Un’estate Italiana - G. Moroder, G. Nannini, E. Bennato

July 9th, 2006

Perhaps it won't be a song
that changes the rules of the game
but I want to live this adventure like this
without borders and with my heart in my throat

And the world in a carousel of colours
and the wind caresses the flags
a shiver arrives and carries you away
and you melt the madness in an embrace

magic nights
chasing a goal
under the sky
of an Italian summer

and in your eyes
the will to win
a summer
one more adventure

That dream that begins as a child
and that takes you ever farther
is not a fairy tale - and from the dressing rooms
the boys come out, and it's us

magic nights
chasing a goal
under the sky
of an Italian summer

and in your eyes
the will to win
a summer
one more adventure

Internet & Wi-Fi in Trivandrum

June 22nd, 2006

Here I am in Trivandrum for a medical. I wardrove almost all the major roads here, and not even a single Wi-Fi signal was caught by my PDA.

Came home; we have a cable connection at home which was connected to a PC. The PC gets its IP via DHCP from the cable service provider. I tried connecting my iBook to the cable modem and I was not getting an IP as in the case of the PC. I needed to find a solution to check my mail from my iBook.

Since my room is on the ground floor and the PC with the cable connection is on the first floor, the best solution for me to use the laptop in my room and the sitting room would be to get a wireless router and connect it to the cable modem. We went to a few places and most of the guys don’t even know what a router (”rootere”, as they call it) is. At last we found a place where there were Linksys 802.11b and D-Link 802.11g routers. The choice was D-Link for a number of reasons: speed, size, functions and the ability to operate in mixed mode are a few of them.

We got the router, and when it came to the configuration, the router didn’t get an IP via DHCP either. Thought for a while on the issue and I cloned the MAC address from the PC’s network card to the router. Bingo! I got the connection. (That means the cable service provider has bound the MAC address of the PC’s network card so only that PC gets an IP via DHCP.)

Connected the PC to one of the router’s LAN ports and set up wireless as an open system. Why open? There are no hackers around? Not many places around my home.

Wireless Security Is Bad For Your Health: Scott Turner, wireless nonexpert, argues that wireless security is leading to a health epidemic.

Now I can run around my home using either my iBook or my iPAQ to use the Internet rather than sitting in front of the PC. Mobility is very important, huh?

Passed Wireless# Exam

June 21st, 2006

I passed my Wireless# exam at the first attempt on 11/06/2006 with a score of 80%. This was way below my expectation, as I had been scoring 95-98% on the practice tests.


I was initially studying for my CWNA exam when Wireless# came out, so I thought I’d try it first. The PrepLogic MegaGuide and the Wireless# practice tests (the answer explanations) were the most useful.

My references were:

1. CWNA book
2. CWSP book
3. CWAP book
4. PrepLogic MegaGuide
5. Practice Tests (Free Wireless#, CWNA, CWAP)
6. Intensified’s Spreadsheets.

Some people may consider my referring to CWSP and CWAP as over-studying. In fact I was studying for my CWNA, for which I was using CWAP as a reference. Then came Wireless#. So I guess it cannot be classified as over-studying, because my ultimate goal is to attempt and pass all the CWNP certifications. No harm in gaining extra knowledge on the subject, whether it comes up on the exam or not.

I’ll be attending my CWNA exam in another 2-3 weeks and will follow up with CWAP before CWSP.

Dhiraagu vulnerable to Social Engineering

June 1st, 2006

These are the details of a social engineering attack pulled on Dhiraagu (for a good cause again).

What is Social Engineering?

Social Engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of the people to obtain information with or without the use of technology.

The texts in italics in this article are extracts from the book “Art of Deception” by Kevin D. Mitnick, which gives you details of the tricks of social engineering attacks used in this case.

A friend of mine called me to help him with his ADSL connection, which keeps dropping the signal every 2 seconds. They recently moved to this new building and Dhiraagu moved their ADSL to this new building as well. I went to meet him around 17:30 hrs on a Thursday.

I asked my friend for the username and password of the ADSL router he has, in order to find out what could be wrong. He didn’t have that information, as usual with most of us who don’t keep that type of information in a safe place. I then asked him whether he has the ADSL username and password, in case I have to reset the router back to factory settings to access it. He didn’t have that either.

I called up Dhiraagu 123 from my mobile (which has no relation to the address where the ADSL was connected) and directly told the guy that I don’t have the username and password of my ADSL connection, and that the only information I can give him is the address where the ADSL is connected.

The Direct Attack: Just Asking for It

Anybody gutsy enough to call and claim to be the owner or whatever will likely be taken at his word. Unless it’s obvious that he doesn’t know the terminology, or if he’s nervous and stumbles over his words, or in some other way doesn’t sound authentic, he may not even be asked a single question to verify his claim. That’s exactly what happened here with the support person.

The guy looked up the database and simply gave me the username. I then asked for the password, and he gave me that too. Then I asked him for the username of the ADSL router (which Dhiraagu provides), and he gave me the username and password for the router too.

The Direct Attack: Just Asking for It

Many social engineering attacks are intricate, involving a number of steps and elaborate planning, combining a mix of manipulation and technological know-how.

A skillful social engineer can often achieve his goal with a simple, straightforward, direct attack. Just asking outright for the information may be all that’s needed—as you’ll see.

Knowledge of a company’s lingo, and of its corporate structure—its various office and departments, what each does and what information each has—is part of the essential bag of tricks of the successful social engineer.

What if somebody uses social engineering to harm these organisations and their customers?

A Real Social Engineering Case

May 28th, 2006

A few days back I was assigned a project to get back a domain from a couple of guys who took it over. The project also had a limited time to complete.

The main purpose of my attending to this job was to prove to my friends, colleagues and associates that anything can be achieved if you set your mind to it, no matter how difficult the process is. Also this was an opportunity for me to try and test my social engineering (for a good cause) and technological skills.

What is Social Engineering?

Social Engineering uses influence and persuasion to deceive people by convincing them that the social engineer is someone he is not, or by manipulation. As a result, the social engineer is able to take advantage of the people to obtain information with or without the use of technology.

The following is a real case of social engineering. I have changed the names of the domain, the registrar and some other things in order not to reveal the real identities involved. The texts in italics in this article are extracts from the book “Art of Deception” by Kevin D. Mitnick, which gives you details of the tricks of social engineering attacks used in this case.

Project: Getting back the domain.com
Project Code Name: domain
Type of work: Combination of Technology and Social Engineering.

Details:

Domain.com has been taken over by someone and it has to be retrieved at the earliest.

Tasks:
1. Getting the domain back

How it was done:

Looking at the situation from different angles, it was believed that the best approach to this task would be a combined technology and social engineering attack rather than a technological one alone.

Getting the Domain.

Contacted the Domain Registrar to see how the Administrative email could be changed as soon as possible to retrieve the password for the domain.

Played the sympathy role with a story of an ex-administrator taking away all the passwords when he left the company. Also played dumb to get the support guy to give me specific information on how to fill in the form to reset the administrative account.

Can You Help Me?

The social engineer manipulates by pretending he needs the other person to help him. We can all sympathize with people in a tight spot, and the approach proves effective over and over again in allowing a social engineer to reach his goal.

The attacker asked the organisation’s support personnel to walk him through the steps of a form-filling process he didn’t know how to do. A powerful and effective turning of the tables, this is the equivalent of asking the owner of a store to help you carry a box containing items you’ve just stolen from his shelves out to your car.

The Administrative email was successfully changed and the domain password was retrieved. After logging in to the system using this password, I came to know I was in for more trouble, as this domain account resides in another main account (known as a One Click Domain Manager or OCDM account). The password to this OCDM account still resides with the guys who took over this domain.

The next attempt was to see how powerful this so-called OCDM account is. In order to learn about this OCDM account, its capabilities and how the whole system works, I created my own OCDM account. This let me learn all the capabilities of an OCDM account.

After using the OCDM account for a couple of minutes, I found out that a domain can be imported into an OCDM if I know the password of that domain. Since I had the password to domain.com, I tried importing it into my OCDM account and came to know that domain.com has to be removed first from the original OCDM account in which it currently resides. Only then would I be able to import it into my OCDM account.

I took advantage of the above by finding out the details of how the OCDM accounts work and the lingo, and then asking directly for it.

Trust:

Think of your own attitude when somebody you don’t know asks you for something. If a shabby stranger comes to your door, you’re not likely to let him in; if a stranger comes to your door nicely dressed, shoes shined, hair perfect, with polite manner and a smile, you’re likely to be much less suspicious.

What’s less obvious is that we judge people on the telephone the same way. Does this person sound like he’s trying to sell me something? Is he friendly and outgoing or do I sense some kind of hostility or pressure? Does he or she have the speech of an educated person? We judge these things and perhaps a dozen others unconsciously, in a flash, often in the first few moments of the conversation.

It’s natural for people to have a higher degree of acceptance for anyone who claims to be a fellow employee or customer and who knows the company procedures and lingo.

I called up Domain Registrar support again and told the support guy that I am having problems logging into my OCDM and that I have been managing my domain with the domain password. I also explained to him that I have created another OCDM and that I need to move my domain (domain.com) into it. I then explained to him that I am unable to do so, as it resides in the old OCDM account which I cannot access because I have forgotten the password for it. The very helpful support guy Mr. …… (he feels sorry and bends the rules a little to help the poor customer) assured me that he would remove my domain from my old OCDM so that I can import it into my OCDM.

The Direct Attack: Just Asking for It

Many social engineering attacks are intricate, involving a number of steps and elaborate planning, combining a mix of manipulation and technological know-how.

A skillful social engineer can often achieve his goal with a simple, straightforward, direct attack. Just asking outright for the information may be all that’s needed—as you’ll see.

Knowledge of a company’s lingo, and of its corporate structure—its various office and departments, what each does and what information each has—is part of the essential bag of tricks of the successful social engineer.

After waiting 4 hours for it to be removed from the old OCDM, I called up the Domain Registrar support again and told the support guy that I need to get my domain removed from the old OCDM, that I had been assured by his colleague Mr. ….. 4 hours ago that he would do it, but that it had not been done yet. (Feeling guilty about what his co-worker couldn’t do, he bends the rules a little to help out a fellow employee who couldn’t provide support to this customer.) This support guy assured me that it would be done in 5 minutes, and he proved that by removing it from the old OCDM. At last I was able to move the domain to my new OCDM and take total control of the domain.

Using Sympathy, Guilt and Intimidation

A social engineer uses the psychology of influence to lead his target to comply with his request. Skilled social engineers are very adept at developing a ruse that stimulates emotions, such as fear, excitement, or guilt. They do this by using psychological triggers—automatic mechanisms that lead people to respond to requests without in-depth analysis of all the available information. Sympathy, guilt and intimidation are three very popular psychological triggers used by social engineers.

We all want to avoid difficult situations for ourselves and others. Based on this positive impulse, the attacker can play on a person’s sympathy, make his victim feel guilty, or use intimidation as a weapon.

The emotional ploy of “I’m in trouble, won’t you help me?” was all it took to win.

Anybody gutsy enough to call and claim to be the owner or whatever will likely be taken at his word. Unless it’s obvious that he doesn’t know the terminology, or if he’s nervous and stumbles over his words, or in some other way doesn’t sound authentic, he may not even be asked a single question to verify his claim. That’s exactly what happened here with two different support personnel.

Now the domain is in my full control and the job is completed.

Conclusion

The impossible was made possible after all with a few tricks of social engineering and learning a bit of technology.

During this process, I found out that every organization or company be it government or private is vulnerable to such social engineering attacks. The organization for which I did this work was also vulnerable to such attacks.

Comments for the Telecom Policy 2006-2010

April 28th, 2006

The Telecommunications Authority of Maldives (TAM) has recently opened the Telecom Policy 2006-2010 for public comments. Thought I would also comment on it, and here follow my comments.

The draft for this policy can be downloaded from TAM website.

Comments for Maldives Telecommunication Policy 2006-2010

The Introduction of this policy is basically the same as in the policy of 2000-2005. I believe the past 5 years have brought enough change for us to write a better introduction than this.

Objective 1.1: Implement “one service one tariff” concept.

Even though the following action under the following objective was already in the policy of 2000-2005 to abolish the difference in telecommunication charges, in 2006 we are still studying the commercial impact of abolishing these differences.

Objective 1.1: Reduce the disparity in telecommunication charges between Male and the rest of the country.

Action 1.1.1: Abolish the differences in telecommunication charges among all inhabited islands, within a period of 3 years.

This action needs to be taken immediately and the difference in telecommunication charges to be abolished rather than studying the impacts of it for another 2-5 years.

Objective 3.3: The regulator should have a converged role of regulating IT and telecommunications.

I believe the following action should be added.

• The regulator’s skills should be enhanced for them to meet the challenges of regulating the operators.

The regulator should have enough people trained in the aspects of IT as well as telecommunications to properly regulate the issues. Unless there are trained people from these fields, the regulator would not be in a position to properly regulate anything. People who know IT / telecommunications should be there rather than some management gurus who don’t have the knowledge or experience of IT and telecommunications. It should be more of a technical management than any other type of management.

Objective 4.2: Increase infrastructure competition

Action 4.2.3: Assign certain frequency bands as license free bands and allow installation of infrastructure for individual and scientific / experimental purposes.

- Assign the entire FCC assigned license free ISM (Industrial, Scientific and Medical) and Unlicensed National Information Infrastructure (UNII) bands as license free bands and allow them to operate as per FCC regulations with power outputs and spectrum usage.

- Assign the Military whatever frequencies they require and keep the scope to move the existing operators in these frequencies to another unallocated frequency block depending on the requirements. Everywhere else the Military is on top of the priority list and gets whatever they want before any others get a chunk of the spectrum. They should be given priority, as they are our protectors.

Even though the following action under the following objective was in the policy of 2000-2005 for the management of the Internet domain names of the Maldives, the action has not been taken to this date and it is not even mentioned in the policy of 2006-2010.

Objective 4.2: Make available resources required for the telecommunication operators.

Action 4.2.5: Assign the Regulator with the function of registration and management of the Internet domain names of the Maldives.

The .mv domain, the Top Level Domain (TLD) for the Internet domain names of the Maldives, is still under Dhiraagu, which is just one of the operators.

The .mv is also believed to be the most expensive TLD, costing around USD 93.39 / year, with .tv next to it at USD 34.95 / year. This could be one reason why most people wouldn’t want to go for a .mv domain.

The Regulator could take a small fee such as USD 0.25 / domain to maintain the list of domains, as ICANN does for most of the TLDs, and let the operators, ISPs and other registered / accredited domain and hosting companies play the role of registration and management of the Internet domain names of the Maldives.

Objective 5.1: Increase awareness of telecommunications and ICT

ICT seminars should also be added to Action 5.1.3.

Another point should also be added: to encourage the formation of local ICT groups and to support them in conducting various ICT programs to create awareness among the public.

I welcome comments to my article as well as comments to the Telecom Policy 2006-2010.

Wireless Exams

February 4th, 2006

While I was studying for my CWNA exam, CWNP released its Wireless# exam a few months back. Wireless# is entry-level and prepares people for working on home networks and small office networks, as well as for learning the basics of many wireless technologies.

Since I was very thorough with the CWNA materials, without a second thought I attempted the practice test for Wireless# to see how I would do. It was much tougher than I expected and I ended up with a score of 73%. That’s a PASS, but I believed that I should have scored more than that.

Then I made a comparison between Wireless# and CWNA and came to know that some technologies in Wireless# are not really covered in detail in the CWNA. These include Bluetooth, WiMAX, RFID and IrDA. If you’re looking to gain conceptual and decision-making knowledge related to these technologies, Wireless# is a great benefit.

Time to read about these technologies. Did that for a week and attempted the practice test again, and the score was very much better this time at 98%. So I thought to attempt the real exam before the beta period expires (31st Jan 2006), and called up the local VUE testing centre, only to find out that the testing centre is going through upgrades of its testing software. Seems this will take 1-2 weeks to complete.

No choice: I registered for the final Wireless# exam on 1st Feb 2005 and have scheduled to take the exam on Saturday 11 Feb 2006 if the testing centre is back in operation. If everything goes well I am also planning to attempt my CWNA exam in February 2006.

Wish me best of luck.

How Secure is ROL’s high speed network? How Secure is your Data?

January 13th, 2006

A boring week with nothing much to do or to celebrate, so I connected an RF splitter to the J-SAT cable at our home to split the CATV cable and connected a cable modem. The cable did not lock, as the power was way too low due to the splitting. We had another cable from MESCO which doesn’t have any splits. So I just split that into two and then connected the cable modem. Bingo, my modem signal is locked. Before I go any further let me try to give you all some info about the type of VPN ROL uses now.

ROL is running on PPTP VPNs now! What is a PPTP VPN?

PPTP VPNs offer legacy authentication mechanisms such as PAP, CHAP, MS-CHAP and MS-CHAPv2, the strongest being MS-CHAPv2. MS-CHAPv2 is also used in Cisco’s LEAP and in EAP-FAST phase 0. MS-CHAPv2 can be broken using the ASLEAP cracking tool for Linux and Windows. A tutorial exploiting the weakness of PPTP VPNs with Asleap and Auditor can be found here.

PPTP tunnels use an IP connection to form an encrypted tunnel for data transport. The tunnel has its own IP subnet (in the case of ROL, 202.21.*.*), and after the tunnel is formed between client and server, a static route is entered on both hosts so that all future data traffic is sent through the tunnel. However, the original IP subnet on the Hybrid Fibre Coax (HFC) network (in the case of ROL on J-SAT cable, 10.99.*.*) can still be used for data transfer, including by port scanners and other hacking tools. The high-speed connectivity over the HFC network not only makes it quicker, easier and cheaper for customers to get the service, but also lets whackers (black hat hackers) enjoy a number of open ports and services exposed on that network. Without a personal firewall in place, the client and server devices are still open to IP attacks.

PPTP uses Microsoft Point-to-Point Encryption (MPPE), which uses the RC4 stream cipher. While MPPE-128 is a reasonably strong encryption scheme, it is the authentication mechanism (MS-CHAPv2) that makes PPTP weak.
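The personal firewall the paragraph above calls for has one job here: trust the tunnel interface and admit nothing on the cable side except the DHCP lease and the PPTP control and GRE flows to the VPN server. The script below is an added example, not ROL’s configuration; the interface names, the 10.99.0.0/16 underlay, the 203.0.113.1 VPN server address (a placeholder) and the use of Linux iptables are assumptions.

```shell
#!/bin/sh
# Host firewall for a PPTP client whose physical interface sits on an
# ISP's HFC subnet. ppp0 (the tunnel) is trusted; eth0 (the cable side)
# only passes the DHCP lease and the PPTP flows to the VPN server, and
# logs anything else arriving from the underlay so neighbour scans
# become visible. Names and addresses are assumptions for the example.
HFC_IF="${HFC_IF:-eth0}"
TUN_IF="${TUN_IF:-ppp0}"
HFC_NET="${HFC_NET:-10.99.0.0/16}"
VPN_SERVER="${VPN_SERVER:-203.0.113.1}"   # placeholder, not a real server

# Emit the ruleset in iptables-restore format so it can be reviewed
# (or diffed against the running one) before it is applied.
hfc_guard_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $TUN_IF -j ACCEPT
-A INPUT -i $HFC_IF -p udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -i $HFC_IF -s $VPN_SERVER -p gre -j ACCEPT
-A INPUT -i $HFC_IF -s $VPN_SERVER -p tcp --sport 1723 -j ACCEPT
-A INPUT -i $HFC_IF -s $HFC_NET -j LOG --log-prefix "hfc-probe: "
-A INPUT -i $HFC_IF -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $TUN_IF -j ACCEPT
-A OUTPUT -o $HFC_IF -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -o $HFC_IF -d $VPN_SERVER -p gre -j ACCEPT
-A OUTPUT -o $HFC_IF -d $VPN_SERVER -p tcp --dport 1723 -j ACCEPT
-A OUTPUT -o $HFC_IF -j DROP
COMMIT
EOF
}

# Load the ruleset atomically. Needs root; nothing runs until called.
hfc_guard_apply() {
  hfc_guard_rules | iptables-restore
}
```

The OUTPUT chain matters as much as INPUT: it stops the client itself from talking to other subscribers over the underlay, which is the traffic the post describes seeing.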

Connecting to ROL HFC Network:

Then I connected an Ethernet cable between my laptop and the modem and got an IP from the 10.99.* range (original IP subnet). Fired up Nmap to see if there were any open ports and found some machines with port 80 open, ran Firefox and connected to one of those machines. Firefox brought me to a web page of some sort of web server called WAMPP with access to a MySQL database. I was even able to create my own databases without any authentication. Could this be a machine of an individual user? Could this be a machine of ROL? I leave it to the readers to do their own research and find out for themselves. (Hint: there are other interesting ports too!)

Before turning my mind to other interesting ports, I stumbled into ROL’s Subscriber Management Software, which runs on IP 202.21.176.234 externally and IP 192.168.50.1 internally. They run really interesting software called Log2Space from Spacecom Technologies Limited, India. Those of you who are interested in learning how this software works can see a demo of it on the Spacecom website. Click here for a demo.

Did some further scanning and ran a couple of tools by pressing keys and buttons here and there, and I couldn’t even believe my eyes where I ended up. Where was I walking into, wearing the dark black coat? In fact I was in a position to map the whole network with more than 20 different segments and was also in a position to throw individual users or a whole bunch of users off the network by pressing a couple of buttons. For those of you who are interested in the logical design of the ROL network, you may download this Visio network map of ROL.

For a second I thought, is this the security we talk about? Is this the industry standards and practices that ROL follows as required of an ISP (Internet Service Provider)?

A word to the tech team at ROL: Don’t mislead your Managing Director into thinking that you have the best security that is up to the industry standards. Humans do make mistakes. Humans learn by their mistakes. So admit your mistakes to your boss, get the issues resolved internally or externally and then learn from that experience, rather than trying to hide the facts and mislead your own boss. If you mislead him, he will unknowingly mislead the general public.

Some of us might think that we need a rocket scientist with a law degree to perform such a task, but in reality somebody with a little bit of networking knowledge and a few network tools could perform such a task in a few minutes.

A year passes unknowingly

January 1st, 2006

Another year has just passed us without us noticing and much being done.

Wish you all a very Happy New Year 2006

WEP cracking with Auditor and Proxim (8470-WD) card

December 11th, 2005

Introduction:

This tutorial explains how to crack most WEP encrypted Access Points out there. The tools used will be as follows:

Airodump
Aireplay
Aircrack

As for wireless cards, I recommend any Prism, Orinoco or Atheros based card (I used the Atheros based Proxim card mentioned above).

Getting Started:

Let’s see. The first thing you are going to want to do is charge your laptop fully (aireplay and aircrack drain the battery quite a bit). Next you are going to want to load up your favourite live CD (I used Auditor final) or Linux OS, then stumble across an encrypted WLAN; use Kismet to do so.

First off you are going to want to set your wireless card to the right mode. Which commands you have to use depends on the chipset:

Since my Proxim card uses madwifi, I have to place the card in pure 802.11b mode first:

iwpriv ath0 mode 2

Then change the card into monitor mode

iwconfig ath0 mode monitor

Then bring the card up

ifconfig ath0 up

Going for the kill:

Open a terminal window and fire up Airodump to sniff the packets.

airodump ath0 tocrack


OK, so now you have a stream of packets from your target. You see the IV column: those are what’s known as ‘weak key’ packets, and we want as many of them as we can get (500k+ is a nice number; the more the better). Now we are going to capture a ‘weak key’ packet from the network we are targeting and flood the Access Point with it, in the hope that we get lots of ‘weak key’ replies sent out so we can eventually crack the password. So now open another terminal window and execute aireplay:

aireplay -i ath0


Here we are going to grab a few packets from the Access Point until we catch a ‘weak key’ packet, which aireplay will then ask you if you want to use to flood the Access Point. When it asks you if it can use one of the packets, hit ‘y’ then return, but do not choose a packet with a destination address of FF:FF:FF:FF:FF:FF.


If you flick back to your terminal with airodump running, you should see the number of captured packets increase by a huge amount, and with that the IV packets should also be increasing pretty damn fast as well. If all went well, in about 10 minutes you should have enough packets to dump into aircrack.


Run aircrack to crack the wep from the captured file.

aircrack -q 3 -f 2 tocrack.cap

What I did there was set aircrack to read my packet file called tocrack.cap (what airodump creates). If all goes well you will get the key in a few minutes.
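The replay step above is also what a wireless IDS looks for: one station re-sending a single frame hundreds of times a second, and the AP answering with a fast-moving IV counter that eventually repeats. The code below is an added example, not part of the tutorial or of the aircrack tools; it runs those two detection heuristics over a constructed capture (the Frame type, the MAC addresses and every frame in it are made up for the example).

```python
"""Two detection heuristics for the replay-injection step described above.
Constructed sample capture; not code from the tutorial or from aircrack."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Frame:
    ts: float       # capture timestamp in seconds
    src: str        # transmitter MAC address
    bssid: str      # BSSID of the network the frame belongs to
    length: int     # frame length in bytes
    iv: int         # 24-bit WEP IV, or -1 for unencrypted frames


FloodKey = Tuple[str, str, int]


def replay_floods(frames: Iterable[Frame], window: float = 10.0,
                  threshold: int = 200) -> Dict[FloodKey, int]:
    """Map (src, bssid, length) -> peak count for stations that send more
    than `threshold` frames of one length inside any `window` seconds.
    An injector re-sending a single captured frame produces exactly this
    shape; normal clients vary their frame sizes. AP-originated frames
    (src == bssid) are skipped: the AP's replies to the flood are the
    symptom, not the source."""
    recent: Dict[FloodKey, deque] = defaultdict(deque)
    peak: Dict[FloodKey, int] = {}
    for f in sorted(frames, key=lambda x: x.ts):
        if f.src == f.bssid:
            continue
        key = (f.src, f.bssid, f.length)
        q = recent[key]
        q.append(f.ts)
        while q and f.ts - q[0] > window:     # slide the window forward
            q.popleft()
        if len(q) > threshold:
            peak[key] = max(peak.get(key, 0), len(q))
    return peak


def iv_reuse(frames: Iterable[Frame]) -> Dict[str, List[int]]:
    """Per transmitter, the IVs it used more than once. A repeated IV means
    two frames were encrypted with the same RC4 keystream; the 24-bit IV
    space guarantees this on any busy WEP network, and it is the root
    cause of the weakness the tutorial above relies on."""
    seen: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for f in frames:
        if f.iv >= 0:
            seen[f.src][f.iv] += 1
    return {src: sorted(iv for iv, n in ivs.items() if n > 1)
            for src, ivs in seen.items()
            if any(n > 1 for n in ivs.values())}


def sample_capture() -> List[Frame]:
    """Constructed capture (all addresses made up): STA1 browses normally,
    STA2 replays one 68-byte frame 300 times in six seconds, and the AP
    answers each replay with a fresh IV except for one repeat of 0x200005."""
    ap = "00:11:22:33:44:55"
    sta1 = "aa:bb:cc:00:00:01"
    sta2 = "aa:bb:cc:00:00:02"
    frames: List[Frame] = []
    for i in range(50):        # varied sizes, one frame per second
        frames.append(Frame(i * 1.0, sta1, ap, 100 + (i * 37) % 900, 0x100000 + i))
    for i in range(300):       # identical length, 50 frames per second
        frames.append(Frame(20.0 + i * 0.02, sta2, ap, 68, 0x0A0B0C))
    for i in range(300):       # AP replies; IV counter advances, one collision
        iv = 0x200000 + (5 if i == 150 else i)
        frames.append(Frame(20.0 + i * 0.02 + 0.001, ap, ap, 96, iv))
    return frames


if __name__ == "__main__":
    cap = sample_capture()
    for (src, bssid, length), n in replay_floods(cap).items():
        print(f"replay flood: {src} -> {bssid}, {n} frames of {length} bytes")
    for src, ivs in iv_reuse(cap).items():
        print(f"IV reuse by {src}: {[hex(v) for v in ivs]}")
```

On a real capture the same two functions take frames parsed from a monitor-mode pcap; the thresholds are starting points to tune against the network’s normal traffic.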


Happy WarDriving.

Note: some portions of the text of this article are extracted from WEP Cracking by UmInAsHoE.