Milo2012's Security Blog

Cracking hashes using findmyhash

milo2012 — Tue, 24 Jan 2012 17:11:49 +0000

Hashcat http://hashcat.net/hashcat/ is the definitely tool to use for cracking hashes. It might be highly possible that the hash might have been cracked by others online.

Therefore, it might be more convenient to perform a lookup using the online free services before even trying to crack the hash with Hashcat.

findmyhash is a very useful tool for cracking the hashes using free online services.

Most of the password dumps have been appearing on websites like Pastebin.com and it makes it even more useful if findmyhash is able to find and crack md5/sha1 hashes located in a website link like pastebin. I have submitted a patch to https://code.google.com/p/findmyhash/issues/detail?id=7 for this new feature.

If you do not feel comfortable with another party knowing about the hashes, you should skip using findmyhash all together and dive straight to hashcat instead.

Cracking hashes from a url

To directly search and crack hashes from a url, you only need to key in the below commands

python findmyhash_v1.1.2.py MD5 -u http://pastebin.com/ddWYY634
python findmyhash_v1.1.2.py SHA1 -u http://pastebin.com/1YbcH2k5

Applying the patch

As the patch is not yet accepted and committed to the source, you can apply the patch listed at https://code.google.com/p/findmyhash/issues/detail?id=7 by performing the below actions

python findmyhash_v1.1.2.py -i findmyhash.patch -o findmyhash_v1.1.3.py

Video on how to use findmyhash 1.1.2

Below is a video on how to use findmyhash.py

https://www.youtube.com/watch?feature=player_embedded&v=O2I8pd2uMIU#!

Download File

You can download the updated findmyhash at http://pastebin.com/9GRTrNj7

Speed Improvement for Metagoofil (Intelligence Gathering)

milo2012 — Mon, 09 Jan 2012 19:39:30 +0000

I made some speed bumps to the source code for metagoofil by adding in some threading code to speed up the downloading process.
The below tests were done on a vmware guest with 4GB of ram with 1 processor (2 cores).

Results might varies on your machine.

For the below test, I ran metagoofil against microsoft.com for 100 pdfs.

Results show that you can get quite a significant speed improvement if you are downloading a lot of documents for analysis with metagoofil.

Download Links

If you adventurous enough to try the patch, you can download the patch or the updated metagoofil.py file from the below links

Patch: http://pastebin.com/J3d7yUkJ
Updated Metagoofil.py File: http://pastebin.com/AfpaUgQv

Let me know if you face any issues.

Metagoofil Fix (Intelligence Gathering)

milo2012 — Mon, 09 Jan 2012 12:20:15 +0000

Metagoofil is a useful tool to use for the passive reconnaissance in the intelligence gathering phrase of penetration testing.

Metagoofil is available for download at http://code.google.com/p/metagoofil

It allows you to extract useful metadata from public documents belong to a target company from search engine.

You can learn about using Metagoofil at Irongeek’s site http://www.irongeek.com/i.php?page=videos/using-metagoofil-to-extract-metadata-from-public-documents-found-via-google

I was trying to use metagoofil today. The results show that there are 7 files found but they are actually invalid links.

How to apply the patch?
You can download the patch from http://pastebin.com/prHBxqfK

Save the file from pastebin as parser.patch in the metagoofil-read-only folder.

To apply the patch, type “patch -i parser.patch” as shown in the below screenshot.

You should see the below lines in your updated parser.py file in your metagoofil-read-only folder.

Thank you for reading this post and enjoy having fun with using Metagoofil as much as I do.

OWASP Ajax Crawling Tool (Good Companion Tool to Burpsuite)

milo2012 — Tue, 27 Dec 2011 01:44:09 +0000

OWASP Ajax Crawling Tool is an awesome companion to the tool Burpsuite. It allows you to crawl ajax websites which is a feature missing from Burpsuite. Both are must have tools for penetration testing of modern Ajax websites.

The official website for ACT is https://www.owasp.org/index.php/OWASP_AJAX_Crawling_Tool

The current version of ACT 0.1a seems to have issues with crawling some Ajax websites due to some issues in the dependencies.

I have submitted the bugfixes to the website but it will take some time for the changes to be committed.

Below shows the screenshots of the results of the crawl before and after the patch.

Before the patch

After the patch
As shown in the below screenshot, extra 4 links were discovered after the patch.

I have also added the function of being able to specify the proxy server via command line mode.

