Ophcrack 2.2 Password Cracker

Ophcrack is a Windows password cracker based on a time-memory trade-off using rainbow tables. This is a new variant of Hellman’s original trade-off, with better performance. It recovers 99.9% of alphanumeric passwords in seconds.

Changes:

  • (feature) support of the new table set (alphanum + 33 special chars – WS-20k)
  • (feature) easier configuration for the table set (tables.cfg)
  • (feature) automatic definition of the number of tables to use at the same time (batch_tables) by queriying the system for the size of the memory
  • (feature) speed-up in tables reading
  • (feature) cleaning of the memory to make place for table readahead (linux version only)
  • (feature) improved installer for windows version
  • (fix) change of the default share for pwdump4 (ADMIN$)

Get it at http://sourceforge.net/projects/ophcrack
Labels: ,

Sealing Wafter – Defend Against OS Fingerprinting for OpenBSD

One way to defend against OS fingerprinting from tools such as nmap, queso, p0f, xprobe etc is to change the metrics that they base their analysis on.

One way to do this with OpenBSD is to use Sealing Wafter.

Goals of Sealing Wafter:
  1. To reduce OS detection based on well known fingerprints network stack behavior.
  2. To have the ability to load custom rules into the stack.
  3. To unload, modify, reload the kernel module with on the fly rules. (great feature at packet parties)
  4. To learn how the magic of tcpip stacks work.

What Sealing Wafter currently provides:
  1. Hide from Nmap Syn/Xmas/Null scans, as well as the specific fingerprinting packets.
  2. Ability to see what your stack is receiving without the need to drop your network device into promisc mode.
  3. Complete control over rules that you can load on the fly todeal with specific incoming packets.
  4. Initial support for several OS passive detection has been added for SYNs.

Weaknesses in current Sealing Wafter:
  1. Full connection scans. e.g. nmap -sT will still find open ports. this is because I have yet to find anything that seperates a real tcp connection vs an nmap full connection. (most likely isn’t one.)
  2. Can be very verbose when under heavy load. I have run this on my heaviest web servers, and have not noticed any major overhead.

Download the c code for the LKM here: Sealing Wafter
Labels: ,

kArp – Linux Kernel Level ARP Hijacking/Spoofing Utility

Introduction

kArp is a linux patch that allows one to implement ARP hijacking in the kernel, but control it easily via userland. You may configure, enable and disable kArp via ProcFS or the sysctl mechanism.

kArp is implemented almost on the device driver level. Any ethernet driver (including 802.11 drivers) is supported. The kArp code is lower than the actual ARP code in the network stack, and thus will respond to ARP requests faster than a normal machine running a normal network stack, even if the machine we’re spoofing has a CPU twice as fast as ours!

Functionality

  • ARP Hijacking - Enabling ARP spoofing allows a user to spoof an ARP response to a specific victim host. Due to the low level at which the code exists, our spoofed packet is guaranteed to arrive at the victim’s network stack prior to the response of the machine we’ve impersonated.
  • ARP Hijacking the Impersonated – Enabling this function via arp_send_to_spoofed allows us to spoof the victim’s information to the impersonated machine as well, helping to solidify the MiM attack. However, this functionality may kill the speed of our spoofed frame to the victim, so it isn’t enabled by default.
  • ARP Flooding – Enabling this function via arp_flood causes the kernel to send a flood of random source and destination MAC addresses via a broken ARP frame. On some switches this will fill its internal MAC table, or overflow it. Often, the result of this attack is forcing the switch to fall back to dumb hub mode, allowing us to sniff the wire without a MiM attack.

Warning

kArp was written to beat the race in responding to an ARP Request from a target (victim) machine. It is *not* meant as an tool to flood a victim with ARP information. This means that some operating systems (MacOSX) that ingest unsolicited ARP responses may still obtain the actual MAC address of the machine we’re impersonating. Linux, however, only accepts the fastest response. If you want to flood a machine with fake ARP responses, use a userland tool.


For now, the URL is:

http://aversion.net/~north/karp/
Labels: ,

pwdump6 version 1.2 BETA

Version 1.2 (Beta) of the pwdump6 software has been released.

There are three major changes from the previous version:

  • Uses “random” named pipes (GUIDs) to allow concurrent copies of the client to run. This is predominately for the next version of fgdump, which will be multithreaded.
  • Will turn off password histories if the requisite APIs are not available (there are instances in which this is the case) – pwdump will no longer simply refuse to grab the hashes that it can.
  • Data is now encrypted over the named pipe using the Blowfish algorithm. More information on this is available on the website.

pwdump is a very useful tool for grabbing the password hashes directly from Windows (you do need Administrator access, so in some situations you need to escalate your priveleges first).

It is still useful though, as normally with Admin access on a Windows box you can’t get the SAM file as it’s locked by the OS, the only way normally is to boot using a Security LiveCD and save it to a USB drive or e-mail it to yourself.

You can grab the latest version of pwdump here.
Labels: , ,

Windows Rootkits

Windows Rootkits are a big rarity in this modern web hacking tehnology…
I won’t speak exactly about rootkits, because it’s impropriate to call them that way… why? Well rootkits are programs that aid you in getting access to root level users…

So in the case we are using Windows "rootkits" we should call them admkits (admin kits [©copyrighted to me of course])…. So let’s cut the **** and get down to serious business.

Note: the following admkits are from www.packetstormsecurity.org, there also could be others available on the net… not just the following 4

_ROOT_040

Windows NT Rootkit v0.04 alpha – Hides processes, files, directories, has k-mode shell using TCP/IP – you can telnet into rootkit from remote. Hides registry keys – (keyboard patch disabled in this build.) Includes execution redirection.


Fake Netstat

Fake Netstat is a windows copy of netstat which can hide certain network connections. Requires renaming the original netstat.


NT BindShell

Ntbindshell is a lightweight (24k compiled) cmd.exe backdoor for Windows. Full C source included. Provides two modes of operation – standard (listening mode) or reverse-connect mode. Includes the ability to install itself as a system service, providing a shell with LocalSystem privileges.


reverseTelnet

Reverse telnet redirector / port redirector and front end console for Windows. Perfect for firewall bypassing from inside out. Can be used for bouncing connections, piping or relaying data, or as a quick MIM chat server. Windows executable form only.


More information of course can be found in the readme files from the archive…
Labels: ,
Subscribe to: Posts (Atom)