Wednesday, July 28, 2010

Scapy, Traceroute and Pretty Pictures

much much more available in the documentation
http://www.secdev.org/projects/scapy/doc/usage.html

but here is how to make a cool traceroute graph from you to another host.

from: http://www.secdev.org/projects/scapy/doc/usage.html#tcp-traceroute-2

Welcome to Scapy (v1.1.1 / -)
>>> res, unans = traceroute("www.google.com",dport=80,maxttl=20)
Begin emission:
*****************Finished to send 20 packets.
*
Received 18 packets, got 18 answers, remaining 2 packets
209.85.225.103:tcp80
1 209.20.72.2 11
2 209.20.79.6 11
3 4.53.160.189 11
4 4.69.132.186 11
5 4.69.132.190 11
6 4.68.101.34 11
7 4.79.208.18 11
8 209.85.254.130 11
9 72.14.232.141 11
10 209.85.241.35 11
11 66.249.95.138 11
14 209.85.225.103 SA
15 209.85.225.103 SA
16 209.85.225.103 SA
17 209.85.225.103 SA
18 209.85.225.103 SA
19 209.85.225.103 SA
20 209.85.225.103 SA
>>> res.graph(target="> /tmp/graph.svg")
>>>

opening up /tmp/graph.svg will give you:


Monday, July 26, 2010

Reversing Android Apps

thanks to cktricky for pointing me to:

android-apktool

Once you've gotten it installed/unzipped its fairly easy to use. Download your .apk from the emulator.

user@dev:~/android-tutorial/android-sdk-linux_86/tools$ ./adb pull /data/app/com.joelapenna.foursquared.apk com.joelapenna.foursquared.apk 2441 KB/s (625416 bytes in 0.250s)

From there simply decode the .apk

user@dev:~/android-tutorial/reverse$ ./apktool d com.joelapenna.foursquared.apk foursquare
I: Baksmaling...

I: Loading resource table...

I: Decoding resources...

I: Loading resource table from file: /home/user/apktool/framework/1.apk

I: Copying assets and libs...


From there you should have a folder looking something like this


inside your smali folder will be all the decompiled java. have fun.

actually after i did the above, I found this which is a video covering the above and previous posts.

Friday, July 23, 2010

Using the Android Debug Bridge (adb)

The android debug bridge (adb) has lots of useful features. its documented here:
http://developer.android.com/guide/developing/tools/adb.html


user@dev:~/android-tutorial/android-sdk-linux_86/tools$ ./adb
Android Debug Bridge version 1.0.25


some of the features you may want to immediately mess with are:

listing devices

user@dev:~/android-tutorial/android-sdk-linux_86/tools$ ./adb devices
* daemon not running. starting it now *
* daemon started successfully *
List of devices attached
emulator-5554 device

getting an interactive shell on the emulator

user@dev:~/android-tutorial/android-sdk-linux_86/tools$ ./adb shell
# ls
sqlite_stmt_journals
cache
sdcard
etc
system
sys
sbin
proc
init.rc
init.goldfish.rc
init
default.prop
data
root
dev


cat'ing useful stuff inside that shell

# cat /proc/cpuinfo
Processor : ARM926EJ-S rev 5 (v5l)

BogoMIPS : 233.47

Features : swp half thumb fastmult vfp edsp java

CPU implementer : 0x41

CPU architecture: 5TEJ

CPU variant : 0x0

CPU part : 0x926

CPU revision : 5

Cache type : write-through

Cache clean : not required

Cache lockdown : not supported

Cache format : Harvard

I size : 4096

I assoc : 4

I line length : 32

I sets : 32

D size : 65536

D assoc : 4

D line length : 32

D sets : 512


Hardware : Goldfish
Revision : 0000

Serial : 0000000000000000


and probably pulling things off the file system so you can reverse them.

user@dev:~/android-tutorial/android-sdk-linux_86/tools$ ./adb pull /data/app/com.joelapenna.foursquared.apk com.joelapenna.foursquared.apk
2441 KB/s (625416 bytes in 0.250s)

Wednesday, July 21, 2010

Accessing your android emulator on the command line

A poster on one of the other android posts mentioned you can just telnet into the android app if you've got the emulator running.

Its easy to do and the preferred way if you just want to script events. Just telnet into localhost 5554 and you can issue emulator commands.

user@dev:~$ telnet localhost 5554
Trying ::1...

Trying 127.0.0.1...

Connected to localhost.

Escape character is '^]'.

