esp8266 Bruteforce #2 CRAR

Zrzut ekranu 2018-03-27 o 22.40.18

Next day – next step.

So while being at the hotel after hours i finally decided to spend time on coding CRAR instead of watching the German Eurosport. One – i don’t understand a word, two time flies 3x faster during coding – so as i’m pretty much waiting for end of week to depart from here i started coding and testing.

First of all – Victim

So in order to test CRAR properly i had to find a good victim. Quickly downloaded the LAN Scan tool to figure out what’s happening here. The Hotel has a free WiFi connection so there should be also some router here that you can login to manage it. Quick scan revealed a good target for the game.

A

I opened the web page to figure out what am i trying to achieve here and i found what i was looking for. Simple login page using a POST to a PHP script – meaning we can easily craft the data and keep on sending. The web page presents itself as : Tiger IP Connect 5.1

Zrzut ekranu 2018-03-27 o 21.56.28

Googled quickly to figure out what is this – seems like a dedicated software to control/manage access to AP (see here). Doesn’t really mater as long as i can test CRAR on it. So, knowing we have a page to login, let’s see how data is posted to this http server. No fancy investigation was done just a view into the html output from this server.

Zrzut ekranu 2018-03-27 o 21.56.34

I easily found that the form with user/password is POSTing to index.php. Well with all that in hand i was ready to launch the ESP (well took one for a trip, knowing i will be bored as hell after hours hehehe).

Secondly – the configuration

Right, i hooked up my ESP to my Macbook and as the software was done  i started configuring the brute-forcer as per the details taken from the web page form.

B

There are couple updates here since my last post, mainly done for ease of setting up the whole process. Let me guide you through what are these settings.

  1. ESP starts in AP_STA mode, so that i can access it’s own WIFI when craxor is connected to victim AP. Thanks to this i don’t have to connect to victim’s WiFi anymore, i can reconfigure CRAR by connecting to the hotspot it creates.C

Settings are as follows:

  • WiFi – self explanatory, target (victim) AP SSID
  • Password – target (victim) AP Password – in this case, no password, public hotspot
  • Host – the HTTP ip address
  • URL – the URL for the POST
  • Body – the arguments for the POST (taken from the html form definition above), here i assume that the username is admin, why not. It’s just testing, nothing serious 😉
  • Min characters – this is to indicate minimum characters for Wordlist generator
  • Max characters – this is to indicate maximum characters for Wordlist generator
  • Socket Timeout – this is for the socket connect function, so it doesn’t get stuck waiting for socket to timeout, i make it 200ms
  • Charset – this is for the wordlist generator i basically say here that i want to generate 6 characters long including lower case, upper case and numbers.
  • Success Word – hehe bad naming but this is the text that when NOT found means we got this form cracked. Why ‘not’ found ? Well it’s because it’s hard to guess what page displays when login is OK, so it’s better to see if failure text is present every time we check new word from generator. If Failure text is not present, we might be already logged in!

Controls

  • Start – which is to start the bruteforce process
  • Pause – which is to pause the bruteforce
  • Reset – which is to restart the ESP (start from setup())

Status

  • Started flag (1/0)
  • Current Word – that’s basically the word we test against now
  • Total Epochs – number of epochs passed (iterations basically)
  • Epochs / sec – number of iterations per second
  • WiFi Signal – yeah, signal to the AP
  • WiFi Connected – just a flag if we’re connected

Results

Self explanatory 🙂

Page down there are more debug things you might be interested in, so here is the screen

Zrzut ekranu 2018-03-27 o 21.56.57

Basically what we see here is

Sent – what we have sent to the server

Received – what we have received from the server
Based on  received text area  you can deduct why i put “Invalid” in the Success Word field.

If Invalid is found, it means we have probably logged in. As long as this word is present in the response, we know we have provided invalid credentials.

Ok, so i’m leaving this soft running until the last day, we will see what happens, overall it’s just a test of the soft and the overall POC. As resuming the wordlist generation is also implemented, i can easily turn off and on ESP and cracking will continue from the last word saved.

