This is a detailed telling of how I hacked Philip M. over a period of several days. It started out as a typical router crack but I found myself motivated to dig deeper than usual. Without damaging the validity of the hack, I scrubbed as much identifiable info from the screenshots as possible to protect my identity.

Tools Used:
aircrack suite
cupp.py
pyrit
nmap
hydra
sparta
mitmf
sslstrip
arpspoof
ncrack
medusa
chromepass
FreeOTP
axcrypt
Patience
INFILTRATION:

$ airodump-ng -M wlan0mon

BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID MANUFACTURER
C4:6E:1F:XX:XX:XX -57 580 26 0 11 54e. WPA2 CCMP PSK XXXXX TP-LINK TECHNOLOGIES
F8:E4:FB:XX:XX:XX -60 808 286 0 6 54e. WPA2 CCMP PSK XXXXX Actiontec Electronics, Inc
84:1B:5E:XX:XX:XX -64 2547 27432 0 11 54e WPA2 CCMP PSK BruceLee Netgear
D4:05:98:XX:XX:XX -70 304 32 0 1 54e. WPA2 CCMP PSK XXXXX ARRIS Group, Inc.
00:14:6A:XX:XX:XX -71 401 3 0 3 54e. WPA2 CCMP PSK XXXXX CISCO SYSTEMS, INC.
00:26:62:XX:XX:XX -71 382 2653 1 11 54e. WPA2 CCMP PSK XXXXX Actiontec Electronics, Inc
00:7F:28:XX:XX:XX -73 56 5 0 11 54e. WPA2 CCMP PSK XXXXX Actiontec Electronics, Inc
There was enormous traffic coming from AP "BruceLee". Access points with this much activity are always exciting.

$ airodump-ng -c 1 -UM -w data/dump --bssid 84:1B:5E:XX:XX:XX wlan0mon
$ aireplay-ng -0 2 -a 84:1B:5E:XX:XX:XX -c 30:F7:C5:XX:XX:XX -e BruceLee wlan0mon

Now I needed to verify the integrity of the handshake and strip it of useless data captured during the airodump.

$ pyrit -r data/dump-117.cap analyze
$ pyrit -r data/dump-117.cap Desktop/BruceLee.cap strip

Parsing file 'data/dump-117.cap' (1/1)...
Parsed 4 packets (4 802.11-packets), got 1 AP(s)
#1: AccessPoint 84:1b:5e:xx:xx:xx ('BruceLee'):
#1: Station 30:f7:c5:xx:xx:xx, 1 handshake(s):
#1: HMAC_SHA1_AES, good, spread 1
With a solid capture, I was ready to bruteforce the cap. Netgear owners usually use custom passwords. I've never owned a Netgear router but imagine the firmware prompts users to enter a new password during the initial installation. This is especially wonderful to a cracker like myself because (as we all know), people have been using weak passwords since the conception of the password.

For this particular router, I created a custom wordlist before trying larger libraries at my disposal. The reason I chose to generate a new wordlist is simply because his AP was named "BruceLee". This, to me, is a dead giveaway and indicator of the password potentially being somehow related to Bruce Lee...

As source material for the wordlist, I navigated to Bruce Lee's Wikipedia and IMDb pages to scrape them for words of interest, such as: cities and countries where Bruce Lee was born and lived, Bruce's movie character names, movie titles, the months, days, years and names on the wiki, etc. I also added a few commonly used generic weak passwords. For this I used CUPP.

$ python cupp.py -i
$ pyrit -r Desktop/BruceLee.cap -i cupp-master/bruce.txt

Image

Parsing file 'Desktop/BruceLee.cap' (1/1)...
Parsed 4 packets (4 802.11-packets), got 1 AP(s)
Picked AccessPoint 84:1b:5e:xx:xx:xx ('BruceLee') automatically.
Tried 47254 PMKs so far; 906 PMKs per second.
The password is 'kato194027'.

Kato is Bruce Lee's character name in the 1960s TV series The Green Hornet. 1940 is the year Bruce was born. Not sure what 27 is. CUPP totally nailed it.

The truth is, I was prepared to spend a lot more time trying to crack this. A 61544 word count isn't exactly a comprehensive wordlist. This is where I decided to document my actions. With a password so easily guessed, I was counting on the rest of his setup being just as vulnerable, and I had just forged the master key to his city.
RECONNAISSANCE:

This is by far the most exciting moment after cracking a router. The very first thing I do is find the gateway and change the password. This ensures ownership of the router and makes it difficult for the victim to change their AP password (should I be suspected on the network).

$ route -n

Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 600 0 0 wlan0
192.168.1.0 0.0.0.0 255.255.255.0 U 600 0 0 wlan0

Typical gateway address. Login credentials are admin:admin or admin:password 95% of the time. In this case, Philip changed the default gateway password... unfortunately for him, it was also "kato194027".

Here I thoroughly examined the Attached Devices. We can see there are several, including a Windows machine, iPhone (CHUCKLES) and iPad.

Image
Now for deeper recon, I used Sparta. It has quickly become my go-to recon tool of choice. It's slow to scan (patience), but comprehensive and worth the wait in this situation.

What is SPARTA?

"SPARTA is a python GUI application which simplifies network infrastructure penetration testing by aiding the penetration tester in the scanning and enumeration phase. It allows the tester to save time by having point-and-click access to his toolkit and by displaying all tool output in a convenient way. If little time is spent setting up commands and tools, more time can be spent focusing on analyzing results."

...Basically the GUI lovechild of nmap and hydra.

Image

We can see he's using Plex, VNC and SSH. The first thing I did was check to see if his SSH server had password authentication enabled. To my surprise, it did not.

Moving on, his Plex library was the least interesting thing here. I observed a new email address which I recorded but didn't take time to probe with known passwords.

Image

Poking at the VNC port, it was also password protected. Unlike SSH, this one I can bruteforce. For this I tried several tools: ncrack, medusa and hydra. The VNC server was extremely temperamental. After only a few consecutive attempts, the server timed out and ignored additional attempts to authenticate. Timeouts seemed to last about 15 seconds. This wouldn't have been a big deal, only ncrack and hydra continued with new attempts even after the server timeouts. This meant a potentially correct password could be lost on the timed-out server.

"[ERROR] VNC server connection failed"

There was a lot of that.

My experience with bruting VNC servers was limited so this was a learning process. Fortunately hydra has a delay function that allowed me to place some time between authentication attempts. With some time spent finding the server's sweet spot, I settled on "-W 2". This would try a new password every 2 seconds. Which sucked. I calculated just over 40,000 password attempts over a 24-hour period, so I very carefully selected a wordlist and set up an old netbook I use for overnight and/or remote attacks such as this.

$ hydra -P wordlists/best110-wordlist.cupp.txt vnc://192.168.1.2:5900 -t 1 -W 2
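A defender-side counterpart to the throttled brute force above, added here and not part of the original post: a sliding-window detector over constructed VNC auth-failure log lines (the log line format, the process name and the client address 192.168.1.50 are assumptions) that flags a source whose failures accumulate at a 2-second cadence even though no short burst ever occurs, which is exactly the cadence that a burst-only server timeout lets through.

```python
"""Sliding-window detector for low-rate VNC authentication failures (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_FMT = "%Y-%m-%d %H:%M:%S"
# Assumed, simplified log line shape; adapt the regex to your VNC server's real format.
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) vnc\[\d+\]: auth failed from (\d+\.\d+\.\d+\.\d+)$"
)


def make_sample_log(start="2016-03-01 02:00:00", attempts=400, gap_s=2, ip="192.168.1.50"):
    """Constructed log: one failed attempt every gap_s seconds from a single client,
    i.e. the pacing hydra -W 2 produces (roughly 43,000 attempts per day)."""
    t0 = datetime.strptime(start, LOG_FMT)
    return [
        f"{(t0 + timedelta(seconds=i * gap_s)).strftime(LOG_FMT)} vnc[1234]: auth failed from {ip}"
        for i in range(attempts)
    ]


def find_slow_bruteforce(lines, window=timedelta(minutes=10), threshold=100):
    """Return {ip: (first_alert_time, failures_in_window)} for every source that
    exceeds `threshold` auth failures inside any `window`. A timeout that reacts
    only to a few back-to-back failures never fires at a 2 s cadence; counting
    over a longer window catches the sustained rate regardless of spacing."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line
        ts = datetime.strptime(m.group(1), LOG_FMT)
        ip = m.group(2)
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = (ts, len(q))
    return alerts


if __name__ == "__main__":
    for ip, (when, count) in find_slow_bruteforce(make_sample_log()).items():
        print(f"ALERT {ip}: {count} VNC auth failures within 10 min, first seen {when}")
```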
While my netbook did its thing, I took the opportunity to start prepping a mitm attack back on my Kali box.

After several attempts, it worked. You'll notice the "type" of browser he used was "Mobile Safari". I was a little surprised by this. Maybe the built-in Mail app stopped responding after the mitm attacks? Your guess is as good as any here. Either way, it worked.

Image

Next, I was careful not to log in to his email over Tor. After all, Iceweasel's browser fingerprint was very likely dramatically different from his browsers of choice. A brand new fingerprint with a brand new IP belonging to another country might arouse Gmail's security features.

Image

This is a major breach. His email revealed an enormous amount of personal information about his life. Thanks to Google, I can now see Philip's web browsing habits from the last 365 days, his calendar/schedule, family photos and contacts, purchases and (partial) credit card information, his place of work, girlfriend's address and their movements throughout the city. With enough analysis someone could probably determine their favorite places to eat and how often they fuck.

Though it is glorious, I'm withholding the screenshot of his daily Google Maps activity as it reveals my location within 100 miles.

I returned to my netbook a day later (patience) and discovered, remarkably, the VNC password cracked.

1 of 1 target successfully completed, 1 valid password found
password: "monkey1234"

Image

Unfortunately for Philip, this is checkmate; his entire network, desktop and primary email address are completely compromised at this point. The above screenshot is his desktop via VNC. I might as well be sitting in his apartment at this point. His monitor size was much larger than my Kali VM allowed so my moneyshot is a little botched.

Now, his browser revealed several entries stored in the built-in password manager. They were protected by his Windows login password, which I didn't know, so I couldn't view them here. But this wasn't a concern, I came prepared. Enter: Chromepass.

"ChromePass is a small password recovery tool that allows you to view the user names and passwords stored by Google Chrome Web browser. For each password entry, the following information is displayed: Origin URL, Action URL, User Name Field, Password Field, User Name, Password, and Created Time."

Image

This I thought was really funny. Windows "User Account Control" kept closing my VNC connection when ChromePass.exe was opened so I wrote a (laughably) stupid batch script to execute the exe. Windows security is truly ridiculous.
EXECUTION:

With his passwords in hand, it was time to wreak havoc.

I didn't want to alert Philip to the compromise yet so I didn't immediately log in (patience) to the VNC. From the looks of it, he's some kind of sales or operations manager at JCrew, handling special orders and such. He was piping his work emails into this gmail account so the odds of him working out of email during the breach seemed probable. After all, compromising his primary email account wasn't my only goal.

To avoid detection I created custom gmail filters to automatically Trash new emails from *.facebook.com, *.google.com and *.chase.com. This way his phone wouldn't start buzzing uncontrollably when changes occurred. Thanks again, Google.

Image
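An added example, not from the post, of auditing a mailbox's filters for this "auto-trash the security notifications" pattern: the filter dictionaries mirror the shape of the Gmail API users.settings.filters resource (criteria.from plus addLabelIds/removeLabelIds), the sample filters are constructed, and the SENSITIVE_DOMAINS list is an assumption to tune per environment.

```python
"""Flag mail filters that silently hide account-security mail (added example)."""

# Assumed list of senders whose mail a user should never auto-trash or auto-archive:
# account-security and financial notification domains named in the post, plus a few more.
SENSITIVE_DOMAINS = ("google.com", "facebook.com", "chase.com", "dropbox.com", "apple.com")
HIDING_LABELS = {"TRASH", "SPAM"}  # Gmail system label IDs that take mail out of sight


def sender_domain(criteria_from):
    """Normalise a criteria.from value ('*.chase.com', 'noreply@google.com') to a bare domain."""
    addr = criteria_from.strip().lower()
    if "@" in addr:
        addr = addr.split("@", 1)[1]
    return addr.lstrip("*").lstrip(".")


def action_hides_mail(action):
    """True when the filter trashes/spams the message or archives it without any label,
    i.e. the user would never see a notification such as a password-change alert."""
    adds = set(action.get("addLabelIds", []))
    removes = set(action.get("removeLabelIds", []))
    return bool(adds & HIDING_LABELS) or ("INBOX" in removes and not adds)


def suspicious_filters(filters):
    """Return (filter_id, sender_criteria, reason) for filters that hide mail from a
    sensitive domain; matching is suffix-based so 'mail.chase.com' hits 'chase.com'."""
    findings = []
    for f in filters:
        sender = f.get("criteria", {}).get("from", "")
        if not sender:
            continue
        dom = sender_domain(sender)
        for s in SENSITIVE_DOMAINS:
            if dom == s or dom.endswith("." + s):
                if action_hides_mail(f.get("action", {})):
                    findings.append((f["id"], sender, f"hides mail from {s}"))
                break
    return findings


SAMPLE_FILTERS = [  # constructed; f1/f2 copy the pattern described in the post
    {"id": "f1", "criteria": {"from": "*.facebook.com"}, "action": {"addLabelIds": ["TRASH"]}},
    {"id": "f2", "criteria": {"from": "*.google.com"}, "action": {"removeLabelIds": ["INBOX"]}},
    {"id": "f3", "criteria": {"from": "newsletter@example.com"}, "action": {"addLabelIds": ["TRASH"]}},
    {"id": "f4", "criteria": {"from": "alerts@chase.com"}, "action": {"addLabelIds": ["Label_12"]}},
]

if __name__ == "__main__":
    for fid, sender, reason in suspicious_filters(SAMPLE_FILTERS):
        print(f"{fid}: from={sender!r} {reason}")
```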
Damage Report:
- changed gmail password, changed backup email address associated w/ gmail, added 2FA with FreeOTP
- changed dropbox password, changed email associated w/ acct, added 2FA
- changed icloud password
- changed twitter acct password, email account
- encrypted his PC customer info and PC photo library
- changed facebook password

I thought this was a good place to stop. Truth be told, this venture lost its flavor once his VNC cracked; the challenge was over.

CONCLUSION:

Ultimately, I returned ownership of Philip's accounts after several hours. I cleared his desktop of shortcuts and created a Dear\ Philip.txt:

Image