Fortigate SSH Backdoor Password Calculator

Recently Fortinet confirmed there was a backdoor in their firewalls which impacted FortiGate OS versions 4.x to 5.0.7. An exploit was released in the wild, but it took some effort to get working (I am looking at you: paramiko/termios/msvcrt). So I ported the code to create a quick and dirty password calculator that will help in pwning Fortinet firewalls running vulnerable versions.

Tested it on test firewalls and it works like a charm : )

https://packetstormsecurity.com/files/136430/Fortigate-Backdoor-Password-Calculator.html


Ngrep–Grep patterns in Network traffic

We have got a lot of packet sniffer/analyzer software out there, and I am a self-confessed Wireshark & Ettercap lover, but still, when it comes to analyzing network traffic from the command line in a fast manner, ngrep is one of my favourites. Written by Jordan Ritter, it's used to "grep" traffic patterns from the network interfaces. As per the official documentation -

ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.

ngrep runs on Windows & *nix platforms alike; on Windows it relies on WinPcap, so you need WinPcap installed to run it.


Once installed, it uses the first interface on your machine by default, so make sure to check the detected interfaces by running -

C:\Users\RISHABH\Desktop>ngrep -L
idx     dev
---     ---
1:     \Device\NPF_{4D491111-D331-42BC-9A33-98EF8C40D422} (Microsoft)
2:     \Device\NPF_{ADBF6AC1-D111-463D-8D99-C58FA1BEF979} (Sun)
3:     \Device\NPF_{6F801AE0-CA61-4A6D-B5FF-DCB7CE8FC529} (VMware Virtual Ethernet Adapter)
4:     \Device\NPF_{930B6EC8-A5E3-4FFA-B68F-F159FDFC2064} (VMware Virtual Ethernet Adapter)
5:     \Device\NPF_{D1999293-A041-4C2A-B63F-5D8B4906000F} (Realtek PCIe GBE Family Controller)
exit

Now, for example, if you want to check out what's going on at port 23 using interface 5:

C:\Users\RISHABH\Desktop>ngrep -d 5  port 23
interface: \Device\NPF_{D1999293-A041-4C2A-B63F-5D8B4906000F} (192.168.1.0/255.255.255.0)
filter: (ip or ip6) and ( port 23 )
exit
0 received, 0 dropped

Piece of cake. And if you want to search web traffic on port 80 for the keyword "password":

ngrep -d 5 "password" port 80

Easy, ain't it? Ngrep does it all :] With some complex grep patterns, you can become a pcap ninja.
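To show what ngrep is doing under the hood (BPF-style port filter first, then a regular expression over the packet payload), here is an added example that is not part of the original post or of ngrep itself. It builds a few constructed Ethernet/IPv4/TCP frames and "greps" them the way `ngrep "password" port 80` would; the sample payloads, addresses and ports are all made up.

```python
import re
import struct

def build_frame(src_port, dst_port, payload):
    """Build a constructed Ethernet II + IPv4 + TCP frame (sample data, not a real capture)."""
    eth = b"\x00" * 12 + struct.pack("!H", 0x0800)          # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 1]))
    return eth + ip + tcp + payload

def parse_frame(frame):
    """Return (proto, sport, dport, payload) for IPv4 TCP/UDP frames, else None."""
    if frame[12:14] != b"\x08\x00":                         # not IPv4
        return None
    ip = frame[14:]
    l4 = ip[(ip[0] & 0x0F) * 4:]                            # skip IHL*4 header bytes
    proto = ip[9]
    if proto not in (6, 17):
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    offset = (l4[12] >> 4) * 4 if proto == 6 else 8         # TCP data offset vs fixed UDP header
    return ("tcp" if proto == 6 else "udp", sport, dport, l4[offset:])

def grep_frames(frames, pattern, port=None):
    """Mimic `ngrep "pattern" port N`: apply the port filter first, then regex-match the payload."""
    rx = re.compile(pattern.encode(), re.IGNORECASE)
    hits = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        proto, sport, dport, payload = parsed
        if port is not None and port not in (sport, dport):
            continue
        if rx.search(payload):
            hits.append((proto, sport, dport, payload))
    return hits

# Constructed sample traffic: an HTTP login POST, a telnet password prompt, and a plain HTTP GET.
SAMPLE_FRAMES = [
    build_frame(51000, 80, b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n\r\nuser=bob&password=hunter2"),
    build_frame(51001, 23, b"login: admin\r\nPassword: "),
    build_frame(51002, 80, b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
]

if __name__ == "__main__":
    for proto, sport, dport, payload in grep_frames(SAMPLE_FRAMES, "password"):
        print("%s %d -> %d: %r" % (proto, sport, dport, payload[:60]))
```

Any hit here is a credential crossing the wire in cleartext, which is exactly the kind of thing a blue team wants to find before anyone else does.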

Well, you can

  1. Download Ngrep from here
  2. Check out documentation and examples here
  3. Learn about Wireshark from here

Wardriving at Delhi–Wardriving revisited

The last time I wardrived in Delhi was over 2 years ago; I was at Tulip Telecom then and was doing something of a personal project. Well, now I am at Orange and thought of replicating the feat. This time I will be publishing the details of the networks I wardrived while going from Delhi to Gurgaon. It was done using a combination of G-Mon, Kismet and Moocherhunter, and you just might find it useful. I intend to make a map of Delhi with all the access points, which does sound incredulous and far fetched, but yep, I intend to do it and I am doing it bit by bit. It helps to analyse, in layman's terms -
  1. The security awareness of people and organizations
  2. The devices they are using
  3. The security mechanisms they are using.
  4. Wifi range analysis of individual device.
Well, in all, you can find the data at the links below -
  1. Hotspot details / BSSID (See if you are on the list) =))
  2. Google Maps KML Data (See it in Google Maps)
If you are interested in contributing to the data, please contact me at admin<at>theprohack.com

Happy Wardriving
- Rishabh Dangwal

winAUTOPWN v2.7 Released - Vulnerability Testing on Windows

winAUTOPWN and bsdAUTOPWN are minimal interactive frameworks which act as a frontend for quick systems vulnerability exploitation. It takes inputs like IP address, hostname, CMS path, etc. and does a smart multi-threaded portscan for TCP ports 1 to 65535. Exploits capable of giving remote shells, which are released publicly over the Internet by active contributors and exploit writers, are constantly added to winAUTOPWN/bsdAUTOPWN. A lot of these exploits are written in scripting languages like Python, Perl and PHP. Presence of these language interpreters is essential for successful exploitation using winAUTOPWN/bsdAUTOPWN.


Exploits written in languages like C, Delphi and ASM, which can be compiled, are pre-compiled and added along with the others. On successful exploitation winAUTOPWN/bsdAUTOPWN gives a remote shell and waits for the attacker to use the shell before trying other exploits. This way the attacker can count and check the number of exploits which actually worked on a target system.

Download
Read more here

Download SQL Injection tool - SQL injection automated software SQLMAP

Sqlmap is an open source command-line automatic SQL injection tool whose goal is to detect and take advantage of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target host, the user can choose among a variety of options: perform an extensive back-end database management system fingerprint, retrieve the DBMS session user and database, enumerate users, password hashes, privileges and databases, dump entire or user-specified DBMS tables/columns, run their own SQL statements, read or write text or binary files on the file system, execute arbitrary commands on the operating system, establish an out-of-band stateful connection between the attacker box and the database server via a Metasploit payload stager, database stored procedure buffer overflow exploitation or SMB relay attack, and more.

Enthusiasts can experiment with its options and pwn many of the servers around, or can test their skills at securing their own servers. But remember, sqlmap is a tool; it might help you find and exploit vulnerabilities and injections, but in the end you really must have a good knowledge of SQL for some real pwning out there.
You Can download sqlmap 0.7 here:
Linux Source: sqlmap-0.7.tar.gz
Windows Portable: sqlmap-0.7_exe.zip

Wardriving with Android | Hacking Wifi networks with Android | Wifi Network Audit using Android | Wifu with android | Best wardriving applications on android

Hi friends.. I recently bought an HTC Wildfire and have been experimenting with it to the fullest. It's based on Android 2.2.1 Froyo and is unrootable till date using the Unrevoked, SuperOneClick and z4root rooting applications, hence I am a bit limited to the default manufacturer-only functions. I nearly bricked my phone, but it sprang back to life after some tries. On topic though: I was actually quite interested in testing the wardriving capabilities of the device, and on scrolling through the app market I found some useful applications which I thought I must share with you. Wardriving for me is a two step process -

G-mon

G-mon is a powerful wardriving scanner and GSM/UMTS netmonitor and drive test tool. It scans for all WiFi networks in range & saves the data with GPS coordinates into a file on your SD card. You can create a KML file for Google Earth. It shows you the encryption, channel and signal strength, and shows all APs in range on a live map. I used it to collect lots of wifi data which I will be publishing soon.

Install it from here


Wardrive

Another fantastic wardriving app, which stores scans in an SQLite database on the SD card and displays the networks found around you on the map. It requires Google Maps to be installed.

Install it from here


Wifi Analyzer

This app literally turns your Android phone into a Wi-Fi analyzer! It helps you find a less crowded channel for your wireless router and allows you to audit networks.

Install it from here


Once you have found networks, you can then break into them using Aircrack and BackTrack. It's easy and worth its salt :) . Here is a slice of my wardriving logs from while I was on a DTC bus :D

BSSID;LAT;LON;SSID;Crypt;Beacon Interval;Connection Mode;Channel;RXL;Date;Time
00:08:5C:EF:08:F0;28.56602;77.22951;Adiva;WpaPsk;-93;Infra;11;-92;2011/03/17;18:52:01
00:08:9F:81:8F:C4;28.56944;77.20531;Car0baR;WPA2;-96;Infra;6;-95;2011/03/17;18:58:30
00:0F:A3:6A:88:B8;28.56804;77.22473;sbi;Wep;-93;Infra;6;-91;2011/03/17;18:53:02
00:17:9A:09:D1:79;28.56813;77.22440;WebunivM;Wep;-93;Infra;6;-91;2011/03/17;18:53:05
00:18:02:87:02:8F;28.56845;77.22306;RT2561_6;Wep;-94;Infra;6;-93;2011/03/17;18:53:18
00:18:02:8E:32:5A;28.56885;77.21437;SrDDGA;WpaPsk;-91;Infra;6;-90;2011/03/17;18:55:31
00:18:02:92:A2:73;28.56955;77.20365;mtnlbb;Wep;-90;Infra;6;-89;2011/03/17;19:00:21
00:18:39:AA:5E:B8;28.56845;77.22306;Neeta;Wep;-89;Infra;11;-88;2011/03/17;18:53:18

At the end of the day, the moment that put a smile on my face was when I saw this as a network name near Delhi Cantt -

“You cant hack this Wifi dear neighbor”

It was a WPA2/PSK secured network with static IPs and MAC filtering, and the guy knew what he was doing :) Watching secured networks always makes my day.
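As an added example that is not part of the original post or of G-mon, here is a small parser for the semicolon-separated G-mon log format shown above. It does the "security awareness" tally the Delhi wardriving post talks about (networks per encryption type, WEP stragglers) and writes the KML that G-mon and Google Earth use; the rows are copied from the log above, and the set of encryption labels treated as weak is an assumption.

```python
import csv
import io
from collections import Counter
from xml.sax.saxutils import escape

# Sample rows taken from the G-mon log shown above (header plus four entries).
GMON_LOG = """BSSID;LAT;LON;SSID;Crypt;Beacon Interval;Connection Mode;Channel;RXL;Date;Time
00:08:5C:EF:08:F0;28.56602;77.22951;Adiva;WpaPsk;-93;Infra;11;-92;2011/03/17;18:52:01
00:08:9F:81:8F:C4;28.56944;77.20531;Car0baR;WPA2;-96;Infra;6;-95;2011/03/17;18:58:30
00:0F:A3:6A:88:B8;28.56804;77.22473;sbi;Wep;-93;Infra;6;-91;2011/03/17;18:53:02
00:18:02:87:02:8F;28.56845;77.22306;RT2561_6;Wep;-94;Infra;6;-93;2011/03/17;18:53:18
"""

# Assumed: "Wep" is the label seen in the log; "None" is a guess at how G-mon marks open APs.
WEAK_CRYPT = {"Wep", "None"}

def parse_gmon(text):
    """Parse G-mon's semicolon-separated export into dicts with typed coordinate/channel fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), delimiter=";"):
        row["LAT"], row["LON"] = float(row["LAT"]), float(row["LON"])
        row["Channel"], row["RXL"] = int(row["Channel"]), int(row["RXL"])
        rows.append(row)
    return rows

def crypt_summary(rows):
    """Networks per encryption type: the 'security awareness' view the post wants to build."""
    return Counter(r["Crypt"] for r in rows)

def weak_networks(rows):
    """(SSID, BSSID, Crypt) for access points still on WEP or no encryption at all."""
    return [(r["SSID"], r["BSSID"], r["Crypt"]) for r in rows if r["Crypt"] in WEAK_CRYPT]

def to_kml(rows):
    """Minimal KML with one Placemark per AP; KML wants lon,lat order and XML-escaped names."""
    marks = []
    for r in rows:
        marks.append(
            "<Placemark><name>%s</name><description>%s %s ch%d RXL %d</description>"
            "<Point><coordinates>%s,%s,0</coordinates></Point></Placemark>"
            % (escape(r["SSID"]), r["BSSID"], r["Crypt"], r["Channel"], r["RXL"], r["LON"], r["LAT"]))
    return ('<?xml version="1.0" encoding="UTF-8"?>\n'
            '<kml xmlns="http://www.opengis.net/kml/2.2"><Document>%s</Document></kml>'
            % "".join(marks))

if __name__ == "__main__":
    aps = parse_gmon(GMON_LOG)
    print(dict(crypt_summary(aps)))
    print(weak_networks(aps))
    print(to_kml(aps))
```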