Zrzut ekranu 2018-03-27 o 22.44.18

Will see where we are on Friday with that 😉

 

Peace

 

Advertisements

esp8266 bruteforce #1 CRAR

Zrzut ekranu 2018-03-26 o 20.43.02.png

Synopsis

Warrning – i have not enough photos in this post – basically writing it in a hotel.

Sundays are lazy days, that one was no different – with a cup of coffee and e-cig i was looking around for an idea when i realised i still have my Kali Linux laptop lying around and i can actually try to see if there is anything interesting around (last time i checked it was months ago). I moved last year to new home and pretty much haven’t played with Kali for some time. It was a good exercise to do and i just went for it.

Plugged my laptop into a socket (one of these laptops that do not work on a battery anymore 🙂 ) and sat again on the same couch. Quick scan and i realised there is some week/poor WPA2 / WPS signal broadcasted, isn’t something that i could use as a backup internet, but still was ok-ish to check against WPS (reaver) attack.

I kicked off Reaver and started cracking and went around the WPS weakness even though the signal wasn’t that good. After couple of hours pinning the WiFi router i finally got the key and connected. After adjusting the antenna several times i figured out that the network i have connected was running near my home, the distance was around 30m (garden). Signal was absolutely weak.

Quick scan of the LAN revealed two interesting hosts one of which was a router with some sharing enabled (ftp,http opened).

As usual, the dumb-mode test has been executed and i found there is no admin/admin, admin/password or even anonymous access granted to both the http / ftp. Opening the web page of the router gave pretty much a login screen and that was it.

The quality of the connection wasn’t enough to keep alive for longer than couple of minutes, either it was dropped or i had pings lost, so checking above credentials took me some time and patience.

I figured out at that point that there is absolutely no sense to push on testing it that way and it would be more beneficial if i think of a solution to leave this process automated close to the garden fence and forget about it until something is found.

Let’s get dirty and prepare a plan

What do i want to automate?

I want to get into that http://192.168.0.1 which is serving the HTTP login, forget the FTP for now – i guess when access to HTTP will be granted, we will get access to all services there.

How do i want to automate it?

Brute-force – just go with the most simple approach but keep the process flow inteligent by ensuring that when power is lost, we don’t start from the beginning, that we can get a wordlist or go full hardcore by doing a words generation for fun. Also, i don’t need a process that takes me minutes to setup – the game itself is considered a waste of time, so need myself spending +10minutes on starting laptop, bash scripting and stuff – i need something low level and firing up straight away when switched on.

Deciding on the right hardware

Knowing all of the above i realised that the best solution for my exercise would be a esp8266. I always believed ESP’s are made for more than just turning the light on/off as an IOT device. I see two possible options here

  1. Put the ESP8266 with a power-bank into a Coca Cola bottle (to make it water resistant / rain / snow ). Fantastic idea to drop these kind of things wherever needed, but there’s a big problem here – Battery.Zrzut ekranu 2018-03-26 o 22.02.59Well as this is just a fun project  i don’t mind; i know brute forcing can take ages so i don’t mind to pick it up from time to time and recharge. Software however needs to tackle this properly – as mentioned earlier, once dropped i never get back to it for setting up, only recharging.

    Above require a software to notify about the low battery – but i’ll get to that later on.

    Ps. How cool would it be to have it running for weeks on batteries, in that case you could drop it in some distance place and come back for it in days.

  2. Install the ESP8266 in the garden lamp (already 12Volt enabled) – and keep it running there for ages – seems like the simplest solution without any cons. But, i don’t like it – i like the idea of having an option to drop a cracker somewhere or stick it. Lamps are generally already installed, i doubt i will get a good signal out of them – so this is a NONO – however a possibility.
    Zrzut ekranu 2018-03-26 o 21.29.10

 

So out of these 2, i choose option one and try to ensure it gets ultra small size – don’t want a 2L coca cola bottle lying in my garden whole summer 😉

For that i’ve seen already good projects for IOT gardens – i’ll copy a good solution and post a photo in next update.

So having hardware plan already, i move on to the next step.

Software – bringing life

Let’s start with the assumption that CRAR is not a WiFi cracker, so in order to operate it already needs wifi credentials – but that’s all clear.