Android Console: type 'help' for a list of commands

OK

help


Android console command help:

help|h|? print a list of commands

event simulate hardware events

geo Geo-location commands

gsm GSM related commands

kill kill the emulator instance

network manage network settings

power power related commands

quit|exit quit control session

redir manage port redirections

sms SMS related commands

avd manager virtual device state

window manage emulator window

help event
allows you to send fake hardware events to the kernel

available sub-commands:
event send send a series of events to the kernel
event types list all type aliases
event codes list all code aliases for a given type
event text simulate keystrokes from a given text

OK

help geo
allows you to change Geo-related settings, or to send GPS NMEA sentences

available sub-commands:
geo nmea send an GPS NMEA sentence
geo fix send a simple GPS fix


you get the idea...

Tuesday, July 6, 2010

Fatal System Error Pseudo Book Review

Fatal System Error: The Hunt for the New Crime Lords Who are Bringing Down the Internet

Pseudo Book Review since its not "really" a tech book. The book is written with very little technical jargon and its an interesting read with a mix of information on Barrett Lyon who fought DDOS attacks against various websites, the ties of online gambling and the mob with a transition into the fight by Andy Crocker, a British cybersecurity agent, against the Russian and eastern block carding cybercriminials. An entertaining read about the history of carding and denial of service attacks by eastern block criminals.

In the category of:

Masters of Deception: The Gang That Ruled Cyberspace

The Fugitive Game: Online with Kevin Mitnick

Crypto: How the Code Rebels Beat the Government Saving Privacy in the Digital Age

learn about hacker history type books.



Thursday, July 1, 2010

Revisiting HALFLM Stuff

I covered some of the halflm challenge sniffing stuff in a previous post.

but I had to revisit it the other day for work and couldn't find the actually tables and program from the post.

so here are some updated links.

where to grab the tables:

http://freerainbowtables.mirror.garr.it/mirrors/freerainbowtables/halflmchall/

where to grab the program:

http://sourceforge.net/projects/rcracki/

Some gotchas I ran into on the last PT was some reason getting odd hashes in the SMB and NTLM sniffing modules.

in some cases the hashes were not the same for the same username and hostname, these were unusable, I also had some that had a bunch of zeros in them, those were also not crackable.

Windows 2000 2195:Windows 2000 5.0:1122334455667788:4c4d5353500003000000010001004600000000000000470000000000000040000000000000004000000006000600400000001000100047000000158a88e048004f0044000081196a7af2e4491c28af3025741067535700:00000000000000000000000000000000

But I did get smb_login scanned, that was fun:

ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:59de5d885e583167c3a9a92ac42c0ae52f85252cc731bb25:5ada49d539bd174e7049805dc1004925e25130c33dbe892a ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:40305b22075d6000d0508d9ad1f7beb02f85252cc731bb25:337c939e66480243d1833309b8afe49a81fe4c5e646bf00a ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:daf3570c10ed2817c3d8a05d69f9ef292f85252cc731bb25:d3fb390bac5d152f7a394466fbef686e275d05b99c0a115e ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d:727b4e35f947129ea52b9cdedae86934bb23ef89f50fc595 ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:d737aa8f95ce38359cab5d8a2519c4b92f85252cc731bb25:0624a3f7d457c54b163c641dbf4b7963548ef1c5d0397cbf ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:0e89a68d07e315c6035e82b757b955882f85252cc731bb25:58f2d720179b4a38a0523e02aef0d41dacccd6577eaa943c ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:aa9436c1d40cb53f3e7a20091c4b931c2f85252cc731bb25:8ac45acdbd60f2fad3081ecf005536efa6009c21ca5faf36 ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:dce867f0cb638db2dbcc3576a52dc4612f85252cc731bb25:8990b33dac65c5ef75073829894b911a983c1e260fbd1097 ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:6f9d851d74c8a095c9df672a1554bebc2f85252cc731bb25:89953de6f957b7db5fe664d23af3de41dd38f5ec0a4a6eb0 ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:cc96cc93b4dc9b7582273227fd61a5952f85252cc731bb25:76d3c3deb0bb8ef1a1e41ab6a3f6c686a321ce016c624567 ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:cc96cc93b4dc9b754db66776827758d30b7892eef2e3f2bc:df58ae0f786becc11be11034dc53b21bdf1d73579af868d1 ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:de5d1d85daf6593d0a09ff32049013ab2f85252cc731bb25:526471d8c4a0ecc8af05851804ea8fdd26848fa3ccc63152 ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:b8489edee1058b43f3ce0f0abe5a16872f85252cc731bb25:57b9c47a75335692f60e787e41cd16a292a21bc667b3fd02 ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:2b6b134af8d48f2a972bff5660420d582f85252cc731bb25:5018402148e15a8d77cb22dd46f1449a2791416b73ee9c3d ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:bb49aefd51ed0dccd5be291bd33be3052f85252cc731bb25:c9b255750bd88ac72e03adafda261e62618c943f7d59daf5