Reveal Hidden(Saved) Passwords in Web Forms

I recently came across a JavaScript snippet that reveals any password a browser has saved and autofilled into a web form. For example, if you have your Gmail password "remembered", when you visit http://gmail.com/ you see your username and a password hidden behind asterisks (******). This script reveals what is behind those asterisks.

javascript:
/* collect every <input type="password"> on the page that already holds a value */
var s='',f = document.getElementsByTagName('input');
for(var i=0;i<f.length;i++){
     if(f[i].type.toLowerCase()=='password' && f[i].value)
     {s+='found: '+f[i].value+' \n';}
}
/* report what was found (or that nothing was) in an alert box */
s=(s)?s+'\nThat\'s All Folks!':'No Passwords Found';
alert(s);

This script can be pasted into the developer console of Firefox or Chrome.

So think twice before saving any of your passwords on a public computer, or on any computer really: even a friend could pull a prank on you.

I don’t take any credit for the script.

Original script:
https://gist.github.com/895120#file_recover_hidden_web_passwords.js

Posted in Uncategorized

Facebook cookie-sniffing and MITM-attacks

So recently we've introduced you to Reaver, which shows that even WPA/WPA2-encrypted networks with strong passwords aren't safe. Personally, I'm using a fairly expensive router (Linksys E3000) that I've configured manually; however, to my knowledge the WPS functionality cannot be disabled on any Linksys router at this time.

The WPS vulnerability in WPA/WPA2, together with WEP being easily crackable even without WPS, means that most WiFi networks can be infiltrated by unwanted users. That raises another important question: what can a hacker actually do once he's inside your network?

comaX has written a very good script for sniffing passwords which includes sslstrip (simply put, it makes HTTPS sites like Facebook load over plain HTTP, so the password can be sniffed unencrypted) and ARP cache poisoning (rerouting all traffic through your own computer, putting you in the position of man in the middle). We've already covered this script in a previous post.

A small issue I've encountered with MITM attacks is that the running sessions (here specifically Facebook sessions) are sometimes not terminated, which matters because you need the victim to type in their password to be able to sniff it.

Here is what I do, when using automated MITM attacks, to jump straight into the target's ongoing Facebook session without them ever typing the password:

First of all, start Wireshark. If you're using BackTrack it is already included, so just open a terminal window and type:

wireshark &

Select your interface that is connected to the network and start sniffing:

You should now see packets coming in. You can keep Wireshark listening as long as you like, but many packets will flood the window, so it is useful to learn how to apply filters. For this specific task you will want a filter that shows only HTTP traffic, and perhaps only the traffic to and from the target:

The Facebook cookie will be inside an HTTP packet that has POST or GET in the Info field and looks something like this:

POST /ajax/growth/…/ HTTP/1.1

GET /ajax/presence/…/ HTTP/1.1

Here I’ve sniffed one of these packets from my own login:

If you find a packet that looks like this, select it, right-click and select “Follow TCP Stream”:

Here we can see the cookie:

This cookie gives us all the information we need to log in to the Facebook account. Now we just need a cookie editor. A good one is the Advanced Cookie Manager add-on for Firefox: http://addons.mozilla.org/en-US/firefox/addon/cookie-manager/

Restart Firefox and open up the Cookie Manager (the icon will be in the upper right corner).

Browse to your Facebook cookie.

Now you just have to change the values in your cookie to match the cookie you sniffed:

Make sure you filled in the values correctly (without the semicolon). Next, open up www.facebook.com and you will be logged in to the account!

The hacker now has access to your Facebook account until you log out or the cookie expires.

The beauty of this little hack is that it is not limited to Facebook sessions; it is useful in many situations where you're sniffing traffic (not only MITM attacks). Similar methods to the ones described here can be used on virtually any site that uses cookies to manage user sessions!
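The hijack above depends on two things a site owner can audit for: a session cookie that travels over plain HTTP after an sslstrip downgrade, and a cookie that was set without the Secure and HttpOnly attributes. The following is an added example, not code from the original post; the header samples and the list of session cookie names it looks for are constructed.

```python
# Added example (not from the original post): audit Set-Cookie headers and
# sniffer-style request records for the conditions that make cookie replay work.
# Cookie names below are an assumption; a real audit would use the site's own.
SESSION_NAMES = ("sessionid", "PHPSESSID", "JSESSIONID", "session")


def audit_set_cookie(header: str) -> dict:
    """Return the protective attributes missing from one Set-Cookie header.

    Without Secure the cookie is sent over plain HTTP (which is exactly what an
    sslstrip downgrade produces); without HttpOnly page scripts can read it.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    missing = [a for a in ("secure", "httponly", "samesite") if a not in attrs]
    return {"name": name, "missing": missing}


def cleartext_session_cookies(requests: list) -> list:
    """Flag session-named cookies carried by requests that went over plain HTTP.

    Each record is (scheme, request_line, headers_dict), the shape a sniffer or
    proxy log would give you. Returns (path, [exposed cookie names]) per hit.
    """
    findings = []
    for scheme, request_line, headers in requests:
        cookie = headers.get("Cookie", "")
        names = [c.split("=", 1)[0].strip() for c in cookie.split(";") if c.strip()]
        exposed = [n for n in names if n in SESSION_NAMES]
        if scheme == "http" and exposed:
            findings.append((request_line.split()[1], exposed))
    return findings


# Constructed sample: the second record mirrors a downgraded (sslstripped) session
SAMPLE_REQUESTS = [
    ("https", "GET /home.php HTTP/1.1",
     {"Host": "example.com", "Cookie": "sessionid=abc123; locale=en"}),
    ("http", "POST /ajax/presence HTTP/1.1",
     {"Host": "example.com", "Cookie": "sessionid=abc123; locale=en"}),
    ("http", "GET /public HTTP/1.1",
     {"Host": "example.com", "Cookie": "locale=en"}),
]

if __name__ == "__main__":
    print(audit_set_cookie("sessionid=abc123; Path=/; HttpOnly"))
    print(cleartext_session_cookies(SAMPLE_REQUESTS))
```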

—————————————————————————————————-

Enjoy your cookies!

Numbers

Posted in Backtrack

YAMAS – Maemo Update

Original article: http://pcsci3nce.info/?p=291

Version 1.0.0-1 has just been released in extras-devel.
Changelog:

  • NEW: Added dsniff in the dependencies.
  • NEW: Added support for arpspoof.
  • CHANGE: For the “final” menu, case is used instead of nested ifs.
  • CHANGE: All ettercap references are now optional; arpspoof is the default.
  • CHANGE: Deleted the function that tail-grepped for hosts; it was useless and CPU consuming.

Or in other words: YAMAS on the N900 should now be much faster and more stable. Moreover, it shouldn't break your network as much. If you still want to use ettercap, you can always use the "-e" option.

Please report any issues with this version, as arpspoof as a standalone package hasn't been fully tested and, moreover, this version of YAMAS is still in development.

As usual, all this was possible thanks to Comax for the creation and maintenance of the script and to Saturn who packaged it and supports it. Bonus credits go to @Karam from talk.maemo.org who ported the dsniff package to begin with, which made this update possible.

In the future, I'll look into the possibilities of implementing urlsnarf and driftnet in YAMAS.

Posted in N900

Cracking WPS protected WiFi – Introduction to Reaver/Wash

We already went through the complex process of "trying" to crack WPA/WPA2, and I use the word "trying" because the results are quite uncertain and depend heavily on your wordlist. However, many routers are vulnerable to a much easier attack. You must have come across routers with WPS (Wi-Fi Protected Setup) enabled; it works in several modes such as the PIN method, the push-button method, etc. If you want to get more familiar with WPS and this attack, I recommend reading Stefan Viehböck's article on it. Devices that have WPS enabled are vulnerable to brute-force attacks, and by "guessing" the WPS PIN you essentially also gain the WPA2 encryption password, or in other words the Wi-Fi password you need.

All this is possible thanks to Reaver. Downloading and installing is explained on its website on Google Code. The process is insanely easy: once installed, you can use Wash to find the available Wi-Fi networks that have WPS enabled:

walsh -i <your wireless interface in monitor mode, usually mon0>

This will essentially show you the networks vulnerable to the attack. If you encounter the "Found packet with bad FCS, skipping..." error, change the command to walsh -i mon0 --ignore-fcs .

Choose your network and launch the attack:

reaver -i <your wireless interface in monitor mode, usually mon0> -b <target router's MAC address> -vv (or -v for less info)

This should break the WPA password in up to 10 hours. There are ways to speed things up: add parameters such as -c <channel of router> and -d 0, which speed things up BUT can result in the router crashing.

The best part is that the software is fully functional under Maemo on the N900. The latest version available is revision 100, provided in this post thanks to marc0s_h4f. (This version has issues with wash reading the pcap format, but that is irrelevant to this post.) You should check that thread, as he seems to provide new versions constantly.

Moreover, Saturn has updated Cleven so that it now has a GUI for Wash and Reaver, which makes the process even easier. Note that marc0s_h4f's files should be unpacked to /home/user/.reaver/ - once that is done, restart Cleven (make sure you have the latest version) and the options for reaver and wash should appear.

DISCLAIMER: This program is intended for learning purposes only. I do not condone hacking and wouldn’t be held responsible for your actions. Only you would face legal consequences if you used this script for illegal activities. 


Posted in Backtrack, N900

Cleven – a user interface of aircrack-ng for the N900

The greatest GUI for aircrack on the N900 so far: it is fully functional, works in portrait mode and is still maintained by Saturn. I recommend it as a great replacement for the AirCrack GUI, which never realised its full potential because its maintenance was dropped.

Key dependencies and features:
* The package depends on aircrack-ng, macchanger and expects power kernel >= 2.6.28.10power46-wl1.
* Includes the injection drivers (courtesy of lxp)
* Original MAC is stored and restored on exit.
* Correctly handles spaces and special characters in ESSID names (see issues)
* The ESSID names are sorted and hidden ones are not shown.
* Decryption can be done for data captured over multiple sessions.
* Successfully recovered keys are stored in a separate folder.
* Management of captured files.

Website - http://wiki.maemo.org/Cleven
Forum - http://talk.maemo.org/showthread.php?t=75428

DISCLAIMER: This program is intended for learning purposes only. I do not condone hacking and wouldn’t be held responsible for your actions. Only you would face legal consequences if you used this script for illegal activities. 

Posted in N900