
Installing Firewalk on KUbuntu

Installing Firewalk turned out to be more complicated than I thought it would be. There were some compilation issues and some library errors.
Chief amongst them was:


checking for arp_get in -ldnet... no
configure: error: No libdnet? http://libdnet.sourceforge.net.

I did install libdnet using aptitude, but it did not do the trick. Thereafter, searching a few forums got me this information: the "libdnet" that Firewalk looks for is libdumbnet1 in Ubuntu's naming.
So I got the Debian packages from the following links:
libdnet1
libdnet-dev
I continued to get that error, and no wonder, because there was nothing in /usr/lib.
So I executed the following commands:


$ cd /usr/lib
$ sudo ln -s libdumbnet.so libdnet.so
$ cd /usr/include
$ sudo ln -s dumbnet.h dnet.h

Then there was a compilation error:


firewalk.c: In function ‘firewalk’:
firewalk.c:193: error: label at end of compound statement
make[1]: *** [firewalk.o] Error 1
make[1]: Leaving directory `/home/trance/Desktop/Firewalk/src'
make: *** [all-recursive] Error 1

So opening firewalk.c in vim and going to line 193 showed that a "break;" statement was missing after the default: label of the switch statement.
So I added "break;" (without quotes) on the line above the comment, as shown below:


default:
break;
/* empty */


$ ./configure
$ make
$ sudo make install
$ sudo cp man/firewalk.8 /usr/local/man/man8

Now firewalk was installed and ready to use!

Spike Fuzzer linker errors

I decided to play around with Spike fuzzer and encountered some weird errors during installation. I was using gcc 4.1.2.

gcc -ggdb -o generic_listen_tcp generic_listen_tcp.o dlrpc.o 
dlargs.o spike.o listener.o hdebug.o tcpstuff.o
spike_dcerpc.o base64.o udpstuff.o spike_oncrpc.o -ldl -L. -ldlrpc
/usr/bin/ld: generic_listen_tcp: hidden symbol `__stack_chk_fail_local' in
/usr/lib/libc_nonshared.a(stack_chk_fail_local.oS) is referenced by DSO
/usr/bin/ld: final link failed: Nonrepresentable section on output
collect2: ld returned 1 exit status
make: *** [generic_listen_tcp] Error 1

If you are also getting the same error, I would recommend that you do the following:

SPIKE/SPIKE/src$ ./configure

Now open the Makefile in your favorite editor and edit the CFLAGS line to include the following option:

-fno-stack-protector

This is how my CFLAGS line looks in the Makefile:

CFLAGS = -Wall -funsigned-char -c -fPIC -ggdb -fno-stack-protector

This should make it build fine (I do get a few warnings, but that's cool; it still builds).

WPA2+TKIP on Kubuntu with IPW3945

So I decided to use WPA2 Personal with AES+TKIP on my new Linksys WRT54GL router after my old D-Link router died. However, there were some issues in getting it to work on Kubuntu 6.10 Edgy Eft with my Intel Wireless IPW3945abg card.
So I decided to put my /etc/network/interfaces and /etc/wpa_supplicant.conf files up here for reference.
Suppose BLAH is my ESSID. The psk value has been altered for illustration purposes only:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
eapol_version=1
ap_scan=2
fast_reauth=1

# WPA-PSK
network={
ssid="BLAH"
proto=WPA RSN
key_mgmt=WPA-PSK
pairwise=TKIP
group=TKIP
psk=aaaa3fa7bbbbccccf6d44e199ecb2bebccccad25a0778beeee104db0b3fffff7
}

The value of the psk field was taken from the psk=... line (not the commented #psk= line) printed by the following command:

# wpa_passphrase BLAH passphrase
network={
ssid="BLAH"
#psk="passphrase"
psk=aaaa3fa7bbbbccccf6d44e199ecb2bebccccad25a0778beeee104db0b3fffff7
}
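As an added example (not part of the original post and not wpa_supplicant's own code), the derivation that wpa_passphrase performs, written out in Python: the WPA/WPA2 PSK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, 4096 iterations, 32 bytes of output, printed as 64 hex digits. The function names, the CCMP default in the rendered block and the check against the IEEE 802.11 test vector (passphrase "password", SSID "IEEE") are the example's own; the BLAH/passphrase pair from the post is not the real secret, so the constructed sample output below only illustrates the layout.

```python
import hashlib
import re


def wpa_psk(ssid: str, passphrase: str) -> str:
    """Return the 256-bit WPA/WPA2 PSK as 64 hex digits.

    PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes),
    which is exactly what wpa_passphrase prints on its psk= line.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32
    ).hex()


def network_block(ssid: str, passphrase: str, pairwise: str = "CCMP") -> str:
    """Render a wpa_supplicant.conf network={} block that carries only the
    derived PSK, not the '#psk="..."' plaintext comment wpa_passphrase emits.
    The default cipher (CCMP, i.e. AES) is this example's choice."""
    return "\n".join([
        "network={",
        f'\tssid="{ssid}"',
        "\tproto=RSN",
        "\tkey_mgmt=WPA-PSK",
        f"\tpairwise={pairwise}",
        f"\tgroup={pairwise}",
        f"\tpsk={wpa_psk(ssid, passphrase)}",
        "}",
    ])


def psk_from_wpa_passphrase_output(text: str) -> str:
    """Extract the 64-hex-digit psk= value from wpa_passphrase output,
    skipping the commented '#psk=' line."""
    m = re.search(r"^\s*psk=([0-9a-fA-F]{64})\s*$", text, re.MULTILINE)
    if m is None:
        raise ValueError("no psk= line with 64 hex digits found")
    return m.group(1).lower()


# Constructed sample: the shape of wpa_passphrase output with a fake key,
# not output captured from a real run.
SAMPLE_OUTPUT = """network={
\tssid="BLAH"
\t#psk="passphrase"
\tpsk=aaaa3fa7bbbbccccf6d44e199ecb2bebccccad25a0778beeee104db0b3fffff7
}
"""

if __name__ == "__main__":
    print(network_block("IEEE", "password"))
```

The hex PSK is not a hash that protects the passphrase in any useful sense: either value is sufficient to join the network and, combined with a captured 4-way handshake, to decrypt any client's traffic, so /etc/wpa_supplicant.conf and an /etc/network/interfaces that carries wpa-psk deserve mode 600. Note also that pairwise=TKIP and group=TKIP in the configuration above pin the TKIP cipher; CCMP is the AES cipher.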

The /etc/network/interfaces looked like this:

auto lo
iface lo inet loopback

auto eth1
iface eth1 inet dhcp
wpa-conf managed
wpa-driver wext
wpa-ssid BLAH
wpa-ap-scan 2
wpa-proto RSN
wpa-pairwise TKIP
wpa-group TKIP
wpa-key-mgmt WPA-PSK
wpa-psk aaaa3fa7bbbbccccf6d44e199ecb2bebccccad25a0778beeee104db0b3fffff7
pre-up wpa_supplicant -Bw -Dwext -i eth1 -c/etc/wpa_supplicant.conf
post-down killall -q wpa_supplicant

Once I was done with this configuration, all I had to do to get wireless working with WPA2 and TKIP was issue the following command:

# /etc/init.d/networking restart

John the Ripper 1.7.2 – Jumbo patch

I've been struggling to find the best working version of John so that it can crack the MS Cache output from Cachedump (of course, this functionality is now included in fgdump). Running fgdump gives two files, host.pwdump and host.cachedump, named after the target; running fgdump without any parameters I got 127.0.0.1.pwdump and 127.0.0.1.cachedump.
So now you have the cached credentials, but then comes the big problem of cracking them. Enter the jumbo patch for john-1.7.2.
The following commands need to be executed to get this patch going:


$ tar zxvf john-1.7.2.tar.gz
$ cd john-1.7.2/
$ wget http://www.openwall.com/john/contrib/john-1.7.2-all-9.diff.gz
$ gzip -d john-1.7.2-all-9.diff.gz
$ patch -p1 <john-1.7.2-all-9.diff
$ cd src/
$ make linux-x86-sse2


You get some warnings during compilation, but the executable works very well.

Go ahead and get cracking:
$ cd run/
$ ./john --format=mscash 127.0.0.1.cachedump
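As an added example (not from the original post and not John the Ripper's code), here is what --format=mscash is actually testing for each candidate: an MS Cache v1 (DCC1) entry is MD4(NT-hash(password) || UTF-16LE(lowercase(username))), where the NT hash is itself MD4 of the UTF-16LE password. MD4 is implemented inline because OpenSSL-backed hashlib builds commonly refuse it as a legacy algorithm. The user:hash:domain:fqdn line layout, the sample accounts and the function names are assumptions of the example, and the sample hashes are generated by the code itself rather than taken from a real fgdump run.

```python
import struct


def _rotl(x: int, n: int) -> int:
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, implemented here because hashlib.new('md4') often fails."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    r2 = [(i % 4) * 4 + i // 4 for i in range(16)]          # word order, round 2
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]  # round 3
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        # Each step rewrites one register; rotating (a,b,c,d) -> (d,a,b,c)
        # reproduces the ABCD/DABC/CDAB/BCDA pattern of the RFC.
        for i in range(16):
            a = _rotl(a + F(b, c, d) + X[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl(a + G(b, c, d) + X[r2[i]] + 0x5A827999, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):
            a = _rotl(a + H(b, c, d) + X[r3[i]] + 0x6ED9EBA1, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash: MD4 over the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16le"))


def dcc1_hash(username: str, password: str) -> str:
    """MS Cache v1 (DCC1): MD4(NT_hash(password) || UTF-16LE(lowercase(username))).
    The username acts as the salt, so the same password hashes differently per account."""
    return md4(nt_hash(password) + username.lower().encode("utf-16le")).hex()


def parse_cachedump(text: str):
    """Yield (username, hash) from cachedump-style lines 'user:hash:domain:fqdn'
    (layout assumed); blank lines, comments and malformed entries are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2 or len(parts[1]) != 32:
            continue
        yield parts[0], parts[1].lower()


def crack(cachedump_text: str, wordlist) -> dict:
    """Return {username: password} for every entry matched by a wordlist candidate.
    Because of the username salt, each candidate is hashed once per account."""
    found = {}
    entries = list(parse_cachedump(cachedump_text))
    for word in wordlist:
        for user, h in entries:
            if user not in found and dcc1_hash(user, word) == h:
                found[user] = word
    return found


# Constructed sample (not real fgdump output): hashes made with dcc1_hash above.
SAMPLE_CACHEDUMP = "\n".join(
    f"{u}:{dcc1_hash(u, p)}:CORP:corp.example"
    for u, p in (("Administrator", "Winter2007"), ("jsmith", "password"))
)

if __name__ == "__main__":
    print(crack(SAMPLE_CACHEDUMP, ["letmein", "password", "Winter2007"]))
```

The loop does, without any of john's optimisations, what --format=mscash does with a wordlist. Two properties matter for planning an engagement: the username salt means a precomputed table built for one account is useless for another, but there is no iteration count, so a DCC1 entry costs only two MD4 computations per candidate and is barely slower to attack than a plain NT hash (DCC2, introduced with Vista, adds PBKDF2 on top).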

SMBProxy Compilation issues

So the other day I was on a pen test and I got hold of the hashes. Since my laptop got fried, I needed a fresh build of SMBProxy. There were a few issues that I had with the compilation, though: I got a few errors in the file crypto.c.
Moreover, SMBProxy uses the libdes crypto library written by Eric Young, available here.
Here is the procedure for compiling SMBProxy that worked for me.

First, compile and install libdes

  1. Download libdes 4.01
  2. tar zxvf libdes-4.01.tar.gz
  3. cd libdes
  4. make gcc
  5. sudo make install

Now you'll find the file libdes.a in /usr/local/lib.
Second, compile and install SMBProxy. Here there were a couple of compilation errors that I had to deal with.
Here's the diff output for crypto.c:

trance@z0n3:~/Desktop$ diff smbproxy/crypto.c smbproxy-orig-src/crypto.c
40,41c40
< #include
< #define MD4_SIGNATURE_SIZE 16 --- >
46c45
<> static u_char Get7Bits(UCHAR *input, int startBit) {
58c57
<> static void MakeKey(UCHAR *key, UCHAR *des_key) {
74c73
<> void DesEncrypt(UCHAR *clear, UCHAR *key, UCHAR *cipher) {
85c84
<> void mkResponse(UCHAR **ntlmhash, UCHAR hash[MD4_SIGNATURE_SIZE], UCHAR* challenge) {
88c87
<> UCHAR ntlm_response[24];
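Review bot: the hunk at 40,41c40 is not applicable as printed: the `< #include` line has lost its header name (an angle-bracketed file name was stripped when the page was extracted), and the hunks 46c45 through 88c87 carry a `<>` prefix on a single line, which is the old and the new version of each declaration collapsed together, so neither side of those changes can be recovered from this listing. Since the command was `diff smbproxy/crypto.c smbproxy-orig-src/crypto.c`, the `<` lines are the modified copy and `>` the original, so `#define MD4_SIGNATURE_SIZE 16` is an addition; 16 is the MD4 digest length and matches `hash[MD4_SIGNATURE_SIZE]` in the `mkResponse` declaration. Anyone reproducing this should re-run the comparison as `diff -u` and paste the output verbatim.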

Having done this, there were still a few issues with the make command.
The Makefile can be generated by running the following command:

trance@z0n3:~/Desktop/smbproxy-orig-src$ ./configure

Here’s the diff output of the Makefile:

trance@z0n3:~/Desktop$ diff smbproxy/Makefile smbproxy-orig-src/Makefile
10,11c10,11
< smbbf_include =" -Iinclude">
< libs ="">

> SMBBF_INCLUDE = -Iinclude
> LIBS = des
31c31
< $(LIBDES) $(LIBS)

> $(LIBDES)
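Review bot: the `<` side of the 10,11c10,11 hunk is garbled: `smbbf_include =" -Iinclude">` and `libs ="">` show lower-cased variable names, stray quotes and a trailing `>` that no Makefile would contain, so the edited values cannot be read from this listing; only the original `SMBBF_INCLUDE = -Iinclude` and `LIBS = des` survive intact. The 31c31 hunk shows the modified link line appending `$(LIBS)` after `$(LIBDES)`, which only makes sense together with the `LIBS` change, so the reader should regenerate the Makefile with `./configure` and make both edits by hand rather than trying to apply this diff.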

To compile SMBProxy successfully you need OpenSSL together with its development headers (the development package is called libssl-dev on Debian and Ubuntu) as well as libdes:

sudo apt-get install openssl libssl-dev

PaiMei and MySQL error – eax_deref default value

I was playing with PaiMei, the reverse engineering framework by Pedram Amini, and trying to get some initial stuff working.
It was a smooth ride until the following steps:
1. Install MySQL
2. Install wxPython
3. Install GDE and uDraw

There was a slight problem with the __install_requirements.py file: it would always look in C:\Program Files for the files, whereas mine were in S:\Program Files.
Either way, a small change from C to S in __install_requirements.py did the trick. Thereafter, when I ran the __setup_mysql.py script I got the following error:

_mysql_exceptions.OperationalError: (1101, “BLOB/TEXT column ‘eax_deref’ can’t have a default value”)

It seems that MySQL should not be running in "strict" mode while you run this script (in strict mode MySQL rejects a DEFAULT value on a BLOB/TEXT column, which is what the schema in __setup_mysql.py asks for). I got this information from the following link:
http://paimei.openrce.org:8000/ticket/5