Fast Hash Cracking Software

It seems that John the Ripper (JtR) has been outdone by some of the latest hash cracking software in the business! Hashcat and oclHashcat (hashcat.net) are forging ahead, supporting 33 and 13 hash types respectively. Did I mention oclHashcat uses the GPU of CUDA-based video cards for seriously parallel processing? Well it does.

Howto Setup Multi threaded John the Ripper

This article has an updated version -> Here

Today at work a client needed to access a Cisco router, but no-one knew the password. We did have the config files saved, though, and they included the MD5 hashes of the enable and enable secret passwords. So I set about cracking the hashes (which was done successfully, btw). Following on from that I remembered a John the Ripper MPI patch I had seen some time ago; I ended up getting it going at home and the results are good!

Directions for installation are as follows (on Fedora 11):

    yum install mpich2 mpich2-devel
    wget http://www.bindshell.net/tools/johntheripper/john-1.7.2-bp17-mpi8.tar.gz
    tar -zxvf john-1.7.2-bp17-mpi8.tar.gz
    cd john-1.7.2-bp17/src
    make linux-x86-64    # for the 64-bit version, duh!
    cd ../run
    touch ~/.mpd.conf && echo "MPD_SECRETWORD=secret" > ~/.mpd.conf && chmod 600 ~/.mpd.conf
    mpd &
    mpiexec.py -n 4 -path ./ -wdir ./ ./john --test

Initial benchmarking looks good. Below is 1 core vs 4 cores (1 core figures / 4 core figures):

    Traditional DES [128/128 BS SSE2-16]
    1591K c/s real, 1594K c/s virtual / 6131K c/s real, 6380K c/s virtual
    BSDI DES (x725) [128/128 BS SSE2-16]
    Many salts: 53222 c/s real, 53329 c/s virtual / Many salts: 207665 c/s real, 215407 c/s virtual
    FreeBSD MD5 [32/64 X2]
    Raw: 9718 c/s real, 9816 c/s virtual / Raw: 37720 c/s real, 39581 c/s virtual
    mysql [mysql]
    Raw: 2571K c/s real, 2571K c/s virtual / Raw: 9397K c/s real, 10254K c/s virtual

About a 100% increase per core! Life is good!
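To put a number on that claim, here is an added script (not from the post or from the JtR project) that parses the paired "1 core / 4 cores" benchmark lines in the format quoted above and works out the speedup and per-core efficiency for each hash type. The sample text is constructed from the figures in the post; the 4-core count is an assumption passed in by the caller.

```python
import re

# Constructed from the benchmark figures quoted in the post: an algorithm
# name line followed by "<1 core result> / <4 core result>".
BENCHMARK_TEXT = """\
Traditional DES [128/128 BS SSE2-16]
1591K c/s real, 1594K c/s virtual / 6131K c/s real, 6380K c/s virtual
BSDI DES (x725) [128/128 BS SSE2-16]
Many salts: 53222 c/s real, 53329 c/s virtual / Many salts: 207665 c/s real, 215407 c/s virtual
FreeBSD MD5 [32/64 X2]
Raw: 9718 c/s real, 9816 c/s virtual / Raw: 37720 c/s real, 39581 c/s virtual
mysql [mysql]
Raw: 2571K c/s real, 2571K c/s virtual / Raw: 9397K c/s real, 10254K c/s virtual
"""

# JtR prints rates like "1591K c/s real"; only the "real" (wall-clock) figure matters here.
_RATE = re.compile(r"(\d+(?:\.\d+)?)([KMG]?) c/s real")
_SUFFIX = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_rate(fragment):
    """Return the 'c/s real' figure in one half of a benchmark line as an int."""
    m = _RATE.search(fragment)
    if not m:
        raise ValueError("no 'c/s real' figure in: %r" % fragment)
    return int(float(m.group(1)) * _SUFFIX[m.group(2)])


def parse_benchmark(text, cores):
    """Map algorithm name -> (single_rate, multi_rate, speedup, per_core_efficiency)."""
    results = {}
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for name, figures in zip(lines[0::2], lines[1::2]):
        single, multi = (parse_rate(part) for part in figures.split(" / ", 1))
        speedup = multi / single
        results[name.strip()] = (single, multi, speedup, speedup / cores)
    return results


def summarize(text, cores=4):
    """Speedup per algorithm, rounded to two decimals."""
    return {name: round(vals[2], 2) for name, vals in parse_benchmark(text, cores).items()}


if __name__ == "__main__":
    for name, (single, multi, speedup, eff) in parse_benchmark(BENCHMARK_TEXT, 4).items():
        print("%-38s %9d -> %9d c/s  x%.2f  (%.0f%% per core)" % (name, single, multi, speedup, eff * 100))
```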

RSDF Files – How to Decrypt / Crack

Recently I came across a new file format called RSDF. These appear to be text files with a bunch of links in them, so-called link containers. I wanted to access the URLs in these files, but I didn't really want to entrust my computer to just "any" application. So after a bit of searching I came across a crafty German website, and from there I got the Python script to decrypt RSDF files. This Python script requires:

Python (doh!!)
Python-crypto
Probably something else also…..

From there it's as simple as: drsdf.py rsdfcontainer.rsdf
and it outputs to your screen! So without further ado, here it is:

    #!/usr/bin/env python3
    # drsdf.py - decrypt an RSDF link container and print the links it holds

    import binascii
    import base64
    import sys
    from Crypto.Cipher import AES   # python-crypto (or its pycryptodome successor)

    # Fixed RSDF container key, 20 bytes zero-padded to 24 bytes (AES-192):
    # 8C 35 19 2D 96 4D C3 18 2C 6F 84 F3 25 22 39 EB 4A 32 0D 25

    path = sys.argv[1]

    # Truncate the container at the first NUL byte (some files carry junk after it)
    # and write it back so the hex decode below does not choke on it.
    path = path.replace(".ccf", ".rsdf")
    with open(path, "rb") as f:
        data = f.read()
    with open(path, "wb") as f:
        f.write(data.split(b"\x00")[0])

    infile = sys.argv[1]
    Key = binascii.unhexlify('8C35192D964DC3182C6F84F3252239EB4A320D2500000000')

    # The CFB IV is not stored in the file: it is 16 bytes of 0xFF encrypted
    # with the key in ECB mode.
    IV = binascii.unhexlify('FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF')
    IV_Cipher = AES.new(Key, AES.MODE_ECB)
    IV = IV_Cipher.encrypt(IV)

    # One CFB cipher object (8-bit segments, the library default) is reused for
    # every link, so the keystream state carries over from one line to the next.
    obj = AES.new(Key, AES.MODE_CFB, IV)

    with open(infile, 'rb') as rsdf:
        data = rsdf.read()

    # The container body is hex text; decode it to get one base64 line per link.
    data = binascii.unhexlify(b''.join(data.split()))
    data = data.splitlines()

    for link in data:
        if not link:
            continue
        link = base64.b64decode(link)
        link = obj.decrypt(link)
        print(link.decode('latin-1').replace('CCF: ', ''))

Happy Downloading!

Boot USB Drive in QEMU under Windows

Hooray! I did it!
I have managed to boot my bootable USB pendrive (BackTrack 3) under QEMU within Windows XP.

For those of you who want the magic one-liner, here you are:

    qemu.exe -L . -m 512 -std-vga -hda \\.\PhysicalDrive2 -soundhw all -localtime -M pc -kernel ../../boot/vmlinuz -initrd ../../boot/initrd.gz -append "root=/dev/ram0 rw initrd=../../boot/initrd.gz ramdisk_size=6666 vga=0x317"

* This gives you text mode with 512 MB RAM and mouse support!!
* You will need to change PhysicalDrive2 to whatever drive number your USB key is. (Hint: look under the Disk Management snap-in.)
* You require administrative rights also.
* My QEMU directory lives under <USB drive letter>\BT3\QEMU, FYI (hence the ../../boot paths above).
* QEMU version: Win32 precompiled 0.9.1.

Hopefully this saves you a few hours.

Locked-down Terminal Server: need a command prompt?

Part of work's server migration has meant that we are working on a new Terminal Server. I liked the old one better because:

It had a run command
I could view the system drives
I could type H: in the address bar and it worked!
It had command prompt access!
No Firefox installed (hardened IE installed! OMG WTF!)

And the list goes on..... What I find most stupid is that I work for an IT company and they lock the shit down, which makes us less productive!!

Anyway, I got bored and hacked up a batch file that acts as a command prompt. Pretty much every Terminal Server will allow Notepad access, so copy and paste this and save it as a .bat:

    @ECHO OFF
    ECHO Please type your command:
    REM read one line from the user into the variable "command"
    SET /P command=
    REM run whatever was typed, then wait so the output stays on screen
    %command%
    PAUSE

As for the Firefox issue, get your bum down to portableapps.com, download Portable Firefox and install it in your home directory ;-)

Happy pinging (or whatever you do)