1, it refused to boot and stop at the following message.

mountroot> GEOM: da0s1: geometry does not match label (16h,63s != 255h,63s).
GEOM: da0s2: geometry does not match label (16h,63s != 255h,63s).

I typed the following command and it boots fine.


The problem is that I need to type the captioned command on each boot up. How to solve this problem? Yes, I can.

The Solution

After the system is booting up and a menu is displayed. Select "9) Shell" to go to the shell prompt where we can do the following.

Step 1 :

nano /etc/fstab

Change from :
/dev/ufs/FreeNASs1a / ufs ro 1 1

To :
/dev/ufs/FreeNASs1a / ufs rw 1 1

Step 2 :

Then, save and exit the editor. Execute the following command :

mount -a

Step 3 :

Next, open up another file :

nano /boot/loader.conf

Change from :
#Fix booting from USB device bug

To :
#Fix booting from USB device bug

Save and exit the editor. Then reboot. This time, the boot up is much slower than before but it works. Problem solved!

That's all! See you.