Oct 16

Hope you know about hardware keyloggers, which are a perfect way to keep track of user activity. A hardware keylogger is a completely electronic device, and using one doesn't need any access to any OS, so there is no fear of leaving tracks. Here is a link which gives you full details of making a hardware keylogger for yourself…

http://www.keelog.com/wireless_keylogger.html

enjoy

Mar 22

I was just thinking about Windows Wi-Fi snags and their audits; now I have got some info about the Mac Wi-Fi stuff, so I am letting you people know about it.
Viha is a project developing a suite of wireless auditing tools for Mac OS X. So far, the only components developed are a custom AirPort driver for monitor-mode packet capture, a framework for driver access and 802.11 packet deconstruction, and a command-line wireless network stumbler. Because OS X before 10.2 (Jaguar) doesn't allow us to dynamically unload/load the Apple AirPort driver, we require OS X 10.2 for now.
They are GPL'ing everything from the newer releases on: the 0.0.1a release is binary-only, but the 0.0.2 releases will be under the GNU General Public License. To assist in using the driver in other projects, it will be available separately, while the "Tools" release includes everything else (including the driver).

The 0.0.1a release is a bugfix to correct a memory leak in IEEE80211Frame (thanks to Michael Rossberg (aziel@gmx.net) for reporting it; check out his awesome AQUA STUMBLER).
You can download Viha and get more info on it here.

Jan 28

Wireless access points could be used by hi-tech criminals to spread viruses and worms, warn US researchers.

Security holes and the popularity of the devices in cities make them ideal for spreading malware, they found. Using modelling methods borrowed from real diseases, the team showed how a worm could gradually infect all access points in urban areas. They found that the majority of vulnerable access points would be hit in the first 24 hours of an outbreak.

Password cracking

The simulation work showed that within two weeks of an outbreak occurring, 55% of Wi-Fi access points would be compromised. In urban areas this could mean tens of thousands of people were at risk, said the researchers.

Nov 9

WEP Wi-Fi security has been known as an easy-to-crack security protocol for a while now, which is why it was superseded by the more secure Wi-Fi Protected Access (WPA) standard. But now a PhD candidate studying encryption has found an exploit in the WPA standard that would allow a hacker to “send bogus data to an unsuspecting WiFi client,” completely compromising your Wi-Fi security and opening your network to all sorts of hacking. Lucky for you, it’s not terribly difficult to protect yourself against the new exploit.
The key: Just log into your router, switch off Temporal Key Integrity Protocol (TKIP) as an encryption mode, and use Advanced Encryption Standard (AES) only. TKIP is the only protocol that the hack applies to, so switching to AES-only will ensure that your Wi-Fi network is safe again. It's quick and easy, so do yourself a favor and make the adjustment now so you don't run into any problems in the future.

Nov 7

Security researchers have cracked the Wi-Fi Protected Access (WPA) encryption standard used to protect data on many wireless networks, according to a presentation at next week's PacSec conference in Tokyo.

There, researcher Erik Tews will show how he was able to crack WPA encryption, in order to read data being sent from a router to a laptop computer. The attack could also be used to send bogus information to a client connected to the router.

To do this, Tews and his co-researcher Martin Beck found a way to break the Temporal Key Integrity Protocol (TKIP) key, used by WPA, in just 12 to 15 minutes, according to Dragos Ruiu, the conference’s organiser.

They have not, however, managed to crack the encryption keys used to secure data that goes from the PC to the router in this particular attack.

Security experts had known that TKIP could be cracked using what’s known as a dictionary attack. Using massive computational resources, the attacker essentially cracks the encryption by making an extremely large number of educated guesses as to what key is being used to secure the wireless data.

The work of Tews and Beck does not involve a dictionary attack, however.

To pull off their trick, the researchers first discovered a way to trick a WPA router into sending them large amounts of data. This makes cracking the key easier, but the technique is also combined with a "mathematical breakthrough" that lets them crack WPA much more quickly than any previous attempt, Ruiu said.

Tews is planning to publish the cryptographic work in an academic journal, Ruiu said. Some of the code used in the attack was quietly added to Beck’s Aircrack-ng Wi-Fi encryption hacking tool two weeks ago, he added.

WPA is widely used on today’s Wi-Fi networks and is considered a better alternative to the original WEP (Wired Equivalent Privacy) standard, which was developed in the late 1990s.

Soon after the development of WEP, however, hackers found a way to break its encryption and it is now considered insecure by most security professionals. Store chain T.J. Maxx was in the process of upgrading from WEP to WPA encryption when it experienced one of the most widely publicised data breaches in U.S. history, in which hundreds of millions of credit card numbers were stolen over a two-year period.

A new wireless standard known as WPA2 is considered safe from the attack developed by Tews and Beck, but many WPA2 routers also support WPA.

“Everybody has been saying, ‘Go to WPA because WEP is broken,’” Ruiu said. “This is a break in WPA.”

Oct 20

There are lots of tools around to help people carry out ARP-related exploits and if a malicious, Wi-Fi enabled neighbour decided to find out more about your network, this could be an effective way to do it.

The good news is that there are some defences out there. The bad? They can be costly and don’t always deliver the protection you might expect.
Arpdefender is a good example. It's a solid-state security appliance that you simply connect to your network, then leave to look out for ARP poisoning attacks. It would be excellent if not for the fact that it costs almost £300 and, even if it does detect an attack, will do little more than make an entry in your system logs.

Jul 24

WEP Rundown
by intimidat0r
Part I: About WEP

WEP stands for Wired Equivalent Privacy. It is the standard for wireless encryption thus far. Many people don't even use WEP because they think security is unnecessary, can't be bothered, or think WEP is pointless since it can be cracked, though it typically takes a very long time to capture enough data to recover a WEP key, especially a very long one.

WEP consists of a secret key and an encryption algorithm. The secret key, shared between the access point and everybody on the wireless network, consists of 5 or 13 characters. It is used by the encryption process to obfuscate the packets exchanged throughout the WLAN, or Wireless Local Area Network. Each packet is scrambled uniquely, so if someone cracks one packet's key, they won't be able to view the others without cracking theirs as well.

This is done by using the secret key in conjunction with three more characters (the Initialization Vector, or IV) that are randomly chosen by the wireless hardware for every packet and placed in front of the secret key. For example, if your key were "hello", it may create "abchello" for one packet and "xyzhello" for another.

WEP also uses XOR, or Exclusive OR, for encryption. XOR compares two bits and, if they're different, returns 1; otherwise it returns 0. For example, 1 XOR 1 is 0, and 1 XOR 0 is 1.

"Array" is a word every programmer should have in their arsenal. Arrays are variables that can hold multiple values. For example, the array alphabet[26] holds 26 values, indexed 0 through 25.

unsigned char alphabet[26];

// exchange the contents of two array elements
void swap(unsigned char &first, unsigned char &second)
{
    unsigned char temp = first;
    first = second;
    second = temp;
}

void example()
{
    alphabet[0] = 'A';
    alphabet[1] = 'B';
    swap(alphabet[0], alphabet[1]);   // now alphabet[0] == 'B' and alphabet[1] == 'A'
}

If the array values were swapped randomly many times, it would be impossible to tell which array element holds which value.

The actual algorithm used by WEP to encrypt the packets is RC4. RC4 consists of two steps: the Key Scheduling Algorithm and the Pseudo Random Generation Algorithm. The first part, the Key Scheduling Algorithm, or KSA, looks like this in C++ code, assuming k[] is an array holding the per-packet secret key (the IV followed by the shared key):

const int n = 256;      // size of the RC4 state array
unsigned char s[n];     // the state array that the KSA scrambles

// k[] holds the per-packet key (the IV followed by the secret key), keylen bytes long
void ksa(const unsigned char k[], int keylen)
{
    // initialization
    for (int i = 0; i <= (n - 1); i++)
        s[i] = i;
    int j = 0;
    // scrambling
    for (int l = 0; l <= (n - 1); l++)
    {
        j = (j + s[l] + k[l % keylen]) % n;   // the key is reused when it is shorter than n
        swap(s[l], s[j]);
    }
}

Let's go over this code, so we understand what it does:

1. The constant 'n' is the size of the RC4 state array 's'. WEP, like every RC4 implementation, uses 256.
2. The array of characters 'k' is the secret key combined with the three pseudo-random characters (the IV). It is not changed at all by the algorithm.
3. The initialization stage begins at the '// initialization' comment. It seeds the array 's' with the values 0-255, each equal to the index of the element it is stored in.
4. The integer 'j' holds the running index used during scrambling. It is initialized to 0 because it must always start at 0.
5. Next, at the '// scrambling' comment, the scrambling process begins. It turns the orderly 's' array into the "random" 's' array.
6. Inside the loop, the key byte k[l] and the current array value s[l] are added into 'j' (modulo 256) to pick a second position in the array; the call to swap() then exchanges s[l] with s[j]. Because the key is shorter than 256 bytes, it is read over and over again (k[l % keylen]).

Now it’s time for the second part of the RC4 algorithm, the Pseudo Random Generation Algorithm (PRGA). This part outputs a streaming key based on the KSA’s pseudo-random array. This streaming key will then be merged with the cleartext data to create the encrypted data.

// XOR the keystream generated from the scrambled 's' array into data[]
void prga(unsigned char data[], int length)
{
    int i = 0;
    int j = 0;
    int z;
    for (int pos = 0; pos < length; pos++)   // while there is data to be encrypted
    {
        i = (i + 1) % n;
        j = (j + s[i]) % n;
        swap(s[i], s[j]);
        z = s[(s[i] + s[j]) % n];
        // z is the keystream byte output here,
        // and then XOR'd with the cleartext
        data[pos] ^= z;
    }
}

1. The integers 'i' and 'j' are declared and initialized to 0.
2. There is a loop that runs until the end of the packet of data is reached.
3. 'i' is incremented (modulo 256) in every iteration of the loop, so every position of 's' is visited in turn.
4. 'j' accumulates the values s[i] (modulo 256) and serves as the pseudo-random second index into the array.
5. Another call to swap() switches the characters in s[i] and s[j].
6. 'z' is calculated by adding s[i] and s[j] (modulo 256) and taking the value in the element at that index. The reason for this will be explained later on.
7. 'z' is XOR'd with the cleartext to create the encrypted text.

CRC stands for Cyclic Redundancy Checksum. When packets are sent across the network, there has to be a way for the receiving host to know that the packet has not been damaged in any way. This is the CRC's purpose. Before the data is sent, a CRC value, or checksum, is calculated for the packet and sent along with it. When it is received, the target host calculates a new checksum from the data using the same CRC. If the two CRCs match, the packet's integrity has been confirmed.

So let's summarize. The access point chooses the three pseudo-random characters (the IV). They are put in front of the prechosen shared key to create the per-packet secret key. The KSA then uses this key to create the pseudo-random array, which is used by the PRGA to create a keystream. A CRC checksum of the cleartext is appended to it, and both are XOR'd with the keystream to create the encrypted data.

Then the receiving host decrypts it. The characters prepended by the AP are stripped off and combined with the shared key to recreate the per-packet secret key. That key goes through the whole RC4 process, and the resulting keystream is XOR'd with the encrypted text, recovering the cleartext and its checksum. The received checksum is removed and a fresh one is computed from the cleartext; the two are compared to see whether the data survived intact, which also shows that the sender used the right key.
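The round trip summarised above, as an added example that is not the tutorial's own code: RC4 KSA and PRGA in C, the IV placed in front of the secret key, a CRC-32 checksum appended to the cleartext and encrypted with it, and the receiver rejecting a frame whose checksum no longer matches. Function names are this example's own; the least-significant-byte-first CRC layout follows the 802.11 ICV, and the key is assumed to be 5 or 13 bytes as the text states.

```c
#include <stdint.h>
#include <string.h>
#define N 256        /* RC4 state size */
#define IV_LEN 3     /* 24-bit IV, sent in the clear in front of the payload */
#define ICV_LEN 4    /* CRC-32 integrity check value */
#define MAX_KEY 13   /* WEP secret key: 5 (40-bit) or 13 (104-bit) bytes */

/* RC4 key-scheduling algorithm: scramble s[] with the per-packet key (IV || secret). */
void rc4_ksa(uint8_t s[N], const uint8_t *key, size_t keylen)
{
    for (int i = 0; i < N; i++)
        s[i] = (uint8_t)i;
    for (int i = 0, j = 0; i < N; i++) {
        j = (j + s[i] + key[i % keylen]) % N;
        uint8_t t = s[i]; s[i] = s[j]; s[j] = t;
    }
}

/* RC4 PRGA: XOR the keystream into buf in place; the identical call decrypts. */
void rc4_crypt(uint8_t s[N], uint8_t *buf, size_t len)
{
    int i = 0, j = 0;
    for (size_t pos = 0; pos < len; pos++) {
        i = (i + 1) % N;
        j = (j + s[i]) % N;
        uint8_t t = s[i]; s[i] = s[j]; s[j] = t;
        buf[pos] ^= s[(s[i] + s[j]) % N];
    }
}

/* CRC-32 (IEEE 802.3), the checksum WEP appends as its ICV. */
uint32_t crc32_ieee(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 1) ? (crc >> 1) ^ 0xEDB88320u : crc >> 1;
    }
    return ~crc;
}

/* Sender: frame = IV || RC4(IV||key)(plaintext || CRC32(plaintext)).
 * out must hold len + IV_LEN + ICV_LEN bytes; returns the frame length. */
size_t wep_protect(const uint8_t iv[IV_LEN], const uint8_t *key, size_t keylen, const uint8_t *pt, size_t len, uint8_t *out)
{
    uint8_t pkey[IV_LEN + MAX_KEY], s[N];
    memcpy(pkey, iv, IV_LEN);                  /* per-packet key: e.g. "abc" + "hello" */
    memcpy(pkey + IV_LEN, key, keylen);
    memcpy(out, iv, IV_LEN);                   /* the IV travels unencrypted */
    memcpy(out + IV_LEN, pt, len);
    uint32_t icv = crc32_ieee(pt, len);
    for (int k = 0; k < ICV_LEN; k++)          /* ICV appended least-significant byte first */
        out[IV_LEN + len + k] = (uint8_t)(icv >> (8 * k));
    rc4_ksa(s, pkey, IV_LEN + keylen);
    rc4_crypt(s, out + IV_LEN, len + ICV_LEN); /* data and ICV encrypted together */
    return IV_LEN + len + ICV_LEN;
}

/* Receiver: rebuild the per-packet key from the clear IV, decrypt, recompute the CRC.
 * pt must hold flen - IV_LEN bytes; returns the plaintext length, or -1 if the ICV fails. */
long wep_unprotect(const uint8_t *key, size_t keylen, const uint8_t *frame, size_t flen, uint8_t *pt)
{
    if (flen < IV_LEN + ICV_LEN || keylen == 0 || keylen > MAX_KEY) return -1;
    uint8_t pkey[IV_LEN + MAX_KEY], s[N];
    size_t len = flen - IV_LEN - ICV_LEN;
    memcpy(pkey, frame, IV_LEN);
    memcpy(pkey + IV_LEN, key, keylen);
    memcpy(pt, frame + IV_LEN, len + ICV_LEN);
    rc4_ksa(s, pkey, IV_LEN + keylen);
    rc4_crypt(s, pt, len + ICV_LEN);
    uint32_t want = crc32_ieee(pt, len);       /* recompute over the recovered cleartext */
    for (int k = 0; k < ICV_LEN; k++)
        if (pt[len + k] != (uint8_t)(want >> (8 * k))) return -1;   /* damaged frame */
    return (long)len;
}
```

Flipping a single bit of the ciphertext makes wep_unprotect return -1, which is the "did the data survive" check the text describes.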
Part II: Cracking WEP

Before we get into cracking WEP, let’s cover a few more flaws in the encryption process:

* There is a 5% chance that the values in s[0]-s[3] will not be changed after the first three iterations by the KSA.
* The first value in the encrypted data is the SNAP, which is 0xAA, or 170 base 10. Sniffing the first byte of encrypted text and XOR-ing it with 170 will give the first output byte of the PRGA.
* A certain format of the bytes given by the AP will indicate that it is weak and subject to cracking. The format is (B + 3, 255, X), where B is the first byte of the secret key. X can be any value.

We’re going to talk about the KSA now. Let’s define some variables for a “testing environment”:

* The captured character code from the AP is 3,255,7. We sniffed it out of the air. We will be using it because testing has shown it is a very weak code.
* The shared password is 22222. We are just telling you this so you will understand the process. In practice, you would not know this.
* N is 256, of course.
* If there is a value above 256, a modulo operation will be performed on it. The resulting value will be used.
* The array ’s’ has already been seeded, with values 0-255.

Open up the program Kismet. Kismet is a free wireless scanner for Linux. When you open it, you will see a list of WLANs that are in range. Choose one and make a note of these four details (note that the target computer can be any host on the WLAN):

* AP MAC address
* Target computer’s MAC address
* WEP Key used
* Wi-Fi channel used

Open up Aircrack and it will start capturing packets. You’ll also notice that it’s capturing IVs. But this takes a long time. It could even take several hours or days to capture a sufficient number of IVs to crack the WEP key.

Luckily, we can speed things up. For example, if the WLAN were very busy, there would be more traffic, resulting in more IVs being captured. If we were to continuously ping the network, it would result in more traffic, and speed things up nicely:

ping -t -l 50000 ip_address

So what to do now? We have a bit of data, but we have to get a WEP key here. It's time to break out void11. void11 forces the AP to deauthenticate all of the hosts attached to it, virtually cutting off all of the hosts. The first thing they will automatically do is try to reconnect to the AP. This generates an extreme amount of traffic, though it's not very subtle.

Yet another technique is called a replay attack. This captures a packet from a host on the WLAN, then spoofs the host and continues to replay the packet over and over again. This generates a very large amount of traffic. A good program for this is airreplay. This is what void11 was for: if you run airreplay right after stopping void11, airreplay will pick up the necessary packets caused by the deauth attack from void11.

Open up airodump. Now, thanks to the replay attack, the IV count has risen to about 200 per second. Wow! You’ll probably get all the necessary packets within 10 minutes. All of these IVs are being written out into a capture file. Open up aircrack. It will read in all the IVs from the capture file, and perform a statistical analysis on them. Then, it will attempt to brute force its way in. Once it has found the key, it will tell you.
Part III: Protect Your WLAN

The first thing you should do is change your default SSID and password. This is obvious, but it’s surprising how many people neglect to do it.

You’re also going to want to upgrade the AP’s firmware as often as possible. If you want good security, switch from WEP to WPA or WPA2. These are uncrackable…so far. Disable SSID broadcast. This will stop a NetStumbler scan, and some other lowly programs, though Kismet and AirMagnet don’t rely on SSID broadcast.

Another good option is MAC address filtering. This allows you to set up a filter, only allowing computers with certain MAC addresses in, or denying certain MAC addresses.

Jul 6
Here is a Python program to do WiFi channel hopping with an AirPcap adapter.

The program (apc-channel.py) takes 3 options:

--interval sec to set the interval between hops (default is 0.5 sec)
--step increment to specify the size of the channel hop (default is 5)
--quit to prevent the program from displaying each channel hop
The program also serves as an example of how to use the AirPcap DLL from a Python program.

I’ve a couple of other AirPcap programs written in Python (like one to monitor probe requests). If there’s enough interest, I’ll clean up the code and publish it. Be aware that you need an AirPcap adapter for all these programs.

link: hxxp://didierstevens.com/files/software/apc-channel_v0_1.zip

H4×0r

May 9

NetStumbler
NetStumbler, also known as Network Stumbler, is a good tool which facilitates detecting wireless LANs using the 802.11b, 802.11a and 802.11g WLAN standards. It runs on Microsoft operating systems from Win98 to Windows Vista; there is another version called MiniStumbler which is available for the handheld Windows CE operating system.
you can get it here

Aircrack
The fastest available WEP/WPA cracking tool
Aircrack is a suite of tools for 802.11a/b/g WEP and WPA cracking. It can recover a 40 through 512-bit WEP key once enough encrypted packets have been gathered. It can also attack WPA 1 or 2 networks using advanced cryptographic methods or by brute force. The suite includes airodump (an 802.11 packet capture program), aireplay (an 802.11 packet injection program), aircrack (static WEP and WPA-PSK cracking), and airdecap (decrypts WEP/WPA capture files).
You can get Aircrack here

Airsnort
802.11 WEP Encryption Cracking Tool
AirSnort is a wireless LAN (WLAN) tool that recovers encryption keys. It was developed by the Shmoo Group and operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered. You may also be interested in the similar Aircrack.
you can get AirSnort here

Cowpatty
Cowpatty is a good brute-force tool for cracking WPA-PSK, considered the "new WEP" for home wireless security. The program simply tries a bunch of different options from a dictionary file to see if one ends up matching what is defined as the Pre-Shared Key.
you can get Cowpatty here

Asleap
This tool is really good for when the network is using LEAP. It can be used to gather the authentication data that is being passed across the network, and these sniffed credentials can be cracked. LEAP doesn't protect the authentication like other "real" EAP types, which is the main reason why LEAP can be broken.
You can get Asleap here

Ethereal
Ethereal is used all around the world on both Windows and open-source operating systems, for troubleshooting, analysis, software and protocol development, and education. It has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product. Its open-source license allows talented experts in the networking community to add enhancements.
You can download Ethereal here

by Ne0

Apr 3

In the field of IT security breaches, Wi-Fi hacking is an illegal way of penetrating a Wi-Fi network. A Wi-Fi network can be penetrated in a number of ways, ranging from methods that demand a high level of technological skill and commitment to methods that are less sophisticated and require minimal technological skill. Once within a network, a skilled hacker can modify software, network settings, other security items and much more. To counter the security threat of an intrusion into a wireless network, there are many precautions available.

Virtual Intrusion

The various methods used by hackers to exploit wireless connections typically begin with eavesdropping on a network, or "sniffing". A packet sniffer is a program that monitors the information carried on a network. The information that sniffer programs make available includes emails, user names and passwords, among other sensitive information. There are different means of sniffing out wireless networks, including passively scanning and collecting Media Access Control (MAC) addresses.

A hacker can passively scan each radio channel that wireless networks broadcast on to check for activity. By scanning passively, the presence of the scanner is not revealed, since it is not transmitting any traceable material to the network at this point.

Detecting a wireless "sniffer" is extremely difficult. It is only after the hacker starts to probe and/or inject packets onto the network that the location of the attacker and/or the device can be isolated. For some hackers the main goal of an intrusion is to obtain the WEP key. There are several methods used to achieve this. The main obstacle to intruders gaining the WEP key is a lack of computing power: the average home computer could take anywhere from hours to days to gain access through weak system frames.

The information that a hacker can collect from sniffing alone is limited; in order to gain all the information they want, hackers must then actively probe the network. In actively probing a network a hacker increases the probability of detection, because packets have to be sent to the target to get the desired information back.

War driving is another increasingly common method of gaining access to unprotected networks. The main equipment for war driving is a Wi-Fi enabled laptop or PDA and a GPS device.

Other Means of Gaining Access

Other means available to and used by hackers to gain access to a wireless network include virtual probing, the lost password and social spying. These methods are not as technologically intensive as virtual intrusions, but they nonetheless pose a high security threat.

  • A virtual probe is when hackers contact users on a network on the pretence of being a vendor that a company normally deals with. The hacker then asks for sensitive information concerning the wireless network. A commonly used example of this is when a hacker pretends to be conducting a survey and then asks for information about the firewalls, or many other sensitive pieces of information.
  • The lost password method of intrusion is when the hacker obtains a password to get past an organization's firewall or intrusion detection system. The hacker then creates an account for himself so he can access any information he wants at any time.
  • The social spying method of intrusion is when hackers spy on everyday people while they are entering passwords. The person targeted does not know that they are the target of the hacker. An example of this is when people enter their PIN at the ATM; very few take the precaution of protecting this important information.

Security Measures

In an effort to protect a wireless network there are several security measures that can be employed.

  • Encryption of all wireless traffic is the most secure way of reducing both hacking attempts and successful breaches. There are several wireless encryption types available, including WEP, WPA and WPAv2. WEP is considered insecure, as given enough processing power it can be broken. That said, WEP will still stop any passive scans, as well as casual hackers.
  • Altering the network from the manufacturer's defaults can also discourage hackers. The information about network defaults is easily accessible and will render any security enhancements useless. Settings such as the default SSID, the default admin password, and disabled encryption are the main items that need addressing.
  • Data, especially passwords, should be encrypted when travelling over the network. A cracked system without encrypted passwords and other information is totally accessible to hackers.
  • As with most technology, updating security protocols and other information is crucial to maintaining the security of the system.

It is a common misconception that disabling broadcasting of the SSID and enabling MAC filtering is a sufficient security configuration. This is not the case. Disabling the SSID broadcast merely prevents casual nearby wireless users from detecting the presence of your network – war drivers and those who are already aware of your wireless network will not be disadvantaged at all by a disabled SSID. Similarly, MAC address filtering will only prevent accidental connection by casual users – MAC addresses can be spoofed to appear to be that of an authorised workstation or laptop.
