See If You Can Find It

Friday, July 10, 2020

Tools for Android: WiGLE

Hi! I hope you're having a good weekend. Here's some more wireless and Android for you!

If you've ever so much as thought about hacking WiFi, you may have heard of wardriving and warchalking. If not, you've probably at least come across the concept. Warchalking is the practice of identifying wireless networks and marking the spot where the signal was found (the side of a building, the pavement, you name it) with a symbol that tells the next person a network exists there and whether or not it has any security. Wardriving, on the other hand, is driving around and identifying networks, often with high-gain antennas, collecting data such as channel, average signal strength, security type, or whether it's an open network. That data can then be used to identify targets.

Today, there's an amazing site called WiGLE. Here, tons of people have gone around, collected information about networks, and uploaded it to the site's database. You can even host your own local database. Now you may be thinking, how is this allowed? I'll be honest. I don't know all the details or legalities when it comes to the collection of this data. However, I can tell you it does have its ethical uses. I'll give you a scenario. Say you have a known malicious actor, you've successfully exploited their mobile device or laptop, and have a program feeding you some data. Some of that data is the BSSIDs (the MAC addresses) of the access points the device can see. As I mentioned before, WiGLE has a database full of wireless networks and information about them. All you have to do is plug in that BSSID, and if it's ever been scanned and uploaded, you'll be able to identify the area your target is in.

Another idea for you: say you want to identify what channels your neighbors are operating on so you can configure yours to avoid interference. Or you want to be proactive and identify which neighbors have weak security on their APs so that you can educate them. Sounds great, right? Well, as the saying goes, there's an app for that. So pull out your Android device and download WiGLE from your preferred app store.

Usage

As you may already be able to tell, WiGLE has many useful features, and their mobile app is no different. Once you've got it installed, go ahead and launch it. You should see something like this:
Lots of useful information here! First, at the top, notice you have a latitude, longitude, and altitude. Then go down to the networks: the green lock signifies that WPA2 is in use (it's also stated underneath the hardware name). Under the lock you'll see the signal strength, then the MAC/BSSID, the channel, and the technologies in use. The app has also been updated in the past few years to pick up Bluetooth and BLE devices as well as mobile cell towers!

Alright, now tap the menu at the top left, go to settings, and sign in or register for an account. Once that's done you can search WiGLE's database. From here you can search for all access points named "walmart", or anything else you can think of.
The results also give you the location where each network was observed, so try it out!

You may also have noticed that you can search by BSSID. I've identified a network with the BSSID 00:13:10:d3:f5:be that is probably trying to trick people into connecting to it. Take a look:
Notice the typo here. Now it could be as simple as that, but I'm going to err on the side of caution and say it's not.

WiGLE's website is also an incredible resource for CTFs! Anyway, I hope you've enjoyed this little review. Be responsible, have fun!


Sunday, July 5, 2020

HACK THIS SITE! (2)

Welcome back! This time, we're going to go over some more of the basic challenges over on Hack This Site!

Basic 5

This one is basically the same as Basic 4: take a look at the page source, then replace Sam's email with yours. The script is supposed to be more secure thanks to referer validation, but it still isn't secure enough to stop this simple "hack". The Referer header is set by the client, so it can be spoofed with a proxy or a curl flag and should never be treated as authorization. As long as you use your HTS email, you should get the password and then see the following upon submission:


Basic 6


Now we start getting into some pretty interesting stuff. Let's play with the field that encrypts a string here. I'm going to feed it the "encrypted password" and pass it through, just to see what happens.
Look at that! The first character remained the same... but wait, the 2nd character increased in value by 1... and the 3rd increased by two?? But what if... Hm.
Yes, I was right. The first character stays the same, the 2nd increases by 1, the 3rd by 2, the 4th by 3, and so on (think of it in terms of an array: position 0 gets +0, position 1 gets +1, etc.). But where are these symbols coming from? They're ASCII characters. Look each one up in the char column of an ASCII chart and move back by its position to find the original: f to e, 8 to 7, and so on. There is no key, only a shift equal to the index, so the same walk through the chart reverses it for any input.
For my decrypted password, I got "f5166ba5". Note that yours will be different, as your encrypted password will be different. From here just submit and move on!
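To make the rule concrete, here is the transform written out in Python. This is an added example, not code from the page or from Hack This Site (the challenge's server-side implementation is never shown; this reproduces the rule observed above). The function names are mine, and the page's recovered value "f5166ba5" is used as a constructed test vector, so the ciphertext it prints is derived from that rather than copied from the challenge.

```python
"""HTS Basic 6's "encryption" written out (added example, not the page's or
Hack This Site's own code; the challenge's server-side implementation is not
shown, this reproduces the rule observed on the page).

Each character's ASCII code is raised by its 0-based position: position 0 is
unchanged, position 1 moves one place up the table, position 2 two places,
and so on. There is no key, so subtracting the same index undoes it.
"""


def hts6_encrypt(plaintext: str) -> str:
    """Shift each character up by its position index."""
    return "".join(chr(ord(ch) + i) for i, ch in enumerate(plaintext))


def hts6_decrypt(ciphertext: str) -> str:
    """Shift each character back down by its position index.

    Raises ValueError if the input cannot be an output of hts6_encrypt
    (a shifted code would land below 0), which catches a mistyped ciphertext
    before it turns into a garbage password.
    """
    out = []
    for i, ch in enumerate(ciphertext):
        code = ord(ch) - i
        if code < 0:
            raise ValueError(f"position {i}: {ch!r} is below the shift of {i}")
        out.append(chr(code))
    return "".join(out)


def shift_table(ciphertext: str) -> list:
    """Per-position breakdown (index, cipher char, shift, plain char): the
    same thing as walking an ASCII chart by hand."""
    return [(i, ch, i, chr(ord(ch) - i)) for i, ch in enumerate(ciphertext)]


if __name__ == "__main__":
    # Constructed test vector: the page's recovered password, re-encrypted here.
    plain = "f5166ba5"
    cipher = hts6_encrypt(plain)
    print(cipher)  # f639:gg<
    for row in shift_table(cipher):
        print(row)
    assert hts6_decrypt(cipher) == plain
```

Because the shift grows with the index, characters past the first few quickly leave the printable part of the ASCII table, which is why the challenge's output is full of symbols; the decrypt only has to subtract the index back off, and the first character is always plaintext.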

Basic 7
This one is much simpler than it seems. It says that Sam uses a script, but you basically have direct access to the shell. The script runs the Unix "cal" command with whatever year you give it, so if you're familiar with Unix/Linux, go ahead and give it a whirl. If not, we're going to give the command a year to process and then append the "ls" command after a semicolon, which lists the contents of the directory this "script" is running in. Take a look:
And oh man, Sam... You messed up bud.
Go ahead and navigate to that php file with your browser and you'll get your password to move on to the next challenge.
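Why "2020; ls" works, and what a fixed version of Sam's script would look like, as an added example in Python. This is not the challenge's own script (which is server-side and never shown); it assumes the script shells out to cal with the raw field interpolated into the command line, and the function names and the "; echo INJECTED" payload are constructed for the example.

```python
"""Shell command injection of the kind behind HTS Basic 7, and how to close it.
Added example: the challenge's server-side script is not shown, so the
vulnerable handler below is an assumed reconstruction of "cal <year>".
"""
import re
import shutil
import subprocess


def build_vulnerable_command(year: str) -> str:
    """String interpolation: the raw field becomes part of the command line."""
    return f"cal {year}"


def run_vulnerable(year: str) -> subprocess.CompletedProcess:
    """Run through a shell, so ';', '|', '&&', '$(...)' in the field all work.

    The challenge's payload is "2020; ls". The example uses "echo INJECTED"
    instead, so the result does not depend on what happens to be on disk.
    """
    return subprocess.run(["sh", "-c", build_vulnerable_command(year)],
                          capture_output=True, text=True)


def show_as_data(year: str) -> subprocess.CompletedProcess:
    """Same shell, but the field is passed as a positional parameter ($1), so
    the shell treats it as data: "2020; echo INJECTED" is printed verbatim and
    nothing after the semicolon is executed."""
    return subprocess.run(["sh", "-c", 'printf "arg=%s\\n" "$1"', "sh", year],
                          capture_output=True, text=True)


_YEAR = re.compile(r"[0-9]{1,4}")


def validate_year(year: str) -> int:
    """Allow-list check. cal accepts 1..9999, so anything else is rejected
    outright instead of being 'cleaned'."""
    if not _YEAR.fullmatch(year):
        raise ValueError(f"rejected year: {year!r}")
    n = int(year)
    if not 1 <= n <= 9999:
        raise ValueError(f"year out of range: {n}")
    return n


def run_hardened(year: str) -> list:
    """Validate, then pass argv as a list: no shell parses the value at all.
    Returns the argv actually used; cal is only executed if it is installed."""
    argv = ["cal", str(validate_year(year))]
    if shutil.which("cal"):
        subprocess.run(argv, capture_output=True, text=True, check=False)
    return argv


if __name__ == "__main__":
    payload = "2020; echo INJECTED"
    print(run_vulnerable(payload).stdout)   # calendar (if cal exists), then INJECTED
    print(show_as_data(payload).stdout)     # arg=2020; echo INJECTED
    print(run_hardened("2020"))             # ['cal', '2020']
    try:
        run_hardened(payload)
    except ValueError as err:
        print("blocked:", err)
```

The two fixes are independent and you want both: the allow-list rejects anything that is not a plausible year, and the argv list means that even a value that slipped past validation would reach cal as a single argument rather than being re-parsed by a shell.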

Basic 8
SSI... Server-Side Includes. Having fun yet? If you aren't familiar with SSI, take a look at the OWASP article on SSI injection.

Let's try a couple of commands using SSI. First, I'm going to take a look at what's in the current directory with "<!--#exec cmd="ls" -->".
Hmmm... I don't see anything that stands out from this. Let's see what directory we're actually in; we'll do this with "<!--#exec cmd="pwd" -->".
Well... looks like we aren't supposed to know where we are (although the URL bar does tell you).
Hmmm... Let's see what's in the parent directory instead. We'll do this with "<!--#exec cmd="ls .." -->".
That looks like success to me! Go ahead and navigate to that first .php file and you'll get your password to move on! On a server you run, the fix is to never reflect user input into an SSI-parsed page unescaped, and to set Apache's "Options IncludesNOEXEC" so that #exec is not honored even if a directive does slip through.
That's it for today! I hope you enjoyed it! Next time, keep your eye out for a way onto the Easter egg page.


Wednesday, July 1, 2020

Windows System Administration: Local User Manipulation in CLI

Alright, hi everyone! Today I'm gonna bring you some Windows SysAdmin stuff in the CLI. Sure, we may be able to manipulate user accounts via the gui tools, but it's great to know how to do it both ways! Let's get started.

First and foremost, we need to launch either PowerShell or Command Prompt (make sure you run it as administrator). From there we need to get into the WMIC utility, and to do this all you have to do is type "wmic" at the prompt. WMIC is the Windows Management Instrumentation Command-line utility, and it has some wonderful functionality (note that Microsoft has since deprecated it; the PowerShell LocalAccounts cmdlets Get-LocalUser, Enable-LocalUser and Set-LocalUser cover the same ground). Once you're in this context, we need to take a look at all of the local users on the machine. Type "useraccount get name,status,lockout,disabled". There are other properties you can view, but we won't need them for this tutorial. If you'd like to take a look, simply type "useraccount /?".

Here we see all of our local accounts. We're going to focus on "Administrator". The property that actually controls whether the account can log on is "Disabled"; "Status" is derived from it and reads "Degraded" while an account is disabled or locked out, returning to "OK" once it's enabled. Once the account is enabled it can log on and use whatever privileges it holds. A "set" can be issued in one of two ways: without targeting any user, or by selecting your targeted user with a "where" filter. For the first method you would type "useraccount set status=ok", which prompts you, for each account in the list, whether to modify that property. The second way would be "useraccount where name='Administrator' set status=ok", which applies ONLY to that user. Prefer the filtered form; answering the prompts wrong on the untargeted one changes accounts you never meant to touch.


Now that we've seen how to target a single account, change the "Disabled" property the same way: "useraccount where name='Administrator' set disabled=false". Run the earlier "get" again and the account should now show Disabled FALSE.

From there, exit the WMIC context ("exit" or "quit") and you're back at your regular PowerShell prompt. Now, in order to actually access our newly enabled account, we need to set a password that we know; for this we'll use the "net user" command. On its own, "net user" just lists the local accounts, just like "useraccount get name" in WMIC. To change the password, specify the user and add an asterisk: "net user Administrator *" prompts you for the new password (twice, without echoing it) instead of leaving it in your command history.


There we go, all set! Now we can log in and use this account. Keep in mind that enabling the built-in Administrator and resetting its password is also a textbook persistence move, so on a machine you defend, watch the Security log for events 4722 (user account enabled) and 4724 (password reset attempted) against that account. Want more Windows command line? Comment and let me know what you'd like to see! Thanks for reading!