Now the logic behind it should be ultra simple:

  1. Start
  2. Load config (contains last word from which to resume and other settings)
  3. Check if WiFi connected
  4. If not, reconnect, goto 3
  5. If yes, connect to the specific IP address (tcp)
    1. if not connected goto 6
    2. if connected
      1. send a prepared url as an HTTP packet
      2. check for the response
        1. if response contains “SPECIFIC_WORD/CONTENT” – cracking completed
        2. if response does not contain “SPECIFIC_WORD/CONTENT” – not cracked
      3. generate next word (wordlist generator)
      4. Save Config
  6. Serve HTTP web page so we can access this esp and check for stats
  7. Send out notification (via pushover) when Cracking completed / Battery level low

Voilla, that’s it.
This logic ensures that when this nitty device gets plugged in – it loads up the latest word  and resumes from it. That we have a wifi reconnection tackled and that we are serving a Web server – at any time we can control the device with a simple web server, and that we finally get a notification when things are done / about to be off (battery)

As usual i started coding

Zrzut ekranu 2018-03-26 o 20.22.33

This is a screen shot of an esp running a brute force against a Raspberry PI PHP crafted page to see if all works fine – looking at this already, i spot a place for a more distributed approach to this cracking, but it’s not a rocket science so i leave it up to you:)

Next step is to move it really to a production environment, meaning i will be sharing more shots of the victim’s router, hardware and some code snippets – where finally i will drop it in the garden and we will all start the timers. We will see if CRAX0R makes anything out of it 😉 If not, it’s still a great fun!

Stay tuned.

WPA Bruteforce test

Just a side note, i’ll be getting to the crackers i wrote later on – but been testing WPA update since couple of days now on WPA Handshakes and the cracker is a success.

ddd

This is a single core task – but have a Distributed Task for GridMan in place already.
The cracker goes through all WPA handshakes that i have sniffed and tries to crack them with a wordlist or a bruteforce generator.

macs

Above a dump from a modified version of a handshake stripper, i take the airmon dump file and strip all WPA Handshakes that were found for a crack-all-at-once approach.

Ok, let’s find out what’s sitting there and let me tell you that i hate Linux support for WiFi – it’s just a mess if you need to do things quick, but as i’m left now with a Raspberry PI on the balcony that has Kali installed, there’s no other option around.

Couple of command line entries and we’re in.

aaaa

 

Now that we know we’re in, let’s checkout the AP.

Zrzut ekranu 2016-08-06 o 22.58.04

Aha! A login form, i can bet the owner didn’t even change admin password.
admin/admin is the default setting for WR340g.

Zrzut ekranu 2016-08-06 o 22.59.05

dodo

Fuzzing continues

Just made a simple fuzzing strategy that shoots random characters on arguments for binary. I am testing this on my MacOSX – and it seems like it works 😉
Zrzut ekranu 2016-08-05 o 23.36.23

The tool itself is dirty coded yet, however fuzzing Rez with argv0 gave

SIGSEGV 11 Invalid memory segment access (ANSI)

 

Splendid.

Fuzzing

Recently i turned my attention to security, but this time i took a peak into what’s called Fuzzing.

Long story short, fuzzing is mainly brute force vulnerability detection and has a lot of categories. Take a look here. What caught my attention is fuzz testing Web applications and local binaries (mainly black box /grey box fuzzing).

I am total noob in this area, never tried it and never seen a fuzzer doing a good job – however interested in this area i have a low power distributed approach idea somewhere behind.

Just started to read a great book on the topic check it out.

As always, there are some basics that i’ll be focusing on at the start.

  1. Fuzzing arguments passed to suid binary, you just randomly generate a set of characters and put them into binary arguments to discover eventual input handling issues.
  2. Fuzzing WEB applications, this is a bigger topic however here i would like to focus mainly on SQL injection discovery, directory traversal, and POST/GET argument fuzzing.

The whole fuzzing area is wide but i have decided to pick up two pretty major destinations to see if i come up with something interesting. Ideally i would like to be able to write a vulnerable binary, fuzz it and get back with some results. Finally i am thinking of getting this stuff distributed, as it is known fuzzing can take some time – it would be good to pack it all up with GridMan.

