Category Archives: Guides

Using Cookie Cadger for Live Packet Capture

I’m very sorry I wasn’t able to get to this sooner; I know I said I would write one. But now I’m home and I’m going to write a guide to capturing your first cookies with Cookie Cadger. If you haven’t already downloaded Cookie Cadger, do so now. Cookie Cadger is a Java package, so you will also need Java 7 installed, as well as a Wireshark component called tshark. If you have Wireshark installed, tshark should be installed too; if it isn’t, install it from whatever package manager you use.

The next step, before you open up Cadger, is to set your card into monitor mode. I wrote a guide that should work for almost every wireless card on the market, but if my guide doesn’t work, a little bit of Googling around should find a guide that will work for your card. Once your card is in monitor mode, open the CookieCadger.jar package. Note: some users have reported issues with Cadger not recognizing capture devices. This can be solved by running Cadger as root.

Once you open up Cadger you will first be presented with a little bit of text. It asks whether you want it to automatically begin capturing traffic when the real program starts up, and it also informs you about the legality of what you are about to do. I believe that in the United States, at least, it is legal to capture insecure traffic. Correct me if I’m wrong. Anyway, click Yes.

Once you click Yes another screen will load. The first thing to select is the interface you want to capture cookies on. Cadger will list whatever interface you have set into monitor mode: if you set eth0, choose eth0; if you set wlan0, choose wlan0.

If you selected the correct interface (for example eth0) you should start seeing a bunch of insecure cookies, as long as you are on a network with people using the internet. Click on the Recognized Sessions tab, find a cookie that you like (Facebook is a good one to start with) and open the cookie in your browser.

The cookie will load and you will have access to the person’s Facebook! There is definitely a lot more potential behind Cookie Cadger than just breaking into people’s Facebook accounts. Play around with Cadger a bit and you’ll find it’s a really great tool. Use your newfound powers wisely.
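What makes a cookie “insecure” in the sense Cadger relies on, seen from the site owner’s side: a session cookie set without the Secure attribute is sent by the browser on plain http:// requests as well, which is exactly the traffic a passive capture on the same network sees. The script below is an added example, not part of Cookie Cadger or this guide. It classifies Set-Cookie header lines by their Secure and HttpOnly attributes (Secure is the one that matters for capture on the wire; HttpOnly only limits script access); the sample headers are constructed and belong to no real site.

```shell
#!/bin/sh
# Added example, not from Cookie Cadger or the guide: classify Set-Cookie
# headers by the attributes that decide whether a cookie travels over plain HTTP.
# A cookie without "Secure" is sent on http:// requests too, which is exactly
# the traffic a passive capture on the same network sees.

# Constructed sample headers (no real site); one Set-Cookie line each
SAMPLE_HEADERS='Set-Cookie: sessionid=abc123; Path=/; HttpOnly
Set-Cookie: csrftoken=xyz789; Path=/; Secure; HttpOnly; SameSite=Lax
Set-Cookie: remember_me=1; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT
Set-Cookie: tracking=42; Path=/; Secure'

# classify_cookie LINE: print "NAME secure=yes|no httponly=yes|no"
classify_cookie() {
    # drop the header name, keep "name=value; attr; attr=val..."
    line=$(printf '%s' "$1" | sed 's/^[Ss]et-[Cc]ookie:[[:space:]]*//')
    name=${line%%=*}
    secure=no
    httponly=no
    rest=${line#*;}              # attributes after the first ';' (unchanged if none)
    if [ "$rest" != "$line" ]; then
        old_ifs=$IFS
        IFS=';'
        set -f                   # no globbing while splitting attributes
        for attr in $rest; do
            # attribute names are case-insensitive (RFC 6265); trim and lower-case
            attr=$(printf '%s' "$attr" | tr 'A-Z' 'a-z' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
            case "$attr" in
                secure)   secure=yes ;;
                httponly) httponly=yes ;;
            esac
        done
        set +f
        IFS=$old_ifs
    fi
    printf '%s secure=%s httponly=%s\n' "$name" "$secure" "$httponly"
}

# audit_cookies: read Set-Cookie lines on stdin, print a verdict per cookie,
# and print the number of cookies lacking Secure as the last line
audit_cookies() {
    insecure=0
    while IFS= read -r hdr; do
        [ -n "$hdr" ] || continue
        verdict=$(classify_cookie "$hdr")
        case "$verdict" in
            *"secure=no"*) insecure=$((insecure + 1)); echo "INSECURE $verdict" ;;
            *)             echo "ok       $verdict" ;;
        esac
    done
    echo "$insecure"
}

# run the audit over the constructed sample; feed real headers with
# curl -sI https://example.invalid | grep -i '^set-cookie' | audit_cookies
printf '%s\n' "$SAMPLE_HEADERS" | audit_cookies
```

Attributes are split on `;` rather than matched as substrings, so a cookie whose value happens to contain the word “secure” is not misreported. Two of the four sample cookies come back INSECURE, and those are the ones a capture tool would be able to reuse.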

Note: using Cadger is exactly the same on any OS, though command line mode may differ. The only difference is how you get your card into monitor mode. We have a guide for Linux and a guide for Mac; a guide for Windows is in the works.

If you have any questions, or something I need to add, tell me in the comments.

Cookie Cadger Is Free! But How Do I Use It?

Cookie Cadger is now free, but I’ve had some people asking how you set your card into monitor mode, a requirement for Cookie Cadger. Before you set it into monitor mode and download Cookie Cadger you will need Java 7 installed, as well as a package called tshark, normally part of the Wireshark package, though I had to install it from my package manager. I know you asked for a guide to using Cookie Cadger; I hope you can get by with just a guide to monitor mode until I get home. You can now use the Cadger guide for basic capture. Also, for Mac users I’ve written a guide for setting your card into monitor mode; the usage of Cookie Cadger is exactly the same on any OS.

The first step to begin hacking WEP networks is to put your wireless network card into monitor mode. For this we will use ifconfig and iwconfig. These instructions may not work for your card; I will explain how to set it up with Atheros chipset cards in a separate post. This is for Broadcom or RT2500 cards and most other stock cards.

Step 1: Open a shell
Now we want to see what the cards installed on our computer are known as.

Step 2: At the prompt type iwconfig
You will see something like this:

lo no wireless extensions

eth0 IEEE 802.11b/g ESSID:Off/any Nickname: "Broadcom 4311"

Mode: Managed Frequency=2.437 GHz...

Disregard the ‘lo’ entry; your card is one of the other entries listed. In my case the card is known as ‘eth0’; yours could also be known as ‘wlan0’. As we can see on the second line, the card is currently in managed mode, and we must get it into monitor mode.

We also need our card to be “UP”. To check the up and down status, we use:

ifconfig

The results should show your card, and the second line of the card’s information should start with ‘UP’. If your card is not shown, or it is not showing the word ‘UP’, then we must bring it up. If you’re not sure, you can bring it up anyway and there will be no harm done. Here’s how:

ifconfig eth0 up

Now type ifconfig again and you should see your card marked as UP. Then put it into monitor mode:

iwconfig eth0 mode monitor

In case you couldn’t tell, this places the card into monitor mode. Running iwconfig again should now show the mode as Monitor.

If you followed these steps correctly you should be able to start up Cookie Cadger, Aircrack or anything else that requires monitor mode, and it should work exactly how you want it to. I’m writing this from my phone, but I’ll post some screenshots later on. If you have any questions, ask them in the comments.

Narwhal’s Guide to Command Line | Processes

2.1 Listing and PIDs

Each process has a unique number, the PID. A list of all running processes is retrieved with ps.

# ps -auxefw                         # Extensive list of all running processes

However, more typical usage is with a pipe or with pgrep:

# ps axww | grep cron
586  ??  Is     0:01.48 /usr/sbin/cron -s
# ps axjf                            # All processes in a tree format
# ps aux | grep 'ss[h]'              # Find all ssh pids without the grep pid
# pgrep -l sshd                      # Find the PIDs of processes by (part of) name
# echo $$                            # The PID of your shell
# fuser -va 22/tcp                   # List processes using port 22
# pmap PID                           # Memory map of process (hunt memory leaks)
# fuser -va /home                    # List processes accessing the /home partition
# strace df                          # Trace system calls and signals

2.2 Background/Foreground

When started from a shell, processes can be sent to the background and brought back to the foreground with [Ctrl]-[Z] (^Z), bg and fg. List the background jobs with jobs. When needed, detach a job from the terminal with disown.

# ping cb.vu > ping.log
^Z                                   # ping is suspended (stopped) with [Ctrl]-[Z]
# bg                                 # put in background and continues running
# jobs -l                            # List processes in background
[1]  - 36232 Running                       ping cb.vu > ping.log
[2]  + 36233 Suspended (tty output)        top
# fg %2                              # Bring job 2 back to the foreground

# make                               # start a long compile job but need to leave the terminal
^Z                                   # suspended (stopped) with [Ctrl]-[Z]
# bg                                 # put in background and continues running
# disown -h %1                       # detach job from terminal, won't be killed at logout

There is no straightforward way to re-attach a process to a new terminal; try reptyr (Linux).
Use nohup to start a process which has to keep running when the shell is closed (immune to hangups).

2.3 Top

The program top displays live information about running processes. See also htop from htop.sourceforge.net (a more powerful version of top), which runs on Linux. While top is running, press the key h for a help overview. Useful keys are:

  • u [user name] Display only the processes belonging to that user. Use + or blank to see all users.
  • k [pid] Kill the process with pid.
  • 1 To display all processors statistics (Linux only)
  • R Toggle normal/reverse sort.

2.4 Signals/Kill

Terminate a process or send it a signal with kill, killall or pkill.

# ping -i 60 cb.vu > ping.log &
[1] 4712
# kill -s TERM 4712                  # same as kill -15 4712
# killall -1 httpd                   # Send HUP (signal 1) to processes by exact name
# pkill -9 http                      # Send KILL (signal 9) to processes by (part of) name
# pkill -TERM -u www                 # Send TERM to processes owned by www
# fuser -k -TERM -m /home            # Kill every process accessing /home (to umount)

Important signals are:

1       HUP (hang up)
2       INT (interrupt)
3       QUIT (quit)
9       KILL (non-catchable, non-ignorable kill)
15      TERM (software termination signal)
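Why the difference between TERM and KILL in the table matters in practice, as an added example that is not part of the original guide: a process can trap TERM (15) and flush logs, close sockets or remove lock files before exiting, while KILL (9) cannot be caught, so none of that cleanup runs. The script below starts a small worker that records a clean shutdown when it receives TERM, then stops it once with TERM and once with KILL. The worker and the marker file paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original guide: why TERM (15) and KILL (9)
# differ in practice. A process can trap TERM and clean up; KILL cannot be
# caught, so nothing the process wanted to do on exit happens. Marker file
# paths are constructed for the demo.

# worker MARKER: loop until signalled; on TERM write a note and exit cleanly
worker() {
    marker=$1
    trap 'echo clean-exit > "$marker"; exit 0' TERM
    while :; do sleep 1; done
}

# start_worker MARKER: run worker in the background; its PID lands in WORKER_PID
start_worker() {
    worker "$1" &
    WORKER_PID=$!
}

# stop_worker PID SIGNAL MARKER: send SIGNAL, reap the child, then report.
# Returns 0 when the worker ran its cleanup, 1 when it was cut off.
stop_worker() {
    pid=$1
    sig=$2
    marker=$3
    kill -s "$sig" "$pid"
    wait "$pid" 2>/dev/null || true     # exit status is 128+signal for a signalled child
    if [ -f "$marker" ] && [ "$(cat "$marker")" = "clean-exit" ]; then
        echo "$sig: graceful (cleanup ran)"
        return 0
    fi
    echo "$sig: abrupt (no cleanup)"
    return 1
}

# demo: the same worker stopped with TERM and then with KILL
demo() {
    m="${TMPDIR:-/tmp}/sigdemo.$$"
    for sig in TERM KILL; do
        rm -f "$m"
        start_worker "$m"
        sleep 1                         # give the forked worker time to install its trap
        stop_worker "$WORKER_PID" "$sig" "$m" || :
    done
    rm -f "$m"
}
demo
```

The practical rule this illustrates is the one behind `kill -s TERM` first and `-9` only as a last resort: a daemon that is KILLed leaves stale PID files, half-written state and open transactions behind, which is also why a process that ignores TERM for more than a few seconds deserves a look before escalating.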

Next up in Narwhal’s Toolbox: File System

Bitcoin Bounties On Cracking WPA2 Handshakes

If you have a couple of extra GPUs sitting around, Reddit user px403 has the perfect job for you. He/she has set up a site where you submit a WPA2 hash and put a bitcoin bounty on it; once someone has cracked it your bounty goes to them and the site emails you the password. It seems like a great way to make a few bitcoins on the side, as well as a great way for pen testers without access to a large computer to crack their hashes quickly.

hashbounty.net

Here are a few links on how to collect handshakes and how to crack them.

Collecting Handshakes

http://www.aircrack-ng.org/doku.php?id=cracking_wpa

Cracking Handshakes

http://hashcat.net/oclhashcat-plus/

https://hashcat.net/wiki/doku.php?id=cracking_wpawpa2

Video guide to cracking WPA hashes

If you have a link you think would be helpful add it in the comments.

Narwhal’s Guide To Command Line | System

I’ve decided to write up a list of commands for Unix/Linux that are useful for IT work or for advanced users. This is a guide with concise explanations; however, you are expected to have some knowledge of Unix/Linux in order to use this guide to its full extent.

1.1 – Basic System Information

Running kernel and system information

# uname -a                           # Get the kernel version
# lsb_release -a                     # Full release info of any LSB distribution
# cat /etc/SuSE-release              # Get SuSE version
# cat /etc/debian_version            # Get Debian version

# uptime                             # Show how long the system has been running + load
# hostname                           # system’s host name
# hostname -i                        # Display the IP address of the host. (Linux only)
# man hier                           # Description of the file system hierarchy
# last reboot                        # Show system reboot history

1.2 – Hardware Information

Kernel Detected Hardware

# cat /proc/cpuinfo                  # CPU model
# cat /proc/meminfo                  # Hardware memory
# grep MemTotal /proc/meminfo        # Display the physical memory
# watch -n1 'cat /proc/interrupts'   # Watch changeable interrupts continuously
# free -m                            # Used and free memory (-m for MB)
# cat /proc/devices                  # Configured devices
# lspci -tv                          # Show PCI devices
# lsusb -tv                          # Show USB devices
# lshal                              # Show a list of all devices with their properties
# dmidecode                          # Show DMI/SMBIOS: hw info from the BIOS

1.3 – Load, statistics and messages

The following commands are useful to find out what is going on on the system.

# top                                # display and update the top cpu processes
# mpstat 1                           # display processors related statistics
# vmstat 2                           # display virtual memory statistics
# iostat 2                           # display I/O statistics (2 s intervals)
# tail -n 500 /var/log/messages      # Last 500 kernel/syslog messages
# tail /var/log/warn                 # System warnings messages see syslog.conf

1.4 – Users

# id                                 # Show the active user id with login and group
# last                               # Show last logins on the system
# who                                # Show who is logged on the system
# groupadd admin                     # Add group "admin" and user colin (Linux/Solaris)
# useradd -c "Colin Barschel" -g admin -m colin
# usermod -a -G <group> <user>       # Add existing user to group (Debian)
# groupmod -A <user> <group>         # Add existing user to group (SuSE)
# userdel colin                      # Delete user colin (Linux/Solaris)

Encrypted passwords are stored in /etc/shadow for Linux and Solaris. If master.passwd (the equivalent file on FreeBSD) is modified manually (say to delete a password), run # pwd_mkdb -p master.passwd to rebuild the database. (This has large implications, especially for a Unix with an encrypted partition: you could in theory modify the owner’s password in master.passwd, giving you read/write access to the encrypted partition. Correct me if I’m wrong.)

1.5 – Limits

Some applications require higher limits on open files and sockets (like a proxy web server or a database). The default limits are usually too low.

Per Shell/Script

# ulimit -n 10240                    # This is only valid within the shell

Per User/Process

# cat /etc/security/limits.conf
*   hard    nproc   250              # Limit user processes
asterisk hard nofile 409600          # Limit application open files

System Wide

# sysctl -a                          # View all system limits
# sysctl fs.file-max                 # View max open files limit
# sysctl fs.file-max=102400          # Change max open files limit
# echo "1024 50000" > /proc/sys/net/ipv4/ip_local_port_range  # port range
# cat /etc/sysctl.conf
fs.file-max=102400                   # Permanent entry in sysctl.conf
# cat /proc/sys/fs/file-nr           # How many file descriptors are in use
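The three layers above (shell, per-user/process, system-wide) are set in different places and a change in one does not show up in the others, so the useful check is to read back what a process actually gets and how much of the system-wide pool is in use. The script below is an added example, not from the original guide: need_fds compares this shell's soft limit against a requirement, file_nr_usage parses the three fields of /proc/sys/fs/file-nr (allocated, free, max; the free field is 0 on modern kernels, so used is allocated minus free), and report prints the live values. The 10240 requirement is the figure used in the text; the sample file-nr values in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): check the limit layers against
# what an application needs. Paths under /proc are Linux-specific.

# need_fds REQUIRED: succeed if this shell's soft open-file limit (ulimit -n)
# is at least REQUIRED; "unlimited" always passes
need_fds() {
    required=$1
    soft=$(ulimit -n)
    [ "$soft" = unlimited ] && return 0
    [ "$soft" -ge "$required" ]
}

# file_nr_usage "ALLOCATED FREE MAX": parse the three whitespace-separated
# fields of /proc/sys/fs/file-nr and print "used/max percent%",
# e.g. "1216 0 102400" (constructed) -> "1216/102400 1%"
file_nr_usage() {
    set -- $1
    allocated=$1
    free=$2
    max=$3
    used=$((allocated - free))
    pct=$((used * 100 / max))
    echo "$used/$max ${pct}%"
}

# report: live values from the running system, plus the shell-level verdict
report() {
    printf 'shell soft limit : %s\n' "$(ulimit -n)"
    if [ -r /proc/sys/fs/file-nr ]; then
        printf 'system-wide      : %s used\n' "$(file_nr_usage "$(cat /proc/sys/fs/file-nr)")"
    fi
    if need_fds 10240; then
        echo "ok: at least 10240 fds available to this shell"
    else
        echo "too low: raise with 'ulimit -n 10240' for this shell, or in /etc/security/limits.conf for the user"
    fi
}
report
```

Run it from the shell the service will start in (or from inside the service's environment), not from a root login shell: the per-user entries in limits.conf are applied at login by PAM, so a limit that looks fine as root tells you nothing about what the daemon's user gets.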

1.6 – Compile the Kernel

# cd /usr/src/linux
# make mrproper                      # Clean everything, including config files
# make oldconfig                     # Reuse the old .config if existent
# make menuconfig                    # or xconfig (Qt) or gconfig (GTK)
# make                               # Create a compressed kernel image
# make modules                       # Compile the modules
# make modules_install               # Install the modules
# make install                       # Install the kernel
# reboot

1.7 – Repair Grub

So you broke grub? Boot from a live CD, find your Linux partition under /dev (use fdisk to list the partitions), mount it, bind-mount /proc and /dev into it, chroot and run grub-install /dev/xyz. Suppose Linux lies on /dev/sda6:

# mount /dev/sda6 /mnt               # mount the linux partition on /mnt
# mount --bind /proc /mnt/proc       # mount the proc subsystem into /mnt
# mount --bind /dev /mnt/dev         # mount the devices into /mnt
# chroot /mnt                        # change root to the linux partition
# grub-install /dev/sda              # reinstall grub with your old settings

1.8 – Reset Root Password

At the boot loader (lilo or grub), enter the following boot option:

init=/bin/sh

The kernel will mount the root partition and init will start the Bourne shell instead of rc and a runlevel. Use the command passwd at the prompt to change the password, then reboot. Forget single user mode, as you need the password for that.

If, after booting, the root partition is mounted read only, remount it rw:

# mount -o remount,rw /
# passwd                             # or delete the root password (/etc/shadow)
# sync; mount -o remount,ro /        # sync before remounting read-only
# reboot

Next up in Narwhal’s Toolbox: Process