Below is the temporary download link for the ACT if you can’t wait for the changes to be committed at the main site.

https://www.dropbox.com/s/gosq97z5vjlr09f/act-new.jar

Reversing LifeSize 220 HD Video Conferencing Appliance Firmware

milo2012 — Sun, 18 Dec 2011 17:46:27 +0000

I have recently taken an interest in finding vulnerabilities in embedded devices. Since it is expensive to purchase some of these equipments to perform testing, it might be more cost effective to reverse the firmwares instead.
The product which I am reversing is the LifeSize Room 220. LifeSize Room 220 is a HD video conference solution.

It looks like a fairly interesting product to learn more about reversing firmware.

More information about the product can be found here. http://www.lifesize.com/Products/Video/LifeSize_Room_Series/Room_220.aspx

First, we will need to install all the prerequisites in Debian.
$ apt-get install pkgconfig libglib2.0-dev libcurl4-gnutls-dev
$ wget http://zlib.net/zlib-1.2.5.tar.gz
$ tar xvfz zlib-1.2.5.tar.gz
$ ./configure && make && make install

Next, we will download the Lifesize firmware from a 3rd party’s website
$ wget http://videonations.net/upload/lifesize/LS_RM1_4.1.1_17.cmg

Next, we will downloading and compiling binwalk which will identify signatures of compressions/filesystems on the firmware
$ wget http://binwalk.googlecode.com/files/binwalk-0.4.1.tar.gz
$ ./configure
$ make && make install

$ binwalk LS_RM1_4.1.1_17.cmg

We will need to download cramfsswap which will convert the cramfs filesystem from big endian to little endian
$ apt-get install cramfsswap
$ cramfsswap LS_RM1_4.1.1_17.fs LS_RM1_4.1.1_17.cramfs

Next, we wil need to download firmware mod kit which contains uncramfs which can be used to extract the cramfs filesytem
$ mkdir /tmp1/image

$ apt-get install subversion
$ svn checkout http://firmware-mod-kit.googlecode.com/svn/trunk/ firmware-mod-kit-read-only
$ cd firmware-mod-kit-read-only/trunk/src/uncramfs
$ make
$ ./uncramfs /tmp/cramfs /tmp1/LS_RM1_4.1.1_17.cramfs

In order to properly emulate the device, we need to identify the processor type. We can do that by running the file command against /bin/busybox.

Having identified the processor type as PowerPC, we will then download and compile Qemu which will be used for emulation.
$ wget http://wiki.qemu.org/download/qemu-1.0.tar.gz
$ tar xvfz qemu-1.0.tar.gz
$ ./configure -static
$ make && make install

$ cp /tmp1/qemu-1.0/ppc-linux-user/qemu-ppc /tmp1/image
$ chroot . ./qemu-ppc ./bin/ls

We have successfully run /bin/ls command from the firmware image

milo2012 — Tue, 01 Nov 2011 01:01:15 +0000

A more in-depth writeup on the IPhone espionage project has been posted at http://resources.infosecinstitute.com/iphone-espionage/

Breaking Enterprise iPhone Application Security ?

milo2012 — Mon, 17 Oct 2011 20:09:51 +0000

There are a couple of enterprise iPhone applications out there that promises over the air and device encryption. (e.g. MS Exchange email sandbox apps).

However, there is a fundamental issue. Some of these iPhone applications are built upon the iOS frameworks like UIViewController which provides the layout of the applications.

It is possible to hook onto these classes on a jailbroken iPhone to perform screen captures of confidential emails in your so called sandbox applications. When used together with a iPhone keyboard logger (https://github.com/milo2012/iPhone-Espionage/tree/master/kbhook2) which hooks on the UIKeyboardImpl class and captures all keystrokes that you have entered, including any passwords.

In this case, if your jailbroken device is compromised, there is only so much you can do even if you are using an iPhone application that provides encryption or security.

Should you allow jailbroken iPhones in your organization?

Should your enterprise application detect if the device is a jailbroken iPhone and exit the application if a jailbroken iPhone is detected ?

Please let me know what you think.

Source code can be found at the below link
https://github.com/milo2012/iPhone-Espionage/tree/master/demoScreenCapture1

Slide deck and Short Video for iPhone Espionage talk at HackInTheBox Malaysia 2011

milo2012 — Thu, 13 Oct 2011 07:22:35 +0000

The slide deck can be downloaded here. http://t.co/PCm5M0gu .

