Midnight Research Labs

TACACS+ password cracking^w auditing
aaron posted in passwords on January 22nd, 2009
comments:0

If you’re using the tac_plus implementation of Cisco’s TACACS+ server and want to do password auditing, I’ve written a quick script that will take the config file with all of its users and output a john the ripper compatible password file. You can run john directly against this generated file.

Here’s an abbreviated example:

$ ./tacacs-passwd-dump.py
usage: ./tacacs-passwd-dump.py <input tacacs file> <output passwd file>

$ ./tacacs-passwd-dump.py tac_plus.cfg tacacs.passwd
[*] Got user [john] [john smith]
[*] Got user [fred] [fred smith]
[*] Imported [2] accounts
[*] Done.

$ john tacacs.passwd
Loaded 2 password hashes with 2 different salts (Traditional DES [128/128 BS SSE2])
lamepassword (foo1)

Lots of new conference videos online
aaron posted in Uncategorized on January 20th, 2009
comments:0

Here are a few sets of conference videos that are now online:

– Hack in the box – Malaysia videos. Day1 — Day 2. Even though it’s a pirate bay link, the videos were linked from the main HITB page, so I’m assuming it’s legit, .

– Microsoft’s BlueHat 8 videos. Day 1 — Day 2.

– Dojosec videos.

– (edited to add) 25C3 videos are also now online. Awesome.

Happy torrenting.

Wifi Theremin
aaron posted in most unnecessary, wifi on January 19th, 2009
comments:15

A theremin, for those who don’t already know, is a musical instrument that varies the pitch based on your proximity to an antenna, and varies the volume based on your proximity to another antenna. It’s a touch-less device, and you’d probably recognize the sound from old sci-fi movies (listen to the vibrato whistling sound in the background).

Here’s an example of a theremin:


So what does this have to do with anything? I wrote up a script that has the same functionality that uses a wifi device and its signal strength to control the frequency and volume. Yeah, pretty useless, but yet here it is. We actually did this a couple years ago at MRL, but that version was even more of a hack. This version will actually interpolate the pitch as the signal strength jumps around and is threaded so the sound is a little smoother. This version also allows for a second control (wifi interface) that corresponds with the volume so it is a little bit more like a real theremin. There’s still a decent amount of latency though, so you can’t really use it to create useful music.

Here’s a short sample of what it sounds like when you run it from my system. Now isn’t that a beautiful sound, .

I started creating this on my mac book pro, but after realizing the embedded antenna is pretty difficult to control the signal strength from, I added support for linux. It’s not doing anything fancy for reading signal strength (just parsing CLI utils), so I’m not sure how portable it really is. Also, it does have a couple dependencies on audio libraries, but they’re pretty easy to install (in case you really care).

Anyway, Have fun!

Kenshoto stepping down?
aaron posted in Uncategorized on January 16th, 2009
comments:0

It looks like kenshoto is stepping down as the organizer for one of the largest hacking competitions in the world. An announcement has been made on the defcon forums for new organizers.

From the announcement:

WANTED:
An evil large multinational corporation, or…
An nefarious group of genius autonomous hackers, or…
A shadowy government organization from somewhere in the world
TO:
Host, recreate, and innovate the worlds most (in)famous hacking contest.

Kenshoto has always done an amazing job at both the pre-qualification rounds as well as the main competition. They really stepped up the game as more of an art than just a competition. Their efforts will be missed as we look forward to who will carry the torch next.

Wepawet: analyzing web-based malware
aaron posted in Uncategorized on January 15th, 2009
comments:0

This is a pretty cool looking website/service from the Computer Security Group at UC Santa Barbara that will analyze flash and javascript for malicious content. It will actually de-obfuscate javascript and pull out the active exploits that it uses. I’m guessing that it’s also doing some dynamic analysis because it is able to see the exact request/responses that it’s making. Here is a sample report that shows multiple exploit attempts and the actual malware. The website says that it’s currently in alpha and it will have the ability to submit URLs (instead of javascript/flash files) soon.

Via www.offensivecomputing.net

0day in WowWee Rovio Robot
aaron posted in Uncategorized on January 14th, 2009
comments:2

You can’t use it in your plot to take over the world with remote control robots yet, but there’s a new 0day in the WowWee Rovio that will allow remote snooping of the audio/video data that comes from the robot. Other things you can do remotely are get configuration data, update the firmware, and send things to the speaker. It looks like the Rovio is a fancy robotic pseudo-telepresence toy for your dog.

From the advisory text:

Unfortunately, Rovio’s access control mechanisms (username/password) are not
completely utilized across the platform even when enabled. Certain URLs and
RTSP Streaming capabilities of the device are accessible with no
authentication. Furthermore, deployment of the device in the default
configuration attempts to use UPnP to automatically configure your firewall to
allow external access to the mobile webcam platform.

Happy 2008^H9!
aaron posted in Uncategorized on January 14th, 2009
comments:0

I don’t want to bore anyone with arbitrary end of year statements/predictions, but I did want to acknowledge the milestone. 2008 was a pretty good year, and we’ve managed to get back into an regular schedule again with meetings twice a month. We’re looking forward to an exciting 2009, and have a couple new projects that we’re working on that we can hopefully start posting about soon. More fun stuff on the horizon.