Steelwedge Software


Is Your S&OP “Glocal” Enough?

Posted: 28 Mar 2013 12:03 PM PDT

As organizations grapple with today's multinational environment, and look to increasingly take more business processes global, numerous opportunities and pitfalls present themselves. Steelwedge recently explored these dynamics in a webinar entitled "The Pursuit of Growth: Is Your S&OP Glocal Enough?" … Continue reading →

Pro Hack - Ngrep–Grep patterns in Network traffic


There is a lot of packet sniffer/analyzer software out there, and I am a self-confessed Wireshark & Ettercap lover, but when it comes to analyzing network traffic quickly from the command line, ngrep is one of my favourites. Written by Jordan Ritter, it is used to "grep" traffic patterns from network interfaces. As per the official documentation -

ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.

ngrep runs on Windows and *nix platforms alike. On Windows it relies on WinPcap, so you need that installed to run it.


Once you install it, it uses the first interface on your machine by default, so make sure to check the detected interfaces by running -

C:\Users\RISHABH\Desktop>ngrep -L
idx     dev
---     ---
1:     \Device\NPF_{4D491111-D331-42BC-9A33-98EF8C40D422} (Microsoft)
2:     \Device\NPF_{ADBF6AC1-D111-463D-8D99-C58FA1BEF979} (Sun)
3:     \Device\NPF_{6F801AE0-CA61-4A6D-B5FF-DCB7CE8FC529} (VMware Virtual Ethernet Adapter)
4:     \Device\NPF_{930B6EC8-A5E3-4FFA-B68F-F159FDFC2064} (VMware Virtual Ethernet Adapter)
5:     \Device\NPF_{D1999293-A041-4C2A-B63F-5D8B4906000F} (Realtek PCIe GBE Family Controller)
exit

Now, for example, say you want to check out what's going on at port 23 using interface 5:

C:\Users\RISHABH\Desktop>ngrep -d 5  port 23
interface: \Device\NPF_{D1999293-A041-4C2A-B63F-5D8B4906000F} (192.168.1.0/255.255.255.0)
filter: (ip or ip6) and ( port 23 )
exit
0 received, 0 dropped

Piece of cake. And if you want to search web traffic on port 80 for the keyword "password", then:

ngrep -d 5 "password" port 80

Easy, ain't it? Ngrep does it all : ] With some complex grep commands, you can become a pcap ninja.

Well, you can

  1. Download Ngrep from here
  2. Check out documentation and examples here
  3. Learn about Wireshark from here





Your requested content delivery powered by FeedBlitz, LLC, 9 Thoreau Way, Sudbury, MA 01776, USA. +1.978.776.9498

 

Pro Hack - Cisco Type 4 Passwords cracked–Coding mistake endangers devices


Cisco has issued a security advisory stating that its new password hashing algorithm, Type 4, is vulnerable, which allows Cisco Type 4 hashes to be cracked easily. Type 4 is an update of Type 5 and was supposed to salt passwords and apply 1000 iterations of SHA-256. However, engineers at Cisco miscoded the algorithm by forgetting to salt passwords and setting the number of iterations to 1, which makes it even weaker than the Type 5 algorithm.

"This approach causes a Type 4 password to be less resilient to brute-force attacks than a Type 5 password of equivalent complexity."
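An added illustration of the flaw described above (not Cisco's code and not from the original post): it models the shipped behaviour as one unsalted SHA-256 pass and the intended design as a salted, 1000-iteration derivation, with PBKDF2-HMAC-SHA256 as an assumed stand-in. Device names, passwords and salts are constructed, and the hex output is not the on-device encoding.

```python
import hashlib
from collections import defaultdict

ITERATIONS = 1000  # iteration count the post says Type 4 was supposed to use


def hash_as_shipped(password: str) -> str:
    """Shipped behaviour as the post describes it: no salt, one SHA-256 pass."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_as_intended(password: str, salt: bytes) -> str:
    """Salted and iterated. PBKDF2-HMAC-SHA256 is this example's assumption."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def devices_sharing_a_hash(stored: dict) -> list:
    """Group device names whose stored hash is byte-identical."""
    groups = defaultdict(list)
    for device, digest in stored.items():
        groups[digest].append(device)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed fleet: device name -> (password, per-device salt). Not real data.
FLEET = {
    "edge-rtr-1": ("Example-Pass-1", b"salt-rtr-1"),
    "edge-rtr-2": ("Example-Pass-1", b"salt-rtr-2"),
    "core-sw-1": ("Different-Pass-2", b"salt-sw-1"),
}


def compare_schemes(fleet=FLEET) -> dict:
    """Show which devices end up with identical stored hashes under each scheme."""
    shipped = {d: hash_as_shipped(pw) for d, (pw, _) in fleet.items()}
    intended = {d: hash_as_intended(pw, salt) for d, (pw, salt) in fleet.items()}
    return {
        "shipped_shared": devices_sharing_a_hash(shipped),
        "intended_shared": devices_sharing_a_hash(intended),
    }


if __name__ == "__main__":
    print(compare_schemes())
```

Without a salt, equal passwords give equal hashes on every device, so one precomputed guess is valid fleet-wide, and each guess costs a single hash instead of 1000 iterations.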

Also, the code base (Cisco IOS 15) disables Type 5 encryption on devices. Well... talk about rubbing salt on wounds.


As per advisory -

"A device running a Cisco IOS or IOS XE release with support for Type 4 passwords lost the capability to create a Type 5 password from a user-provided plaintext password. Backward compatibility problems may arise when downgrading from a device running a Cisco IOS or IOS XE release with Type 4 password support and Type 4 passwords configured to a Cisco IOS or Cisco IOS XE release that does not support Type 4 passwords. Depending on the specific device configuration, the administrator may not be able to log in to the device or to change into privileged EXEC mode, requiring a password recovery process to be performed."

It was inevitably going to be discovered. Philipp Schmidt and Jens Steube of Hashcat found it and were able to decode a hash posted at inetpro.org. Since the hashes are weak, that information is more than enough to crack millions of hashes in hours if anyone gets their hands on them.

The aftermath? Cisco says it will create a new password type to counter this, with new, as yet unknown commands to implement it. In the meantime, Cisco says you "may" want to replace Type 4 passwords with Type 5, as quoted -

There are two options to generate a Type 5 password:

  • Using another device running a Cisco IOS or Cisco IOS XE release without Type 4 support
  • Using the openssl command-line tool (part of the OpenSSL Project)

You can read the advisory here
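To act on that advice you first need to know where Type 4 secrets are configured. The following is an added example, not from the advisory or the original post: it scans a saved configuration for secret lines and reports those of Type 4. The line forms `enable secret <type> <hash>` and `username <name> ... secret <type> <hash>` are the assumed input format, and the sample configuration and its hash strings are constructed placeholders.

```python
import re

# Assumed line forms: "enable secret <type> <hash>" and
# "username <name> [options] secret <type> <hash>".
SECRET_RE = re.compile(
    r"^\s*(?:(?P<enable>enable)|username\s+(?P<user>\S+)(?:\s+\S+)*?)"
    r"\s+secret\s+(?P<type>\d+)\s+(?P<hash>\S+)\s*$"
)

# Constructed sample configuration; the hash strings are placeholders.
SAMPLE_CONFIG = """\
hostname lab-rtr
enable secret 4 TYPE4-HASH-PLACEHOLDER-A
username admin privilege 15 secret 4 TYPE4-HASH-PLACEHOLDER-B
username ops secret 5 $1$SALT$TYPE5-HASH-PLACEHOLDER
!
line vty 0 4
 login local
"""


def audit_secrets(config_text: str) -> list:
    """Return one record per secret line: line number, account, hash type."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = SECRET_RE.match(line)
        if not m:
            continue
        findings.append({
            "line": lineno,
            "account": "enable" if m.group("enable") else m.group("user"),
            "type": int(m.group("type")),
        })
    return findings


def type4_findings(config_text: str) -> list:
    """Only the secrets stored as Type 4, which the post says to replace."""
    return [f for f in audit_secrets(config_text) if f["type"] == 4]


def report(config_text: str) -> list:
    """Human-readable findings; the hash itself is deliberately not echoed."""
    return [
        f"line {f['line']}: {f['account']} uses a Type 4 secret; regenerate as Type 5"
        for f in type4_findings(config_text)
    ]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```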
