Sunday, May 29, 2011

.PDF Password Cracking

To be honest, I rarely come across password-protected .pdf files. Most .pdf files I have ever read don't really have anything in them that would be worth password-protecting anyway. Still, to me it represents good security and privacy practice, both of which should matter to anybody using a computer. However, where you can make it, you can somehow break it. So fire up a Terminal (or a Shell Konsole) and let me show you how.

First of all, we need a .pdf file. Download any .pdf file online, or make a file and save it in .pdf format. Let me just say you should be using a Linux distribution, preferably BackTrack 5. If you do not have Linux, go make friends with Google and do some research on it. Now then, the tool we will be using to password-protect the file is pdftk, and the tool to crack the password is called pdfcrack. It's a nifty little tool that cracks both user passwords (the one needed to open the file) and owner passwords (the one that locks permissions such as printing and copying) applied to .pdf files. To download the tools, make sure you are root (unless you are using BackTrack, in which case you already are), and type in-

apt-get install pdftk

Then-

apt-get install pdfcrack


Once you have both tools installed, we need to password protect our file. Go to your terminal and type-

pdftk unprotected_file.pdf output protected_file.pdf user_pw PROMPT

-where "unprotected_file.pdf" is your original .pdf file that you want to protect with a password, and "protected_file.pdf" is the new, password-protected file (you can name this file anything you want). You will then be prompted for a password, which will be the password used to protect your new .pdf file. I suggest using password as your password, just as a proof of concept for the tool, and also to test it (pdfcrack's -b option runs a benchmark instead, but where is the fun in that?). Once you enter it and hit your Return key (your Enter key), you have two .pdf files- the original one without a password, and the new one that you created with pdftk.

Now you are ready to crack your password-protected .pdf file. Just go to your Terminal and type-


pdfcrack


After you type in this command, you will see plenty of options-


root@bt:~# pdfcrack
Usage: pdfcrack -f filename [OPTIONS]
OPTIONS:
-b, --bench              perform benchmark and exit
-c, --charset=STRING     Use the characters in STRING as charset
-w, --wordlist=FILE      Use FILE as source of passwords to try
-n, --minpw=INTEGER      Skip trying passwords shorter than this
-m, --maxpw=INTEGER      Stop when reaching this passwordlength
-l, --loadState=FILE     Continue from the state saved in FILENAME
-o, --owner              Work with the ownerpassword
-u, --user               Work with the userpassword (default)
-p, --password=STRING    Give userpassword to speed up breaking
                         ownerpassword (implies -o)
-q, --quiet              Run quietly
-s, --permutate          Try permutating the passwords (currently only
                         supports switching first character to uppercase)
-v, --version            Print version and exit


For this guide, I will show you two methods of cracking- a Dictionary Attack, and a Bruteforce Attack. The first method we will use is a dictionary attack. This tries every line of a wordlist as a candidate password until one matches the .pdf file's password. I specified above that you should have used password as your password for your .pdf file. Make sure you are in the same directory as your password-protected .pdf file, then type this in your Terminal-

pdfcrack -f [password-protected pdf file] --wordlist=[path to wordlist]

I named my .pdf file "crackme.pdf", so in BackTrack 5 my command would look like this-

pdfcrack -f crackme.pdf --wordlist=/pentest/passwords/wordlists/darkc0de.lst

Here is the output from my command-

root@bt:~/Hacking/Tutorials# pdfcrack -f crackme.pdf --wordlist=/pentest/passwords/wordlists/darkc0de.lst
PDF version 1.3
Security Handler: Standard
V: 2
R: 3
P: -3904
Length: 128
Encrypted Metadata: True
FileID: b1de5d9d3ca2f5ec1dc4514f2a583907
U: 1f10ccc1e8a59d7083f9bbc1acf9c70900000000000000000000000000000000
O: 43710afb9adf32376fad13575c2ae401b12dd0cd7b6cde9fca684132393c6604
Average Speed: 14601.4 w/s. Current Word: 'J Arthur Moore'
Average Speed: 14024.8 w/s. Current Word: 'avvizzimento'
Average Speed: 13901.1 w/s. Current Word: 'ferebamque'
Average Speed: 14160.5 w/s. Current Word: 'mescoleremo'
found user-password: 'password'

As you can see, pdfcrack cracked the password, specified by this line of output-

found user-password: 'password'

Yes, password was the password I chose.


The command for brute-forcing, however, will look like this-

pdfcrack -f crackme.pdf --charset=abcdefghijklmnopqrstuvwxyz -n 6

The output for this command will be similar to the Dictionary Attack output. However, this method will take longer, because instead of testing a fixed list of words it has to try every combination of the character set (charset) we specified, starting at the minimum length given by -n, until it reaches the password.
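
As an added example (not part of the original post, and not pdfcrack's own code), here is a small Python audit script that reads the same /Encrypt fields pdfcrack printed above (Security Handler, V, R, Length, P) straight out of a PDF and reports whether the file relies on the RC4 variants that pdfcrack guesses at thousands of passwords per second. The embedded PDF skeleton is constructed for the example; its /O, /U and /ID values are the ones from the output above.

```python
import re

# Constructed sample: a minimal PDF skeleton whose /Encrypt dictionary carries the
# Standard security handler values pdfcrack printed above (V 2, R 3, 128-bit, P -3904).
SAMPLE_PDF = b"""%PDF-1.3
5 0 obj
<< /Filter /Standard /V 2 /R 3 /Length 128 /P -3904
   /O <43710afb9adf32376fad13575c2ae401b12dd0cd7b6cde9fca684132393c6604>
   /U <1f10ccc1e8a59d7083f9bbc1acf9c70900000000000000000000000000000000> >>
endobj
trailer
<< /Root 1 0 R /Encrypt 5 0 R
   /ID [<b1de5d9d3ca2f5ec1dc4514f2a583907> <b1de5d9d3ca2f5ec1dc4514f2a583907>] >>
%%EOF
"""

# /P permission bits (1-indexed positions, PDF 1.7 reference table 3.20); a clear bit denies.
PERMISSION_BITS = {3: "print", 4: "modify", 5: "copy", 6: "annotate",
                   9: "fill_forms", 11: "assemble", 12: "print_high_quality"}

def parse_encrypt(pdf):
    """Follow the trailer's /Encrypt reference and pull out the strength-deciding fields."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+\d+\s+R", pdf)
    if ref is None:
        return None  # no /Encrypt entry: the file is not encrypted at all
    obj = re.search(rb"(?<!\d)" + ref.group(1) + rb"\s+\d+\s+obj(.*?)endobj", pdf, re.S)
    if obj is None:
        return None
    body = obj.group(1)
    def num(key, default):  # integer value of /key inside the /Encrypt dictionary
        m = re.search(rb"/" + key + rb"\s+(-?\d+)", body)
        return int(m.group(1)) if m else default
    filt = re.search(rb"/Filter\s*/(\w+)", body)
    return {"filter": filt.group(1).decode() if filt else "", "V": num(b"V", 0),
            "R": num(b"R", 0), "Length": num(b"Length", 40), "P": num(b"P", -1),
            "aes": b"/AESV2" in body or b"/AESV3" in body}

def assess(enc):
    """Map (V, R, Length) to cipher and key size; every RC4 variant is flagged weak."""
    v, r = enc["V"], enc["R"]
    if v == 5:
        cipher, bits = "AES", 256
    elif v == 4 and enc["aes"]:
        cipher, bits = "AES", 128
    else:  # V 1-4 without an AES crypt filter is RC4; V 1 / R 2 is always 40-bit
        cipher, bits = "RC4", 40 if (v <= 1 or r == 2) else enc["Length"]
    denied = [n for bit, n in PERMISSION_BITS.items() if not (enc["P"] >> (bit - 1)) & 1]
    return {"cipher": cipher, "key_bits": bits, "weak": cipher != "AES", "denied": denied}
```

On the file from this guide it reports RC4 with a 128-bit key and every permission denied, which is what pdftk produces when you give a user_pw and no allow options.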

HAPPY HACKING!

Saturday, May 28, 2011

The Art Of Cracking WEP


#Notes-

-->My target AP, output, data, and interfaces may or may not be the same as yours. Replace my command line parameters/info with your own.


Hello, and welcome to my WEP cracking guide. In this guide, I will teach you how to crack WEP implementing Open System authentication. To do this, we will be using a tool, or tool suite, called aircrack-ng. Aircrack-ng has a whole array of tools and scripts to be used for wireless hacking, and every penetration tester should have this in their hacking arsenal. If you don't, be sure to get it at-


http://www.aircrack-ng.org/

I will not go over the entire history of WEP, but let me just say a couple things about it. First of all, WEP stands for Wired Equivalent Privacy. It uses the RC4 stream cipher, so of course the same keystream must never be used more than once. To get a different keystream for each packet, WEP concatenates a 24-bit initialization vector (IV) with the secret key, and that concatenation forms the per-packet RC4 key. But after around 5,000 packets, an IV, and with it a per-packet key, can possibly be repeated. The reason for this is that a 24-bit initialization vector is not long enough to ensure security on a large network, or a network with lots of traffic. We, as the hacker, must prove that this is a big ol' fuck up, and inform the guilty party to change to WPA (WiFi Protected Access) as soon as possible for the sake of security.
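
To check the "around 5,000 packets" figure, here is an added Python example (not from the original post or the aircrack-ng suite) that computes the birthday bound for a 24-bit IV space and confirms it with a short simulation of a sender choosing IVs at random.

```python
import math
import random

IV_BITS = 24              # WEP prepends a 24-bit IV to the secret key for every packet
IV_SPACE = 1 << IV_BITS   # 16,777,216 distinct IVs, so at most that many RC4 keys

def collision_probability(packets, space=IV_SPACE):
    """Birthday-bound probability that at least one IV, and with it one RC4
    keystream, has been reused after `packets` packets with random IVs."""
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * space))

def packets_for_probability(p, space=IV_SPACE):
    """Smallest packet count at which the reuse probability reaches p."""
    return math.ceil(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p))))

def simulate_first_reuse(trials, space=IV_SPACE, seed=1):
    """Monte Carlo check: mean number of packets sent up to and including the
    first IV repeat when IVs are drawn uniformly at random. (A card that uses a
    plain counter instead repeats deterministically once the counter wraps.)"""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        seen = set()
        iv = rng.randrange(space)
        while iv not in seen:
            seen.add(iv)
            iv = rng.randrange(space)
        total += len(seen) + 1
    return total / trials

if __name__ == "__main__":
    print("packets for a 50% chance of an IV reuse:", packets_for_probability(0.5))
    print("reuse probability after 5,000 packets: %.2f" % collision_probability(5000))
    print("simulated mean packets to first reuse:", simulate_first_reuse(20))
```

The 50% point lands just under 5,000 packets, which is why a busy network hands out repeated keystreams within minutes regardless of how long the secret key is.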

But how do we exploit this vulnerability? We open up a Terminal window, and type-



airmon-ng



Let's look at the output from the above command-

[Image: output of airmon-ng]

From this image I am able to see that my interface is wlan0. So now I will start monitor mode on my interface and see which interface it is enabled on-



airmon-ng start wlan0


Here is the output from this command-

[Image: output of airmon-ng start wlan0]

According to the output, monitor mode is enabled on mon0. This monitor-mode interface is the one we will use for the rest of the guide, and while we're at it, we are also going to change the MAC address of this interface to cover our tracks. To do all of this, just type-


ifconfig mon0 down


Then type-



macchanger --mac 00:11:22:33:44:55 mon0


And finally-


ifconfig mon0 up



Here is what the output of all of these commands will look like-

[Image: output of the ifconfig and macchanger commands]

As you can see, we have faked our MAC address, and we are ready to scan for access points (APs) on our monitor-mode interface. To do this, type-


airodump-ng mon0


Here is the output for this command-

[Image: airodump-ng scan output]

Let's look at the output. We have found an AP with the network name (ESSID) bightire. It uses WEP for its encryption/cipher, and since AUTH is blank, it is implementing Open System authentication. It is also on channel 11. But this is just a general scan. Now we have to filter, or "single out", our target AP. To do this, we will specify the details of this AP in airodump-ng-


airodump-ng -c 11 -w wep_crack --bssid 00:23:69:C5:8F:D0 mon0

In this command, we are running airodump-ng and specifying that the AP is on channel 11. We are writing all of our collected data to a file called wep_crack, and specifying the bssid of the AP. And finally, we are doing all of this on the mon0 interface. Here is the output-

[Image: filtered airodump-ng output for the target AP]

LEAVE THIS WINDOW OPEN WITH THE COMMAND RUNNING. We need to collect initialization vectors (#Data), so that we can crack the WEP key. Now we will open a new window (Ctrl-Shift-T) and fake association and authentication with the AP. We are able to do this because the AP implements Open System authentication. After you have your new window open, type-



aireplay-ng -1 0 -a 00:23:69:C5:8F:D0 -e bightire -h 00:11:22:33:44:55 mon0


This is what the output of this command looks like-

[Image: aireplay-ng fake authentication output]

Now that we are authenticated and associated, we can replay ARP packets to collect IVs (initialization vectors) a whole lot faster. To do this, type-



aireplay-ng -3 -b 00:23:69:C5:8F:D0 -e bightire -h 00:11:22:33:44:55 mon0

Here is the output from my command, which is right below the previous command-

[Image: aireplay-ng ARP replay output]

DO NOT STOP THIS COMMAND.

Now we wait until we have anywhere from 10,000 to half a million IVs (DAMN!). So go do something (this may include smoking a cigarette, drinking a Monster, or going to the bathroom). Come back in a minute.....

Great, you're back! Now it's time to crack our WEP key. Open up your third and final Terminal window, and type-


aircrack-ng --bssid 00:23:69:C5:8F:D0 wep_crack-01.cap

Here is my output-

[Image: aircrack-ng output showing KEY FOUND!]

At the bottom of this output, you can clearly see the WEP key, marked by (KEY FOUND!). Inside the "[ ]" is the WEP key. Remove the colons (:) from it and enter it into your network manager to gain access to your target AP.
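
From the defender's side, the same airodump-ng capture tells you which of your own access points are still on WEP or wide open. This added Python example (not part of the post or the aircrack-ng suite) reads the CSV file airodump-ng writes beside the .cap when you use -w, assuming its standard header names, and lists the APs that should be migrated to WPA2; the sample rows are constructed apart from the bightire entry, which mirrors the scan above.

```python
import csv
import io

# Constructed sample shaped like the CSV airodump-ng writes next to the .cap when
# you pass -w (here it would be wep_crack-01.csv). The bightire row mirrors the
# scan above; the other rows and all timestamps and signal levels are made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:23:69:C5:8F:D0, 2011-05-28 14:02:11, 2011-05-28 14:09:50, 11, 54, WEP, WEP, , -58, 412, 1893, 0.0.0.0, 8, bightire, 
00:11:AA:BB:CC:01, 2011-05-28 14:02:12, 2011-05-28 14:09:50, 6, 54, WPA2, CCMP, PSK, -71, 390, 0, 0.0.0.0, 7, homewifi, 
00:11:AA:BB:CC:02, 2011-05-28 14:02:15, 2011-05-28 14:09:48, 1, 54, OPN, , , -80, 120, 0, 0.0.0.0, 5, guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:11:22:33:44:55, 2011-05-28 14:05:00, 2011-05-28 14:09:50, -40, 2040, 00:23:69:C5:8F:D0, 
"""

def parse_access_points(text):
    """Read the AP table (everything before the blank line that starts the
    station table) into a list of dicts keyed by the CSV header names."""
    ap_section = text.split("\n\n", 1)[0]
    reader = csv.DictReader(io.StringIO(ap_section), skipinitialspace=True)
    return [{k.strip(): (v or "").strip() for k, v in row.items() if k is not None}
            for row in reader]

def find_weak_aps(rows):
    """Flag APs that the steps in this guide would walk straight through:
    WEP (worse still with Open System authentication) or no encryption at all."""
    findings = []
    for ap in rows:
        privacy, auth = ap["Privacy"].upper(), ap["Authentication"].upper()
        if "WEP" in privacy:
            reason = "WEP: RC4 with a 24-bit IV, key recoverable from captured traffic"
            if auth in ("", "OPN"):
                reason += "; Open System authentication lets any client associate"
        elif "OPN" in privacy:
            reason = "no encryption at all"
        else:
            continue
        findings.append({"bssid": ap["BSSID"], "essid": ap["ESSID"],
                         "channel": int(ap["channel"]), "ivs_seen": int(ap["# IV"]),
                         "reason": reason, "fix": "migrate this AP to WPA2 or WPA3"})
    return findings
```

The "# IV" column is also a useful gauge: an AP that has already leaked thousands of IVs to a passive listener is one whose key should be considered burned even before you migrate it.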

Happy Hacking! :-)