#!/usr/bin/perl
use File::Copy;
############################################################################
# Vigenere translation table
############################################################################
# Translation table used by Decrypt(): the obfuscated byte at position n is
# XORed with $V[(salt + n) % 53].  Index of the first entry in each row is
# noted so a value can be looked up by eye.
our @V = (
    0x64, 0x73, 0x66, 0x64, 0x3b, 0x6b, 0x66, 0x6f,   #  0 ..  7
    0x41, 0x2c, 0x2e, 0x69, 0x79, 0x65, 0x77, 0x72,   #  8 .. 15
    0x6b, 0x6c, 0x64, 0x4a, 0x4b, 0x44, 0x48, 0x53,   # 16 .. 23
    0x55, 0x42, 0x73, 0x67, 0x76, 0x63, 0x61, 0x36,   # 24 .. 31
    0x39, 0x38, 0x33, 0x34, 0x6e, 0x63, 0x78, 0x76,   # 32 .. 39
    0x39, 0x38, 0x37, 0x33, 0x32, 0x35, 0x34, 0x6b,   # 40 .. 47
    0x3b, 0x66, 0x67, 0x38, 0x37,                     # 48 .. 52
);
############################################################################
############################################################################
# Usage guidelines
############################################################################
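# Print usage and stop when no password was given.  The original fell through
# to Decrypt() with an undefined argument; exiting here keeps the output to the
# usage text only.  "\n" was restored in the messages (the newline escapes had
# been lost, so every line ended in a literal "n").
if (!defined $ARGV[0] || $ARGV[0] eq ""){
    print "This script reveals the IOS passwords obfuscated using the Vigenere algorithm.\n";
    print "\n";
    print "Usage guidelines:\n";
    print " cdecrypt.pl 04480E051A33490E # Reveals a single password\n";
    # NOTE(review): the file-rewrite mode this line describes is not implemented
    # in the visible script (File::Copy is imported but never used) -- confirm
    # whether that mode was dropped or lives in another version.
    print " # Original file stored with .bak extension\n";
    exit 1;
}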
############################################################################
# Process arguments and execute
############################################################################
print Decrypt($ARGV[0]) . " " . $ARGV[0] . "\n"; # Prints the plain text password and the encrypted one
############################################################################
# Vigenere decryption/deobfuscation function
############################################################################
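sub Decrypt{
    # Reverse the IOS "type 7" (Vigenere-style) password obfuscation.
    #
    # $pw    : the obfuscated string as stored in the config -- a two-digit
    #          decimal salt (starting index into @V) followed by hex byte pairs,
    #          e.g. "04480E051A33490E".
    # Returns: the recovered cleartext, or '' when $pw is undefined or not in
    #          that format.  Rejecting malformed input up front means hex() is
    #          never fed garbage and @V is never indexed with a non-number.
    my $pw = shift(@_);
    return '' unless defined $pw
        && $pw =~ m{\A [0-9]{2} (?:[0-9A-Fa-f]{2})* \z}x;

    my $table_size = scalar @V;
    # Wrap the salt as well: the original only wrapped after each byte, so a
    # salt of 53 or more read past the end of the table.
    my $i = substr($pw, 0, 2) % $table_size;
    my $r = '';

    # Every pair of hex digits after the salt is one obfuscated byte; XOR it
    # with the current table entry and advance (wrapping) through the table.
    for my $pair (unpack '(A2)*', substr($pw, 2)) {
        $r .= chr(hex($pair) ^ $V[$i]);
        $i = ($i + 1) % $table_size;
    }
    return $r;
}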
This blog is for educational purposes only. The opinions expressed in this blog are my own and do not reflect the views of my employers.
Tuesday, August 27, 2013
Saturday, August 10, 2013
Using aircrack-ng, airdecap-ng, tshark, and grep regex
Recently, in a capture-the-flag event, I had to use aircrack-ng to recover the WEP key from a packet capture, then airdecap-ng to decrypt the WEP packets and export them to a new capture, tshark to dump that capture to text, and finally a grep regular expression to extract the base64-encoded HTTP Basic Authentication username and password.
Below are the commands that I ran to accomplish this:
# aircrack-ng WIRELESS-C2.cap
Opening WIRELESS-C2.cap
Read 73650 packets.
# BSSID ESSID Encryption
1 00:40:10:20:00:03 Wireless Challenge Two WEP (25704 IVs)
Choosing first network as target.
Opening WIRELESS-C2.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 25704 ivs.
Aircrack-ng 1.2 beta1
[00:00:00] Tested 397 keys (got 25082 IVs)
KB depth byte(vote)
0 2/ 4 DA(31232) C0(30976) 22(30720) E8(30720) 16(30208) 25(30208) D0(30208)
1 0/ 1 1C(35840) 03(32256) 7F(32000) B7(32000) F2(30464) 95(30208) 86(29952)
2 0/ 5 91(34048) CC(33792) 2D(32512) 58(31232) 84(31232) 2F(30720) 3D(30720)
3 5/ 26 0A(30208) 39(30208) 5B(30208) 62(29952) ED(29696) 02(29696) 2E(29696)
4 0/ 1 C4(35072) 19(31744) 31(30464) CD(30208) 10(29696) 6E(29696) D5(29696)
KEY FOUND! [ C0:1C:91:0A:C4 ]
Decrypted correctly: 100%
# airdecap-ng -w c01c910ac4 WIRELESS-C2.cap
## Open up in Wireshark the WIRELESS-C2-dec.cap
## Add filter for (http.request.method == "GET") || (http.request.method == "POST")
## After the filter is applied find the management.asp page
## Right-click and follow TCP stream
## In the open window you find the "Authorization: Basic cm9vdDphZG1pbg=="
## The base64 string is only an encoding (not encryption) of the admin username and password
## Decoded the username and password is root:admin
## OR you can use tshark and export the packet information to a file
# tshark -V -r WIRELESS-C2-dec.cap > WIRELESS-dec.txt
## Then wrote a short and sweet regex to extract base64 encoded strings (it keys on the trailing "=" padding, so base64 values that happen to need no padding will not match)
# cat WIRELESS-C2-dec.txt | grep '\+*[A-Za-z0-9]\{11,\}\+=' # Find base64 encoded text that is 11 characters or longer
## Voilà! Authorization: Basic cm9vdDphZG1pbg==\r\n
## Then you can decode it from the command line by doing the following
echo "cm9vdDphZG1pbg==" | base64 -d
# Note on WPA2 packet captures
#aircrack-ng <file>.cap -w Wordlist.txt - This is to find the password used
# Then to decrypt the packet capture
# airdecap-ng <file>.pcap -e <SSID> -p <password>
Below are the commands that I ran to accomplish this:
# aircrack-ng WIRELESS-C2.cap
Opening WIRELESS-C2.cap
Read 73650 packets.
# BSSID ESSID Encryption
1 00:40:10:20:00:03 Wireless Challenge Two WEP (25704 IVs)
Choosing first network as target.
Opening WIRELESS-C2.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 25704 ivs.
Aircrack-ng 1.2 beta1
[00:00:00] Tested 397 keys (got 25082 IVs)
KB depth byte(vote)
0 2/ 4 DA(31232) C0(30976) 22(30720) E8(30720) 16(30208) 25(30208) D0(30208)
1 0/ 1 1C(35840) 03(32256) 7F(32000) B7(32000) F2(30464) 95(30208) 86(29952)
2 0/ 5 91(34048) CC(33792) 2D(32512) 58(31232) 84(31232) 2F(30720) 3D(30720)
3 5/ 26 0A(30208) 39(30208) 5B(30208) 62(29952) ED(29696) 02(29696) 2E(29696)
4 0/ 1 C4(35072) 19(31744) 31(30464) CD(30208) 10(29696) 6E(29696) D5(29696)
KEY FOUND! [ C0:1C:91:0A:C4 ]
Decrypted correctly: 100%
# airdecap-ng -w c01c910ac4 WIRELESS-C2.cap
## Open up in Wireshark the WIRELESS-C2-dec.cap
## Add filter for (http.request.method == "GET") || (http.request.method == "POST")
## After the filter is applied find the management.asp page
## Right-click and follow TCP stream
## In the open window you find the "Authorization: Basic cm9vdDphZG1pbg=="
## The base64 string is only an encoding (not encryption) of the admin username and password
## Decoded the username and password is root:admin
## OR you can use tshark and export the packet information to a file
# tshark -V -r WIRELESS-C2-dec.cap > WIRELESS-dec.txt
## Then wrote a short and sweet regex to extract base64 encoded strings (it keys on the trailing "=" padding, so base64 values that happen to need no padding will not match)
# cat WIRELESS-C2-dec.txt | grep '\+*[A-Za-z0-9]\{11,\}\+=' # Find base64 encoded text that is 11 characters or longer
## Voilà! Authorization: Basic cm9vdDphZG1pbg==\r\n
## Then you can decode it from the command line by doing the following
echo "cm9vdDphZG1pbg==" | base64 -d
# Note on WPA2 packet captures
#aircrack-ng <file>.cap -w Wordlist.txt - This is to find the password used
# Then to decrypt the packet capture
# airdecap-ng <file>.pcap -e <SSID> -p <password>
Thursday, August 8, 2013