
How to compile Ncrack and build a .deb package

» 29 September 2010 » In Uncategorized » No Comments


About:

Ncrack is a high-speed network authentication cracking tool, built to help auditors perform password auditing. Its strength is the full integration with Nmap: Nmap XML or normal output scan files can be used as the host/network list. In this post I’m only going to illustrate how to compile and install Ncrack from the source code.

DISCLAIMER:
This tool can cause harm to the normal operation of your network/servers if used improperly. Use it only on your own networks/servers, or on networks/servers for which you have been given permission to test. Before using this tool, please read the available documentation.

Main Features:

* Sessions: Ncrack saves its current state into a file, which it can later use to continue from where it stopped.
* IPv6 support
* Runtime interaction: you can interact with the program without aborting and restarting it.

Modules available:

FTP, TELNET, SSH, SMB, RDP, POP3(S)

Installation (Ubuntu 10.04 32-bit):

apt-get install build-essential checkinstall libssl-dev libssh-dev
wget http://nmap.org/ncrack/dist/ncrack-0.3ALPHA.tar.gz
tar xvfz ncrack-0.3ALPHA.tar.gz
cd ncrack-0.3ALPHA/

./configure
make
checkinstall
dpkg -i ncrack_0.3ALPHA-1_i386.deb


nmap: compiling from source on ubuntu

» 25 September 2010 » In Uncategorized » 1 Comment



About:

Nmap (“Network Mapper”) is the best tool to scan large networks to determine which hosts are up and what services they are offering. It was originally written by Fyodor Vaskovich (the pseudonym of Gordon Lyon). Nmap offers a number of advanced features with the new Nmap Scripting Engine (NSE): the flexibility of the Lua programming language allows writing simple and powerful scripts to automate a wide variety of networking tasks. But we will talk about NSE another time; in this post I’m going to illustrate how to compile and install Nmap from the source code.

DISCLAIMER:
This tool can cause harm to the normal operation of your network/servers if used improperly. Use it only on your own networks/servers, or on networks/servers for which you have been given permission to test. Before using this tool, please read the available documentation.

Main Features:

* Host Discovery
* Port Scanning
* Version Detection
* OS Detection
* Scriptable interaction with the target

Installation (Ubuntu 10.04 32-bit):

apt-get install build-essential checkinstall bzip2

wget http://nmap.org/dist/nmap-5.21.tar.bz2

bzip2 -cd nmap-5.21.tar.bz2 | tar xvf -

./configure --without-zenmap

make

checkinstall

dpkg -i nmap_5.21-1_i386.deb

Testing nmap:

nmap -v -n -sS scanme.nmap.org

Starting Nmap 5.21 ( http://nmap.org ) at 2010-09-25 07:07 UTC
Initiating Ping Scan at 07:07
Scanning scanme.nmap.org (64.13.134.52) [4 ports]
Completed Ping Scan at 07:07, 0.21s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 07:07
Scanning scanme.nmap.org (64.13.134.52) [1000 ports]
Discovered open port 22/tcp on 64.13.134.52
Discovered open port 80/tcp on 64.13.134.52
Discovered open port 53/tcp on 64.13.134.52
Completed SYN Stealth Scan at 07:07, 12.00s elapsed (1000 total ports)
Nmap scan report for scanme.nmap.org (64.13.134.52)
Host is up (0.21s latency).
Not shown: 993 filtered ports
PORT      STATE  SERVICE
22/tcp    open   ssh
25/tcp    closed smtp
53/tcp    open   domain
70/tcp    closed gopher
80/tcp    open   http
113/tcp   closed auth
31337/tcp closed Elite

Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 12.33 seconds
Raw packets sent: 2003 (88.084KB) | Rcvd: 16 (712B)

Happy scanning :-)
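The normal-format output above is easy to read but awkward to act on in bulk. The following is an added example, not part of the post or of Nmap itself: a small parser for Nmap normal output that turns the report block into a per-host structure and compares the open ports against an allow-list, which is the check a defender runs after scanning their own hosts. The sample input is the scanme.nmap.org output shown above; the allow-list {22, 80} and the function names are this example's own.

```python
import re

# Nmap normal-format output copied from the scan in the post (scanme.nmap.org),
# used here as the sample input.
SAMPLE_SCAN = """\
Starting Nmap 5.21 ( http://nmap.org ) at 2010-09-25 07:07 UTC
Initiating Ping Scan at 07:07
Scanning scanme.nmap.org (64.13.134.52) [4 ports]
Completed Ping Scan at 07:07, 0.21s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 07:07
Scanning scanme.nmap.org (64.13.134.52) [1000 ports]
Discovered open port 22/tcp on 64.13.134.52
Discovered open port 80/tcp on 64.13.134.52
Discovered open port 53/tcp on 64.13.134.52
Completed SYN Stealth Scan at 07:07, 12.00s elapsed (1000 total ports)
Nmap scan report for scanme.nmap.org (64.13.134.52)
Host is up (0.21s latency).
Not shown: 993 filtered ports
PORT      STATE  SERVICE
22/tcp    open   ssh
25/tcp    closed smtp
53/tcp    open   domain
70/tcp    closed gopher
80/tcp    open   http
113/tcp   closed auth
31337/tcp closed Elite

Read data files from: /usr/local/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 12.33 seconds
Raw packets sent: 2003 (88.084KB) | Rcvd: 16 (712B)
"""

REPORT_LINE = re.compile(r"^Nmap scan report for (\S+)(?: \((\d{1,3}(?:\.\d{1,3}){3})\))?")
HOST_LINE = re.compile(r"^Host is (up|down)")
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (\S+) ports")
PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp|sctp)\s+(open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+(\S+)")


def parse_nmap_normal(text):
    """Parse Nmap normal output into one dict per host:
    {"host", "ip", "up", "ports": [...], "not_shown": {state: count}}."""
    hosts = []
    current = None
    for line in text.splitlines():
        m = REPORT_LINE.match(line)
        if m:
            current = {"host": m.group(1), "ip": m.group(2) or m.group(1),
                       "up": None, "ports": [], "not_shown": {}}
            hosts.append(current)
            continue
        if current is None:
            continue  # preamble lines (Initiating/Discovered ...) before the first report block
        m = HOST_LINE.match(line)
        if m:
            current["up"] = m.group(1) == "up"
            continue
        m = NOT_SHOWN.match(line)
        if m:
            current["not_shown"][m.group(2)] = int(m.group(1))
            continue
        m = PORT_LINE.match(line)
        if m:
            current["ports"].append({"port": int(m.group(1)), "proto": m.group(2),
                                     "state": m.group(3), "service": m.group(4)})
    return hosts


def open_ports(host):
    """Sorted list of port numbers Nmap reported as open for this host."""
    return sorted(p["port"] for p in host["ports"] if p["state"] == "open")


def unexpected_open(host, allowed):
    """Open ports not in the allow-list; the allow-list is a hypothetical
    policy supplied by the caller, not something Nmap knows about."""
    return [p for p in open_ports(host) if p not in allowed]


if __name__ == "__main__":
    for h in parse_nmap_normal(SAMPLE_SCAN):
        print(h["host"], h["ip"], "up" if h["up"] else "down", "open:", open_ports(h))
        print("open but not in allow-list {22, 80}:", unexpected_open(h, {22, 80}))
```

Running it on the sample reports 22, 53 and 80 open and flags 53 as not in the allow-list. For real inventories prefer `-oX` and the XML output, which is the format Ncrack (first post above) consumes; the normal-output parser is handy when that is all you have saved.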


Kill the hash with hashKill

» 24 September 2010 » In Uncategorized » 6 Comments

About:

Hashkill is a multithreaded password cracker that uses the OpenSSL library to crack different types of password hashes. Several plugins are available to extend its cracking capabilities; the most common are md5md5, cisco-pix, mysql5 and oracle11g. Hashkill supports ‘cracking sessions’, so that in case of a power failure or an accidental kill/crash of the program you can continue from the last checkpoint. In this howto I’m going to illustrate how to install and use hashKill on Ubuntu 10.04.

DISCLAIMER:
This tool can cause harm to the normal operation of your network/servers if used improperly. Use it only on your own networks/servers, or on networks/servers for which you have been given permission to test. Before using this tool, please read the available documentation.

Main Features:

* cracks lots of different types of password hashes on Linux
* easy-to-use command-line interface
* multithreaded
* SSE2 accelerated
* open source, GPL licensed

Its disadvantage at the moment is that it does not support GPU-based cracking.

Installation (Ubuntu 10.04 32-bit):

apt-get install build-essential checkinstall pkg-config libssl-dev zlib1g-dev zlib1g libcompfaceg1-dev automake1.9

wget http://ignum.dl.sourceforge.net/project/hashkill/hashkill-0.2.3b.tar.gz

tar xvfz hashkill-0.2.3b.tar.gz

./configure
make
checkinstall
dpkg -i hashkill_0.2.3b-1_i386.deb
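The hashkill, Nmap and Ncrack posts all fetch a release tarball with wget and unpack it with tar before building. Two checks are worth doing between those steps: that the archive matches the checksum or signature the project publishes (taken from a trusted source, not from the same download location), and that it contains no member names that would write outside the extraction directory. The following is an added example, not code from any of these projects. The archives it builds are constructed samples written to a temporary directory, and their expected digests are computed from them, so it runs offline; in real use the expected digest is the project's published value.

```python
import hashlib
import io
import os
import posixpath
import tarfile
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _escapes(name):
    """True if a member path would land outside the extraction directory."""
    norm = posixpath.normpath(name)
    return name.startswith("/") or norm == ".." or norm.startswith("../")


def unsafe_members(path):
    """Names of tar members that are absolute, climb above the extraction
    directory with '..', or are links whose target does so."""
    bad = []
    with tarfile.open(path, "r:*") as tar:
        for m in tar.getmembers():
            if _escapes(m.name):
                bad.append(m.name)
            elif m.issym() or m.islnk():
                # hard links are relative to the archive root, symlinks to their own directory
                target = m.linkname if m.islnk() else posixpath.join(posixpath.dirname(m.name), m.linkname)
                if _escapes(m.linkname) or _escapes(target):
                    bad.append(m.name)
    return bad


def check_tarball(path, expected_sha256):
    """Return (ok, message): verify the digest first, then the member names."""
    digest = sha256_file(path)
    if digest != expected_sha256.lower():
        return False, "sha256 mismatch: got " + digest
    bad = unsafe_members(path)
    if bad:
        return False, "unsafe member names: " + ", ".join(bad)
    return True, "ok"


def build_tarball(path, members):
    """Write a .tar.gz from (name, bytes) pairs; used only to construct samples."""
    with tarfile.open(path, "w:gz") as tar:
        for name, data in members:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))


def run_demo():
    """Build two constructed sample archives and run the checks on them."""
    work = tempfile.mkdtemp()
    good = os.path.join(work, "tool-1.0.tar.gz")
    build_tarball(good, [("tool-1.0/configure", b"#!/bin/sh\n"),
                         ("tool-1.0/main.c", b"int main(void) { return 0; }\n")])
    bad = os.path.join(work, "bad.tar.gz")
    build_tarball(bad, [("tool-1.0/README", b"x\n"), ("../evil.sh", b"echo oops\n")])
    return {
        "good_ok": check_tarball(good, sha256_file(good)),
        "good_wrong_digest": check_tarball(good, "0" * 64),
        "bad_members": unsafe_members(bad),
        "bad": check_tarball(bad, sha256_file(bad)),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The digest is checked before the archive is opened so that a tampered file is never parsed at all. On Python 3.12 and later `tarfile.extractall(filter="data")` refuses such members at extraction time; the check above lets you reject the archive before extracting on any version, which matches the `tar xvfz` step in the posts.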

Plugins available:

apr1, cisco-pix, desunix, hashunix, ipb2, ldap-sha, ldap-ssha, lm, md4, md5md5, md5-passsalt, md5-saltpass, md5, mssql-2000, mssql-2005, mysql5, mysql-old, ntlm, oracle11g, oracle-old, phpbb3, privkey, ripemd160, sha1, sha256, sha512, smf, vbulletin, wordpress, zip

Examples:

Simple MD5 hash list (saved as hashlist.txt):

e206a54e97690cce50cc872dd70ee896
106a6c241b8797f52e1e77317b96a201
9a1f30943126974075dbd4d13c8018ac

hashkill -f hashlist.txt

Attack statistics…
Speed: 8005 KPlaintexts/sec   Cracked: 3 hashes

[hashkill] Markov attack complete. It took 5 seconds…

[hashkill] -= Cracked list =-

Username:         Hash:                         Preimage:
———————————————————————————–
N/A                 9a1f30943126974075dbd4d13c8018ac             rock
N/A                 106a6c241b8797f52e1e77317b96a201             home
N/A                 e206a54e97690cce50cc872dd70ee896             linux

[hashkill] Bye bye :)

MySQL 5 hash:

hashkill --plugin mysql5 6F3CAE7C3BBB2A5B5D933738682953BC21AEBEE7

Attack statistics…
Speed: 1304 KPlaintexts/sec   Cracked: 1 hashes

[hashkill] Markov attack complete. It took 15 seconds…

[hashkill] -= Cracked list =-

Username:         Hash:                         Preimage:
———————————————————————————–
N/A                 6f3cae7c3bbb2a5b5d933738682953bc21aebee7     linux

[hashkill] Bye bye :)


Cisco PIX hash:

hashkill --plugin cisco-pix PVSASRJovmamnVkD
Attack statistics…
Speed: 4652 KPlaintexts/sec   Cracked: 1 hashes

[hashkill] Markov attack complete. It took 6 seconds…

[hashkill] -= Cracked list =-

Username:         Hash:                         Preimage:
———————————————————————————–
PIX enable pwd      PVSASRJovmamnVkD                             admin

[hashkill] Bye bye :)
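The three examples above crack in seconds because every hash is unsalted and fast, and hashkill has to be told the plugin because a bare hex digest does not identify its algorithm. The following is an added example, not hashkill's code, for the defender's side of that observation: it classifies a stored hash by its shape and reports whether it is salted, shows the MySQL 4.1+ PASSWORD() format (`*` followed by uppercase hex of SHA1(SHA1(password)), which is what the mysql5 plugin attacks), and contrasts it with a salted, iterated PBKDF2 record. The sample hashes are the ones from the post; the `pbkdf2_sha256$...` storage format and all function names are this example's own convention, and it does not attempt to recover any of the posted hashes.

```python
import hashlib
import hmac
import os
import re

# Hashes taken from the hashkill examples in the post, used as sample input.
SAMPLE_MD5 = ["e206a54e97690cce50cc872dd70ee896",
              "106a6c241b8797f52e1e77317b96a201",
              "9a1f30943126974075dbd4d13c8018ac"]
SAMPLE_MYSQL5 = "6F3CAE7C3BBB2A5B5D933738682953BC21AEBEE7"


def mysql5_hash(password):
    """MySQL 4.1+ PASSWORD(): '*' + uppercase hex of SHA1(SHA1(password)).
    There is no salt, so every account with the same password stores the
    same value and one guess is checked against all of them at once."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def classify_hash(h):
    """Guess the storage format from the shape of the string and report whether
    it is salted. A bare hex digest is ambiguous (40 hex chars may be SHA-1,
    RIPEMD-160 or a MySQL5 hash with its leading '*' stripped), which is why
    hashkill must be told the plugin with --plugin."""
    s = h.strip()
    if re.fullmatch(r"\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}", s):
        return {"candidates": ["md5crypt"], "salted": True}
    if re.fullmatch(r"\$apr1\$[^$]{1,8}\$[./0-9A-Za-z]{22}", s):
        return {"candidates": ["apr1"], "salted": True}
    if s.startswith("pbkdf2_sha256$"):
        return {"candidates": ["pbkdf2_sha256"], "salted": True}
    if re.fullmatch(r"\*[0-9A-Fa-f]{40}", s):
        return {"candidates": ["mysql5"], "salted": False}
    if re.fullmatch(r"[0-9A-Fa-f]{32}", s):
        return {"candidates": ["md5", "md4", "ntlm", "lm"], "salted": False}
    if re.fullmatch(r"[0-9A-Fa-f]{40}", s):
        return {"candidates": ["sha1", "ripemd160", "mysql5 without '*'"], "salted": False}
    if re.fullmatch(r"[0-9A-Fa-f]{64}", s):
        return {"candidates": ["sha256"], "salted": False}
    if re.fullmatch(r"[0-9A-Fa-f]{128}", s):
        return {"candidates": ["sha512"], "salted": False}
    return {"candidates": ["unknown"], "salted": None}


def pbkdf2_store(password, iterations=200_000):
    """Salted, iterated storage in this example's own record format:
    pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def pbkdf2_verify(stored, password):
    """Recompute the derived key from the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for h in SAMPLE_MD5 + [SAMPLE_MYSQL5]:
        print(h, classify_hash(h))
    print(mysql5_hash("example"), classify_hash(mysql5_hash("example")))
    stored = pbkdf2_store("example")
    print(stored, pbkdf2_verify(stored, "example"), pbkdf2_verify(stored, "wrong"))
```

Two things the output makes concrete: the same password always yields the same mysql5 or md5 value, so one candidate is tested against every account at the speeds shown above, while two `pbkdf2_store` calls for the same password give different records and each one costs the attacker the full iteration count.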


network assessment and analysis with nast

» 22 September 2010 » In Uncategorized » 1 Comment

About:
Nast is a packet sniffer and LAN analyzer that can perform a broad range of advanced network analysis and security assessments. A very comprehensive syntax and human-readable output make its usage less cryptic. It isn’t a replacement for Tcpdump, it’s an addition!

DISCLAIMER:
This tool can cause harm to the normal operation of your network/servers if used improperly. Use it only on your own networks/servers, or on networks/servers for which you have been given permission to test. Before using this tool, please read the available documentation.

Main Features:

* Build LAN hosts list
* Follow a TCP-DATA stream
* Find LAN Internet gateways
* Discover promiscuous nodes
* Reset an established connection
* Perform a single half-open port scan
* Perform a multi half-open port scan
* Find link type (hub or switch)
* Catch daemon banners of LAN nodes
* Control ARP answers to discover possible ARP-spoofing
* Byte counting with an optional filter
* Write report logs

Installation (Ubuntu 10.04):

apt-get install nast

Examples:

* Map the LAN by sending a series of ARP requests to sequential subnet IP addresses.

# nast -m

Nast V. 0.2.0

Mapping the Lan for 255.255.255.0 subnet … please wait

MAC address        Ip address (hostname)
===========================================================
00:18:F8:78:6E:35     192.168.1.1 (unknown) (*)
00:14:D7:02:4F:54     192.168.1.2 (192.168.1.2)
00:0C:29:EF:82:91     192.168.1.3 (192.168.1.3)
00:0C:29:3A:93:DC     192.168.1.4 (192.168.1.4)
00:0C:29:36:AE:D3     192.168.1.5 (192.168.1.5)
00:0C:29:68:D3:F8     192.168.1.6 (192.168.1.6)
00:0A:5E:53:65:C8     192.168.1.7 (192.168.1.7)
00:0C:29:36:FF:D4     192.168.1.8 (192.168.1.8)
00:1E:E5:84:C8:C3     192.168.1.9 (192.168.1.9)

(*) This is localhost

* Check for other NICs on the LAN with the promiscuous flag set.

# nast -P all

Nast V. 0.2.0

This check can have false response, pay attention!
Probe for hosts…done

192.168.1.1 (unknown)   ———> Found!

*Try to find possible Internet-gateways.

# nast -g

Nast V. 0.2.0

Finding suitable hosts (excluding localhost) ->
Done

Trying 192.168.1.1 (00:18:E8:78:5E:35)-> Good

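The `nast -m` table above is a snapshot of which MAC answers for each IP. Nast's feature list includes watching ARP answers for possible spoofing; a cheap way to do the same from the outside is to keep a baseline map and diff later runs against it. The following is an added example, not nast's own code: it parses the `nast -m` output format shown above, then reports IPs whose MAC changed, MACs now claiming more than one IP, and hosts that appeared or disappeared. The baseline is the table from the post; the second snapshot is constructed for the example (192.168.1.1 answering with the MAC that belonged to 192.168.1.8, plus a new host 192.168.1.10 with the made-up MAC 00:0C:29:AA:BB:CC).

```python
import re

# Output of `nast -m` as shown in the post, used as the baseline snapshot.
BASELINE_TEXT = """\
MAC address        Ip address (hostname)
===========================================================
00:18:F8:78:6E:35     192.168.1.1 (unknown) (*)
00:14:D7:02:4F:54     192.168.1.2 (192.168.1.2)
00:0C:29:EF:82:91     192.168.1.3 (192.168.1.3)
00:0C:29:3A:93:DC     192.168.1.4 (192.168.1.4)
00:0C:29:36:AE:D3     192.168.1.5 (192.168.1.5)
00:0C:29:68:D3:F8     192.168.1.6 (192.168.1.6)
00:0A:5E:53:65:C8     192.168.1.7 (192.168.1.7)
00:0C:29:36:FF:D4     192.168.1.8 (192.168.1.8)
00:1E:E5:84:C8:C3     192.168.1.9 (192.168.1.9)
"""

# Constructed later snapshot (not from the post): .1 now answers with the MAC
# of .8, and a new host .10 with a made-up MAC has appeared.
LATER_TEXT = """\
MAC address        Ip address (hostname)
===========================================================
00:0C:29:36:FF:D4     192.168.1.1 (unknown) (*)
00:14:D7:02:4F:54     192.168.1.2 (192.168.1.2)
00:0C:29:EF:82:91     192.168.1.3 (192.168.1.3)
00:0C:29:3A:93:DC     192.168.1.4 (192.168.1.4)
00:0C:29:36:AE:D3     192.168.1.5 (192.168.1.5)
00:0C:29:68:D3:F8     192.168.1.6 (192.168.1.6)
00:0A:5E:53:65:C8     192.168.1.7 (192.168.1.7)
00:0C:29:36:FF:D4     192.168.1.8 (192.168.1.8)
00:1E:E5:84:C8:C3     192.168.1.9 (192.168.1.9)
00:0C:29:AA:BB:CC     192.168.1.10 (192.168.1.10)
"""

MAP_LINE = re.compile(
    r"^([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\((.*?)\)")


def parse_nast_map(text):
    """Return {ip: MAC} from `nast -m` output; header and separator lines are skipped."""
    table = {}
    for line in text.splitlines():
        m = MAP_LINE.match(line.strip())
        if m:
            table[m.group(2)] = m.group(1).upper()
    return table


def compare_snapshots(baseline, current):
    """Diff two {ip: MAC} maps. A changed MAC for a known IP (especially the
    gateway) and one MAC claiming several IPs are the ARP-spoofing indicators;
    new and missing hosts are inventory changes worth a look."""
    changed = {ip: (baseline[ip], current[ip])
               for ip in baseline if ip in current and baseline[ip] != current[ip]}
    new_hosts = {ip: mac for ip, mac in current.items() if ip not in baseline}
    missing = sorted(ip for ip in baseline if ip not in current)
    by_mac = {}
    for ip, mac in current.items():
        by_mac.setdefault(mac, []).append(ip)
    duplicates = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return {"mac_changed": changed, "new_hosts": new_hosts,
            "missing": missing, "duplicate_macs": duplicates}


if __name__ == "__main__":
    report = compare_snapshots(parse_nast_map(BASELINE_TEXT), parse_nast_map(LATER_TEXT))
    for key, value in report.items():
        print(key, value)
```

A MAC change is only an indicator: DHCP reassignments, a replaced NIC or a failover pair change MACs legitimately, so confirm against the switch's MAC table or the gateway's real hardware address before treating it as spoofing.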


Metasploitable easy console configuration

» 18 September 2010 » In Uncategorized » 1 Comment


In this post I’m going to share a tweak for the Metasploitable virtual machine. The confconsole add-on improves the appliance administration tasks (setting a static IP address, requesting DHCP, rebooting the appliance, shutting down the appliance) through a nice and friendly ncurses interface.

Thanks again to the turnkey crew www.turnkeylinux.org and the metasploit/metasploitable developers.

Installation:

Log in to the Metasploitable box with msfadmin:msfadmin and become root:
sudo -su

Download the GPG key:
wget http://code.turnkeylinux.org/turnkey-keyring/turnkey-release-keyring.gpg
apt-key add turnkey-release-keyring.gpg

Open the sources file:
vim /etc/apt/sources.list

Add the turnkey repository:
deb http://archive.turnkeylinux.org/ubuntu hardy main
deb http://archive.turnkeylinux.org/ubuntu hardy universe

apt-get update
apt-get install confconsole

You can tweak the confconsole from the usage.txt file:
vim /etc/confconsole/usage.txt

Reboot the Metasploitable box and enjoy :-)