A demo video for the basic tool can be found here http://www.youtube.com/watch?v=m3MOLmWE4UA

iPhone Espionage

milo2012 — Thu, 13 Oct 2011 07:17:28 +0000

Slashdot published this article “iPhone’s PIN-Based Security Transparent To Ubuntu” in May 2010. This shouldn’t work on Jailbroken iPhone 4 as the vulnerability is reported so long ago.

Using the below tool, you are able to access SMS database and other confidential information which are supposed to be protected on a passcode protected jailbroken iPhone. Well, if you have a non jailbroken iPhone, you are safe!

In order to recreate the demo that I did in HackInTheBox, you will need to run the below on your Ubuntu/Debian system or you can download the shell script from https://github.com/milo2012/iPhone-Espionage/raw/master/evil_gf_attack/setupPrerequisites.sh

apt-get install libusb-dev usbmuxd libimobiledevice-dev libplist-dev libgnutls-dev build-essential libgnutls-dev libxml2-dev libreadline5-dev libgcrypt-dev libglib2.0-dev libplist-dev libusbmuxd-dev usbmuxd make automake autoconf libtool gcc python-dev git libfuse-dev libimobiledevice-utils -y
mkdir /tmp1 && cd /tmp1
git clone https://github.com/mcolyer/libiphone.git
cd libiphone && ./autogen.sh && ./configure && make && make install
cd /tmp1
git clone https://github.com/mcolyer/ifuse.git
cd ifuse && ./autogen.sh && ./configure -prefix=/ && make && make install
cd /tmp1
wget http://www.libimobiledevice.org/downloads/ideviceinstaller-1.0.0.tar.bz2
bunzip2 -d ideviceinstaller-1.0.0.tar.bz2 && tar xvf ideviceinstaller-1.0.0.tar && cd ideviceinstaller-1.0.0 && ./configure && make && make install
cd /tmp1
apt-get install libgtk2.0-dev libnautilus-extension-dev intltool libzip-dev -y
wget http://www.libimobiledevice.org/downloads/nautilus-ideviceinfo-0.1.0.tar.bz2
bunzip2 -d nautilus-ideviceinfo-0.1.0.tar.bz2 && tar xvf nautilus-ideviceinfo-0.1.0.tar && cd nautilus-ideviceinfo-0.1.0 && ./configure && make && make install

After installing the prerequisites, create a folder called /tmp1 and download the file com.apple.CrashHousekeeping.plist and put it inside /tmp1

Since we are unable to use launchctl command to allow our binaries to run during setup, we need to find an alternative means.

It seems possible to overwrite the plist file for any iOS service and iOS doesnt do any verification at all. We have identified a list of launch daemons which can be safely replaced to execute our own executable instead. http://modmyi.com/forums/file-mods/682255-speed-up-your-iphone-ipod-removing-launch-daemons.html

You might want to modify the plist file with the time and executable that you want it to execute.

Next, you will download scanUSB.sh (from https://github.com/milo2012/iPhone-Espionage/blob/master/evil_gf_attack/scanUSB.sh) and put it inside /tmp1/ as well.

Run scanUSB.sh and then connect your iPhone to one of the USB ports on your computer.

It should rip out a couple of databases like google maps cached location, call history database, SMS database and cell tower location database.

It should not take more than 3 seconds if you connect it locally instead of via a VM.

Edit and compile https://github.com/milo2012/iPhone-Espionage/tree/master/sql2 and then save it in /tmp1/Transfer/sql12.

sql2 is a iPhone tool which is a POC code which extracts your Facebook caches/database as well as Dropbox offline files.
You can find more tools which you can deploy via scanUSB from here https://github.com/milo2012/iPhone-Espionage

You might want to recompile this with your own email address and password so that it delivers the information to your email.

Run /tmp/scanUSB.sh and then connect your iPhone.

Let me know if you face any issues or have any suggestions on how I can improve the tools. Enjoy!

Vulnerability for Harry’s Bar iPhone App

milo2012 — Sat, 03 Sep 2011 05:33:16 +0000

Harry’s Bar made this iPhone app which allows its customers to win prizes when patronizing its premises.

It is possible to win the grand prize of a bucket of Harry’s Beer by doing a MITM using Burp or another other proxy tool.

The server name is exhost.se. As you can see here, they did not prevent directory browsing.

Venues.xml looks interesting, it shows the probability for winning a certain prize as well as the ID for the prizes.

By doing a MITM and change the incoming ID to 6, you will be able to win a bucket of Harry’s Beer every single time.