# Finger

Finger is a tool for querying information about the users of a system. For that to work the target has to be running the finger service, which usually listens on TCP port 79.
In this lab we use a Cisco router that has the finger service running and query its users from a remote machine with the finger tool.

local# finger @router
[router]

Line       User       Host(s)              Idle       Location
0 con 0     root       idle                 00:00:25
6 vty 0     carlos     idle                 00:00:07 192.168.5.1

Interface    User               Mode         Idle     Peer Address
Se0          david              Sync PPP     00:13:59 192.168.1.2
local#
We can see:

- The users: root, carlos and david.
- How they are connected to the router (con0, vty0, s0).
- The idle time of each line or interface since it was last used.
- Where they connect from (192.168.5.1, 192.168.1.2).
- The access mode on interface s0 (PPP).

All of this is the output of `show users` handed to any unauthenticated client that can reach TCP/79: valid usernames, live source addresses and which sessions are idle. Unless it is needed, turn it off with `no ip finger` (older IOS versions: `no service finger`) and filter port 79 at the perimeter.
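Below is an added example (not from the original lab) of the same query done from Python: a minimal RFC 1288 client that opens TCP/79 and sends an empty request, and a parser that turns the IOS-style reply into structured records so the usernames and source addresses can be pulled out of it. SAMPLE_REPLY is a constructed copy of the router's answer above so the parser can be exercised offline; the function and field names are my own.

```python
import re
import socket

# Constructed sample: the router's reply from the lab above, as the finger client receives it
SAMPLE_REPLY = """\
[router]

Line       User       Host(s)              Idle       Location
0 con 0     root       idle                 00:00:25
6 vty 0     carlos     idle                 00:00:07 192.168.5.1

Interface    User               Mode         Idle     Peer Address
Se0          david              Sync PPP     00:13:59 192.168.1.2
"""

# "Line" table rows: [*]<n> <con|vty|aux|tty> <sub> <user> <hosts> <idle> [<location>]
LINE_RE = re.compile(
    r"^\*?\s*(?P<num>\d+)\s+(?P<type>con|vty|aux|tty)\s+(?P<sub>\d+)\s+"
    r"(?P<user>\S+)\s+(?P<hosts>\S+)\s+(?P<idle>\d{2}:\d{2}:\d{2})\s*(?P<loc>\S*)$"
)
# "Interface" table rows: <iface> <user> <mode...> <idle> [<peer>]
IFACE_RE = re.compile(
    r"^(?P<iface>[A-Za-z]+\d\S*)\s+(?P<user>\S+)\s+(?P<mode>.+?)\s+"
    r"(?P<idle>\d{2}:\d{2}:\d{2})\s*(?P<peer>\S*)$"
)


def finger_query(host: str, user: str = "", port: int = 79, timeout: float = 5.0) -> str:
    """RFC 1288 client: connect to TCP/79, send the user name followed by CRLF
    (an empty name lists everyone) and read until the server closes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall((user + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("ascii", errors="replace")


def parse_cisco_finger(text: str) -> list:
    """Turn the IOS-style reply into one record per session: who, via what, from where, idle."""
    sessions = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            sessions.append({
                "user": m["user"],
                "via": m["type"] + m["sub"],        # con0, vty0, aux0 ...
                "mode": None,
                "idle": m["idle"],
                "from": m["loc"] or None,           # console sessions have no remote address
            })
            continue
        m = IFACE_RE.match(line)
        if m:
            sessions.append({
                "user": m["user"],
                "via": m["iface"],                  # Se0 ...
                "mode": m["mode"],                  # e.g. "Sync PPP"
                "idle": m["idle"],
                "from": m["peer"] or None,
            })
    return sessions


def usernames(text: str) -> list:
    """Distinct usernames in reply order: the list that feeds the next step of an attack."""
    seen = []
    for s in parse_cisco_finger(text):
        if s["user"] not in seen:
            seen.append(s["user"])
    return seen


if __name__ == "__main__":
    import sys
    reply = finger_query(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPLY
    for s in parse_cisco_finger(reply):
        print(s)
```

Run it with a host argument to query a live router, or without one to parse the embedded sample.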

# S/Key

S/Key is an OTP (One-Time Password) authentication system: each password is valid for a single login. The passwords are derived by repeatedly applying a one-way hash function (md4, md5, sha1 or rmd160) to a secret passphrase.
How it works:

F: hash function
skey: secret passphrase
Pi: the i-th password of the chain, here P0 to P10

F(skey) = P0
F(P0) = P1
F(P1) = P2
F(P2) = P3
F(P3) = P4
F(P4) = P5
F(P5) = P6
F(P6) = P7
F(P7) = P8
F(P8) = P9
F(P9) = P10

S/Key is available on *NIX systems and can back the authentication of several protocols (telnet, ftp, ssh, ...).
The server stores only the last password generated (P10). When the user logs in, the server asks for P9; if F(P9) = P10 it grants access, replaces the stored value with P9, and at the next login it asks for P8. The chain is finite: once P0 has been used, the user has to run skeyinit again.
If an attacker intercepts P9 after the login, it is already spent. To obtain P8 from P9 they would have to invert F (find a G with G(P9) = P8), which is exactly what a one-way hash function (F(P8) -> P9) is designed to prevent. Two things S/Key does not protect against: an active attacker who intercepts P9 before it reaches the server and uses it first (or sits in the middle of the session), and an offline dictionary attack on the passphrase, since the seed is public and one captured password is enough to test guesses against. In the real scheme (RFC 1760, generalised in RFC 2289) P0 is F(seed || passphrase), each digest is folded to 64 bits, and the 64-bit values are displayed as six short English words, as in the session below.

Practice:
local# ssh root@192.168.1.12
root@192.168.1.12's password: 
Last login: Sat Oct  4 23:00:28 2008
OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008

remoto# skeyinit -E
remoto# skeyinit
Reminder - Only use this method if you are directly connected
or have an encrypted channel.  If you are using telnet,
hit return now and use skeyinit -s.
[Adding root with md5]
Enter new secret passphrase: 
Again secret passphrase: 

ID root skey is otp-md5 100 open65334
Next login password: YAM LOWE GIBE HOWL LION MAST

remoto# otp-md5 -n 100 `skeyinfo`  
Reminder - Do not use this program while logged in via telnet.
Enter secret passphrase: 
0: ORGY COST EDGY TINT DEAR BLUM
1: RASH HELL LEAD NEIL HARM ADEN
2: GAG PER EMMA BAND USES GET   
3: SAW BALE WAY KNEW RULE CLUE  
4: GRAD BOWL ALGA TONY BUSS NOW 
5: AVOW HALL VIE MUD YEAR COY   
6: YAP DIAL WEAL DUD PER HAAS   
7: VASE HESS ULAN DORA YAWL EYED
8: GASH SIP KISS WHY HEAL TACT  
9: KONG MARE SHIM CAGE BACK RULE
10: WU BUCK LAME RUDY OLAF COCK  
11: SOFA DRUG LAVA HAY BAIL STAB 
12: GIRL VICE KEY AWE AT RENT    
13: DAY OSLO TUFT MA MANY EASY   
14: MILE RAM DINE HOYT THUG PAD  
15: NIP DEFY DATA LINK FILE TAKE 
16: HAND WEIR HOOK LIED PEA LIAR 
17: RYE WAGE HAYS SELL TIE HOP   
18: GULF TONG AT DRAW MINE CADY  
19: CHEW FANG LYLE SUDS EASY MIT 
20: WARM HASH BERT SALK WEE DEBT 
21: EST MAW LUCK EVEN WEST GARB  
22: ROOF ARTY DOSE GLOW GLIB TOOT
23: TELL ROE SELF NOLL GARB CASK 
24: MEAL MILD FIST TEAM COOT ROAR
25: HECK DIET AID SON HIS RUDE   
26: VISE EVIL FEE TIDY BURT SIRE 
27: MOTH FERN OTT SURE WELD REID 
28: MICE LYNN GANG HOLT ROSA LOOK
29: HO TUNA DESK LIP GUSH SOAR   
30: KEG LIN DIRT TEEM COMA SAIL  
31: EVA ANNA APT IQ TUBE WART    
32: AHOY SOWN RISK GAP DARK BADE 
33: LINK HAL CELL SHE LAVA MUST  
34: GIFT MAE SOD SLIM HAIR HESS  
35: KATE NIT TAB SOCK GLOW CLUE  
36: GO PEN EARL TIP WICK SORT    
37: TIER IFFY ARCH YES YEAR WOK  
38: WIRE WISH THEY LOSE NAN ROBE 
39: MOD GARY EARL TONG PIN OW    
40: BASH GINA JURY ONES DAR GIFT 
41: SLUG LIFE FIT AMRA BROW AIDE 
42: HEBE LYON VOID MORE KNEW FROM
43: ONLY TUN AT BUFF BETA HORN   
44: EDDY ABE UP THAN ANNA JAR    
45: SARA GEL DOWN KARL DIME BOG  
46: BAWL KITE BOSE OILY LION TALL
47: BOYD ALAN TOOT MEAN NICE FAD 
48: SOWN ELM AJAR TUFT WEAL ANTE 
49: SELF FIRM GAP NEWS FULL HESS 
50: TOOK JUNE BOB ROLL ABLE BIEN 
51: ROSA DIN GLUE MISS TEET VEAL 
52: DOG FLUB SIFT LARD ACME BABY 
53: JIM TOUT GOT ROVE SEEK USES  
54: ONLY PUP PEW ALTO LIMB GIVE  
55: BEAU HUT SEA HOC CUT SUD     
56: NOV WRY JOHN AMY PHI NODE    
57: GIST DINE DAB AHEM COIL OVER 
58: KNOB CAP YOU CUTS NAIL SIP   
59: PET WED DAM JIM STIR SCAR    
60: AUK RAT HONK SUN GENE AVON   
61: REAM ROAR VEND LIP DID EGG   
62: LIT DUG WAIT GALA WEAK NON   
63: JOVE JAM LOG DIAL LAWN LILT  
64: BARE CHUB CON LIAR STOW FOUL 
65: TREK ROOM NEWS HAN SKIT LAWS 
66: BARE TUSK JOAN TESS BARE DEN 
67: JUNE YAM LUND PHI ARC DUST   
68: BASE WIFE GLUE OTTO MALE SIR 
69: SOAK FANG ELY FOR PI ROUT    
70: TUCK FIRM BONA HOB TOIL SUB  
71: CERN TIED SAG SLID MAYO SOW  
72: DUNK TOE JAVA GOOD JOVE HERB 
73: HOC DUCT MAE MOE BEAK BOSS   
74: SHE SILT MURK UP GAB WEEK    
75: BELA POP HOLT BET LORD BARN  
76: CALF SWAB DAWN FOAM GUY GWEN 
77: DIP BAT ONCE TREK GLEN MACE  
78: VEIL FUSE VETO SUB CHAD EMIT 
79: TWIN PET CALF GREY KEG HIVE  
80: IO TINA KNOT JAM KNOT FUME   
81: LIEU JURY JUT KONG GAFF GLAD 
82: CAW CLAD TONE DIRT PRO ELSE  
83: KIRK LIST CODA NEWS LOSS STAN
84: GREG TESS QUIT LOW SLAY HIKE 
85: FLEA GRAD GOWN WAGE KANT FEED
86: KALE DEFY NOT OLGA GIBE CURD 
87: HUG ACTS YALE PAY RACY JULY  
88: VISE HUG MOD BAG LUCY CLOD   
89: EMIL IF ALGA FIB FAIL MUCK   
90: BETH LIN KARL AFAR FOOT WEAK 
91: NO RON ULAN MIRE RIDE NOEL   
92: DEAL SHAG DAVY OLGA AIDA MAP 
93: DELL FIRM COKE HEAT BEY KEEN 
94: CHAD PAM DUMB FAR ANTI COOL  
95: LULU VIEW BUCK DULL GLOM BOP 
96: BUOY SAY SICK JOEY ANTE COCA 
97: MORN FLIT FAKE LOOT HULK ECHO
98: NOUN KEEL HAVE CITY YELL RIME
99: ROBE DIVE MOST LAVA MIRE BONN
remoto# exit
local# ssh -l root:skey 192.168.1.12
otp-md5 99 open65334
S/Key Password: ROBE DIVE MOST LAVA MIRE BONN
Last login: Sat Oct  4 23:02:03 2008 from 192.168.1.2
OpenBSD 4.3 (GENERIC) #698: Wed Mar 12 11:07:05 MDT 2008

remoto#
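The exchange above, modelled as an added example (not code from the original lab or from OpenBSD's skey): the RFC 2289 otp-md5 step (MD5 folded to 64 bits), the chain P0..Pn, a server that stores only (n, seed, Pn) and slides down one row per successful login, and the client computing row n-1. Passwords are shown in hex instead of six words, because the six-word encoding needs the 2048-word dictionary from RFC 1760, which is omitted here; the seed open65334 is the one from the session, while the passphrase and the class and function names are my own.

```python
import hashlib


def fold_md5(data: bytes) -> bytes:
    """One 'otp-md5' step (RFC 2289): MD5 the input and fold the 16-byte digest to 8 bytes
    by XORing its two halves. This is the F of the chain above."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp_chain(seed: str, passphrase: str, n: int) -> list:
    """[P0, P1, ..., Pn] with P0 = F(seed || passphrase) and Pk = F(P(k-1)).
    The seed is lowercased before hashing, as skey's key crunching does."""
    p = fold_md5((seed.lower() + passphrase).encode("utf-8"))
    chain = [p]
    for _ in range(n):
        p = fold_md5(p)
        chain.append(p)
    return chain


def otp_password(seed: str, passphrase: str, k: int) -> str:
    """What otp-md5 prints for row k, in hex rather than six words (word list omitted)."""
    return otp_chain(seed, passphrase, k)[k].hex()


class SkeyServer:
    """Server side of one user's entry: hash name, sequence number n, seed and ONLY Pn.
    The passphrase is never stored; skeyinit discards it after computing Pn."""

    def __init__(self, user: str, seed: str, passphrase: str, n: int = 100):
        self.user = user
        self.seed = seed
        self.n = n
        self.stored = otp_chain(seed, passphrase, n)[n]

    def challenge(self) -> str:
        """The prompt the client sees, e.g. 'otp-md5 99 open65334': the row to answer with."""
        return f"otp-md5 {self.n - 1} {self.seed}"

    def verify(self, candidate_hex: str) -> bool:
        """Accept P(n-1) iff F(P(n-1)) == stored Pn, then slide the window down one row."""
        if self.n < 1:
            return False                      # chain exhausted: user must run skeyinit again
        try:
            cand = bytes.fromhex(candidate_hex)
        except ValueError:
            return False
        if len(cand) != 8 or fold_md5(cand) != self.stored:
            return False                      # wrong, or a replay of an already spent row
        self.stored = cand
        self.n -= 1
        return True


if __name__ == "__main__":
    # Constructed demo values: the seed is the one from the lab, the passphrase is made up.
    srv = SkeyServer("root", "open65334", "demo passphrase", n=100)
    print(srv.challenge())
    p99 = otp_password("open65334", "demo passphrase", 99)
    print("login:", srv.verify(p99), "replay:", srv.verify(p99), "next:", srv.challenge())
```

The replay call fails because after the first login the server holds P99, and hashing P99 once more gives P100, not P99; the only value it will now accept is P98.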

# Breaking the Vigenère cipher

To break the Vigenère cipher as used for Cisco type 7 passwords there are several options:

- Use online tools:

http://www.kazmier.com/computer/cisco-apps.html
http://www.ifm.net.nz/cookbooks/passwordcracker.html

- Use the 'Cain and Abel' tool.

Download the tool, install it and run it. Once it is running, press Alt+7 and the 'Cisco Type-7 Password Decoder' window appears.

- Use a program written in C or Perl.

- Use the router's own IOS:
router(config)#enable password crackmeifyoucan
router(config)#service password-encryption
router#show run
...
enable password 7 0307490A05042C49470F000A02110A02
...
router(config)#key chain tipo7
router(config-keychain)#key 0
router(config-keychain-key)#key-string 7 0307490A05042C49470F000A02110A02
router#show key chain tipo7
Key-chain tipo7:
key 0 -- text "crackmeifyoucan"
accept lifetime (always valid) - (always valid) [valid now]
send lifetime (always valid) - (always valid) [valid now]
The first two characters (03) of the ciphertext (0307490A05042C49470F000A02110A02) are the seed. The seed is the starting offset into a fixed byte array, the key, which is used circularly: each plaintext byte is XORed with the next key byte, which is what makes this a Vigenère-style running-key cipher (XOR instead of modular addition) and why the same password gives a different string for each seed. Type 7 is obfuscation, not encryption: `service password-encryption` only stops someone reading the password off the screen, and anything stored as `password 7` or `key-string 7` should be treated as plaintext; use `enable secret`, which stores a salted hash, for the enable password. Let us see step by step how the following ciphertext is decoded:
# ./vigenere 0307490A05042C49470F000A02110A02 -v
seed=('enc_pw[0]'-'0')*10+'enc_pw[1]'-'0'=('0'-'0')*10+'3'-'0'=(48-48)*10+51-48
seed=3

key table[]:  d  s  f  d  ;  k  f  o  A  ,  .  i  y  e  w  r  k  l  d  J  K  D
              0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18 19 20 21

key: d;kfoA,.iyewrkldJKDdsf

***I=2 '0'
***I=3 '7'
  '07' ^ key_table[3] = 0x7 ^ 0x64 = 001100011b = c
  password=c
***I=4 '4'
***I=5 '9'
  '49' ^ key_table[4] = 0x49 ^ 0x3b = 001110010b = r
  password=cr
***I=6 '0'
***I=7 'A'
  '0A' ^ key_table[5] = 0xa ^ 0x6b = 001100001b = a
  password=cra
***I=8 '0'
***I=9 '5'
  '05' ^ key_table[6] = 0x5 ^ 0x66 = 001100011b = c
  password=crac
***I=10 '0'
***I=11 '4'
  '04' ^ key_table[7] = 0x4 ^ 0x6f = 001101011b = k
  password=crack
***I=12 '2'
***I=13 'C'
  '2C' ^ key_table[8] = 0x2c ^ 0x41 = 001101101b = m
  password=crackm
***I=14 '4'
***I=15 '9'
  '49' ^ key_table[9] = 0x49 ^ 0x2c = 001100101b = e
  password=crackme
***I=16 '4'
***I=17 '7'
  '47' ^ key_table[10] = 0x47 ^ 0x2e = 001101001b = i
  password=crackmei
***I=18 '0'
***I=19 'F'
  '0F' ^ key_table[11] = 0xf ^ 0x69 = 001100110b = f
  password=crackmeif
***I=20 '0'
***I=21 '0'
  '00' ^ key_table[12] = 0x0 ^ 0x79 = 001111001b = y
  password=crackmeify
***I=22 '0'
***I=23 'A'
  '0A' ^ key_table[13] = 0xa ^ 0x65 = 001101111b = o
  password=crackmeifyo
***I=24 '0'
***I=25 '2'
  '02' ^ key_table[14] = 0x2 ^ 0x77 = 001110101b = u
  password=crackmeifyou
***I=26 '1'
***I=27 '1'
  '11' ^ key_table[15] = 0x11 ^ 0x72 = 001100011b = c
  password=crackmeifyouc
***I=28 '0'
***I=29 'A'
  '0A' ^ key_table[16] = 0xa ^ 0x6b = 001100001b = a
  password=crackmeifyouca
***I=30 '0'
***I=31 '2'
  '02' ^ key_table[17] = 0x2 ^ 0x6c = 001101110b = n
  password=crackmeifyoucan
Password: crackmeifyoucan
vigenere source code:
# cat vigenere.c 
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* 22-byte prefix of the IOS type-7 key table, used circularly (see the "key:" line above) */
char xlat[]={
 0x64,0x73,0x66,0x64,0x3b,0x6b,0x66,0x6f,
 0x41,0x2c,0x2e,0x69,0x79,0x65,0x77,0x72,
 0x6b,0x6c,0x64,0x4a,0x4b,0x44
};
#define XLAT_LEN ((unsigned int)sizeof(xlat))

int verbose=0;

/* 9-bit rendering (bit 8 down to bit 0) used by the verbose trace */
const char* byte_to_binary(int x){
 static char b[10];      /* 9 digits plus NUL; b[9] was one byte short */
 int z;
 b[0]='\0';
 for(z=256;z>0;z>>=1){
  strcat(b,((x & z) == z) ? "1" : "0");
 }
 return b;
}

/* Decode "SSHHHH...": two decimal seed digits, then one hex byte per plaintext byte.
   dec_pw must be zero-filled and hold strlen(enc_pw)/2 bytes. Returns -1 on bad input. */
int cdecrypt(char *enc_pw,char *dec_pw){
 unsigned int seed,i,val=0,len=(unsigned int)strlen(enc_pw);
 /* validate before anything indexes xlat[seed] */
 if(len<4 || (len&1) || !isdigit((unsigned char)enc_pw[0]) || !isdigit((unsigned char)enc_pw[1])) return(-1);
 seed=(enc_pw[0]-'0')*10+enc_pw[1]-'0';
 if(seed>15) return(-1);  /* IOS only uses seeds 0-15 */
 if(verbose){
  printf("seed=('enc_pw[0]'-'0')*10+'enc_pw[1]'-'0'=");
  printf("('%c'-'0')*10+'%c'-'0'",enc_pw[0],enc_pw[1]);
  printf("=(%d-%d)*10+%d-%d\n",enc_pw[0],'0',enc_pw[1],'0');
  printf("seed=%d\n\n",seed); 
  printf("key table[]:");
  for(i=0;i<XLAT_LEN;i++){printf("  %c",xlat[i]);}printf("\n"); 
  printf("            ");
  for(i=0;i<XLAT_LEN;i++){printf("%3d",i);}printf("\n\n"); 
  printf("key: ");
  for(i=seed;i<XLAT_LEN;i++){printf("%c",xlat[i]);} 
  for(i=0;i<seed;i++){printf("%c",xlat[i]);}printf("\n\n"); 
 }
 for(i=2;i<=len;i++){
  if(i!=2 && !(i&1)){
   /* a full hex pair is in val: XOR it with the current key byte, wrapping round the table */
   dec_pw[i/2 - 2]=val^xlat[seed%XLAT_LEN];
   if(verbose){
    printf("\t\t'%c%c' ^ key_table[%d] = 0x%x ^ 0x%x = %sb = ",
     enc_pw[i-2],enc_pw[i-1],seed%XLAT_LEN,val,xlat[seed%XLAT_LEN],byte_to_binary(dec_pw[i/2 - 2]));
    printf("%c\n",dec_pw[i/2 - 2]);
    printf("\t\tpassword=%s\n",dec_pw);
   }
   val=0;
   seed++;
  }
  if(i==len) break;       /* every pair consumed */
  if(verbose){printf("***I=%d '%c'\n",i,enc_pw[i]);}
  val*=16;
  enc_pw[i]=(char)toupper((unsigned char)enc_pw[i]);
  if(isdigit((unsigned char)enc_pw[i])){
   val+=enc_pw[i]-'0';
   continue;
  }
  if(enc_pw[i]>='A' && enc_pw[i]<='F'){
   val+=enc_pw[i]-'A'+10;
   continue;
  }
  return(-1);             /* not a hex digit */
 }
 dec_pw[len/2 - 1]='\0';
 return(0);
}

int main(int argc,char **argv){
 char passwd[65];
 memset(passwd,0,sizeof(passwd));
 if(argc<2){
  fprintf(stderr,"usage: %s <type7 string> [-v]\n",argv[0]);
  return 1;
 }
 if(argc>2 && !strcmp(argv[2],"-v")){verbose=1;}
 /* 2 seed digits + 2 hex digits per byte; passwd keeps one byte for the NUL */
 if(strlen(argv[1])>2+2*(sizeof(passwd)-1)){
  fprintf(stderr,"input too long\n");
  return 1;
 }
 if(cdecrypt(argv[1],passwd)!=0){
  fprintf(stderr,"not a valid type 7 string\n");
  return 1;
 }
 printf("Password: %s\n",passwd);
 return 0;
}
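An added example in Python (not the page's code) that goes one step further than vigenere.c: it encodes as well as decodes, so you can see that the same password under a different seed gives an unrelated-looking string that decodes just as easily, and it sweeps a 'show run' dump for every line carrying a type-7 string. It uses the full IOS key table, of which the 22 bytes in vigenere.c are the prefix; SAMPLE_CONFIG and the function names are my own.

```python
import re

# Full IOS type-7 key table; the 22-byte table in vigenere.c above is its prefix.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(enc: str) -> str:
    """'SSHH...': two decimal seed digits, then one hex byte per plaintext byte,
    each XORed with XLAT[(seed + i) % len(XLAT)]."""
    if len(enc) < 4 or len(enc) % 2 or not enc[:2].isdigit():
        raise ValueError("not a type 7 string")
    seed = int(enc[:2])
    if seed > 15:
        raise ValueError("seed out of range (IOS uses 0-15)")
    body = bytes.fromhex(enc[2:])           # raises ValueError on non-hex input
    plain = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body))
    return plain.decode("latin-1")


def type7_encode(plain: str, seed: int = 0) -> str:
    """The other direction, what 'service password-encryption' does: same key, same XOR."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0-15")
    body = plain.encode("latin-1")
    return f"{seed:02d}" + "".join(
        f"{b ^ XLAT[(seed + i) % len(XLAT)]:02X}" for i, b in enumerate(body)
    )


# Config lines that carry a type-7 string (password 7, key-string 7, tacacs/radius key 7)
TYPE7_RE = re.compile(r"\b(?P<kw>password|key-string|key)\s+7\s+(?P<enc>[0-9A-Fa-f]{4,})\b")


def find_type7(config: str) -> list:
    """Sweep a 'show run' dump; return (line number, config line, recovered plaintext)."""
    hits = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = TYPE7_RE.search(line)
        if not m:
            continue
        try:
            hits.append((lineno, line.strip(), type7_decode(m["enc"])))
        except ValueError:
            continue                        # looked like type 7 but did not decode
    return hits


# Constructed sample config: the lab's enable password, the classic "cisco" string,
# a (made-up) type 5 hash that must be left alone, and the key chain from the lab.
SAMPLE_CONFIG = """\
!
enable password 7 0307490A05042C49470F000A02110A02
username admin password 7 00071A150754
enable secret 5 $1$abcd$efghijklmnopqrstuvwxyz12
key chain tipo7
 key 0
  key-string 7 0307490A05042C49470F000A02110A02
!
"""

if __name__ == "__main__":
    for lineno, line, plain in find_type7(SAMPLE_CONFIG):
        print(f"{lineno}: {line}  ->  {plain}")
    print(type7_encode("crackmeifyoucan", 3), type7_encode("crackmeifyoucan", 9))
```

The two encodings printed last differ in every byte yet decode to the same password, which is why comparing type-7 strings says nothing about whether two devices share a password.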

# Dmitry

Dmitry (DeepMagic Information Gathering Tool) is a command-line tool for *nix systems, written in C, that collects information about a host: domain and IP whois, subdomains, e-mail addresses, open TCP ports and, via Netcraft, the operating system and web server. The whois, Netcraft and search-engine lookups only talk to third parties; the -p/-f/-b port scan and banner grab connect to the target itself, so run those only against hosts you are authorised to test.

local$ wget http://mor-pah.net/code/DMitry-1.3a.tar.gz
local$ tar -xvzf DMitry-1.3a.tar.gz
local$ cd DMitry-1.3a
local$ ./configure
local$ make
local# make install
local$ cd ..
local$ rm -rf DMitry-1.3a*
local$ dmitry
Deepmagic Information Gathering Tool
"There be some deep magic going on"

Usage: dmitry [-winsepfb] [-t 0-9] [-o %host.txt] host
-o  Save output to %host.txt or to file specified by -o file
-i  Perform a whois lookup on the IP address of a host
-w  Perform a whois lookup on the domain name of a host
-n  Retrieve Netcraft.com information on a host
-s  Perform a search for possible subdomains
-e  Perform a search for possible email addresses
-p  Perform a TCP port scan on a host
* -f  Perform a TCP port scan on a host showing output reporting filtered ports
* -b  Read in the banner received from the scanned port
* -t 0-9 Set the TTL in seconds when scanning a TCP port ( Default 2 )
*Requires the -p flagged to be passed

local$ dmitry -winsepf -t 9 nopcode.org
Deepmagic Information Gathering Tool
"There be some deep magic going on"

HostIP:67.205.19.164
HostName:nopcode.org

Gathered Inet-whois information for 67.205.19.164
---------------------------------

OrgName:    New Dream Network, LLC 
OrgID:      NDN
Address:    417 Associated Rd.
Address:    PMB #257
City:       Brea
StateProv:  CA
PostalCode: 92821
Country:    US

NetRange:   67.205.0.0 - 67.205.63.255 
CIDR:       67.205.0.0/18 
OriginAS:   AS26347
NetName:    DREAMHOST-BLK7
NetHandle:  NET-67-205-0-0-1
Parent:     NET-67-0-0-0-0
NetType:    Direct Allocation
NameServer: NS1.DREAMHOST.COM
NameServer: NS2.DREAMHOST.COM
Comment:    
RegDate:    2007-11-01
Updated:    2008-07-30

OrgAbuseHandle: DAT5-ARIN
OrgAbuseName:   DreamHost Abuse Team 
OrgAbusePhone:  +1-714-706-4182
OrgAbuseEmail:  abuse@dreamhost.com

OrgNOCHandle: ZD69-ARIN
OrgNOCName:   Network Operations 
OrgNOCPhone:  +1-714-706-4182
OrgNOCEmail:  netops@dreamhost.com

OrgTechHandle: MNA53-ARIN
OrgTechName:   Nagel, Mark 
OrgTechPhone:  +1-714-706-4182
OrgTechEmail:  mna47-arin@dreamhost.com

# ARIN WHOIS database, last updated 2008-09-27 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

Gathered Inic-whois information for nopcode.org
---------------------------------
Domain Name:NOPCODE.ORG
Created On:24-Aug-2003 15:07:57 UTC
Last Updated On:04-Aug-2008 18:22:47 UTC
Expiration Date:24-Aug-2009 15:07:57 UTC
Sponsoring Registrar:New Dream Network, LLC dba DreamHost Web Hosting (R173-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:ndn-441117
Registrant Name:nopcode.org Private Registrant
Registrant Organization:DreamHost Web Hosting
Registrant Street1:417 Associated Rd #324
Registrant Street2:
Registrant Street3:
Registrant City:Brea
Registrant State/Province:CA
Registrant Postal Code:92821
Registrant Country:US
Registrant Phone:+1.2139471032
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:nopcode.org@proxy.dreamhost.com
Admin ID:ndn-441117
Admin Name:nopcode.org Private Registrant
Admin Organization:DreamHost Web Hosting
Admin Street1:417 Associated Rd #324
Admin Street2:
Admin Street3:
Admin City:Brea
Admin State/Province:CA
Admin Postal Code:92821
Admin Country:US
Admin Phone:+1.2139471032
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:nopcode.org@proxy.dreamhost.com
Tech ID:ndn-441117
Tech Name:nopcode.org Private Registrant
Tech Organization:DreamHost Web Hosting
Tech Street1:417 Associated Rd #324
Tech Street2:
Tech Street3:
Tech City:Brea
Tech State/Province:CA
Tech Postal Code:92821
Tech Country:US
Tech Phone:+1.2139471032
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:nopcode.org@proxy.dreamhost.com
Name Server:NS1.DREAMHOST.COM
Name Server:NS2.DREAMHOST.COM
Name Server:NS3.DREAMHOST.COM

Gathered Netcraft information for nopcode.org
---------------------------------

Retrieving Netcraft.com information for nopcode.org
Operating System: Linux 
WebServer: Apache/2.0.61 (Unix) PHP/4.4.7 mod_ssl/2.0.61 OpenSSL/0.9?.7e mod_fastcgi/2.4.2 DAV/2 SVN/1.4.2 
Netcraft.com Information gathered

Gathered Subdomain information for nopcode.org
---------------------------------
Searching Google.com:80...
HostName:www.nopcode.org
HostIP:67.205.19.164
HostName:radare.nopcode.org
HostIP:212.36.65.53
HostName:blogs.nopcode.org
HostIP:208.113.203.211
HostName:ftp.nopcode.org
HostIP:67.205.19.164
HostName:news.nopcode.org
HostIP:212.36.65.53
HostName:deb.nopcode.org
HostIP:193.146.189.54
HostName:lists.nopcode.org
HostIP:66.33.216.179
Searching Altavista.com:80...
Found 7 possible subdomain(s) for host nopcode.org, Searched 0 pages containing 0 results

Gathered E-Mail information for nopcode.org
---------------------------------
Searching Google.com:80...
Searching Altavista.com:80...
Found 0 E-Mail(s) for host nopcode.org, Searched 0 pages containing 0 results

Gathered TCP Port information for 67.205.19.164
---------------------------------

Port  State

21/tcp  open
22/tcp  open
23/tcp  open
25/tcp  open
80/tcp  open
111/tcp  filtered
113/tcp  open

Portscan Finished: Scanned 150 ports, 142 ports were in state closed


All scans completed, exiting
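As an added example (not dmitry's code), here is the part of dmitry's work that actually touches the target, the -p/-b TCP connect scan with banner grab, in Python: it classifies each port as open, closed or filtered from how connect() fails, and reads the greeting of open ports. Because it needs something to scan, demo() starts a constructed banner server on loopback and scans that port plus a port known to be closed; the host, port list and banner text are my own.

```python
import socket
import threading


def grab_banner(sock: socket.socket, timeout: float = 2.0, nbytes: int = 256) -> str:
    """What dmitry -b does: read whatever the service volunteers right after connect."""
    sock.settimeout(timeout)
    try:
        data = sock.recv(nbytes)
    except socket.timeout:
        return ""                                   # silent service (e.g. HTTP waits for a request)
    return data.decode("ascii", errors="replace").strip()


def tcp_connect_scan(host: str, ports, timeout: float = 2.0, banner: bool = False) -> dict:
    """Full-connect scan, the only kind possible without raw sockets (what dmitry -p/-f does).
    Returns {port: (state, banner)} with state open / closed / filtered."""
    results = {}
    for port in ports:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except socket.timeout:
            results[port] = ("filtered", "")        # no SYN/ACK and no RST within the timeout
        except ConnectionRefusedError:
            results[port] = ("closed", "")          # RST came back
        except OSError as exc:
            results[port] = ("filtered", str(exc))  # host/net unreachable, admin-prohibited, ...
        else:
            results[port] = ("open", grab_banner(sock) if banner else "")
        finally:
            sock.close()
    return results


def start_banner_server(banner: bytes = b"220 demo.example ESMTP ready\r\n"):
    """Constructed stand-in for a real service so the scan can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))                      # any free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                              # listening socket closed
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo():
    """Scan one listening port and one known-closed port on loopback."""
    srv, open_port = start_banner_server()
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                                   # released: connecting now gets a RST
    try:
        results = tcp_connect_scan("127.0.0.1", [open_port, closed_port], banner=True)
        return results, open_port, closed_port
    finally:
        srv.close()


if __name__ == "__main__":
    results, open_port, closed_port = demo()
    for port, (state, text) in sorted(results.items()):
        print(f"{port}/tcp  {state}  {text}")
```

The filtered verdict is the same inference dmitry's -f makes: a connect that neither completes nor is refused before the timeout means something in the path dropped the SYN.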