So let’s treat this as an intro, i will be posting in Security/Fuzzing area some updates as i go through the learning curve.

Fingers x.

ESP8266 – WIDS – “Spooky”

Okay this is both #ESP8266 and #Security.

When i first got my hands on the ESP8266 i was curious how much can be done with the chip in terms of security. Knowing that the chip can go ‘monitor’ mode it was clear to me that first thing i’ll code would be the Wireless Intrusion Detection thing running on a 5v low power chip. At that time i ordered something what is called #NODEMCU and the fun started.

IMG_2941

The chip itself is capable of running a callback on ever packet it receives with a function:

static void ICACHE_FLASH_ATTR handle_pkt(uint8_t* buf, uint16_t len)

There is actually an official “Sniffer” PDF document by Espressif, google it for more details.

So the way Spooky works is simple. It captures packets within BSSID that is your local home Access Point. When a packet is received, it scans through 802.11 to find the source and destination. If Source or Destination is not listed on the ‘trusted mac’s’ list then it adds this traffic to a list that is then sent out to your Gmail account every hour.

So long story short, Spooky monitors for a non-trusted traffic (that has to be defined by user) and reports it when found via E-Mail, see below for example.

A Spooky generated e-mail notifying of unknown traffic (this is an unknown device authenticating on my AP)

 

 

And a simple configuration page with trusted devices added

 

static void ICACHE_FLASH_ATTR handle_pkt(uint8_t* buf, uint16_t len)

So how is this all programmed?
Firstly all is coded in C with Arduino IDE – it’s just great we can code chips with C. It was my first adventure with chip programming and i was very happy i didn’t have to lear myself some ASM or other script-kiddie language around.

The code itself is very easy, ESP8266 has a file system (SPIFF) so the configuration is loaded/stored directly from that file. I could easily skip writing/reading from EEPROM thanks to this.

All these Web server things are built in and available as ready to use classes so i will not go into details with that.

The Sniffer Callback function has to be very quickly executed or WatchDog will restart the chip, so there is no room and space and time for a lot of work to do. Knowing that i am only doing quick 802.11 inspection to find out RSSI, BSSID, Source, Destination and packet type in accordance to the below 802.11 header

802dot11_frame

First i find out the packet type by defining them as below:
Zrzut ekranu 2016-08-04 o 10.58.11

Then i filter out all Beacon and Probe request type of frames as they fly around and Spooky will identify them as unknown traffic. So i’m looking only after DATA and MANAGEMENT type frames that are Directed towards user selected Access Point BSSID. This is how i get only the interesting packets out of the chaos around.

Next i read out Source / Destination by looking into ToDS FromDS fields – these are swapped around in regards to the frame type, so be careful how you read them. An example below:

Zrzut ekranu 2016-08-04 o 10.57.11

Then we get the RSSI of the packet, this is easily taken from ESPRESSIF RxControl header within 802.11.

At this moment Spooky knows:
– What is the Packet type
– What BSSID is packet traveling within
– What source is this packet coming from
– What destination is this packet going to
– RSSI

Now having all above and list of trusted MAC addresses, it is easy for Spooky to identify wether a traffic directed within a defined BSSID is trusted or non trusted.
Anything coming from/to a MAC address that is not on the trusted list and having BSSID as defined by user is considered untrusted – and Spooky will email you the details.
All the rest is trusted so Spooky will ignore the traffic.

So the idea of using Spooky is quite simple:
Whenever you get an untrusted traffic notification from Spooky – you either block the MAC address on your Router (if you can’t identify it) or add it to Spooky Trusted MAC’s list (if you know the MAC).

Thanks to this you keep your AP safe and you are notified of unknown events. The word Notified is important because you don’t have to check your AP logs (who does it anyway?)  for intruders and you can respond to events immediately. And yes i know routers can be configured to block untrusted MACs, but i never used that option.

Spooky went into release and some of the users even made a small TicTac version of it.

 

I expect to make some 3d printed cube for spooky in free time. If you are interested in the code i will be posting it shortly.